From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Wed Oct 30 2002 - 11:29:22 CET

You must specify the complete DN of the peer, i.e.

    rightid="C=CH, ST=ZH, L=Zurich, O=madduck.net,CN=fishbowl.dyn.madduck.net"

I think that you omitted ST=ZH and L=Zurich. If you type

    ipsec auto --status

then the connection definition must exactly match the ID that the peer
sends to you.

Regards

Andreas

martin f krafft wrote:
> thus spoke Andreas Steffen <andreas.steffen_at_strongsec.net> [2002.10.30.1031 +0100]:
>
>>You take the private key file myKey.pem and store it in the directory
>>/etc/ipsec.d/private. The private key is loaded via ipsec.secrets with
>>the statement
>>
>> : RSA myKey.pem "<optional 3DES password>"
>
>
> Okay, done.
>
>
>>The public X.509 certificate myCert.pem is stored by default in
>>/etc/ipsec.d (in version 1.0 of the X.509 patch this has changed to
>>/etc/ipsec.d/certs) or you can give any relative or absolute path.
>>The certificate is loaded via ipsec.conf with the statement
>>
>> leftcert=myCert.pem
>
>
> Done. I put it in the certs subdirectory straight.
>
>
>>After Pluto has started up, the command
>>
>> ipsec auto --listcerts
>>
>>should list some important parameters of myCert.pem and if myKey.pem
>>has been loaded successfully, the comment "..., has private key"
>>should be present.
>
>
> All this is proper:
>
> 000
> 000 List of User/Host Certificates:
> 000
> 000 Oct 30 10:54:15 2002, count: 1
> 000 subject: 'C=CH, ST=ZH, L=Zurich, O=madduck.net, CN=fishbowl.dyn.madduck.net'
> 000 issuer: 'C=DE, ST=Bavaria, L=Munich, O=madduck.net, CN=madduck.net CA, E=ca_at_madduck.net'
> 000 pubkey: 2048 RSA Key AwEAAbpGz, has private key
>                                     ^^^^^^^^^^^^^^^
> 000 validity: not before Oct 23 01:08:46 2002 ok
> 000 not after Oct 23 01:08:46 2003 ok
>
> and similar on the other side.
>
> Still, it is not working. Now both sides report (with the left side
> mentioning albatros (right) in the first line, and the right side
> mentioning fishbowl (left) in the first line, and the IP in the log on
> the right is that of the left side):
>
> "gate-albatros" #5: no suitable connection for peer
> 'C=CH, ST=ZH, L=Zurich, O=madduck.net, CN=albatros.dyn.madduck.net'
> "gate-albatros" #5: sending notification INVALID_ID_INFORMATION
> to 217.162.173.237:500
>
> I am sorry if I am being such a pain, but I really really appreciate
> your help. I have to get this VPN working by tomorrow or else I'll
> have some other problems.
>
> Do let me assure you that if I get it working, then it's downhill from
> there as I will learn more and more about FreeS/WAN and start helping
> out on the mailing list.
>
> Or if I can ever help someone with Debian or Check Point VPN-1/FW-1
> please let me know!
>
--
======================================================================
Andreas Steffen                   e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                    phone:  +41 76 340 25 56
Alter Zürichweg 20                home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
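
A quick way to see which DN components a rightid lacks compared with the ID the peer sends, as an added example that is not part of the original messages. SHORT_RIGHTID is a constructed value (the actual ipsec.conf is not shown in the thread), parse_dn and diff_dn are hypothetical helper names, and treating RDN order as significant is a conservative assumption of this script.

```python
# Added example (not from the thread). Assumes DNs with no escaped commas
# and at most one value per attribute type.

def parse_dn(dn):
    """Split "C=CH, ST=ZH, ..." into an ordered list of (TYPE, value)."""
    rdns = []
    for part in dn.strip().strip("'\"").split(","):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"not an RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def diff_dn(configured, presented):
    """List the differences between two DNs; an empty list means they match."""
    conf, peer = parse_dn(configured), parse_dn(presented)
    conf_map, peer_map = dict(conf), dict(peer)
    problems = []
    for attr, value in peer:
        if attr not in conf_map:
            problems.append(f"missing in rightid: {attr}={value}")
        elif conf_map[attr] != value:
            problems.append(f"value differs for {attr}: rightid has "
                            f"{conf_map[attr]!r}, peer sent {value!r}")
    for attr, value in conf:
        if attr not in peer_map:
            problems.append(f"not in peer ID: {attr}={value}")
    if not problems and conf != peer:
        problems.append("same RDNs in a different order")
    return problems

# Peer ID copied from the "no suitable connection for peer" log line above.
PEER_ID = "C=CH, ST=ZH, L=Zurich, O=madduck.net, CN=albatros.dyn.madduck.net"
# Constructed rightid with ST and L left out (the actual ipsec.conf is not shown).
SHORT_RIGHTID = "C=CH, O=madduck.net, CN=albatros.dyn.madduck.net"

if __name__ == "__main__":
    for line in diff_dn(SHORT_RIGHTID, PEER_ID) or ["rightid matches peer ID"]:
        print(line)
```
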