From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Sat Nov 09 2002 - 18:37:25 CET
Phill Ashworth wrote:
> Hi
> I'm having some problems getting a standard FreeS/WAN install to talk to
> x509 (0.9.14) enabled FreeS/WAN.
>
> I have searched around but I don't fully understand how to set this up
> and I've not managed to configure a suitable connection in the ipsec.conf
> file. I can't get past 'no suitable connection for peer', 'STATE_MAIN_R2
> failed: INVALID_ID_INFORMATION'
>
> I've added 'nocrsend=yes' to the x509 enabled gateway and I have 2 host
> keys in ipsec.secrets, one in PKCS#1 file format loaded with : RSA <my
> keyfile> and the other as a raw rsa key.
> : RSA {
> # RSA 2192 bits txvpn.mydomain .......
>
> Is this correct, will x509 FreeS/WAN load both keys?
Both keys will be loaded, but the raw RSA key must be loaded first, because
otherwise the connection based on the raw key won't find its private key.
Certificate based connections will always find their matching private
key.
> I also get the following when freeswan starts and loads the connection
> definition:
> pluto[16184]: no subjectAltName matches ID '@ txvpn.mydomain',
> replaced by subject DN
>
If you write
leftid=@txvpn.mydomain
leftcert=mycert.pem
then the FQDN txvpn.mydomain must be contained as a subjectAltName in
the mycert.pem certificate. Please refer to
http://www.strongsec.com/freeswan/install.htm
for the inclusion of subjectAltNames.
> In the connection I have pasted the raw host keys and the corresponding id.
> conn myconn
> ....
> # Standard FreeS/WAN
> right=81.xx.xx.xx
> rightid=@goldfinger.smersh.casa
> rightrsasigkey=0sAQOWOpY.....
> ....
> # x509 FreeS/WAN
> left=62.xx.xx.xx
> leftid=@txvpn.mydomain
> leftrsasigkey=0sAQOg6BB....
>
>
> txvpn pluto[16664]: "rw_nat1"[1] 81.xx.xx.xx #1: Peer ID is ID_FQDN:
> '@goldfinger.smersh.casa'
> txvpn pluto[16664]: "rw_nat1"[1] 81.xx.xx.xx #1: no suitable connection
> for peer '@goldfinger.smersh.casa'
> txvpn pluto[16664]: | state transition function for STATE_MAIN_R2
> failed: INVALID_ID_INFORMATION
>
> I would really appreciate some suggestions.
> Thanks
> Phill Ashworth
>
>
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
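An added check for the subjectAltName requirement described in the reply above (example script, not part of Andreas' message or of the FreeS/WAN distribution): given a PEM certificate and a leftid/rightid value, it confirms that the FQDN appears as a DNS subjectAltName, which is what pluto looks for before falling back to the subject DN. It assumes openssl 1.1.1 or newer (for -addext) and builds a constructed self-signed certificate for txvpn.mydomain to run against.

```shell
#!/bin/sh
# Constructed example: verify that the FQDN used as leftid=@fqdn is bound
# in leftcert as a DNS subjectAltName, so pluto does not have to fall back
# to the subject DN. Assumes openssl >= 1.1.1 and a PEM-encoded certificate.
set -e

# san_has_fqdn CERT ID
#   CERT = PEM certificate file
#   ID   = leftid/rightid value, with or without the leading '@'
# Returns 0 when DNS:<fqdn> is present in the SAN extension, 1 otherwise.
san_has_fqdn() {
    cert="$1"
    fqdn="${2#@}"
    # Old openssl releases lack 'x509 -ext', so extract the SAN line from -text:
    # print the line after the extension header, split on commas, trim, match.
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
      | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//' \
      | grep -qx "DNS:$fqdn"
}

# Constructed self-signed certificate carrying subjectAltName=DNS:txvpn.mydomain.
WORK="$(mktemp -d)"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/mycert.pem" \
    -subj "/CN=txvpn.mydomain" \
    -addext "subjectAltName=DNS:txvpn.mydomain" >/dev/null 2>&1
MYCERT="$WORK/mycert.pem"

for id in "@txvpn.mydomain" "@goldfinger.smersh.casa"; do
    if san_has_fqdn "$MYCERT" "$id"; then
        echo "OK: $id matches a subjectAltName in $MYCERT"
    else
        echo "MISMATCH: $id is not a subjectAltName; pluto would use the subject DN"
    fi
done
```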