<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body>
Paul Wouters wrote:<br>
<blockquote
cite="midPine.LNX.4.44.0406181532120.12016-100000@expansionpack.xtdnet.nl"
type="cite">
<pre wrap="">On Fri, 18 Jun 2004, Leonard Tulipan wrote:
</pre>
<blockquote type="cite">
<pre wrap="">What is your freeswam-cert ?
Is that the gateway's certificate?
anyways, "find" tells me of these pem-files in /etc/ipsec.d/
$ find . -name "*.pem"
./cacerts/cacert.pem
./certs/gatewayCert.pem
./certs/roadwarriorCert.pem
./crls/crl.pem
ca is the Certificate Authority
CRL - Certificate Revocation List
Gateway is the openswan server
roadwarrior is the windows client
Thanks for the input, but doesn't look like the solution
</pre>
</blockquote>
<pre wrap="">
you can look at ipsec auto --listall to get a list of all the loaded
certificates and keys. Check there is a 'has private key' belonging to
the gatewayCert.pem
Paul
</pre>
</blockquote>
Well it has:<br>
<br>
[root@firewall root]# ipsec auto --listall|less<br>
000<br>
000 List of Public Keys:<br>
000<br>
000 Jun 18 11:57:24 2004, 1024 RSA Key AwEAAbQjT, until Jun 15 14:30:20 2005 ok<br>
000 ID_DER_ASN1_DN 'C=AT, L=Wien, O=5th Mind, CN=gateway'<br>
000 Issuer 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'<br>
000 Jun 18 11:57:23 2004, 1024 RSA Key AwEAAaq3Q, until Jun 15 14:33:03 2005 ok<br>
000 ID_DER_ASN1_DN 'C=AT, L=Wien, O=5th Mind, CN=roadwarrior'<br>
000 Issuer 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'<br>
000<br>
000 List of X.509 End Certificates:<br>
000<br>
000 Jun 18 11:57:23 2004, count: 1<br>
000 subject: 'C=AT, L=Wien, O=5th Mind, CN=roadwarrior'<br>
000 issuer: 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'<br>
000 serial: 02<br>
000 pubkey: 1024 RSA Key AwEAAaq3Q<br>
000 validity: not before Jun 15 14:33:03 2004 ok<br>
000 not after Jun 15 14:33:03 2005 ok<br>
000 Jun 18 11:57:17 2004, count: 8<br>
000 subject: 'C=AT, L=Wien, O=5th Mind, CN=gateway'<br>
000 issuer: 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'<br>
000 serial: 01<br>
000 pubkey: 1024 RSA Key AwEAAbQjT, has private key<br>
000 validity: not before Jun 15 14:30:20 2004 ok<br>
000 not after Jun 15 14:30:20 2005 ok<br>
000<br>
000 List of X.509 CA Certificates:<br>
000<br>
000 Jun 18 11:57:16 2004, count: 1<br>
000 subject: 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'<br>
000 issuer: 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'<br>
000 serial: 00<br>
000 pubkey: 2048 RSA Key AwEAAb9GT<br>
000 validity: not before Jun 15 14:29:34 2004 ok<br>
000 not after Jun 14 14:29:34 2008 ok<br>
000<br>
000 List of X.509 CRLs:<br>
000<br>
000 Jun 18 11:57:17 2004, revoked certs: 0<br>
000 issuer: 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'<br>
000 updates: this Jun 15 14:31:00 2004<br>
000 next Jul 15 14:31:00 2004 ok<br>
<br>
Looks good, doesn't it?<br>
I still suspect the windows-side to send something wrong.<br>
Or could it really be iptables, when VPN already works with PSK?<br>
<br>
What ports need to be open for NAT-Traversal?<br>
<br>
btw: I posted the same question over at the strongswan mailing list. A
few people probably read both, but I suspect the strongswan people are
more fluent with certificates and all.<br>
<br>
Cheers<br>
Leonard<br>
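<br>
An added example, not part of either mail, that turns Paul's hint into a script: it parses the <code>ipsec auto --listall</code> listing in the shape quoted above and reports, for one end certificate, whether it is loaded, has its private key, is issued by a loaded CA, and carries pluto's "ok" on both validity lines. The sample listing is a constructed, abbreviated copy of the one above; the field names and "000 " prefix are taken from it.<br>

```python
import re
# Constructed sample shaped like the `ipsec auto --listall` output quoted above
# (every line carries the "000 " status prefix; entries are abbreviated).
SAMPLE = """\
000 List of X.509 End Certificates:
000
000 Jun 18 11:57:17 2004, count: 8
000 subject: 'C=AT, L=Wien, O=5th Mind, CN=gateway'
000 issuer: 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000 pubkey: 1024 RSA Key AwEAAbQjT, has private key
000 validity: not before Jun 15 14:30:20 2004 ok
000 not after Jun 15 14:30:20 2005 ok
000
000 List of X.509 CA Certificates:
000
000 Jun 18 11:57:16 2004, count: 1
000 subject: 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000 pubkey: 2048 RSA Key AwEAAb9GT
"""
ENTRY_START = re.compile(r"^\w{3} +\d+ [\d:]+ \d{4}, ")  # "Jun 18 11:57:17 2004, count: 8"
FIELD = re.compile(r"^(subject|issuer|serial|pubkey|validity): (.*)$")

def parse_listall(text):
    """Group the listing into {section name: [entry dict, ...]}, one dict per certificate."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw[3:].strip() if raw.startswith("000") else raw.strip()
        if not line: continue
        if line.startswith("List of ") and line.endswith(":"):
            section, entry = line[8:-1], None   # e.g. "X.509 End Certificates"
            sections[section] = []
        elif ENTRY_START.match(line) and section is not None:
            entry = {}; sections[section].append(entry)   # timestamp line opens an entry
        elif entry is not None:
            m = FIELD.match(line)
            if m: entry[m.group(1)] = m.group(2)
            elif line.startswith("not after "): entry["not after"] = line[10:]  # 2nd validity line
    return sections

def check_end_cert(text, cn):
    """The checks behind Paul's hint for the CN=<cn> end cert: loaded, has private key,
    issuer present among the loaded CAs, and both validity lines end in pluto's 'ok'."""
    lists = parse_listall(text)
    cas = {e.get("subject") for e in lists.get("X.509 CA Certificates", [])}
    for e in lists.get("X.509 End Certificates", []):
        if e.get("subject", "").endswith("CN=%s'" % cn):
            valid = e.get("validity", "").endswith(" ok") and e.get("not after", "").endswith(" ok")
            return {"loaded": True, "has_private_key": "has private key" in e.get("pubkey", ""),
                    "issuer_loaded": e.get("issuer") in cas, "valid": valid}
    return {"loaded": False, "has_private_key": False, "issuer_loaded": False, "valid": False}
```

Feed it the real listing with <code>check_end_cert(open("listall.txt").read(), "gateway")</code>; a missing "has private key" on the gateway entry is the case Paul's hint is meant to catch.<br>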
</body>
</html>