<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2769" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hello:</FONT></DIV>
<DIV><FONT face=Arial size=2>Trying to set up a basic IPsec tunnel using X.509
certificates across the internet using two Linux boxes running Openswan.
All appears to be good as far as communication goes: the two computers bounce
information back and forth and I can watch that fine in the logs. But
then, when it comes time to send certificates, that is when things fail.
It seems to fail on both sides the same, as I have seen this in both sets of
logs...</FONT></DIV>
<DIV><FONT face=Arial size=2>It occurs to me I may have set things up
wrong. I followed Nate Carlson's page at first, then another, and both
times when I created the certificates I ended up with three files: newreq.pem,
newkey.pem, and newcert.pem. According to the instructions, newreq is
the private key and newcert is the certificate; put them in their spot and they
should work - no mention of the third file. For me, I got problems doing
that (errors about the private key), so using newkey instead of newreq as the
private key fixed that. But I admit I don't really understand why what I
see is different from what the instructions imply. Perhaps this is
related, but I kind of don't think so. Also, I have my CA behind one of
the firewalls, so if communication between the CA and the computer that
wants to check is necessary, I would think one would succeed and one would
fail, not both fail. I don't think that communication is necessary, but it
seems like a reasonable thing to consider.</FONT></DIV>
<DIV><FONT face=Arial size=2>Here is an excerpt from the log where it fails
out:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Nov 27 18:11:05 megareporting pluto[19068]: | certificate signature (C=CA, ST=Yukon, O=Computerisms, CN=Bob Miller, E=bob@computerisms.ca -> C=CA, ST=Yukon, O=Computerisms, CN=Bob Miller, E=bob@computerisms.ca) is valid<BR>
Nov 27 18:11:05 megareporting pluto[19068]: | reached self-signed root ca<BR>
Nov 27 18:11:05 megareporting pluto[19068]: | Public key validated<BR>
Nov 27 18:11:05 megareporting pluto[19068]: | unreference key: 0x8147450 C=CA, ST=Yukon, L=Whitehorse, O=Computerisms, CN=Bob Miller, E=bob@computerisms.ca cnt 1--<BR>
Nov 27 18:11:06 megareporting pluto[19068]: | CR<BR>
Nov 27 18:11:06 megareporting pluto[19068]: | requested CA: '%any'<BR>
Nov 27 18:11:06 megareporting pluto[19068]: | refine_connection: starting with gate.to.mega<BR>
Nov 27 18:11:06 megareporting pluto[19068]: | match_id a=C=CA, ST=Yukon, L=Whitehorse, O=Computerisms, CN=Bob Miller, E=bob@computerisms.ca<BR>
Nov 27 18:11:06 megareporting pluto[19068]: | b=207.189.252.14<BR>
Nov 27 18:11:06 megareporting pluto[19068]: | results fail<BR>
Nov 27 18:11:06 megareporting pluto[19068]: | trusted_ca called with a=C=CA, ST=Yukon, O=Computerisms, CN=Bob Miller, E=bob@computerisms.ca b=(empty)<BR>
Nov 27 18:11:06 megareporting pluto[19068]: | refine_connection: checking gate.to.mega against gate.to.mega, best=(none) with match=0(id=0/ca=1/reqca=1)<BR>
Nov 27 18:11:06 megareporting pluto[19068]: | find_host_pair: comparing to 199.247.237.224:500 207.189.252.14:500<BR>
Nov 27 18:11:06 megareporting pluto[19068]: | find_host_pair_conn (refine_host_connection): 199.247.237.224:500 %any:500 -> hp:none<BR>
Nov 27 18:11:06 megareporting pluto[19068]: "gate.to.mega" #391: no suitable connection for peer 'C=CA, ST=Yukon, L=Whitehorse, O=Computerisms, CN=Bob Miller, E=bob@computerisms.ca'<BR>
Nov 27 18:11:06 megareporting pluto[19068]: | complete state transition with (null)<BR>
Nov 27 18:11:06 megareporting pluto[19068]: "gate.to.mega" #391: sending encrypted notification INVALID_ID_INFORMATION to 207.189.252.14:500</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>From this, it appears to be the value of b that is
conflicting, but I am not sure how to rectify that, or where it takes that
value from. Can anyone give me a hint as to what I missed here? Or even
better, point me at some documentation that will explain how/why this
happened?</FONT></DIV>
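<DIV><FONT face=Arial size=2>An added diagnostic example (not part of the original post or of Openswan) that parses the debug excerpt above and flags the identity-type mismatch behind "results fail". It assumes that in pluto's match_id line a is the identity the peer asserted from its certificate and b is the identity configured on the local connection, which defaults to the peer's IP address when no rightid= is set; the sample lines are re-joined copies of the excerpt.</FONT></DIV>

```python
import ipaddress
import re

# Sample input, constructed from the debug excerpt in the post above
# (wrapped lines re-joined; addresses and "gate.to.mega" are the poster's).
SAMPLE_LOG = """\
Nov 27 18:11:06 megareporting pluto[19068]: | requested CA: '%any'
Nov 27 18:11:06 megareporting pluto[19068]: | refine_connection: starting with gate.to.mega
Nov 27 18:11:06 megareporting pluto[19068]: | match_id a=C=CA, ST=Yukon, L=Whitehorse, O=Computerisms, CN=Bob Miller, E=bob@computerisms.ca
Nov 27 18:11:06 megareporting pluto[19068]: |          b=207.189.252.14
Nov 27 18:11:06 megareporting pluto[19068]: |   results fail
Nov 27 18:11:06 megareporting pluto[19068]: "gate.to.mega" #391: no suitable connection for peer 'C=CA, ST=Yukon, L=Whitehorse, O=Computerisms, CN=Bob Miller, E=bob@computerisms.ca'
"""

def id_kind(value):
    """Classify an IKE identity as pluto sees it: X.509 DN, IP address,
    or something else (FQDN, user@FQDN)."""
    value = value.strip()
    if re.match(r"[A-Z]{1,2}=", value):   # leading DN attribute such as C= or CN=
        return "DN"
    try:
        ipaddress.ip_address(value)
        return "IP"
    except ValueError:
        return "OTHER"

def find_id_mismatches(log_text):
    """Pair each 'match_id a=...' debug line with the 'b=...' line that follows
    and return the pairs whose identity kinds differ (e.g. DN vs IP).
    Assumption: a is the peer's asserted ID, b the local connection's ID."""
    mismatches = []
    peer_id = None
    for line in log_text.splitlines():
        m = re.search(r"\|\s*match_id a=(.*)$", line)
        if m:
            peer_id = m.group(1).strip()
            continue
        m = re.search(r"\|\s*b=(.*)$", line)
        if m and peer_id is not None:
            conn_id = m.group(1).strip()
            if id_kind(peer_id) != id_kind(conn_id):
                mismatches.append({"peer_id": peer_id, "peer_kind": id_kind(peer_id),
                                   "conn_id": conn_id, "conn_kind": id_kind(conn_id)})
            peer_id = None
    return mismatches

if __name__ == "__main__":
    for mm in find_id_mismatches(SAMPLE_LOG):
        print(f"peer id is a {mm['peer_kind']}, connection expects {mm['conn_kind']} {mm['conn_id']}")
```

A DN-versus-IP report points at the connection's rightid=/leftid= settings rather than at the certificate chain, which the earlier "Public key validated" lines already show to be accepted.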
<DIV><FONT face=Arial size=2>Your time is much appreciated
:)</FONT></DIV></BODY></HTML>