On 2/24/06, <b class="gmail_sendername">Andy</b> <<a href="mailto:fs@globalnetit.com">fs@globalnetit.com</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Fri, 2006-02-24 at 15:01 -0500, Christian Brechbühler wrote:<br><br>> However when I leave out "rightcert=vpn.pem" the client (left=lithium)<br>> will no longer connect to the gateway (right=vpn). It says that "we
<br>> require peer to have ID '6.6.6.6'". How can I NOT require that?<br>><br>Use "rightid", not rightcert. Set the ID to match what the other end<br>sends - looking back at your earlier message that will be
<br><br> rightid="C=US, ST=Massachusetts, L=Boston, O=E, CN=vpn, E=<a href="mailto:brechbuehler@gmail.com">brechbuehler@gmail.com</a>"</blockquote><div><br>
Andy's mail sent me off in the right direction. I had tried that,
but "O=E" is actually "O=EventMonitor, Inc.". And having that
comma there caused an error (invalid OID), even with slash
separators. I created a new server certificate, got various
errors (pluto Abort / Assertion failed / no suitable connection),
updated ipsec.secrets and the iptables rules. Now it works!<br>
<br>
If I read <a href="http://www.strongsec.com/freeswan/install.txt">http://www.strongsec.com/freeswan/install.txt</a> right, the
initiator MUST specify the id of the peer, only the responder can use a
wildcard like %any.<br>
<br>
Thanks to Andy and Paul for their help!<br>
<br>
Christian<br>
</div><br></div><br>
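Added example, not code from this thread, from Andy or Christian, or from FreeS/WAN: a small X.500 DN tokenizer that reproduces the "invalid OID" failure described above when the subject contains "O=EventMonitor, Inc.", next to an RFC 4514-style parser in which a backslash protects the comma, and a matcher that models the rightid check ("%any" accepts any peer, a full DN must match the peer's subject RDN for RDN). Assumptions: the naive parser cuts at both ',' and '/' (chosen to be consistent with the report that slash separators did not help, not taken from FreeS/WAN source), the set of recognised attribute names is a constructed subset, backslash escaping is RFC 4514's rule and is not claimed to be accepted by FreeS/WAN, and the sample DNs (including "O=EventMonitor Inc." standing in for the regenerated certificate) are constructed.

```python
"""Constructed example: why a comma inside an RDN value yields "invalid OID" in a
separator-splitting DN parser, an escape-aware alternative, and a rightid/%any
matcher.  Not FreeS/WAN code; attribute names and sample DNs are made up."""
import re

# Attribute type short names the parsers accept (constructed subset, assumption).
KNOWN_ATTRS = {"C", "ST", "L", "O", "OU", "CN", "E", "EMAIL", "EMAILADDRESS",
               "DC", "SN", "UID", "T", "D", "N", "G", "I", "ID"}


class InvalidOID(ValueError):
    """Raised when an RDN has no '=' or names an unknown attribute type."""


def _check_attr(attr, rdn_text):
    if attr not in KNOWN_ATTRS:
        raise InvalidOID(f"invalid OID {attr!r} in RDN {rdn_text!r}")


def parse_dn_naive(dn):
    """Treat every ',' and '/' as an RDN separator (assumed model of the thread's
    behaviour).  "O=EventMonitor, Inc." is cut at its comma, leaving " Inc."
    with no '=', which is reported as an invalid OID even with '/' separators."""
    rdns = []
    for part in re.split(r"[,/]", dn):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise InvalidOID(f"invalid OID in RDN {part!r}")
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        _check_attr(attr, part)
        rdns.append((attr, value.strip()))
    return rdns


def parse_dn_escaped(dn):
    """RFC 4514-style parse: ',' separates RDNs, '=' separates type and value,
    and a backslash makes the next character literal, so "O=EventMonitor\\, Inc."
    keeps its comma.  Hex escapes (\\XX) and multi-valued RDNs ('+') are not handled."""
    rdns, buf, attr = [], [], None
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\" and i + 1 < n:          # escaped character: take literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and attr is None:        # first '=' ends the attribute type
            attr = "".join(buf).strip().upper()
            buf = []
        elif c == ",":                       # unescaped ',' ends the RDN
            if attr is None:
                raise InvalidOID(f"invalid OID in RDN {''.join(buf)!r}")
            _check_attr(attr, "".join(buf))
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise InvalidOID(f"invalid OID in RDN {''.join(buf)!r}")
    _check_attr(attr, "".join(buf))
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def try_parse(parser, dn):
    """Return ("ok", rdns) or ("error", message) so a failure is a value."""
    try:
        return ("ok", parser(dn))
    except InvalidOID as exc:
        return ("error", str(exc))


def id_accepts(configured_id, presented_dn):
    """Model of the peer-ID check: "%any" (which the thread notes only the
    responder can use) accepts any peer; otherwise the configured DN must equal
    the peer's certificate subject RDN for RDN, in order."""
    if configured_id == "%any":
        return True
    return parse_dn_escaped(configured_id) == parse_dn_escaped(presented_dn)


if __name__ == "__main__":
    bad = "C=US, ST=Massachusetts, L=Boston, O=EventMonitor, Inc., CN=vpn"
    print("naive, comma in O :", try_parse(parse_dn_naive, bad))
    print("naive, slashes    :", try_parse(parse_dn_naive, bad.replace(", ", "/")))
    print("escaped           :", try_parse(parse_dn_escaped, bad.replace("or,", "or\\,")))
    fixed = "C=US, ST=Massachusetts, L=Boston, O=EventMonitor Inc., CN=vpn"
    print("naive, no comma   :", try_parse(parse_dn_naive, fixed))
    print("responder %any    :", id_accepts("%any", fixed))
```

The naive parser is the one whose behaviour matches the thread: the comma inside the organisation name is indistinguishable from an RDN separator, so the only fix available without an escape-aware parser is what Christian did, a new certificate whose subject has no comma. The escaped parser shows what the same DN looks like once the comma is protected, and id_accepts shows why the initiator must carry the full DN while the responder may use "%any".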