On 11/14/06, <b class="gmail_sendername">AntZ</b> <<a href="mailto:antzcn@gmail.com">antzcn@gmail.com</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
$ ipsec auto --listall<br>000<br>000 List of Public Keys:<br>000<br>000 Nov 15 03:40:28 2006, 1024 RSA Key AwEAAb9RN, until Dec 15 02:15:46 2006 ok<br>000 ID_DER_ASN1_DN 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=<a href="mailto:antzcn@gmail.com">antzcn@gmail.com</a>'<br>000 Issuer 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=<a href="mailto:antzcn@gmail.com">antzcn@gmail.com</a>'<br>000<br>000 List of X.509 End Certificates:<br>
000<br>000 Nov 15 03:40:28 2006, count: 1<br>000 subject: 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=<a href="mailto:antzcn@gmail.com">antzcn@gmail.com</a>'<br>000 issuer: 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=<a href="mailto:antzcn@gmail.com">antzcn@gmail.com</a>'<br>000 serial: 00:80:03:c8:30:c2:21:b0:d2<br>000 pubkey: 1024 RSA Key AwEAAb9RN, has private key<br>000 validity: not before Nov 15 02:15:46 2006 ok<br>000 not after Dec 15 02:15:46 2006 warning (expires in 29 days)<br>000 subjkey: 46:5d:13:73:60:a7:52:b0:f3:72:00:f2:83:7a:d8:ed:a8:1d:71:ef<br>000 authkey: 46:5d:13:73:60:a7:52:b0:f3:72:00:f2:83:7a:d8:ed:a8:1d:71:ef<br>000 aserial: 00:80:03:c8:30:c2:21:b0:d2<br>
000 Nov 15 03:40:28 2006, count: 1<br>000 subject: 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=<a href="mailto:antzcn@gmail.com">antzcn@gmail.com</a>'<br>000 issuer: 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=<a href="mailto:antzcn@gmail.com">antzcn@gmail.com</a>'<br>000 serial: 00:c3:10:5e:23:76:d2:fa:72<br>000 pubkey: 1024 RSA Key AwEAAdqR/<br>000 validity: not before Nov 15 02:16:32 2006 ok<br>000 not after Dec 15 02:16:32 2006 warning (expires in 29 days)<br>000 subjkey: f1:94:40:14:48:4f:de:c0:1b:8c:11:0e:85:a9:45:4d:b9:fa:a9:d4<br>000 authkey: f1:94:40:14:48:4f:de:c0:1b:8c:11:0e:85:a9:45:4d:b9:fa:a9:d4<br>000 aserial: 00:c3:10:5e:23:76:d2:fa:72</blockquote><div><br>
Several things seem unusual to me:<br>
<ul>
<li>You have more than one end certificate. That's probably OK,
and may be desirable in some situations. But it is not necessary.</li>
<li>Both end certificates specify exactly the same subject
(you). I think that will cause trouble. At a minimum,
openswan might pick the wrong one (AwEAAdqR/, for which you don't have
the private key). I suspect a mistake. Entities should
always differ in at least one attribute (C, ST, L, O, OU, CN, or
E). I use ONE end certificate (different on each peer).<br>
</li>
<li>You have no CA certificates. Put the certificate of your CA
onto each peer. This is the same across all machines. None
of them must have its key -- keep the certificate on a separate host,
if you can.<br>
</li>
<li>(Consequence:) The end certificates are both self-signed --
specifically, aserial == serial. You should sign all end
certificates by your CA.</li>
</ul>
For a successful VPN connection, authentication is granted based on the
fact that the peer presents a host certificate that is signed by a CA
that we know. To keep your life simple, just use one CA.<br>
<br>
Good luck!<br>
<br>
/Christian<br>
</div></div>
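As an added example, not part of the original thread and not Openswan's own code: a stdlib-only Python script that parses the certificate lists printed by <code>ipsec auto --listall</code> and flags the conditions Christian lists (no CA certificates, more than one end certificate, end certificates sharing a subject, self-signed end certificates where aserial == serial, and an end certificate with no private key). The first sample is the output quoted above, trimmed to the fields the checks use; the second is a constructed healthy layout (one CA-signed end certificate plus the CA certificate) with made-up serials, key ids and CN values, and the <code>List of X.509 CA Certificates:</code> heading is an assumption about Openswan's output rather than something copied from the post.

```python
"""Audit the certificate lists printed by `ipsec auto --listall`.

Added example (not Openswan code): flags no CA certificates, multiple end
certificates, shared subjects, self-signed end certificates and a missing
private key, as pointed out in the reply above.
"""
import re
from collections import Counter

# Constructed sample 1: the two end certificates quoted in the thread, trimmed
# to the fields the checks use ("000 " is the whack output prefix).
SAMPLE = """\
000 List of X.509 End Certificates:
000
000 Nov 15 03:40:28 2006, count: 1
000 subject: 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=antzcn@gmail.com'
000 issuer: 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=antzcn@gmail.com'
000 serial: 00:80:03:c8:30:c2:21:b0:d2
000 pubkey: 1024 RSA Key AwEAAb9RN, has private key
000 subjkey: 46:5d:13:73:60:a7:52:b0:f3:72:00:f2:83:7a:d8:ed:a8:1d:71:ef
000 authkey: 46:5d:13:73:60:a7:52:b0:f3:72:00:f2:83:7a:d8:ed:a8:1d:71:ef
000 aserial: 00:80:03:c8:30:c2:21:b0:d2
000 Nov 15 03:40:28 2006, count: 1
000 subject: 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=antzcn@gmail.com'
000 issuer: 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=ll, E=antzcn@gmail.com'
000 serial: 00:c3:10:5e:23:76:d2:fa:72
000 pubkey: 1024 RSA Key AwEAAdqR/
000 subjkey: f1:94:40:14:48:4f:de:c0:1b:8c:11:0e:85:a9:45:4d:b9:fa:a9:d4
000 authkey: f1:94:40:14:48:4f:de:c0:1b:8c:11:0e:85:a9:45:4d:b9:fa:a9:d4
000 aserial: 00:c3:10:5e:23:76:d2:fa:72
"""

# Constructed sample 2: one CA-signed end certificate plus its CA certificate.
# Serials, key ids and CNs are made up; the CA-list heading is an assumption.
HEALTHY = """\
000 List of X.509 End Certificates:
000
000 Nov 15 03:40:28 2006, count: 1
000 subject: 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=left'
000 issuer: 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=myca'
000 serial: 01
000 pubkey: 1024 RSA Key AwEAAb9RN, has private key
000 subjkey: 46:5d:13:73
000 authkey: aa:bb:cc:dd
000 aserial: 00:99
000
000 List of X.509 CA Certificates:
000
000 Nov 15 03:40:28 2006, count: 1
000 subject: 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=myca'
000 issuer: 'C=cn, ST=hb, L=wh, O=tc, OU=ip, CN=myca'
000 serial: 00:99
000 pubkey: 2048 RSA Key AwEAAcafe
000 subjkey: aa:bb:cc:dd
000 authkey: aa:bb:cc:dd
000 aserial: 00:99
"""

RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4}, count: \d+$")
FIELD = re.compile(r"^(subject|issuer|serial|pubkey|subjkey|authkey|aserial): (.*)$")


def parse_listall(text):
    """Return {'end': [...], 'ca': [...]}, one dict of fields per certificate."""
    certs = {"end": [], "ca": []}
    section = None  # list we are inside ('end', 'ca') or None for others
    current = None  # certificate record being filled
    for raw in text.splitlines():
        line = raw[4:].strip() if raw.startswith("000") else raw.strip()
        if line.startswith("List of X.509 End Certificates"):
            section, current = "end", None
        elif line.startswith("List of X.509 CA Certificates"):
            section, current = "ca", None
        elif line.startswith("List of"):
            section, current = None, None  # public keys, CRLs, ...
        elif section and RECORD_START.match(line):
            current = {}
            certs[section].append(current)
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip("'")
    return certs


def key_label(cert):
    """Short key id from the pubkey line, e.g. 'AwEAAb9RN'."""
    m = re.search(r"Key ([^,\s]+)", cert.get("pubkey", ""))
    return m.group(1) if m else "?"


def _same(cert, a, b):
    return cert.get(a) is not None and cert.get(a) == cert.get(b)


def audit(certs):
    """Return human-readable findings; an empty list means the layout is clean."""
    findings, end = [], certs["end"]
    if not certs["ca"]:
        findings.append("no CA certificates loaded")
    if len(end) > 1:
        findings.append(f"{len(end)} end certificates loaded (one per peer is enough)")
    for subject, n in Counter(c.get("subject") for c in end).items():
        if n > 1:
            findings.append(f"{n} end certificates share subject {subject!r}")
    for c in end:
        label = key_label(c)
        # aserial == serial (or authkey == subjkey, or issuer == subject) means
        # the certificate signed itself rather than being issued by the CA.
        if _same(c, "aserial", "serial") or _same(c, "authkey", "subjkey") \
                or _same(c, "issuer", "subject"):
            findings.append(f"{label}: self-signed, not issued by a CA")
        if "has private key" not in c.get("pubkey", ""):
            findings.append(f"{label}: no private key present")
    return findings


if __name__ == "__main__":
    for name, text in (("quoted output", SAMPLE), ("CA-signed layout", HEALTHY)):
        print(f"{name}: {audit(parse_listall(text)) or 'clean'}")
```

Run against the quoted output it reports six findings (no CA, two end certificates, shared subject, both self-signed, AwEAAdqR/ without a private key); against the constructed CA-signed layout it reports nothing. The self-signed test uses all three indicators because aserial and authkey are only printed when Openswan could fill them in.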