<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<META content="MSHTML 6.00.2900.2963" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT color=#0000ff size=2><SPAN
class=969064800-17112006>Dear Paul,</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2><SPAN
class=969064800-17112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2><SPAN
class=969064800-17112006>Thanks for your reply.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2><SPAN
class=969064800-17112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2><SPAN
class=969064800-17112006>I solved this problem. The error was a misconfiguration of
ipsec.conf:</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2><SPAN
class=969064800-17112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2><SPAN
class=969064800-17112006>left=1.1.1.1</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2><SPAN
class=969064800-17112006>leftcert=A.cert</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2><SPAN
class=969064800-17112006>right=1.1.1.2</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2><SPAN
class=969064800-17112006>rightcert=B.cert</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff><FONT size=2><SPAN class=969064800-17112006>On host 1.1.1.1,
the /etc/ipsec.d/private directory should contain A.pem, but I placed B.pem in it, so
it could not locate the RSA signature. FT!</SPAN></FONT></FONT></DIV>
<DIV><FONT color=#0000ff><FONT size=2><SPAN
class=969064800-17112006></SPAN></FONT></FONT> </DIV>
<DIV><FONT color=#0000ff><FONT size=2><SPAN class=969064800-17112006>Thank you
and Paul Wouters.</SPAN></FONT></FONT></DIV>
<DIV><BR></DIV>
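<DIV>As an added example (not code from the original thread or from Openswan), here is a POSIX shell check for exactly this mistake: for every leftcert= in ipsec.conf it extracts the certificate's public key and looks for a private key in the private-key directory whose public key matches. It assumes openssl is installed and Openswan's usual /etc/ipsec.d/certs and /etc/ipsec.d/private layout, both overridable via CERTDIR and KEYDIR.</DIV>

```shell
#!/bin/sh
# Added example (not Openswan code): verify that every leftcert= in an ipsec.conf
# has a matching private key in the private-key directory, which is the check
# that would have caught B.pem sitting where A.pem belonged.
# Assumed paths: Openswan's /etc/ipsec.d/certs and /etc/ipsec.d/private;
# override with the CERTDIR / KEYDIR environment variables. Needs openssl.

CERTDIR="${CERTDIR:-/etc/ipsec.d/certs}"
KEYDIR="${KEYDIR:-/etc/ipsec.d/private}"

# PEM SubjectPublicKeyInfo extracted from a certificate ...
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
# ... and derived from a private key, so the two can be compared as text.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Print the path of the key in $KEYDIR that belongs to certificate $1.
# Returns 1 when no key matches: the "cannot locate RSA signature" case.
find_key_for_cert() {
    want=$(pubkey_of_cert "$1") || return 1
    [ -n "$want" ] || return 1
    for key in "$KEYDIR"/*.pem; do
        [ -f "$key" ] || continue
        if [ "$(pubkey_of_key "$key")" = "$want" ]; then
            echo "$key"
            return 0
        fi
    done
    return 1
}

# Walk every leftcert= line of the ipsec.conf given as $1, report OK/FAIL per
# certificate and return non-zero if any certificate lacks its private key.
check_ipsec_conf() {
    rc=0
    for cert in $(sed -n 's/^[[:space:]]*leftcert=//p' "$1"); do
        case "$cert" in /*) path="$cert" ;; *) path="$CERTDIR/$cert" ;; esac
        if key=$(find_key_for_cert "$path"); then
            echo "OK   $cert -> $key"
        else
            echo "FAIL $cert: no matching private key in $KEYDIR" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run it on the gateway after copying certificates and keys into place; a FAIL line for the host's own certificate means the same symptom described above will appear at IKE time.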
<DIV class=OutlookMessageHeader lang=zh-cn dir=ltr align=left>
<HR tabIndex=-1>
<FONT size=2><B>From:</B> Christian Brechbühler [mailto:brechbuehler@gmail.com]
<BR><B>Sent:</B> 17 November 2006 3:00<BR><B>To:</B> AntZ<BR><B>Cc:</B> Paul
Wouters; users@openswan.org<BR><B>Subject:</B> Re: [Openswan Users] [Openswan dev]
X.509 in openswan<BR></FONT><BR></DIV>
<DIV></DIV>On 11/16/06, <B class=gmail_sendername>Christian Brechbühler</B>
<<A href="mailto:brechbuehler@gmail.com">brechbuehler@gmail.com</A>>
wrote:
<DIV><SPAN class=gmail_quote></SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">keep
the certificate on a separate host, if you can.</BLOCKQUOTE>
<DIV><BR>For clarity: I meant "keep the <SPAN
style="FONT-STYLE: italic">certificate authority (CA)</SPAN> on a separate
host".<BR>Guard it well. Here's where you create and sign the various
peers' certificates. Make sure you distribute the certificates to their
owners in a secure way, e.g., floppy, CD-ROM; ssh/scp/sftp is probably OK
too.<BR></DIV><BR></DIV>Christian<BR></BODY></HTML>