<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=gb2312" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18372">
<STYLE>BLOCKQUOTE {
        MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; MARGIN-LEFT: 2em
}
OL {
        MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
UL {
        MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
</STYLE>
</HEAD>
<BODY style="FONT-FAMILY: verdana; FONT-SIZE: 10pt">
<DIV><FONT size=2 face=Verdana>I come from China, and my English is very
poor! I need someone who can help me! I just want one-way certification, thank
you!</FONT></DIV>
<DIV>Now let's begin.</DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Verdana>Topology</FONT></DIV>
<DIV> </DIV>
<DIV>
gw-left(eth0)-------(eth1)route(eth0)---------(eth0)gw-right</DIV>
<DIV> </DIV>
<DIV>gw-left: eth0 192.168.1.2 </DIV>
<DIV>route : eth0 192.168.2.1 eth1 192.168.1.1</DIV>
<DIV>gw-right: eth0 192.168.2.2</DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Verdana>My ipsec.conf config:</FONT></DIV>
<DIV> </DIV>
<DIV>gw-right:</DIV>
<DIV>conn %default<BR>
authby=rsasig<BR>
compress=yes<BR>
leftrsasigkey=%cert<BR>
rightrsasigkey=%cert<BR>
keyingtries=1<BR>
disablearrivalcheck=no<BR>
#Disable Opportunistic Encryption<BR>
include /etc/ipsec.d/examples/no_oe.conf<BR>
# sample VPN connections, see /etc/ipsec.d/examples/<BR>
conn x509<BR>
left=192.168.1.2<BR>
leftsubnet=10.0.0.0/8<BR>
leftcert=left.pem<BR>
leftnexthop=%defaultroute<BR>
right=192.168.2.2<BR>
rightsubnet=172.16.1.0/24<BR>
rightid=192.168.2.2<BR>
#rightcert=right.pem<BR>
rightnexthop=%defaultroute<BR>
pfs=no<BR>
auto=add<BR></DIV>
<DIV>gw-left:</DIV>
<DIV>conn %default<BR>
authby=rsasig<BR>
compress=yes<BR>
leftrsasigkey=%cert<BR>
rightrsasigkey=%cert<BR>
keyingtries=1<BR>
disablearrivalcheck=no<BR>
#Disable Opportunistic Encryption<BR>
include /etc/ipsec.d/examples/no_oe.conf<BR>
# sample VPN connections, see /etc/ipsec.d/examples/<BR>
conn x509<BR>
left=192.168.1.2<BR>
leftsubnet=10.0.0.0/8<BR>
leftcert=left.pem<BR>
leftnexthop=%defaultroute<BR>
right=192.168.2.2<BR>
rightid=192.168.2.2<BR>
rightsubnet=172.16.1.0/24<BR>
#rightcert=right.pem<BR>
rightnexthop=%defaultroute<BR>
pfs=no<BR>
auto=add<BR></DIV>
<DIV> </DIV>
<DIV>When I send a request from gw-right, it fails!</DIV>
<DIV>Log:</DIV>
<DIV>gw-left:/etc# startipsec x509<BR>
104 "x509" #2: STATE_MAIN_I1: initiate<BR>
003 "x509" #2: received Vendor ID payload [Openswan (this version) 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]<BR>
003 "x509" #2: received Vendor ID payload [Dead Peer Detection]<BR>
003 "x509" #2: received Vendor ID payload [RFC 3947] method set to=110<BR>
106 "x509" #2: STATE_MAIN_I2: sent MI2, expecting MR2<BR>
003 "x509" #2: NAT-Traversal: Result using 3: no NAT detected<BR>
108 "x509" #2: STATE_MAIN_I3: sent MI3, expecting MR3<BR>
003 "x509" #2: no RSA public key known for '192.168.2.2'<BR>
217 "x509" #2: STATE_MAIN_I3: INVALID_KEY_INFORMATION<BR></DIV>
<DIV>Best regards!</DIV>
<DIV align=left><FONT color=#c0c0c0 size=2 face=Verdana>2009-04-02
</FONT></DIV><FONT size=2 face=Verdana>
<HR style="WIDTH: 122px; HEIGHT: 2px" align=left SIZE=2>
<DIV><FONT color=#c0c0c0 size=2 face=Verdana><SPAN>
<DIV>
<DIV><FONT size=2
face=Verdana>Regards!<BR> </FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2
face=Verdana> R&amp;D Testing: 陈永泉<BR> 福建省海峡信息技术有限公司 (Fujian Straits Information Technology Co., Ltd.)<BR> No. 108 Beihuan West Road, Fuzhou,
P.C. 350003<BR> Tel: (0591) 87303715</FONT></DIV><FONT
size=2 face=Verdana>
<DIV><BR> <A
href="http://www.si.net.cn">http://www.si.net.cn</A><BR> <A
href="http://www.heidun.net">http://www.heidun.net</A></DIV>
<DIV><BR> E-mail: <A
href="mailto:chenyq@mail.si.net.cn">chenyq@mail.si.net.cn</A>
</FONT></DIV></DIV></SPAN></FONT></DIV></FONT></BODY></HTML>
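As an added example (not part of the original mail or of Openswan itself), the following Python lint reads the posted conn and reports, for each side, where pluto would have to obtain that side's RSA public key; it reproduces the "no RSA public key known for '192.168.2.2'" condition from the log above. The SAMPLE_CONF text is re-typed from the gw-left config with the %default section kept, and the parser is a deliberately minimal one that only understands conn sections and key=value lines.

```python
# Added example (not from the original post): lint the posted conn and report,
# per side, where pluto would get that side's RSA public key. SAMPLE_CONF is
# re-typed from the gw-left config; "#rightcert" stays commented out as posted.
SAMPLE_CONF = """\
conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn x509
    left=192.168.1.2
    leftcert=left.pem
    right=192.168.2.2
    rightid=192.168.2.2
    #rightcert=right.pem
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}, merging 'conn %default' into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments: '#rightcert' vanishes
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, val = (part.strip() for part in line.split("=", 1))
            conns[current][key] = val
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}

def check_rsasig_keys(conn):
    """List sides whose RSA public key has no local source (cert file or raw key)."""
    problems = []
    if conn.get("authby") != "rsasig":
        return problems
    for side in ("left", "right"):
        key = conn.get(side + "rsasigkey", "")
        if key.startswith("0s") or conn.get(side + "cert"):
            continue  # raw key given inline, or key read from a local certificate file
        ident = conn.get(side + "id", conn.get(side, "?"))
        problems.append(
            f"{side}: {side}rsasigkey={key or '(unset)'} and no {side}cert=; pluto must "
            f"receive a trusted certificate for ID {ident!r} from the peer, otherwise "
            f"it logs: no RSA public key known for {ident!r}")
    return problems

if __name__ == "__main__":
    for name, conn in parse_ipsec_conf(SAMPLE_CONF).items():
        for problem in check_rsasig_keys(conn):
            print(f'conn "{name}": {problem}')
```

Uncommenting rightcert= (or giving rightrsasigkey= a raw 0s... key) makes the lint pass for the right side; for %cert without a local cert file, the peer itself must present a certificate that a CA in /etc/ipsec.d/cacerts validates and whose identity matches rightid.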