<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"><html><head><meta name="qrichtext" content="1" /><style type="text/css">p, li { white-space: pre-wrap; }</style></head><body style=" font-family:'Sans Serif'; font-size:11pt; font-weight:400; font-style:normal;">On Mon, 11 May 2009, Michael H. Warfield wrote:<br>
> On Mon, 2009-05-11 at 10:38 +0200, Marek Greško wrote:<br>
> > On Tue, 24 February 2009, you wrote:<br>
> > > On Tue, 24 Feb 2009, Marek Greško wrote:<br>
> > > > I cannot get Fedora's openswan-2.6.19-1.fc10 to connect to<br>
> > > > openswan 2.4.<br>
> > > > It complains about:<br>
> > > ><br>
> > > > we require peer to have ID 'xxx.xxx.xxx.xx', but peer declares<br>
> > > > 'C=SK, ......'<br>
> > > ><br>
> > > > I have left and right set to public ip addresses and leftid<br>
> > > > rightid to subject dn on both sides. I am almost sure certificates<br>
> > > > are loaded properly.<br>
> > > ><br>
> > > > What am I doing wrong?<br>
> > ><br>
> > > On the 2.6 side, use leftid=%fromcert<br>
> > ><br>
> > > Paul<br>
> ><br>
> > No luck also with left and rightid=%fromcert. Result is the same.<br>
><br>
>         Oh, one thing I noticed playing with this... These are order<br>
> dependent. Make sure you declare rightid=%fromcert AFTER you declare<br>
> rightrsasigkey=%cert and you can't declare rightid=%fromcert in the<br>
> default and then declare the rightrsasigkey=%cert in the conn. Same<br>
> goes for left* as well.<br>
><br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>I have <br>
leftrsasigkey=%cert<br>
rightrsasigkey=%cert<br>
only in the default section and <br>
leftid=%fromcert<br>
rightid=%fromcert<br>
only in the tunnel definition. I expect the defaults are loaded prior to the tunnel definition. Aren't they?<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>I also do not want to have fromcert in the id; I am just testing it because of Paul's suggestion. I would like to use the full id string (Subject DN) there.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Marek<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>> > --<br>
> > Marek Greško<br>
><br>
>         Mike<br>
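<br>
An added example, not part of the original messages and not Openswan code: a small Python check that reports, for each conn and side, where rsasigkey=%cert and id=%fromcert are declared relative to each other, following the ordering constraint described in the quoted reply. The simplified ipsec.conf parsing, the function names, the verdict labels and the sample configuration are assumptions made for illustration.<br>

```python
# Constructed sample reproducing the layout described in the message above.
SAMPLE = """\
conn %default
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn tunnel
    leftid=%fromcert
    rightid=%fromcert
"""

def parse_conns(text):
    """Simplified ipsec.conf reader: {section: [(key, value), ...]} in file order."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if line and not line[0].isspace():        # section header starts in column 0
            words = line.split()
            is_conn = words[0] == "conn" and len(words) == 2
            current = conns.setdefault(words[1], []) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current.append((key.strip(), value.strip()))
    return conns

def locate(conns, name, key):
    """(section, position, value) of key for conn `name`; its own setting overrides %default."""
    for section in (name, "%default"):
        for pos, (k, v) in enumerate(conns.get(section, [])):
            if k == key:
                return section, pos, v
    return None

def classify(text):
    """Map (conn, side) to a verdict wherever that side's id is %fromcert."""
    conns, verdicts = parse_conns(text), {}
    for name in (n for n in conns if n != "%default"):
        for side in ("left", "right"):
            id_at = locate(conns, name, side + "id")
            key_at = locate(conns, name, side + "rsasigkey")
            if id_at is None or id_at[2] != "%fromcert":
                continue
            if key_at is None or key_at[2] != "%cert":
                verdicts[name, side] = "no-cert-key"
            elif id_at[0] == key_at[0]:           # same section: order decides
                verdicts[name, side] = "ok" if id_at[1] > key_at[1] else "id-before-cert"
            elif id_at[0] == "%default":          # the split the quoted reply says fails
                verdicts[name, side] = "id-in-default-cert-in-conn"
            else:                                 # the layout described in this message
                verdicts[name, side] = "cert-in-default-id-in-conn"
    return verdicts
```

For SAMPLE, classify() reports cert-in-default-id-in-conn for both sides, a layout the thread leaves unresolved, so it is reported separately rather than as ok or as a failure.<br>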
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p><p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p></body></html>