<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
</style>
</head>
<body class='hmmessage'>
Hi Paul,<br><br>Thanks for the information. We ended up having to put
the Netgear's (right) public certificate on our Linux (left) machine
and specify it as part of the "rights" parameters . We were expecting
messages 5 & 6 to contain the certificate. Should ISAKMP messages 5
& 6 contain the certificates? Is there a way to decrypt message 5
& 6 payloads? <br><br>In message 4, we see the "Certificate
Request Payload" coming from the Netgear (right) in addition the CA
field within the Certificate Request Payload is empty. Accortding to
RFC 4945 (http://tools.ietf.org/html/rfc4945#page-13), this is valid
but a rare case. Could OpenSWAN be expecting something populted in this
field? <br><br>If message 6 does contain certificates (as we expect),
is there a chance OpenSWAN 2.6.19 is not parsing and using the
certificate properly.<br><br>Here's our command string:<br><br>ipsec whack --name vpn_tunnel <br>--encrypt <br>--tunnel <br>--ike 3des-md5-modp1024 <br>--esp 3des-md5 <br>--compress <br>--dpdaction hold <br>--ikelifetime 28800 <br>--rsasig <br>--host 130.168.1.3 <br>--client 172.16.2.3/32 <br>--nexthop %direct <br>--updown "ipsec _updown" <br>--sendcert always <br>--cert /etc/ipsec.d/clientcert.pem <-- Linux (left) public certificate<br>--ca "/C=US/ST=Florida/O=Corp/OU=/CN=Device" <br>--to <br>--host 130.168.1.2 <br>--id 130.168.1.2 <br>--client 10.10.10.0/24 <br>--nexthop %direct <br>--updown "ipsec _updown" <br>--sendcert always <br>--ipseclifetime 3600 <br>--rekeymargin 540 <br>--keyingtries 1 <br>--cert /etc/ipsec.d/sn00032_1024.pem <-- Netgear (right) public certificate<br>--ca "/C
=US/ST=Florida/O=Corp/OU=Group/CN=Device"<br><br><br>I appreciate the help Paul! <br><br>marcos<br><br><br><br /><hr />HotmailŪ has a new way to see what's up with your friends. <a href='http://windowslive.com/Tutorial/Hotmail/WhatsNew?ocid=TXT_TAGLM_WL_HM_Tutorial_WhatsNew1_052009' target='_new'>Check it out.</a></body>
</html>