<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"><html><head><meta name="qrichtext" content="1" /><style type="text/css">p, li { white-space: pre-wrap; }</style></head><body style=" font-family:'Sans Serif'; font-size:11pt; font-weight:400; font-style:normal;">On Thu 28 May 2009 Marek Greško wrote:<br>
&gt; On Mon 11 May 2009 you wrote:<br>
&gt; &gt; On Mon, 11 May 2009, Marek Greško wrote:<br>
&gt; &gt; &gt; I have<br>
&gt; &gt; &gt; leftrsasigkey=%cert<br>
&gt; &gt; &gt; rightrsasigkey=%cert<br>
&gt; &gt; &gt; only in the default section and<br>
&gt; &gt; &gt; leftid=%fromcert<br>
&gt; &gt; &gt; rightid=%fromcert<br>
&gt; &gt; &gt; only in the tunnel definition. I expect the defaults are loaded prior<br>
&gt; &gt; &gt; to tunnel definition. Isn't it?<br>
&gt; &gt;<br>
&gt; &gt; You can't have all certs and all ids come in via IKE. You need to point<br>
&gt; &gt; to one cert on disk at least for the local end, so you need at least one<br>
&gt; &gt; of leftcert=filename / rightcert=filename<br>
&gt; &gt;<br>
&gt; &gt; &gt; I also do not want to have fromcert in the id, just testing it because<br>
&gt; &gt; &gt; of Paul's suggestion. I would like to use full id string (Subject DN)<br>
&gt; &gt; &gt; there.<br>
&gt; &gt;<br>
&gt; &gt; You can specify that with rightid=, but you need to use %fromcert on the<br>
&gt; &gt; side that you load from disk locally (eg with leftcert=filename)<br>
&gt; &gt;<br>
&gt; &gt; Paul<br>
&gt;<br>
&gt; I am still struggling with the issue with no luck. Here is modified part of<br>
&gt; ipsec barf containing the config file dump:<br>
&gt;<br>
&gt; version 2.0     # conforms to second version of ipsec.conf specification<br>
&gt;<br>
&gt; # basic configuration<br>
&gt; config setup<br>
&gt;         # Debug-logging controls:  "none" for (almost) none, "all" for lots.<br>
&gt;         # klipsdebug=none<br>
&gt;         #plutodebug="control parsing"<br>
&gt;         #plutodebug="all"<br>
&gt;         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey<br>
&gt;         protostack=netkey<br>
&gt;         nat_traversal=yes<br>
&gt;         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.24.0/24<br>
&gt;         oe=off<br>
&gt;         nhelpers=0<br>
&gt;         interfaces="%defaultroute"<br>
&gt;<br>
&gt; #&lt; /etc/ipsec.d/aa-default.conf 1<br>
&gt; conn %default<br>
&gt;         keyingtries=%forever<br>
&gt;         authby=rsasig<br>
&gt;         leftrsasigkey=%cert<br>
&gt;         rightrsasigkey=%cert<br>
&gt;         #auto=start<br>
&gt;<br>
&gt;<br>
&gt; #&lt; /etc/ipsec.d/aa-no_oe.conf 1<br>
&gt; # 'include' this file to disable Opportunistic Encryption.<br>
&gt; # See /usr/share/doc/freeswan/policygroups.html for details.<br>
&gt; #<br>
&gt; # RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $<br>
&gt; conn block<br>
&gt;     auto=ignore<br>
&gt;<br>
&gt; conn private<br>
&gt;     auto=ignore<br>
&gt;<br>
&gt; conn private-or-clear<br>
&gt;     auto=ignore<br>
&gt;<br>
&gt; conn clear-or-private<br>
&gt;     auto=ignore<br>
&gt;<br>
&gt; conn clear<br>
&gt;     auto=ignore<br>
&gt;<br>
&gt; conn packetdefault<br>
&gt;     auto=ignore<br>
&gt;<br>
&gt; #&lt; /etc/ipsec.d/ipsec.his-mine.conf 1<br>
&gt; conn his-mine<br>
&gt;         keyingtries=%forever<br>
&gt;         authby=rsasig<br>
&gt;         auto=start<br>
&gt;         compress=no<br>
&gt;         left=hispublicip<br>
&gt;         leftsourceip=192.168.24.254<br>
&gt;         leftnexthop=%defaultroute<br>
&gt;         leftsubnet=192.168.24.0/24<br>
&gt;         right=%defaultroute<br>
&gt;         rightnexthop=%defaultroute<br>
&gt;         #<br>
&gt;         leftcert=cert-his.pem<br>
&gt;         rightcert=cert-mine.pem<br>
&gt;         #<br>
&gt;         leftid="C=SK, ......his"<br>
&gt;         #rightid="C=SK, ..... mine"<br>
&gt;         rightid=%fromcert<br>
&gt;<br>
&gt;<br>
&gt; I am still getting: we require peer to have ID 'hispublicip', but peer<br>
&gt; declares 'C=SK, ....... his'<br>
&gt;<br>
&gt; I am sure I have certificates loaded. When using ipsec barf I also see<br>
&gt; remote certificate.<br>
&gt;<br>
&gt; I suspect I should have some problem in configuration, but still cannot<br>
&gt; find any. Do you have any suggestions?<br>
&gt;<br>
&gt; Thank you.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>I found the solution. I should comment out the leftcert line on the right side.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>M.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>-- <br>
Marek Greško<br>
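Added example (not part of the thread or of Openswan): a small checker that parses an ipsec.conf-style dump like the one quoted above, applies the conn %default inheritance Marek asked about, and flags the certificate/ID combinations discussed here: Paul's rule that at least the local end needs a leftcert=/rightcert= file on disk and that the side loaded from disk should use %fromcert as its ID, and Marek's own finding that having both leftcert and rightcert set on one host is what produced the "we require peer to have ID 'hispublicip'" mismatch. The embedded configuration is a constructed, condensed copy of the quoted conn, with a placeholder DN; the function names and the remote-side detection are this example's own assumptions.

```python
"""Check the leftcert/rightcert/%fromcert rules from the thread against an ipsec.conf dump."""
import re
from typing import Dict, List

# Constructed sample: condensed from the conn quoted in the thread, placeholder DN.
SAMPLE_CONF = """\
version 2.0

config setup
        protostack=netkey
        nat_traversal=yes

conn %default
        keyingtries=%forever
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn his-mine
        auto=start
        left=hispublicip
        leftsubnet=192.168.24.0/24
        right=%defaultroute
        leftcert=cert-his.pem
        rightcert=cert-mine.pem
        leftid="C=SK, O=Example, CN=his"
        rightid=%fromcert
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {"conn NAME" | "config setup": {key: value}} for an ipsec.conf-style text.

    Section headers start at column 0; indented key=value lines belong to the most
    recent section. Comments and blank lines are dropped, quotes around values stripped.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # e.g. the 'version 2.0' line
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conn(sections: Dict[str, Dict[str, str]], name: str) -> Dict[str, str]:
    """Merge 'conn %default' into the named conn; keys in the conn itself win."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections[f"conn {name}"])
    return merged


def check_cert_ids(conn: Dict[str, str]) -> List[str]:
    """Apply the rules stated in the thread to one merged conn and return the findings."""
    findings: List[str] = []
    sides = ("left", "right")
    uses_cert_auth = any(conn.get(f"{s}rsasigkey") == "%cert" for s in sides)
    sides_with_cert = [s for s in sides if f"{s}cert" in conn]
    # Paul: at least the local end must point to a cert file on disk.
    if uses_cert_auth and not sides_with_cert:
        findings.append("rsasigkey=%cert but neither leftcert nor rightcert names a file on disk")
    # Marek's fix: only the local end's cert is loaded from disk; the peer's comes in via IKE.
    if len(sides_with_cert) == 2:
        findings.append("both leftcert and rightcert set: drop the cert line for the remote side")
    # Paul: the side loaded from disk should identify itself with %fromcert.
    for side in sides_with_cert:
        if conn.get(f"{side}id") != "%fromcert":
            findings.append(f"{side}cert is loaded from disk but {side}id is not %fromcert")
    # ipsec.conf(5): an unset id defaults to the address, which never matches a DN.
    for side in sides:
        if uses_cert_auth and f"{side}id" not in conn and f"{side}cert" not in conn:
            findings.append(f"{side}id unset: ID defaults to {side}={conn.get(side, '?')}")
    return findings


def apply_thread_fix(conn: Dict[str, str], local_side: str = "right") -> Dict[str, str]:
    """Marek's solution: comment out the cert line of the remote side (assumed here: left)."""
    remote = "left" if local_side == "right" else "right"
    fixed = dict(conn)
    fixed.pop(f"{remote}cert", None)
    return fixed


if __name__ == "__main__":
    conn = effective_conn(parse_conf(SAMPLE_CONF), "his-mine")
    for finding in check_cert_ids(conn):
        print("before fix:", finding)
    print("after fix:", check_cert_ids(apply_thread_fix(conn)) or "no findings")
```

Run against the constructed conn it reports two findings (both cert lines present, and leftid set to a DN while leftcert is loaded from disk); after dropping leftcert, as Marek did, the checker is silent and the peer's DN is taken from the certificate it presents in IKE.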
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p></body></html>