<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"><html><head><meta name="qrichtext" content="1" /><style type="text/css">p, li { white-space: pre-wrap; }</style></head><body style=" font-family:'Sans Serif'; font-size:11pt; font-weight:400; font-style:normal;">On Mon 11 May 2009, you wrote:<br>
> On Mon, 11 May 2009, Marek Greško wrote:<br>
> > I have<br>
> > leftrsasigkey=%cert<br>
> > rightrsasigkey=%cert<br>
> > only in the default section and<br>
> > leftid=%fromcert<br>
> > rightid=%fromcert<br>
> > only in the tunnel definition. I expect the defaults are loaded prior to<br>
> > tunnel definition. Isn't it?<br>
><br>
> You can't have all certs and all ids come in via IKE. You need to point to<br>
> one cert on disk at least for the local end, so you need at least one of<br>
> leftcert=filename / rightcert=filename<br>
><br>
> > I also do not want to have fromcert in the id, just testing it because of<br>
> > Paul's suggestion. I would like to use full id string (Subject DN) there.<br>
><br>
> You can specify that with rightid=, but you need to use %fromcert on the<br>
> side that you load from disk locally (eg with leftcert=filename)<br>
><br>
> Paul<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>I am still struggling with the issue, with no luck. Here is the modified part of ipsec barf containing the config file dump:<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>version 2.0 # conforms to second version of ipsec.conf specification<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p># basic configuration<br>
config setup<br>
# Debug-logging controls: "none" for (almost) none, "all" for lots.<br>
# klipsdebug=none<br>
#plutodebug="control parsing"<br>
#plutodebug="all"<br>
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey<br>
protostack=netkey<br>
nat_traversal=yes<br>
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.24.0/24<br>
oe=off<br>
nhelpers=0<br>
interfaces="%defaultroute"<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>#< /etc/ipsec.d/aa-default.conf 1<br>
conn %default<br>
keyingtries=%forever<br>
authby=rsasig<br>
leftrsasigkey=%cert<br>
rightrsasigkey=%cert<br>
#auto=start<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p><p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>#< /etc/ipsec.d/aa-no_oe.conf 1<br>
# 'include' this file to disable Opportunistic Encryption.<br>
# See /usr/share/doc/freeswan/policygroups.html for details.<br>
#<br>
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $<br>
conn block<br>
auto=ignore<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>conn private<br>
auto=ignore<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>conn private-or-clear<br>
auto=ignore<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>conn clear-or-private<br>
auto=ignore<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>conn clear<br>
auto=ignore<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>conn packetdefault<br>
auto=ignore<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>#< /etc/ipsec.d/ipsec.his-mine.conf 1<br>
conn his-mine<br>
keyingtries=%forever<br>
authby=rsasig<br>
auto=start<br>
compress=no<br>
left=hispublicip<br>
leftsourceip=192.168.24.254<br>
leftnexthop=%defaultroute<br>
leftsubnet=192.168.24.0/24<br>
right=%defaultroute<br>
rightnexthop=%defaultroute<br>
#<br>
leftcert=cert-his.pem<br>
rightcert=cert-mine.pem<br>
#<br>
leftid="C=SK, ......his"<br>
#rightid="C=SK, ..... mine"<br>
rightid=%fromcert<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p><p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>I am still getting: we require peer to have ID 'hispublicip', but peer declares 'C=SK, ....... his'<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>I am sure I have the certificates loaded. When using ipsec barf I also see the remote certificate.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>I suspect I have some problem in the configuration, but I still cannot find any. Do you have any suggestions?<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Thank you.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p><p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>-- <br>
Marek Greško<br>
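Added example, not part of this message and not Openswan code: a small Python checker that reads an ipsec.conf-style dump, applies <code>conn %default</code> before each tunnel's own keys (the inheritance the poster asks about), and then mechanically applies the two rules Paul states in the quoted reply: at least one side must name a certificate file on disk, and a side whose certificate is loaded from disk uses <code>%fromcert</code> as its id. The sample input is constructed from the config quoted in this message, with its placeholder DNs kept as written; the parser is a simplified reader written for this example, and the findings it prints are only those two rules, not a diagnosis of the reported error.

```python
import re

# Constructed sample: the %default and tunnel sections quoted in the message
# above (placeholder DNs kept exactly as the message shows them).
SAMPLE_CONF = """\
version 2.0

config setup
    protostack=netkey
    nat_traversal=yes

conn %default
    keyingtries=%forever
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    #auto=start

conn his-mine
    authby=rsasig
    auto=start
    left=hispublicip
    leftsubnet=192.168.24.0/24
    right=%defaultroute
    leftcert=cert-his.pem
    rightcert=cert-mine.pem
    leftid="C=SK, ......his"
    rightid=%fromcert
"""


def parse_conns(text):
    """Parse ipsec.conf-style text into {conn_name: {key: value}}.

    Only 'conn' sections are kept; 'config setup' and the version line are
    skipped. Comments ('#' to end of line) and blank lines are ignored, so a
    DN containing '#' would need a smarter reader. Simplified for this
    example; Openswan's own parser is not used here."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        section = re.match(r'^(conn|config)\s+(\S+)$', line)
        if section:
            current = section.group(2) if section.group(1) == 'conn' else None
            if current is not None:
                conns.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        key, value = line.split('=', 1)
        conns[current][key.strip()] = value.strip().strip('"')
    return conns


def effective_conn(conns, name):
    """Settings of one conn with 'conn %default' applied first and the
    conn's own keys overriding it."""
    merged = dict(conns.get('%default', {}))
    merged.update(conns[name])
    return merged


def check_cert_ids(conn):
    """Apply the two rules from Paul's reply to one merged conn.

    1. at least one of leftcert= / rightcert= must point at a cert on disk;
    2. a side whose cert is loaded from disk should use <side>id=%fromcert.
    Returns a list of findings; an empty list means both rules hold."""
    findings = []
    if not (conn.get('leftcert') or conn.get('rightcert')):
        findings.append('no leftcert= or rightcert=: at least one local cert file is needed')
    for side in ('left', 'right'):
        cert = conn.get(side + 'cert')
        ident = conn.get(side + 'id')
        if cert and ident != '%fromcert':
            findings.append(f'{side}cert={cert} is loaded from disk but '
                            f'{side}id={ident!r} is not %fromcert')
    return findings


def lint(text):
    """Findings per tunnel conn (the %default section itself is not linted)."""
    conns = parse_conns(text)
    return {name: check_cert_ids(effective_conn(conns, name))
            for name in conns if name != '%default'}


if __name__ == '__main__':
    for name, findings in lint(SAMPLE_CONF).items():
        print(f'conn {name}: ' + ('ok' if not findings else '; '.join(findings)))
```

Run against a real dump from ipsec barf, the checker only tells you which side's id/cert pairing differs from the pattern Paul describes; whether that pairing is what Openswan actually requires in a given version is still something to confirm against its documentation.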
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p></body></html>