<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:arial,helvetica,sans-serif;font-size:10pt;color:#000000;"><div style="font-family: arial,helvetica,sans-serif; font-size: 10pt; color: rgb(0, 0, 0);"><div style="font-family: arial,helvetica,sans-serif; font-size: 10pt;"><div style="font-family: arial,helvetica,sans-serif; font-size: 10pt; color: rgb(0, 0, 0);"><div>Hi all,<br>I have a problem with Openswan: my client can't connect to the server. <br>There is no NAT and no firewall in my network.<br>I can't see an error in my configuration. <br>I'm using Pluto and NETKEY on Ubuntu Desktop 8.04.<br>I can execute all the commands below without error:<br># ipsec verify<br># ipsec showhostkey --output /etc/ipsec.secrets<br><br>This is my conf:<br># ipsec.conf<br>
<pre>
version 2.0

config setup
    interfaces="ipsec0=eth0"
    uniqueids=yes
    plutodebug=all
    nhelpers=0

conn %default
    keyingtries=1
    compress=no
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn mommy
    type=tunnel
    left=111.111.111.1
    leftcert=server.pem
    leftca=cacert.pem
    right=111.111.111.2
    rightcert=client.pem
    rightca=%same
    auth=esp
    keyexchange=ike
    ike=aes128-sha1-modp1536
    esp=aes128-sha1
    leftsendcert=always
    keylife=1h
    ikelifetime=1h
    rekey=no
    auto=add
    pfs=yes

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
</pre>
<br>But in:<br># ipsec auto --listcerts<br>I don't see "has private key".<br>#
/var/log/auth.log<br>Jul 14 22:25:14 andi-laptop pluto[4689]: "mommy" #1: unable to locate my private key for RSA Signature<br>Jul 14 22:25:14 andi-laptop pluto[4689]: | complete state transition with (null)<br>Jul 14 22:25:15 andi-laptop pluto[4689]: "mommy" #1: sending notification AUTHENTICATION_FAILED to 111.111.111.1:500<br>By the way, I have also tried making the CA and host cert:<br># /usr/lib/ssl/misc /usr/lib/ssl/misc/CA.sh -newca<br># /usr/lib/ssl/misc /usr/lib/ssl/misc/CA.sh -newreq<br># /usr/lib/ssl/misc /usr/lib/ssl/misc/CA.sh -sign<br><br>newcert.pem = server.pem <br>newkey = server.key<br><br>Because the cert can't load, I tried making the CA based on "building virtual private network with openswan.pdf", and nothing changed.<br> <br>I searched on
Google and found the commands below:<br># openssl x509 -in server.pem -noout -text<br># openssl rsa -in server.key -noout -text<br> <br>Those commands don't work either. I'm sorry for my bad English.<br><br><br>Thank you,<br>michank<br></div></div></div></div></div><br>
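<p>As an added example (not part of the original post and not Openswan's own code): the log line "unable to locate my private key for RSA Signature" means Pluto loaded the certificate but found no private key in ipsec.secrets whose public half matches it, which is also why "ipsec auto --listcerts" shows no "has private key". The Python script below parses a constructed ipsec.conf and ipsec.secrets pair the way Openswan reads them, flags keywords Pluto does not know (such as the "kayexchange" typo in the posted config) and reports an rsasig conn whose leftcert has no ': RSA KEYFILE' line in ipsec.secrets. The keyword sets in the script are an assumed, hand-picked subset of real Openswan keywords, not the complete grammar.</p>

```python
"""Offline sanity check for an Openswan ipsec.conf / ipsec.secrets pair.

Added example, not code from the post or from Openswan.  It reads the files
the way Openswan does ('config setup' / 'conn NAME' headers at column 0,
indented key=value lines, 'conn %default' merged into every conn) and flags
two causes of "unable to locate my private key for RSA Signature": a
misspelled keyword, and an rsasig conn with no ': RSA KEYFILE' secrets line.
The keyword sets are an assumed subset of real Openswan keywords.
"""
import re

KNOWN_SETUP = {"interfaces", "uniqueids", "plutodebug", "nhelpers",
               "nat_traversal", "protostack"}
KNOWN_CONN = {"type", "left", "right", "leftcert", "rightcert", "leftca",
              "rightca", "leftid", "rightid", "leftsubnet", "rightsubnet",
              "leftnexthop", "rightnexthop", "leftrsasigkey", "rightrsasigkey",
              "leftsendcert", "rightsendcert", "authby", "auth", "keyexchange",
              "ike", "esp", "pfs", "keylife", "ikelifetime", "rekey",
              "keyingtries", "compress", "disablearrivalcheck", "auto"}


def parse_ipsec_conf(text):
    """Return (setup_dict, {conn_name: {key: value}}) with %default merged in."""
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments and blanks
        if not line.strip():
            continue
        if not line[0].isspace():                  # column 0: section header
            words = line.split()
            if words[0] == "version":
                continue
            if words[:2] == ["config", "setup"]:
                current = setup
            elif words[0] == "conn" and len(words) == 2:
                current = conns.setdefault(words[1], {})
            else:
                raise ValueError("unrecognised section header: %r" % line)
            continue
        if current is None:
            raise ValueError("key=value before any section: %r" % line)
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    default = conns.pop("%default", {})
    for name, own in conns.items():               # apply %default inheritance
        conns[name] = {**default, **own}
    return setup, conns


def parse_ipsec_secrets(text):
    """Return RSA private keys declared as ': RSA KEYFILE' (or an inline '{')."""
    keys = []
    for raw in text.splitlines():
        m = re.match(r"^[^:#]*:\s*RSA\s+(\S+)", raw.strip())
        if m:
            name = m.group(1).strip('"')
            keys.append("(inline key)" if name == "{" else name)
    return keys


def check(conf_text, secrets_text):
    """Return findings as strings; an empty list means nothing was caught."""
    setup, conns = parse_ipsec_conf(conf_text)
    rsa_keys = parse_ipsec_secrets(secrets_text)
    findings = ["config setup: unknown keyword '%s'" % k
                for k in setup if k not in KNOWN_SETUP]
    for name, conn in conns.items():
        findings += ["conn %s: unknown keyword '%s' (typo?)" % (name, k)
                     for k in conn if k not in KNOWN_CONN]
        if conn.get("auto") == "ignore":           # never loaded: skip key check
            continue
        if conn.get("authby") == "rsasig" and conn.get("leftcert") and not rsa_keys:
            findings.append("conn %s: leftcert=%s but ipsec.secrets has no "
                            "': RSA KEYFILE' line, so Pluto cannot find the "
                            "private key" % (name, conn["leftcert"]))
    return findings


# Constructed sample mirroring the post: the 'kayexchange' typo, and a
# secrets file that carries only a PSK and no RSA key at all.
SAMPLE_CONF = """\
version 2.0
config setup
    interfaces="ipsec0=eth0"
conn %default
    keyingtries=1
    authby=rsasig
    leftrsasigkey=%cert
conn mommy
    left=111.111.111.1
    leftcert=server.pem
    right=111.111.111.2
    rightcert=client.pem
    kayexchange=ike
    auto=add
"""
SAMPLE_SECRETS_BAD = '111.111.111.1 111.111.111.2: PSK "constructed-example"\n'
SAMPLE_SECRETS_OK = SAMPLE_SECRETS_BAD + ': RSA server.key "constructed-passphrase"\n'

if __name__ == "__main__":
    for finding in check(SAMPLE_CONF, SAMPLE_SECRETS_BAD):
        print(finding)
```

<p>Run against the constructed sample it reports both the unknown keyword and the missing RSA line; with SAMPLE_SECRETS_OK only the keyword finding remains. It deliberately does not try to prove that server.key actually matches server.pem (that needs the two openssl commands from the post, comparing the modulus printed for the certificate and for the key), only that a private key is declared at all, which is the precondition Pluto's error message is complaining about.</p>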
</body></html>