Hi...<br><br>Thanks for replying, Paul. I am using a CA that I have placed in /etc/ipsec.d/cacerts/cacert.pem at both ends, and I am using the below ipsec.conf file at the 238 machine:<br><br>
version 2.0 # conforms to second version of ipsec.conf specification<br>
<br>
config setup<br>
 plutodebug="control parsing"<br>
 nat_traversal=yes<br>
 protostack=netkey<br>
<br>
conn sample1<br>
 left=192.168.103.238<br>
 leftcert=/etc/ipsec.d/certs/eastCert.pem<br>
 leftsendcert=always<br>
 leftrsasigkey=%cert<br>
 right=192.168.103.139<br>
 rightsendcert=always<br>
 rightrsasigkey=%cert<br>
 auto=add<br>
<br>
I have placed the eastCert.pem in /etc/ipsec.d/certs on the 192.168.103.238 machine, and I am using the below configuration at the other (139) machine:<br>
<br>
version 2.0 # conforms to second version of ipsec.conf specification<br>
<br>
config setup<br>
 plutodebug="control parsing"<br>
 nat_traversal=yes<br>
 protostack=netkey<br>
<br>
conn sample1<br>
 left=192.168.103.238<br>
 leftsendcert=always<br>
 leftrsasigkey=%cert<br>
 right=192.168.103.139<br>
 rightcert=/etc/ipsec.d/certs/westCert.pem<br>
 rightsendcert=always<br>
 rightrsasigkey=%cert<br>
 auto=add<br>
<br>
Similarly, I have placed the westCert.pem in /etc/ipsec.d/certs on the 192.168.103.139 machine. Now I am not able to connect the ipsec between the two. It shows (while trying to bring up the connection using ipsec auto --up sample1):<br>
<br>
104 "sample1" #2: STATE_MAIN_I1: initiate<br>
003 "sample1" #2: received Vendor ID payload [Openswan (this version) 2.6.23 ]<br>
003 "sample1" #2: received Vendor ID payload [Dead Peer Detection]<br>
003 "sample1" #2: received Vendor ID payload [RFC 3947] method set to=109<br>
106 "sample1" #2: STATE_MAIN_I2: sent MI2, expecting MR2<br>
003 "sample1" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected<br>
108 "sample1" #2: STATE_MAIN_I3: sent MI3, expecting MR3<br>
003 "sample1" #2: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000<br>
003 "sample1" #2: received and ignored informational message<br>
<br>
If I place both certificates on both machines and specify their corresponding parameters (rightcert at the 238 machine and leftcert at the 139 machine) in the ipsec.conf file, then I am able to build up the connection.<br>
<br>
I have seen man ipsec.conf, and leftsendcert can have the values yes|always, no|never and ifasked. leftsendcert can't have the value send; it shows an invalid value. I am using Linux Openswan U2.6.23/K2.6.18-92.el5 (netkey).<br>
<div class="gmail_quote"><br><br>On Mon, Feb 15, 2010 at 8:33 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>On Mon, 15 Feb 2010, neeraj goyal wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Does each ipsec peer should have other ipsec peer certificate before starting ipsec. or other peer will send during<br>
connection time????<br>
</blockquote>
<br></div>
That depends on your configuration. See 'man ipsec.conf' and specifically<br>
the sections on "leftsendcert" and "leftca".<br>
<br>
If you are not using a CA, you should really just put the cert on both ends.<br>
If you are using a CA, you should let leftsendcert= send it for you.<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Regards<br> <br>Neeraj Goyal<br><br>
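The two configurations in this thread set the certificate-related conn options by hand on each host, and the only diagnostic is an INVALID_KEY_INFORMATION notification from the peer. As an added example that is not part of this thread and not Openswan code, here is a small Python linter that parses two ipsec.conf fragments (constructed copies of the ones posted above) and checks the settings worth confirming before debugging the IKE exchange itself: each host sets its own leftcert/rightcert, every leftsendcert/rightsendcert value is one that man ipsec.conf allows (so the rejected value send is flagged), both rsasigkey settings are %cert, and left/right agree between the two hosts. The parser, the check functions and the sample text are all assumptions of this example; the parser follows the section/key=value layout shown in the thread rather than Openswan's own parser, and it says nothing about whether the CA chain validates.

```python
# Added example (not Openswan code): parse ipsec.conf sections and check the
# certificate-related conn settings discussed in the thread for consistency.

# Values 'man ipsec.conf' accepts for leftsendcert/rightsendcert, as quoted in the thread.
VALID_SENDCERT = {"yes", "always", "no", "never", "ifasked"}


def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {section: {key: value}}.
    Section headers sit at column 0 ('config setup', 'conn <name>'); their settings
    are indented key=value lines. '#' starts a comment, as on the 'version 2.0' line."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # a section header
            words = line.split()
            if words[0] == "version":          # 'version 2.0' has no body
                current = None
                continue
            current = " ".join(words[:2])      # e.g. 'config setup', 'conn sample1'
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def check_cert_conn(conn, local_ip):
    """Return the problems found in one conn as applied on the host with address local_ip."""
    if conn.get("left") == local_ip:
        me, peer = "left", "right"
    elif conn.get("right") == local_ip:
        me, peer = "right", "left"
    else:
        return [f"neither left nor right is {local_ip}; this host has no role in the conn"]
    problems = []
    for end in ("left", "right"):
        sendcert = conn.get(end + "sendcert")
        if sendcert is not None and sendcert not in VALID_SENDCERT:
            allowed = ", ".join(sorted(VALID_SENDCERT))
            problems.append(f"{end}sendcert={sendcert} is invalid (allowed: {allowed})")
        if conn.get(end + "rsasigkey") != "%cert":
            problems.append(f"{end}rsasigkey must be %cert for X.509 certificate authentication")
    # This host needs its own certificate on disk in order to present it.
    if me + "cert" not in conn:
        problems.append(f"{me}cert is not set; this host ({me}) has no certificate to present")
    # Without the peer's certificate on disk, the peer has to send it during IKE.
    if peer + "cert" not in conn and conn.get(peer + "sendcert") not in ("yes", "always"):
        problems.append(f"{peer}cert is not set and {peer}sendcert is not yes/always")
    return problems


def check_peer_pair(conn_a, conn_b):
    """Both hosts describe the same tunnel, so their left/right addresses must agree."""
    return [f"{k} differs between the two hosts: {conn_a.get(k)!r} vs {conn_b.get(k)!r}"
            for k in ("left", "right") if conn_a.get(k) != conn_b.get(k)]


def lint_pair(conf_a, ip_a, conf_b, ip_b, name="sample1"):
    """Lint the same conn on two hosts; returns {ip: [problems], 'pair': [problems]}."""
    a = parse_ipsec_conf(conf_a)["conn " + name]
    b = parse_ipsec_conf(conf_b)["conn " + name]
    return {ip_a: check_cert_conn(a, ip_a), ip_b: check_cert_conn(b, ip_b),
            "pair": check_peer_pair(a, b)}


# Constructed sample input: the two ipsec.conf files from the thread, one per host.
CONF_238 = """\
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    plutodebug="control parsing"
    nat_traversal=yes
    protostack=netkey

conn sample1
    left=192.168.103.238
    leftcert=/etc/ipsec.d/certs/eastCert.pem
    leftsendcert=always
    leftrsasigkey=%cert
    right=192.168.103.139
    rightsendcert=always
    rightrsasigkey=%cert
    auto=add
"""
CONF_139 = CONF_238.replace(
    "    leftcert=/etc/ipsec.d/certs/eastCert.pem\n", "").replace(
    "    right=192.168.103.139\n",
    "    right=192.168.103.139\n    rightcert=/etc/ipsec.d/certs/westCert.pem\n")
# 'send' is the value the thread reports Openswan rejects as invalid.
CONF_BAD = CONF_238.replace("leftsendcert=always", "leftsendcert=send")

if __name__ == "__main__":
    for host, probs in lint_pair(CONF_238, "192.168.103.238", CONF_139, "192.168.103.139").items():
        print(host, "OK" if not probs else probs)
    print(check_cert_conn(parse_ipsec_conf(CONF_BAD)["conn sample1"], "192.168.103.238"))
```

Run on the two posted configurations the linter reports nothing for either host, which matches the thread: the conn options themselves are consistent, so the INVALID_KEY_INFORMATION reply has to be chased on the certificate side (the CA in /etc/ipsec.d/cacerts, the peer's certificate actually being sent, and the identity it carries) rather than in the option spelling.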