[Openswan Users] Re: Openswan with X.509 signed by different
andreas.steffen at strongsec.net
Thu Dec 9 08:07:37 CET 2004
The problem is that your Windows client has sends a Certificate
Request message to *swan requesting a certificate issued by
CA A whereas *swan has a certificate issued by CA B. Therefore
the negotiation fails. If you can reconfigure your Windows client
to request either a certificate from CA B or send an empty
Certificate Request then *swan will respond and send its own
WADA Masahiro wrote:
> Jacco wrote:
>>If I remember correctly, the Microsoft documentation says that
>>both sides MUST be using certificates from the same CA.
> I have never heard such information.
> If someone know its document, please tell me.
>>Unless you are a
>>third-party IPsec client and not the native IPsec implementation?
> I tested native IPsec client on WindowsXP and Windows2000.
> The certificate for XP is signed by the VeriSign,
> and the other for 2000 is signed by the openssl private CA.
> They could be connected each other.
> Masahiro Wada
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
More information about the Users