[Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)

Xiaoming Yu xiaoming at us.ibm.com
Thu Jun 17 18:24:21 CEST 2004


Paul: thanks for all your replies.

But what if the other system is non-Linux platform? I am not sure this way
of generating SA signature is universal, isn't it? Say is there a
corresponding application or command I can run to generate the key on other
platforms?

Xiaoming





Paul Wouters <paul at xelerance.com>
06/17/2004 05:18 PM
To: Xiaoming Yu/Rochester/IBM at IBMUS
cc: giovanni.m at agilemovement.it, <users at lists.openswan.org>
Subject: Re: [Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)

On Thu, 17 Jun 2004, Xiaoming Yu wrote:

> Thanks for the reply from you and Mike. You two basically point to the same
> conclusion, that is use RSA instead of preshared key. That makes sense
> since the NAT won't alter the RSA signature, while preshared key query
> depends on the IP address that is modified by the NAT box.
>
> My only problem is certificate is more complicated than preshared key, and
> I haven't fully understood (or read thoroughly) what I should do if the

We did not say X509 certificates. We said "raw rsa keys"

Just run 'ipsec showhostkey --left' (or right) on both ends and put the output
lines in the conn, so you get something like:

conn connname
        left=193.110.157.5
        leftid=@myleftboxid
        leftrsasigkey=0sAQOARC9BlnBd3LedOM70oF3d57/nwzx4F5tWEtdWcecTquefc6hnu3Kxa32rJ4cLxmmK4ugfKx/a7CRBuxhGRS4MTOu2gPNpUNRecpIJcyg51D6CyDh9JrvfjFOCzIGOQyQku4xfR9rjZ2j3DGHWDZzW6YQPK3oZMBb+gPhEWhrR+avdPp+f7doUiMidUNrO6TwN/IMpJAC2lxw7jfupOvevDxsqx5OCN+qak+d8m9ueoixX4/fMlMTOUIXtKDeij+Y+faAOICEl+ZSRBhpMlvjT3AyjFZFPbms+9jCR04VcYESPYLM8xHa1Pn2OqQrLp5dMt0Uv+sAnL2/zOCwJpQ2IuTiFFhtyFQGOXrvu8G6Iv6z7
        right=193.110.157.1
        rightid=@myrightboxid
        rightrsasigkey=0sAQOARC9BlnBd3LedOM70oF3d57/nwzx4F5tWEtdWcecTquefc6hnu3Kxa32rJ4cLxmmK4ugfKx/a7CRBuxhGRS4MTOu2gPNpUNRecpIJcyg51D6CyDh9JrvfjFOCzIGOQyQku4xfR9rjZ2j3DGHWDZzW6YQPK3oZMBb+gPhEWhrR+avdPp+f7doUiMidUNrO6TwN/IMpJAC2lxw7jfupOvevDxsqx5OCN+qak+d8m9ueoixX4/fMlMTOUIXtKDeij+Y+faAOICEl+ZSRBhpMlvjT3AyjFZFPbms+9jCR04VcYESPYLM8xHa1Pn2OqQrLp5dMt0Uv+sAnL2/zOCwJpQ2IuTiFFhtyFQGOXrvu8G6Iv6z7
        authby=rsasig
        auto=route

Paul
--

<Reverend> IRC is just multiplayer notepad.
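Added example, not part of the thread above and not Openswan's own code: the "0s..." value that `ipsec showhostkey` prints is base64 ("0s" is the FreeS/WAN/Openswan marker for base64) of the RSA public key in the RFC 3110 DNS KEY layout: a one-byte exponent length (or 0x00 plus a two-byte length for long exponents), the exponent, then the modulus. That answers the non-Linux question in the message above in principle: any platform that can hand you the public exponent and modulus of an RSA key can produce a `leftrsasigkey=` line. The script below decodes the key Paul pasted (copied from his conn example) and rebuilds it from (e, n); the function names and the small constructed key in the round-trip check are my own.

```python
import base64

# The raw RSA key from Paul's conn example above (it appears as both
# leftrsasigkey and rightrsasigkey there), used here as sample input.
PAGE_KEY = "0s" + (
    "AQOARC9BlnBd3LedOM70oF3d57/nwzx4F5tWEtdWcecTquefc6hnu3Kxa32r"
    "J4cLxmmK4ugfKx/a7CRBuxhGRS4MTOu2gPNpUNRecpIJcyg51D6CyDh9Jrvf"
    "jFOCzIGOQyQku4xfR9rjZ2j3DGHWDZzW6YQPK3oZMBb+gPhEWhrR+avdPp+f"
    "7doUiMidUNrO6TwN/IMpJAC2lxw7jfupOvevDxsqx5OCN+qak+d8m9ueoixX"
    "4/fMlMTOUIXtKDeij+Y+faAOICEl+ZSRBhpMlvjT3AyjFZFPbms+9jCR04Vc"
    "YESPYLM8xHa1Pn2OqQrLp5dMt0Uv+sAnL2/zOCwJpQ2IuTiFFhtyFQGOXrvu"
    "8G6Iv6z7"
)


def parse_rsasigkey(text):
    """Decode an Openswan '0s...' raw RSA public key into (e, n).

    Layout after base64 decoding (RFC 3110, section 2):
      - 1 byte exponent length, or 0x00 followed by a 2-byte length
      - exponent bytes (big-endian)
      - modulus bytes (big-endian), everything that remains
    """
    if not text.startswith("0s"):
        raise ValueError("only the '0s' (base64) encoding is handled here")
    b64 = text[2:]
    # Tolerate a key whose trailing '=' padding was dropped when pasted.
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if not raw:
        raise ValueError("empty key")
    if raw[0] != 0:
        elen, off = raw[0], 1
    else:
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    if len(raw) <= off + elen:
        raise ValueError("truncated key: no modulus after exponent")
    e = int.from_bytes(raw[off:off + elen], "big")
    n = int.from_bytes(raw[off + elen:], "big")
    if e == 0 or n == 0:
        raise ValueError("malformed key: zero exponent or modulus")
    return e, n


def build_rsasigkey(e, n):
    """Encode (e, n) into the '0s...' form that goes into leftrsasigkey=."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(eb) < 256:
        hdr = bytes([len(eb)])
    else:
        hdr = b"\x00" + len(eb).to_bytes(2, "big")
    return "0s" + base64.b64encode(hdr + eb + nb).decode("ascii")


def describe(text):
    """Return the exponent and modulus size, the two things worth checking
    before pasting a key into a conn (e.g. that the modulus length is what
    the key generator was asked for)."""
    e, n = parse_rsasigkey(text)
    return {"exponent": e, "modulus_bits": n.bit_length()}


def same_key_both_sides(left_key, right_key):
    """True when left and right carry the same public key, which is what
    Paul's example shows; in a real conn each side should carry its own
    host key."""
    return parse_rsasigkey(left_key) == parse_rsasigkey(right_key)


if __name__ == "__main__":
    print(describe(PAGE_KEY))
    # Constructed demo key: NOT a real RSA modulus, only to show round-tripping.
    demo_n = (1 << 1023) | 0x12345
    print(build_rsasigkey(65537, demo_n)[:40] + "...")
```

To use it with a key made elsewhere, obtain the public exponent and modulus from whatever RSA tool that platform offers (an assumption about the tooling, not something the thread describes) and feed them to `build_rsasigkey`; `describe` on the result should report the exponent you expect and the modulus size you generated.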