[Openswan Users] Re: Major Trouble with x.509 certificates and XP Client
Leonard Tulipan
l.tulipan at mpwi.at
Fri Jun 18 17:41:27 CEST 2004
Paul Wouters wrote:
>On Fri, 18 Jun 2004, Leonard Tulipan wrote:
>
>>What is your freeswan-cert?
>>Is that the gateway's certificate?
>>Anyways, "find" tells me of these pem-files in /etc/ipsec.d/
>>
>>$ find . -name "*.pem"
>>./cacerts/cacert.pem
>>./certs/gatewayCert.pem
>>./certs/roadwarriorCert.pem
>>./crls/crl.pem
>>
>>ca is the Certificate Authority
>>CRL - Certificate Revocation List
>>Gateway is the openswan server
>>roadwarrior is the windows client
>>
>>Thanks for the input, but doesn't look like the solution
>>
>
>you can look at ipsec auto --listall to get a list of all the loaded
>certificates and keys. Check there is a 'has private key' belonging to
>the gatewayCert.pem
>
>Paul
>
Well it has:
[root@firewall root]# ipsec auto --listall|less
000
000 List of Public Keys:
000
000 Jun 18 11:57:24 2004, 1024 RSA Key AwEAAbQjT, until Jun 15 14:30:20 2005 ok
000 ID_DER_ASN1_DN 'C=AT, L=Wien, O=5th Mind, CN=gateway'
000 Issuer 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000 Jun 18 11:57:23 2004, 1024 RSA Key AwEAAaq3Q, until Jun 15 14:33:03 2005 ok
000 ID_DER_ASN1_DN 'C=AT, L=Wien, O=5th Mind, CN=roadwarrior'
000 Issuer 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000
000 List of X.509 End Certificates:
000
000 Jun 18 11:57:23 2004, count: 1
000 subject: 'C=AT, L=Wien, O=5th Mind, CN=roadwarrior'
000 issuer: 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000 serial: 02
000 pubkey: 1024 RSA Key AwEAAaq3Q
000 validity: not before Jun 15 14:33:03 2004 ok
000 not after Jun 15 14:33:03 2005 ok
000 Jun 18 11:57:17 2004, count: 8
000 subject: 'C=AT, L=Wien, O=5th Mind, CN=gateway'
000 issuer: 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000 serial: 01
000 pubkey: 1024 RSA Key AwEAAbQjT, has private key
000 validity: not before Jun 15 14:30:20 2004 ok
000 not after Jun 15 14:30:20 2005 ok
000
000 List of X.509 CA Certificates:
000
000 Jun 18 11:57:16 2004, count: 1
000 subject: 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000 issuer: 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000 serial: 00
000 pubkey: 2048 RSA Key AwEAAb9GT
000 validity: not before Jun 15 14:29:34 2004 ok
000 not after Jun 14 14:29:34 2008 ok
000
000 List of X.509 CRLs:
000
000 Jun 18 11:57:17 2004, revoked certs: 0
000 issuer: 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000 updates: this Jun 15 14:31:00 2004
000 next Jul 15 14:31:00 2004 ok
Looks good, doesn't it?
I still suspect the Windows side to send something wrong.
Or could it really be iptables, when VPN already works with PSK?
What ports need to be open for NAT-Traversal?
btw: I posted the same question over at the strongswan mailing list. A
few people probably read both, but I suspect the strongswan people are
more fluent with certificates and all.
Cheers
Leonard
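As an added example (not part of this thread, and not Openswan code), the checks Paul suggested can be automated: parse the "ipsec auto --listall" output quoted above and confirm that the gateway's end certificate is loaded with its private key, that its issuer is among the loaded CA certificates, and that the certificate and the CA's CRL are inside their validity windows at a given point in time. The listing embedded below is the output from the mail re-flowed onto single lines; the date format ("Mon DD HH:MM:SS YYYY") and the section names are taken from that output, and the reference time passed as "now" is the mail's own timestamp rather than the wall clock, so the script runs offline and gives the same answer every time.

```python
"""Sanity-check an Openswan 'ipsec auto --listall' listing for X.509 use.

Added example, not code from the thread or from Openswan. LISTING is the
output quoted in the mail, re-flowed onto single lines.
"""
import re
from datetime import datetime

LISTING = """\
000
000 List of Public Keys:
000
000 Jun 18 11:57:24 2004, 1024 RSA Key AwEAAbQjT, until Jun 15 14:30:20 2005 ok
000        ID_DER_ASN1_DN 'C=AT, L=Wien, O=5th Mind, CN=gateway'
000        Issuer 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000 Jun 18 11:57:23 2004, 1024 RSA Key AwEAAaq3Q, until Jun 15 14:33:03 2005 ok
000        ID_DER_ASN1_DN 'C=AT, L=Wien, O=5th Mind, CN=roadwarrior'
000        Issuer 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000
000 List of X.509 End Certificates:
000
000 Jun 18 11:57:23 2004, count: 1
000        subject: 'C=AT, L=Wien, O=5th Mind, CN=roadwarrior'
000        issuer:  'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000        serial:  02
000        pubkey:  1024 RSA Key AwEAAaq3Q
000        validity: not before Jun 15 14:33:03 2004 ok
000                  not after  Jun 15 14:33:03 2005 ok
000 Jun 18 11:57:17 2004, count: 8
000        subject: 'C=AT, L=Wien, O=5th Mind, CN=gateway'
000        issuer:  'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000        serial:  01
000        pubkey:  1024 RSA Key AwEAAbQjT, has private key
000        validity: not before Jun 15 14:30:20 2004 ok
000                  not after  Jun 15 14:30:20 2005 ok
000
000 List of X.509 CA Certificates:
000
000 Jun 18 11:57:16 2004, count: 1
000        subject: 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000        issuer:  'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000        serial:  00
000        pubkey:  2048 RSA Key AwEAAb9GT
000        validity: not before Jun 15 14:29:34 2004 ok
000                  not after  Jun 14 14:29:34 2008 ok
000
000 List of X.509 CRLs:
000
000 Jun 18 11:57:17 2004, revoked certs: 0
000        issuer:  'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000        updates: this Jun 15 14:31:00 2004
000                 next Jul 15 14:31:00 2004 ok
"""

# Timestamp shape used by the listing, e.g. "Jun 15 14:30:20 2004".
DATE_RE = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
SECTIONS = {"List of X.509 End Certificates:": "end",
            "List of X.509 CA Certificates:": "ca",
            "List of X.509 CRLs:": "crl"}


def parse_date(text):
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y")


def parse_listall(text):
    """Split the listing into end certs, CA certs and CRLs (lists of dicts)."""
    out = {"end": [], "ca": [], "crl": []}
    section, cur = None, None
    for raw in text.splitlines():
        line = raw[3:].strip() if raw.startswith("000") else raw.strip()
        if not line:
            continue
        if line.startswith("List of "):          # section header
            section, cur = SECTIONS.get(line), None
            continue
        if section is None:                      # e.g. the raw public-key list
            continue
        if re.match(r"^[A-Z][a-z]{2} +\d+ .*, (count|revoked certs): \d+$", line):
            cur = {}                             # start of a new entry
            out[section].append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"^(subject|issuer):\s*'(.*)'$", line)
        if m:
            cur[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^pubkey:\s*(.*?)(, has private key)?$", line)
        if m:
            cur["pubkey"] = m.group(1)
            cur["has_private_key"] = m.group(2) is not None
            continue
        for key, pat in (("not_before", r"^validity: not before (%s)"),
                         ("not_after", r"^not after\s+(%s)"),
                         ("this_update", r"^updates: this (%s)"),
                         ("next_update", r"^next (%s)")):
            m = re.match(pat % DATE_RE, line)
            if m:
                cur[key] = parse_date(m.group(1))
                break
    return out


def check_gateway(text, gateway_cn, now):
    """Return a list of problems; an empty list means the listing looks usable."""
    parsed = parse_listall(text)
    gw = [c for c in parsed["end"] if c.get("subject", "").endswith("CN=" + gateway_cn)]
    if not gw:
        return ["no end certificate with CN=%s loaded" % gateway_cn]
    cert, problems = gw[0], []
    if not cert.get("has_private_key"):
        problems.append("gateway certificate has no private key (check the RSA entry in ipsec.secrets)")
    if cert.get("issuer") not in {c.get("subject") for c in parsed["ca"]}:
        problems.append("issuer %r is not among the loaded CA certificates" % cert.get("issuer"))
    if "not_before" in cert and now < cert["not_before"]:
        problems.append("gateway certificate not yet valid")
    if "not_after" in cert and now > cert["not_after"]:
        problems.append("gateway certificate expired")
    crls = [c for c in parsed["crl"] if c.get("issuer") == cert.get("issuer")]
    if not crls:
        problems.append("no CRL loaded for issuer %r" % cert.get("issuer"))
    elif "next_update" in crls[0] and now > crls[0]["next_update"]:
        problems.append("CRL for %r is stale (next update %s)" % (cert.get("issuer"), crls[0]["next_update"]))
    return problems


if __name__ == "__main__":
    # Evaluate the listing as of the mail's own timestamp, not the wall clock.
    for p in check_gateway(LISTING, "gateway", datetime(2004, 6, 18, 17, 41, 27)) or ["gateway side looks OK"]:
        print(p)
```

Run against the quoted listing with the mail's date as "now", the script reports nothing wrong on the gateway side, which matches the "looks good" reading in the mail; re-running it with a later date shows how the same listing would fail once the certificate and CRL lapse. The "ok" markers pluto prints are its own check against the current clock, so the script recomputes them instead of trusting the text.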