[Openswan Users] Re: Major Trouble with x.509 certificates and XP Client

Leonard Tulipan l.tulipan at mpwi.at
Fri Jun 18 17:41:27 CEST 2004


Paul Wouters wrote:

>On Fri, 18 Jun 2004, Leonard Tulipan wrote:
>
>>What is your freeswan-cert?
>>Is that the gateway's certificate?
>>Anyway, "find" tells me of these pem-files in /etc/ipsec.d/
>>
>>$ find . -name "*.pem"
>>./cacerts/cacert.pem
>>./certs/gatewayCert.pem
>>./certs/roadwarriorCert.pem
>>./crls/crl.pem
>>
>>ca is the Certificate Authority
>>CRL - Certificate Revocation List
>>Gateway is the openswan server
>>roadwarrior is the windows client
>>
>>Thanks for the input, but doesn't look like the solution
>
>You can look at ipsec auto --listall to get a list of all the loaded
>certificates and keys. Check there is a 'has private key' belonging to
>the gatewayCert.pem
>
>Paul
>
Well it has:

[root@firewall root]# ipsec auto --listall|less
000
000 List of Public Keys:
000
000 Jun 18 11:57:24 2004, 1024 RSA Key AwEAAbQjT, until Jun 15 14:30:20 2005 ok
000        ID_DER_ASN1_DN 'C=AT, L=Wien, O=5th Mind, CN=gateway'
000        Issuer 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000 Jun 18 11:57:23 2004, 1024 RSA Key AwEAAaq3Q, until Jun 15 14:33:03 2005 ok
000        ID_DER_ASN1_DN 'C=AT, L=Wien, O=5th Mind, CN=roadwarrior'
000        Issuer 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000
000 List of X.509 End Certificates:
000
000 Jun 18 11:57:23 2004, count: 1
000        subject: 'C=AT, L=Wien, O=5th Mind, CN=roadwarrior'
000        issuer:  'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000        serial:   02
000        pubkey:   1024 RSA Key AwEAAaq3Q
000        validity: not before Jun 15 14:33:03 2004 ok
000                  not after  Jun 15 14:33:03 2005 ok
000 Jun 18 11:57:17 2004, count: 8
000        subject: 'C=AT, L=Wien, O=5th Mind, CN=gateway'
000        issuer:  'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000        serial:   01
000        pubkey:   1024 RSA Key AwEAAbQjT, has private key
000        validity: not before Jun 15 14:30:20 2004 ok
000                  not after  Jun 15 14:30:20 2005 ok
000
000 List of X.509 CA Certificates:
000
000 Jun 18 11:57:16 2004, count: 1
000        subject: 'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000        issuer:  'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000        serial:   00
000        pubkey:   2048 RSA Key AwEAAb9GT
000        validity: not before Jun 15 14:29:34 2004 ok
000                  not after  Jun 14 14:29:34 2008 ok
000
000 List of X.509 CRLs:
000
000 Jun 18 11:57:17 2004, revoked certs: 0
000        issuer:  'C=AT, L=Wien, O=5th Mind, CN=vpn_ca'
000        updates:  this Jun 15 14:31:00 2004
000                  next Jul 15 14:31:00 2004 ok

Looks good, doesn't it?
I still suspect the Windows side to send something wrong.
Or could it really be iptables, when VPN already works with PSK?

What ports need to be open for NAT-Traversal?

btw: I posted the same question over at the strongSwan mailing list. A
few people probably read both, but I suspect the strongSwan people are
more fluent with certificates and all.

Cheers
Leonard
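The check Paul suggests (a 'has private key' marker on the gateway's end certificate, plus a sane validity window) can be scripted against the `ipsec auto --listall` output quoted above. This is an added example, not code from the thread or from Openswan; it assumes the Pluto status format shown in the message and runs over a constructed sample modelled on that output.

```python
import re
from datetime import datetime
# Constructed sample modelled on the `ipsec auto --listall` output in the thread.
SAMPLE = """\
000 List of X.509 End Certificates:
000 Jun 18 11:57:23 2004, count: 1
000        subject: 'C=AT, L=Wien, O=5th Mind, CN=roadwarrior'
000        pubkey:   1024 RSA Key AwEAAaq3Q
000        validity: not before Jun 15 14:33:03 2004 ok
000                  not after  Jun 15 14:33:03 2005 ok
000 Jun 18 11:57:17 2004, count: 8
000        subject: 'C=AT, L=Wien, O=5th Mind, CN=gateway'
000        pubkey:   1024 RSA Key AwEAAbQjT, has private key
000        validity: not before Jun 15 14:30:20 2004 ok
000                  not after  Jun 15 14:30:20 2005 ok
000 List of X.509 CA Certificates:
"""
FMT = "%b %d %H:%M:%S %Y"
ENTRY = re.compile(r"\w{3} +\d+ \d\d:\d\d:\d\d \d{4}, count:")
STAMP = re.compile(r"not (before|after) +(\w{3} +\d+ \d\d:\d\d:\d\d \d{4})")
def parse_end_certs(text):
    """Return one dict per entry of the 'X.509 End Certificates' section."""
    certs, cur, inside = [], None, False
    for raw in text.splitlines():
        line = raw[4:].strip() if raw.startswith("000") else raw.strip()
        if line.startswith("List of "):        # a section header switches state
            inside = line == "List of X.509 End Certificates:"
        elif inside and ENTRY.match(line):     # timestamp line opens a new entry
            cur = {"has_private_key": False}
            certs.append(cur)
        elif inside and cur is not None:
            if line.startswith(("subject:", "issuer:")):
                cur[line.split(":")[0]] = line.split("'")[1]
            elif line.startswith("pubkey:"):
                cur["has_private_key"] = "has private key" in line
            elif (m := STAMP.search(line)):    # both validity lines land here
                cur[m.group(1)] = datetime.strptime(m.group(2), FMT)
    return certs
def check_gateway(text, cn, now):
    """Paul's check, automated: end cert CN=`cn` has its key and `now` is in its window."""
    when = datetime.strptime(now, FMT)
    for c in parse_end_certs(text):
        if c.get("subject", "").split(", ")[-1] == "CN=" + cn:
            if not c["has_private_key"]:
                return False, "no private key loaded for " + c["subject"]
            if not c["before"] <= when <= c["after"]:
                return False, "outside validity window"
            return True, "ok"
    return False, "no end certificate with CN=" + cn
```

Feed it the real output with `ipsec auto --listall | python3 -c '...'` and the timestamp Pluto prints; a missing 'has private key' on the gateway entry is the case Paul asked about, and a window miss points at clock skew between the CA host and the gateway.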