[Openswan Users] left/rightsendcert=always questions

Nate Carlson natecars at natecarlson.com
Thu May 13 17:26:30 CEST 2004


Hey guys!

I've been working with 2.1.2 cvs connecting to a SFS 1.99.3 server, if you 
don't recall my previous message.

Ran into a problem where if the certificate wasn't cached on the server 
side (from a different connection from a fs2.04/sfs host), it would reject 
the connection from the Openswan box with the following:

May 13 16:18:53 vpn-gw pluto[7424]: "roadwarrior-colonet"[4] 65.193.16.110 #3: no RSA public key known for '<x509 id>'
May 13 16:18:53 vpn-gw pluto[7424]: "rw"[4] 65.193.16.110 #3: sending notification INVALID_KEY_INFORMATION to 65.193.16.110:500

If I make a connection from a sfs/fs box beforehand with that cert, and
it's cached on the gateway, it's no problem. Also, if I add the 
left/rightsendcert=always options to the openswan gateway, it works fine.

Is this actually a bug in Openswan (I'd think that it'd send the cert if
it needed it), or is it a bug in SFS (not asking for the certificate)?

Also, is there more documentation on the Xsendcert option somewhere?

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------
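
An added example, not part of the original message: a small Python triage script that finds the rejection pattern quoted above in pluto logs by pairing a "no RSA public key known" line with the following INVALID_KEY_INFORMATION notification for the same peer and state. The sample log is constructed (documentation IP addresses, placeholder ID), and the function name is hypothetical.

```python
import re

# Constructed sample input modelled on the two pluto lines quoted in the message,
# plus one unrelated rejection; 192.0.2.x and '<x509 id>' are placeholders.
SAMPLE_LOG = """\
May 13 16:18:53 vpn-gw pluto[7424]: "rw"[4] 192.0.2.10 #3: no RSA public key known for '<x509 id>'
May 13 16:18:53 vpn-gw pluto[7424]: "rw"[4] 192.0.2.10 #3: sending notification INVALID_KEY_INFORMATION to 192.0.2.10:500
May 13 16:19:10 vpn-gw pluto[7424]: "rw"[5] 192.0.2.20 #4: sending notification INVALID_KEY_INFORMATION to 192.0.2.20:500
"""

# Layout of a pluto connection line: "conn"[instance] peer #state: message
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) '
    r'#(?P<state>\d+): (?P<msg>.*)$'
)
NO_KEY_RE = re.compile(r"no RSA public key known for '(?P<id>[^']*)'")


def find_missing_cert_rejections(log_text):
    """Return rejections caused by the gateway having no key for the peer's ID.

    A state is reported only when 'no RSA public key known' is followed by an
    INVALID_KEY_INFORMATION notification for the same peer and state number.
    """
    pending = {}   # (peer, state) -> peer ID still waiting for the notification
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["peer"], m["state"])
        no_key = NO_KEY_RE.search(m["msg"])
        if no_key:
            pending[key] = no_key["id"]
        elif "INVALID_KEY_INFORMATION" in m["msg"] and key in pending:
            findings.append({"conn": m["conn"], "peer": m["peer"],
                             "state": int(m["state"]), "id": pending.pop(key)})
    return findings


if __name__ == "__main__":
    for f in find_missing_cert_rejections(SAMPLE_LOG):
        print(f"{f['peer']} ({f['conn']} #{f['state']}): no key cached for "
              f"{f['id']}; check left/rightsendcert on that peer")
```

Peers it reports are the ones whose certificate was neither cached on the gateway nor sent during the exchange, which is the case the sendcert setting addresses.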

