[Openswan Users] X.509 - cannot respond to SA
Antony Gelberg
antony at antgel.co.uk
Wed Feb 2 14:48:43 CET 2005
Hi all,
I've got some sort of mental block over what I'm sure is a pretty
obvious problem. When I try to connect to my openswan host from either
an openswan or Windows (Marcus Muller client) peer, I get the following
(names / IP addresses munged, etc.):
Feb 2 14:34:14 vpnbox pluto[6874]: "rw"[1] a.b.c.d:4500 #1: cannot respond to IPsec SA request because no connection is known for e.f.g.h:4500[C=GB, ST=Dullsville, L=Location, O=John Smith (UK) Ltd, CN=VPN-Gateway]...a.b.c.d:4500[C=GB, ST=Dullsville, L=Location, O=John Smith (UK) Ltd, CN=Road Warrior]===192.168.168.10/32
I find this line a bit cryptic - what is the meaning of the ... and ===?
e.f.g.h is the public IP of the openswan host. a.b.c.d is the public IP
address of the peer's router. 192.168.168.10 is the private IP of the
peer (using NAT of course).
I can see that the CNs are different - should they be the same? Here's
a snippet from ipsec.conf on the host:
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior
    left=%defaultroute
    leftsubnet=192.168.0.0/24
    leftcert=/etc/ssl/certs/vpnbox_cert.pem
    right=%any
    rightcert=/etc/ssl/certs/rw_cert.pem
    auto=add
    pfs=yes
And on the peer:
config setup
    interfaces=%defaultroute
    nat_traversal=yes

# Add connections here
conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn johnsmith
    left=82.70.62.108
    leftcert=/etc/ipsec.d/certs/vpnbox.johnsmith.co.uk_cert.pem
    right=%defaultroute
    rightcert=/etc/ipsec.d/certs/rw.vpnbox.johnsmith.co.uk_cert.pem
    auto=add
    pfs=yet
Any help would be much appreciated.
Antony
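As an added example (not part of the post, and not Openswan code), a small parser for the connection description pluto prints in that message. pluto writes it as leftsubnet===lefthost[ID]...righthost[ID]===rightsubnet: the "..." separates the two ends and "===" attaches a subnet to its end. The sample log line is constructed, with RFC 5737 documentation addresses standing in for the munged ones; the virtual_private ranges are taken from the host's config setup above.

```python
import ipaddress
import re

# Constructed sample: the pluto line from the post, reflowed onto one line,
# with 203.0.113.5 standing in for e.f.g.h and 198.51.100.7 for a.b.c.d.
LOG_LINE = (
    'Feb 2 14:34:14 vpnbox pluto[6874]: "rw"[1] 198.51.100.7:4500 #1: cannot '
    'respond to IPsec SA request because no connection is known for '
    '203.0.113.5:4500[C=GB, ST=Dullsville, L=Location, O=John Smith (UK) Ltd, '
    'CN=VPN-Gateway]...198.51.100.7:4500[C=GB, ST=Dullsville, L=Location, '
    'O=John Smith (UK) Ltd, CN=Road Warrior]===192.168.168.10/32'
)

# virtual_private= from the host's "config setup" section in the post.
VIRTUAL_PRIVATE = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']

# One end of the description: [subnet===]host[:port][ID][===subnet].
# The subnet sits on the outer side of each end, so the left end reads
# subnet===host and the right end reads host===subnet.
END_RE = re.compile(
    r'^(?:(?P<lsub>[\d./]+)===)?'            # leftsubnet=== (left end only)
    r'(?P<host>[\d.]+)(?::(?P<port>\d+))?'    # host, optional :port
    r'\[(?P<id>[^\]]*)\]'                     # [identity, e.g. a DN]
    r'(?:===(?P<rsub>[\d./]+))?$'             # ===rightsubnet (right end only)
)


def parse_connection(desc: str) -> dict:
    """Split 'left...right' and parse each end into host/port/id/subnet."""
    left, right = desc.split('...', 1)
    ends = []
    for raw in (left, right):
        m = END_RE.match(raw.strip())
        if not m:
            raise ValueError(f'unrecognised connection end: {raw!r}')
        ends.append({
            'host': m['host'],
            'port': int(m['port']) if m['port'] else None,
            'id': m['id'],
            'subnet': m['lsub'] or m['rsub'],   # None when the end is host-only
        })
    return {'left': ends[0], 'right': ends[1]}


def parse_pluto_line(line: str) -> dict:
    """Extract the proposed connection from a 'no connection is known for' line."""
    return parse_connection(line.split('no connection is known for ', 1)[1])


def client_within_virtual_private(conn: dict, ranges=VIRTUAL_PRIVATE) -> bool:
    """True if the peer's proposed client subnet lies inside a virtual_private range."""
    sub = conn['right']['subnet']
    if sub is None:
        return False
    net = ipaddress.ip_network(sub, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(r)) for r in ranges)
```

Running parse_pluto_line over the sample shows the left end is host-only while the right end carries 192.168.168.10/32, the NATed peer's private address, which falls inside the configured virtual_private ranges.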