[Openswan Users] Re: crlDistributionPoints

david p david2005.p at gmail.com
Tue Jun 7 13:24:37 CEST 2005


> > 1) So when I establish a VPN from userA to userB, only userB
> > connects to my Apache server to download a CRL to check the
> > userA certificate. However, both certificates (userA and userB) have
> > the distribution point set:
> >
> >
> > X509v3 extensions:
> > X509v3 CRL Distribution Points:
> > URI:http://195.212.109.205/ca.crl
> >
> > Why does only one of the two try to connect to the Apache server? Why userB?
> It might be a timing issue. Did you set strictcrlpolicy=yes?
> 
> Paul
> 

Hi Paul,

1) When I set strictcrlpolicy=yes on my userB there is no problem, the
VPN goes up.
When I set strictcrlpolicy=yes on my userA I have the following error:

[root at dhcp203 private]# ipsec auto --up testvpnda
104 "testvpnda" #1: STATE_MAIN_I1: initiate
106 "testvpnda" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "testvpnda" #1: STATE_MAIN_I3: sent MI3, expecting MR3
010 "testvpnda" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "testvpnda" #1: no RSA public key known for 'C=fr,
ST=ile-de-france, L=paris, O=toto, CN=user01desuri,
E=ngc1976.m42 at caramail.com'; DNS search for KEY failed (can only query
DNS for key for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR)
217 "testvpnda" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION

What does it mean?

2) Another point that I want to clear up:
With the following conf the VPN from userA to userB goes up.
---------------------------------userB ipsec.conf---------------
config setup
klipsdebug=none
plutodebug=all
crlcheckinterval=600

conn %default
keyingtries=0
authby=rsasig

conn testvpnda
left=195.212.109.202
leftcert=user01desuri.crt
right=%any
auto=add
---------------------------------------------------------


---------------------------------userA ipsec.conf---------------

config setup
klipsdebug=none
plutodebug=none
crlcheckinterval=600

conn %default
keyingtries=0
authby=rsasig

conn testvpnda
left=195.212.109.203
leftcert=user02desuri.crt
right=195.212.109.202
rightid="C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01desuri,
E=ngc1976.m42 at caramail.com"
auto=add
---------------------------------------------------------

but when I change the conn testvpnda in the userA ipsec.conf file like this

---------------------------------------------------------
conn testvpnda
left=195.212.109.203
leftcert=user02desuri.crt
right=195.212.109.202
rightcert=user01desuri.crt
auto=add
---------------------------------------------------------
or
---------------------------------------------------------
conn testvpnda
left=195.212.109.203
leftcert=user02desuri.crt
right=195.212.109.202
rightcert=%cert
auto=add
---------------------------------------------------------

it gives this error

[root at dhcp203 private]# ipsec auto --up testvpnda
104 "testvpnda" #1: STATE_MAIN_I1: initiate
106 "testvpnda" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "testvpnda" #1: STATE_MAIN_I3: sent MI3, expecting MR3
010 "testvpnda" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "testvpnda" #1: we require peer to have ID '195.212.109.202', but
peer declares 'C=fr, ST=ile-de-france, L=paris, O=toto,
CN=user01desuri, E=ngc1976.m42 at caramail.com'
218 "testvpnda" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION

Why do I have to specify "rightid" to make the VPN go up?
Why does specifying a certificate with "rightcert" not work?

What should I change in the ipsec.conf files?

thx
david
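As an added example (not from this thread and not Openswan's own code), a small Python helper that re-joins the wrapped "ipsec auto --up" output quoted above, pulls out the peer ID pluto expected versus the one the peer declared, and checks whether a candidate rightid= value names the same DN. The sample transcript is constructed from the post; the record and finding field names are my own.

```python
import re

# pluto prefixes each message with a 3-digit code, the conn name and the SA number;
# long messages were wrapped by the terminal/mailer, so continuation lines carry no prefix.
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
ID_MISMATCH_RE = re.compile(r"we require peer to have ID '([^']*)', but peer declares '([^']*)'")
NO_KEY_RE = re.compile(r"no RSA public key known for '([^']*)'")


def parse_pluto(output):
    """Re-join wrapped lines into (code, conn, msg) records."""
    records = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"code": m.group(1), "conn": m.group(2), "msg": m.group(4)})
        elif records and line.strip():
            records[-1]["msg"] += " " + line.strip()
    return records


def normalize_dn(dn):
    """Canonical spacing for an Openswan DN string (assumes no escaped commas in values)."""
    return ", ".join(rdn.strip() for rdn in dn.split(","))


def id_matches(configured_id, declared_id):
    """True when a rightid= value (possibly wrapped in the conf) names the declared DN."""
    return normalize_dn(configured_id) == normalize_dn(declared_id)


def diagnose(output):
    """Turn the two 003 messages seen in the thread into findings a conf edit can act on."""
    findings = []
    for rec in parse_pluto(output):
        m = ID_MISMATCH_RE.search(rec["msg"])
        if m:
            declared = normalize_dn(m.group(2))
            findings.append({"conn": rec["conn"], "issue": "peer_id_mismatch",
                             "expected": m.group(1), "declared": declared,
                             "suggest": 'rightid="%s"' % declared})
            continue
        m = NO_KEY_RE.search(rec["msg"])
        if m:
            findings.append({"conn": rec["conn"], "issue": "no_peer_public_key",
                             "peer": normalize_dn(m.group(1))})
    return findings


# Constructed sample: the second transcript from the post, wrapped exactly as posted.
SAMPLE = """104 "testvpnda" #1: STATE_MAIN_I1: initiate
003 "testvpnda" #1: we require peer to have ID '195.212.109.202', but
peer declares 'C=fr, ST=ile-de-france, L=paris, O=toto,
CN=user01desuri, E=ngc1976.m42 at caramail.com'
218 "testvpnda" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION"""
```

Running diagnose(SAMPLE) yields one peer_id_mismatch finding whose "suggest" field is the rightid= line that the working userA conf above already carries.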

