[Openswan Users] config question

david p david2005.p at gmail.com
Wed Jun 8 11:00:16 CEST 2005


Hi all,

With the following conf, the VPN from userA ===============> to userB goes up:
---------------------------------userB ipsec.conf---------------
config setup
    klipsdebug=none
    plutodebug=all
    crlcheckinterval=600

conn %default
    keyingtries=0
    authby=rsasig

conn testvpnda
    left=195.212.109.202
    leftcert=user01desuri.crt
    right=%any
    auto=add
---------------------------------------------------------


---------------------------------userA ipsec.conf---------------

config setup
    klipsdebug=none
    plutodebug=none
    crlcheckinterval=600

conn %default
    keyingtries=0
    authby=rsasig

conn testvpnda
    left=195.212.109.203
    leftcert=user02desuri.crt
    right=195.212.109.202
    rightid="C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01desuri, E=ngc1976.m42 at caramail.com"
    auto=add
---------------------------------------------------------

But when I change the conn testvpnda in the userA ipsec.conf file like this

---------------------------------------------------------
conn testvpnda
    left=195.212.109.203
    leftcert=user02desuri.crt
    right=195.212.109.202
    rightcert=user01desuri.crt
    auto=add
---------------------------------------------------------
or 
---------------------------------------------------------
conn testvpnda
    left=195.212.109.203
    leftcert=user02desuri.crt
    right=195.212.109.202
    rightcert=%cert
    auto=add
---------------------------------------------------------

it gives this error:

[root at dhcp203 private]# ipsec auto --up testvpnda
104 "testvpnda" #1: STATE_MAIN_I1: initiate
106 "testvpnda" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "testvpnda" #1: STATE_MAIN_I3: sent MI3, expecting MR3
010 "testvpnda" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "testvpnda" #1: we require peer to have ID '195.212.109.202', but peer declares 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01desuri, E=ngc1976.m42 at caramail.com'
218 "testvpnda" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION

Why do I have to specify the "rightid" to bring the VPN up?
Why does specifying a certificate with "rightcert" not work?

What should I change in the ipsec.conf files?

thx 
david
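
As an added example (not part of the original post, and not Openswan code): a small Python check that pairs the pluto ID-mismatch line from the output above with its conn in ipsec.conf, showing that the ID pluto required is the `right=` address and producing the `rightid=` line that matches what the peer declared, as in the first userA config. The function names are hypothetical, and it assumes the remote peer is the `right` side, as in the post.

```python
import re

# Constructed from the post (wrapped log line joined, address kept as archived).
SAMPLE_LOG = (
    '003 "testvpnda" #1: we require peer to have ID \'195.212.109.202\', but '
    "peer declares 'C=fr, ST=ile-de-france, L=paris, O=toto, "
    "CN=user01desuri, E=ngc1976.m42 at caramail.com'\n"
    '218 "testvpnda" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION\n'
)
SAMPLE_CONF = """\
conn testvpnda
    right=195.212.109.202
    rightcert=user01desuri.crt
"""

MISMATCH = re.compile(
    r'^\d{3} "(?P<conn>[^"]+)" #\d+: we require peer to have ID '
    r"'(?P<required>[^']*)', but peer declares '(?P<declared>[^']*)'", re.M)

def parse_conns(text):
    """Return {conn name: {key: value}} for the conn sections of ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():  # an unindented line opens a new section
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns

def diagnose(log, conf):
    """Pair each ID mismatch in the log with the conn it belongs to."""
    conns, findings = parse_conns(conf), []
    for m in MISMATCH.finditer(log):
        conn = conns.get(m["conn"], {})
        findings.append({
            "conn": m["conn"], "required": m["required"], "declared": m["declared"],
            "rightid_set": "rightid" in conn,
            "required_is_right_addr": m["required"] == conn.get("right"),
            "rightid_line": f'rightid="{m["declared"]}"',
        })
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_CONF))
```
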

