[Openswan Users] Openswan - Windows native
Toman Arpad
dss at sch.bme.hu
Fri Jun 10 22:52:10 CEST 2005
Hi
I have some configuration difficulties. I would appreciate if someone
could help me.
I am trying to make a transport connection between a Linux box with
Openswan and a Windows with native stack using certificates.
The CA for this is on the Windows machine. (I was able to sign my request
and get a proper key back - so this is not the problem.)
I read the README.x509 file and found this:
"rightrsasigkey parameter set to the magic value %cert , signifying that
the public key will be extracted from a X.509 certificates sent by the
peer"
So I used it, but it seems to me in this case it is totally ineffective.
The output said:
"issuer cacert not found
X.509 certificate rejected
we require peer to have ID 'a.b.c.d', but peer declares 'CN=k.l.m.n'"
OK, I thought I'd change the rightid to CN=k.l.m.n, but as it turned out,
then I will need the peer public key despite the parameter above.
The output said:
"issuer cacert not found
X.509 certificate rejected
no RSA public key known for 'CN=k.l.m.n'"
Config:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    klipsdebug="none"
    plutodebug="none"
    plutostderrlog="/var/log/openswan.log"
    uniqueids="yes"
# add connections here
conn %default
    type="transport"
    authby="rsasig"
    rightrsasigkey="%cert"
    left="e.f.g.h"
    leftcert="a.pub"
    rightca="%same"
    auto="start"
conn k.l.m.n
    right="k.l.m.n"
    rightid="CN=k.l.m.n"
# disable opportunistic encryption
include /etc/ipsec.d/examples/no_oe.conf
Log:
Plutorun started on Fri Jun 10 21:49:29 CEST 2005
Starting Pluto (Openswan Version 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR; Vendor ID OEExalF{_o`m)
Setting port floating to off
port floating activate 0/1
including NAT-Traversal patch (Version 0.6c) [disabled]
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=1654 (fd:4)
Using Linux 2.6 IPsec interface code
Changing to directory '/etc/ipsec.d/cacerts'
loaded CA cert file 'k.ca.cert' (1301 bytes)
Changing to directory '/etc/ipsec.d/aacerts'
Changing to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
Warning: empty directory
loaded host cert file '/etc/ipsec.d/certs/e.pub' (2182 bytes)
added connection description "k.l.m.n"
listening for IKE messages
adding interface lo/lo 127.0.0.1:500
adding interface eth0/eth0 152.66.208.63:500
loading secrets from "/etc/ipsec.secrets"
loaded private key file '/etc/ipsec.d/private/e.prv' (963 bytes)
"k.l.m.n" #1: initiating Main Mode
"k.l.m.n" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000004]
"k.l.m.n" #1: ignoring Vendor ID payload [FRAGMENTATION]
"k.l.m.n" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
"k.l.m.n" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
"k.l.m.n" #1: I am sending my cert
"k.l.m.n" #1: I am sending a certificate request
"k.l.m.n" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
"k.l.m.n" #1: Main mode peer ID is ID_DER_ASN1_DN:
'CN=k.l.m.n'
"k.l.m.n" #1: issuer cacert not found
"k.l.m.n" #1: X.509 certificate rejected
"k.l.m.n" #1: no RSA public key known for 'CN=k.l.m.n'
"k.l.m.n" #1: sending encrypted notification
INVALID_KEY_INFORMATION to k.l.m.n:500
"k.l.m.n" #1: failed to build notification for spisize=0
Bye
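The log above shows Pluto doing two separate things with the peer's certificate: it compares the declared ID (ID_DER_ASN1_DN 'CN=k.l.m.n') against rightid, and it looks in /etc/ipsec.d/cacerts for a CA certificate whose subject DN equals the issuer DN of the certificate the peer sent. "issuer cacert not found" means the second lookup failed, so the certificate was rejected and the %cert public key was never extracted. The following script is an added diagnostic, not part of Openswan or of the original post; it assumes the openssl command-line tool is installed and takes the peer certificate file and the cacerts directory as arguments. It reproduces the issuer lookup, then verifies the signature chain, and prints the subject DN that Pluto will see as the peer ID. For a single-component name such as CN=k.l.m.n the DN printed by openssl in RFC2253 form is the same string Pluto logs; for multi-component names the attribute order can differ from Openswan's notation, so compare the components rather than the raw string.

```shell
#!/bin/sh
# Added diagnostic for Openswan "issuer cacert not found" (not project code).
# Assumes the openssl CLI. Usage (hypothetical paths):
#   . ./check-issuer.sh; verify_chain /tmp/peer.pem /etc/ipsec.d/cacerts

# Subject DN of a PEM certificate, one line, RFC2253 form (e.g. CN=k.l.m.n).
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Issuer DN of a PEM certificate in the same form.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# find_issuer_ca PEERCERT CACERTDIR
# Same lookup Pluto performs: print the path of the first CA cert in CACERTDIR
# whose subject DN equals the peer cert's issuer DN. Returns 1 when none
# matches, which is the condition Pluto reports as "issuer cacert not found".
find_issuer_ca() {
    peer=$1
    dir=$2
    issuer=$(cert_issuer "$peer")
    for ca in "$dir"/*; do
        [ -f "$ca" ] || continue
        if [ "$(cert_subject "$ca")" = "$issuer" ]; then
            printf '%s\n' "$ca"
            return 0
        fi
    done
    return 1
}

# verify_chain PEERCERT CACERTDIR
# Locate the issuer as above, then check the signature with that CA only,
# so a CA cert that merely shares the DN but not the key is still rejected.
verify_chain() {
    ca=$(find_issuer_ca "$1" "$2") || return 1
    openssl verify -CAfile "$ca" "$1" >/dev/null 2>&1
}

# rightid_for PEERCERT
# The DN Pluto will report as the peer's ID and expect in rightid=.
rightid_for() {
    cert_subject "$1"
}
```

If find_issuer_ca fails, the CA file in cacerts is not the one that signed the peer's certificate (for example the Windows CA's root or a different intermediate is missing); if it succeeds but verify_chain fails, the DN matches but the signature does not, which also leads to rejection.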