[Openswan Users] Certificates not matching
jerry at tr4.tr2.com
Thu Jun 30 07:37:46 CEST 2005
I'm trying to get a VPN working. It's an Openswan server with a real IP
address talking to a set of Win2K roadwarriors. I'm using X509 certificates,
and the server is also a self-signed CA.
Right now, the Windows side is saying "Error 792: the L2TP connection attempt
failed because security negotiation timed out".
/var/log/secure says "trusted_ca returning with failed" and then
"jerry" (IP address of my laptop) #3: no suitable connection for peer 'C=US etc.
It looks like an X509 problem. Unfortunately, the whole setup of certificates
and signatures is quite confusing. I can probably just rebuild the whole
certificate setup from scratch, using one of the step-by-step instructions
available on the Net, but would rather understand and troubleshoot.
I looked for the "trusted_ca returning with" message in the pluto source,
and found something about checking a chain of CAs. It kind of looked like
a self-signed CA would always fail to match, and would emit that message.
Does anybody have a hint as to where to look to understand the
CA/Certs/Keys setup in /etc/ipsec.d ( or indeed in /etc/ssl )? To
"understand & troubleshoot" as opposed to "doing the whole thing again by
rote", I would be willing to spend a day or so looking at RFCs etc.
The task of building a CA and creating certs is very time consuming,
and doesn't seem to be very "scriptable", because the programs ask for so
much user input. It would be nice to have a way to edit up a config file
with a text editor, verify that all the passphrases and "Subject" fields
match up, and just let 'er rip.
Also, I have found no cogent discussion of the characteristics or
importance of the various passphrases and passwords. Should passphrases
be different for different certs? How about passwords? When I set a password
for a computer/website/whatever I always have to judge whether it's important,
whether it's likely to be compromised by the computer/website/etc., and whether
there's money involved; I'm sure everybody else does the same thing.
- Jerry Kaidor ( jerry at tr2.com )
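The post asks for a non-interactive way to build a self-signed CA plus server and roadwarrior certs, and for a way to check that the certs actually chain to that CA and that their Subject DNs match what the peer expects. The script below is an added example written for this thread, not code from the original post or from the Openswan project. It uses only stock openssl(1) commands: -subj supplies the DN so nothing prompts, -nodes leaves the private keys unencrypted (so no passphrase is needed when the daemon loads them; drop -nodes and add -passout if you want an encrypted key), and "openssl verify -CAfile" performs the same chain check that pluto's trusted_ca code is doing when it reports a failure. The DNs, file names and the scratch directory are assumptions for the example; substitute your own.

```shell
#!/bin/sh
# Added example: scripted CA + certificate build and chain check for an
# IPsec/X.509 setup. Not from the original post or the Openswan project.
# Assumptions: openssl(1) on PATH, output goes to a scratch directory.
set -eu

WORK=${WORK:-$(mktemp -d)}   # assumption: scratch dir for keys and certs
DAYS=365
CA_SUBJ="/C=US/O=Example VPN/CN=Example VPN CA"   # assumed DN

# Self-signed CA: key and certificate in one step, no prompts because
# the whole DN comes from -subj.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" -subj "$CA_SUBJ"
}

# End-entity cert: $1 = file prefix, $2 = subject DN in /C=..../CN=... form.
# Generates an unencrypted key and CSR, then signs the CSR with the CA.
make_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2"
    openssl x509 -req -in "$WORK/$1.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -days "$DAYS" -out "$WORK/$1.pem"
}

# A cert issued by some other (self-signed) CA, used to show the chain
# check failing; constructed for the example only.
make_rogue() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" \
        -subj "/C=US/O=Someone Else/CN=jerry"
}

# Chain check: exit 0 only if $1.pem was signed by our CA. This is the
# test to run when the daemon logs that the trusted CA check failed.
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$1.pem" >/dev/null
}

# Subject and issuer DNs in RFC 2253 form, with the "subject=" /
# "issuer=" prefix stripped so output is stable across openssl versions.
cert_subject() {
    openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}
cert_issuer() {
    openssl x509 -in "$WORK/$1.pem" -noout -issuer -nameopt RFC2253 \
        | sed 's/^issuer= *//'
}

# Exit 0 if the cert's Subject DN is exactly $2; this is the string the
# peer side has to be configured to expect, so a mismatch here explains
# a "no suitable connection for peer" style rejection.
subject_matches() {
    [ "$(cert_subject "$1")" = "$2" ]
}

build_all() {
    make_ca
    make_cert server "/C=US/O=Example VPN/CN=vpn.example.com"
    make_cert jerry  "/C=US/O=Example VPN/CN=jerry"
    make_rogue
}

build_all
echo "CA issued:   $(cert_subject jerry) (issuer: $(cert_issuer jerry))"
verify_chain jerry && echo "jerry.pem chains to cacert.pem"
verify_chain rogue || echo "rogue.pem does NOT chain to cacert.pem (expected)"
```

The same four-line pattern (req -x509 for the CA, req -new plus x509 -req per peer, verify -CAfile to confirm) covers any number of roadwarriors; give each its own key file and a distinct CN so the Subject DNs are unambiguous.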