[Openswan Users] Certificates not matching

Jerome Kaidor jerry at tr4.tr2.com
Thu Jun 30 07:37:46 CEST 2005

Hi folks,

    I'm trying to get a VPN working.  It's an Openswan server with a real IP
address talking to a set of Win2K road warriors.  I'm using X509 certificates,
and the server is also a self-signed CA.

  Right now, the Windows side is saying "Error 792: the L2TP connection attempt
failed because security negotiation timed out".
  /var/log/secure says "trusted_ca returning with failed" and then
"jerry"[3] (IP address of my laptop) #3: no suitable connection for peer 'C=US etc

  It looks like an X509 problem.  Unfortunately, the whole setup of certificates
and signatures is quite confusing.  I can probably just rebuild the whole
certificate setup from scratch, using one of the step-by-step instructions
available on the Net, but would rather understand and troubleshoot.

  I looked for the "trusted_ca returning with" message in the pluto source,
and found something about checking a chain of CAs.  It kind of looked like
a self-signed CA would always fail to match, and would emit that message.

  Does anybody have a hint as to where to look to understand the
CA/Certs/Keys setup in /etc/ipsec.d ( or indeed in /etc/ssl )?  To
"understand & troubleshoot" as opposed to "doing the whole thing again by
rote", I would be willing to spend a day or so looking at RFCs etc.

  The task of building a CA and creating certs is very time consuming,
and doesn't seem to be very "scriptable", because the programs ask for so
much user input.  It would be nice to have a way to edit up a config file
with a text editor, verify that all the passphrases and "Subject" fields
match up, and just let 'er rip.

  Also, I have found no cogent discussion of the characteristics or
importance of the various passphrases and passwords.  Should passphrases
be different for different certs?  How about passwords?  When I set a password
for a computer/website/whatever I always have to judge whether it's important,
whether it's likely to be compromised by the computer/website/etc, and whether
there's money involved.  I'm sure everybody else does the same thing.

                    - Jerry Kaidor ( jerry at tr2.com )
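A non-interactive way to do the CA and certificate build described above, added here as an example (it is not from the original post or from the Openswan project). It assumes only the openssl command-line tool; the subject names are constructed sample values. The final `openswan verify`-style chain check is what to run before copying files into /etc/ipsec.d: a road-warrior cert that does not verify against the CA cert here will not match a pluto that trusts that CA either.

```shell
#!/bin/sh
# Added example (not from the original post or Openswan). Assumes the openssl
# CLI; all subject names below are constructed sample values.
set -eu

# Build a self-signed CA plus one road-warrior certificate in $1, with no
# interactive prompts: -subj supplies the Subject, -nodes skips key passphrases.
build_pki() {
  dir=$1
  mkdir -p "$dir"
  # CA key and self-signed CA certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/C=US/O=Example VPN/CN=Example VPN CA" 2>/dev/null
  # Road-warrior key and certificate request.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/jerry.key" -out "$dir/jerry.csr" \
    -subj "/C=US/O=Example VPN/CN=jerry" 2>/dev/null
  # Sign the request with the CA; no openssl-ca index database is needed.
  openssl x509 -req -days 365 -in "$dir/jerry.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/jerry.crt" 2>/dev/null
}

# Chain check: returns 0 when cert $2 verifies against CA cert $1, else 1.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Show Subject and Issuer so an Issuer that does not match the CA's Subject
# (a rebuilt or mismatched CA) can be spotted without reading pluto logs.
show_names() {
  openssl x509 -in "$1" -noout -subject -issuer
}

# Demo when run with a scratch directory argument: ./pki.sh /tmp/pki
if [ $# -gt 0 ]; then
  build_pki "$1"
  show_names "$1/jerry.crt"
  if verify_chain "$1/ca.crt" "$1/jerry.crt"; then
    echo "chain OK"
  else
    echo "chain FAILED: leaf does not verify against ca.crt"
  fi
fi
```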
