[Openswan Users] testing very simple openswan architecture
Paul Wouters
paul at xelerance.com
Tue May 3 19:40:54 CEST 2005
On Tue, 3 May 2005, david wrote:
> I read the documentation strongsec/freeswan and the how-to from Nate Carlson but I think I do not understand how to configure the ipsec.conf files for the two hosts.
>
> HostA and hostB are directly linked.
>
> --------------------HostA certificate files----------------------
> /etc/openswan/ipsec.d/private/user01des.key
> /etc/openswan/ipsec.d/certs/user01des.crt
> /etc/openswan/ipsec.d/cacerts/ca.crt
>
> -----------------------------end-----------------------------------
>
> --------------------HostB certificate files----------------------
> /etc/openswan/ipsec.d/private/user02des.key
> /etc/openswan/ipsec.d/certs/user02des.crt
> /etc/openswan/ipsec.d/cacerts/ca.crt
>
> -----------------------------end-----------------------------------
>
> user01des.crt and user02.crt are signed by the ca.crt
> For all the keys, the length is 1024 with DES3.
>
> -------------------host A ipsec.conf file------------------------
> config setup
>     klipsdebug=none
>     plutodebug=all
>
> # Add connections here
> conn %default
>     keyingtries=0
>     authby=rsasig
>
>
> # sample VPN connection
> conn testvpnda
>     left=195.212.109.202
>     leftcert=user01des.crt
>     right=195.212.109.203
>     rightrsasigkey=%cert
>     auto=add
>
> ------------------------------end-------------------------------------
>
> I put the same configuration for hostA and hostB.

That won't work, unless you changed leftcert/rightcert. Both ends need to
load only their own certificate.

Helpful command: ipsec auto --listall

Check to see if your certificate loaded, that it has a private key loaded, and
that the root CA is loaded on both ends.

Paul
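
Added example (not part of the original thread, and not Openswan code): a small Python lint for the rule in the reply above, that each end loads only its own certificate. It runs on the hostA file quoted in the thread and on a constructed hostB variant; the names `parse_conns` and `check_host`, and the hostB variant using `rightcert=user02des.crt` with `leftrsasigkey=%cert`, are assumptions made for illustration.

```python
import re

# hostA's file as quoted in the thread; the poster put the same file on hostB.
CONF_A = """
config setup
    klipsdebug=none
    plutodebug=all
conn %default
    keyingtries=0
    authby=rsasig
conn testvpnda
    left=195.212.109.202
    leftcert=user01des.crt
    right=195.212.109.203
    rightrsasigkey=%cert
    auto=add
"""
# Constructed hostB variant (assumption): the certificate moves to hostB's own side.
CONF_B_FIXED = CONF_A.replace("leftcert=user01des.crt", "leftrsasigkey=%cert") \
                     .replace("rightrsasigkey=%cert", "rightcert=user02des.crt")

def parse_conns(text):
    """Parse ipsec.conf text into {conn: {key: value}}, folding in conn %default."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:  # section header; keys under "config setup" are skipped
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def check_host(conf_text, local_ip):
    """List the ways this host's conns break the 'only your own certificate' rule."""
    problems = []
    for name, c in parse_conns(conf_text).items():
        local = next((s for s in ("left", "right") if c.get(s) == local_ip), None)
        if local is None:
            problems.append(f"{name}: neither left nor right is {local_ip}")
            continue
        remote = "right" if local == "left" else "left"
        if f"{local}cert" not in c:
            problems.append(f"{name}: no {local}cert for local side {local_ip}")
        if f"{remote}cert" in c:
            problems.append(f"{name}: {remote}cert loads the peer's certificate {c[remote + 'cert']}")
    return problems
```

Calling `check_host(CONF_A, "195.212.109.203")` reports both symptoms of copying hostA's file to hostB unchanged; the lint only checks which side carries the certificate, not whether pluto actually loaded it, which is what `ipsec auto --listall` shows.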