[Openswan Users] Stuck with rekeying problem, initiated QM from Openswan

Steffen Becker becker at informatik.uni-oldenburg.de
Sun May 22 12:25:14 CEST 2005


Hi,

> I assume that you have used the following Howto?
> http://www.elminster.com/xoops/modules/phpwiki/index.php/IpcopL2tpRemoteAccessServer
> In that case your ipsec.conf probably looks like this:
Yes, you are right. I used that HowTo with the only difference that my L2TPD
is not running on the IPCop machine. But as L2TP works fine, I assume that
this is not the problem.
Btw. I also disabled all NAT related entries as I have no NAT'ed
connections to the IPCop machine... So I assume it is also not related to NAT
issues...
 
> I assume the root certificate has been created in 
> /var/ipcop/ca/cacert.pem?
Yes, I have two root CAs put into /var/ipcop/ca. And Openswan lists both of
them during startup in the logs... And in my posted oakley.log you can see
that openswan sends the right certificate based ID to Windows during the
rekey initiation...

>>  5-18: 18:57:45:791:d6c Zertifikatsbasierte Identität. Peerantragsteller
>> C=DE, S=Niedersachsen, L=Oldenburg, O=Uni Oldenburg, OU=StB,
>> CN=ipcop.zuhause.xx  Peer-SHA-Fingerabdruck
My IPCop Cert...

>> afee433ca7589b1da3579ce4ff424e63b6ae953e  Peer, der die
>> Zertifizierungsstelle ausstellt: C=DE, S=Niedersachsen, L=Oldenburg, O=Uni
>> Oldenburg, OU=StB, CN=IPSec WLAN Root CA,
>> E=becker at informatik.uni-oldenburg.de  Stammzertifizierungsstelle C=DE,
My WLAN Root CA...

>> S=Niedersachsen, L=Oldenburg, O=Uni Oldenburg, OU=StB, CN=IPSec WLAN Root
>> CA, E=becker at informatik.uni-oldenburg.de  Eigener Antragsteller C=DE,
>> S=Niedersachsen, L=Oldenburg, O=Uni Oldenburg, OU=StB, CN=sam.zuhause.xx
And my XP machine called sam.zuhause.xx

Additionally, it must have picked them up right, because otherwise I would
have been unable to initiate the connection at all, wouldn't I? The problem
happens after 1 hour when the rekeying should take place....

> Do you see Openswan pick it up? Did you have to copy it to
> /etc/ipsec.d/cacerts? What if you add rightca=%same?
Ok, I'll test rightca=%same on Monday and report whether it helps...

Thanks for your thoughts!

Steffen



------------------------------------------------------------------------
Dipl. Wirtsch. Inform. Steffen Becker, DFG Junior Research Group "Palladio",
Fk 2, Department of Computing Science, Software Engineering Group 
CvO Universität Oldenburg / OFFIS, Escherweg 2, D-26121 Oldenburg
Email: becker at informatik.uni-oldenburg.de
URL: http://se.informatik.uni-oldenburg.de
Voice: +49 441 9722-582 (-501, secr.) Fax: +49 441 9722-502
------------------------------------------------------------------------
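As an added illustration (not part of this thread or the HowTo it cites), this is the shape of an Openswan X.509 L2TP/IPsec conn section in which the suggested rightca=%same and the rekey lifetimes that drive the hourly Quick Mode rekey are set explicitly; the certificate file name and the lifetime values are assumptions.

```ini
# Assumed example, not from the thread: Openswan road-warrior L2TP/IPsec
# connection authenticated with X.509 certificates.
config setup
        interfaces=%defaultroute
        nat_traversal=no           # NAT-T disabled, as described in the mail

conn l2tp-x509
        type=transport
        authby=rsasig
        pfs=no
        rekey=yes                  # Openswan initiates the rekey itself
        keylife=1h                 # IPsec SA lifetime; QM rekey fires before it expires
        ikelifetime=8h             # ISAKMP SA lifetime
        keyingtries=3
        left=%defaultroute
        leftcert=ipcop.zuhause.xx.pem   # gateway certificate (file name assumed)
        leftrsasigkey=%cert
        leftprotoport=17/1701
        right=%any
        rightrsasigkey=%cert
        rightca=%same              # accept only peers issued by the CA that issued leftcert
        rightprotoport=17/%any
        auto=add
```

With two root CAs present in /etc/ipsec.d/cacerts, rightca=%same pins the peer to the one that issued the gateway certificate, which makes it visible in the logs if the peer's certificate chains to the other CA.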


