[Openswan Users]

Paul Wouters paul at xelerance.com
Wed Apr 19 18:03:32 CEST 2006


On Wed, 19 Apr 2006, Christian Horn wrote:

> I try to connect with OpenSwan to a Checkpoint FW-1
> using rsasig from a smartcard. From windows the SecureRemote
> client does this.
>
> The connection-attempt comes this far:
> pluto[6206]: "fcl" #1: initiating Main Mode
> pluto[6206]: "fcl" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> pluto[6206]: "fcl" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> pluto[6206]: "fcl" #1: I am sending my cert
> pluto[6206]: "fcl" #1: I am sending a certificate request
> pluto[6206]: "fcl" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> pluto[6206]: "fcl" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> pluto[6206]: "fcl" #1: discarding duplicate packet; already STATE_MAIN_I3
> pluto[6206]: "fcl" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> pluto[6206]: "fcl" #1: received and ignored informational message
>
> Looking at the last packet I get from the other side
> ('type NO_PROPOSAL_CHOSEN' in log) I see '[23] User unknown'.
> I use the same key for authentication as from windows, checked
> the key-serial with the windows-client and pkcs15-tool/openssl.
>
> But the Subject of the cert under windows is different from
> what it is here, if that is the problem the 'User unknown' for
> my attempts from OpenSwan would make sense.

Are you sure it is the DN that is the issue here? And not perhaps another
setting in your conn, such as a missing pfs=no ?

> How to override the Subject from the cert that is read from smartcard
> and sent to the other side then?
> Using
>         leftid="cn-as-seen-on-windows-client"
>         leftcert=%smartcard0:02
>         leftrsasigkey=%cert
> doesn't change it.

I am not sure, but I would imagine overriding the data on the smartcard
would not be the way to resolve this problem.

Paul
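As an added illustration that is not part of the original thread, the following Python script walks pluto's Main Mode state transitions for each ISAKMP SA in a log excerpt and reports where the negotiation stopped and which informational notification the peer sent. It is run here over the lines quoted above (embedded as a constructed sample). The state names and log messages are pluto's own; the classification labels and the explanation strings are this example's assumptions, not Openswan output.

```python
import re

# Constructed sample input: the pluto lines quoted in the message above.
SAMPLE_LOG = """\
pluto[6206]: "fcl" #1: initiating Main Mode
pluto[6206]: "fcl" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[6206]: "fcl" #1: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[6206]: "fcl" #1: I am sending my cert
pluto[6206]: "fcl" #1: I am sending a certificate request
pluto[6206]: "fcl" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
pluto[6206]: "fcl" #1: STATE_MAIN_I3: sent MI3, expecting MR3
pluto[6206]: "fcl" #1: discarding duplicate packet; already STATE_MAIN_I3
pluto[6206]: "fcl" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
pluto[6206]: "fcl" #1: received and ignored informational message
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
NOTIFY_RE = re.compile(r'ignoring informational payload, type (\S+)')

# What each IKEv1 Main Mode initiator state (pluto naming) means for the exchange.
STAGE = {
    "STATE_MAIN_I1": "MI1 sent: SA proposal; waiting for MR1",
    "STATE_MAIN_I2": "MI2 sent: KE and nonce; waiting for MR2",
    "STATE_MAIN_I3": "MI3 sent: ID, certificate and signature; waiting for MR3",
    "STATE_MAIN_I4": "MR3 received: ISAKMP SA established",
}

# Classification labels are an assumption of this example, not pluto terminology.
EXPLANATION = {
    "PHASE1_OK": "Main Mode completed.",
    "REJECTED_AT_PROPOSAL": "Peer refused the SA proposal in MI1 (transforms/DH group).",
    "REJECTED_AFTER_MI3": ("Peer accepted the SA proposal (state advanced past I1) and rejected "
                           "only after ID, certificate and signature were sent: compare the ID "
                           "payload (leftid) with what the peer expects for this certificate and "
                           "review conn settings the peer may refuse; the peer's log is the "
                           "authoritative reason."),
    "REJECTED": "Peer sent a notification before Main Mode completed.",
    "INCOMPLETE": "No notification seen; negotiation did not finish in this excerpt.",
}


def analyze_pluto_log(text):
    """Per (conn, SA#): last state, notifications, duplicate count, cert sent, classification."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a pluto SA line
        key = (m.group("conn"), int(m.group("sa")))
        entry = sas.setdefault(key, {"state": None, "notifications": [],
                                     "duplicates": 0, "sent_cert": False})
        msg = m.group("msg")
        if msg == "initiating Main Mode":
            entry["state"] = "STATE_MAIN_I1"
        t = TRANSITION_RE.search(msg)
        if t:
            entry["state"] = t.group(2)
        if msg == "I am sending my cert":
            entry["sent_cert"] = True
        if msg.startswith("discarding duplicate packet"):
            entry["duplicates"] += 1  # peer retransmitting: our reply likely not accepted
        n = NOTIFY_RE.search(msg)
        if n:
            entry["notifications"].append(n.group(1))
    for entry in sas.values():
        entry["classification"] = classify(entry)
    return sas


def classify(entry):
    """Map the final state plus any notification onto one of the labels above."""
    state, notes = entry["state"], entry["notifications"]
    if state == "STATE_MAIN_I4":
        return "PHASE1_OK"
    if notes and state == "STATE_MAIN_I1":
        return "REJECTED_AT_PROPOSAL"
    if notes and state == "STATE_MAIN_I3":
        return "REJECTED_AFTER_MI3"
    if notes:
        return "REJECTED"
    return "INCOMPLETE"


def report(text):
    """Human-readable summary lines, one per SA."""
    out = []
    for (conn, sa), e in analyze_pluto_log(text).items():
        out.append(f'"{conn}" #{sa}: stopped at {e["state"]} ({STAGE.get(e["state"], "?")}); '
                   f'notifications={e["notifications"]}; duplicates={e["duplicates"]}; '
                   f'{e["classification"]}: {EXPLANATION[e["classification"]]}')
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

For the quoted excerpt the tool reports SA #1 stopped at STATE_MAIN_I3 with a NO_PROPOSAL_CHOSEN notification after the certificate was sent, which is the same reading Paul's reply works from: the proposal itself was accepted, so the mismatch lies in what was sent in MI3 or in a conn parameter the peer refuses.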

