[Openswan Users] openswan/smartcard to fw-1 tunnel

Christian Horn chorn at fluxcoil.net
Fri Apr 21 09:25:41 CEST 2006


On Wed, Apr 19, 2006 at 05:03:32PM +0200, Paul Wouters wrote:
> On Wed, 19 Apr 2006, Christian Horn wrote:
> 
> > I try to connect with OpenSwan to a Checkpoint FW-1
> > using rsasig from a smartcard. From windows the SecureRemote-
> > client does this.
> >
> > pluto[6206]: "fcl" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> > pluto[6206]: "fcl" #1: discarding duplicate packet; already STATE_MAIN_I3
> > pluto[6206]: "fcl" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> > pluto[6206]: "fcl" #1: received and ignored informational message
> 
> Are you sure it is the DN that is the issue here? And not perhaps another
> setting in your conn, such as a missing pfs=no ?

pfs=no was set; after a 'cleanup of old certs and stuff' the FW-1 accepts
my authorization and I can build up the tunnel.

The FW-1 tunnel endpoints here apparently do not send their cert over;
I need to get and specify it for each FW-1.

The other thing is, the SecureRemote client under Windows gets a large
(>100kb) topology file here with instructions on what networks to route
to what firewall; I will try to use that xfrm stuff to set those
policies with openswan.


Thanks for answering, Christian.
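Added example, not part of the thread: a small triage script for the pluto log lines quoted above. It groups lines by conn name and ISAKMP SA number, records the last Main Mode state reached and any informational notification, and turns a NO_PROPOSAL_CHOSEN after MI3 into the kind of hint Paul gave (check the conn settings such as pfs=no and the certificate material). The sample log is the quoted lines, constructed inline; the diagnosis strings are this example's own wording.

```python
import re

# Constructed sample: the four pluto lines quoted in the thread.
SAMPLE_LOG = """\
pluto[6206]: "fcl" #1: STATE_MAIN_I3: sent MI3, expecting MR3
pluto[6206]: "fcl" #1: discarding duplicate packet; already STATE_MAIN_I3
pluto[6206]: "fcl" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
pluto[6206]: "fcl" #1: received and ignored informational message
"""

# pluto's line shape: pluto[PID]: "CONN" #SA: MESSAGE
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
# A state line starts its message with the state name, e.g. STATE_MAIN_I3.
STATE_RE = re.compile(r'STATE_MAIN_(?P<role>[IR])(?P<n>\d)')
NOTIFY_RE = re.compile(r'informational payload, type (?P<type>\w+)')


def triage(log_text):
    """Return {(conn, sa): {"last_state": str|None, "notifications": [...]}}."""
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a pluto per-SA line
        key = (m["conn"], int(m["sa"]))
        entry = result.setdefault(key, {"last_state": None, "notifications": []})
        msg = m["msg"]
        state = STATE_RE.match(msg)  # only lines that *announce* a state
        if state:
            entry["last_state"] = state.group(0)
        notify = NOTIFY_RE.search(msg)
        if notify:
            entry["notifications"].append(notify["type"])
    return result


def diagnose(entry):
    """Map one SA's triage record to a plain-language hint for the operator."""
    if "NO_PROPOSAL_CHOSEN" in entry["notifications"]:
        if entry["last_state"] == "STATE_MAIN_I3":
            return ("peer rejected the exchange after MI3 (identity/signature sent): "
                    "review the conn settings (e.g. pfs=no) and the certificate material")
        return "peer rejected the proposal: review ike=/esp= and pfs settings"
    if entry["last_state"]:
        return "no fatal notification seen; last state " + entry["last_state"]
    return "no state information for this SA"


if __name__ == "__main__":
    for (conn, sa), entry in triage(SAMPLE_LOG).items():
        print(f'"{conn}" #{sa}: {diagnose(entry)}')
```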
