[Openswan Users]
Paul Wouters
paul at xelerance.com
Sun Apr 30 19:08:54 CEST 2006
On Sat, 29 Apr 2006, sean dai wrote:
> I was able to bring up X.509-based (w/o using CA)
> IPsec connection between the two linux boxes. But
> when I started to use a certificate authority, after
> doing "service ipsec start" on the west, and "service
> ipsec start; ipsec auto --up west-east" on the east, I
> got the following error message on the east (similar
> error message in west too, I think):
> 10.0.1.1 #1: Main mode peer ID is ID_DER_ASN1_DN:
> 'C=ca, ST=ontario, O=xelerance, OU=support staff,
> CN=east, E=east at xelerance.com'
> Apr 30 00:24:30 localhost pluto[9790]: "west-east"[1]
> 10.0.1.1 #1: no crl from issuer "C=ca, ST=ontario,
> L=toronto, O=xelerance, OU=support staff, CN=xelerance
> root ca, E=ca at xelerance.com" found (strict=no)
> Apr 30 00:24:30 localhost pluto[9790]: "west-east"[1]
> 10.0.1.1 #1: no suitable connection for peer 'C=ca,
> ST=ontario, O=xelerance, OU=support staff, CN=east,
> E=east at xelerance.com'
Can you show ipsec auto --listall from that end, so we can
see if the certificates and private key loaded properly?
> conn west-east
> left=10.0.1.20
> leftcert=/etc/ipsec.d/certs/westcert.pem
> rightrsasigkey=%cert
> right=%any
> rightid="C=ca, ST=ontario, L=toronto,
> O=xelerance, OU=support staff, CN=east,
> e=east at xelerance.com"
> type=tunnel
> auto=add
You don't need to put in the rightid, it will come from the certificate.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
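The failure Paul is pointing at is visible in the quoted log: pluto prints the DN the peer actually presented, and the configured rightid carries an extra "L=toronto" RDN that the peer's certificate does not, so no connection matches. The following script is an added example, not code from the thread or from Openswan; it parses the quoted pluto lines (constructed here as sample input, with the archive's " at " restored to "@") and reports exactly which RDNs differ between the configured rightid and the presented DN. It assumes DN values contain no escaped commas.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the three pluto lines quoted in the thread,
# with the mailing-list archive's " at " obfuscation restored to "@".
PLUTO_LOG = """\
Apr 30 00:24:30 localhost pluto[9790]: "west-east"[1] 10.0.1.1 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=ca, ST=ontario, O=xelerance, OU=support staff, CN=east, E=east@xelerance.com'
Apr 30 00:24:30 localhost pluto[9790]: "west-east"[1] 10.0.1.1 #1: no crl from issuer "C=ca, ST=ontario, L=toronto, O=xelerance, OU=support staff, CN=xelerance root ca, E=ca@xelerance.com" found (strict=no)
Apr 30 00:24:30 localhost pluto[9790]: "west-east"[1] 10.0.1.1 #1: no suitable connection for peer 'C=ca, ST=ontario, O=xelerance, OU=support staff, CN=east, E=east@xelerance.com'
""".splitlines()

# The rightid from the quoted conn block (same obfuscation restored).
CONFIGURED_RIGHTID = ("C=ca, ST=ontario, L=toronto, O=xelerance, "
                      "OU=support staff, CN=east, e=east@xelerance.com")

PEER_ID_RE = re.compile(r"peer ID is ID_DER_ASN1_DN: '([^']*)'")
NO_CONN_RE = re.compile(r"no suitable connection for peer '([^']*)'")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a comma-separated DN into ordered (attribute, value) pairs.

    Attribute types are upper-cased (pluto prints them that way, the quoted
    config used a lower-case 'e='); values are kept as written. Assumes no
    escaped commas inside values.
    """
    pairs = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def peer_ids_from_log(lines) -> List[str]:
    """DNs pluto reports as the peer's Main Mode ID."""
    return [m.group(1) for m in (PEER_ID_RE.search(l) for l in lines) if m]


def rejected_peers_from_log(lines) -> List[str]:
    """DNs for which pluto found no suitable connection."""
    return [m.group(1) for m in (NO_CONN_RE.search(l) for l in lines) if m]


def compare_dn(configured: str, presented: str) -> Dict[str, object]:
    """Report how a configured rightid differs from the DN the peer presented.

    pluto matches the whole DN, so an RDN present on one side and absent on
    the other is enough to produce 'no suitable connection for peer'.
    """
    conf = parse_dn(configured)
    peer = parse_dn(presented)
    conf_set, peer_set = set(conf), set(peer)
    return {
        "match": conf == peer,
        "only_in_config": [p for p in conf if p not in peer_set],
        "only_in_peer": [p for p in peer if p not in conf_set],
    }


def diagnose(lines, configured: str) -> List[str]:
    """Human-readable findings for every rejected peer in the log."""
    report = []
    for dn in rejected_peers_from_log(lines):
        result = compare_dn(configured, dn)
        if result["match"]:
            report.append("rightid equals the presented DN; check that the cert "
                          "and key loaded (ipsec auto --listall)")
            continue
        for attr, value in result["only_in_config"]:
            report.append(f"rightid has {attr}={value} but the peer's "
                          f"certificate DN does not")
        for attr, value in result["only_in_peer"]:
            report.append(f"peer DN has {attr}={value} but rightid does not")
        report.append("fix: drop rightid and let it come from the certificate")
    return report


if __name__ == "__main__":
    for finding in diagnose(PLUTO_LOG, CONFIGURED_RIGHTID):
        print(finding)
```

Run against the quoted lines it reports the single stray "L=toronto" RDN in the configuration; the same comparison can be pointed at a live /var/log/secure (or wherever pluto logs) and the rightid lines of ipsec.conf when the config is correct apart from this one pair.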