[Openswan Users] windows client behind nat
Jacco de Leeuw
jacco2 at dds.nl
Wed Oct 25 09:53:19 EDT 2006
Nicolelli wrote:

> this is my output.txt for the command ipsec barf

> conn nico
> rightcert=/etc/ipsec.d/certs/mrcyano.graphimedia.it.pem

This means that only 'C=IT, ST=Torino, L=Montanaro, O=nicolan,
CN=mrcyano.graphimedia.it' is allowed in, ....

> Oct 25 11:04:31 omnia pluto[17362]: "nico"[1] 87.14.169.244 #1:
> no suitable connection for peer 'C=IT, ST=Torino, L=Montanaro,
> O=nicolan, CN=scaricatore.intranet.it'

... but the other guy is connecting. Change it to
rightcert=/etc/ipsec.d/certs/scaricatore.graphimedia.it.pem
or check out the other X.509 parameters such as rightid.

Other points of interest:

> config setup
> nat_traversal=yes

I would recommend
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/16
because 10.0.0.0/16 is your internal subnet on eth0.

> 000 List of X.509 CA Certificates:
> 000 subject: 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=nicolan'
> 000 validity: not before Oct 19 20:15:21 2006 ok
> 000 not after Oct 19 20:15:21 2007 ok

This is a relatively short time for a CA certificate, and may
come to haunt you in one year's time.

Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
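
Added example, not part of the original message and not Openswan code: a small Python model of how the recommended virtual_private value treats the address of a client behind NAT, showing what the `%v4:!10.0.0.0/16` exclusion changes. It assumes an address is accepted when it falls inside a listed network and does not overlap an excluded one; the function names and the sample client addresses are constructed for illustration.

```python
import ipaddress

# Value recommended in the message above.
RECOMMENDED = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,"
               "%v4:192.168.0.0/16,%v4:!10.0.0.0/16")
# Constructed variant with the exclusion left out, for comparison.
WITHOUT_EXCLUSION = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"


def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) IPv4 networks."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue  # this model only handles IPv4 entries
        spec = item[len("%v4:"):]
        target = excluded if spec.startswith("!") else allowed
        target.append(ipaddress.ip_network(spec.lstrip("!"), strict=True))
    return allowed, excluded


def client_subnet_accepted(value, client_net):
    """Return True if a NATed client's private address/subnet would be accepted.

    Assumed semantics: any overlap with a '!' network rejects the client,
    otherwise the client must sit entirely inside one allowed network.
    """
    net = ipaddress.ip_network(client_net)
    allowed, excluded = parse_virtual_private(value)
    if any(net.overlaps(x) for x in excluded):
        return False
    return any(net.subnet_of(a) for a in allowed)


if __name__ == "__main__":
    # Constructed client addresses: a home LAN, one clashing with the
    # gateway's internal 10.0.0.0/16, and one elsewhere in 10.0.0.0/8.
    for addr in ("192.168.1.10/32", "10.0.5.7/32", "10.1.2.3/32"):
        print(addr,
              "recommended:", client_subnet_accepted(RECOMMENDED, addr),
              "no exclusion:", client_subnet_accepted(WITHOUT_EXCLUSION, addr))
```

Without the exclusion, a client whose private address lies in the gateway's own internal range is accepted, which is the overlap the recommended value is meant to prevent.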