[Openswan Users] windows client behind nat
Nicolelli Federico
nico at tcpsas.com
Wed Oct 25 11:33:34 EDT 2006
Jacco de Leeuw wrote:
> Nicolelli wrote:
>
>> this is my output.txt for the command ipsec barf
>
>> conn nico
>> rightcert=/etc/ipsec.d/certs/mrcyano.graphimedia.it.pem
>
> This means that only 'C=IT, ST=Torino, L=Montanaro, O=nicolan,
> CN=mrcyano.graphimedia.it' is allowed in, ....
>
>> Oct 25 11:04:31 omnia pluto[17362]: "nico"[1] 87.14.169.244 #1:
>> no suitable connection for peer 'C=IT, ST=Torino, L=Montanaro,
>> O=nicolan, CN=scaricatore.intranet.it'
>
> ... but the other guy is connecting. Change it to
> rightcert=/etc/ipsec.d/certs/scaricatore.graphimedia.it.pem
>
> or check out the other X.509 parameters such as rightid.
>
> Other points of interest:
>
>> config setup
>> nat_traversal=yes
>
> I would recommend
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/16
> because 10.0.0.0/16 is your internal subnet on eth0.
>
>> 000 List of X.509 CA Certificates:
>> 000 subject: 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=nicolan'
>> 000 validity: not before Oct 19 20:15:21 2006 ok
>> 000 not after Oct 19 20:15:21 2007 ok
>
> This is a relatively short time for a CA certificate, and may
> come to haunt you in one year's time.
>
> Jacco
Thanks Jacco,
I've made a mistake creating my CA! In my openssl.cnf I wrote 365 instead of
3650... I will create a new one!
And I made a mistake with certificates too!
So I made a lot of mistakes :), now I'll try again with a correct configuration.
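
The mismatch Jacco points out above, shown as an added example that is not part of the original messages: it pulls the rejected peer DN out of pluto's "no suitable connection for peer" line and compares it with the subject the conn's rightcert= allows. The log line and both DNs are the ones quoted in the thread; the function names and the `EXPECTED` mapping are assumptions for illustration (in practice the subject would be read from the certificate, e.g. with `openssl x509 -noout -subject`).

```python
import re

# Log line quoted in the thread, rejoined onto one line.
LOG = (
    'Oct 25 11:04:31 omnia pluto[17362]: "nico"[1] 87.14.169.244 #1: '
    "no suitable connection for peer 'C=IT, ST=Torino, L=Montanaro, "
    "O=nicolan, CN=scaricatore.intranet.it'"
)
# Subject of the certificate named by rightcert=, as stated in the thread.
EXPECTED = {"nico": "C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it"}

REJECT = re.compile(
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<ip>\S+) #\d+: '
    r"no suitable connection for peer '(?P<dn>[^']*)'"
)

def parse_dn(dn):
    """Split 'K=V, K=V' into a list of (KEY, value) pairs, order kept."""
    pairs = []
    for part in re.split(r",\s*(?=[A-Za-z0-9.]+=)", dn.strip()):
        key, _, value = part.partition("=")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs

def dn_diff(expected, presented):
    """Return {attr: (expected, presented)} for attributes that differ.
    Simplification: a repeated attribute (e.g. two OUs) keeps its last value."""
    exp, got = dict(parse_dn(expected)), dict(parse_dn(presented))
    return {k: (exp.get(k), got.get(k))
            for k in sorted(set(exp) | set(got)) if exp.get(k) != got.get(k)}

def triage(lines, expected_by_conn):
    """Yield (conn, peer_ip, diff) for every rejected peer found in the log."""
    for line in lines:
        m = REJECT.search(line)
        if not m:
            continue
        want = expected_by_conn.get(m["conn"])
        yield m["conn"], m["ip"], dn_diff(want, m["dn"]) if want else None

if __name__ == "__main__":
    for conn, ip, diff in triage([LOG], EXPECTED):
        print(f"conn {conn}: peer {ip} rejected")
        for attr, (want, got) in (diff or {}).items():
            print(f"  {attr}: configured {want!r}, presented {got!r}")
```
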