[Openswan Users] PSK works, certificates not
paul at xelerance.com
Tue Jul 17 13:24:14 EDT 2007
On Tue, 17 Jul 2007, Arno Lehmann wrote:
> Quite basic at the moment:
> I have an internal network, 192.168.0.0/24, where I run a server that
> will become a VPN gateway. This is "balrog" at 192.168.0.22.
> A test client "phoenix" is at .88. This machine runs MS Windows Vista
> conn intern-cert
> (the defaults are unchanged from the PSK setup, and the connection
> itself is also similar to the working PSK one.)
> I created a (sub) CA (I'm using tinyCA for other certificate handling
> already) and created two certificates, one for the VPN server, and one
> for the windows client.
> I packaged the windows one as a pkcs12 file and installed it on that
How did you install it? Double clicking won't work properly.
> When I keep the gateway certificate protected by a password, and have
> a line like ": RSA <keyfile> "password" in ipsec.secrets, I get these
> > Jul 17 01:18:05 balrog pluto: loading secrets from "/etc/ipsec.secrets"
> > Jul 17 01:18:05 balrog pluto: could not open private key file '/etc/ipsec.d/private/ITS-VPN.pem'
> > Jul 17 01:18:05 balrog pluto: "/etc/ipsec.secrets" line 14: error loading RSA private key file
> > Jul 17 01:18:05 balrog ipsec__plutorun: 003 "/etc/ipsec.secrets" line 14: error loading RSA private key file
That's odd. Are you using any odd characters in the secret?
> If I unlock the key file (and comment out the line in ipsec.secrets),
> I get no messages in the log.
You still need to put the keyfile in there, just leave out the "password" section.
You can see with ipsec auto --listall what x509 bits have been loaded by pluto.
> The malformed payload message is, as far as I understand after much
> reading, more or less only an artifact of an unencrypted message sent
> because encryption could not be established.
Yes, windows is bad in that way.
Building and integrating Virtual Private Networks with Openswan:
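As an added example (not from the thread and not Openswan's own code), the small Python checker below parses the `: RSA <keyfile> "password"` entries of an ipsec.secrets file and compares each one against the PEM header of the key file it points at. It flags the two mismatches the reply is about (a passphrase-protected key whose line has no passphrase, and an unencrypted key whose line still carries one), a key file that cannot be read, and passphrases with non-ASCII characters. The secrets syntax and the `/etc/ipsec.d/private/ITS-VPN.pem` path come from the thread; the key-file contents and the second and third secrets lines are constructed stand-ins, and the `read_file` callback is a hypothetical hook so the example runs without touching the filesystem.

```python
"""Sanity-check ': RSA <keyfile> "password"' entries from an ipsec.secrets file.

Added example; not part of Openswan. Only PEM headers are inspected, so the
constructed sample key files below carry no real key material.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Selector (possibly empty, meaning "any ID") before ':', then the RSA keyword
# and the remainder of the line (key file plus optional quoted passphrase).
_RSA_LINE = re.compile(r'^\s*(?P<ids>[^:#]*):\s*RSA\s+(?P<rest>.+?)\s*$')


@dataclass
class RsaSecret:
    ids: str
    keyfile: str
    passphrase: Optional[str]


def parse_rsa_secret(line: str) -> Optional[RsaSecret]:
    """Parse one secrets line; None for comments, PSK lines and inline '{ ... }' keys."""
    m = _RSA_LINE.match(line)
    if not m or m.group('rest').startswith('{'):
        return None
    # shlex strips the quotes around the passphrase and keeps embedded spaces.
    parts = shlex.split(m.group('rest'))
    if not parts:
        return None
    passphrase = parts[1] if len(parts) > 1 else None
    return RsaSecret(m.group('ids').strip(), parts[0], passphrase)


def classify_pem(pem_text: str) -> str:
    """Return 'encrypted', 'unencrypted' or 'not-a-private-key' from the PEM header."""
    if 'ENCRYPTED PRIVATE KEY' in pem_text or 'Proc-Type: 4,ENCRYPTED' in pem_text:
        return 'encrypted'          # PKCS#8 encrypted, or legacy PEM with DEK-Info
    if re.search(r'-----BEGIN (RSA )?PRIVATE KEY-----', pem_text):
        return 'unencrypted'
    return 'not-a-private-key'      # e.g. a certificate was given instead of the key


def diagnose(secret: RsaSecret, pem_text: Optional[str]) -> List[str]:
    """Compare the secrets entry with the key file it names."""
    findings: List[str] = []
    if pem_text is None:
        findings.append(f"cannot read {secret.keyfile}: check the path and that pluto can read it")
        return findings
    kind = classify_pem(pem_text)
    if kind == 'not-a-private-key':
        findings.append(f"{secret.keyfile} does not contain a PEM private key")
    elif kind == 'encrypted' and secret.passphrase is None:
        findings.append(f"{secret.keyfile} is passphrase-protected but no passphrase is given")
    elif kind == 'unencrypted' and secret.passphrase is not None:
        findings.append(f"{secret.keyfile} is not encrypted; drop the passphrase from the line")
    if secret.passphrase is not None and not secret.passphrase.isascii():
        findings.append("passphrase contains non-ASCII characters; quote it carefully or change it")
    return findings


def audit_secrets(secrets_text: str, read_file: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Audit every RSA file entry; read_file(path) returns the PEM text or None if unreadable."""
    report: Dict[str, List[str]] = {}
    for lineno, line in enumerate(secrets_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        secret = parse_rsa_secret(line)
        if secret is None:
            continue
        findings = diagnose(secret, read_file(secret.keyfile))
        if findings:
            report[f"line {lineno}"] = findings
    return report


# Constructed stand-ins for key files: only the headers matter to this checker.
SAMPLE_FILES = {
    '/etc/ipsec.d/private/ITS-VPN.pem':
        '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n'
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n(constructed)\n-----END RSA PRIVATE KEY-----\n',
    '/etc/ipsec.d/private/plain.pem':
        '-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n',
}

# Constructed ipsec.secrets: line 2 mirrors the thread (encrypted key, passphrase
# line commented out); lines 3 and 4 are made-up counter-examples.
SAMPLE_SECRETS = '''\
# constructed example of /etc/ipsec.secrets
: RSA /etc/ipsec.d/private/ITS-VPN.pem
: RSA /etc/ipsec.d/private/plain.pem "secret"
: RSA /etc/ipsec.d/private/missing.pem "secret"
'''

if __name__ == '__main__':
    for where, problems in audit_secrets(SAMPLE_SECRETS, SAMPLE_FILES.get).items():
        for problem in problems:
            print(f"{where}: {problem}")
```

Pointing `read_file` at a real reader (for example a function wrapping `open(path).read()` that returns `None` on `OSError`) runs the same checks against a live `/etc/ipsec.secrets`; the "cannot read" finding then corresponds to pluto's "could not open private key file" message in the thread, and `ipsec auto --listall` remains the authoritative view of what pluto actually loaded.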