[Openswan Users] PSK works, certificates not
Paul Wouters
paul at xelerance.com
Tue Jul 17 13:24:14 EDT 2007
On Tue, 17 Jul 2007, Arno Lehmann wrote:
> Quite basic at the moment:
> I have an internal network, 192.168.0.0/24, where I run a server that
> will become a VPN gateway. This is "balrog" at 192.168.0.22.
> A test client "phoenix" is at .88. This machine runs MS Windows Vista
> business.
> conn intern-cert
>     authby=rsasig
>     rightrsasigkey=%cert
>     leftcert=ITS-VPN.pem
>     left=192.168.0.22
>     leftprotoport=17/1701
>     right=%any
>     rightprotoport=17/1701
>     rightsubnet=vhost:%no,%priv
>     rightca=%same
>     auto=add
>
> (The defaults are unchanged from the PSK setup, and the connection
> itself is also similar to the working PSK one.)
>
> I created a (sub) CA (I'm using tinyCA for other certificate handling
> already) and created two certificates, one for the VPN server, and one
> for the windows client.
>
> I packaged the windows one as a pkcs12 file and installed it on that
> machine.
How did you install it? Double clicking won't work properly.
> When I keep the gateway certificate protected by a password, and have
> a line like ": RSA <keyfile> "password" in ipsec.secrets, I get these
> messages:
>
> > Jul 17 01:18:05 balrog pluto[13311]: loading secrets from "/etc/ipsec.secrets"
> > Jul 17 01:18:05 balrog pluto[13311]: could not open private key file '/etc/ipsec.d/private/ITS-VPN.pem'
> > Jul 17 01:18:05 balrog pluto[13311]: "/etc/ipsec.secrets" line 14: error loading RSA private key file
> > Jul 17 01:18:05 balrog ipsec__plutorun: 003 "/etc/ipsec.secrets" line 14: error loading RSA private key file
That's odd. Are you using any odd characters in the secret?
> If I unlock the key file (and comment out the line in ipsec.secrets),
> I get no messages in the log.
You still need to put the keyfile in there, just leave out the "password" section.
You can see with ipsec auto --listall what x509 bits have been loaded by pluto.
> The malformed payload message is, as far as I understand after much
> reading, more or less only an artifact of an unencrypted message sent
> because encryption could not be established.
Yes, Windows is bad in that way.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
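The two failure modes discussed in this thread (a locked key whose passphrase line in ipsec.secrets fails to load, and an unlocked key with the "password" field left in) can be caught before restarting pluto. The following pre-flight checker is an added example for this archive page, not code from Openswan or from either poster. It parses only the file form of the RSA entry shown in the thread, `: RSA <keyfile> "passphrase"`, and assumes that a relative key file name resolves under /etc/ipsec.d/private, the directory pluto names in the quoted log; the sample ipsec.secrets text and PEM files it creates are constructed placeholders, not real keys.

```python
"""Pre-flight check for RSA key entries in ipsec.secrets (Openswan/pluto).

Hypothetical helper, not part of Openswan.  It parses lines of the form
    : RSA <keyfile> "passphrase"
(the passphrase is optional for an unlocked key), resolves relative key
paths under /etc/ipsec.d/private, and reports the mismatches that lead to
"could not open private key file" / "error loading RSA private key file".
"""
import os
import re
import stat

PRIVATE_DIR = "/etc/ipsec.d/private"   # assumed default private-key directory

# : RSA <keyfile> ["passphrase"] ; other forms (inline { } keys, %prompt) are ignored
RSA_LINE = re.compile(r'^\s*:\s*RSA\s+(\S+)(?:\s+"([^"]*)")?\s*$')


def parse_rsa_line(line):
    """Return (keyfile, passphrase_or_None), or None if the line is not an RSA entry."""
    m = RSA_LINE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2)


def resolve_keyfile(keyfile, private_dir=PRIVATE_DIR):
    """pluto looks relative key names up in its private-key directory."""
    return keyfile if os.path.isabs(keyfile) else os.path.join(private_dir, keyfile)


def check_keyfile(path, passphrase):
    """Return a list of findings for one entry (empty list means it looks sane)."""
    findings = []
    if not os.path.isfile(path):
        return ["key file not found: " + path]
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key file is group/world accessible: %s" % oct(mode & 0o777))
    with open(path, "rb") as f:
        head = f.read(4096).decode("ascii", "replace")
    if "PRIVATE KEY" not in head:
        findings.append("file does not look like a PEM private key")
    # Both traditional (Proc-Type: 4,ENCRYPTED) and PKCS#8 encrypted PEM say ENCRYPTED
    encrypted = "ENCRYPTED" in head
    if encrypted and passphrase is None:
        findings.append("key is passphrase-protected but no passphrase given")
    if not encrypted and passphrase is not None:
        findings.append("key is unencrypted but a passphrase is given (remove it)")
    if passphrase and any(c == "\\" or not c.isprintable() for c in passphrase):
        findings.append("passphrase contains backslash/non-printable characters; "
                        "retry with a plain one to rule out a secrets-parser problem")
    return findings


def check_secrets(text, private_dir=PRIVATE_DIR):
    """Check every RSA entry in ipsec.secrets text; returns {line number: findings}."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_rsa_line(line)
        if parsed is None:
            continue
        keyfile, passphrase = parsed
        report[lineno] = check_keyfile(resolve_keyfile(keyfile, private_dir), passphrase)
    return report


def demo():
    """Run the check over a constructed layout in a temporary directory."""
    import tempfile
    private_dir = tempfile.mkdtemp()
    locked = os.path.join(private_dir, "ITS-VPN.pem")       # constructed, not a real key
    with open(locked, "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                "DEK-Info: AES-128-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(locked, 0o600)
    plain = os.path.join(private_dir, "plain.pem")          # constructed, unencrypted
    with open(plain, "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(plain, 0o644)
    secrets = "\n".join([
        "# constructed ipsec.secrets",
        ': PSK "not-an-rsa-line"',
        ': RSA ITS-VPN.pem "correct horse"',   # line 3: locked key, passphrase given
        ": RSA ITS-VPN.pem",                   # line 4: locked key, passphrase missing
        ': RSA plain.pem "unneeded"',          # line 5: unlocked key with stale passphrase
        ': RSA missing.pem "x"',               # line 6: file does not exist
        ': RSA ITS-VPN.pem "back\\slash"',     # line 7: odd character in the secret
    ])
    return check_secrets(secrets, private_dir)


if __name__ == "__main__":
    for lineno, findings in sorted(demo().items()):
        print("line %d: %s" % (lineno, findings or "ok"))
```

Run it against the real file with `check_secrets(open("/etc/ipsec.secrets").read())` as root; an empty list for every RSA line means the secrets side is consistent, after which `ipsec auto --listall` shows whether pluto actually loaded the certificate and key.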