[Openswan Users] PSK works, certificates not

Arno Lehmann al at its-lehmann.de
Thu Jul 19 18:17:24 EDT 2007

Hello, again,

18.07.2007 01:34, Arno Lehmann wrote:
> Hi,
> 18.07.2007 01:11, Paul Wouters wrote:
>> On Wed, 18 Jul 2007, Arno Lehmann wrote:
>>> That works:
>>>> balrog:~ # ipsec auto --listall
>>>> 000
>>>> 000 List of Public Keys:
>>>> 000
>>>> 000 Jul 17 11:39:30 2007, 4096 RSA Key AwEAAfYjK, until Jul 16 11:04:36 2008 ok
>> Ahh, 4096 bit keys cause IKE fragmentation, and will run into additional problems.
>> Stick to 1024 until there is IKEv2 support.
> I read about that, but my observations revealed only UDP packets of
> 500 to 600 bytes in length... anyway, I'll try that tomorrow. And thanks
> for the suggestion!

Ok, I did that. And it works now.

Though I cannot be sure that the key length was the factor that
counted here, because I restarted the whole setup with a new sub-CA,
new VPN gateway certificate, and so on, so it is possible that I fixed
my certificates/CA setup at the same time :-)

I'll simply put a big fat line saying "do everything with 1kBits in 
tinyCA" into my VPN documentation ;-)

Thank you for your support,


Arno Lehmann
IT-Service Lehmann
