[Openswan Users] PSK works, certificates not
Arno Lehmann
al at its-lehmann.de
Thu Jul 19 18:17:24 EDT 2007
Hello, again,
18.07.2007 01:34, Arno Lehmann wrote:
> Hi,
>
> 18.07.2007 01:11, Paul Wouters wrote:
>> On Wed, 18 Jul 2007, Arno Lehmann wrote:
>>
>>> That works:
>>>> balrog:~ # ipsec auto --listall
>>>> 000
>>>> 000 List of Public Keys:
>>>> 000
>>>> 000 Jul 17 11:39:30 2007, 4096 RSA Key AwEAAfYjK, until Jul 16 11:04:36 2008 ok
>> Ahh, 4096 bit keys cause IKE fragmentation, and will run into additional problems.
>> Stick to 1024 until there is IKEv2 support.
>
> I read about that, but my observations revealed only udp packets of
> 500 to 600 bytes length... anyway, I'll try that tomorrow. And thanks
> for the suggestion!

Ok, I did that. And it works now.

Though I cannot be sure that the key length was the factor that
counted here, because I restarted the whole setup with a new sub-CA,
new VPN gateway certificate, and so on, so it is possible that I fixed
my certificates/CA setup at the same time :-)

I'll simply put a big fat line saying "do everything with 1kBits in
tinyCA" into my VPN documentation ;-)

Thank you for your support,

Arno

--
Arno Lehmann
IT-Service Lehmann
www.its-lehmann.de