[Openswan Users] WG: Problems connecting to IPSec server
Jacco de Leeuw
jacco2 at dds.nl
Sat Sep 22 07:39:50 EDT 2007
Martin Krellmann wrote:
> - I think all certs are from the same CA... I set the ipsec up after a
> reinstallation of the system, so I had to configure a new CA and regenerated
> all certificates. I've even generated a new client certificate.
Make sure they are all issued by the same CA.
When you create a new CA, it is still a different CA even if the name stays
the same as the first CA. After all, a new private key is generated.
> The Oakley.log tells me that there is somewhere a private key missing, but
> I can't get where.
Check with MMC:
http://www.jacco2.dds.nl/networking/win2000xp-openswan.html#ImportingCertificates
Verify in the properties of the imported cert that it says: "This certificate
has a private key associated with it". If not, import it again or use
certimport (ftp://ftp.openswan.org/openswan/windows/certimport/).
> Do both sides need all keys?
No, they only need their own private key, not the other side's.
They do need the root cert but not its private key.
> Oakley.log is attached (the other one is in an extremely weird format ;) )
>
> 9-22: 17:31:17:375:940 Zertifikatbasierte Identität. Peerantragsteller
> Peer-SHA-Fingerabdruck 00000000000000000000000 00000000000000000 Peer, der
> die Zertifizierungsstelle ausstellt: Stammzertifizierungsstelle Eigener
> Antragsteller C=DE, S=Thueringen, L=Trusetal, O=Krellmann,
> CN=vpngate.trusetal.krellmann.net, E=martin at krellmann.net Eigener
> SHA-Fingerabdruck 6 e5f83f0c04da39f76b5dde8f0700f774c24ca65
> Peer-IP-Adresse: 192.168.10.253
Does the cert of the Windows client have the same CN as the cert of the
server? If so, change it.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
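As an added example (not part of this thread and not Openswan or Windows tooling), the following POSIX shell script uses openssl to show the three points made above: a CA re-created under the same name is a different CA because its private key is new, so certificates issued by the old CA no longer verify; a certificate "has a private key associated with it" only when the key's modulus matches the certificate's; and the client and server certificates should carry different CNs. The CA name, the CNs vpngate and client1, and the temporary working directory are all constructed for the demonstration.

```shell
#!/bin/sh
# Added demonstration, not from the thread. Requires the openssl CLI.
# All subject names below are constructed; nothing here is a real CA.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA in directory $1. Every call generates a NEW key,
# so two CAs made this way differ even though their subject is identical.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=DE/O=Example/CN=Example Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue an end-entity certificate with CN $2, signed by the CA in $1.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=DE/O=Example/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
}

# Succeeds (exit 0) only if certificate $2 chains to the CA certificate $1.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if certificate $1 and private key $2 share the same RSA
# modulus, i.e. the certificate really has this private key associated.
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Print the CN of certificate $1.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# --- Walk-through -------------------------------------------------------
make_ca "$WORK/ca1"
issue_cert "$WORK/ca1" vpngate      # server certificate
issue_cert "$WORK/ca1" client1      # client certificate, different CN
make_ca "$WORK/ca2"                 # "same" CA re-created: new private key

verify_chain "$WORK/ca1/ca.crt" "$WORK/ca1/vpngate.crt" \
    && echo "original CA accepts the server cert"
verify_chain "$WORK/ca2/ca.crt" "$WORK/ca1/vpngate.crt" \
    || echo "re-created CA with the same name rejects it"
key_matches_cert "$WORK/ca1/vpngate.crt" "$WORK/ca1/vpngate.key" \
    && echo "server cert and key belong together"
key_matches_cert "$WORK/ca1/vpngate.crt" "$WORK/ca1/client1.key" \
    || echo "server cert does not match the client's key"
[ "$(cert_cn "$WORK/ca1/vpngate.crt")" != "$(cert_cn "$WORK/ca1/client1.crt")" ] \
    && echo "client and server CNs differ"
```

The modulus comparison in key_matches_cert is the command-line equivalent of the MMC property check mentioned above: if the modulus of the key you imported does not match the certificate, Windows will show the certificate without an associated private key, and IKE will fail for lack of a signing key exactly as the Oakley log reports.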