[Openswan Users] Ipsec with RSA key
Paul Wouters
paul at xelerance.com
Fri Aug 29 14:15:36 EDT 2008
On Fri, 29 Aug 2008, Rajitha Reddy wrote:
> I am trying to test Openswan Server and Client with RSA key instead of PSK.
> I am seeing the following error:
>
> state transition function for STATE_MAIN_R0 failed: NO_PROPOSAL_CHOSEN
That means your proposals don't match on both ends.
> next event EVENT_SO_DISCARD in 0 seconds for #4
This means you enabled debug information, which is not needed to diagnose
configuration errors :)
> conn server
>
> left=192.168.3.38
> leftrsasigkey=0sAQN2
> authby=rsasig
> right=192.168.3.32
> rightrsasigkey=0sAQO
> auto=add
>
> Client:
>
> conn client
> left=192.168.3.32
> leftrsasigkey=0sAQO
> right=192.168.3.38
> rightrsasigkey=0sAQN2
> authby=rsasig
> auto=add
> leftprotoport=icmp
> rightprotoport=icmp
You need to either remove or add the protoport statements on both ends, but
not have them at one but not the other.
> My /etc/ipsec.secrets has the RSA key on both server and client machines. Can you please let me know what I am
> missing here?
You should only have the private RSA key on one endpoint, not both. This is not
a shared secret, it is a public/private keypair, and the private part should not
be shared with the other host.
Paul