[Openswan Users] Ipsec with RSA key
Rajitha Reddy
RReddy at mocana.com
Fri Aug 29 15:10:11 EDT 2008
Hi Paul,
Thanks for the information.
I included the protoport information in the default connection for both server and client. And also, corrected the ipsec.conf to include the same ike and esp algorithms on both server and client. This worked.
Thanks again.
Regards,
Rajitha.
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Friday, August 29, 2008 11:16 AM
To: Rajitha Reddy
Cc: users at openswan.org
Subject: Re: [Openswan Users] Ipsec with RSA key
On Fri, 29 Aug 2008, Rajitha Reddy wrote:
> I am trying to test Openswan Server and Client with RSA key instead of PSK.
> I am seeing the following error:
>
> state transition function for STATE_MAIN_R0 failed: NO_PROPOSAL_CHOSEN
That means your proposals don't match on both ends.
> next event EVENT_SO_DISCARD in 0 seconds for #4
This means you enabled debug information, which is not needed to diagnose
configuration errors :)
> conn server
>
> left=192.168.3.38
> leftrsasigkey=0sAQN2
> authby=rsasig
> right=192.168.3.32
> rightrsasigkey=0sAQO
> auto=add
>
> Client:
>
> conn client
> left=192.168.3.32
> leftrsasigkey=0sAQO
> right=192.168.3.38
> rightrsasigkey=0sAQN2
> authby=rsasig
> auto=add
> leftprotoport=icmp
> rightprotoport=icmp
You need to either remove or add the protoport statements on both ends, but
not have them at one but not the other.
> My /etc/ipsec.secrets has the RSA key on both server and client machines. Can you please let me know what I am
> missing here?
You should only have the private RSA key on one endpoint, not both. This is not
a shared secret, it is a public/private keypair, and the private part should not
be shared with the other host.
Paul
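Added example (not from the thread or from Openswan itself): a small Python checker that parses two peers' conn blocks, constructed here to mirror the server/client excerpts above with placeholder keys and assumed ike/esp lines, and reports the mismatches Paul describes: proposals that differ, protoport set on one end only, and left/right values that do not mirror each other.

```python
import re

# Constructed conn blocks mirroring the thread; key values are placeholders, not real keys.
SERVER_CONF = """conn server
    left=192.168.3.38
    leftrsasigkey=0sAQN2_PLACEHOLDER
    authby=rsasig
    right=192.168.3.32
    rightrsasigkey=0sAQO_PLACEHOLDER
    ike=aes128-sha1;modp1024
    esp=aes128-sha1
"""

CLIENT_CONF = """conn client
    left=192.168.3.32
    leftrsasigkey=0sAQO_PLACEHOLDER
    right=192.168.3.38
    rightrsasigkey=0sAQN2_PLACEHOLDER
    authby=rsasig
    ike=3des-sha1;modp1024
    esp=aes128-sha1
    leftprotoport=icmp
    rightprotoport=icmp
"""

def parse_conn(text):
    """Return {key: value} for the key=value lines of one conn block."""
    return dict(re.findall(r"^\s*(\w+)=(\S+)", text, re.MULTILINE))

def find_mismatches(a, b):
    """Compare two peers' conn blocks; a's 'left' is b's 'right' and vice versa."""
    problems = []
    # Proposals and auth method must be identical on both ends, else NO_PROPOSAL_CHOSEN.
    for key in ("ike", "esp", "authby"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    # Mirrored settings: what A calls left, B must call right (and the reverse).
    # A protoport present on one end and absent on the other shows up here.
    for l, r in (("left", "right"), ("leftrsasigkey", "rightrsasigkey"),
                 ("leftprotoport", "rightprotoport")):
        for mine, theirs in ((l, r), (r, l)):
            if a.get(mine) != b.get(theirs):
                problems.append(f"{mine} on A ({a.get(mine)!r}) != {theirs} on B ({b.get(theirs)!r})")
    return problems

if __name__ == "__main__":
    for p in find_mismatches(parse_conn(SERVER_CONF), parse_conn(CLIENT_CONF)):
        print(p)
```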