[Openswan Users] Ipsec with RSA key

Rajitha Reddy RReddy at mocana.com
Thu Sep 4 18:08:19 EDT 2008


I am successfully able to test Openswan Server and Client with RSA key.

I am now trying to test my xauth client with Openswan Server using certificate instead of PSK. My client sends over a certificate in .der format. This is not liked by the openswan server I think. Is there a way I can convert the certificate in .der format to the RSA key format?


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Rajitha Reddy
Sent: Friday, August 29, 2008 12:10 PM
To: Paul Wouters
Cc: users at openswan.org
Subject: Re: [Openswan Users] Ipsec with RSA key

Hi Paul,

Thanks for the information.

I included the protoport information in the default connection for both server and client. And also, corrected the ipsec.conf to include the same ike and esp algorithms on both server and client. This worked.

Thanks again.


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Friday, August 29, 2008 11:16 AM
To: Rajitha Reddy
Cc: users at openswan.org
Subject: Re: [Openswan Users] Ipsec with RSA key

On Fri, 29 Aug 2008, Rajitha Reddy wrote:

> I am trying to test Openswan Server and Client with RSA key instead of PSK.
> I am seeing the following error:
> state transition function for STATE_MAIN_R0 failed: NO_PROPOSAL_CHOSEN

That means your proposals don't match on both ends.

> next event EVENT_SO_DISCARD in 0 seconds for #4

This means you enabled debug information, which is not needed to diagnose
configuration errors :)

> conn server
> left=
> leftrsasigkey=0sAQN2
> authby=rsasig
> right=
> rightrsasigkey=0sAQO
> auto=add
> Client:
> conn client
> left=
> leftrsasigkey=0sAQO
> right=
> rightrsasigkey=0sAQN2
> authby=rsasig
> auto=add
> leftprotoport=icmp
> rightprotoport=icmp

You need to either remove or add the protoport statements on both ends, but
not have them at one but not the other.

> My /etc/ipsec.secrets has the RSA key on both server and client machines. Can you please let me know what I am
> missing here?

You should only have the private RSA key on one endpoint, not both. This is not
a shared secret, it is a public/private keypair, and the private part should not
be shared with the other host.

Users at openswan.org
Building and Integrating Virtual Private Networks with Openswan:

More information about the Users mailing list