[Openswan Users] cert problem with new 2.6.21 version

weirauch at checkmobile.de weirauch at checkmobile.de
Wed Apr 8 02:34:12 EDT 2009


thank you paul! and thank you jorge (who got me on the right track)
finally everything works (the private key must go into ipsec.secrets etc, 
etc)
(you know that much much better than i do :-)

so if you ever are in hamburg (germany) you are heartily invited to a very 
big beer (or two, or more :-) (they serve wine here as well...)
what a relief to get something going after so many unsuccessful 
attempts!!
thanks a lot for the great work!
regards,
philipp




From: Paul Wouters <paul at xelerance.com>
To: weirauch at checkmobile.de
Cc: Users at openswan.org
Date: 07.04.2009 20:05
Subject: Re: [Openswan Users] cert problem with new 2.6.21 version



On Tue, 7 Apr 2009, weirauch at checkmobile.de wrote:

> Apr  7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1:
> unable to locate my private key for RSA Signature

Is your private key in /etc/ipsec.d/private/  ?
Do you have an entry for it in /etc/ipsec.secrets ?
If the key file is password protected, did you specify the password in 
ipsec.secrets?
Are you sure the public cert plus the private key belong together
  and are not from different key/cert installs?

> conn l2tp-X.509

>        authby=rsasig
>        left=87.XXX.XXX.140
>        leftcert=/etc/ipsec.d/certs/vpncm_mcert.pem

>        rightcert=/etc/ipsec.d/certs/macpwneu.pem

> content of /etc/ipsec.d/certs
>
> -rw-r--r--  1 root root 1094 Apr  7 15:21 macpwneu.pem
> -rw-r--r--  1 root root 1139 Mar  5 09:50 vpncm_mcert.pem
>
> and in /etc/ipsec.d/cacerts
> is the ca key with which those two keys were signed.

Note that loading the REMOTE certificate by specifying a file
as you did for rightcert= will bypass all CA checks. The key
is considered "trusted" because you got it from disk.

You can use ipsec auto --listall to debug this further.

Paul
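Two of the checks Paul lists above (does the certificate's public key belong to the private key, and is the key file passphrase-protected so that ipsec.secrets needs the passphrase) can be scripted with openssl. This is an added example, not code from the thread or from Openswan; it assumes the openssl command line tool is installed, and the file names and CNs below are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Openswan thread): verify that an X.509 cert and an
# RSA private key belong together, and detect passphrase-protected key files.
# Assumes the openssl CLI is available; all file names below are constructed.

# Print the RSA modulus of a PEM certificate; fails if the file is not a cert.
cert_modulus() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null
}

# Print the RSA modulus of an unencrypted PEM private key; fails otherwise.
key_modulus() {
    openssl rsa -noout -modulus -in "$1" 2>/dev/null
}

# Return 0 only when cert and key carry the same modulus (same key pair).
# A missing or unreadable file makes this fail instead of comparing empty strings.
cert_key_match() {
    c=$(cert_modulus "$1") || return 1
    k=$(key_modulus "$2") || return 1
    [ "$c" = "$k" ]
}

# Return 0 when the PEM key is passphrase-protected (traditional "Proc-Type:
# 4,ENCRYPTED" header or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" block).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Constructed sample data: a self-signed cert plus its (unencrypted) key.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -out "$1" \
        -days 1 -subj "/CN=$3" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_pair "$tmp/a.pem" "$tmp/a.key" vpn-a
make_pair "$tmp/b.pem" "$tmp/b.key" vpn-b
# Passphrase-protected copy of a.key, as one might have under /etc/ipsec.d/private/.
openssl rsa -aes256 -in "$tmp/a.key" -out "$tmp/a.enc" \
    -passout pass:demo-only >/dev/null 2>&1

if cert_key_match "$tmp/a.pem" "$tmp/a.key"; then echo "a.pem + a.key: same key pair"; fi
if ! cert_key_match "$tmp/a.pem" "$tmp/b.key"; then echo "a.pem + b.key: MISMATCH"; fi
if key_is_encrypted "$tmp/a.enc"; then echo "a.enc needs its passphrase in ipsec.secrets"; fi
```

A mismatch here is exactly the "cert plus private key from different installs" case Paul asks about; an encrypted key that loads without its passphrase shows up as the same "unable to locate my private key" symptom.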




