[Openswan Users] trying to connect OpenSWAN 2.6.19 to a Netgear FVS338

Marcos Hacker mfhacker at hotmail.com
Fri May 15 18:57:42 EDT 2009

Hi Paul,

Thanks for the information. We ended up having to put
the Netgear's (right) public certificate on our Linux (left) machine
and specify it as part of the "right" parameters. We were expecting
messages 5 & 6 to contain the certificate. Should ISAKMP messages 5
& 6 contain the certificates? Is there a way to decrypt the message 5
& 6 payloads?

In message 4, we see the "Certificate
Request Payload" coming from the Netgear (right); in addition, the CA
field within the Certificate Request Payload is empty. According to
RFC 4945 (http://tools.ietf.org/html/rfc4945#page-13), this is valid
but a rare case. Could OpenSWAN be expecting something populated in this

If message 6 does contain certificates (as we expect),
is there a chance OpenSWAN 2.6.19 is not parsing and using the
certificate properly?

Here's our command string:

ipsec whack --name vpn_tunnel 
--ike 3des-md5-modp1024 
--esp 3des-md5 
--dpdaction hold 
--ikelifetime 28800 
--nexthop %direct 
--updown "ipsec _updown" 
--sendcert always 
--cert /etc/ipsec.d/clientcert.pem                    <-- Linux (left) public certificate
--ca "/C=US/ST=Florida/O=Corp/OU=/CN=Device" 
--nexthop %direct 
--updown "ipsec _updown" 
--sendcert always 
--ipseclifetime 3600 
--rekeymargin 540 
--keyingtries 1 
--cert /etc/ipsec.d/sn00032_1024.pem              <-- Netgear (right) public certificate
--ca "/C=US/ST=Florida/O=Corp/OU=Group/CN=Device"

I appreciate the help Paul! 
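Added example, not code from this thread or from Openswan: a small Python walker over the payload chain of an IKEv1 main-mode message (RFC 2408 fixed header and generic payload header). It flags a CERTREQ payload whose CA field is empty, the case described in the message above, and reports when a message carries the E (encryption) bit, as main-mode messages 5 and 6 do, in which case the payloads cannot be inspected from a capture without the negotiated keys. The two sample messages are constructed inline and are not from a real Netgear/Openswan exchange.

```python
import struct

ISAKMP_HDR_LEN = 28      # fixed header, RFC 2408 3.1
FLAG_ENCRYPTION = 0x01   # E bit: everything after the header is ciphertext
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 6: "CERT", 7: "CERTREQ", 8: "HASH",
                 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
X509_SIG = 4             # encoding "X.509 Certificate - Signature", RFC 2408 3.9

def parse_isakmp(pkt):
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    _i, _r, nxt, _ver, xchg, flags, _mid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("header length %d != packet length %d" % (length, len(pkt)))
    info = {"exchange": xchg, "encrypted": bool(flags & FLAG_ENCRYPTION), "payloads": []}
    if info["encrypted"]:
        return info  # payload headers sit inside the ciphertext; nothing to walk
    off = ISAKMP_HDR_LEN
    while nxt != 0:
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header at offset %d" % off)
        np_, _res, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        body = pkt[off + 4:off + plen]
        entry = {"type": nxt, "name": PAYLOAD_NAMES.get(nxt, "type-%d" % nxt)}
        if nxt in (6, 7) and body:  # CERT / CERTREQ: one encoding byte, then data
            entry["encoding"], entry["data_len"] = body[0], len(body) - 1
            if nxt == 7:  # CERTREQ with no CA name: allowed by RFC 4945, but rare
                entry["ca_empty"] = len(body) == 1
        info["payloads"].append(entry)
        nxt, off = np_, off + plen
    return info

def _payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

def _header(first_payload, flags, body_len):
    # constructed cookies; version 0x10 = IKEv1; exchange 2 = Identity Protection (main mode)
    return struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x02" * 8, first_payload, 0x10, 2,
                       flags, 0, ISAKMP_HDR_LEN + body_len)

def build_sample_msg4():
    """Constructed responder message 4: KE, NONCE, then CERTREQ with an empty CA field."""
    body = _payload(10, b"\x11" * 128) + _payload(7, b"\x22" * 16) + _payload(0, bytes([X509_SIG]))
    return _header(4, 0, len(body)) + body

def build_sample_msg5():
    return _header(5, FLAG_ENCRYPTION, 64) + b"\xaa" * 64  # constructed: E bit set, opaque body
```

Run `parse_isakmp` over a raw UDP/500 payload from a capture to see which payloads the responder actually sent and whether the request for a certificate named a CA.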
