[Openswan Users] trying to connect OpenSWAN 2.6.19 to a Netgear FVS338
Marcos Hacker
mfhacker at hotmail.com
Fri May 15 18:57:42 EDT 2009
Hi Paul,

Thanks for the information. We ended up having to put
the Netgear's (right) public certificate on our Linux (left) machine
and specify it as part of the "rights" parameters. We were expecting
messages 5 & 6 to contain the certificate. Should ISAKMP messages 5
& 6 contain the certificates? Is there a way to decrypt message 5
& 6 payloads?

In message 4, we see the "Certificate
Request Payload" coming from the Netgear (right); in addition, the CA
field within the Certificate Request Payload is empty. According to
RFC 4945 (http://tools.ietf.org/html/rfc4945#page-13), this is valid
but a rare case. Could OpenSWAN be expecting something populated in this
field?

If message 6 does contain certificates (as we expect),
is there a chance OpenSWAN 2.6.19 is not parsing and using the
certificate properly?

Here's our command string:

ipsec whack --name vpn_tunnel
--encrypt
--tunnel
--ike 3des-md5-modp1024
--esp 3des-md5
--compress
--dpdaction hold
--ikelifetime 28800
--rsasig
--host 130.168.1.3
--client 172.16.2.3/32
--nexthop %direct
--updown "ipsec _updown"
--sendcert always
--cert /etc/ipsec.d/clientcert.pem <-- Linux (left) public certificate
--ca "/C=US/ST=Florida/O=Corp/OU=/CN=Device"
--to
--host 130.168.1.2
--id 130.168.1.2
--client 10.10.10.0/24
--nexthop %direct
--updown "ipsec _updown"
--sendcert always
--ipseclifetime 3600
--rekeymargin 540
--keyingtries 1
--cert /etc/ipsec.d/sn00032_1024.pem <-- Netgear (right) public certificate
--ca "/C=US/ST=Florida/O=Corp/OU=Group/CN=Device"
I appreciate the help Paul!
marcos
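
An added example, not part of the original post and not Openswan code: this Python walks the ISAKMP payload chain (wire format from RFC 2408) and reports a Certificate Request payload whose CA field is empty, as described for message 4 above. It also returns no payloads when the header's encryption flag is set, which is the case for main mode messages 5 and 6, so their contents cannot be read from a capture without the session keys. The sample packet and all function names are constructed for illustration.

```python
import struct

# Payload type numbers from RFC 2408 section 3.1 (ISAKMP).
PAYLOAD_NAMES = {4: "KE", 5: "ID", 6: "CERT", 7: "CERTREQ", 9: "SIG", 10: "NONCE"}
CERT_X509_SIGNATURE = 4   # Certificate Encoding value, RFC 2408 section 3.9
FLAG_ENCRYPTED = 0x01     # ISAKMP header flag: everything after the header is ciphertext


def parse_isakmp(packet: bytes):
    """Return (header_info, payloads) for one ISAKMP (IKEv1) message."""
    if len(packet) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    next_payload, _ver, exchange, flags, _msg_id, length = struct.unpack(
        "!BBBBII", packet[16:28])
    if length != len(packet):
        raise ValueError("header length field does not match packet size")
    info = {"exchange": exchange, "encrypted": bool(flags & FLAG_ENCRYPTED)}
    payloads = []
    if info["encrypted"]:
        return info, payloads        # body is ciphertext; no chain to walk
    offset = 28
    while next_payload != 0:
        if offset + 4 > len(packet):
            raise ValueError("truncated payload header")
        following, _reserved, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > len(packet):
            raise ValueError("bad payload length")
        body = packet[offset + 4:offset + plen]
        entry = {"type": PAYLOAD_NAMES.get(next_payload, str(next_payload))}
        if next_payload == 7:        # Certificate Request: 1-byte type + CA DN
            if not body:
                raise ValueError("CERTREQ without a certificate type")
            entry["cert_type"] = body[0]
            entry["ca"] = body[1:]   # DER-encoded issuer DN, may be empty
            entry["ca_empty"] = len(body) == 1
        else:
            entry["data"] = body
        payloads.append(entry)
        next_payload, offset = following, offset + plen
    return info, payloads


def build_sample_message_4() -> bytes:
    """Constructed main mode message 4: KE, NONCE, CERTREQ with empty CA."""
    ke = struct.pack("!BBH", 10, 0, 4 + 128) + bytes(128)     # modp1024 public value
    nonce = struct.pack("!BBH", 7, 0, 4 + 16) + bytes(16)
    certreq = struct.pack("!BBH", 0, 0, 5) + bytes([CERT_X509_SIGNATURE])
    body = ke + nonce + certreq
    header = bytes(16) + struct.pack("!BBBBII", 4, 0x10, 2, 0, 0, 28 + len(body))
    return header + body
```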