[Openswan Users] strange openswan 2.6 errors

Marek Greško gresko at thr.sk
Thu May 28 08:52:22 EDT 2009


On Mon 11 May 2009 you wrote:
> On Mon, 11 May 2009, Marek Greško wrote:
> > I have
> > leftrsasigkey=%cert
> > rightrsasigkey=%cert
> > only in the default section and
> > leftid=%fromcert
> > rightid=%fromcert
> > only in the tunnel definition. I expect the defaults are loaded prior to
> > tunnel definition. Isn't it?
>
> You can't have all certs and all ids come in via IKE. You need to point to
> one cert on disk at least for the local end, so you need at least one of
> leftcert=filename / rightcert=filename
>
> > I also do not want to have fromcert in the id, just testing it because of
> > Paul's suggestion. I would like to use full id string (Subject DN) there.
>
> You can specify that with rightid=, but you need to use %fromcert on the
> side that you load from disk locally (eg with leftcert=filename)
>
> Paul

I am still struggling with the issue, with no luck. Here is the modified part of
the ipsec barf output containing the config file dump:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        #plutodebug="control parsing"
        #plutodebug="all"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,
                %v4:!192.168.24.0/24
        oe=off
        nhelpers=0
        interfaces="%defaultroute"

#< /etc/ipsec.d/aa-default.conf 1
conn %default
        keyingtries=%forever
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        #auto=start


#< /etc/ipsec.d/aa-no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/freeswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

#< /etc/ipsec.d/ipsec.his-mine.conf 1
conn his-mine
        keyingtries=%forever
        authby=rsasig
        auto=start
        compress=no
        left=hispublicip
        leftsourceip=192.168.24.254
        leftnexthop=%defaultroute
        leftsubnet=192.168.24.0/24
        right=%defaultroute
        rightnexthop=%defaultroute
        #
        leftcert=cert-his.pem
        rightcert=cert-mine.pem
        #
        leftid="C=SK, ......his"
        #rightid="C=SK, ..... mine"
        rightid=%fromcert


I am still getting: we require peer to have ID 'hispublicip', but peer 
declares 'C=SK, ....... his'

I am sure I have the certificates loaded. When using ipsec barf I also see the
remote certificate.

I suspect I have some problem in the configuration, but I still cannot find
any. Do you have any suggestions?

Thank you.


-- 
Marek Greško
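The rules stated in Paul's quoted reply (at least one side's certificate must be loaded from disk with leftcert/rightcert, and the locally loaded side should use %fromcert, while the peer side may carry an explicit DN) plus the way ipsec.conf resolves IDs (conn settings inherit from `conn %default`; leftid/rightid default to the address in left/right when absent, which is the form the required ID takes in the error quoted above) can be checked mechanically against a config dump. The following is an added example written for this page; it is not openswan code and not the poster's file. The embedded config is constructed: it is shaped like the posted one but anonymised (documentation-range address 203.0.113.10, placeholder DN), and a second conn without leftid is added to show the fallback. The assumption that the side given as `%defaultroute` is the local end follows the posted config and is not a general rule.

```python
"""Small ipsec.conf reader for checking cert/ID settings (added example, not openswan code).

Assumptions, repeated where they are used in the code:
  * settings of a conn inherit from ``conn %default``; the conn's own lines win (ipsec.conf(5));
  * ``leftid``/``rightid`` fall back to ``left``/``right`` when absent (ipsec.conf(5));
  * the side whose address is ``%defaultroute`` is the local end (as in the posted config);
  * the check implements the rule from Paul's reply quoted on this page.
"""
import re

# Constructed sample shaped like the posted config (anonymised, not the poster's file).
SAMPLE_CONF = """\
version 2.0

config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,
                %v4:!192.168.24.0/24

conn %default
        keyingtries=%forever
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

# like the posted tunnel: peer's cert on disk with an explicit DN, local side %fromcert
conn his-mine
        auto=start
        left=203.0.113.10
        leftsubnet=192.168.24.0/24
        right=%defaultroute
        leftcert=cert-his.pem
        rightcert=cert-mine.pem
        leftid="C=SK, O=Example, CN=his"
        rightid=%fromcert

# same tunnel without leftid: the peer is then required to present its address
conn no-leftid
        left=203.0.113.10
        right=%defaultroute
        rightcert=cert-mine.pem
        rightid=%fromcert
"""


def parse_ipsec_conf(text):
    """Return {'conn NAME': {key: value}, 'config setup': {...}} from ipsec.conf text."""
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and trailing blanks
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if header:
            current = sections.setdefault(f"{header.group(1)} {header.group(2)}", {})
            last_key = None
            continue
        if current is None:                            # e.g. the 'version 2.0' line
            continue
        if "=" in line:
            key, _, value = line.strip().partition("=")
            key, value = key.strip(), value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]                    # unquote DN-style values
            current[key] = value
            last_key = key
        elif line[0].isspace() and last_key:
            current[last_key] += line.strip()          # indented continuation line
    return sections


def effective_conn(sections, name):
    """Conn settings with ``conn %default`` underneath (assumed ipsec.conf(5) inheritance)."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections[f"conn {name}"])
    return merged


def effective_id(conn, side):
    """ID used for a side: leftid/rightid, else the address in left/right (assumed per ipsec.conf(5))."""
    return conn.get(side + "id") or conn.get(side)


def local_side(conn):
    """Assumption: the side whose address is %defaultroute is the local end."""
    for side in ("left", "right"):
        if conn.get(side) == "%defaultroute":
            return side
    return None


def check_cert_ids(conn):
    """Apply the rule from the quoted reply; returns a list of findings (empty means nothing flagged)."""
    findings = []
    if not conn.get("leftcert") and not conn.get("rightcert"):
        findings.append("no leftcert/rightcert: at least one certificate must be loaded from disk")
    me = local_side(conn)
    if me is None:
        findings.append("cannot tell which side is local (no %defaultroute address)")
        return findings
    peer = "right" if me == "left" else "left"
    if conn.get(me + "cert") and conn.get(me + "id") != "%fromcert":
        findings.append(f"{me}cert is loaded from disk but {me}id is not %fromcert")
    if conn.get(peer + "id") is None:
        findings.append(f"no {peer}id: peer will be required to present ID '{conn.get(peer)}'")
    return findings


if __name__ == "__main__":
    sections = parse_ipsec_conf(SAMPLE_CONF)
    for name in ("his-mine", "no-leftid"):
        conn = effective_conn(sections, name)
        print(name, "left id:", effective_id(conn, "left"), "right id:", effective_id(conn, "right"))
        print("  findings:", check_cert_ids(conn) or "none")
```

Running it on the constructed sample reports no finding for `his-mine`, and for `no-leftid` it reports that the peer will be required to present the ID `203.0.113.10`, the same shape as the "we require peer to have ID 'hispublicip'" message quoted above. To use it on a real barf dump, replace `SAMPLE_CONF` with the text of the config section; the parser only understands the plain `key=value` and indented-continuation forms shown here.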
