[Openswan Users] strange openswan 2.6 errors

Marek Greško gresko at thr.sk
Thu May 28 10:19:08 EDT 2009


On Thu 28 May 2009 Marek Greško wrote:
> On Mon 11 May 2009 you wrote:
> > On Mon, 11 May 2009, Marek Greško wrote:
> > > I have
> > > leftrsasigkey=%cert
> > > rightrsasigkey=%cert
> > > only in the default section and
> > > leftid=%fromcert
> > > rightid=%fromcert
> > > only in the tunnel definition. I expect the defaults are loaded prior
> > > to tunnel definition. Isn't it?
> >
> > You can't have all certs and all ids come in via IKE. You need to point
> > to one cert on disk at least for the local end, so you need at least one
> > of leftcert=filename / rightcert=filename
> >
> > > I also do not want to have fromcert in the id, just testing it because
> > > of Paul's suggestion. I would like to use full id string (Subject DN)
> > > there.
> >
> > You can specify that with rightid=, but you need to use %fromcert on the
> > side that you load from disk locally (eg with leftcert=filename)
> >
> > Paul
>
> I am still struggling with the issue with no luck. Here is modified part of
> ipsec barf containing the config file dump:
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=none
>         #plutodebug="control parsing"
>         #plutodebug="all"
>         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>         protostack=netkey
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.24.0/24
>         oe=off
>         nhelpers=0
>         interfaces="%defaultroute"
>
> #< /etc/ipsec.d/aa-default.conf 1
> conn %default
>         keyingtries=%forever
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>         #auto=start
>
>
> #< /etc/ipsec.d/aa-no_oe.conf 1
> # 'include' this file to disable Opportunistic Encryption.
> # See /usr/share/doc/freeswan/policygroups.html for details.
> #
> # RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
> conn block
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear-or-private
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> #< /etc/ipsec.d/ipsec.his-mine.conf 1
> conn his-mine
>         keyingtries=%forever
>         authby=rsasig
>         auto=start
>         compress=no
>         left=hispublicip
>         leftsourceip=192.168.24.254
>         leftnexthop=%defaultroute
>         leftsubnet=192.168.24.0/24
>         right=%defaultroute
>         rightnexthop=%defaultroute
>         #
>         leftcert=cert-his.pem
>         rightcert=cert-mine.pem
>         #
>         leftid="C=SK, ......his"
>         #rightid="C=SK, ..... mine"
>         rightid=%fromcert
>
>
> I am still getting: we require peer to have ID 'hispublicip', but peer
> declares 'C=SK, ....... his'
>
> I am sure I have certificates loaded. When using ipsec barf I also see
> remote certificate.
>
> I suspect I should have some problem in configuration, but still cannot
> find any. Do you have any suggestions?
>
> Thank you.

I found the solution. I should comment out the leftcert line on the right 
side.

M.

-- 
Marek Greško
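As an added example (not part of the thread and not Openswan's own code), the following Python script reads a minimal ipsec.conf, merges `conn %default` into each tunnel the way the poster expected, and flags the certificate/ID combinations Paul's replies rule out: no cert on disk at all, a cert on disk for both ends (the poster's problem, fixed by dropping `leftcert` on the right-hand host), and a side loaded from disk whose id is not `%fromcert`. The sample config and its Subject DN are constructed for the example; only the setting names come from the thread.

```python
# Constructed sample modelled on the config quoted above (not the poster's
# real file). %default carries the RSA/cert settings; the tunnel loads a cert
# from disk for both ends, the shape behind "we require peer to have ID ...".
SAMPLE_CONF = """
conn %default
        keyingtries=%forever
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
conn his-mine
        left=hispublicip
        right=%defaultroute
        leftcert=cert-his.pem          # the thread's fix: comment this out
        rightcert=cert-mine.pem
        leftid="C=SK, O=Example, CN=his"
        rightid=%fromcert
"""

def parse_conns(text):
    """Map conn name -> settings, with 'conn %default' merged into each conn."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            conns[cur][key] = val.strip('"')
    default = conns.pop("%default", {})
    return {name: {**default, **kv} for name, kv in conns.items()}

def check_cert_auth(conn):
    """Findings for a conn using authby=rsasig with certificates (see thread)."""
    findings = []
    if conn.get("authby") != "rsasig":
        return findings
    on_disk = [s for s in ("left", "right") if conn.get(s + "cert")]
    keys = (conn.get("leftrsasigkey"), conn.get("rightrsasigkey"))
    if not on_disk and "%cert" in keys:
        findings.append("no leftcert/rightcert: the local end's cert must come from disk, not IKE")
    if len(on_disk) == 2:
        findings.append("leftcert and rightcert both set: keep only the local end's, let the peer's arrive via IKE")
    for side in on_disk:
        if conn.get(side + "id") != "%fromcert":
            findings.append(f"{side}cert is set but {side}id is not %fromcert")
    return findings
```

Running `check_cert_auth` on the parsed `his-mine` conn reports both the double-cert problem and the non-`%fromcert` left id; removing `leftcert` clears the findings, matching the fix found in the thread.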
