[Openswan Users] Cisco ASA and Openswan roadwarrior with X509 certificate
Jan Chrastina
janochrastina at gmail.com
Sun Aug 1 19:07:15 EDT 2010
Hello,
I would like to use openswan to connect as a roadwarrior to the corporate
network. Windows clients use Cisco VPN Client with an Active Directory personal
certificate + Xauth for authentication. A Cisco ASA 5500 is the corporate
gateway. Can anybody help me configure openswan?
Why can openswan not identify itself with either end of the connection?
Why is the list of CAs empty?
I exported my personal Active Directory certificate from Windows with the
private key to a pfx file. Then I exported the certificate and private key to
separate files using openssl. The CA certificate file
/etc/ipsec.d/certs/workca_b64.cer contains 2 certificates to fit the hierarchy:
root CA and subordinate CA. The file /etc/ipsec.d/certs/domainuser.pem contains
the user certificate without the private key. The private key file is in
/etc/ipsec.d/private/domainuser.key .
conn Work
left=%defaultroute
authby=rsasig
ike=aes128-md5;modp2048
leftxauthclient=yes
leftcert=domainuser.pem
leftca=workca_b64.cer
leftid=%fromcert
leftrsasigkey=%cert
leftsendcert=always
leftxauthusername=domainuser
leftmodecfgclient=yes
right=11.22.33.44
rightsubnet=10.0.0.0/8
remote_peer_type=cisco
[root at aspire ipsec.d]# more /etc/ipsec.secrets
: RSA domainuser.key ""
include /etc/ipsec.d/*.secrets
[root at aspire ipsec.d]# ipsec addconn Work
002 loading certificate from domainuser.pem
002 loaded host cert file '/etc/ipsec.d/certs/domainuser.pem' (3353 bytes)
002 no subjectAltName matches ID '%fromcert', replaced by subject DN
002 added connection description "Work"
[root at aspire ipsec.d]# ipsec auto --up Work
022 "Work": We cannot identify ourselves with either end of this connection.
ipsec auto --listcacerts does not show anything
ipsec auto --listcerts shows the domainuser certificate signed by the subordinate CA
[root at aspire ipsec.d]# ipsec --version
Linux Openswan U2.6.25/K2.6.33.3-85.fc13.i686 (netkey)
Thanks.
Regards.