[Openswan Users] no suitable connection for peer - using multiple CAs
Paul Wouters
paul at xelerance.com
Mon Feb 15 10:21:02 EST 2010
On Sun, 7 Feb 2010, Bob Miller wrote:
> I now want to create a net-to-net tunnel between these two gateways.
>
> As best as I can tell, the certs are all loading up fine, --listall
> shows what I expect to see, the CAs both show as being loaded in the
> logs on both sides. However, I get an error like so on which ever side
> receives a connection initiation:
>
> Main mode peer ID is ID_FQDN: '@gatelian.computerisms.ca'
> no suitable connection for peer '@gatelian.computerisms.ca'
> sending encrypted notification INVALID_ID_INFORMATION to 207.189.252.14:500
Looks like the leftid/rightid values are not matching up.
> My config is duplicated on both sides as follows:
> leftrsasigkey=%cert
> rightrsasigkey=%cert
I personally would use the simpler raw RSA keys for a static gateway
to gateway tunnel, without using X.509.
> conn computerisms-ctfn
> left=199.247.135.194
> leftnexthop=199.247.135.193
> leftsubnet=192.168.150.0/24
> leftcert=/etc/ipsec.d/certs/fw-ctfn.ctfn.ca.pem
> leftsourceip=192.168.150.1
> right=207.189.252.14
> rightnexthop=207.189.252.13
> rightsubnet=192.168.25.0/24
> rightcert=/etc/ipsec.d/certs/gatelian.computerisms.ca.pem
The leftcert/rightcert should be the gateway machine certs, not
the CA certs.
> rightsourceip=192.168.25.1
> auto=start
> leftca=/etc/ipsec.d/cacerts/CTFN.Root.Authority
> rightca=/etc/ipsec.d/cacerts/Computerisms.Root.Certificate
> rightid=@gatelian.computerisms.ca
> leftid=@fw-ctfn.ctfn.ca
>
> include /etc/ipsec.d/examples/no_oe.conf
>
>
> The leftid is not a resolvable dns name, but both rightid and leftid
> match the CN in their respective certs.
The left/rightid= lines that start with a "@" are just strings, not
hostnames. They should work fine.
Try to see whether the conn loads properly using ipsec auto --add computerisms-ctfn
on both sides.
Paul
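The ID mismatch Paul points at can be checked offline before touching the tunnel. The script below is an added example, not code from the thread or from Openswan: it parses a conn block, takes the pluto "peer ID is" log line, and verifies that the ID the peer presented equals the *id configured for the remote end of the conn on this gateway. It also flags the two other things raised in the reply: an id without the leading "@" (which ipsec.conf(5) parses as an address rather than a literal name) and a leftcert/rightcert path under cacerts/ (a CA cert where the gateway cert belongs). The conn and log text are constructed from what was posted, the local address is supplied by hand, and the cacerts/ check is a heuristic.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the conn block as posted in the thread (only
# the lines relevant to identity checks) and the pluto log line it quotes.
SAMPLE_CONN = """\
conn computerisms-ctfn
    left=199.247.135.194
    leftsubnet=192.168.150.0/24
    leftcert=/etc/ipsec.d/certs/fw-ctfn.ctfn.ca.pem
    leftid=@fw-ctfn.ctfn.ca
    right=207.189.252.14
    rightsubnet=192.168.25.0/24
    rightcert=/etc/ipsec.d/certs/gatelian.computerisms.ca.pem
    rightid=@gatelian.computerisms.ca
    auto=start
"""

SAMPLE_LOG = "Main mode peer ID is ID_FQDN: '@gatelian.computerisms.ca'"

# pluto logs the peer's identity as "<type>: '<value>'"; the value is the
# literal string the peer sent, so an '@' prefix is part of it.
PEER_ID_RE = re.compile(r"peer ID is (?P<type>ID_\w+): '(?P<id>[^']*)'")


def parse_conn(text: str) -> Dict[str, str]:
    """Parse one ipsec.conf conn block into a key=value dict.

    Only "key=value" lines are handled; the "conn NAME" header is stored
    under the key "conn". Comments and blank lines are skipped.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            conf["conn"] = line.split(None, 1)[1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def peer_id_from_log(line: str) -> Optional[Tuple[str, str]]:
    """Return (id_type, id_value) from a pluto 'peer ID is' line, or None."""
    m = PEER_ID_RE.search(line)
    return (m.group("type"), m.group("id")) if m else None


def check_ids(conf: Dict[str, str], local_ip: str, log_line: str) -> List[str]:
    """Return a list of problems; an empty list means the IDs line up.

    local_ip selects which of left/right is this gateway (assumption: the
    caller knows its own address); the other side's *id must equal the ID
    the peer presented in the log line.
    """
    problems: List[str] = []
    if conf.get("left") == local_ip:
        remote = "right"
    elif conf.get("right") == local_ip:
        remote = "left"
    else:
        return [f"neither left= nor right= equals local address {local_ip}"]

    for side in ("left", "right"):
        ident = conf.get(side + "id", "")
        # ipsec.conf(5): an id starting with '@' is a literal FQDN string;
        # without it the value is parsed as an address.
        if ident and not ident.startswith("@"):
            problems.append(f"{side}id={ident} lacks the leading '@' "
                            "and would be parsed as an address, not a name")
        # Heuristic: leftcert/rightcert must be the gateway's own cert,
        # not the CA cert, so a path under cacerts/ is suspicious.
        cert = conf.get(side + "cert", "")
        if "/cacerts/" in cert:
            problems.append(f"{side}cert={cert} points into cacerts/; "
                            "it should be the gateway certificate")

    parsed = peer_id_from_log(log_line)
    if parsed is None:
        problems.append("no 'peer ID is' line found in the log")
        return problems
    id_type, peer_id = parsed
    # leftid/rightid default to left/right (the address) when unset.
    expected = conf.get(remote + "id", conf.get(remote, ""))
    if peer_id != expected:
        problems.append(f"peer presented {id_type} {peer_id!r} but "
                        f"{remote}id is {expected!r} on this side")
    return problems


if __name__ == "__main__":
    conf = parse_conn(SAMPLE_CONN)
    for p in check_ids(conf, "199.247.135.194", SAMPLE_LOG) or ["IDs match"]:
        print(p)
```

Run it on each gateway with that gateway's own address and the "peer ID is" line from its log; a non-empty result names the side whose id disagrees with what the peer actually sent, which is exactly the condition that produces "no suitable connection for peer".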