[Openswan Users] query
neeraj goyal
007.neeraj at gmail.com
Tue Feb 16 00:49:01 EST 2010
Hi...
Thanks for replying, Paul. I am using a CA that I have placed in
/etc/ipsec.d/cacerts/cacert.pem at both ends, and I am using the below
ipsec.conf file on the 238 machine:
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        plutodebug="control parsing"
        nat_traversal=yes
        protostack=netkey

conn sample1
        left=192.168.103.238
        leftcert=/etc/ipsec.d/certs/eastCert.pem
        leftsendcert=always
        leftrsasigkey=%cert
        right=192.168.103.139
        rightsendcert=always
        rightrsasigkey=%cert
        auto=add
I have placed eastCert.pem in /etc/ipsec.d/certs on the 192.168.103.238
machine, and I am using the below configuration on the other (139) machine:
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        plutodebug="control parsing"
        nat_traversal=yes
        protostack=netkey

conn sample1
        left=192.168.103.238
        leftsendcert=always
        leftrsasigkey=%cert
        right=192.168.103.139
        rightcert=/etc/ipsec.d/certs/westCert.pem
        rightsendcert=always
        rightrsasigkey=%cert
        auto=add
Similarly, I have placed westCert.pem in /etc/ipsec.d/certs on the
192.168.103.139 machine. Now I am not able to bring up the IPsec connection between the two.
It shows the following (while trying to bring up the connection using ipsec auto --up sample1):
104 "sample1" #2: STATE_MAIN_I1: initiate
003 "sample1" #2: received Vendor ID payload [Openswan (this version) 2.6.23 ]
003 "sample1" #2: received Vendor ID payload [Dead Peer Detection]
003 "sample1" #2: received Vendor ID payload [RFC 3947] method set to=109
106 "sample1" #2: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sample1" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "sample1" #2: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sample1" #2: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
003 "sample1" #2: received and ignored informational message
If I place both certificates on both machines and specify their
corresponding parameters (specifying rightcert on the 238 machine and leftcert on
the 139 machine) in the ipsec.conf file, then I am able to bring up the connection.
I have seen man ipsec.conf, and leftsendcert can have the values yes|always,
no|never and ifasked. leftsendcert can't have the value send; it shows an invalid
value error. I am using Linux Openswan U2.6.23/K2.6.18-92.el5 (netkey).
On Mon, Feb 15, 2010 at 8:33 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Mon, 15 Feb 2010, neeraj goyal wrote:
>
>> Should each ipsec peer have the other ipsec peer's certificate before
>> starting ipsec, or will the other peer send it during
>> connection time?
>>
>
> That depends on your configuration. See 'man ipsec.conf' and specifically
> the sections on "leftsendcert" and "leftca".
>
> If you are not using a CA, you should really just put the cert on both ends.
> If you are using a CA, you should let leftsendcert= send it for you.
>
> Paul
>
--
Regards
Neeraj Goyal
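The thread above turns on which end needs which certificate when both sides trust the same CA. As an added example, not taken from this list or from Openswan itself, here is a POSIX shell script that builds a throwaway PKI with the openssl CLI (a CA written out as cacert.pem, "east" and "west" certs issued by it, and a "rogue" cert issued by an unrelated CA; the O=example / O=other DNs, the "rogue" name and the helper names issue_cert, make_test_pki, check_peer_cert and cert_dn are all constructed for the demo, while eastCert.pem, westCert.pem and cacert.pem follow the file names used in the thread) and then runs the two checks worth doing before pointing leftcert=/rightcert= at the files: does the cert chain to the cacert.pem the peer holds in its cacerts directory, and what subject DN does it carry, since that DN is the identity the peer will match it against.

```shell
#!/bin/sh
# Added example (not from the thread or from Openswan): check certificates
# against a CA with the openssl CLI before configuring leftcert=/rightcert=.
# All DNs, the "rogue"/"other" names and the helper names are constructed.
set -e

# issue_cert DIR NAME CA CAKEY : create NAMEKey.pem and NAMECert.pem in DIR,
# the cert signed by CA/CAKEY, with the assumed DN "O=example, CN=NAME".
issue_cert() {
  dir=$1; name=$2; ca=$3; cakey=$4
  openssl req -newkey rsa:2048 -nodes -subj "/O=example/CN=$name" \
    -keyout "$dir/${name}Key.pem" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/$name.csr" -CA "$ca" -CAkey "$cakey" \
    -CAcreateserial -out "$dir/${name}Cert.pem" 2>/dev/null
}

# make_test_pki DIR : a CA (cacert.pem, named as in /etc/ipsec.d/cacerts/),
# "east" and "west" certs issued by it, and a "rogue" cert from an unrelated CA.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=example/CN=Example CA" \
    -keyout "$dir/cacert.key" -out "$dir/cacert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=other/CN=Other CA" \
    -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
  issue_cert "$dir" east  "$dir/cacert.pem" "$dir/cacert.key"
  issue_cert "$dir" west  "$dir/cacert.pem" "$dir/cacert.key"
  issue_cert "$dir" rogue "$dir/other.pem"  "$dir/other.key"
}

# check_peer_cert CERT CAFILE : return 0 if CERT chains to CAFILE, 1 if not.
# The "OK" line is matched rather than the exit status because older openssl
# releases did not always return non-zero on a failed verification.
check_peer_cert() {
  openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# cert_dn CERT : print the subject DN in RFC 2253 form, e.g. CN=east,O=example.
# This is the identity the peer matches the received cert against.
cert_dn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Demo: build the constructed PKI in a temp dir and report on each cert.
D=$(mktemp -d)
make_test_pki "$D"
for c in east west rogue; do
  if check_peer_cert "$D/${c}Cert.pem" "$D/cacert.pem"; then
    echo "$c: chains to cacert.pem, subject DN: $(cert_dn "$D/${c}Cert.pem")"
  else
    echo "$c: does NOT chain to cacert.pem; a peer trusting only that CA will reject it"
  fi
done
rm -rf "$D"
```

Run it as-is to see the constructed case, or call check_peer_cert and cert_dn directly on the real eastCert.pem / westCert.pem with the real cacert.pem. One caveat: openssl verify also consults the system trust store, whereas the IKE peer trusts only the CAs in its own cacerts directory, so a cert that passes here because of a system-wide CA is not necessarily one the peer will accept.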