Strange that the subject Distinguished Name (DN) of your mailhost certificate seems to be identical to the DN of the CA.

Could you enable debugging by setting

    klipsdebug=none
    plutodebug=all

in ipsec.conf and then, after you have tried to start up the connection, generate a barf:

    ipsec barf > barf.txt

and mail it to me. Also the output of

    ipsec auto --listall

could be helpful.

Regards
Andreas
Antony Gelberg wrote:
> On Wed, Dec 31, 2003 at 04:04:39PM +0100, Reinhold Plew wrote:
> > may be you need this in your ipsec.conf to disable OE
>
> Thanks to you and Andreas, that worked great. I'm now getting this in my /var/log/auth.log:
>
> Jan 2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: Peer ID is ID_DER_ASN1_DN: 'C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'
> Jan 2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: no suitable connection for peer 'C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'
>
> Here's my current ipsec.conf (excluding the OE disable part):
>
> conn %default
>     keyingtries=0
>     disablearrivalcheck=no
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>
> conn mailhost-rw
>     type=transport
>     left=195.54.235.74
>     leftcert=mailhostCert.pem
>     leftprotoport=17/0
>     right=%any
>     rightprotoport=17/1701
>     auto=add
>     keyingtries=1
>     pfs=no
>
> I have tried generating a new CA, certificate, and key, but no joy. I must be very close now, but still no cigar. This might be useful as well:
>
> mailhost:/usr/local/sslca# ipsec auto --status
> 000 interface ipsec0/eth1 195.54.235.74
> 000
> 000 debug none
> 000
> 000 "mailhost-rw": 195.54.235.74[C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]:17/0...%any:17/1701
> 000 "mailhost-rw": CAs: 'C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'...'%any'
> 000 "mailhost-rw": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
> 000 "mailhost-rw": policy: RSASIG+ENCRYPT; interface: eth1; unrouted
> 000 "mailhost-rw": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
> 000 "mailhost-rw": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, flags=-strict
> 000 "mailhost-rw": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
> 000 "mailhost-rw": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
> 000 "mailhost-rw": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
> 000
> 000
>
> If there is any more log info that would be useful, please let me know what to post.
>
> A
>
> _______________________________________________
> FreeS/WAN Users mailing list
> [EMAIL PROTECTED]
> https://mj2.freeswan.org/cgi-bin/mj_wwwusr
-- 
=======================================================================
Andreas Steffen                         e-mail: [EMAIL PROTECTED]
strongSec GmbH                          home:   http://www.strongsec.com
Alter Zürichweg 20                      phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)         fax:    +41 1 730 80 65
==========================================[strong internet security]===
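As an added example (not from this thread or the FreeS/WAN project), a small Python script that reads the kind of pluto auth.log and `ipsec auto --status` lines quoted above and reports when a certificate subject DN (the peer's, or the gateway's own left ID) is identical to a DN that the status output lists as a CA, which is the condition Andreas remarks on. The sample lines are constructed from the thread and the e-mail RDN value is a placeholder.

```python
import re

# Constructed sample input, modelled on the auth.log and `ipsec auto --status`
# lines quoted in this thread (the E= value is a placeholder, not from the page).
DN = "C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, E=ca@example.invalid"
AUTH_LOG = (
    f"Jan 2 00:30:35 mailhost pluto[7154]: \"mailhost-rw\"[2] 82.68.107.174 #2: "
    f"Peer ID is ID_DER_ASN1_DN: '{DN}'\n"
    f"Jan 2 00:30:35 mailhost pluto[7154]: \"mailhost-rw\"[2] 82.68.107.174 #2: "
    f"no suitable connection for peer '{DN}'\n"
)
STATUS = (
    f"000 \"mailhost-rw\": 195.54.235.74[{DN}]:17/0...%any:17/1701\n"
    f"000 \"mailhost-rw\": CAs: '{DN}'...'%any'\n"
)

# "conn"[n] <peer-ip> #n: Peer ID is ID_DER_ASN1_DN: '<dn>'
PEER_RE = re.compile(r'"([^"]+)"\[\d+\] ([\d.]+) #\d+: Peer ID is ID_DER_ASN1_DN: \'([^\']*)\'')
# 000 "conn": <left-ip>[<left-id-dn>]:...
LEFT_RE = re.compile(r'^000 "([^"]+)": [\d.]+\[([^\]]*)\]:', re.MULTILINE)
# 000 "conn": CAs: '<left-ca>'...'<right-ca>'
CA_RE = re.compile(r'^000 "([^"]+)": CAs: \'([^\']*)\'\.\.\.\'([^\']*)\'', re.MULTILINE)


def parse_dn(dn):
    """Normalise 'C=UK, ST=UK, ...' into a tuple of (TYPE, value) RDNs so that
    spacing or case differences in the attribute types do not hide a match."""
    return tuple((t.strip().upper(), v.strip())
                 for t, _, v in (p.partition("=") for p in dn.split(",")))


def dn_collisions(auth_log, status):
    """Return [(conn, who, dn), ...] for every subject DN that is identical to a
    CA DN of the same connection. An end-entity certificate that carries its
    issuer's DN cannot be told apart from the CA by DN, so such a hit points
    at a certificate that should be reissued with its own subject."""
    cas = {}  # conn -> set of normalised CA DNs ('%any' means no fixed CA)
    for conn, left_ca, right_ca in CA_RE.findall(status):
        cas.setdefault(conn, set()).update(
            parse_dn(d) for d in (left_ca, right_ca) if d != "%any")
    subjects = [(conn, "left", dn) for conn, dn in LEFT_RE.findall(status)]
    subjects += [(conn, f"peer {ip}", dn) for conn, ip, dn in PEER_RE.findall(auth_log)]
    return [(conn, who, dn) for conn, who, dn in subjects
            if parse_dn(dn) in cas.get(conn, set())]


if __name__ == "__main__":
    for conn, who, dn in dn_collisions(AUTH_LOG, STATUS):
        print(f"{conn}: {who} subject DN is identical to a CA DN: {dn}")
```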