Strange that the subject Distinguished Name (DN) of your mailhost
certificate seems to be identical to the DN of the CA.
Could you enable debugging by setting
klipsdebug=none
plutodebug=all
in ipsec.conf and then after you tried to start up the connection
generate a barf:
ipsec barf > barf.txt
and mail it to me. Also the output of
ipsec auto --listall
could be helpful.
Regards
Andreas
Antony Gelberg wrote:
On Wed, Dec 31, 2003 at 04:04:39PM +0100, Reinhold Plew wrote:
maybe you need this in your ipsec.conf to disable OE
Thanks to you and Andreas, that worked great. I'm now getting this in
my /var/log/auth.log:
Jan 2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2:
Peer ID is ID_DER_ASN1_DN: 'C=UK, ST=UK, L=London, O=British WIZO,
OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'
Jan 2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2:
no suitable connection for peer 'C=UK, ST=UK, L=London, O=British WIZO,
OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'
Here's my current ipsec.conf (excluding the OE disable part):
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn mailhost-rw
        type=transport
        left=195.54.235.74
        leftcert=mailhostCert.pem
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        auto=add
        keyingtries=1
        pfs=no
I have tried generating a new CA, certificate, and key, but no joy. I
must be very close now, but still no cigar. This might be useful as
well:
mailhost:/usr/local/sslca# ipsec auto --status
000 interface ipsec0/eth1 195.54.235.74
000
000 debug none
000
000 "mailhost-rw": 195.54.235.74[C=UK, ST=UK, L=London, O=British WIZO,
OU=British WIZO, CN=British WIZO,
[EMAIL PROTECTED]:17/0...%any:17/1701
000 "mailhost-rw": CAs: 'C=UK, ST=UK, L=London, O=British WIZO,
OU=British WIZO, CN=British WIZO,
[EMAIL PROTECTED]'...'%any'
000 "mailhost-rw": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 1
000 "mailhost-rw": policy: RSASIG+ENCRYPT; interface: eth1; unrouted
000 "mailhost-rw": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute
owner: #0
000 "mailhost-rw": IKE algorithms wanted: 5_000-1-5, 5_000-2-5,
5_000-1-2, 5_000-2-2, flags=-strict
000 "mailhost-rw": IKE algorithms found: 5_192-1_128-5,
5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
000 "mailhost-rw": ESP algorithms wanted: 3_000-1, 3_000-2,
flags=-strict
000 "mailhost-rw": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000
000
If there is any more log info that would be useful, please let me know
what to post.
A
_______________________________________________
FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
--
=======================================================================
Andreas Steffen e-mail: [EMAIL PROTECTED]
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
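The check Andreas makes by eye above (the peer's certificate DN being identical to the CA DN shown in the connection's CAs: line) can be automated from the same two sources quoted in the thread. The script below is an added example written for this post; it is not FreeS/WAN code and not part of the original exchange. It parses pluto's "Peer ID is ID_DER_ASN1_DN" log line and the CAs: line of `ipsec auto --status`, normalises both DNs, and reports every connection whose CA DN equals a peer DN. The sample log and status text are constructed from the lines quoted in the thread, with an `E=` attribute standing in for the address the list archive redacted; the regexes and function names are this example's own.

```python
import re

# Constructed sample input modelled on the lines quoted in the thread (the
# terminal prints each of these as a single line; the mail client wrapped
# them). The E= value is a placeholder for the redacted address.
SAMPLE_LOG = (
    'Jan 2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: '
    "Peer ID is ID_DER_ASN1_DN: 'C=UK, ST=UK, L=London, O=British WIZO, "
    "OU=British WIZO, CN=British WIZO, E=redacted@example.invalid'\n"
    'Jan 2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: '
    "no suitable connection for peer 'C=UK, ST=UK, L=London, O=British WIZO, "
    "OU=British WIZO, CN=British WIZO, E=redacted@example.invalid'\n"
)
SAMPLE_STATUS = (
    '000 "mailhost-rw": 195.54.235.74[C=UK, ST=UK, L=London, O=British WIZO, '
    "OU=British WIZO, CN=British WIZO, E=redacted@example.invalid]:17/0...%any:17/1701\n"
    '000 "mailhost-rw": CAs: \'C=UK, ST=UK, L=London, O=British WIZO, '
    "OU=British WIZO, CN=British WIZO, E=redacted@example.invalid'...'%any'\n"
)

# Peer DN as pluto logs it during Main Mode ID payload processing.
PEER_ID_RE = re.compile(r"Peer ID is ID_DER_ASN1_DN: '([^']*)'")
# CAs: line of `ipsec auto --status`: left CA DN ... right CA DN (or %any).
CAS_RE = re.compile(r"^000 \"([^\"]+)\": CAs: '([^']*)'\.\.\.'([^']*)'$", re.M)


def parse_dn(dn):
    """Normalise a comma-separated DN into a tuple of (TYPE, value) pairs so
    that DNs differing only in whitespace or attribute-type case compare
    equal. RDN order is preserved because it is significant in a DN."""
    pairs = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return tuple(pairs)


def peer_dns(log_text):
    """Return every DN pluto logged as the peer's ID_DER_ASN1_DN."""
    return PEER_ID_RE.findall(log_text)


def connection_cas(status_text):
    """Map each connection name in status output to its (left CA, right CA)."""
    return {name: (left, right) for name, left, right in CAS_RE.findall(status_text)}


def diagnose(log_text, status_text):
    """Return (connection, side, peer_dn) for every peer DN that is identical
    to a connection's CA DN: a certificate presenting the CA's own subject
    name instead of a distinct end-entity name."""
    findings = []
    cas = connection_cas(status_text)
    for peer in peer_dns(log_text):
        peer_pairs = parse_dn(peer)
        for conn, sides in cas.items():
            for side, ca_dn in zip(("left", "right"), sides):
                if ca_dn.startswith("%"):  # '%any' is a wildcard, not a DN
                    continue
                if parse_dn(ca_dn) == peer_pairs:
                    findings.append((conn, side, peer))
    return findings


if __name__ == "__main__":
    for conn, side, peer in diagnose(SAMPLE_LOG, SAMPLE_STATUS):
        print(f"{conn}: peer DN equals the {side} CA DN: {peer}")
```

On the sample input the script reports one finding for mailhost-rw, which is exactly the coincidence Andreas points out; on a correctly issued end-entity certificate the subject DN differs from the issuer DN and the list comes back empty.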