My new box has the same /etc/myname.
I copied:
/etc/iked/ca/ca.crt
/etc/iked/certs/1.2.3.4.crt
/etc/iked/crls/ca.crl
/etc/ssl/vpn/*

What did I do wrong/miss? Windows shows error 13826: Failed to verify signature.

On Sun, 10 Nov 2019 13:30:24 -0000 (UTC)
Stuart Henderson <s...@spacehopper.org> wrote:

> On 2019-11-10, Radek <r...@int.pl> wrote:
> > Hi Stuart,
> > I have played around with copying them across but no luck (I get error
> > 13801 in win7). I don't know what I'm doing wrong.
> >
> > Do I need to set the same hostname (/etc/myname) in new box to make old
> > certs working?
> >
> > In my *old* box certs were created as below:
> > [1]ikectl ca vpn create #(CN = hostname)
> > [2]ikectl ca vpn install
> > [3]ikectl ca vpn certificate 1.2.3.4 create
> > [4]ikectl ca vpn certificate 1.2.3.4 install
> > [5]ikectl ca vpn certificate rdk.6501.rac create #(CN = rdk.6501.rac)
> > [6]ikectl ca vpn certificate rdk.6501.rac export
> >
> > What steps do I need to re-run and what exactly files should be
> > copied/edited (/etc/ssl/vpn/ /etc/iked/) to make rdk.6501.rac working in
> > new box?
>
> Oh, I understood from your email that you were just replacing it
> like-for-like.
> If you change the hostname then yes you'll need to a certificate with the
> new hostname, but then of course you will need to change clients to connect
> to the new name.
>
> >
> > On Fri, 8 Nov 2019 11:59:56 -0000 (UTC)
> > Stuart Henderson <s...@spacehopper.org> wrote:
> >
> >> On 2019-11-08, radek <r...@int.pl> wrote:
> >> > Hello,
> >> >
> >> > I'm going to replace 6.5 router with new 6.6 box. Is it necessary to
> >> > generate new iked certificates in every new installation or there is a
> >> > way to move and use "old" certificates in new install? Road warriors
> >> > would be happy with that.
> >> >
> >> > Thank you for guiding me on this journey.
> >> >
> >>
> >> Just copy them across.
> >>
> >>
> >
> >
>

--
Radek
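A check for the situation in this thread, added here as an example and not posted by anyone in the thread: it confirms that a copied server certificate chains to the copied CA and that its public key matches the private key the gateway would sign with. Assumptions: the key path /etc/iked/private/local.key in the usage comment is iked's default and is not mentioned in the thread; check_iked_cert and make_test_pki are hypothetical names, and make_test_pki only builds constructed throwaway test data.

```shell
#!/bin/sh
# Added example: sanity-check copied iked certificate material with openssl.
# Assumption: iked signs with /etc/iked/private/local.key (its default path,
# not mentioned in the thread). Function names are hypothetical.

# check_iked_cert CA_CERT SERVER_CERT PRIVATE_KEY
# returns 0 = ok, 1 = certificate does not chain to CA, 2 = cert/key mismatch
check_iked_cert() {
    ca=$1; crt=$2; key=$3
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt is not signed by $ca" >&2
        return 1
    fi
    # Public key embedded in the certificate vs. public half of the private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $crt" >&2
        return 2
    fi
    echo "OK: $crt chains to $ca and matches $key"
}

# make_test_pki DIR: constructed sample data (throwaway CA, one server
# certificate for 1.2.3.4, plus an unrelated key like a fresh install has).
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=1.2.3.4" \
        -keyout "$dir/old.key" -out "$dir/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/1.2.3.4.crt" 2>/dev/null &&
    openssl genrsa -out "$dir/new.key" 2048 2>/dev/null
}

# Usage on the gateway:
#   sh check.sh /etc/iked/ca/ca.crt /etc/iked/certs/1.2.3.4.crt \
#       /etc/iked/private/local.key
if [ "$#" -eq 3 ]; then
    check_iked_cert "$@"
fi
```

A return code of 2 means the certificate was issued for a different key pair than the one on the box, so a peer cannot validate signatures made with that key against the certificate.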