 From:  "Naber, Peter" <peter dot naber at alfa dot de>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  asn1dn identifier
 Date:  Thu, 24 Nov 2005 15:42:57 +0100
Hi,

I am trying to build a tunnel between m0n0wall and openswan IPsec with X.509 certificates, but I have a
problem with the identifier.
I think m0n0wall needs the identifier "asn1dn" or similar so that identification will work
correctly in combination with openswan certificate authentication.
This identifier would have to be filled in automatically with the Subject of the certificate, or the user of
m0n0wall would have the chance to enter the Subject DN of the certificate in a text field.
Is this possible, or would this feature violate an RFC?
Regards,

Peter Naber

------------- cut here ---------------------

Log file of openswan IPsec:

Oct  7 15:11:53 lnx pluto[32311]: |    match_id a=@alfa.test.org
Oct  7 15:11:53 lnx pluto[32311]: |             b=C=DE, ST=Hessen, L=Frankfurt, O=alfa-it Systems GmbH, OU=System House, CN=alfa.test.org, SN=5
Oct  7 15:11:53 lnx pluto[32311]: |    results  fail


-------- openswan ipsec config -----------
conn x509test
       type=tunnel
       # both ends authenticate with RSA signatures on X.509 certificates
       authby=rsasig
       keyingtries=0
       left=xx.xx.xx.xx
       leftsubnet=xx.xx.xx.xx/255.255.255.0
       leftrsasigkey=%cert
       # right is the m0n0wall end (any address); the ID it sends must match rightid
       right=%any
       rightid="C=DE, ST=Hessen, L=Frankfurt, O=alfa-it Systems GmbH, OU=System House, CN=alfa.test.org/emailAddress=peter dot naber at xx dot de"
       rightrsasigkey=%cert
       rightcert=/etc/ipsec.d/certs/alfa.pem
       keylife=2h
       ikelifetime=1h
       ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
       esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
       auto=add
       pfs=yes
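An added example, not part of Peter's mail and not m0n0wall or openswan code: the peer-identity comparison that the `match_id` log lines above refer to, modelled in Python. The sample identities are constructed from the strings quoted in the mail (the logged `a=` and `b=` values and the posted `rightid`). It accepts both `,` and `/` as RDN separators because the posted `rightid` mixes them; the attribute-alias table, the exact (case-sensitive) comparison of RDN values and the treatment of a non-`@`, non-DN string as an IP address are assumptions of this example, not a description of either implementation.

```python
import re
from typing import List, Tuple

RDN = Tuple[str, str]

# Constructed sample input, taken from the values quoted in the mail above.
LOG_ID_A = "@alfa.test.org"
LOG_ID_B = ("C=DE, ST=Hessen, L=Frankfurt, O=alfa-it Systems GmbH, "
            "OU=System House, CN=alfa.test.org, SN=5")
RIGHTID = ("C=DE, ST=Hessen, L=Frankfurt, O=alfa-it Systems GmbH, "
           "OU=System House, CN=alfa.test.org/emailAddress=peter dot naber at xx dot de")

# Attribute-type spellings treated as equivalent. Assumption for this
# example only; real implementations carry their own OID tables.
TYPE_ALIASES = {"E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS"}

# Split on ',' or '/' only when what follows looks like 'type=' so that a
# separator inside a value is left alone.
_RDN_SPLIT = re.compile(r"\s*[,/]\s*(?=[A-Za-z][A-Za-z0-9]*=)")


def id_kind(ident: str) -> str:
    """Classify an IKE identity string by its config-file syntax:
    '@name' is an FQDN, 'type=value, ...' is a DN (asn1dn); anything
    else is taken to be an IP address (assumption of this example)."""
    if ident.startswith("@"):
        return "fqdn"
    if "=" in ident:
        return "asn1dn"
    return "ipaddr"


def parse_dn(dn: str) -> List[RDN]:
    """Turn 'C=DE, ST=Hessen/CN=x' into an ordered list of (TYPE, value).
    Attribute types are upper-cased and aliases folded; values are kept
    verbatim."""
    rdns: List[RDN] = []
    for part in _RDN_SPLIT.split(dn.strip()):
        if not part:
            continue
        typ, _, val = part.partition("=")
        typ = typ.strip().upper()
        rdns.append((TYPE_ALIASES.get(typ, typ), val.strip()))
    return rdns


def match_id(a: str, b: str) -> bool:
    """Peer-ID comparison: identities of different kinds never match; two
    DNs match only if every RDN agrees in type and value, in order.
    FQDNs and addresses are compared case-insensitively."""
    if id_kind(a) != id_kind(b):
        return False
    if id_kind(a) == "asn1dn":
        return parse_dn(a) == parse_dn(b)
    return a.lower() == b.lower()


def dn_diff(a: str, b: str) -> Tuple[List[RDN], List[RDN]]:
    """RDNs present only in a, and RDNs present only in b (order ignored),
    to explain why a DN comparison failed."""
    ra, rb = parse_dn(a), parse_dn(b)
    return [r for r in ra if r not in rb], [r for r in rb if r not in ra]


if __name__ == "__main__":
    # The logged attempt: one side offered an FQDN, the other expected a DN.
    print(id_kind(LOG_ID_A), "vs", id_kind(LOG_ID_B), "->", match_id(LOG_ID_A, LOG_ID_B))
    # Even a DN identity has to equal the expected DN RDN for RDN.
    only_in_rightid, only_in_cert = dn_diff(RIGHTID, LOG_ID_B)
    print("rightid matches logged subject:", match_id(RIGHTID, LOG_ID_B))
    print("only in rightid:", only_in_rightid)
    print("only in logged subject:", only_in_cert)
```

Running it shows two separate things the log lines already contain: the FQDN `@alfa.test.org` can never match a DN whatever its contents, because the identity kinds differ, and the posted `rightid`, read as a DN, also differs from the logged subject `b=` (it carries an `emailAddress` RDN where the logged subject has `SN=5`), so a DN-typed identity would still have to be spelled exactly like the certificate subject to pass.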