 From:  "TIC. Jefe Div. Sistemas (Enrique Maldonado)" <enrique at directemar dot cl>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] IPSec with w0n0wall
 Date:  Thu, 7 Jul 2005 15:55:35 -0400
Do you have any record in the log about racoon?

In your file you have the identity of the local m0n0 and the IP of the
remote gateway identical (192.168.100.253); that is correct only if you are
using the same certificate in both machines, and that's not good anyway.

One very important thing when you are using X.509 certificates is to have the
identity defined in the configuration match the identity inside the
certificate.  For example, if you have:
> <myident>
>     <address>192.168.100.253</address>
> </myident>

in your configuration file, then look inside the certificate with openssl
using:

# openssl x509 -in hostcertificate.crt -noout -text

At the end of the displayed data you have to see:

        X509v3 extensions:
            X509v3 Subject Alternative Name: critical
            IP Address:192.168.100.253

Regards,

Enrique M.
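The check described above (the <myident><address> value must appear as an IP address in the certificate's Subject Alternative Name, and the local identity should not be the same address as the remote gateway) can be automated. The following is an added example, not code from the list posts or from m0n0wall itself; it parses the <ipsec> section of a config.xml and the text output of `openssl x509 -noout -text`, both embedded here as constructed samples, and reports any mismatch.

```python
"""Check a m0n0wall IPsec phase-1 identity against the X.509 certificate.

Added example (not from the mailing-list thread or the m0n0wall project).
It reads the <ipsec> block of a config.xml and the tail of
`openssl x509 -in hostcertificate.crt -noout -text`, then reports:
  * a <myident><address> that equals the <remote-gateway> (local and remote
    identities must differ unless both ends share one certificate);
  * a <myident><address> that is not listed as "IP Address:" in the
    certificate's Subject Alternative Name extension.
Only stdlib is used so the script runs offline.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample config, same element names as the thread's <ipsec> block.
SAMPLE_CONFIG = """
<ipsec>
  <enable/>
  <tunnel>
    <interface>opt1</interface>
    <remote-subnet>192.168.1.0/24</remote-subnet>
    <remote-gateway>192.168.100.253</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <myident><address>192.168.100.253</address></myident>
      <authentication_method>rsasig</authentication_method>
    </p1>
  </tunnel>
</ipsec>
"""

# Constructed sample of the openssl text output tail (not a real certificate).
SAMPLE_OPENSSL_TEXT = """
        X509v3 extensions:
            X509v3 Subject Alternative Name: critical
                IP Address:192.168.100.1, DNS:vpn.example.test
    Signature Algorithm: sha1WithRSAEncryption
"""

# openssl prints the SAN header line, then the entries on the next line.
SAN_RE = re.compile(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)")


def parse_san(openssl_text):
    """Return SAN entries grouped by type, e.g. {'IP Address': [...], 'DNS': [...]}."""
    entries = {}
    m = SAN_RE.search(openssl_text)
    if not m:
        return entries
    for item in m.group(1).split(","):
        kind, _, value = item.strip().partition(":")
        entries.setdefault(kind.strip(), []).append(value.strip())
    return entries


def parse_tunnels(config_xml):
    """Yield the phase-1 identity settings of every <tunnel> in the config."""
    root = ET.fromstring(config_xml)
    for tunnel in root.iter("tunnel"):
        p1 = tunnel.find("p1")
        if p1 is None:
            continue
        yield {
            "myident": (p1.findtext("myident/address") or "").strip(),
            "remote_gateway": (tunnel.findtext("remote-gateway") or "").strip(),
            "auth": (p1.findtext("authentication_method") or "").strip(),
        }


def check_identity(config_xml, openssl_text):
    """Return a list of problems; an empty list means the identity is consistent."""
    problems = []
    san_ips = parse_san(openssl_text).get("IP Address", [])
    for t in parse_tunnels(config_xml):
        if t["auth"] != "rsasig":
            continue  # the SAN check only matters for certificate authentication
        if t["myident"] == t["remote_gateway"]:
            problems.append("myident equals remote-gateway (%s)" % t["myident"])
        if t["myident"] not in san_ips:
            problems.append("myident %s is not among certificate SAN IPs %s"
                            % (t["myident"], san_ips))
    return problems


if __name__ == "__main__":
    for problem in check_identity(SAMPLE_CONFIG, SAMPLE_OPENSSL_TEXT) or ["identity OK"]:
        print(problem)
```

With the constructed samples the script reports both problems; changing the sample's <address> to 192.168.100.1 (the SAN IP) clears them. To run it against a real box, replace the two sample strings with the contents of config.xml and the saved openssl output.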

> -----Original message-----
> From: Christian Hollaender [mailto:christian dot hollaender at gmail dot com]
> Sent: Thursday, July 07, 2005 11:19 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] IPSec with w0n0wall
> 
> Hi!
> 
> I am running version 1.2b9 and I can't see a racoon running.
> I use the following ipsec configuration:
> 
> <ipsec>
>     <enable/>
>     <tunnel>
>         <interface>opt1</interface>
>         <local-subnet>
>             <network>lan</network>
>         </local-subnet>
>         <remote-subnet>192.168.1.0/24</remote-subnet>
>         <remote-gateway>192.168.100.253</remote-gateway>
>         <p1>
>             <mode>aggressive</mode>
>             <myident>
>                 <address>192.168.100.253</address>
>             </myident>
>             <encryption-algorithm>3des</encryption-algorithm>
>             <hash-algorithm>sha1</hash-algorithm>
>             <dhgroup>2</dhgroup>
>             <lifetime/>
>             <pre-shared-key/>
>             <private-key>[our private key]</private-key>
>             <cert>[Here is a certificate]</cert>
>             <peercert/>
>             <authentication_method>rsasig</authentication_method>
>         </p1>
>         <p2>
>             <protocol>esp</protocol>
>             <encryption-algorithm-option>3des</encryption-algorithm-option>
>             <encryption-algorithm-option>blowfish</encryption-algorithm-option>
>             <encryption-algorithm-option>cast128</encryption-algorithm-option>
>             <encryption-algorithm-option>rijndael</encryption-algorithm-option>
>             <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
>             <hash-algorithm-option>hmac_md5</hash-algorithm-option>
>             <pfsgroup>0</pfsgroup>
>             <lifetime/>
>         </p2>
>         <descr>J Router</descr>
>     </tunnel>
>     <cacert>
>         <ident>own</ident>
>         <cert>[Here is a certificate]</cert>
>     </cacert>
> </ipsec>
> 
> What else do I need to get racoon running?
> 
> thanks in advance
> 
> Christian
> 