Naber, Peter wrote:

>Hi,
>
>I try to build a tunnel between m0n0wall and openswan ipsec with x509 certificates.
>I got a problem with the Identifier.
>I try domain and fqdn as an identifier, but the items are different:
>What can I do?
>
>regards,
>
>Peter Naber
>
>------------- cut here ---------------------
>
>Logfile of openswan ipsec:
>
>Oct 7 15:11:53 lnx pluto[32311]: | match_id a=@alfa.test.org
>Oct 7 15:11:53 lnx pluto[32311]: | b=C=DE, ST=Hessen, L=Frankfurt, O=alfa-it Systems GmbH, OU=System House, CN=alfa.test.org, SN=5
>Oct 7 15:11:53 lnx pluto[32311]: | results fail
>
>
>-------- openswan ipsec config -----------
>conn x509test
>        type=tunnel
>        authby=rsasig
>        keyingtries=0
>        left=xx.xx.xx.xx
>        leftsubnet=xx.xx.xx.xx/255.255.255.0
>        leftrsasigkey=%cert
>        right=%any
>        rightid="C=DE, ST=Hessen, L=Frankfurt, O=alfa-it Systems GmbH, OU=System House, CN=alfa.test.org/emailAddress=peter dot naber at xx dot de"
>        rightrsasigkey=%cert
>        rightcert=/etc/ipsec.d/certs/alfa.pem
>        keylife=2h
>        ikelifetime=1h
>        ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
>        esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
>        auto=add
>        pfs=yes

Use a psk instead? Works for me... :)
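An added example, not part of the original thread and not openswan code: a small Python helper that reads a `match_id` trace like the one quoted above and reports whether the two IDs are even of the same type. The function names are hypothetical, the classification follows the ipsec.conf notation (a leading `@` marks an FQDN, a string of attribute=value pairs a distinguished name), and it assumes IDs of different types can never match.

```python
import ipaddress
import re

# Constructed sample: the three pluto debug lines quoted in the post above.
SAMPLE_LOG = """\
Oct 7 15:11:53 lnx pluto[32311]: | match_id a=@alfa.test.org
Oct 7 15:11:53 lnx pluto[32311]: | b=C=DE, ST=Hessen, L=Frankfurt, O=alfa-it Systems GmbH, OU=System House, CN=alfa.test.org, SN=5
Oct 7 15:11:53 lnx pluto[32311]: | results fail
"""

ID_LINE = re.compile(r"pluto\[\d+\]: \|\s+(?:match_id\s+)?(a|b)=(.*)$")
RESULT = re.compile(r"pluto\[\d+\]: \|\s+results\s+(\w+)")
DN_START = re.compile(r"^(?:[A-Za-z]+|\d+(?:\.\d+)+)=")  # "C=DE, ..." or an OID


def id_kind(text):
    """Classify an ID string by its ipsec.conf-style notation."""
    text = text.strip()
    if text.startswith("@"):
        return "FQDN"
    if DN_START.match(text):
        return "DN"
    try:
        ipaddress.ip_address(text)
        return "IP_ADDR"
    except ValueError:
        return "USER_FQDN" if "@" in text else "UNKNOWN"


def explain(log):
    """Return (kind_a, kind_b, result, note) for one match_id trace."""
    ids, result = {}, None
    for line in log.splitlines():
        m = ID_LINE.search(line)
        r = RESULT.search(line)
        if m:
            ids[m.group(1)] = m.group(2)
        elif r:
            result = r.group(1)
    ka, kb = id_kind(ids.get("a", "")), id_kind(ids.get("b", ""))
    if ka != kb:
        note = f"ID types differ ({ka} vs {kb}); both ends must use the same type"
    else:
        note = "same ID type; compare the values field by field"
    return ka, kb, result, note


if __name__ == "__main__":
    print(explain(SAMPLE_LOG))
```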