 From:  "Naber, Peter" <peter dot naber at alfa dot de>
 To:  "Alex Neuman van der Hans" <alex at nkpanama dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] X509 Tunnel m0n0wall to openswan
 Date:  Mon, 10 Oct 2005 10:10:44 +0200

I use the certificates for dynamic IP addresses, so certificates are necessary for me.
I am testing m0n0wall for the first time and I don't know much about the product.
At the weekend I did some research on g*ggle and found some possible solutions for the problem.
I think m0n0wall needs the identifier "asn1dn" or similar. This identifier must be filled with the
subject of the certificate, or the m0n0wall user should have the chance to declare the DN of the
certificate in a text field.
Where can I find the wishlist for m0n0wall on the net, to add this extra function for the next
version ?-)


Peter Naber

-----Original Message-----
From: Alex Neuman van der Hans [mailto:alex at nkpanama dot com]
Sent: Saturday, 8 October 2005 01:25
To: Naber, Peter
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] X509 Tunnel m0n0wall to openswan

Naber, Peter wrote:

>I am trying to build a tunnel between m0n0wall and openswan ipsec with x509 certificates.
>I have a problem with the identifier.
>I tried domain and FQDN as an identifier, but the items are different:
>What can I do ??
>Peter Naber
>------------- cut here ---------------------
>Logfile of openswan ipsec:
>Oct  7 15:11:53 lnx pluto[32311]: |    match_id a=@alfa.test.org
>Oct  7 15:11:53 lnx pluto[32311]: |             b=C=DE, ST=Hessen, L=Frankfurt, O=alfa-it Systems GmbH, OU=System House, CN=alfa.test.org, SN=5
>Oct  7 15:11:53 lnx pluto[32311]: |    results  fail
>-------- openswan ipsec config -----------
>conn x509test
>       type=tunnel
>       authby=rsasig
>       keyingtries=0
>       left=xx.xx.xx.xx
>       leftsubnet=xx.xx.xx.xx/
>       leftrsasigkey=%cert
>       right=%any
>       rightid="C=DE, ST=Hessen, L=Frankfurt, O=alfa-it Systems GmbH, OU=System House, CN=alfa.test.org/emailAddress=peter dot naber at xx dot de"
>       rightrsasigkey=%cert
>       rightcert=/etc/ipsec.d/certs/alfa.pem
>       keylife=2h
>       ikelifetime=1h
>       esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
>       auto=add
>       pfs=yes
Use a psk instead? Works for me... :)
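As an added example (not code from m0n0wall, Openswan or anyone on this thread), here is a small Python model of the identifier comparison that the quoted pluto log shows failing. It parses leftid/rightid-style strings into typed identifiers, treats an FQDN identifier such as `@alfa.test.org` and a distinguished name as incomparable types, and normalises the two DN spellings that appear in the thread (the comma-separated form in the log, the slash-separated `/emailAddress=` form in the config) so they can be compared RDN by RDN. The sample identifiers are constructed from the strings quoted above; note that the `rightid` in the quoted config ends in `emailAddress=...` while the subject DN in the log ends in `SN=5`, so even a DN-typed identifier would not match until those two agree. How pluto's `match_id` is implemented is not shown on this page; the classification and comparison rules below are the example's own assumptions.

```python
"""Model of IKE identifier matching between a configured rightid and a peer's
X.509 subject. Added example for this thread; it is not m0n0wall or Openswan
code, and the comparison rules are assumptions, not pluto's actual match_id."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class IkeId:
    kind: str      # "FQDN", "USER_FQDN", "IPV4" or "DN"
    value: tuple   # normalised, comparable representation


# Split a DN on unescaped ", " or "/" so both "C=DE, ST=Hessen" and
# "/C=DE/ST=Hessen" spellings parse to the same RDN sequence.
_RDN_SPLIT = re.compile(r"(?<!\\),\s*|(?<!\\)/")


def parse_dn(text: str) -> tuple:
    """Normalise a DN string into a tuple of (ATTRIBUTE, value) pairs."""
    rdns = []
    for part in _RDN_SPLIT.split(text.strip()):
        if not part:
            continue                      # a leading "/" yields an empty piece
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, val = part.split("=", 1)
        rdns.append((attr.strip().upper(), val.strip()))
    return tuple(rdns)


def parse_id(text: str) -> IkeId:
    """Classify an identifier string (assumed rules): '@host' is an FQDN,
    anything containing '=' is a DN, 'user@host' is a user FQDN, and a
    dotted quad is an IPv4 address."""
    t = text.strip()
    if t.startswith("@"):
        return IkeId("FQDN", (t[1:].lower(),))
    if "=" in t:
        return IkeId("DN", parse_dn(t))
    if "@" in t:
        return IkeId("USER_FQDN", (t.lower(),))
    try:
        return IkeId("IPV4", (str(ipaddress.IPv4Address(t)),))
    except ipaddress.AddressValueError:
        raise ValueError(f"unrecognised identifier: {text!r}") from None


def match_id(a: str, b: str) -> Tuple[bool, str]:
    """Compare two identifiers. Different ID types never match, whatever the
    text says; DNs match only when every RDN agrees, in order, and the first
    disagreement is reported so the operator can see which attribute to fix."""
    ia, ib = parse_id(a), parse_id(b)
    if ia.kind != ib.kind:
        return False, f"type mismatch: {ia.kind} vs {ib.kind}"
    if ia.kind != "DN":
        return ia.value == ib.value, "exact compare"
    for ra, rb in zip(ia.value, ib.value):
        if ra != rb:
            return False, f"RDN differs: {ra} vs {rb}"
    if len(ia.value) != len(ib.value):
        return False, f"RDN count differs: {len(ia.value)} vs {len(ib.value)}"
    return True, "DN match"


# Sample identifiers, constructed from the strings quoted in the thread.
PEER_SENT_ID = "@alfa.test.org"
CERT_SUBJECT = ("C=DE, ST=Hessen, L=Frankfurt, O=alfa-it Systems GmbH, "
                "OU=System House, CN=alfa.test.org, SN=5")
CONFIGURED_RIGHTID = ("C=DE, ST=Hessen, L=Frankfurt, O=alfa-it Systems GmbH, "
                      "OU=System House, CN=alfa.test.org"
                      "/emailAddress=peter dot naber at xx dot de")
SUBJECT_SLASH_FORM = ("/C=DE/ST=Hessen/L=Frankfurt/O=alfa-it Systems GmbH"
                      "/OU=System House/CN=alfa.test.org/SN=5")


def demo() -> dict:
    """Run the three comparisons the thread raises."""
    return {
        "fqdn_vs_subject": match_id(PEER_SENT_ID, CERT_SUBJECT),
        "rightid_vs_subject": match_id(CONFIGURED_RIGHTID, CERT_SUBJECT),
        "subject_vs_slash_form": match_id(CERT_SUBJECT, SUBJECT_SLASH_FORM),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'match' if ok else 'fail'} ({why})")
```

Running the block reproduces the failure in the log (FQDN against DN is a type mismatch), shows that the quoted `rightid` would still not match the certificate subject because the last RDN differs, and confirms that the slash and comma spellings of the same DN compare equal once normalised.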