From: Ruma C. <rch...@no...> - 2005-09-09 06:22:39
Hi,

I have tested a similar scenario and it seems to work. A part of the racoon.conf configuration is copied below.

    remote anonymous {
        exchange_mode main;
        certificate_type x509 "server_cert.pem" "server_key.pem";
        peers_certfile x509 "client_certificate.pem";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method rsasig;
            dh_group modp1024;
        }
    }

Differences in line 1 and line 4, compared to your configuration, can be noticed. I have copied the peer's certificate file to "/etc/cert" on the server. Similarly, the certificate file of the server (server_cert.pem) should be copied into /etc/cert on the client, and similar configuration changes apply on the client side as well. The rest of the configuration is similar to what you have done. In this case everything seems to be working as expected.

>>> <hui...@ho...> 08/30/05 5:52 AM >>>

Hello!

I am testing racoon with x509 certificates between two machines in transport mode. I use IPv6 addresses. The server's address is 3ffe:302:2700::2, the client's address is 3ffe:302:2700::4. On both sides I run

    setkey -f setkey.conf
    racoon -F -f racoon.conf

After the client runs ping6 to the server's address, the server gets the following messages:

    2005-08-26 10:44:04: INFO: begin Identity Protection mode.
    2005-08-26 10:44:14: NOTIFY: the packet is retransmitted by 3ffe:302:2700::4[500].
    2005-08-26 10:44:24: NOTIFY: the packet is retransmitted by 3ffe:302:2700::4[500].
    2005-08-26 10:44:34: NOTIFY: the packet is retransmitted by 3ffe:302:2700::4[500].
    2005-08-26 10:44:35: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 3ffe:302:2700::4->3ffe:302:2700::2
    2005-08-26 10:44:35: INFO: delete phase 2 handler.
    2005-08-26 10:44:44: NOTIFY: the packet is retransmitted by 3ffe:302:2700::4[500].
    2005-08-26 10:44:47: ERROR: no configuration found for 3ffe:302:2700::2.
    2005-08-26 10:44:47: ERROR: failed to begin ipsec sa negotication.

I don't know why it says no configuration for 3ffe:302:2700::2. The following is part of the server's racoon.conf:

    path certificate "/etc/cert";

    remote 3ffe:0302:2700::2 {
        exchange_mode main;
        certificate_type x509 "hacert.pem" "hakey.pem";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method rsasig;
            dh_group modp1024;
        }
    }

    sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
    }

The server's setkey.conf:

    spdadd 3ffe:0302:2700::2/64 3ffe:0302:2700::4/64 any -P out ipsec esp/transport//require;
    spdadd 3ffe:0302:2700::4/64 3ffe:0302:2700::2/64 any -P in ipsec esp/transport//require;

On the client, I reverse the IP addresses, take out "passive on" and use the client's certificate instead.

    cd /etc/cert
    ls -la
    drwxr-xr-x 2 root root 4096 8 25 09:28 .
    drwxr-xr-x 5 root root 4096 8 25 08:36 ..
    lrwxrwxrwx 1 root root   10 8 25 08:50 5daae32b.0 -> cacert.pem
    lrwxrwxrwx 1 root root    7 8 25 09:27 5daae32b.r0 -> crl.pem
    -rw-r--r-- 1 root root 1147 8 25 08:46 cacert.pem
    -rw-r--r-- 1 root root  471 8 25 08:53 crl.pem
    -rw-r--r-- 1 root root 3390 8 25 08:36 mncert.pem
    -rw-r--r-- 1 root root  887 8 26 10:24 mnkey.pem
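An added example, not code from either poster or from the racoon project: a small Python checker that cross-references the "remote" blocks of a racoon.conf against the peer addresses implied by the spdadd policies in a setkey.conf. It assumes only that racoon selects the remote block by the peer's IP address, with "remote anonymous" as the catch-all, and it parses just the statement forms that appear in this thread. The embedded configs are the server-side ones posted above plus a hypothetical corrected pair (remote block keyed on the client's address, host-only selectors); the local address passed to the checker is an input, not something it discovers.

```python
"""Cross-check racoon.conf 'remote' blocks against setkey.conf spdadd peers.

Findings are (kind, detail) tuples:
  self_remote   - a remote block keyed on our own address (not a peer)
  no_remote     - an SPD peer selector no remote block (or 'anonymous') covers
  wide_selector - a peer selector broader than one host, so the kernel may
                  ACQUIRE SAs for peers other than the one a remote block names
"""
import ipaddress
import re

# Statement forms handled (the ones that appear in the thread):
#   remote <address | anonymous> {             (racoon.conf)
#   spdadd <src> <dst> <upperspec> -P <in|out> (setkey.conf)
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)\s*\{", re.MULTILINE)
SPDADD_RE = re.compile(
    r"^\s*spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\b", re.MULTILINE)

# Server-side configuration as posted in the thread.
SERVER_RACOON_CONF = """
path certificate "/etc/cert";
remote 3ffe:0302:2700::2 {
    exchange_mode main;
    certificate_type x509 "hacert.pem" "hakey.pem";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
}
"""
SERVER_SETKEY_CONF = """
spdadd 3ffe:0302:2700::2/64 3ffe:0302:2700::4/64 any -P out ipsec esp/transport//require;
spdadd 3ffe:0302:2700::4/64 3ffe:0302:2700::2/64 any -P in ipsec esp/transport//require;
"""

# Hypothetical corrected pair (assumption, not from the thread): the remote
# block names the client, and the SPD selectors are single hosts.
FIXED_RACOON_CONF = """
path certificate "/etc/cert";
remote 3ffe:302:2700::4 {
    exchange_mode main;
    certificate_type x509 "hacert.pem" "hakey.pem";
    peers_certfile x509 "mncert.pem";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
}
"""
FIXED_SETKEY_CONF = """
spdadd 3ffe:302:2700::2/128 3ffe:302:2700::4/128 any -P out ipsec esp/transport//require;
spdadd 3ffe:302:2700::4/128 3ffe:302:2700::2/128 any -P in ipsec esp/transport//require;
"""


def _net(selector):
    """Parse 'addr' or 'addr/prefix' into an ip_network (host => /128 or /32)."""
    return ipaddress.ip_network(selector, strict=False)


def remote_blocks(racoon_conf):
    """Selectors of all remote blocks: ip_network objects, or 'anonymous'."""
    return ["anonymous" if s == "anonymous" else _net(s)
            for s in REMOTE_RE.findall(racoon_conf)]


def policy_peers(setkey_conf):
    """Peer selectors implied by the SPD: dst of '-P out', src of '-P in'."""
    peers = []
    for src, dst, direction in SPDADD_RE.findall(setkey_conf):
        net = _net(dst if direction == "out" else src)
        if net not in peers:
            peers.append(net)
    return peers


def check(racoon_conf, setkey_conf, local_addr):
    """Return the list of findings; an empty list means every SPD peer is
    covered by a remote block that is not keyed on our own address."""
    local = ipaddress.ip_address(local_addr)
    remotes = remote_blocks(racoon_conf)
    anonymous = "anonymous" in remotes
    findings, peer_remotes = [], []
    for r in remotes:
        if r == "anonymous":
            continue
        if local in r:
            findings.append(("self_remote", str(r.network_address)))
        else:
            peer_remotes.append(r)
    for peer in policy_peers(setkey_conf):
        covered = anonymous or any(
            r.version == peer.version and r.subnet_of(peer)
            for r in peer_remotes)
        if not covered:
            findings.append(("no_remote", str(peer)))
        if peer.prefixlen < peer.max_prefixlen:
            findings.append(("wide_selector", str(peer)))
    return findings


if __name__ == "__main__":
    for kind, detail in check(SERVER_RACOON_CONF, SERVER_SETKEY_CONF,
                              "3ffe:302:2700::2"):
        print(f"{kind}: {detail}")
```

Run against the posted server files it reports that the only remote block is keyed on the server's own address, that the /64 peer selector has no remote block covering it, and that the selector is wider than a single host; the corrected pair produces no findings. Whether those are the cause of the specific error in the log is not something the checker can decide, it only makes the mismatch between the two files visible before racoon is started.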