From: Erich T. <eri...@th...> - 2008-04-24 12:55:31
Tom

Tom Hendrickx wrote:
> Hey
>
> Quoting Erich Titl <eri...@th...>:
>
>> Tom
>>
>> Tom Hendrickx wrote:
>>> Hi! thanks Charles for your reply, but I fear it didn't help..
>>>
>>> the subnet for the roadwarrior I got from here :
>>> http://wiki.openswan.org/index.php/Openswan/ExtrudedSubnetRoadWarrior
>> This example only shows an extruded subnet consisting of a _single_
>> address, not a subnet. _And_ it uses the %defaultroute and the %any
>> as addresses for the right party, e.g. the road warrior. Now the keys
>> in this case come from DNS, which might not be the case in your
>> environment.
>>
> Indeed, I work with self-made certificates and keys.. RSA keys made by tinyCA2

This should not be a problem.

>
>> Please have a look at the auth.log and/or ipsec barf to see what
>> state your connection is in.
>>
> and looking at ipsec barf, the keys seem to be the problem..
> on both sides it says:
> loading secrets from "/etc/ipsec.secrets"
> "/etc/ipsec.secrets" line 2: unrecognized key format: client-key.pem

Well, there is a defined format for ipsec.secrets with X.509 certificates.

In my case it is : RSA gatekeeper.key

>
> and after this at the authentication, it's unable to find the key for
> RSA Signature.. no surprise :-)
>
> for configuring secrets I followed:
> http://leaf.sourceforge.net/doc/bucu-openswan.html
>
> and in secrets I have : ": client-key.pem test"

This is wrong, see above.

>
> for making my keys I followed:
> http://leaf.sourceforge.net/doc/bucu-tinyca.html
>

Actually the original documentation is at openswan.org. I must admit it is kind of terse :-) Some of the configuration stuff is difficult to come by, there is always http://www.freeswan.org/

cheers

Erich
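The check that produces the "unrecognized key format" message in this thread can be reproduced offline. The following is an added example, not code from the post or from Openswan: `lint_secrets` is a hypothetical helper, the sample file is constructed, and it assumes only the `PSK` and `RSA` key-type keywords need to be recognised.

```python
import shlex

# Assumption: only the PSK and RSA key-type keywords are checked here.
KEY_TYPES = {"PSK", "RSA"}

# Constructed sample: line 2 is the entry quoted in the thread,
# line 3 is the form given in the reply.
SAMPLE = '''# constructed sample, not a real secrets file
: client-key.pem test
: RSA gatekeeper.key
192.0.2.1 192.0.2.2 : PSK "constructed-secret"
'''

def lint_secrets(text):
    """Return a list of (line_number, message) for malformed entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Entries start at the left margin; blank lines, comments and
        # indented continuation lines are not entry headers.
        if not raw.strip() or raw[0].isspace() or raw.startswith("#"):
            continue
        try:
            tokens = shlex.split(raw)  # honours quoted secrets
        except ValueError as exc:
            findings.append((lineno, f"unparsable line: {exc}"))
            continue
        if tokens[0] == "include":
            continue
        if ":" not in tokens:
            findings.append((lineno, "no ':' between selectors and secret"))
            continue
        rest = tokens[tokens.index(":") + 1:]
        if not rest:
            findings.append((lineno, "nothing after ':'"))
        elif rest[0] not in KEY_TYPES:
            # The token after ':' must name the key type, not the file.
            findings.append((lineno, f"unrecognized key format: {rest[0]}"))
        elif len(rest) < 2:
            findings.append((lineno, f"{rest[0]} entry has no secret or key file"))
    return findings

if __name__ == "__main__":
    for lineno, message in lint_secrets(SAMPLE):
        print(f"line {lineno}: {message}")
```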