On Saturday 25 January 2003 05:02 pm, Victor B. Berdin wrote:
> Hello everyone,
>
> How do you guys go about with subnet-2-subnet VPN Interop
> between Dachstein1.0.2 and WIN2K? If I were to use
> "fwscert" extracted RSA keys from my serverkey.pem (since
> FSwan lower than 1.96 does not support the RSA cert key
> line declaration in ipsec.secrets), and place the p12 cert extract
> of my clientcert.pem on the WIN2K side, I'm assuming that my
> DS ipsec.conf and ipsec.secrets should look like this:
>
> config setup
>         interfaces=%defaultroute
>         klipsdebug=none
>         plutodebug=none
>         plutoload=%search
>         plutostart=%search
>         uniqueids=yes
>
> conn %default
>         keyingtries=0
>         left=<DS external IP>
>         leftsubnet=<DS internal net/nmask>
>         leftnexthop=<DS GW>
>         pfs=yes
>
> conn WIN2K
>         authby=rsasig
>         leftrsasigkey=<fswcert -l -c servercert.pem>
>         leftid="C=PH, ST=MLA, L=MKT, O=DG, ...
>         right=<WIN2K external IP>
>         rightsubnet=<WIN2K internal net/nmask>
>         rightid="C=PH, ST=MLA, L=MKT, O=DG, ...
>         auto=start

Where's your "rightnexthop="???
Where's "authby=" ???
Possibly other missing options....

> ...and that my ipsec.secrets should look like this:
> : RSA {
>
>             Modulus:                0xAC9ED09EFD9BB372E786...
>             PublicExponent:      0x010001
>             PrivateExponent:     0xA8C7B3F5F0C45F8637...
>             Prime1:                   0xDBB216C4EE5BE5E6E7...
>             Prime2:                   0xC92545EB78766E8D8C4...
>             Exponent1:             0x8F1A8CEC501AFA411330...
>             Exponent2:             0x9770A6A9D872625DD3E6...
>             Coefficient:             0x7A92B6B9707FC9704C575...
>           }
>
> Is there something wrong with my settings above?

Check an RSA key on a linux box..... I think you'll find a different format
than what you have posted. I doubt this format will work at all using a
key from a cert, but you have other missing required information in your
setup. "ipsec barf" will provide more information about the failure(s) to
connect. I would highly suggest getting this to work with PSK first and
make sure everything else works rather than attempting everything
first...... there are tons of errors that can be easy to make outside of
the authentication method.
-- 
~Lynn Avants
Linux Embedded Appliance Firewall developer
http://leaf.sourceforge.net
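The reply above flags parameters that the posted conn simply does not declare. As an added illustration (not code from the list or from LEAF), the script below parses an ipsec.conf-style text, merges `conn %default` into each conn the way FreeS/WAN does, and reports which of an assumed minimal set of subnet-to-subnet parameters are still absent; the sample config and addresses are constructed.

```python
# Parameters a FreeS/WAN subnet-to-subnet conn needs before Pluto can try
# to negotiate (assumed minimal set for this check, not an official list).
REQUIRED = ("left", "leftsubnet", "leftnexthop", "right", "rightsubnet",
            "rightnexthop", "authby")

def parse_ipsec_conf(text):
    """Return {section: {key: value}} for ipsec.conf-style text. Headers
    ('config setup', 'conn NAME') start in column 0; parameters are
    indented key=value lines; '#' comments and blank lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # new section header
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is not None:            # key=value inside a section
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def missing_params(sections):
    """Return {conn_name: [missing keys]} after merging 'conn %default'."""
    defaults = sections.get("conn %default", {})
    report = {}
    for name, params in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        effective = {**defaults, **params}   # conn values override %default
        missing = [k for k in REQUIRED if k not in effective]
        if missing:
            report[name[len("conn "):]] = missing
    return report

# Constructed sample modelled on the posted config (documentation addresses).
SAMPLE = """\
conn %default
        left=192.0.2.1
        leftsubnet=10.0.0.0/24
        leftnexthop=192.0.2.254
conn WIN2K
        authby=rsasig
        right=198.51.100.1
        rightsubnet=10.1.0.0/24
        auto=start
"""
if __name__ == "__main__":
    for conn, keys in missing_params(parse_ipsec_conf(SAMPLE)).items():
        print(f"conn {conn}: missing {', '.join(keys)}")  # WIN2K: rightnexthop
```

Running it against the real /etc/ipsec.conf before turning to RSA authentication catches the "missing option" class of failure the reply describes, separately from key-format problems.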


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html