Hi,

thanks to Mitja and you for answering.

On Sat, 07.03.2009 at 19:28:09 +0100, Heinrich Rebehn 
<reb...@ant.uni-bremen.de> wrote:
> Am 06.03.2009 um 22:56 schrieb Toni Mueller:
>> 223644.842092 Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//u...@road-warrior/credentials"
>> 223644.842516 Default get_raw_key_from_file: monitor_fopen ("/etc/isakmpd/pubkeys//ufqdn/u...@road-warrior", "r") failed: Permission denied
>
> ?? Permission denied? Could this be the problem?

No, it couldn't. These files don't exist.

I was able to find my own errors so far, so now the correct
certificate gets used. This is what I have, and had, for several years
now. The problem was a missing semicolon in isakmpd.policy.

I still get "no policy" errors while in state "INFO encrypted", which
are imho hard to debug. If anyone has tips to share, I'd be very
grateful.

What I want to achieve (from my isakmpd.policy):

Conditions: app_domain == "IPsec policy"
        && esp_present == "yes"
        && esp_enc_alg == "aes"
        && phase_1 == "main"
        && phase1_group_desc == "5"
        && esp_encapsulation == "tunnel"
        && ah_present == "no"
        && esp_auth_alg == "hmac-sha2-512"
        && esp_key_length == "256"
        && pfs == "yes"
        && some-checks-on-the-remote-ids -> "true";

But I don't know if Linux supports them all. OpenBSD <-> OpenBSD worked
just fine...


Kind regards,
--Toni++
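As an added example (not from this thread, and not isakmpd or libkeynote code), the following small Python evaluator takes the Conditions clause quoted above and reports which attribute comparisons fail against a constructed set of proposal attributes, which is the kind of check that helps narrow down a "no policy" error. The elided remote-id checks are left out, and the Linux peer's attribute values are assumptions for illustration.

```python
"""Evaluate the isakmpd.policy Conditions clause from the mail against a
set of proposal attributes and report which comparisons fail.  Constructed
example, not isakmpd/KeyNote code; the elided remote-id checks are omitted."""
import re

# The Conditions clause from the mail, minus the elided remote-id checks.
POLICY_CONDITIONS = '''
app_domain == "IPsec policy"
        && esp_present == "yes"
        && esp_enc_alg == "aes"
        && phase_1 == "main"
        && phase1_group_desc == "5"
        && esp_encapsulation == "tunnel"
        && ah_present == "no"
        && esp_auth_alg == "hmac-sha2-512"
        && esp_key_length == "256"
        && pfs == "yes"
'''

_COMPARISON = re.compile(r'^\s*(\w+)\s*==\s*"([^"]*)"\s*$')

def parse_conditions(text):
    """Split a conjunction of attr == "value" terms into (attr, value) pairs."""
    terms = []
    for term in text.strip().split("&&"):
        m = _COMPARISON.match(term)
        if not m:
            raise ValueError("unsupported term: %r" % term.strip())
        terms.append((m.group(1), m.group(2)))
    return terms

def failing_conditions(conditions, attributes):
    """Return (attr, expected, actual) for every term that does not match.
    KeyNote evaluates an attribute the proposal never set as the empty
    string, so a missing attribute is reported with actual == ''."""
    failures = []
    for attr, expected in conditions:
        actual = attributes.get(attr, "")
        if actual != expected:
            failures.append((attr, expected, actual))
    return failures

# Constructed attribute set (assumption): a Linux peer that proposes SHA-1 ESP
# authentication and a 128-bit key instead of what the policy demands.
LINUX_PEER = {
    "app_domain": "IPsec policy", "esp_present": "yes", "esp_enc_alg": "aes",
    "phase_1": "main", "phase1_group_desc": "5", "esp_encapsulation": "tunnel",
    "ah_present": "no", "esp_auth_alg": "hmac-sha", "esp_key_length": "128",
    "pfs": "yes",
}

if __name__ == "__main__":
    for attr, want, got in failing_conditions(parse_conditions(POLICY_CONDITIONS), LINUX_PEER):
        print("%s: policy wants %r, proposal has %r" % (attr, want, got))
```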
