We have asked this same question on the openswan and strongswan mail lists but we wanted to also apprise the openca community of this issue and solicit their feedback.
We have been having problems connecting a roadwarrior running 2.6sec with racoon to a *swan device (CyberGuard SG570) using certificates issued by OpenCA sub CAs, even if they both use certificates from the same sub CA. In other words, our PKI has a root CA which has certified secondary CAs. The certs for the user and gateway were issued from these sub CAs.

The errors from the *swan side were not very descriptive -- just a statement that the certificate was invalid (my apologies, but I deleted the error messages before sending this e-mail). However, if the *swan side initiated, we got more descriptive errors on the 2.6sec side. It complained about not finding the CA certificate at depth(1). That gave us the clue about hierarchy. We reissued the certs from the root CA and all worked perfectly.

Has anyone else experienced this? Can anyone explain why it happens? Is it possible to use *swan with sub CAs?

Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[EMAIL PROTECTED]
If you would like to participate in the development of an open source enterprise class network security management system, please visit http://iscs.sourceforge.net

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
