I also forgot to mention the hardware on the right is a Cisco ASA 5505.
Would it be possible to authenticate to the gateway if the left
side has the CA cert that signed the right's identity cert?
Thanks for the help!
Mark
-Original Message-
From: Andreas Steffen [mailto:andreas.
Got it, thanks a lot.
On Wed, Jun 30, 2010 at 5:08 PM, Martin Willi wrote:
>
> > ipsec pki --gen > caKey.der" on my device(PPC architecture), it takes
> > about 15mins to generate out the RSA private key
>
> In the default configuration, the key is generated with random data
> from /dev/random.
> ipsec pki --gen > caKey.der" on my device(PPC architecture), it takes
> about 15mins to generate out the RSA private key
In the default configuration, the key is generated with random data
from /dev/random. If your kernel does not have enough entropy, the read
blocks.
If you prefer to generate
Hi,
> but it's not, IDx' is actually IDType | RESERVED | IDData.
I see.
> Fixing this properly would probably need quite some changes
Yes, it indeed would. I don't know if this is really worth the effort
for this hypothetical test case. Especially as it is currently a MUST to
have them set to z
Hi Richard,
I found the reason for this failure. The only thing from the IKE_AUTH request
that affects the computation of the AUTH value is the ID, as in prf(Sk_px, IDx').
Now I somehow assumed IDx' is just the Identification Data of the IDx payload,
but it's not, IDx' is actually IDType | RESERV
strongSwan 4.3.6: I try "ipsec pki --gen > caKey.der" on my device (PPC
architecture), and it takes about 15 mins to generate the RSA private key,
while "openssl genrsa -out cakey.pem 2048" can generate the private key in 1
second. Does strongSwan support PKI certificate generation very well?