Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
Sucha Singh wrote:
> Hi Andreas,
>
> Reviewing the above settings I added the following line to the ipsec.conf:
>
> ike=3des-sha1-md5-modp1024
>
> I then get the following errors:
>
> 002 "test" #1: initiating Main Mode
> 003 "test" #1: no IKE algorithms for this connection (check ike algorithm string)
> 003 "test" #1: empty ISAKMP SA proposal to send (no algorithms for ike selection?)
>
> Was I right to add the above setting

That setting looks wrong to me. You probably want:

ike=3des-sha1-modp1024

or

ike=3des-md5-modp1024

or both

ike=3des-sha1-modp1024,3des-md5-modp1024

Dimitris Siganos

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Certificates in cacerts directory
ABULIUS, MUGUR (MUGUR) wrote:
>> If rightca is specified then we only request certificates issued by rightca.
>> Otherwise we send certificate requests for all CAs contained in
>> /etc/ipsec.d/cacerts/
>
> If "rightca=" is specified, then it is required that a certificate matching
> the specified DN to be present locally in "/etc/ipsec.d/cacerts/" ?
>

Yes, since RFC 4306 defines that the SHA-1 hash over the publicKeyInfo of the CA certificate is sent in the CERTREQ payload, we must look up the CA certificate based on the distinguished name and compute the hash.

> Best regards
> Mugur

Best regards

Andreas

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

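The CERTREQ value described in the reply above, as an added example that is not part of the original thread or of strongSwan's code: it pulls the subjectPublicKeyInfo element out of a DER-encoded CA certificate and takes the SHA-1 over that element, which is why the certificate itself has to be available locally. The helper names and the sample certificate (placeholder key and signature bytes) are constructed for illustration.

```python
import hashlib

def der(tag, body):
    """Encode one DER TLV (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    length = first
    if first & 0x80:                      # long form: next k bytes hold the length
        k = first & 0x7F
        length = int.from_bytes(buf[off:off + k], "big")
        off += k
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def spki_of(cert):
    """Return the raw DER subjectPublicKeyInfo element of an X.509 certificate."""
    _, start, _ = read_tlv(cert, 0)             # Certificate SEQUENCE
    _, off, tbs_end = read_tlv(cert, start)     # tbsCertificate SEQUENCE
    tag, _, nxt = read_tlv(cert, off)
    if tag == 0xA0:                             # optional [0] version (absent in v1)
        off = nxt
    for _ in range(5):   # skip serialNumber, signature, issuer, validity, subject
        _, _, off = read_tlv(cert, off)
    tag, _, end = read_tlv(cert, off)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert[off:end]                        # element including tag and length

def certreq_ca_hash(cert):
    """20-byte SHA-1 over the CA's subjectPublicKeyInfo, as carried in CERTREQ."""
    return hashlib.sha1(spki_of(cert)).digest()

# Constructed sample: structurally valid DER, placeholder key and signature bytes.
ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
NAME = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Example CA"))))
VALIDITY = der(0x30, der(0x17, b"250101000000Z") * 2)
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
                  + der(0x03, b"\x00" + bytes(range(200))))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + ALG + NAME + VALIDITY + NAME + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, TBS + ALG + der(0x03, b"\x00" + b"\xAA" * 32))

if __name__ == "__main__":
    print(certreq_ca_hash(SAMPLE_CERT).hex())
```
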
Re: [strongSwan] Certificates in cacerts directory
ABULIUS, MUGUR (MUGUR) wrote:
>> If rightca is specified then we only request certificates issued by rightca.
>> Otherwise we send certificate requests for all CAs contained in
>> /etc/ipsec.d/cacerts/
>
> If "rightca=" is specified, then it is required that a certificate matching
> the specified DN to be present locally in "/etc/ipsec.d/cacerts/" ?

I guess yes. I mean strongSwan has to read the certificate from somewhere. You could also create a ca section as described at http://wiki.strongswan.org/projects/strongswan/wiki/CaSection if you want to store the certificate in a non-default location.

-Daniel

Re: [strongSwan] Certificates in cacerts directory
> If rightca is specified then we only request certificates issued by rightca.
> Otherwise we send certificate requests for all CAs contained in
> /etc/ipsec.d/cacerts/

If "rightca=" is specified, then it is required that a certificate matching the specified DN to be present locally in "/etc/ipsec.d/cacerts/" ?

Best regards
Mugur