If you are using the checkpoint certificate then it must contain
the CheckPoint's IP address as a subjectAltName.
Regards
Andreas
Eugene Kotlyarov wrote:
Hi
Could someone tell me what's wrong with my setup?
I have the following error
002 checkpoint-openswan #4: initiating Main Mode
104 checkpoint-openswan #4: STATE_MAIN_I1: initiate
106 checkpoint-openswan #4: STATE_MAIN_I2: sent MI2, expecting MR2
002 checkpoint-openswan #4: we have a cert and are sending it upon request
108 checkpoint-openswan #4: STATE_MAIN_I3: sent MI3, expecting MR3
003 checkpoint-openswan #4: discarding duplicate packet; already STATE_MAIN_I3
002 checkpoint-openswan #4: Peer ID is ID_IPV4_ADDR: 'x.x.119.254'
002 checkpoint-openswan #4: crl not found
002 checkpoint-openswan #4: certificate status unknown
003 checkpoint-openswan #4: no RSA public key known for 'x.x.119.254'
217 checkpoint-openswan #4: STATE_MAIN_I3: INVALID_KEY_INFORMATION
002 checkpoint-openswan #4: sending encrypted notification INVALID_KEY_INFORMATION to x.x.119.254:500
My configuration is
conn checkpoint-openswan
    type=tunnel
    # Left side is Check Point
    left=x.x.119.254
    leftcert=checkpoint_ca_cert.pem
    # tried setting these options also
    #leftid=O=c..
    #leftrsasigkey=%cert
    # extracted with fswcert tool
    leftrsasigkey=0x0103...
    leftsubnet=10.45.0.111/32
    leftsendcert=no
    # Right side is OpenSwan
    right=77.50.36.0
    # As an alternative, the file itself can be specified
    rightcert=checkpoint_cl_cert.pem
    rightrsasigkey=%cert
    authby=rsasig
    auto=start
    # Optional specify encryption/hash methods for phase 1 2
    ike=3des-md5-modp1024
    esp=aes-sha1
    # Disable Perfect Forward Secrecy, if not working proper
    pfs=no
    # Optional enable compression (if working)
    #compress=yes
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
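
Added example (not part of the original thread and not strongSwan or Openswan code): a shell check for the condition named in the reply above, that the Check Point certificate carries the peer's IP address as a subjectAltName. It assumes OpenSSL 1.1.1 or later; the helper names, the throwaway certificates and the address 192.0.2.254, which stands in for the redacted x.x.119.254, are constructed for illustration.

```sh
#!/bin/sh
# Added example: does a peer certificate carry a given IP as subjectAltName?
# Assumes OpenSSL 1.1.1+ on PATH. Helper names are illustrative.

# cert_has_ip_san CERT IP: succeeds only if CERT has IP as an iPAddress SAN.
# -checkip looks at SAN entries only; an IP in the subject CN does not count.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# make_test_cert OUT [SAN]: throwaway self-signed cert (constructed input).
make_test_cert() {
    mtc_dir=$(dirname "$1")
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/O=example/CN=gateway' -keyout "$mtc_dir/key.pem" \
            -out "$1" -addext "subjectAltName=$2" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/O=example/CN=gateway' -keyout "$mtc_dir/key.pem" \
            -out "$1" 2>/dev/null
    fi
}

# Demo: 192.0.2.254 stands in for the redacted peer ID x.x.119.254.
peer_id=192.0.2.254
tmp=$(mktemp -d)
make_test_cert "$tmp/no_san.pem"
make_test_cert "$tmp/ip_san.pem" "IP:$peer_id"
for cert in "$tmp/no_san.pem" "$tmp/ip_san.pem"; do
    if cert_has_ip_san "$cert" "$peer_id"; then
        echo "$cert: ID_IPV4_ADDR $peer_id matches a subjectAltName"
    else
        echo "$cert: no IP subjectAltName for $peer_id, ID will not match"
    fi
done
rm -rf "$tmp"
```

Run against the real gateway certificate, `cert_has_ip_san checkpoint_ca_cert.pem <peer address>` answers the question directly, where the address is the one the log reports after `Peer ID is ID_IPV4_ADDR`.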