Re: [strongSwan] INVALID_KEY_INFORMATION when connecting to Checkpoint VPN

2009-04-07 Thread Eugene Kotlyarov
Andreas Steffen wrote:
> If you are using the checkpoint certificate then it must contain
> the CheckPoint's IP address as a subjectAltName.

But there is no IP address. I converted my .p12 certificate to PEM format 
using openssl and it contains three parts:
Bag Attributes
 friendlyName: internal_ca
 localKeyID: E7 ...
subject=/O=cpmng..b3s9qc
issuer=/O=cpmng..b3s9qc
-----BEGIN CERTIFICATE-----

which I guess is Checkpoint's certificate

Bag Attributes
 friendlyName: CN=Ekot,OU=users,O=cpmng..b3s9qc
 localKeyID: A8 ...
subject=/O=cpmng..b3s9qc/OU=users/CN=EKot
issuer=/O=cpmng..b3s9qc
-----BEGIN CERTIFICATE-----


which is my certificate and my private key with the same header.

What should I do to use these certificates with strongSwan?



___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] INVALID_KEY_INFORMATION when connecting to Checkpoint VPN

2009-04-06 Thread Andreas Steffen
If you are using the checkpoint certificate then it must contain
the CheckPoint's IP address as a subjectAltName.

Regards

Andreas

Eugene Kotlyarov wrote:
> Hi
>
> Could someone tell me what's wrong with my setup?
> I have the following error
>
> 002 checkpoint-openswan #4: initiating Main Mode
> 104 checkpoint-openswan #4: STATE_MAIN_I1: initiate
> 106 checkpoint-openswan #4: STATE_MAIN_I2: sent MI2, expecting MR2
> 002 checkpoint-openswan #4: we have a cert and are sending it upon request
> 108 checkpoint-openswan #4: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 checkpoint-openswan #4: discarding duplicate packet; already STATE_MAIN_I3
> 002 checkpoint-openswan #4: Peer ID is ID_IPV4_ADDR: 'x.x.119.254'
> 002 checkpoint-openswan #4: crl not found
> 002 checkpoint-openswan #4: certificate status unknown
> 003 checkpoint-openswan #4: no RSA public key known for 'x.x.119.254'
> 217 checkpoint-openswan #4: STATE_MAIN_I3: INVALID_KEY_INFORMATION
> 002 checkpoint-openswan #4: sending encrypted notification INVALID_KEY_INFORMATION to x.x.119.254:500
>
> My configuration is
>
> conn checkpoint-openswan
>  type=tunnel
>  # Left side is Check Point
>  left=x.x.119.254
>  leftcert=checkpoint_ca_cert.pem
>  #tried setting these options also
>  #leftid=O=c..
>  #leftrsasigkey=%cert
>  #extracted with fswcert tool
>  leftrsasigkey=0x0103...
>  leftsubnet=10.45.0.111/32
>  leftsendcert=no
>  # Right side is OpenSwan
>  right=77.50.36.0
>  # As an alternative, the file itself can be specified
>  rightcert=checkpoint_cl_cert.pem
>  rightrsasigkey=%cert
>  authby=rsasig
>  auto=start
>  # Optional specify encryption/hash methods for phase 1 & 2
>  ike=3des-md5-modp1024
>  esp=aes-sha1
>  # Disable Perfect Forward Secrecy, if not working proper
>  pfs=no
>  # Optional enable compression (if working)
>  #compress=yes

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
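
The identity lookup behind the log in this thread, as an added example that is not part of the original messages or of strongSwan's code: a simplified model in which a certificate's key is usable only for the subject DN and the subjectAltName entries it carries, so a peer announcing ID_IPV4_ADDR finds no key unless that IP is a subjectAltName. The address 192.0.2.254 stands in for the redacted x.x.119.254; the function names and the dict layout describing a certificate are assumptions.

```python
import ipaddress
import re

PEER_ID = re.compile(r"Peer ID is (ID_\w+): '([^']*)'")
NO_KEY = re.compile(r"no RSA public key known for '([^']*)'")

# Constructed from the log in the thread; 192.0.2.254 replaces the redacted address.
LOG = [
    "002 checkpoint-openswan #4: Peer ID is ID_IPV4_ADDR: '192.0.2.254'",
    "002 checkpoint-openswan #4: crl not found",
    "003 checkpoint-openswan #4: no RSA public key known for '192.0.2.254'",
    "217 checkpoint-openswan #4: STATE_MAIN_I3: INVALID_KEY_INFORMATION",
]
# Certificate as described in the thread: subject DN only, no subjectAltName.
CERT_AS_POSTED = {"subject": "O=cpmng..b3s9qc", "san_ip": [], "san_dns": []}
# Hypothetical reissued certificate carrying the gateway IP as a subjectAltName.
CERT_WITH_SAN = {"subject": "O=cpmng..b3s9qc", "san_ip": ["192.0.2.254"], "san_dns": []}


def cert_identities(cert):
    """Identities a certificate can vouch for: subject DN plus each subjectAltName."""
    ids = {("ID_DER_ASN1_DN", cert["subject"])}
    ids |= {("ID_IPV4_ADDR", str(ipaddress.IPv4Address(ip))) for ip in cert["san_ip"]}
    ids |= {("ID_FQDN", name.lower()) for name in cert["san_dns"]}
    return ids


def diagnose(log_lines, cert):
    """Find the peer ID in the log and test whether the certificate covers it."""
    peer, key_missing = None, False
    for line in log_lines:
        m = PEER_ID.search(line)
        if m:
            peer = (m.group(1), m.group(2))
        m = NO_KEY.search(line)
        if m and peer and m.group(1) == peer[1]:
            key_missing = True  # the daemon looked up a key under the peer ID and failed
    if peer is None:
        raise ValueError("no 'Peer ID is' line in log")
    return {
        "peer_id": peer,
        "key_missing_in_log": key_missing,
        "cert_matches_id": peer in cert_identities(cert),
    }


if __name__ == "__main__":
    for name, cert in (("as posted", CERT_AS_POSTED), ("with IP SAN", CERT_WITH_SAN)):
        print(name, diagnose(LOG, cert))
```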