On Wed, 17 Dec 2014, Phil Daws wrote:
Made the changes but still it fails to connect after stage 2 and hitting the
message:
"fwl01-aaa" #1: no suitable connection for peer
Now you might be down to cryptographic configuration. Check the subnets=
and authby= and type= and ike=/esp= settings to see if they match the
other end.
A more detailed log might reveal more.
Paul
followed by the certificate subject details. On both left and right sides I
have the certificates and keys within
the NSS as I issued them.
certutil -L -d /etc/ipsec.d/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
fwl01-aaa u,u,u
MY CA T,c,c
fwl01-bbb u,u,u
Any thoughts on what I may still be doing wrong, please? Thank you.
----- Original Message -----
From: "Paul Wouters" <[email protected]>
To: "Phil Daws" <[email protected]>
Cc: [email protected]
Sent: Tuesday, 16 December, 2014 9:19:41 PM
Subject: Re: [Swan] Unknown RSA Key
On Tue, 16 Dec 2014, Phil Daws wrote:
> I am new to libreswan and attempting to set up an IPSEC tunnel between two
> subnets. The issue I am facing is that
> when I bring up the connection I see:
>
> "network1" #28: no RSA public key known for 'CN=fwl01.bbb'
>
> yet if I check the NSS database the certificate is there and the CN is
> correct. This is how my connection
> looks:
>
> conn network1
> leftid="CN=fwl01.aaa"
> leftrsasigkey=%cert
> leftcert="fwl01-aaa"
> rightid="CN=fwl01.bbb"
That's most likely wrong. Unless you set the "friendly_name" on the
PKCS#12 import to "CN=fwl01.bbb" instead of "CN=fwl01.bbb".
I assume you are left, and only have the left certificate and its CA in
your NSS. You would write:
leftid=%fromcert
leftcert=fwl01-aaa
leftrsasigkey=%cert
#rightid does not need to be specified
rightrsasigkey=%cert
# optionally:
leftsendcert=always
See also:
https://libreswan.org/wiki/Using_NSS_with_libreswan
https://libreswan.org/wiki/Migrating_from_Openswan
Paul
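As an added check (not part of this thread or of libreswan itself), the script below parses a conn block and the output of `certutil -L -d /etc/ipsec.d/` and reports the two mismatches Paul points at: a leftcert/rightcert value that is not an NSS nickname, and an explicitly typed id on a side with no rightcert/rightrsasigkey to back it. The sample conn and certutil listing are constructed from the messages above; the helper names are my own.

```python
"""Check a libreswan conn block against the NSS certificate listing."""
import re

# Constructed sample input: the conn from the thread and a certutil -L listing.
IPSEC_CONF = """\
conn network1
    leftid="CN=fwl01.aaa"
    leftrsasigkey=%cert
    leftcert="fwl01-aaa"
    rightid="CN=fwl01.bbb"
"""
CERTUTIL_OUTPUT = """\
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI
fwl01-aaa                                   u,u,u
MY CA                                       T,c,c
fwl01-bbb                                   u,u,u
"""

def parse_conn(text):
    """{option: value} from the indented key=value lines, quotes stripped."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r'\s+(\w+)\s*=\s*"?([^"]*?)"?\s*$', line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def parse_certutil(text):
    """{nickname: trust flags} from `certutil -L -d <dir>` output."""
    certs = {}
    for line in text.splitlines():
        m = re.match(r'(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$', line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs

def check(conf, certs):
    """Findings matching the two problems raised in the thread."""
    findings = []
    for side in ("left", "right"):
        cert, key, ident = (conf.get(side + k) for k in ("cert", "rsasigkey", "id"))
        if cert and cert not in certs:  # leftcert is the NSS nickname, not a DN
            findings.append(f"{side}cert={cert!r} is not a nickname in the NSS db")
        if ident and not cert and not key:  # explicit id, no key source
            findings.append(f"{side}id={ident!r} has no key source; set {side}rsasigkey=%cert")
        if cert and ident and ident != "%fromcert":  # hand-typed id can drift from the cert
            findings.append(f"{side}id=%fromcert would take the id from the certificate subject")
    return findings
```

Running `check(parse_conn(IPSEC_CONF), parse_certutil(CERTUTIL_OUTPUT))` on the sample reports the missing rightrsasigkey and suggests leftid=%fromcert; the corrected conn from Paul's reply produces no findings.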
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan