Thank you all for all your help. My hunch is that the failure relates to subjectAltName. I'll be taking all comments into account and update you as soon as I have something working.

Thank you all,
Noam Singer

On Tue, Feb 2, 2016 at 9:07 AM, Tuomo Soini <[email protected]> wrote:
> On Mon, 1 Feb 2016 15:02:41 +0200
> Noam Singer <[email protected]> wrote:
>
> > Hello
> >
> > I am trying to set an IPSec connection with certificates (same CA for
> > both certs), but my connection does not pass the STATE_MAIN_I3 state.
> >
> > Is there a way to better troubleshoot the PKI failures?
> > Am I doing something wrong?
> >
> > I would appreciate any help.
> >
> > Thanks in advance
> >
> > I have set up the following configuration
> >
> > Using LibreSwan 3.15
>
> Libreswan - No capital letters in word.
>
> > /etc/ipsec.secrets:
> > -------------------
> > 54.194.188.148 54.194.210.197 : RSA globalCertificate
>
> This line is not needed or used with certificates, remove it to get rid
> of warning about unused config option.
>
> > /etc/ipsec.conf:
> > ----------------
> > config setup
> > plutodebug = all
>
> plutodebug=none is only sensible option. Do this first to get readable
> and understandable logs. Those are debug options, enable those only if
> somebody here requests you to enable debugging options.
>
> Also note: "plutodebug = all" is not correct line. Spaces are not
> allowed on random places in config file.
>
> > include /etc/ipsec.d/*.conf
> >
> > /etc/ipsec.d/connST603.conf:
> > ----------------------------
>
> Config format issue here too. No " = ".
>
> > conn connST603
> > authby = rsasig
> > auto = start
> > dpdaction = restart
> > dpddelay = 30
> > dpdtimeout = 120
> > esp = aes128-sha1
>
> With libreswan, option name is phase2alg=
>
> phase2alg=aes128-sha1
>
> > forceencaps = yes
>
> You don't want forceencaps=yes without very very good reason like
> broken firewall rule blocking ESP (IP proto 50) traffic.
>
> > ike = aes128-sha1
>
> Same about diffie-hellman group belongs to here.
>
> > ikelifetime = 86400s
> > left = %defaultroute
> > leftcert = globalCertificate
> > leftid = 54.194.188.148
> > leftrsasigkey = %cert
> > leftsubnets = 172.24.128.0/24
>
> Here is one subnet only. Do not use leftsubnets, use leftsubnet=
>
> > lifetime = 28800s
>
> Unrecognized option, lifetime. We have ikelifetime= for phase1
>
> > pfs = no
> > right = 54.194.210.197
> > rightid = 54.194.210.197
>
> This rightid only works if remote certificate has IP type subjectAltName
> in their certificate. I'm quite sure they don't have anything like that
> there. Usually rightid=%fromcert works if remote end offers certificate
> subject as ID. So use rightid=%fromcert and leftid=%fromcert. And if
> certificates are from same ca, I'd use rightca=%same for added security.
>
> > rightsubnets = 172.24.131.0/24
>
> Again, rightsubnet= because you only have one subnet listed.
>
> Below I can see from your cert there is no subjectAltName= specified so
> your only possible ID type is ID_DER_ASN1_DN also known as certificate
> subject.
>
> > type = tunnel
> >
> > ** I also tried using leftid="CN=...", but got similar results
> > The certificates look fine to me
> >
> > The signed certificate:
> > -----------------------
>
> --
> Tuomo Soini <[email protected]>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <http://foobar.fi/>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
>
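As an added example that is not part of the thread or of the Libreswan project, the following small Python linter encodes the checks from Tuomo's reply (spaces around "=", plutodebug left on, esp= where the reply asks for phase2alg=, forceencaps=yes, leftsubnets/rightsubnets with a single subnet, the unrecognized lifetime= option, and a bare-IP leftid/rightid when the certificate carries no IP subjectAltName) and runs them over the posted configuration. The `cert_has_ip_san` flag, the function names and the embedded sample are assumptions of this example.

```python
from ipaddress import ip_address

# Constructed sample: the ipsec.conf fragment from the original post, with the
# formatting and option problems the reply points out.
SAMPLE_CONF = """\
config setup
    plutodebug = all
conn connST603
    authby = rsasig
    esp = aes128-sha1
    forceencaps = yes
    ike = aes128-sha1
    leftsubnets = 172.24.128.0/24
    lifetime = 28800s
    rightid = 54.194.210.197
    rightsubnets = 172.24.131.0/24
"""

def _is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False

def lint_ipsec_conf(text, cert_has_ip_san=False):
    """Return findings for the pitfalls discussed in the thread. cert_has_ip_san
    (an assumption of this example) says whether the peer cert has an IP SAN."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if " =" in line or "= " in line:
            findings.append(f"{lineno}: spaces around '=' are not valid: {line!r}")
        key, _, value = (p.strip() for p in line.partition("="))
        if key == "plutodebug" and value != "none":
            findings.append(f"{lineno}: use plutodebug=none unless debugging was asked for")
        elif key == "esp":
            findings.append(f"{lineno}: esp=; the reply's advice is to use phase2alg=")
        elif key == "forceencaps" and value == "yes":
            findings.append(f"{lineno}: forceencaps=yes only if ESP (IP proto 50) is blocked")
        elif key in ("leftsubnets", "rightsubnets") and "," not in value:
            findings.append(f"{lineno}: {key}= lists one subnet; use {key[:-1]}=")
        elif key == "lifetime":
            findings.append(f"{lineno}: unrecognized 'lifetime'; phase 1 uses ikelifetime=")
        elif key in ("leftid", "rightid") and _is_ip(value) and not cert_has_ip_san:
            findings.append(f"{lineno}: {key}={value} needs an IP subjectAltName; use {key}=%fromcert and rightca=%same")
    return findings
```

Running `lint_ipsec_conf(SAMPLE_CONF)` reports every option line twice for the spacing plus one finding per option the reply objected to; a cleaned-up connection using `rightid=%fromcert` and `leftsubnet=` comes back empty.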
