If you are using the checkpoint certificate then it must contain
the CheckPoint's IP address as a subjectAltName.

Regards

Andreas

Eugene Kotlyarov wrote:
> Hi
> 
> Could someone tell me what's wrong with my setup?
> I have the following error
> 
> 002 "checkpoint-openswan" #4: initiating Main Mode
> 104 "checkpoint-openswan" #4: STATE_MAIN_I1: initiate
> 106 "checkpoint-openswan" #4: STATE_MAIN_I2: sent MI2, expecting MR2
> 002 "checkpoint-openswan" #4: we have a cert and are sending it upon request
> 108 "checkpoint-openswan" #4: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "checkpoint-openswan" #4: discarding duplicate packet; already STATE_MAIN_I3
> 002 "checkpoint-openswan" #4: Peer ID is ID_IPV4_ADDR: 'x.x.119.254'
> 002 "checkpoint-openswan" #4: crl not found
> 002 "checkpoint-openswan" #4: certificate status unknown
> 003 "checkpoint-openswan" #4: no RSA public key known for 'x.x.119.254'
> 217 "checkpoint-openswan" #4: STATE_MAIN_I3: INVALID_KEY_INFORMATION
> 002 "checkpoint-openswan" #4: sending encrypted notification INVALID_KEY_INFORMATION to x.x.119.254:500
> 
> My configuration is
> 
> conn checkpoint-openswan
>          type=tunnel
>          # Left side is Check Point
>          left=x.x.119.254
>          leftcert=checkpoint_ca_cert.pem
>          #tried setting these options also
>          #leftid="O=c.."
>          #leftrsasigkey=%cert
>          #extracted with fswcert tool
>          leftrsasigkey=0x0103...
>          leftsubnet=10.45.0.111/32
>          leftsendcert=no
>          # Right side is OpenSwan
>          right=77.50.36.0
>          # As an alternative, the file itself can be specified
>          rightcert=checkpoint_cl_cert.pem
>          rightrsasigkey=%cert
>          authby=rsasig
>          auto=start
>          # Optional specify encryption/hash methods for phase 1 & 2
>          ike=3des-md5-modp1024
>          esp=aes-sha1
>          # Disable Perfect Forward Secrecy, if not working proper
>          pfs=no
>          # Optional enable compression (if working)
>          #compress=yes

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
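
The requirement in the reply can be checked before the certificate is loaded. This is an added example, not part of the original message: `cert_has_ip_san` uses `openssl x509 -checkip`, and `make_test_cert`, the file names and the address 192.0.2.254 are constructed placeholders.

```shell
#!/bin/sh
# Added example: does a peer certificate carry the peer's IP address as an
# iPAddress subjectAltName? File names and 192.0.2.254 are placeholders.

# Return 0 only if certificate $1 has an iPAddress SAN equal to $2.
# "openssl x509 -checkip" compares against SAN entries, not the subject CN.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Build a throwaway self-signed certificate (constructed test data).
# $1 = output file, $2 = optional SAN value, e.g. "IP:192.0.2.254"
make_test_cert() {
    workdir=$(mktemp -d) || return 1
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n'
        printf '[dn]\nO=Example\nCN=gateway.example\n'
        printf '[ext]\nbasicConstraints=CA:FALSE\n'
        if [ -n "$2" ]; then printf 'subjectAltName=%s\n' "$2"; fi
    } > "$workdir/req.cnf"
    status=0
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$workdir/req.cnf" -keyout "$workdir/key.pem" \
        -out "$1" 2>/dev/null || status=$?
    rm -rf "$workdir"
    return "$status"
}

# Usage: sh check_ip_san.sh <peer-cert.pem> <peer-ip>
if [ "$#" -eq 2 ]; then
    if cert_has_ip_san "$1" "$2"; then
        echo "OK: $1 lists $2 as a subjectAltName"
    else
        echo "MISSING: $1 has no subjectAltName for $2"
        exit 1
    fi
fi
```

A certificate that only names the gateway in its subject DN or as a DNS subjectAltName fails this check, which matches the case where the peer identifies itself as ID_IPV4_ADDR.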