If you are using the checkpoint certificate then it must contain the CheckPoint's IP address as a subjectAltName.
Regards

Andreas

Eugene Kotlyarov wrote:
> Hi
>
> Could someone tell me what's wrong with my setup?
> I have the following error
>
> 002 "checkpoint-openswan" #4: initiating Main Mode
> 104 "checkpoint-openswan" #4: STATE_MAIN_I1: initiate
> 106 "checkpoint-openswan" #4: STATE_MAIN_I2: sent MI2, expecting MR2
> 002 "checkpoint-openswan" #4: we have a cert and are sending it upon request
> 108 "checkpoint-openswan" #4: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "checkpoint-openswan" #4: discarding duplicate packet; already STATE_MAIN_I3
> 002 "checkpoint-openswan" #4: Peer ID is ID_IPV4_ADDR: 'x.x.119.254'
> 002 "checkpoint-openswan" #4: crl not found
> 002 "checkpoint-openswan" #4: certificate status unknown
> 003 "checkpoint-openswan" #4: no RSA public key known for 'x.x.119.254'
> 217 "checkpoint-openswan" #4: STATE_MAIN_I3: INVALID_KEY_INFORMATION
> 002 "checkpoint-openswan" #4: sending encrypted notification INVALID_KEY_INFORMATION to x.x.119.254:500
>
> My configuration is
>
> conn checkpoint-openswan
>     type=tunnel
>     # Left side is Check Point
>     left=x.x.119.254
>     leftcert=checkpoint_ca_cert.pem
>     #tried setting these options also
>     #leftid="O=c.."
>     #leftrsasigkey=%cert
>     #extracted with fswcert tool
>     leftrsasigkey=0x0103...
>     leftsubnet=10.45.0.111/32
>     leftsendcert=no
>     # Right side is OpenSwan
>     right=77.50.36.0
>     # As an alternative, the file itself can be specified
>     rightcert=checkpoint_cl_cert.pem
>     rightrsasigkey=%cert
>     authby=rsasig
>     auto=start
>     # Optional specify encryption/hash methods for phase 1 & 2
>     ike=3des-md5-modp1024
>     esp=aes-sha1
>     # Disable Perfect Forward Secrecy, if not working proper
>     pfs=no
>     # Optional enable compression (if working)
>     #compress=yes

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
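Added example, not part of the original thread or of either project's code: a small log check that pairs the "Peer ID is ..." line with the later "no RSA public key known for ..." line of the same negotiation and reports which certificate field has to match the ID. The function name `diagnose` and the table rows other than ID_IPV4_ADDR are assumptions of this example; they extend the reply's IP-address case to the other common IKE ID types.

```python
import re

# Log lines copied from the quoted message (addresses already redacted there).
SAMPLE_LOG = '''\
002 "checkpoint-openswan" #4: Peer ID is ID_IPV4_ADDR: 'x.x.119.254'
002 "checkpoint-openswan" #4: crl not found
003 "checkpoint-openswan" #4: no RSA public key known for 'x.x.119.254'
217 "checkpoint-openswan" #4: STATE_MAIN_I3: INVALID_KEY_INFORMATION
'''

# Certificate field that must equal the peer ID. Only the ID_IPV4_ADDR row is
# stated in the thread; the other rows are this example's generalization.
REQUIRED_FIELD = {
    "ID_IPV4_ADDR": "subjectAltName IP address",
    "ID_FQDN": "subjectAltName DNS name",
    "ID_USER_FQDN": "subjectAltName e-mail address",
    "ID_DER_ASN1_DN": "subject distinguished name",
}

LINE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<inst>\d+): (?P<msg>.*)$')
PEER_ID = re.compile(r"Peer ID is (?P<type>ID_\w+): '(?P<value>[^']*)'")
NO_KEY = re.compile(r"no RSA public key known for '(?P<value>[^']*)'")

def diagnose(log_text):
    """Return one finding per negotiation whose peer ID had no matching key."""
    peer_ids = {}  # (connection name, instance number) -> (id_type, id_value)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key = (m["conn"], m["inst"])
        pid = PEER_ID.search(m["msg"])
        if pid:
            peer_ids[key] = (pid["type"], pid["value"])
            continue
        nk = NO_KEY.search(m["msg"])
        if nk and key in peer_ids and peer_ids[key][1] == nk["value"]:
            id_type, value = peer_ids[key]
            need = REQUIRED_FIELD.get(id_type, "a field matching this ID type")
            findings.append({
                "conn": key[0], "instance": int(key[1]),
                "id_type": id_type, "id_value": value,
                "cert_needs": f"{need} equal to {value}",
            })
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f'{f["conn"]} #{f["instance"]}: {f["id_type"]} -> {f["cert_needs"]}')
```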