Hello,

you only show the configuration files and the output of ipsec statusall but I need the log file in order to see why the connection doesn't come up.

Regards

Andreas

On 07/22/2010 01:47 PM, depinder singh deol wrote:
> ---------- Forwarded message ----------
> From: depinder singh deol <[email protected]>
> Date: Thu, 22 Jul 2010 17:13:28 +0530
> Subject: error in establishing an ikev1 session on pluto using certs and ocsp server .
> To: [email protected]
>
> hi team ,
>
> I'm trying to establish an IKEv1 session using the pluto daemon between two users, user1 and user2, using certs and an OCSP server for certificate revocation status verification.
>
> topology:
>
>          CA
>         /  \
>     user1   user2
>
> I have configured the CA and OCSP server on the user2 machine using these commands:
>
> private key of CA -- openssl genrsa -out cakey.pem 4096
> CA certificate -- openssl req -new -x509 -days 1826 -key cakey.pem -out cacert.pem
>
> openssl commands for generating the cert for user1 and getting it signed by the CA's private key (cakey.pem):
> generating private key for user1 -- openssl genrsa -out user1.key 4096
> generating cert request for user1 from CA -- openssl req -new -key user1.key -out user1cert.pem
> getting cert of user1 signed by CA using its private key -- openssl x509 -req -days 730 -in user1cert.pem -CA cacert.pem -CAkey cakey.pem -set_serial 01 -out user1cert.pem
>
> and similar commands for generating the user2 cert and key and getting it signed by the CA, setting -set_serial 02 in the above openssl commands.
> I have also made changes in the openssl.cnf file under the [usr_cert] section, namely:
> on user2 in /usr/local/ssl/openssl.cnf
> extendedKeyUsage=OCSPSigning
> authorityInfoAccess=OCSP;URI:http://127.0.0.1:3456
> on user1 in /etc/pki/tls/openssl.cnf
> the only change I have made in openssl.cnf is URI:http://10.76.91.60:3456
> the rest is the same as user2. The URI is user2's IP address, through which user1 is connected to user2.
>
> I have configured the OCSP server on the user2 machine, which I have configured to act as the CA, using this openssl command:
> starting the ocsp server: openssl ocsp -index index.txt -CA cacert.pem -port 3456 -rkey cakey.pem -rsigner cacert.pem
>
> My cacert is in /usr/local/etc/ipsec.d/cacerts and /usr/local/etc/ipsec.d/ocspcerts, the user1 and user2 certs are in ipsec.d/certs, and the user1 and user2 keys are in ipsec.d/private/.
> I have also made changes in the ipsec.secrets file:
> on user1:
> : RSA user1.key "passphrase"
> and similarly for user2 on the user2 machine.
>
> When I run ipsec.conf using the ipsec start command, which calls ipsec starter, which in turn starts pluto, and then ipsec up 59--60, which tells the pluto daemon to start the 59--60 <connection name>, and check the status of the IKEv1 session using the ipsec statusall cmd, it shows up an error:
>
> Status of IKEv1 pluto daemon (strongSwan 4.3.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 10.76.91.59:500
> 000 %myid = (none)
> 000 loaded plugins: aes des sha1 sha2 md5 random pubkey hmac gmp
> 000 debug options: raw+crypt+parsing+emitting+control+lifecycle+klips+dns+natt+oppo+controlmore
> 000 "59--60": 10.76.91.0/24===10.76.91.59[C=IN, ST=KA, L=BLR, O=CISCO, OU=STG-IOS, CN=USER1, [email protected]]...10.76.91.60[c=in, ST=KA, L=BLR, O=CISCO, OU=STG-IOS, CN=USER2, [email protected]]===10.76.91.0/24; unrouted; eroute owner: #0
> 000 "59--60":   CAs: 'C=IN, ST=KA, O=CISCO, OU=STG-IOS, CN=CA, [email protected]'...'C=IN, ST=KA, O=CISCO, OU=STG-IOS, CN=CA, [email protected]'
> 000 "59--60":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
> 000 "59--60":   policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
> 000 "59--60":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
>
> Please help me to resolve this error.
> Please find the user1 and user2 IPsec configuration files in the attachments.
>
> Regards
> Depinder

--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
