Hello Gary, it is not good practice to load the peer certificate (i.e. rightcert) locally. Better copy the CA certificate which signed the peer certificate and issued all other certificates into the /etc/ipsec.d/cacerts/ directory so that trust can be established.
Regards

Andreas

On 02/24/2011 08:04 PM, Gary Smith wrote:
>> The error message
>>
>> : 15[IKE] received AUTHENTICATION_FAILED notify error
>>
>> means that the authentication failed on the remote side.
>> Please check the logs of the peer.
>>
>> Andreas
>
> Andreas,
>
> I've sorted a few things on this end. It appears that TinyCA was putting the
> email address as the altName by default so there was no match. Anyway, that
> issue has been fixed.
>
> I received an error on connect this time saying that it couldn't validate
> each other's cert so I copied the left cert to the right machine, and vice
> versa and tweaked the .conf file to look like this:
>
> conn fre-lin
>     left=x.x.x.x
>     leftcert=left-cert.pem
>     leftid=@left
>     leftsubnet=leftlocal/21
>     leftfirewall=yes
>     right=y.y.y.y
>     rightcert=right-cert.pem
>     rightid=@right
>     rightsubnet=rightlocal/21
>     auto=add
>
> Is this the correct way to handle the problem of finding the correct cert for
> the right (by explicitly adding it to the connection)?
>
> I can ping both sides of the tunnel now (that is the local vpn internal IP)
> so I guess it's working.
>
> Gary Smith

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
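An added example, not from either message in the thread, of the layout Andreas recommends: each gateway holds only its own certificate and key, the CA certificate that issued both end-entity certificates sits in /etc/ipsec.d/cacerts/, and the peer's certificate is validated against that CA when it arrives in IKE_AUTH instead of being copied across. Addresses, subnets, file names and the CA DN are placeholders.

```ini
# /etc/ipsec.conf on the "left" gateway (added example; placeholders throughout)
#
# Files on THIS gateway:
#   /etc/ipsec.d/cacerts/ca-cert.pem   the CA that signed both end-entity certs;
#                                      every certificate in this directory is a trust anchor
#   /etc/ipsec.d/certs/left-cert.pem   this host's own certificate only
#   /etc/ipsec.d/private/left-key.pem  this host's private key
#
# /etc/ipsec.secrets on this gateway:
#   : RSA left-key.pem
#
# The peer's certificate is NOT installed here. The peer sends it during IKE_AUTH
# and it is accepted only if it chains to a CA in cacerts/ and contains rightid
# as a subjectAltName (a mismatched altName, as with the TinyCA default of an
# e-mail address, is what produced the AUTHENTICATION_FAILED notify).

conn fre-lin
    left=x.x.x.x
    # relative path resolves under /etc/ipsec.d/certs/
    leftcert=left-cert.pem
    # must appear as a DNS subjectAltName in left-cert.pem
    leftid=@left
    leftsubnet=leftlocal/21
    leftfirewall=yes
    right=y.y.y.y
    # no rightcert= line: trust in the peer comes from the CA in cacerts/
    # must appear as a DNS subjectAltName in the certificate the peer presents
    rightid=@right
    # optional pin: only accept peer certificates issued by this CA (placeholder DN)
    rightca="C=CH, O=Example Org, CN=Example VPN CA"
    rightsubnet=rightlocal/21
    auto=add
```

The "right" gateway mirrors this with its own leftcert/leftid and the same CA certificate in its cacerts/ directory; if the CA is ever replaced, only that one file changes on each side.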
