
List:       strongswan-users
Subject:    [strongSwan] strongswan and Netscreen - Any help appreciated
From:       andreas.steffen () strongswan ! org (Andreas Steffen)
Date:       2006-06-22 20:51:52
Message-ID: 449AE6AC.4040401 () strongswan ! org

Have you defined

  rightid=XXX.YYY.ZZZ.aaa ?

where right is the peer side.

Andreas

Ernst Lehmann wrote:
> Andreas Steffen wrote:
>> Hi Ernst,
> 
> Hi Andreas,
> 
> thanks for the quick response.
> 
>>   rightid="XXX.YYY.ZZZ.aaa"
>>
>> is not accepted because this ID_IPV4_ADDR is
>> not contained as a subjectAltName in the certificate
>>
>>   rightcert=fw1.testcert.de-cert.pem
>>
>> This leads to the error
>>
>>> Jun 21 12:44:14 sulaco pluto[26572]:
>>   no subjectAltName matches ID 'XXX.YYY.ZZZ.aaa', replaced by subject DN
>>
>> i.e. the actual ID becomes
>>
>> 'ST=Testland, L=Teststadt, O=TESTing, OU=Testing,
>>  CN=XXX.YYY.ZZZ.aaa, CN=0097042006000012, CN=rsa-key,
>>  CN=netscreen.test.net, CN=netscreen.test.net'
>>
>> The netscreen peer sends its ID_IPV4_ADDR
> 
> So I generated a certificate with subjectAltName IP, but now I get:
> 
> Jun 22 12:47:02 sulaco pluto[28906]: "central-netscreen" #87: Peer ID is
> ID_IPV4_ADDR: 'XXX.YYY.ZZZ.aaa'
> Jun 22 12:47:02 sulaco pluto[28906]: "central-netscreen" #87: we require
> peer to have ID 'ST=Testland, L=Teststadt, O=TESTing, OU=Testing,
> CN=XXX.YYY.ZZZ.aaa, CN=0097042006000012, CN=rsa-key,
> CN=netscreen.test.net, CN=netscreen.test.net', but peer declares
> 'XXX.YYY.ZZZ.aaa'
> Jun 22 12:47:02 sulaco pluto[28906]: "central-netscreen" #87: sending
> encrypted notification INVALID_ID_INFORMATION to XXX.YYY.ZZZ.aaa:500
> 
> What now?
> 
> Thanks in advance.
> 
> 
>>> Jun 21 12:44:20 sulaco pluto[26572]: "central-netscreen" #167:
>>   Peer ID is ID_IPV4_ADDR: 'XXX.YYY.ZZZ.aaa'
>>
>> but because it is not contained in the certificate there
>> will be no trustworthy public key for it.
>>
>> Workaround:
>>
>> Create a new certificate for the netscreen host containing
>> the IP address as a subjectAltName. If you are using openssl
>> then include
>>
>>   subjectAltName=IP:XXX.YYY.ZZZ.aaa
>>
>> in openssl.cnf before the openssl ca .. signing operation.
>>
>> Regards
>>
>> Andreas
>>
> 
> [....]


-- 
======================================================================
Andreas Steffen                         andreas.steffen@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute of Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
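The exchange above comes down to two checks: the certificate the peer authenticates with must carry the peer's IKE ID as a subjectAltName (otherwise pluto silently falls back to the subject DN and the Netscreen's ID_IPV4_ADDR no longer matches), and rightid must name that same ID. The POSIX shell script below is an added example, not code from this thread or from strongSwan: it builds a throwaway CA, issues one certificate with `subjectAltName=IP:<addr>` (the same line the thread says to put in openssl.cnf before signing) and one without any SAN, and then runs the check pluto performs, i.e. whether the configured IP is really among the certificate's SAN entries. Assumptions not taken from the page: the openssl command-line tool is on PATH, the documentation address 192.0.2.10 stands in for the masked XXX.YYY.ZZZ.aaa, and everything is written to a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original thread or from strongSwan.
# Reproduces the fix described in the thread: issue the Netscreen peer a
# certificate whose subjectAltName carries its IPv4 address, then verify
# that the address really is in the SAN before pointing rightid at it.
#
# Assumptions (not from the page): the openssl CLI is on PATH; 192.0.2.10
# (a documentation-range address) stands in for the masked XXX.YYY.ZZZ.aaa;
# a throwaway CA is created in a temp dir so the script runs offline.
set -eu

PEER_IP="${PEER_IP:-192.0.2.10}"   # the ID_IPV4_ADDR the Netscreen declares
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA: just enough to sign the peer's request.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=TESTing/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Sign a peer certificate. With a second argument the certificate gets
# "subjectAltName=IP:<addr>" (the line the thread says to add to openssl.cnf
# before "openssl ca"); without one it gets no SAN at all, like the original
# Netscreen certificate in the thread.
make_peer_cert() {
  out="$1"; ip="${2:-}"
  base="${out%.pem}"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=TESTing/CN=netscreen.test.net" \
    -keyout "$base.key" -out "$base.csr" >/dev/null 2>&1
  if [ -n "$ip" ]; then
    printf 'subjectAltName=IP:%s\n' "$ip" > "$base.ext"
  else
    printf 'basicConstraints=CA:FALSE\n' > "$base.ext"   # an extension, but no SAN
  fi
  openssl x509 -req -in "$base.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$base.ext" -out "$out" >/dev/null 2>&1
}

# The check pluto applies to rightid=<ip>: is that address one of the
# certificate's subjectAltName entries? Exit 0 if so, 1 otherwise.
# (openssl prints SAN entries as "IP Address:a.b.c.d", comma separated.)
san_has_ip() {
  cert="$1"; ip="$2"
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "IP Address:$ip"
}

demo() {
  make_ca
  make_peer_cert "$WORK/good.pem"  "$PEER_IP"   # the re-issued certificate
  make_peer_cert "$WORK/nosan.pem"              # the original one, no SAN
  for c in good nosan; do
    if san_has_ip "$WORK/$c.pem" "$PEER_IP"; then
      echo "$c.pem: $PEER_IP is a subjectAltName; rightid=$PEER_IP matches the peer's ID_IPV4_ADDR"
    else
      echo "$c.pem: no subjectAltName matches $PEER_IP; pluto would fall back to the subject DN"
    fi
  done
}

# Run the demonstration only where openssl is available.
if command -v openssl >/dev/null 2>&1; then demo; fi
```

Run it and the SAN-less certificate reproduces the first log line in the thread (no subjectAltName matches the ID, so the expected ID becomes the DN), while the re-issued one passes. Once the SAN is in place, the remaining step is the one Andreas asks about: set `rightid=XXX.YYY.ZZZ.aaa` in the conn, so that pluto expects the IP and not the subject DN.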
