List: strongswan-users
Subject: [strongSwan] Cannot set ID to FQDN with certificate loa
From: <strongswan () dinplug ! com>
Date: 2008-08-06 15:28:08
Message-ID: 20080806152808.28999.qmail () thehosting123 ! com
Hi everyone,
I am trying to set up a GW which will use certs to authenticate itself and EAP for the peer (RW) authentication. I created my own self-signed cert (see details below) and included the subjectAltName=FQDN but cannot get rid of the strongSwan error message:
03[CFG] peerid sgw.myco.com not confirmed by certificate, defaulting to subject DN
I also tried to set the subjectAltName to DNS:FQDN but this did not help.
I want the IDr in the AUTH to be of type ID_FQDN, not ID_DER_ASN1_DN as it is at the moment.
Can anyone help?
Many thanks,
Ian.
01[DMN] starting charon (strongSwan Version 4.2.5)
01[KNL] listening on interfaces:
01[KNL] eth0
01[KNL] 192.168.50.135
01[KNL] fe80::215:c5ff:feaf:3d4d
01[KNL] dummy0
01[KNL] 10.10.1.1
01[KNL] fe80::d4c3:1dff:fef1:73d8
01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
01[CFG] loading crls from '/etc/ipsec.d/crls'
01[CFG] loading secrets from '/etc/ipsec.secrets'
01[CFG] loaded private key file '/usr/src/ca/sslcert/private/cakey.pem'
01[JOB] spawning 16 worker threads
> charon (3363) started
03[CFG] received stroke: add connection 'rw-eapsim'
03[LIB] loaded certificate file '/usr/src/ca/sslcert/cacert.pem'
03[CFG] peerid sgw.myco.com not confirmed by certificate, defaulting to subject DN
03[CFG] added configuration 'rw-eapsim': 192.168.50.135[O=MyCo Ltd, OU=SW, L=Swindon, ST=Wiltshire, C=GB, CN=sgw.myco.com, subjectAltName=sgw.myco.com]...0.0.0.0[*@outandabout.com]
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c0:5d:ee:59:86:37:6e:19
Signature Algorithm: md5WithRSAEncryption
Issuer: O=MyCo Ltd, OU=SW, L=Swindon, ST=Wiltshire, C=GB, CN=sgw.myco.com/subjectAltName=sgw.myco.com
Validity
Not Before: Aug 6 15:38:54 2008 GMT
Not After : Aug 6 15:38:54 2009 GMT
Subject: O=MyCo Ltd, OU=SW, L=Swindon, ST=Wiltshire, C=GB, CN=sgw.myco.com/subjectAltName=sgw.myco.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
X509v3 Subject Key Identifier:
88:89:45:FC:10:82:A4:9D:8D:A1:B3:0C:13:0F:50:AD:5A:88:F5:BA
X509v3 Authority Key Identifier:
keyid:88:89:45:FC:10:82:A4:9D:8D:A1:B3:0C:13:0F:50:AD:5A:88:F5:BA
DirName:/O=MyCo Ltd/OU=SW/L=Swindon/ST=Wiltshire/C=GB/CN=sgw.myco.com/subjectAltName=sgw.myco.com
serial:C0:5D:EE:59:86:37:6E:19
Signature Algorithm: md5WithRSAEncryption
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
	plutodebug=all
	charondebug=all
	strictcrlpolicy=no
	nat_traversal=yes
	plutostart=no

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2

conn rw-eapsim
	authby=rsasig
	eap=sim
	left=192.168.50.135
	leftsubnet=10.10.0.0/16
	leftcert=/usr/src/ca/sslcert/cacert.pem
	leftid=@sgw.myco.com
	right=%any
	rightid=*@outandabout.com
	rightsendcert=never
	auto=add
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
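
Added example, not part of the original post and not strongSwan code: a Python check over `openssl x509 -noout -text` output that separates a name carried in the X509v3 Subject Alternative Name extension from one that only appears as a `subjectAltName=` attribute inside the subject DN, as in the dump above, whose extension list has no Subject Alternative Name entry. It assumes an FQDN identity is confirmed only by a DNS entry in that extension; the function names and the second sample dump are constructed for illustration.

```python
import re

# Abridged from the certificate dump in the post: the name sits in the DN only.
POSTED = """\
Subject: O=MyCo Ltd, OU=SW, L=Swindon, ST=Wiltshire, C=GB, CN=sgw.myco.com/subjectAltName=sgw.myco.com
Subject Public Key Info:
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
X509v3 Subject Key Identifier:
"""

# Constructed sample: the same name carried as a real extension.
FIXED = """\
Subject: O=MyCo Ltd, OU=SW, L=Swindon, ST=Wiltshire, C=GB, CN=sgw.myco.com
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:sgw.myco.com, DNS:vpn.myco.com
"""

def san_dns_names(x509_text):
    """DNS names from the Subject Alternative Name extension ([] if absent)."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Subject Alternative Name" in line:
            # openssl prints the extension values on the following line
            values = lines[i + 1] if i + 1 < len(lines) else ""
            return [v.strip()[4:] for v in values.split(",")
                    if v.strip().startswith("DNS:")]
    return []

def dn_pseudo_san(x509_text):
    """'subjectAltName=' values that ended up inside the Subject DN string."""
    for line in x509_text.splitlines():
        if line.strip().startswith("Subject:"):
            return re.findall(r"subjectAltName=([^,/\s]+)", line)
    return []

def check_fqdn_id(x509_text, fqdn):
    """Classify how (or whether) the certificate carries the FQDN identity."""
    fqdn = fqdn.lstrip("@").lower()  # ipsec.conf writes FQDN IDs as @name
    if fqdn in (n.lower() for n in san_dns_names(x509_text)):
        return "confirmed"
    if fqdn in (n.lower() for n in dn_pseudo_san(x509_text)):
        return "dn-attribute-only"
    return "absent"

if __name__ == "__main__":
    for label, dump in (("posted", POSTED), ("constructed", FIXED)):
        print(label, check_fqdn_id(dump, "@sgw.myco.com"))
```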