Hello,
I did the same thing you told me, but in that case it is showing the same
"received AUTHENTICATION_FAILED notify error". Please take a look at moon's
(ishan) "ipsec.conf":

ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
         crlcheckinterval=600
         strictcrlpolicy=no
         plutostart=no

# Add connections here.

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2


# Sample VPN connections
conn host-host
          left=192.168.3.3
          leftcert=ishanCert.pem
          leftid="C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
ishansharm...@gmail.com"
          right=192.168.3.4
          rightid="C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=abhishek, E=
abhis...@gmail.com"
          auto=start
-------------------------------

As shown in the README (quick start -> host-host), left should be
left=%defaultroute. What does this mean?

Is it the default route (gateway)? If it is wrong, please tell me how to
remove the error "no default route - cannot cope with %defaultroute!!! " at
the time when I start ipsec, i.e. "ipsec start".
Actually I removed this error by setting up sun's (abhishek) eth0 as
192.168.3.4/255.255.255.0 (default route: 192.168.3.4) and moon's (ishan) eth0
as 192.168.3.3/255.255.255.0 (default route 192.168.3.3). Is this a wrong
setup?

With regards
Abhishek Kumar


On Wed, Mar 11, 2009 at 8:53 PM, Daniel Mentz
<danielml+mailinglists.strongs...@sent.com> wrote:

> Thanks for this data.
>
> First of all, the DN
>
> C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
> ishansharm...@gmail.com
>
> does NOT match
>
> C=AU, O=Mincom Pty. Ltd., CN=ishan
>
> If you want to use wildcards, then you have to specify them explicitly.
> Otherwise you have to name all RDNs explicitly. Let's take a look at
> ipsec.conf at sun (=abhishek):
>
> conn host-host
>          left=192.168.3.3
>          leftcert=abhishekCert.pem
>          leftid="C=AU, O=Mincom Pty. Ltd., CN=ishan"
>          right=192.168.3.4
>          rightid="C=AU, O=Mincom Pty. Ltd., CN=abhishek"
>          auto=add
>
>
> Which side is local and which is remote? I guess that right is local
> because the local IP address of eth0 is 192.168.3.4. You need to specify the
> local certificate with rightcert= in this case. Talking about the left side:
> You set leftid to ishan and the leftcert to abhishek. This is inconsistent.
> Also, you don't need to set leftcert= at all, because abhishek gets the
> certificate of ishan during negotiation via IKEv2.
>
> Try this:
>
> conn host-host
>          left=192.168.3.3 # remote
>          leftid="C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
> ishansharm...@gmail.com"
>          right=192.168.3.4 # local
>          rightcert=abhishekCert.pem # local
>          auto=add
>
> Regards,
> Daniel
>
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
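
The DN comparison described in the quoted reply (every RDN named, or an explicit wildcard), as an added Python example that is not part of the thread and not strongSwan's code. It is a simplified model: `parse_dn` and `explain_mismatch` are hypothetical helpers, the `*` wildcard form and the constructed `WILDCARD_ID` are assumptions, and the other DNs are copied from the messages above with the e-mail address elided as it is on the page.

```python
"""Simplified model of DN-style ID matching; not strongSwan's implementation.

Assumptions: RDNs are comma-separated with no escaped commas, order matters,
and a configured value of "*" is an explicit wildcard for that RDN.
"""


def parse_dn(dn):
    """Split 'C=AU, CN=ishan' into [('C', 'AU'), ('CN', 'ishan')]."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def explain_mismatch(configured_id, peer_dn):
    """Return a list of problems; an empty list means the ID matches."""
    conf, peer = parse_dn(configured_id), parse_dn(peer_dn)
    if len(conf) != len(peer):
        named = {attr for attr, _ in conf}
        missing = [f"{a}={v}" for a, v in peer if a not in named]
        return [f"{len(conf)} RDNs configured, peer DN has {len(peer)}; "
                f"not named: {missing}"]
    problems = []
    for (c_attr, c_val), (p_attr, p_val) in zip(conf, peer):
        if c_attr != p_attr:
            problems.append(f"expected {p_attr}, configured {c_attr}")
        elif c_val != "*" and c_val != p_val:
            problems.append(f"{c_attr}: configured {c_val!r}, peer has {p_val!r}")
    return problems


# DNs as they appear in the thread (e-mail address elided on the page).
PEER_DN = "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=ishansharm...@gmail.com"
FIRST_ID = "C=AU, O=Mincom Pty. Ltd., CN=ishan"
SECOND_ID = "C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=ishansharm...@gmail.com"
WILDCARD_ID = "C=AU, ST=*, O=Mincom Pty. Ltd., OU=*, CN=ishan, E=*"  # constructed

if __name__ == "__main__":
    for label, ident in [("first", FIRST_ID), ("second", SECOND_ID),
                         ("full", PEER_DN), ("wildcard", WILDCARD_ID)]:
        print(label, explain_mismatch(ident, PEER_DN) or "match")
```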