[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)
Paul Wouters
paul at nohats.ca
Wed Sep 17 08:10:14 EEST 2014
On Tue, 16 Sep 2014, Enrico Brunetta wrote:
> /etc/ipsec.secrets:
> : RSA enrico
That should be the "friendly name" as used in the pkcs#12 export. On the
server that would not be "enrico".
>> Did your certificates load? run ipsec auto --listall and look for the
>> CAcert and the vpn.bitproductions.com cert.
>
> root at ip-172-31-48-104:~# ipsec auto --listall
> 000
> 000 List of RSA Public Keys:
> 000
> 000 Sep 17 01:24:23 2014, 1024 RSA Key AwEAAdS9l (no private key), until Sep 16 22:04:08 2024 ok
> 000 ID_FQDN '@vpn.bitproductions.com'
More likely, the friendly name is vpn.bitproductions.com?
Note the "no private key", which shows that libreswan does not know how
to find the private key of the certificate it is told to use.
> 000 Issuer 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'
> 000 Sep 17 01:24:23 2014, 1024 RSA Key AwEAAdS9l (no private key), until Sep 16 22:04:08 2024 ok
Here "no private key" is fine, because it is the CA and the vpn server
does not need to have the CA key :)
I think you might need:
: RSA "vpn.bitproductions.com"
or:
: RSA "VPN Server"
But you know best what you used as the friendly_name for the export :)
Paul
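As an added check that is not part of this thread: the three things the reply ties together (the name in ipsec.secrets, the nickname libreswan looks up in the NSS database, and the "(no private key)" marker in `ipsec auto --listall`) can be compared with a short POSIX shell script. Every input below is constructed for illustration; the listall sample is modelled on the one quoted above but uses example.com names, and the layout of `certutil -K` output (nickname in the last column) is an assumption you should confirm on your own host.

```shell
#!/bin/sh
# Added example (not from the Swan thread). Constructed `ipsec auto --listall`
# output: one server key that has a private key, one CA key that does not.
# The "(has private key)" wording and the ID_DER_ASN1_DN line are assumptions.
SAMPLE_LISTALL='000
000 List of RSA Public Keys:
000
000 Sep 17 01:24:23 2014, 2048 RSA Key AwEAAeXAM (has private key), until Sep 16 22:04:08 2024 ok
000        ID_FQDN '"'"'@vpn.example.com'"'"'
000        Issuer '"'"'C=US, O=Example Inc., CN=Example VPN CA'"'"'
000 Sep 17 01:24:23 2014, 2048 RSA Key AwEAAcaKEY (no private key), until Sep 16 22:04:08 2024 ok
000        ID_DER_ASN1_DN '"'"'C=US, O=Example Inc., CN=Example VPN CA'"'"'
000        Issuer '"'"'C=US, O=Example Inc., CN=Example VPN CA'"'"''

# 1. Extract the name from every ': RSA <name>' or ': RSA "<name>"' line of an
#    ipsec.secrets file read on stdin. This is the nickname libreswan will try
#    to find in the NSS database (the pkcs#12 "friendly name").
secrets_rsa_names() {
    sed -n 's/^[[:space:]]*:[[:space:]]*RSA[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p'
}

# 2. From `ipsec auto --listall` output on stdin, print the ID line(s) of every
#    key listed with "(no private key)". For the server's own certificate this
#    is the symptom in the thread; for the CA certificate it is expected.
listall_keys_without_private() {
    awk '
        /RSA Key/ { missing = (index($0, "(no private key)") > 0); next }
        missing && /ID_/ { sub(/^000[ \t]*/, ""); print }
    '
}

# 3. Compare the names referenced in ipsec.secrets (stdin) with the nicknames
#    of private keys actually present in the NSS database, passed in $1 one
#    per line. On a real host you would take those from
#    `certutil -K -d sql:/etc/ipsec.d` (assumed: nickname is the last column).
check_secret_names() {
    nicknames=$1
    secrets_rsa_names | while IFS= read -r name; do
        if printf '%s\n' "$nicknames" | grep -Fxq -- "$name"; then
            echo "ok: $name"
        else
            echo "MISSING: $name (no private key with this nickname in the NSS db)"
        fi
    done
}

# Usage: with a constructed NSS nickname list, ': RSA enrico' is flagged while
# ': RSA "VPN Server"' is accepted, which is the mismatch the reply points at.
NSS_NICKNAMES='VPN Server
vpn.example.com'
printf ': RSA enrico\n' | check_secret_names "$NSS_NICKNAMES"
printf ': RSA "VPN Server"\n' | check_secret_names "$NSS_NICKNAMES"
printf '%s\n' "$SAMPLE_LISTALL" | listall_keys_without_private
```

After correcting the `: RSA "..."` line to the nickname that `certutil -K` actually shows and restarting, the server certificate's entry in `ipsec auto --listall` should no longer carry "(no private key)"; only the CA entry should.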