Hi Vitaly,

a guess would be a problem with your certificates. You could try to replace the CA based solution by locally stored certificates: remove all left/rightid and -rsasigkey and add left/rightcert:

conn %default
    type=tunnel
    keyingtries=1
    keyexchange=ike
    ikelifetime=240m
    keylife=20m
    # leftrsasigkey=%cert
    leftcert=leftgateway.cer
    left=%defaultroute
    leftupdown=/etc/ipsec.updown
    # leftid=@left.gateway.fqdn.name
    # rightrsasigkey=%cert
    pfs=yes
    compress=yes
    auth=esp
    authby=rsasig

# sample connection
conn sample
    right=x.y.z.149
    rightsubnet=10.0.0.0/24
    # rightid=@right.gateway.fqdn.name
    rightcert=right.cer
    # Right security gateway and subnet behind it.
    auto=start

Then store the certificates in the /etc/ipsec.d directory and try again. In case this works you could review your CA structure. A good paper is http://www.twi.ch/~sna/strongsec/freeswan/install.htm; otherwise you could try to go back to preshared secrets as described in the FreeS/WAN documentation to verify basic functionality of your VPN.

hope this helps,
Thomas

Vitaly Shishakov wrote:
Dear all,

I need to establish an IPsec tunnel between two networks. Both gateways use FW2. I did everything as it is described in http://www.nadmm.com/show.php?story=articles/vpn.inc (adapted to my case, of course), but I get the following errors:
Mar 21 19:53:09 cmp240b Pluto[13782]: "sample" #1: responding to Main Mode
Mar 21 19:53:09 cmp240b Pluto[13782]: "sample" #1: Peer ID is ID_FQDN: '@cmpd2.phys.msu.su'
Mar 21 19:53:09 cmp240b Pluto[13782]: "sample" #1: no RSA public key known for '@cmpd2.phys.msu.su'
Below is a sample of one of my ipsec.conf files (the updown script is borrowed from a link in the above article):
# basic configuration
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    type=tunnel
    keyingtries=1
    keyexchange=ike
    ikelifetime=240m
    keylife=20m
    leftrsasigkey=%cert
    left=%defaultroute
    leftupdown=/etc/ipsec.updown
    leftid=@left.gateway.fqdn.name
    rightrsasigkey=%cert
    pfs=yes
    compress=yes
    auth=esp
    authby=rsasig

# sample connection
conn sample
    right=x.y.z.149
    rightsubnet=10.0.0.0/24
    rightid=@right.gateway.fqdn.name
    # Right security gateway and subnet behind it.
    auto=start
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
--
ArcStyler - the Architectural IDE for MDA/J2EE/EJB
-> CyberOne Award 2001
-> Winner Crossroads A-List Award 2001
-> IBM Solution Excellence Award winner for Hot Java Solution
-> European Information Society Technologies Prize Winner 2001
-> Free trial-version at http://www.ArcStyler.com
-> Made with ArcStyler http://www.NewWaveSearchables.com
----- < iO > ---------------------------------------------------------
Interactive Objects Software GmbH
mailto:Thomas.Kerkau@io-software.com
http://www.io-software.com
Basler Strasse 65, D-79100 Freiburg, Germany
Tel: [+49]-761-40073-0, Fax: [+49]-761-40073-73
----------------------------------------------------------------------
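As an added example (not from Thomas's or Vitaly's mail, and not FreeS/WAN code), a small Python lint that parses an ipsec.conf in the format quoted above, merges conn %default into each conn, and flags a rsasig side whose RSA key is expected from a certificate that is not stored locally, which is the situation behind Pluto's "no RSA public key known" message. The config embedded in it is a constructed sample modelled on Vitaly's.

```python
# Hypothetical ipsec.conf lint for the rsasig/certificate setup discussed above.
# Constructed sample mirroring Vitaly's layout: peers identified by FQDN, key via %cert.
SAMPLE_CONF = """\
conn %default
    type=tunnel
    keyexchange=ike
    leftrsasigkey=%cert
    left=%defaultroute
    leftid=@left.gateway.fqdn.name
    rightrsasigkey=%cert
    authby=rsasig

conn sample
    right=x.y.z.149
    rightsubnet=10.0.0.0/24
    rightid=@right.gateway.fqdn.name
    auto=start
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'conn %default' is merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # header at column 0: 'conn NAME'
            current = " ".join(line.split())
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    default = sections.get("conn %default", {})
    return {name: ({**default, **params} if name.startswith("conn ") else params)
            for name, params in sections.items()}

def check_rsasig(conn):
    """Report why Pluto could end up with no RSA public key for a peer of this conn."""
    problems = []
    if conn.get("authby") != "rsasig":
        return problems
    for side in ("left", "right"):
        key, cert = conn.get(f"{side}rsasigkey"), conn.get(f"{side}cert")
        if key is None and cert is None:
            problems.append(f"{side}: neither {side}rsasigkey nor {side}cert given")
        elif key == "%cert" and cert is None:
            problems.append(f"{side}: {side}rsasigkey=%cert relies on a CA-trusted cert "
                            f"from the peer; add {side}cert= to use a locally stored one")
    return problems
```

Running check_rsasig on the merged "conn sample" reports both sides; Thomas's variant (leftcert/rightcert set, rsasigkey removed) passes clean.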