Differences between version 12 and previous revision of IPSecConfiguration.
Newer page: version 12, last edited on Wednesday, November 19, 2003 9:38:11 am by MichaelBordignon
Older page: version 11, last edited on Wednesday, November 19, 2003 9:34:57 am by MichaelBordignon
@@ -15,9 +15,9 @@
__Note:__ While almost all IPSec implementations known to man support PSK, very few support RSA. The rest (pay attention anyone who needs to communicate with a Windows host) use X.509 certificates for authentication. FreeS/WAN does support this but requires a patch to the code and various other bits that I'm not quite sure how work. Watch this space!
__Next Note:__ If you are wanting to interoperate with Windows 2000/XP, make sure that
-* a) The PKCS (.p12) certificate which you export is added to the __local machine__ and not the __current user__. This is the first mistake I made. Otherwise, you'll get something like
+* a) The PKCS (.p12) certificate which you export (with the following command: openssl pkcs12 -export -in winhost.example.com.pem -inkey winhost.example.com.key -certfile demoCA/cacert.pem -out winhost.example.com.p12)
is added to the __local machine__ and not the __current user__. This is the first mistake I made. Otherwise, you'll get something like
auth.log.0:Nov 13 15:26:08 peer pluto[[21342]: "remote-win2k-2"[[2] 166.179.32.102 #2: encrypted
Informational Exchange message is invalid because it is for incomplete ISAKMP SA
* b) If there are any stateful firewalls in between the road warrior and the internal machine, make sure you allow ESP (protocol 50), with something like
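Review bot: In the added bullet a), the openssl command sits in parentheses in the middle of the sentence, and the rest of the sentence ("is added to the __local machine__ and not the __current user__") now starts on a new line without the list marker, so the instruction that matters is detached from its bullet. Suggest keeping the original sentence whole and giving the `openssl pkcs12 -export ...` command its own preformatted line after it. Because `-inkey winhost.example.com.key` bundles the host's private key into the .p12, the text should also tell the reader to set the export password that openssl prompts for and to delete the .p12 file once it has been imported on the Windows machine.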