VPN Lan-to-Lan – Error 111 [Resolved]


This topic contains 0 replies, has 0 voices, and was last updated by  jeanb 8 years ago.

    #42946

    jeanb
    Member

    I'm trying to set up a VPN Lan-to-Lan with X.509 authentication.

    With “Remote CN: zeroshell.example.com”, it works fine.

    With my own certificates, it doesn't work.

    Here is the configuration for Lan-to-Lan:
    – Remote Host: 4.0.0.1 (4.0.0.2 on the other host)
    – Port: UDP
    – Role: Server (Client on the other host)
    – Compression: No
    – Encryption: Yes
    – Authentication: X.509
    – Remote CN: vpn1.soc.fr (or VPN1.SOC.FR). It's the only modification I make when I've selected my own certificate.
    – PSK: the “old” key is grey
    – Gateway: Auto
    – Parameters: no parameters

    Below, in “X.509 Authentication”, the certificate is “status: ok”: here are some details:
    – Subject: C=FR, ST=France, L=Bordeaux, O=Entreprise Test, OU=Usine de Toulouse, CN=vpn1.soc.fr
    – Validity:
    . Not Before: Apr 13 12:21:34 2011 GMT
    . Not After : Apr 12 12:21:34 2012 GMT
    . X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment
    . X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication

    I use (at the moment) the same certificate for the two hosts.

    For the two hosts, the date is the same (I hope): System -> Setup -> Time -> System Time: I see the same date and time (System Time: Thu Apr 14 10:24:50 CEST 2011), but they are not synchronised with a web server because I'm testing without an Internet connection.

    This date and time is in “validity period” for the certificate.

    In Lan-to-Lan log I see:
    11:14:13 TUN/TAP device VPN00 opened
    11:14:13 UDPv4 link local (bound): [undef]:1195
    11:14:13 UDPv4 link remote: 1.2.3.5:1195
    11:14:13 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

    I don't see where the problem is, or how to proceed.

    Thanks for all.

    #51690

    jeanb
    Member

    I’ve found…

    My own certificate has:
    – Certificate purposes:
    . SSL client : No
    . SSL server : Yes

    If I change to:
    . SSL client : yes,
    it works.

    How to do that?

    In my scripts, when I sign certificate using “openssl ca -config file_config”, I use a config file.

    In this config file, I have to add “client”:
    nsCertType = client, server, objsign
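
The fix described in the post above, reproduced end to end as an added example (this is not code from the original thread or from ZeroShell): a throwaway CA signs the same CSR twice, once with nsCertType = server and once with nsCertType = client, server, objsign, and openssl x509 -purpose shows the "SSL client" purpose going from No to Yes. The CA name, the CA directory layout and the policy/extension section names are assumptions made for the example; only the CN vpn1.soc.fr and the nsCertType line come from the thread.

```shell
#!/bin/sh
# Added example, not from the original post or from ZeroShell: reproduce the
# "SSL client : No" purpose on a certificate signed with "openssl ca", then
# re-sign it with nsCertType including "client" and watch the purpose flip.
# CA name, directory layout and section names are assumptions; only the CN
# vpn1.soc.fr and the nsCertType line come from the thread.
set -eu

# Skip cleanly on hosts without the openssl CLI; there is nothing to show there.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal CA database layout that "openssl ca" insists on.
mkdir -p "$WORK/ca/newcerts"
: > "$WORK/ca/index.txt"
echo 1000 > "$WORK/ca/serial"

# Minimal "openssl req" config so the example does not depend on /etc/ssl/openssl.cnf.
printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$WORK/req.cnf"

# Throwaway CA and a CSR for the VPN endpoint named in the thread.
openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/C=FR/O=Entreprise Test/CN=Test CA" \
  -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" >/dev/null 2>&1
openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
  -subj "/C=FR/O=Entreprise Test/CN=vpn1.soc.fr" \
  -keyout "$WORK/vpn1.key" -out "$WORK/vpn1.csr" >/dev/null 2>&1

# write_ca_config NAME NSCERTTYPE: writes $WORK/NAME.cnf for "openssl ca".
# unique_subject = no lets us sign the same subject twice with different extensions.
write_ca_config() {
  cat > "$WORK/$1.cnf" <<EOF
[ ca ]
default_ca = vpn_ca

[ vpn_ca ]
dir = $WORK/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
unique_subject = no
default_md = sha256
default_days = 365
policy = vpn_policy
x509_extensions = vpn_ext

[ vpn_policy ]
countryName = optional
organizationName = optional
commonName = supplied

[ vpn_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
nsCertType = $2
EOF
}

# sign_cert NAME: signs the endpoint CSR with $WORK/NAME.cnf into $WORK/NAME.crt.
sign_cert() {
  openssl ca -batch -config "$WORK/$1.cnf" \
    -in "$WORK/vpn1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# ssl_client_purpose NAME: prints "Yes" or "No", the same value ZeroShell
# displays under "Certificate purposes / SSL client".
ssl_client_purpose() {
  openssl x509 -in "$WORK/$1.crt" -noout -purpose \
    | sed -n 's/^SSL client : //p' | head -n 1
}

# 1. The situation in the first post: nsCertType names only "server".
write_ca_config server_only "server"
sign_cert server_only
echo "nsCertType = server                  -> SSL client : $(ssl_client_purpose server_only)"

# 2. The fix from the second post: nsCertType = client, server, objsign.
write_ca_config client_server "client, server, objsign"
sign_cert client_server
echo "nsCertType = client, server, objsign -> SSL client : $(ssl_client_purpose client_server)"
```

OpenSSL still evaluates the legacy Netscape nsCertType extension when it computes certificate purposes, so a certificate whose nsCertType names only server is rejected as an SSL client even though its extendedKeyUsage lists clientAuth, which is exactly the combination shown in the first post. Omitting nsCertType altogether and relying on extendedKeyUsage alone avoids the mismatch as well.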
