April 14, 2011 at 9:22 am #42946 jeanb Member
I am trying to set up a Lan-to-Lan VPN with X.509 authentication.
With “Remote CN: zeroshell.example.com”, it works fine.
With my own certificates, it doesn’t work.
Here is the configuration for Lan-to-Lan:
– Remote Host: 220.127.116.11 (18.104.22.168 on the other host)
– Port: UDP
– Role: Server (Client on the other host)
– Compression: No
– Encryption: Yes
– Authentication: X.509
– Remote CN: vpn1.soc.fr (or VPN1.SOC.FR). It’s the only modification I make once I’ve selected my own certificate.
– PSK: the “old” key is greyed out
– Gateway: Auto
– Parameters: no parameters
Below, in “X.509 Authentication”, the certificate is “status: ok”: here are some details:
– Subject: C=FR, ST=France, L=Bordeaux, O=Entreprise Test, OU=Usine de Toulouse, CN=vpn1.soc.fr
. Not Before: Apr 13 12:21:34 2011 GMT
. Not After : Apr 12 12:21:34 2012 GMT
. X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment
. X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
I use (at the moment) the same certificate for the two hosts.
On both hosts the date is the same (I hope): under System -> Setup -> Time -> System Time I see the same date and time (System Time : Thu Apr 14 10:24:50 CEST 2011), but they are not synchronised with a time server because I’m testing without an Internet connection.
This date and time is within the certificate’s validity period.
In Lan-to-Lan log I see:
11:14:13 TUN/TAP device VPN00 opened
11:14:13 UDPv4 link local (bound): [undef]:1195
11:14:13 UDPv4 link remote: 22.214.171.124:1195
11:14:13 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
I don’t see where the problem is, or how to move forward.
Thanks for all.
April 14, 2011 at 9:58 am #51690 jeanb Member
My own certificate has:
– Certificate purposes:
. SSL client : No
. SSL server : Yes
If I change to:
. SSL client : yes,
How do I do that?
In my scripts, when I sign a certificate with “openssl ca -config file_config”, I use a config file.
In this config file, I have to add “client”:
nsCertType = client, server, objsign
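An added example, not from the original posts, showing the extension section discussed above next to the server-only profile, and the “openssl x509 -purpose” check that reports “SSL client : Yes / No”. It assumes the openssl CLI is installed; the subject, section names and file names are constructed for this example.

```shell
# Added example, not from the original post. Sign a throw-away certificate
# from an extension section carrying both TLS purposes, then confirm with
# "openssl x509 -purpose" that it reports "SSL client : Yes" and
# "SSL server : Yes"; a second section reproduces the server-only profile.
# Requires the openssl CLI; subject and file names are constructed here.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# [vpn_peer] is the section to name in "openssl ca -config <file> -extensions
# vpn_peer" when signing a Lan-to-Lan peer; [server_only] is the old profile.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = vpn1.example.invalid
[ vpn_peer ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
nsCertType = client, server
[ server_only ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
EOF
# Self-signed so the example runs stand-alone; a real peer certificate would
# be issued by the site CA with the same extension section.
make_test_cert() {  # $1 = output file, $2 = extension section name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
    -extensions "$2" -keyout "$WORK/key.pem" -out "$1" 2>/dev/null
}
check_purposes() {  # prints "ok" when the cert may act as TLS client AND server
  purposes=$(openssl x509 -in "$1" -noout -purpose)
  if printf '%s\n' "$purposes" | grep -q '^SSL client : Yes' &&
     printf '%s\n' "$purposes" | grep -q '^SSL server : Yes'; then
    echo ok
  else
    echo missing
  fi
}
make_test_cert "$WORK/peer.pem" vpn_peer
make_test_cert "$WORK/old.pem" server_only
echo "vpn_peer:    $(check_purposes "$WORK/peer.pem")"   # ok
echo "server_only: $(check_purposes "$WORK/old.pem")"   # missing
```

Both peers of a Lan-to-Lan tunnel need a certificate that passes the vpn_peer check, since each side acts as TLS client or server depending on its role.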