[Openswan Users] Please, please help! WinXP Roadwarrior won't connect! (logs included)
Karim 'Kasi Mir' Senoucci
kasi.mir at melzone.de
Sat Aug 14 03:20:41 CEST 2004
Hello all,
On Fri, 13 Aug 2004 trevor-os at thennion.demon.co.uk wrote:
[...]
>I have a Win2k system working from behind a NAT firewall, but the XP systems
>are all directly connected to the Internet. I am using SuperFreeSwan 1.99.8
>on the gateway.
Can you tell me how the configuration for the NATed machine differs from
the XP ones, what you did to the firewall to ensure the IPSec packets
go through, and what, if any, special entries in the ipsec.conf on the
gateway you made for the Win2k machine? I'm using SuperFreeSwan 1.99.8,
too, so it would be interesting for me to find out *how* exactly other
people got the VPN working behind firewalls.
[...]
>I would suggest you look at upgrading the gateway as has been suggested, but
>also resolving why the XP machine complains about the certificate.
At the moment, the latter is my first priority, as all the replies I've
got so far suggest that the problem lies on the XP side of the VPN, so
that upgrading to OpenSwan seems to be sensible by itself, but not a
likely remedy to my problems.
[...]
>Use the MMC to obtain the details that should be in the conf file.
>
>On the XP machine, in the ipsec.conf file, the rightca=" " should contain the
>Issuer details from your personal certificate.
Just to recapitulate my status quo, in case anything got overlooked so
far:
In my MMC, there is my machine certificate in
"Console Root\Certificates (Local Computer)\Personal\Certificates"
It is listed as:
| [General]
|
| * All application policies
|
| Issued to: KasiTest
| Issued by: kassandra.21st-hq.de
| Valid from 13.08.2004 to 05.03.2008
|
| You have a private key that corresponds to this certificate.
| [Details]
|
| Version V3
| Serial Number 16
| Signature Algorithm md5RSA
| Issuer CN = kassandra.21st-hq.de
| OU = VPN Authority
| O = Synaptec Software & Consulting GmbH
| L = Hamburg
| C = DE
| Valid from Friday, 13 August 2004 01:40:38
| Valid to Wednesday, 5 March 2008 01:40:38
| Subject CN = KasiTest
| OU = VPN Authority
| O = Synaptec Software & Consulting GmbH
| L = Hamburg
| C = DE
| Public key RSA (1024 bits)
| Key Usage Digital Signature, Non-Repudiation, Key Encipherment (e0)
| Basic Constraints Subject Type=End Entity
| Path Length Constraint=None
| Thumbprint algorithm sha1
| Thumbprint aa 69 36 89 6f 73 d2 c1 e4 47 ef d3 67 2b ef 4f e7 29 b9 c6
| [Certification Path]
|
| * kassandra.21st-hq.de
| |
| ---* KasiTest
|
| Certificate Status:
| This certificate is OK.
The CA certificate lies in:
"Console Root\Certificates (Local Computer)\Trusted Root Certification
Authorities\Certificates"
It is listed as:
| [General]
|
| * All issuance policies
| * All application policies
|
| Issued to: kassandra.21st-hq.de
| Issued by: kassandra.21st-hq.de
| Valid from 18.07.2004 to 17.07.2008
| [Details]
|
| Version V3
| Serial number 00
| Signature Algorithm md5RSA
| Issuer CN = kassandra.21st-hq.de
| OU = VPN Authority
| O = Synaptec Software & Consulting GmbH
| L = Hamburg
| C = DE
| Valid from Sunday, 18 July 2004 13:21:21
| Valid to Thursday, 17 July 2008 13:21:21
| Subject CN = kassandra.21st-hq.de
| OU = VPN Authority
| O = Synaptec Software & Consulting GmbH
| L = Hamburg
| C = DE
| Public key RSA (2048 bits)
| Key Usage Certificate Signing,
| Off-line CRL Signing,
| CRL Signing (06)
| Basic Constraints Subject Type=CA
| Path Length Constraint=None
| Thumbprint algorithm sha1
| Thumbprint 9c 43 b4 09 84 54 a4 71 f3 38 da 6f 86 2c fe fc d0 d9 3c b4
| [Certification Path]
|
| * kassandra.21st-hq.de
|
| This certificate is OK.
Both certs were never moved in any way; they were added via
"Automatically select the certificate store based on the type of
certificate" and appeared in the above places.
My WinXP ipsec.conf looks like this:
| conn XP-p2n
|     network=lan
|     auto=start
|     left=%any
|     right=kassandra.21st-hq.de
|     rightsubnet=192.168.168.0/24
|     rightca="C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=kassandra.21st-hq.de"
|     pfs=yes
| conn XP-p2p
|     network=lan
|     auto=start
|     left=%any
|     right=kassandra.21st-hq.de
|     rightca="C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=kassandra.21st-hq.de"
|     pfs=yes
Do you find anything odd or wrong with this? If so, please let me know.
[...]
>Hope you get it fixed - please post how you do get it fixed so that others can
>learn from this.
I will do so, as soon as the thing's working properly. Thanks for the
help.
Greetings
Karim Senoucci
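As an added example that is not part of the original post or of the Openswan/FreeS/WAN code, here is a small Python script that cross-checks the rightca= string of each conn in the XP-side ipsec.conf above against the Issuer fields the MMC shows for the machine certificate, and sanity-checks the Key Usage / Basic Constraints of the CA and end-entity certificates. The conf text, the Issuer lines and the key-usage strings are constructed copies of what the post lists, embedded inline so the script runs offline. It assumes the MMC prints the DN most-specific-first (CN first) while the ipsec.conf string is written in certificate order (C first), so it reverses the MMC order before comparing component by component.

```python
"""Cross-check rightca= in an ipsec.conf against the Issuer DN shown by the
Windows certificate MMC, plus a Key Usage / Basic Constraints sanity check.
Added example; not code from the original post or from Openswan/FreeS/WAN.
All inputs below are constructed copies of what the post lists."""
import re

# Constructed sample: the two conn blocks from the posted WinXP ipsec.conf.
IPSEC_CONF = """\
conn XP-p2n
    network=lan
    auto=start
    left=%any
    right=kassandra.21st-hq.de
    rightsubnet=192.168.168.0/24
    rightca="C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=kassandra.21st-hq.de"
    pfs=yes
conn XP-p2p
    network=lan
    auto=start
    left=%any
    right=kassandra.21st-hq.de
    rightca="C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=kassandra.21st-hq.de"
    pfs=yes
"""

# Constructed sample: Issuer as the MMC "Details" tab prints it, CN first.
MMC_ISSUER = """\
CN = kassandra.21st-hq.de
OU = VPN Authority
O = Synaptec Software & Consulting GmbH
L = Hamburg
C = DE
"""

# Constructed sample: Key Usage / Basic Constraints lines from the MMC.
CA_KEY_USAGE = "Certificate Signing, Off-line CRL Signing, CRL Signing (06)"
CA_BASIC_CONSTRAINTS = "Subject Type=CA"
EE_KEY_USAGE = "Digital Signature, Non-Repudiation, Key Encipherment (e0)"
EE_BASIC_CONSTRAINTS = "Subject Type=End Entity"


def parse_dn_string(dn):
    """Split 'C=DE, L=Hamburg, O=A & B GmbH, ...' into [(type, value), ...].
    Split only on a comma followed by 'TYPE=' so a comma inside a value
    does not break the DN apart."""
    parts = re.split(r",\s*(?=[A-Za-z]+\s*=)", dn.strip())
    return [(t.strip().upper(), v.strip())
            for t, _, v in (p.partition("=") for p in parts)]


def parse_mmc_dn(text):
    """Parse the one-attribute-per-line Issuer/Subject listing of the MMC."""
    return [(t.strip().upper(), v.strip())
            for t, _, v in (ln.partition("=") for ln in text.strip().splitlines())]


def compare_rightca(conf_dn, mmc_dn):
    """Assumption: the MMC prints RDNs most-specific-first (CN ... C), while
    the ipsec.conf string is written in certificate order (C ... CN).
    Reverse the MMC order and compare component by component."""
    conf = parse_dn_string(conf_dn)
    mmc = list(reversed(parse_mmc_dn(mmc_dn)))
    if conf == mmc:
        return "match"
    if sorted(conf) == sorted(mmc):
        return "same components, different order"
    return "mismatch"


def rightca_entries(conf_text):
    """Return [(conn name, rightca DN string)] for every conn that sets one."""
    out, conn = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            conn = m.group(1)
            continue
        m = re.match(r'rightca\s*=\s*"(.*)"\s*$', line)
        if m and conn:
            out.append((conn, m.group(1)))
    return out


def check_key_usage(key_usage, basic_constraints):
    """A CA cert must be flagged as a CA and allowed to sign certificates; an
    end-entity cert used for IKE RSA signature authentication must allow
    Digital Signature. Returns a list of problems (empty when fine)."""
    names = re.sub(r"\s*\([0-9a-f]+\)\s*$", "", key_usage)  # drop hex bit mask
    usages = {u.strip() for u in names.split(",")}
    is_ca = "Subject Type=CA" in basic_constraints
    problems = []
    if is_ca and "Certificate Signing" not in usages:
        problems.append("CA certificate lacks Certificate Signing key usage")
    if not is_ca and "Digital Signature" not in usages:
        problems.append("end-entity certificate lacks Digital Signature key usage")
    return problems


def audit(conf_text=IPSEC_CONF, mmc_issuer=MMC_ISSUER):
    """Run every check; returns {conn: verdict, 'ca_key_usage': [...], ...}."""
    report = {conn: compare_rightca(dn, mmc_issuer)
              for conn, dn in rightca_entries(conf_text)}
    report["ca_key_usage"] = check_key_usage(CA_KEY_USAGE, CA_BASIC_CONSTRAINTS)
    report["ee_key_usage"] = check_key_usage(EE_KEY_USAGE, EE_BASIC_CONSTRAINTS)
    return report
```

Run `audit()` to get one verdict per conn plus the two key-usage lists. This only confirms that the rightca= string is a faithful, correctly ordered transcription of the Issuer the certificate actually carries and that the certificates have the usages IKE needs; it does not validate the chain itself, which is what `openssl verify -CAfile` against the exported CA and machine certificates is for.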