[Openswan Users] fc3 linux ipsec client w/ X.509 certificates and Astaro 5.2

Antonio Enriquez ntonyo at gmail.com
Tue Mar 29 14:41:54 CEST 2005


I have been trying to configure an ipsec connection w/ a Fedora 3
laptop with an 802.11b card and Astaro (ASL) 5.2, using  X.509
certificates.  "louie" has an 802.11b card and uses the gateway to get
to the internet via the cable modem.  I have windows ipsec clients
working with no problems.  The Roadwarrior connection I want to
implement looks like this:


louie                                      gateway              Cable Modem

192.168.0.146-----802.11b-----192.168.0.254-----------> Internet


ASL 5.2:

Created IPSEC Connection:

Name: louie

Type: Roadwarrior

IPSEC Policy: AES_PFS_COMP

Auto Packet Filter: On

Local Endpoint: Internal

Remote Endpoint: Any

Local Subnet: None

Remote Subnet: None

L2TP Encapsulation: None

Keys: X.509:louie

Created CA on ASL box

Created and signed X.509 DN from CERT/CSR body for:

louie and gateway

Imported keys, CA and gateway cert to louie

modified ipsec.conf file

version 2

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

config setup
        nat_traversal=yes

# openswan tunnel configuration

conn road
        left=192.168.0.146
        leftcert=louie.pem
        right=192.168.0.254
        rightcert=gateway.pem
        rightsubnet=0.0.0.0/0
        auto=add

Restarted ipsec service

# service ipsec restart

Start ipsec connection

# ipsec auto --verbose  --up road

002 "road" #1: initiating Main Mode
104 "road" #1: STATE_MAIN_I1: initiate
003 "road" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
002 "road" #1: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
002 "road" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "road" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
002 "road" #1: I am sending my cert
002 "road" #1: I am sending a certificate request
002 "road" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "road" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=us, ST=VA, L=Loudoun, O=None, OU=None, CN=gateway, E=asd-pix at aol.com'
002 "road" #1: no crl from issuer "C=us, ST=VA, L=Loudoun, O=None, OU=None, CN=Loudoun, E=asd at aol.com" found (strict=no)
002 "road" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
002 "road" #1: ISAKMP SA established
004 "road" #1: STATE_MAIN_I4: ISAKMP SA established
002 "road" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
117 "road" #2: STATE_QUICK_I1: initiate
010 "road" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "road" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "road" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "road" #2: starting keying attempt 2 of an unlimited number, but releasing whack

Log file from gateway/ASL box

pluto[26541]: "D_louie_0"[2] 192.168.0.146 #2: sent MR3, ISAKMP SA established
pluto[26541]: "D_louie_0"[2] 192.168.0.146 #2: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.0.254[C=us, ST=CA, L=Los Angeles, O=None, OU=None, CN=gateway, E=asd-pix at aol.com]...192.168.0.146[C=US, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=louie, E=asd at aol.com]
pluto[26541]: "D_louie_0"[2] 192.168.0.146 #2: sending encrypted notification INVALID_ID_INFORMATION to 192.168.0.146:500
pluto[26541]: "D_louie_0"[2] 192.168.0.146 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x203a44fc (perhaps this is a duplicated packet)

The error bothering me is:

pluto[26541]: "D_louie_0"[2] 192.168.0.146 #2: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.0.254[C=us, ST=CA, L=Los Angeles, O=None, OU=None, CN=gateway, E=asd-pix at aol.com]...192.168.0.146[C=US, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=louie, E=asd at aol.com]

I can't figure out why the linux ipsec client does not work, when the
windows clients work fine.  Any help is greatly appreciated.

Thanks,

Antonio
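An added diagnostic example, not part of the original post and not Openswan or Astaro code: the gateway's "no connection is known for" line names exactly the Phase 2 selectors it could not match, so a short script can parse that line and compare it with the client's conn to show whether the proposal reached the gateway intact. The regex, the dictionary form of the conn and the rejoined log line are assumptions made for this example.

```python
import re

# Constructed sample: the gateway's pluto rejection line from this thread,
# rejoined onto one line (the list archive wrapped it).
GATEWAY_LOG = (
    'pluto[26541]: "D_louie_0"[2] 192.168.0.146 #2: cannot respond to IPsec '
    'SA request because no connection is known for '
    '0.0.0.0/0===192.168.0.254[C=us, ST=CA, L=Los Angeles, O=None, OU=None, '
    'CN=gateway, E=asd-pix at aol.com]...192.168.0.146[C=US, ST=Berkshire, '
    'L=Newbury, O=My Company Ltd, CN=louie, E=asd at aol.com]'
)

# The client's "conn road" from the ipsec.conf in the post (assumed dict form).
CLIENT_CONN = {"left": "192.168.0.146", "right": "192.168.0.254",
               "rightsubnet": "0.0.0.0/0"}

# pluto prints the unmatched Phase 2 selectors as
#   [gwsubnet===]gwaddr[gwID]...clientaddr[clientID][===clientsubnet]
SELECTOR_RE = re.compile(
    r"no connection is known for\s+"
    r"(?:(?P<gw_subnet>\S+?)===)?(?P<gw_addr>[\d.]+)\[(?P<gw_id>[^\]]*)\]"
    r"\.\.\.(?P<client_addr>[\d.]+)\[(?P<client_id>[^\]]*)\]"
    r"(?:===(?P<client_subnet>\S+))?"
)

def parse_rejection(line):
    """Extract the selectors the gateway could not match, or None."""
    m = SELECTOR_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    # A bare host in the selector means a /32 for that address.
    f["gw_subnet"] = f["gw_subnet"] or f["gw_addr"] + "/32"
    f["client_subnet"] = f["client_subnet"] or f["client_addr"] + "/32"
    return f

def expected_from_client(conn):
    """Selectors the client's conn asks the gateway to accept in Quick Mode."""
    return {"gw_addr": conn["right"],
            "gw_subnet": conn.get("rightsubnet", conn["right"] + "/32"),
            "client_addr": conn["left"],
            "client_subnet": conn.get("leftsubnet", conn["left"] + "/32")}

def diagnose(line, conn):
    """Compare the gateway's rejection with the client's conn; return findings."""
    seen = parse_rejection(line)
    if seen is None:
        return ["no Phase 2 rejection found in log line"]
    want = expected_from_client(conn)
    findings = [f"{k}: client proposes {want[k]}, gateway saw {seen[k]}"
                for k in want if want[k] != seen[k]]
    if not findings:  # proposal unchanged in transit: the gap is on the gateway
        findings.append("proposal arrived intact; gateway has no connection "
                        f"covering {seen['gw_subnet']} <-> {seen['client_subnet']}")
    return findings
```

When the findings say the proposal arrived intact, the selectors to check are the gateway-side connection's Local Subnet and Remote Subnet against what the client's rightsubnet asks for.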
