<br><font size=3><tt>Hi All,<br>
<br>
I'm currently in the middle of setting up an IPSec connection which will
<br>
have a road warrior (running Windows XP) connecting to a Redhat 9.0 box
<br>
(kernel 2.4.20-8, openswan-1.0.8 with NAT Traversal feature)</tt></font>
<br>
<br><font size=3><tt>Network-wise it looks like this:</tt></font>
<br>
<br>
<br><font size=3><tt>Road warrior (Windows XP)--NAT device (Cisco router)--internet--Redhat
box (with iptables, openswan-1.0.8)--internal network (internal workstation
which is required to be accessed)</tt></font>
<br>
<br><font size=3><tt>What's more, about access control for the road warrior:
on the Cisco router there is no restriction for internal clients; on
the Linux box, UDP 500, ESP (50) and AH (51) have been allowed from and to the
internet, accepted by the OUTPUT, INPUT and FORWARD chains in iptables.</tt></font>
<br>
<br>
<br><font size=3><tt>I've set up the IPSec connection using the snap-in
in MMC. When I ping from the Windows box, it shows <br>
"Negotiating IP Security", followed by request timed out. No matter <br>
how long I try, I keep getting request timed out.</tt></font>
<table width=100%>
<tr>
<td width=100%>
<table align=left>
<tr>
<td colspan=2><font size=3>To verify that I had rightca set properly, I
followed these instructions:</font></table>
<br></table>
<br>
<table width=100%>
<tr>
<td width=100%>
<table align=left>
<tr>
<td colspan=2><font size=3>Load the IPSec MMC you created earlier<br>
- Click IP Security Policies; double-click on the FreeSwan tunnel<br>
- Double-click roadwarrior-Host filter<br>
- Click on the 'Authentication Methods' tab<br>
- Click 'Add', then 'Use a certificate from this CA'<br>
- Click Browse, find your CA<br>
- Copy/paste the text in the grayed-out box into your ipsec.conf</font>
<br>
<br><font size=3>It should be right, but I still get the </font><font size=3><tt>request
timed out</tt></font><font size=3>! :)</font>
<br>
<br><font size=3>I moved on to my Linux gateway (Red Hat Linux 9.0) and
debugged it with the ipsec barf command;</font>
<br><font size=3>it shows the following information:</font>
<br><font size=3>Feb 1 00:39:48 localhost pluto[319]: adding interface
ipsec0/eth0 218.106.186.84</font>
<br><font size=3>Feb 1 00:39:48 localhost pluto[319]: adding interface
ipsec0/eth0 218.106.186.84:4500</font>
<br><font size=3>Feb 1 00:39:48 localhost pluto[319]: loading secrets
from "/etc/ipsec.secrets"</font>
<br><font size=3>Feb 1 00:39:48 localhost pluto[319]: loaded
private key file '/etc/ipsec.d/private/gateway.ensemble.com.key' (1683
bytes)</font>
<br><font size=3>Feb 1 00:40:55 localhost pluto[319]: packet from
219.239.37.131:58868: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]</font>
<br><font size=3>Feb 1 00:40:55 localhost pluto[319]: "roadworrior-net"[1]
219.239.37.131:58868 #1: responding to Main Mode from unknown peer 219.239.37.131:58868</font>
<br><font size=3>Feb 1 00:40:55 localhost pluto[319]: "roadworrior-net"[1]
219.239.37.131:58868 #1: transition from state (null) to state STATE_MAIN_R1</font>
<br><font size=3>Feb 1 00:40:55 localhost pluto[319]: "roadworrior-net"[1]
219.239.37.131:58868 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2</font>
<br><font size=3>Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[1]
219.239.37.131:58868 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CN, ST=BJ,
L=BJ, O=Ensemble International, OU=System department, CN=WINHOST, E=coffeeboy7411@ensemble.com.cn'</font>
<br><font size=3>Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2]
219.239.37.131:58868 #1: deleting connection "roadworrior-net"
instance with peer 219.239.37.131</font>
<br><font size=3>Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2]
219.239.37.131:58868 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3</font>
<br><font size=3>Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2]
219.239.37.131:58868 #1: sent MR3, ISAKMP SA established</font>
<br><font size=3>Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2]
219.239.37.131:58868 #2: responding to Quick Mode</font>
<br><font size=3>Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2]
219.239.37.131:58868 #2: transition from state (null) to state STATE_QUICK_R1</font>
<br><font size=3>Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2]
219.239.37.131:58868 #2: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2</font>
<br><font size=3>Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2]
219.239.37.131:58868 #2: IPsec SA established</font>
<br><font size=3>Feb 1 01:36:26 localhost pluto[319]: "roadworrior-net"[2]
219.239.37.131:58868 #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
to replace #2</font>
<br><font size=3>Feb 1 01:36:26 localhost pluto[319]: ERROR: "roadworrior-net"[2]
219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed
in quick_outI1. Errno 1: Operation not permitted</font>
<br><font size=3>Feb 1 01:36:26 localhost pluto[319]: "roadworrior-net"[2]
219.239.37.131:58868 #4: initiating Main Mode to replace #1</font>
<br><font size=3>Feb 1 01:36:26 localhost pluto[319]: ERROR: "roadworrior-net"[2]
219.239.37.131:58868 #4: sendto on eth0 to 219.239.37.131:58868 failed
in main_outI1. Errno 1: Operation not permitted</font>
<br><font size=3>Feb 1 01:36:36 localhost pluto[319]: ERROR: "roadworrior-net"[2]
219.239.37.131:58868 #4: sendto on eth0 to 219.239.37.131:58868 failed
in EVENT_RETRANSMIT. Errno 1: Operation not permitted</font>
<br><font size=3>Feb 1 01:36:36 localhost pluto[319]: ERROR: "roadworrior-net"[2]
219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed
in EVENT_RETRANSMIT. Errno 1: Operation not permitted</font>
<br><font size=3>Feb 1 01:36:56 localhost pluto[319]: ERROR: "roadworrior-net"[2]
219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed
in EVENT_RETRANSMIT. Errno 1: Operation not permitted</font>
<br><font size=3>Feb 1 01:36:56 localhost pluto[319]: ERROR: "roadworrior-net"[2]
219.239.37.131:58868 #4: sendto on eth0 to 219.239.37.131:58868 failed
in EVENT_RETRANSMIT. Errno 1: Operation not permitted</font>
<br><font size=3>Feb 1 01:37:36 localhost pluto[319]: "roadworrior-net"[2]
219.239.37.131:58868 #4: max number of retransmissions (2) reached STATE_MAIN_I1.
No acceptable response to our first IKE message</font>
<br><font size=3>Feb 1 01:37:36 localhost pluto[319]: "roadworrior-net"[2]
219.239.37.131:58868 #3: max number of retransmissions (2) reached STATE_QUICK_I1</font>
<br><font size=3>Feb 1 01:40:56 localhost pluto[319]: "roadworrior-net"[2]
219.239.37.131:58868 #1: ISAKMP SA expired (LATEST!)</font>
<br><font size=3>Feb 1 01:40:56 localhost pluto[319]: ERROR: "roadworrior-net"[2]
219.239.37.131:58868 #1: sendto on eth0 to 219.239.37.131:58868 failed
in delete notify. Errno 1: Operation not permitted</font>
<br><font size=3>Feb 1 01:40:56 localhost pluto[319]: "roadworrior-net"[2]
219.239.37.131:58868 #2: IPsec SA expired (LATEST!)</font>
<br><font size=3>Feb 1 01:40:56 localhost pluto[319]: "roadworrior-net"[2]
219.239.37.131:58868: deleting connection "roadworrior-net" instance
with peer 219.239.37.131</font>
<br><font size=3>+ _________________________ date</font>
<br><font size=3>+ date</font>
<br><font size=3>Tue Feb 1 04:56:48 CST 2005</font>
<br>
<br><font size=3>IPsec SA is indeed established, but</font><font size=3><tt>
I couldn't ping the <br>
internal box behind the Redhat gateway from the road warrior. Pings in
both directions do not work properly.</tt></font>
<br>
<br><font size=3><tt>I hope someone out there will have suggestions on
solving this, as I'm <br>
beginning to tear my hair out. I'll just paste the Linux side ipsec.conf and
the Windows XP side ipsec.conf here to help solve the problem.</tt></font>
<br>
<br><font size=3><tt>Linux side ipsec.conf:</tt></font>
<br>
<br><font size=3><tt>config setup</tt></font>
<br><font size=3><tt> </tt></font>
<br><font size=3><tt> interfaces="ipsec0=eth0"</tt></font>
<br><font size=3><tt> nat_traversal=yes</tt></font>
<br><font size=3><tt> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16</tt></font>
<br><font size=3><tt> klipsdebug=none</tt></font>
<br><font size=3><tt> plutodebug=none</tt></font>
<br><font size=3><tt> plutoload=%search</tt></font>
<br><font size=3><tt> plutostart=%search</tt></font>
<br><font size=3><tt> plutowait=no</tt></font>
<br><font size=3><tt> uniqueids=yes</tt></font>
<br><font size=3><tt>conn %default</tt></font>
<br>
<br><font size=3><tt> keyingtries=1</tt></font>
<br><font size=3><tt> compress=yes</tt></font>
<br><font size=3><tt> disablearrivalcheck=no</tt></font>
<br><font size=3><tt> authby=rsasig</tt></font>
<br><font size=3><tt> leftrsasigkey=%cert</tt></font>
<br><font size=3><tt> rightrsasigkey=%cert</tt></font>
<br>
<br><font size=3><tt>conn roadworrior-net</tt></font>
<br><font size=3><tt> left=68.106.186.85</tt></font>
<br><font size=3><tt> leftnexthop=68.106.186.81</tt></font>
<br><font size=3><tt> leftsubnet=192.168.0.0/16</tt></font>
<br><font size=3><tt> leftcert=gateway.semble.com.pem</tt></font>
<br><font size=3><tt> right=%any</tt></font>
<br><font size=3><tt> rightsubnet=vhost:%no,%priv</tt></font>
<br><font size=3><tt> auto=add</tt></font>
<br><font size=3><tt> pfs=yes</tt></font>
<br>
<br>
<br><font size=3><tt>Windows side ipsec.conf:</tt></font>
<br><font size=3><tt>conn roadwarrior</tt></font>
<br><font size=3><tt> left=68.106.186.85</tt></font>
<br><font size=3><tt> leftsubnet=192.168.0.0/16</tt></font>
<br><font size=3><tt> right=%any</tt></font>
<br><font size=3><tt> rightca="C=CN, S=BJ, L=BJ, O=semble International,
OU=System department, CN=FIREWALL, E=lidong.li@ensemble.com.cn"</tt></font>
<br><font size=3><tt> network=auto</tt></font>
<br><font size=3><tt> auto=start</tt></font>
<br><font size=3><tt> pfs=yes</tt></font>
<br></table>
<br></table>
<br><font size=2 face="sans-serif">Tony<br>
<br>
Best Regards,<br>
<br>
</font>
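<br><font size=3>An added diagnostic script, not part of this post or of Openswan, that parses a few of the pluto lines and the gateway conn block quoted above and tags what a responder would check first: whether <tt>left=</tt> matches an address pluto actually bound, and the <tt>sendto ... Errno 1</tt> failures, which on Linux mean the kernel (usually a netfilter OUTPUT rule) refused to emit the outbound IKE packet even though both SAs had come up. The sample lines are a constructed subset copied from the post; <tt>diagnose</tt> and its finding tags are hypothetical.</font>

```python
import re

# Sample lines copied from the post above (constructed subset, one conn block).
PLUTO_LOG = """\
Feb 1 00:39:48 localhost pluto[319]: adding interface ipsec0/eth0 218.106.186.84
Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #1: sent MR3, ISAKMP SA established
Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #2: IPsec SA established
Feb 1 01:36:26 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed in quick_outI1. Errno 1: Operation not permitted
Feb 1 01:36:36 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #4: sendto on eth0 to 219.239.37.131:58868 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
"""
IPSEC_CONF = """\
conn roadworrior-net
 left=68.106.186.85
 rightsubnet=vhost:%no,%priv
"""

IFACE_RE = re.compile(r"adding interface \S+ (\d+(?:\.\d+){3})(?::\d+)?$")
SENDTO_RE = re.compile(r"sendto on (\S+) to (\S+) failed in (\S+)\. Errno (\d+)")

def parse_log(text):
    """Collect the addresses pluto bound, sendto failures and which SAs came up."""
    addrs, failures, sas = set(), [], set()
    for line in text.splitlines():
        if m := IFACE_RE.search(line):
            addrs.add(m.group(1))
        if m := SENDTO_RE.search(line):
            failures.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
        for sa in ("ISAKMP", "IPsec"):
            if f"{sa} SA established" in line:
                sas.add(sa)
    return addrs, failures, sas

def parse_conn(text):
    """Minimal key=value reader for one conn section (no includes, no quoting)."""
    return dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l)

def diagnose(log=PLUTO_LOG, conf=IPSEC_CONF):
    """Return finding tags; an empty list means nothing suspicious was seen."""
    addrs, failures, sas = parse_log(log)
    conn = parse_conn(conf)
    findings = []
    if conn.get("left") and conn["left"] not in addrs:
        findings.append("left_mismatch")  # left= is not an address pluto bound
    # Errno 1 (EPERM) from sendto: the kernel refused to emit the IKE packet,
    # usually a netfilter OUTPUT rule; NAT-T needs udp/4500 as well as udp/500.
    if any(errno == 1 for _, _, _, errno in failures):
        findings.append("sendto_eperm")
    if sas == {"ISAKMP", "IPsec"} and failures:
        findings.append("rekey_blocked")  # SAs came up, later IKE traffic refused
    return findings
```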