<br><font size=3>Hi,</font>
<br>
<br><font size=3>I've got some trouble to get OpenSwan to work in an XP
Roadwarrior environment. <br>
<br>
<br>
Server: latest debian Sarge Network installation, 2.6.8 Kernel, Client
XP SP2 fully patched, no XP Firewall, Markus Müllers ipsec.exe, X509 Certificates
made by openssl/CA.pl. The server has its own external interface with static
internet connection and fixed address bound as default route.</font>
<br>
<br><font size=3>ipsec.conf Server:<br>
version 2.0 # conforms to second version of ipsec.conf specification<br>
# basic configuration<br>
config setup<br>
interfaces=%defaultroute<br>
klipsdebug=none<br>
plutodebug=none<br>
conn %default<br>
authby=rsasig<br>
leftrsasigkey=%cert<br>
rightrsasigkey=%cert<br>
left=%defaultroute<br>
leftcert=vpngatecert.pem leftid="C=DE/ST=NRW/L=HERZOGENRATH/O=xxxxx/CN=VPNxxxxx"<br>
right=%any<br>
keyingtries=1<br>
conn x509-roadwarrior<br>
auto=add<br>
conn x509-net-roadwarrior<br>
leftsubnet=192.168.2.0/24<br>
auto=add</font>
<br><font size=3>#Disable Opportunistic Encryption<br>
include /etc/ipsec.d/examples/no_oe.conf<br>
<br>
ipsec.conf Client:<br>
conn VPN<br>
right=%any<br>
left=212.xxx.xxx.xxx<br>
leftsubnet=192.168.2.0/24<br>
leftca="C=DE, ST=NRW, L=HERZOGENRATH, O=xxxxx, CN=VPNxxxxx"<br>
network=auto<br>
auto=start<br>
rekey=1800S/30000K<br>
authmode=MD5<br>
pfs=yes<br>
<br>
Start Server:<br>
Aug 11 09:46:29 t4ac00 pluto[6651]: Starting Pluto (Openswan Version 2.2.0
X.509-1.5.4 PLUTO_USES_KEYRR)<br>
Aug 11 09:46:29 t4ac00 pluto[6651]: including NAT-Traversal patch (Version
0.6c) [disabled]<br>
Aug 11 09:46:29 t4ac00 pluto[6651]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)<br>
Aug 11 09:46:29 t4ac00 pluto[6651]: Using Linux 2.6 IPsec interface code<br>
Aug 11 09:46:30 t4ac00 pluto[6651]: Changing to directory '/etc/ipsec.d/cacerts'<br>
Aug 11 09:46:30 t4ac00 pluto[6651]: loaded CA cert file 'cacert.pem' (1054
bytes)<br>
Aug 11 09:46:30 t4ac00 pluto[6651]: Could not change to directory '/etc/ipsec.d/aacerts'<br>
Aug 11 09:46:30 t4ac00 pluto[6651]: Changing to directory '/etc/ipsec.d/ocspcerts'<br>
Aug 11 09:46:30 t4ac00 pluto[6651]: Changing to directory '/etc/ipsec.d/crls'<br>
Aug 11 09:46:30 t4ac00 pluto[6651]: loaded crl file 'crl.pem' (434 bytes)<br>
Aug 11 09:46:31 t4ac00 pluto[6651]: loaded host cert file '/etc/ipsec.d/certs/vpngatecert.pem'
(3329 bytes)<br>
Aug 11 09:46:31 t4ac00 pluto[6651]: added connection description "x509-net-roadwarrior"<br>
Aug 11 09:46:31 t4ac00 pluto[6651]: loaded host cert file '/etc/ipsec.d/certs/vpngatecert.pem'
(3329 bytes)<br>
Aug 11 09:46:31 t4ac00 pluto[6651]: added connection description "x509-roadwarrior"<br>
Aug 11 09:46:31 t4ac00 pluto[6651]: listening for IKE messages<br>
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface eth2/eth2 192.168.2.1<br>
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface eth1/eth1 172.xxx.xxx.xxx<br>
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface eth0/eth0 212.xxx.xxx.xxx<br>
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface lo/lo 127.0.0.1<br>
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface lo/lo ::1<br>
Aug 11 09:46:31 t4ac00 pluto[6651]: loading secrets from "/etc/ipsec.secrets"<br>
Aug 11 09:46:31 t4ac00 pluto[6651]: loaded private key file '/etc/ipsec.d/private/vpnxxxxreq.pem'
(1586 bytes)<br>
<br>
when we start ipsec on the XP client with direct connection to the internet
an ping:<br>
Aug 11 09:52:22 t4ac00 pluto[6651]: packet from 62.246.73.238:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]<br>
Aug 11 09:52:22 t4ac00 pluto[6651]: packet from 62.246.73.238:500: ignoring
Vendor ID payload [FRAGMENTATION]<br>
Aug 11 09:52:22 t4ac00 pluto[6651]: packet from 62.246.73.238:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already
using method 0<br>
Aug 11 09:52:22 t4ac00 pluto[6651]: packet from 62.246.73.238:500: ignoring
Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]<br>
Aug 11 09:52:22 t4ac00 pluto[6651]: "x509-net-roadwarrior"[1]
62.246.73.238 #1: responding to Main Mode from unknown peer 62.246.73.238<br>
Aug 11 09:52:22 t4ac00 pluto[6651]: "x509-net-roadwarrior"[1]
62.246.73.238 #1: transition from state (null) to state STATE_MAIN_R1<br>
Aug 11 09:52:22 t4ac00 pluto[6651]: "x509-net-roadwarrior"[1]
62.246.73.238 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[1]
62.246.73.238 #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=NRW, L=HERZOGENRATH,
O=xxxxx, CN=VPNyy'<br>
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #1: deleting connection "x509-net-roadwarrior"
instance with peer 62.246.73.238 {isakmp=#0/ipsec=#0}<br>
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #1: I am sending my cert<br>
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #1: sent MR3, ISAKMP SA established<br>
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #2: responding to Quick Mode<br>
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #2: transition from state (null) to state STATE_QUICK_R1<br>
Aug 11 09:52:24 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
Aug 11 09:52:24 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #2: IPsec SA established {ESP=>0x8fda5747 <0x7c91c54b}<br>
<br>
Everything looks fine, SA established, so I try to ping a machine behind
the Gateway. Here's the icmp logging of the INPUT, OUTPUT and FORWARD chain,
eth0 ist 212.., eth2 is 192.168.2.1:</font>
<br>
<br><font size=3>Aug 11 09:52:24 t4ac00 kernel: INPUT LOG: IN=eth0 OUT=
MAC=00.... SRC=62.246.73.238 DST=212.xxx.xxx.xxx LEN=112 TOS=0x00 PREC=0x00
TTL=117 ID=5225 PROTO=ESP SPI=0x7c91c54b </font>
<br><font size=3>Aug 11 09:52:24 t4ac00 kernel: FORWARD LOG: IN=eth0 OUT=eth2
SRC=62.246.73.238 DST=192.168.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=26899
PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=768 <br>
Aug 11 09:52:24 t4ac00 kernel: FORWARD LOG: IN=eth2 OUT=eth0 SRC=192.168.2.10
DST=62.246.73.238 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=734 PROTO=ICMP TYPE=0
CODE=0 ID=1024 SEQ=768 <br>
<br>
Like yoe see, paket arrives by ESP protocol, will be converted to icmp
pong, goes out. A icmp ping responses from 192.168.2.10 with the destination
62.246.73.238 which ist the actual transient client IP adress. And then
nothing. Result: in the client we see some request time out; additionaly
there is NO incoming traffic from the network.</font>
<br>
<br><font size=3>Beneath this, there are later some UDP/500 interaction
between client and server and nothing more. If anyone argued about the
firewall as reason: it's the same without. And the functioning UDP/500
communication between client and server shows, that both can reach each
other. Oakley log at XP looks too long for posting but ok (or even I can't
read it the appropriate way...).</font>
<br>
<br><font size=3>Anyone any idea? I use this test-equip for several tests
in fw and ipsec, everything else is totally ok...</font>
<br>
<br><font size=3>Greetings,</font>
<br><font size=3>Guenter</font>