<b><i>Arno Lehmann <al@its-lehmann.de></i></b> wrote:

> Hello,
>
> this is my first post to the list, so please be patient if I ask a FAQ
> (I did look through the archives, and used google, but couldn't find
> answers to my problem that solved them...)
>
> Ok, my setup:
>
> Quite basic at the moment:
> I have an internal network, 192.168.0.0/24, where I run a server that
> will become a VPN gateway. This is "balrog" at 192.168.0.22.
>
> A test client "phoenix" is at .88. This machine runs MS Windows Vista
> business.
>
> I set up the server with Linux Openswan U2.4.6/K2.6.18.8-0.3-default
> (netkey) (as distributed by SuSE's OpenSuse 10.2). My first tests used
> PSK authentication and worked fine, mostly following jacco's manual.
>
> Then I went on to try certificates, which will be a requirement later.
> (And, most probably, I'll have to fight with NAT and having the server
> listening to different networks, and all this sort of fun - later)
>
> I created a connection in ipsec.conf like this:
>
> config setup
>     interfaces="ipsec0=eth2 ipsec1=eth1 ipsec2=eth0"
>     klipsdebug=
>     plutodebug=
>     manualstart=
>     syslog=
>     plutowait=yes
>     nhelpers=0
>     #

Just disable klipsdebug, plutodebug, manualstart and syslog, or give them the option yes or no, but do not leave them blank.

>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24,%v4:!192.168.37.0/24
>     # nat_traversal=yes
>
> conn intern-cert
>     authby=rsasig
>     rightrsasigkey=%cert
>     leftcert=ITS-VPN.pem
>     left=192.168.0.22
>     leftprotoport=17/1701
>     right=%any
>     rightprotoport=17/1701
>     rightsubnet=vhost:%no,%priv
>     rightca=%same
>     auto=add

Here you have to specify

leftrsasigkey=%cert
leftsubnet=192.168.0.0/24

> (the defaults are unchanged from the PSK setup, and the connection
> itself is also similar to the working PSK one.)
>
> I created a (sub) CA (I'm using tinyCA for other certificate handling
> already) and created two certificates, one for the VPN server, and one
> for the windows client.
>
> I packaged the windows one as a pkcs12 file and installed it on that
> machine.
>
> I copied the server-related files to the vpn gateway
> (/etc/ipsec.d/certs, .../cacerts, .../private - certificate, CA
> certificate, private key for certificate, respectively) and restarted
> the ipsec subsystem.
>
> When I keep the gateway certificate protected by a password, and have
> a line like ": RSA "password" in ipsec.secrets, I get these
> messages:

You have to specify this in the ipsec.secrets file:

: RSA ITS-VPN.key "password"

ITS-VPN.key is the key file which is copied to the private folder. This solves the key-not-found problem.

>> Jul 17 01:18:05 balrog pluto[13311]: loading secrets from "/etc/ipsec.secrets"
>> Jul 17 01:18:05 balrog pluto[13311]: could not open private key file '/etc/ipsec.d/private/ITS-VPN.pem'
>> Jul 17 01:18:05 balrog pluto[13311]: "/etc/ipsec.secrets" line 14: error loading RSA private key file
>> Jul 17 01:18:05 balrog ipsec__plutorun: 003 "/etc/ipsec.secrets" line 14: error loading RSA private key file
>
> If I unlock the key file (and comment out the line in ipsec.secrets), I get no messages in the log.
>
> When I start the connection from the windows client, I quickly get a
> message that the connection could not be established, with a result
> code of 810, which would indicate a certificate problem, I think.
>
> On the server side, in the log, I find lines like
>
>> Jul 17 01:23:03 balrog pluto[14159]: "intern-cert"[1] 192.168.0.88 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> Jul 17 01:23:03 balrog pluto[14159]: "intern-cert"[1] 192.168.0.88 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>> Jul 17 01:23:03 balrog pluto[14159]: "intern-cert"[1] 192.168.0.88 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> Jul 17 01:23:03 balrog pluto[14159]: "intern-cert"[1] 192.168.0.88 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>> Jul 17 01:23:03 balrog pluto[14159]: "intern-cert"[1] 192.168.0.88 #1: next payload type of ISAKMP Hash Payload has an unknown value: 51
>> Jul 17 01:23:03 balrog pluto[14159]: "intern-cert"[1] 192.168.0.88 #1: malformed payload in packet
>> Jul 17 01:23:03 balrog pluto[14159]: "intern-cert"[1] 192.168.0.88 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.88:500
>
> The malformed payload message is, as far as I understand after much
> reading, more or less only an artifact of an unencrypted message sent
> because encryption could not be established.
>
> After much trial and error, and not getting anywhere, I tried the
> CA.sh script to set up the CA and create certificates, but without any
> success - the problem persists. I even deleted the whole CA for the
> VPN and recreated it to make sure I did not accidentally use the
> wrong files or anything... (I admit this is close to the usual
> windows-related advice to reinstall, but I *am* getting desperate ;-)

To make the certificates, refer to the http://www.natecarlson.com/linux/ipsec-x509.php guide. Also make a crl.pem file. Then follow http://www.jacco2.dds.nl/networking/vista-openswan.html to go ahead.

> By now, I think that windows, for some reason, does not like my
> certificates.
>
> Unfortunately, I don't know what I'm doing wrong :-(
>
> Any hints from some of you, perhaps?
>
> --
> Arno Lehmann
> IT-Service Lehmann
> www.its-lehmann.de

Regards,

Dhaval
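As an added illustration (not code from either poster or from the Openswan project), a small Python lint that encodes the three corrections in the reply above: it parses an ipsec.conf and reports blank `config setup` options, a `conn` that sets `rightrsasigkey=%cert` without `leftrsasigkey=%cert`, and a missing `leftsubnet`, and it checks ipsec.secrets lines of the form `: RSA keyfile "passphrase"` against the private key directory. The sample config is constructed for the example and is not Arno's file; the default directory is the /etc/ipsec.d/private path from the thread.

```python
import re
from pathlib import Path
# Constructed sample modelled on the thread's ipsec.conf (not the poster's exact file).
SAMPLE_CONF = """\
config setup
    klipsdebug=
    plutowait=yes

conn intern-cert
    authby=rsasig
    rightrsasigkey=%cert
    rightsubnet=vhost:%no,%priv
"""

def parse_conf(text):
    """Split ipsec.conf into {section: {key: value}}; a bare 'key=' maps to ''."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():          # 'config setup' / 'conn NAME' header
            current = sections.setdefault(line, {})
        elif line.strip() and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_conf(text):
    """Encode the reply's three points: blank options, one-sided %cert, no leftsubnet."""
    sections = parse_conf(text)
    problems = [f"config setup: '{k}=' is blank; give it yes/no or remove it"
                for k, v in sections.get("config setup", {}).items() if v == ""]
    for name, opts in sections.items():
        if name.startswith("conn "):
            if opts.get("rightrsasigkey") == "%cert" and opts.get("leftrsasigkey") != "%cert":
                problems.append(f"{name}: rightrsasigkey=%cert without leftrsasigkey=%cert")
            if "leftsubnet" not in opts:
                problems.append(f"{name}: leftsubnet is not set")
    return problems

# ': RSA "pass"' (no key file) versus ': RSA keyfile "pass"'; inline '{ ... }' keys are skipped
RSA_LINE = re.compile(r'^\s*:\s*RSA\s+(?:"(?P<bare>[^"]*)"|(?P<file>[^\s"{]\S*)(?:\s+"[^"]*")?)\s*$')
def check_secrets(text, private_dir="/etc/ipsec.d/private"):
    """Flag ': RSA "pass"' lines (no key file) and key files absent from private_dir."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        m = RSA_LINE.match(line)
        if m and m.group("bare") is not None:
            problems.append(f"line {n}: ': RSA \"...\"' names no key file")
        elif m and not (Path(private_dir) / m.group("file")).is_file():
            problems.append(f"line {n}: key file '{m.group('file')}' not found in {private_dir}")
    return problems
```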