[Openswan Users] Re: WinXP with Certificates and NAT-T
Leonard Tulipan
l.tulipan at mpwi.at
Mon Jun 14 17:25:29 CEST 2004
So, I updated to openswan 2.1.2
This is my ipsec.conf in openswan:
version 2.0
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
uniqueids=yes
nat_traversal=yes
conn %default
keyingtries=1
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
leftcert=GatewayCert.pem
auth=esp
leftsendcert=always
conn auto_1086343201_0
right=%any
left=%defaultroute
leftsubnet=192.168.118.0/24
rightcert=RoadWarrior1Cert.pem
rightsubnet=192.168.0.151/32
authby=rsasig
auto=add
pfs=yes
leftupdown=/usr/local/lib/ipsec/_updown_ncp
This is the ipsec.conf from the Müller IPSEC Tool:
conn lan_roadwarrior
left=%any
right=200.200.200.200
rightsubnet=192.168.118.0/255.255.255.0
rightca="CN=VPN,O=Schneller Scharau 5th Mind,L=Wien,C=AT"
network=lan
auto=start
authmode=MD5
pfs=yes
Log:
Jun 14 15:31:26 firewall pluto[8079]: Starting Pluto (Openswan Version 2.1.2 X.509-1.4.8 PLUTO_USES_KEYRR)
Jun 14 15:31:26 firewall pluto[8079]: including NAT-Traversal patch (Version 0.6c)
Jun 14 15:31:26 firewall pluto[8079]: Using KLIPS IPsec interface code
Jun 14 15:31:26 firewall pluto[8079]: Changing to directory '/etc/ipsec.d/cacerts'
Jun 14 15:31:26 firewall pluto[8079]: loaded cacert file 'cacert.pem' (1180 bytes)
Jun 14 15:31:26 firewall pluto[8079]: Changing to directory '/etc/ipsec.d/crls'
Jun 14 15:31:26 firewall pluto[8079]: loaded crl file 'crl.pem' (633 bytes)
Jun 14 15:31:27 firewall pluto[8079]: loaded host cert file '/etc/ipsec.d/certs/GatewayCert.pem' (1005 bytes)
Jun 14 15:31:27 firewall pluto[8079]: loaded host cert file '/etc/ipsec.d/certs/RoadWarrior1Cert.pem' (1009 bytes)
Jun 14 15:31:27 firewall pluto[8079]: added connection description "auto_1086343201_0"
Jun 14 15:31:27 firewall pluto[8079]: listening for IKE messages
Jun 14 15:31:27 firewall pluto[8079]: adding interface ipsec0/ppp0 200.200.200.200
Jun 14 15:31:27 firewall pluto[8079]: adding interface ipsec0/ppp0 200.200.200.200:4500
Jun 14 15:31:27 firewall pluto[8079]: loading secrets from "/etc/ipsec.secrets"
Jun 14 15:31:27 firewall pluto[8079]: loaded private key file '/etc/ipsec.d/private/GatewayKey.pem' (963 bytes)
Jun 14 15:31:48 firewall pluto[8079]: packet from 60.60.60.60:500: Informational Exchange is for an unknown (expired?) SA
Jun 14 15:31:57 firewall pluto[8079]: packet from 60.60.60.60:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jun 14 15:31:57 firewall pluto[8079]: packet from 60.60.60.60:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 14 15:31:57 firewall pluto[8079]: packet from 60.60.60.60:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 14 15:31:57 firewall pluto[8079]: "auto_1086343201_0"[1] 60.60.60.60 #1: responding to Main Mode from unknown peer 60.60.60.60
Jun 14 15:31:57 firewall pluto[8079]: "auto_1086343201_0"[1] 60.60.60.60 #1: transition from state (null) to state STATE_MAIN_R1
Jun 14 15:31:57 firewall pluto[8079]: "auto_1086343201_0"[1] 60.60.60.60 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jun 14 15:31:57 firewall pluto[8079]: "auto_1086343201_0"[1] 60.60.60.60 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 14 15:33:07 firewall pluto[8079]: "auto_1086343201_0"[1] 60.60.60.60 #1: max number of retransmissions (2) reached STATE_MAIN_R2
Any ideas? What does the "unknown (expired?) SA" mean? The certificate
should be valid till 2005:
subject= /C=AT/L=Wien/O=Schneller Scharau 5th Mind/CN=RoadWarrior1
notBefore=Mar 26 13:18:26 2004 GMT
notAfter=Mar 26 13:18:26 2005 GMT
Any help appreciated.
Btw. with a changed ipsec.conf I was able to make a connection with
Pre-Shared Keys, but as you see, I have my troubles with X.509.
Cheers
Leonard
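For readers triaging a log like the one above: the following added example (not part of the original post or of Openswan) parses pluto's per-SA state messages, records where each IKE SA hit its retransmission limit, and reports what an IKEv1 Main Mode responder was waiting for in that state. The sample log lines are constructed in the format quoted in the post; the state-to-message mapping follows the RFC 2409 Main Mode exchange order and the UDP/4500 port-change rule of draft-ietf-ipsec-nat-t-ike-02/03.

```python
import re

# Constructed sample in the pluto log format quoted in the post (not a capture of the author's system).
SAMPLE_LOG = """\
Jun 14 15:31:57 firewall pluto[8079]: "auto_1086343201_0"[1] 60.60.60.60 #1: responding to Main Mode from unknown peer 60.60.60.60
Jun 14 15:31:57 firewall pluto[8079]: "auto_1086343201_0"[1] 60.60.60.60 #1: transition from state (null) to state STATE_MAIN_R1
Jun 14 15:31:57 firewall pluto[8079]: "auto_1086343201_0"[1] 60.60.60.60 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jun 14 15:31:57 firewall pluto[8079]: "auto_1086343201_0"[1] 60.60.60.60 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 14 15:33:07 firewall pluto[8079]: "auto_1086343201_0"[1] 60.60.60.60 #1: max number of retransmissions (2) reached STATE_MAIN_R2
"""

# Per-SA prefix pluto puts on state messages: "conn"[instance] peer #sa: message
SA_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r"transition from state \S+ to state (\S+)")
RETRANS_RE = re.compile(r"max number of retransmissions \((\d+)\) reached (\S+)")

# What an IKEv1 Main Mode responder waits for in each state (RFC 2409 exchange order).
WAITING_FOR = {
    "STATE_MAIN_R1": "initiator KE and nonce (message 3)",
    "STATE_MAIN_R2": "initiator ID, certificate and signature (message 5, first encrypted packet)",
}

def parse_pluto_log(text):
    """Group pluto state messages by (connection, peer, SA number)."""
    sas = {}
    for line in text.splitlines():
        m = SA_RE.search(line)
        if not m:  # startup lines, vendor IDs etc. carry no SA prefix
            continue
        key = (m["conn"], m["peer"], int(m["sa"]))
        rec = sas.setdefault(key, {"states": [], "nated": False, "stalled_at": None, "retransmits": None})
        if t := TRANSITION_RE.search(m["msg"]):
            rec["states"].append(t.group(1))
        elif "peer is NATed" in m["msg"]:
            rec["nated"] = True
        elif r := RETRANS_RE.search(m["msg"]):
            rec["retransmits"], rec["stalled_at"] = int(r.group(1)), r.group(2)
    return sas

def stalled_handshakes(sas):
    out = []
    for (conn, peer, sa), rec in sas.items():
        if rec["stalled_at"] is None:
            continue
        # Under draft-ietf-ipsec-nat-t-ike-02/03 a NATed initiator switches to UDP/4500 from message 5 on,
        # so a stall in STATE_MAIN_R2 means the first UDP/4500 packet never arrived; no cert was checked yet.
        hint = "; peer is NATed, message 5 is the first one sent on UDP/4500" if rec["nated"] else ""
        out.append(f"{conn} peer {peer} #{sa}: stalled in {rec['stalled_at']} after {rec['retransmits']} "
                   f"retransmits, waiting for {WAITING_FOR.get(rec['stalled_at'], 'unknown')}{hint}")
    return out
```

Running `stalled_handshakes(parse_pluto_log(SAMPLE_LOG))` yields one line naming the stalled SA, the state it stopped in and the message it was waiting for.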