[Openswan Users]
Windows XP Roadwarrior (FreeSWAN 2.05 + x509 patch): IPsec policy
problem
Jeannot Langlois
jlanglois at actares.com
Fri Jun 18 13:08:48 CEST 2004
Hello all,
I've been experimenting with Windows 2000 and Windows XP roadwarriors
connecting to a FreeSWAN 2.05 IPsec gateway lately.
The FreeSWAN gateway is running Linux Kernel 2.4.26, FreeSWAN 2.05 + the
x509 certificates patch.
Both Windows 2000 and Windows XP versions I use are fully updated using
the latest Windows Update patches (i.e. all latest service packs are
installed). IPsec tunnels are using 802.11b wireless interfaces
(although I don't think this matters in this case).
So far, I've been able to get a Windows 2000 road warrior to
successfully establish an IPsec tunnel with the FreeSWAN 2.05 gateway.
I tried both methods:
1-Using the ipsec.exe tool from Mark Mueller and an ipsec.conf file - it
worked;
and
2-using MMC directly -- which is graphical and easier and doesn't
require an ipsec.conf file -- it worked.
That's great. So I know that the standard "IPsec tunnel" policy I've
defined in MMC with two rules works great (tunnel mode, 192.168.89.10 is
the Windows 2000 road warrior, 192.168.89.1 is the freeswan gateway, I
use PFS, MD5 authentication, 3DES encryption, etc).
I even turned on Oakley debugging in Windows 2000 and checked the
FreeSWAN gateway's logs to confirm that everything is ok.
"ipsecmon.exe" returned correct information about the established SA.
As this setup worked nicely (using a sniffer I could confirm that only
encrypted ESP packets are visible indeed on tunnel endpoints), I tried
the exact same procedure but using a Windows XP host this time (IP =
192.168.89.11, other settings being identical to the previous Windows
2000 setup).
Unfortunately, I couldn't get the Windows XP host to establish an IPsec
tunnel with the FreeSWAN gateway. Using a sniffer on the FreeSWAN
gateway side I noticed that no packets are actually getting out of the
Windows XP host, so the problem has to be with the Windows XP machine,
not the FreeSWAN gateway. This time, both MMC and the ipsec.exe utility
failed to establish the IPsec tunnel - I could never ping the FreeSWAN
gateway from the Windows XP host (it kept displaying "Negotiating IP
security" many times and all pings were lost), and I got the following
message when attempting to load the ipsec.exe utility:
---------------------------------<SNIP>------------------------------
C:\IPSEC>ipsec
IPSec Version 2.2.0 (c) 2001-2003 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Setting up IPSec ...
Deactivating old policy...
Removing old policy...
Connection rw:
MyTunnel : 192.168.89.11
MyNet : 192.168.89.11/255.255.255.255
PartnerTunnel: 192.168.89.1
PartnerNet : 192.168.89.1/255.255.255.255
CA (ID) : C=CA,L=Amos,O=Actares Inc,OU=Security,CN=certifica...
PFS : y
Auto : start
Auth.Mode : MD5
Rekeying : 3600S/50000K
Error 0xcbbb0012 occurred:
The authentication method specified is invalid or unsupported.
v1.51 Copyright(c) 1998-2001, Microsoft Corporation
USAGE:
ipseccmd \\machinename -f FilterList -n NegotiationPolicyList -t TunnelAddr
-a AuthMethodList -1s SecurityMethodList -1k Phase1RekeyAfter -1p
-1f MMFilterList -1e SoftSAExpirationTime -soft -confirm
[-dialup OR -lan]
{-w TYPE:DOMAIN -p PolicyName:PollInterval -r RuleName -x -y -o}
ipseccmd \\machinename show filters policies auth stats sas all
BATCH MODE:
ipseccmd -file filename
File must contain regular ipseccmd commands,
all these commands will be executed in one shot.
For extended usage, run: ipseccmd -?
Fehler bei Command: ipseccmd -w REG -p FreeSwan -r Host-rw -t 192.168.89.1 -f 19
2.168.89.11/255.255.255.255=192.168.89.1/255.255.255.255 -n ESP[MD5,3DES]3600S/5
0000KPFS -a CERT:"C=CA,L=Amos,O=Actares Inc,OU=Security,CN=certificates,emailAdd
ress=security at actares.com" -lan -1p > NUL:
Error 0xcbbb0012 occurred:
The authentication method specified is invalid or unsupported.
v1.51 Copyright(c) 1998-2001, Microsoft Corporation
USAGE:
ipseccmd \\machinename -f FilterList -n NegotiationPolicyList -t TunnelAddr
-a AuthMethodList -1s SecurityMethodList -1k Phase1RekeyAfter -1p
-1f MMFilterList -1e SoftSAExpirationTime -soft -confirm
[-dialup OR -lan]
{-w TYPE:DOMAIN -p PolicyName:PollInterval -r RuleName -x -y -o}
ipseccmd \\machinename show filters policies auth stats sas all
BATCH MODE:
ipseccmd -file filename
File must contain regular ipseccmd commands,
all these commands will be executed in one shot.
For extended usage, run: ipseccmd -?
Fehler bei Command: ipseccmd -w REG -p FreeSwan -r rw-Host -t 192.168.89.11 -f 1
92.168.89.1/255.255.255.255=192.168.89.11/255.255.255.255 -n ESP[MD5,3DES]3600S/
50000KPFS -a CERT:"C=CA,L=Amos,O=Actares Inc,OU=Security,CN=certificates,emailAd
dress=security at actares.com" -lan -1p > NUL:
Activating policy...
Error converting policy: 0x5
C:\IPSEC>
---------------------------------<SNIP>------------------------------
Here's my ipsec.conf file (identical on both Windows 2000 and XP hosts):
---------------------------------<SNIP>------------------------------
conn rw
left=%any
right=192.168.89.1
rightca="C=CA,L=Amos,O=Actares Inc,OU=Security,CN=certificates,emailAddress=security at actares.com"
network=auto
auto=start
pfs=yes
---------------------------------<SNIP>------------------------------
*NOTHING* gets logged to the Oakley log from the Windows XP machine
(except when deleting and refreshing IPsec tunnel policies, of course).
On *BOTH* Windows 2000 and Windows XP machines, running "netdiag
/test:ipsec /v" and "netdiag /test:ipsec /debug" returns correct values
and indicates that the "IPsec tunnel" policy I've defined in MMC is Active
and InUse (as expected).
On the Windows XP host, I went to "TCP/IP properties", clicked
"Advanced", went to the "Options" tab, and noticed that there is *NO*
"IP Security" option in the menu.
On the Windows 2000 host however, in "TCP/IP properties" >> "Advanced"
>> "Options" I can clearly see BOTH "TCP/IP Filtering" and "IP
Security" options. The latter allows me to use the "IPsec tunnel"
policy I've defined in MMC.
Could something be missing in my Windows XP installation which prevents
the "IP security" option from showing up in the "Options" tab?
Could this cause the errors displayed by ipsec.exe ?
Any ideas about this issue? Have you seen this problem before ?
Thanks a lot,
--
Jeannot Langlois
Programmeur-Analyste / Software Developer
Administrateur Systeme/Reseau / System/Network Administrator
jlanglois AT actares DOT com
http://www.actares.com
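As an added illustration (not part of the post and not Marcus Mueller's ipsec.exe code), the following Python reconstructs, from the conn block quoted above, the two ipseccmd rules that appear in the ipsec.exe output: one rule per direction, each with the tunnel endpoint on the far side, a host-to-host filter, the ESP[MD5,3DES] negotiation policy with PFS, and certificate authentication against the rightca DN. The mapping is inferred from the quoted output; local_ip stands for the address that network=auto resolved to, and the algorithm/rekey defaults are the values ipsec.exe printed.

```python
# Constructed copy of the conn block from the post (ipsec.exe-style ipsec.conf).
IPSEC_CONF_RW = """\
conn rw
    left=%any
    right=192.168.89.1
    rightca="C=CA,L=Amos,O=Actares Inc,OU=Security,CN=certificates,emailAddress=security at actares.com"
    network=auto
    auto=start
    pfs=yes
"""

HOST_MASK = "255.255.255.255"   # ipsec.exe expands bare host addresses to /32


def parse_conn(text):
    """Parse one 'conn NAME' block into a dict ('name' plus key=value settings).

    Splits on the first '=' only, because DN values such as rightca contain
    '=' themselves; surrounding double quotes are dropped."""
    conn = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            conn["name"] = line.split(None, 1)[1]
            continue
        key, _, value = line.partition("=")
        conn[key.strip()] = value.strip().strip('"')
    return conn


def build_ipseccmd_rules(conn, local_ip, policy="FreeSwan",
                         auth="MD5", enc="3DES", rekey="3600S/50000K"):
    """Return (outbound, inbound) ipseccmd command lines for a conn dict.

    Assumption (inferred from the quoted output): the outbound rule names the
    partner as tunnel endpoint and filters local->partner; the inbound rule
    mirrors it with the local address as endpoint.  PFS appends 'PFS' to the
    negotiation policy; the CA DN becomes the CERT: authentication method."""
    partner = conn["right"]
    local_net, partner_net = f"{local_ip}/{HOST_MASK}", f"{partner}/{HOST_MASK}"
    neg = f"ESP[{auth},{enc}]{rekey}" + ("PFS" if conn.get("pfs") == "yes" else "")
    auth_arg = f'CERT:"{conn["rightca"]}"'

    def rule(name, tunnel, src, dst):
        return (f"ipseccmd -w REG -p {policy} -r {name} -t {tunnel} "
                f"-f {src}={dst} -n {neg} -a {auth_arg} -lan -1p > NUL:")

    return (rule("Host-rw", partner, local_net, partner_net),
            rule("rw-Host", local_ip, partner_net, local_net))
```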