[Openswan Users] Openswan and SoftRemote

Andreas Steffen andreas.steffen at strongsec.net
Sat Mar 20 09:42:31 CET 2004


Could you send me a "barf" (ipsec barf > barf.txt) generated with
the setting

    klipsdebug=none
    plutodebug=all

in ipsec.conf. Also the output of

    ipsec auto --listall

would help. I suspect a conflict with your CAs.

Regards

Andreas

Brian Daniels wrote:
> Has anyone had success with Openswan and SoftRemote?  I've been trying 
> for several days, but I cannot get them to authenticate.
> 
> I've been trying to follow the how-to at:
> http://www.redbaronconsulting.com/freeswan/fswansafenet.pdf
> 
> updating it for openswan-2.1.0.  Here's what I get when I try to bring 
> up the tunnel:
> 
> Mar 19 23:48:27 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: 
> responding to Main Mode from unknown peer 207.69.12.205
> Mar 19 23:48:27 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: 
> transition from state (null) to state STATE_MAIN_R1
> Mar 19 23:48:29 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: ignoring 
> Vendor ID payload [47bbe7c993f1fc13...]
> Mar 19 23:48:29 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: ignoring 
> Vendor ID payload [da8e937880010000]
> Mar 19 23:48:29 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: ignoring 
> Vendor ID payload [Dead Peer Detection]
> Mar 19 23:48:29 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: received 
> Vendor ID payload [XAUTH]
> Mar 19 23:48:29 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: 
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Mar 19 23:48:31 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: ignoring 
> informational payload, type IPSEC_REPLAY_STATUS
> Mar 19 23:48:31 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: ignoring 
> informational payload, type IPSEC_INITIAL_CONTACT
> Mar 19 23:48:31 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: Peer ID 
> is ID_DER_ASN1_DN: 'C=US, ST=North Carolina, L=Morrisville, O=FarPoint, 
> OU=softremote, CN=softremote'
> Mar 19 23:48:31 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: issuer 
> crl not found
> Mar 19 23:48:31 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: issuer 
> crl not found
> Mar 19 23:48:31 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: no 
> suitable connection for peer 'C=US, ST=North Carolina, L=Morrisville, 
> O=FarPoint, OU=softremote, CN=softremote'
> 
> I have the certificate for the softremote client in 
> /etc/ipsec.d/certs/rw-cert.pem.  Looking at it with:
> openssl x509 -in /etc/ipsec.d/certs/rw-cert.pem -noout -subject
> subject= /C=US/ST=North 
> Carolina/L=Morrisville/O=FarPoint/OU=softremote/CN=softremote
> which seems to match the ID_DER_ASN1_DN being sent by the client.
> 
> My connection config is:
> conn brivai
>         # identity we use in authentication exchanges
>         left=207.x.x.x
>         # next hop to reach right
>         leftnexthop=207.x.x.x
>         # subnet behind left (omit if there is no subnet)
>         leftsubnet=10.0.0.0/8
>         # right s.g., subnet behind it, and next hop to reach left
>         rightcert=rw-cert.pem
>         right=%any
>         auto=add
>         pfs=yes
>         keyexchange=ike
> 
> Any suggestions appreciated!  This is driving me nuts!
> 
> Thanks,
> Brian Daniels
> Brian Daniels
> Network Administrator
> 
> ------------------------------------------------------
> FarPoint Technologies
> 808 Aviation Pkwy, Suite 1300
> Morrisville, NC 27560
> Phones:
> Tech Support - 919-460-1887
> Sales - 800-645-5913            Main - 919-460-4551
> FTP - ftp.fpoint.com  /fpoint.com
> WEB - www.fpoint.com
> Sales email: fpsales at fpoint.com
> Technical support: fpsupport at fpoint.com
> -------------------------------------------------------

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
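
The by-eye comparison in the quoted post, between the DN pluto logs and the `openssl x509 -subject` output, can be done mechanically; the following is an added example, not part of the original thread or of Openswan's code. The function names are hypothetical, the sample input is constructed by rejoining lines quoted above, and DN values containing `,` or `/` are assumed not to occur.

```python
import re

# Constructed sample: two pluto lines from the post, each rejoined onto one line.
SAMPLE_LOG = """\
Mar 19 23:48:31 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=North Carolina, L=Morrisville, O=FarPoint, OU=softremote, CN=softremote'
Mar 19 23:48:31 gate pluto[5842]: "brivai"[1] 207.69.12.205 #1: no suitable connection for peer 'C=US, ST=North Carolina, L=Morrisville, O=FarPoint, OU=softremote, CN=softremote'
"""
# `openssl x509 -noout -subject` output as quoted in the post, rejoined.
SAMPLE_SUBJECT = "subject= /C=US/ST=North Carolina/L=Morrisville/O=FarPoint/OU=softremote/CN=softremote"

PEER_ID = re.compile(r"Peer ID is ID_DER_ASN1_DN: '([^']*)'")
REJECTED = re.compile(r"no suitable connection for peer '([^']*)'")


def parse_dn(text):
    """Return a DN as an ordered list of (ATTR, value) pairs.

    Accepts pluto's 'C=US, ST=..' form and openssl's '/C=US/ST=..' form.
    Simplification (assumption): values containing ',' or '/' are not handled.
    """
    text = text.strip()
    if text.startswith("subject="):
        text = text[len("subject="):].strip()
    sep = "/" if text.startswith("/") else ","
    rdns = []
    for part in text.split(sep):
        if not part.strip():
            continue  # skip the empty field before openssl's leading '/'
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def check(log_text, subject_line):
    """Compare every DN pluto logged against the certificate subject."""
    want = parse_dn(subject_line)
    report = []
    for kind, rx in (("peer_id", PEER_ID), ("rejected", REJECTED)):
        for m in rx.finditer(log_text):
            report.append((kind, parse_dn(m.group(1)) == want))
    return report


if __name__ == "__main__":
    for kind, same in check(SAMPLE_LOG, SAMPLE_SUBJECT):
        print(kind, "matches certificate subject" if same else "DIFFERS from certificate subject")
```

A result of all `True` rules out a subject mismatch only; it says nothing about the CA conflict suspected in the reply.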