[Openswan Users] Re: Help with WinXP behind NAT as client
Leonard Tulipan
l.tulipan at mpwi.at
Wed Mar 24 16:45:19 CET 2004
So, these are the steps I did to get this far:
downloaded and compiled openswan
started with service ipsec start
created CA
created Certificate for VPNUser1 (WinXP Roadwarrior)
created Certificate for gateway
copied GatewayCert.pem to /etc/ipsec.d and GatewayKey to /etc/ipsec.d/private
put Password of the key in /etc/ipsec.secrets
I also put the cacert.pem and the crl.pem in the corresponding dirs in /etc/ipsec.d
This is my /etc/ipsec.conf:

version 2.0
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
conn %default
    keyingtries=1
    disablearrivalcheck=no
    authby=rsasig
    rightrsasigkey=%cert
    auto=add
    left=%defaultroute
    leftcert=GatewayCert.pem
    leftupdown=/usr/local/lib/ipsec/_updown_x509
conn xp-n2n
    right=%any
    rightid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1"
    leftsubnet=192.168.118.0/24
    rightsubnetwithin=192.168.0.0/24
    rightsubnet=192.168.0.15/32
Under windows I followed the docs at http://www.freeswan.ca/docs/WindowsInterop.
I manually added two tunnels for the ipsec connection.
I also imported the VPN User Certificate and the Certificate of the CA (but not the gateway) all with the mmc.
Now with freeswan I still saw packets arriving at the fw. With openswan I only get (in /var/log/secure):
Mar 24 16:18:41 firewall ipsec__plutorun: Restarting Pluto subsystem...
Mar 24 16:18:41 firewall pluto[16161]: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
Mar 24 16:18:41 firewall pluto[16161]: including NAT-Traversal patch (Version 0.6c) [disabled]
Mar 24 16:18:41 firewall pluto[16161]: Using KLIPS IPsec interface code
Mar 24 16:18:41 firewall pluto[16161]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 24 16:18:41 firewall pluto[16161]: loaded cacert file 'cacert.pem' (1180 bytes)
Mar 24 16:18:41 firewall pluto[16161]: Changing to directory '/etc/ipsec.d/crls'
Mar 24 16:18:41 firewall pluto[16161]: loaded crl file 'crl.pem' (633 bytes)
So can anybody help me out of this one?
At the moment I seem to have a problem with openswan. Maybe this relates to the nat traversal patch, since packets with protocol 50 (ESP) can be routed. Maybe this is some x509 problem (since I see all those certificate lines in my log).
With tcpdump on the two firewalls I see
(fw one, which just forwards the packets):
16:41:39.826773 galileo.intern.mpwi.at.isakmp > 200-200-200-200.static.adsl-line.inode.at.isakmp: isakmp: phase 1 I ident: [|sa]
(multiple times then)
16:42:38.494738 galileo.intern.mpwi.at.isakmp > 200-200-200-200.static.adsl-line.inode.at.isakmp: isakmp: phase 2/others I inf: [|d]
(fw two with openswan):
16:42:08.722066 100.100.100.100.isakmp > 200.200.200.200.isakmp: isakmp: phase 1 I ident: [|sa]
(multiple times then)
16:42:38.507461 100.100.100.100.isakmp > 200.200.200.200.isakmp: isakmp: phase 2/others I inf:
(d: doi=ipsec proto=isakmp spilen=16 nspi=1 spi=4b2fb1187c5aa6980000000000000000)
Please help me I am losing a lot of sleep on this.
Thanks in Advance
Leonard
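An added check script (not from the poster or the Openswan project) that parses the ipsec.conf above and the pluto startup log and flags the NAT-related inconsistencies a reader would look at first. It assumes that the "[disabled]" on the NAT-Traversal log line corresponds to nat_traversal=yes not being set in the config setup section, and that a roadwarrior whose rightsubnet is an RFC1918 address is sitting behind NAT; the sample config and log line are embedded as constructed input.

```python
import ipaddress

# Constructed sample input: the relevant sections of the poster's ipsec.conf,
# embedded so the check runs offline (conn %default omitted for brevity).
IPSEC_CONF = """\
version 2.0
config setup
    interfaces=%defaultroute
    uniqueids=yes
conn xp-n2n
    right=%any
    rightid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1"
    leftsubnet=192.168.118.0/24
    rightsubnetwithin=192.168.0.0/24
    rightsubnet=192.168.0.15/32
"""
# Constructed sample: the NAT-T line from the poster's pluto startup log.
PLUTO_LOG = ["Mar 24 16:18:41 firewall pluto[16161]: including NAT-Traversal "
             "patch (Version 0.6c) [disabled]"]

def parse_ipsec_conf(text):
    """Map ipsec.conf to {section: {key: value}}. Section headers start in
    column 0; parameter lines are indented 'key=value' pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.startswith("version"):
            continue
        if not line[0].isspace():
            current = line.strip()
            sections.setdefault(current, {})
        else:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def check_nat_roadwarrior(conf, log_lines):
    """Flag the mismatches that stop a NATed roadwarrior from connecting."""
    findings = []
    if conf.get("config setup", {}).get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal=yes is not set")
    if any("NAT-Traversal" in l and "[disabled]" in l for l in log_lines):
        findings.append("pluto log: NAT-Traversal patch present but [disabled]")
    for name, p in conf.items():
        if name.startswith("conn ") and p.get("right") == "%any" and "rightsubnet" in p:
            net = ipaddress.ip_network(p["rightsubnet"], strict=False)
            if net.is_private:  # private peer address => client is NATed
                findings.append(f"{name}: rightsubnet {net} is private, NAT-T required")
    return findings

if __name__ == "__main__":
    for f in check_nat_roadwarrior(parse_ipsec_conf(IPSEC_CONF), PLUTO_LOG):
        print("WARN", f)
```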