[Openswan Users] Re: Help with WinXP behind NAT as client
l.tulipan at mpwi.at
Wed Mar 24 16:45:19 CET 2004
So, these are the steps I did to get so far:
downloaded and compiled openswan
started with service ipsec start
created Certificate for VPNUser1 (WinXP Roadwarrior)
created Certificate for gateway
copied GatewayCert.pem to /etc/ipsec.d and GatewayKey to /etc/ipsec.d/private
put Password of the key in /etc/ipsec.secrets
I also put the cacert.pem and the crl.pem in the corresponding dirs in /etc/ipsec.d
this is my /etc/ipsec.conf
rightid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1"
Under windows I followed the docs at http://www.freeswan.ca/docs/WindowsInterop.
I manually added two tunnels for the ipsec connection.
I also imported the VPN User Certificate and the Certificate of the CA (but not the gateway) all with the mmc.
Now with freeswan I still saw packets arriving at the fw. With openswan I only get (in /var/log/secure):
Mar 24 16:18:41 firewall ipsec__plutorun: Restarting Pluto subsystem...
Mar 24 16:18:41 firewall pluto: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
Mar 24 16:18:41 firewall pluto: including NAT-Traversal patch (Version 0.6c) [disabled]
Mar 24 16:18:41 firewall pluto: Using KLIPS IPsec interface code
Mar 24 16:18:41 firewall pluto: Changing to directory '/etc/ipsec.d/cacerts'
Mar 24 16:18:41 firewall pluto: loaded cacert file 'cacert.pem' (1180 bytes)
Mar 24 16:18:41 firewall pluto: Changing to directory '/etc/ipsec.d/crls'
Mar 24 16:18:41 firewall pluto: loaded crl file 'crl.pem' (633 bytes)
So can anybody help me out of this one?
At the moment I seem to have a problem with openswan. Maybe this relates to the NAT traversal patch, since packets with protocol 50 (ESP) can be routed. Maybe this is some X.509 problem (since I see all those certificate lines in my log).
With tcpdump on the two firewalls I see
(fw one which just forwards the packets):
16:41:39.826773 galileo.intern.mpwi.at.isakmp > 200-200-200-200.static.adsl-line.inode.at.isakmp: isakmp: phase 1 I ident: [|sa]
(multiple times then)
16:42:38.494738 galileo.intern.mpwi.at.isakmp > 200-200-200-200.static.adsl-line.inode.at.isakmp: isakmp: phase 2/others I inf: [|d]
(fw two with openswan):
16:42:08.722066 100.100.100.100.isakmp > 188.8.131.52.isakmp: isakmp: phase 1 I ident: [|sa]
(multiple times then)
16:42:38.507461 100.100.100.100.isakmp > 184.108.40.206.isakmp: isakmp: phase 2/others I inf:
(d: doi=ipsec proto=isakmp spilen=16 nspi=1 spi=4b2fb1187c5aa6980000000000000000)
Please help me, I am losing a lot of sleep on this.
Thanks in Advance
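As an added triage example (not part of the original post or of Openswan itself): a small Python script that reads pluto's startup banner and tcpdump's isakmp summary lines and reports whether the NAT-Traversal patch is present but disabled and whether the gateway ever sent a phase 1 reply. The sample lines are the ones quoted in the post, constructed inline, with one duplicated phase 1 line standing in for the retransmits.

```python
import re

# Constructed sample input: the pluto banner and tcpdump lines from the post (one phase-1 line repeated).
PLUTO_LOG = """\
Mar 24 16:18:41 firewall pluto: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
Mar 24 16:18:41 firewall pluto: including NAT-Traversal patch (Version 0.6c) [disabled]
Mar 24 16:18:41 firewall pluto: loaded cacert file 'cacert.pem' (1180 bytes)
"""
TCPDUMP = """\
16:42:08.722066 100.100.100.100.isakmp > 188.8.131.52.isakmp: isakmp: phase 1 I ident: [|sa]
16:42:18.722066 100.100.100.100.isakmp > 188.8.131.52.isakmp: isakmp: phase 1 I ident: [|sa]
16:42:38.507461 100.100.100.100.isakmp > 184.108.40.206.isakmp: isakmp: phase 2/others I inf:
"""

NATT_RE = re.compile(r"NAT-Traversal patch \(Version [^)]*\) \[(enabled|disabled)\]")
# tcpdump's isakmp summary: "<src>.isakmp > <dst>.isakmp: isakmp: phase <1|2/others> <I|R|?> <exchange>"
ISAKMP_RE = re.compile(
    r"^\S+ (?P<src>\S+)\.isakmp > (?P<dst>\S+)\.isakmp: isakmp: "
    r"phase (?P<phase>1|2/others) (?P<role>[IR?]) (?P<exch>\w+)"
)

def natt_state(log):
    """Return 'enabled'/'disabled' from pluto's startup banner, or None if it is absent."""
    m = NATT_RE.search(log)
    return m.group(1) if m else None

def isakmp_tally(capture):
    """Count ISAKMP packets by (phase, role, exchange); role I/R is the initiator/responder side."""
    tally = {}
    for line in capture.splitlines():
        m = ISAKMP_RE.match(line)
        if m:
            key = (m["phase"], m["role"], m["exch"])
            tally[key] = tally.get(key, 0) + 1
    return tally

def triage(log, capture):
    """Reduce both views to the questions a responder asks first."""
    tally = isakmp_tally(capture)
    return {
        "nat_t": natt_state(log),
        "phase1_initiator_pkts": tally.get(("1", "I", "ident"), 0),
        # No 'phase 1 R ident' packet means the gateway never answered main mode at all.
        "gateway_replied": tally.get(("1", "R", "ident"), 0) > 0,
        # The client giving up shows as an informational from the initiator (the '(d: ...)' delete).
        "client_sent_informational": tally.get(("2/others", "I", "inf"), 0) > 0,
    }

if __name__ == "__main__":
    for k, v in triage(PLUTO_LOG, TCPDUMP).items():
        print(f"{k}: {v}")
```

Run against the quoted lines it reports NAT-T disabled, two unanswered phase 1 initiator packets and the client's informational, which is the picture the two tcpdump excerpts above show.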