[Openswan Users] Re: Help with WinXP behind NAT as client

Leonard Tulipan l.tulipan at mpwi.at
Wed Mar 24 16:45:19 CET 2004


So, these are the steps I took to get this far:

downloaded and compiled Openswan
started it with service ipsec start
created a CA
created a certificate for VPNUser1 (WinXP roadwarrior)
created a certificate for the gateway
copied GatewayCert.pem to /etc/ipsec.d and GatewayKey to /etc/ipsec.d/private
put the password of the key in /etc/ipsec.secrets
I also put the cacert.pem and the crl.pem in the corresponding dirs in /etc/ipsec.d

This is my /etc/ipsec.conf:
version 2.0

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes

conn %default
        keyingtries=1
        disablearrivalcheck=no
        authby=rsasig
        rightrsasigkey=%cert
        auto=add
        left=%defaultroute
        leftcert=GatewayCert.pem
        leftupdown=/usr/local/lib/ipsec/_updown_x509

conn xp-n2n
        right=%any
        rightid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1"
        leftsubnet=192.168.118.0/24
        rightsubnetwithin=192.168.0.0/24
        rightsubnet=192.168.0.15/32

Under Windows I followed the docs at http://www.freeswan.ca/docs/WindowsInterop.
I manually added two tunnels for the IPsec connection.
I also imported the VPN user certificate and the CA certificate (but not the gateway's), all with the MMC.

With FreeS/WAN I still saw packets arriving at the firewall; with Openswan I only get (in /var/log/secure):

Mar 24 16:18:41 firewall ipsec__plutorun: Restarting Pluto subsystem...
Mar 24 16:18:41 firewall pluto[16161]: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
Mar 24 16:18:41 firewall pluto[16161]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Mar 24 16:18:41 firewall pluto[16161]: Using KLIPS IPsec interface code
Mar 24 16:18:41 firewall pluto[16161]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 24 16:18:41 firewall pluto[16161]:   loaded cacert file 'cacert.pem' (1180 bytes)
Mar 24 16:18:41 firewall pluto[16161]: Changing to directory '/etc/ipsec.d/crls'
Mar 24 16:18:41 firewall pluto[16161]:   loaded crl file 'crl.pem' (633 bytes)

So can anybody help me out of this one?
At the moment I seem to have a problem with Openswan. Maybe this relates to the NAT-Traversal patch, since packets with protocol 50 (ESP) can be routed. Maybe this is some X.509 problem (since I see all those certificate lines in my log).

With tcpdump on the two firewalls I see:

(fw one, which just forwards the packets):
16:41:39.826773 galileo.intern.mpwi.at.isakmp > 200-200-200-200.static.adsl-line.inode.at.isakmp: isakmp: phase 1 I ident: [|sa]
(multiple times, then)
16:42:38.494738 galileo.intern.mpwi.at.isakmp > 200-200-200-200.static.adsl-line.inode.at.isakmp: isakmp: phase 2/others I inf: [|d]

(fw two with openswan):
16:42:08.722066 100.100.100.100.isakmp > 200.200.200.200.isakmp: isakmp: phase 1 I ident: [|sa]
(multiple times, then)
16:42:38.507461 100.100.100.100.isakmp > 200.200.200.200.isakmp: isakmp: phase 2/others I inf:
    (d: doi=ipsec proto=isakmp spilen=16 nspi=1 spi=4b2fb1187c5aa6980000000000000000)


Please help me, I am losing a lot of sleep over this.

Thanks in advance,
Leonard
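An added example, not part of the original post and not the poster's file: the posted /etc/ipsec.conf rewritten for a roadwarrior behind NAT. The poster's own pluto log line "including NAT-Traversal patch (Version 0.6c) [disabled]" shows that the NAT-T code is compiled in but switched off, and the posted config setup section has no nat_traversal= line, so the gateway as posted will not negotiate UDP-encapsulated IPsec with a client behind a NAT. The interface, subnet, certificate and DN values are copied from the post; the virtual_private range is an assumption derived from the 192.168.0.0/24 given in rightsubnetwithin, and the exclusion syntax (%v4:!...) is the one documented for Openswan 2.x.

```conf
# Added example (not the poster's configuration). Same layout as the
# posted file, with NAT-Traversal enabled for a WinXP client behind NAT.
version 2.0

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
        # Switch on the NAT-T patch that the pluto log reports as [disabled].
        nat_traversal=yes
        # Private ranges a NATed client may claim as its inner address.
        # Assumed from the post's rightsubnetwithin=192.168.0.0/24.
        # The gateway's own LAN is excluded so a client cannot claim it.
        virtual_private=%v4:192.168.0.0/24,%v4:!192.168.118.0/24

conn %default
        keyingtries=1
        disablearrivalcheck=no
        authby=rsasig
        rightrsasigkey=%cert
        auto=add
        left=%defaultroute
        leftcert=GatewayCert.pem
        leftupdown=/usr/local/lib/ipsec/_updown_x509

conn xp-n2n
        right=%any
        rightid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1"
        leftsubnet=192.168.118.0/24
        # With NAT-T the client proposes its own (private) inner address,
        # which pluto accepts only if it falls inside virtual_private
        # (vhost:%priv) or if the client proposes no subnet at all (%no).
        # This replaces the fixed rightsubnetwithin/rightsubnet pair.
        rightsubnet=vhost:%priv,%no
```

After `service ipsec restart`, the check is the same startup line in /var/log/secure: it should now read "including NAT-Traversal patch (Version 0.6c) [enabled]". Two caveats: nat_traversal=yes only covers pluto, and with KLIPS (which this log shows in use) the kernel module also needs the NAT-T patch applied or ESP-in-UDP (port 4500) cannot be decapsulated; and the virtual_private exclusion matters, because without it a client holding a valid certificate could claim an address inside the gateway's own 192.168.118.0/24 and have that traffic routed to it.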