[Openswan Users] Help with WinXP behind NAT as client
Robert W. Burgholzer
rburgholzer at maptech-inc.com
Fri Mar 26 08:20:57 CET 2004
Leonard,
Please forgive me if I present info you already know; I am new to the list.
Anyhow, I have found the command "ipsec auto --status" very helpful. Doing
this on your server would list all the possible names of clients that it
will accept. This info enabled me to debug a problem I had getting my
client recognized as valid.
r.b.
At 01:09 PM 3/26/2004 +0100, Leonard Tulipan wrote:
>I think I am finally getting somewhere.
>I have changed my ipsec.conf to look like this:
>
>version 2.0
>
>config setup
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=none
> uniqueids=yes
>
>conn %default
> keyingtries=1
> compress=yes
> disablearrivalcheck=no
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> leftcert=GatewayCert.pem
>
>conn roadwarrior-net
> leftsubnet=192.168.118.0/24
> also=roadwarrior
>
>conn roadwarrior
> right=%any
> rightid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1"
> left=%defaultroute
> auto=add
> pfs=yes
>
>I now use the iVPN GUI tool from sourceforge to manage the connection on
>the WinXP side.
>
>Now when I connect I see
>
>Mar 26 12:58:56 firewall pluto[24011]: packet from 100.100.100.100:500:
>received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
>Mar 26 12:58:56 firewall pluto[2401]: packet from 100.100.100.100:500:
>received Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
>Mar 26 12:58:56 firewall pluto[24011]: packet from 100.100.100.100:500:
>received Vendor ID Payload; ASCII hash: \020K
>Mar 26 12:58:56 firewall pluto[24011]: packet from 100.100.100.100:500:
>received Vendor ID Payload; ASCII hash: &$M8m[a3\027*6cPO8\031
>Mar 26 12:58:56 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100
>#1: responding to Main Mode from unknown peer 100.100.100.100
>Mar 26 12:58:56 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100
>#1: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Wien, O=Schneller Scharau 5th
>Mind, CN=VPNusr1'
>Mar 26 12:58:56 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100
>#1: no suitable connection for peer 'C=AT, L=Wien, O=Schneller Scharau 5th
>Mind, CN=VPNusr1'
>Mar 26 12:58:56 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100
>#1: sending encrypted notification INVALID_ID_INFORMATION to
>100.100.100.100:500
>Mar 26 12:59:16 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100
>#1: ignoring Delete SA payload: ISAKMP SA not established
>
>I then replaced the line rightid=.. with
> rightcert=VPNusr1Cert.pem
>
>And I still get the no suitable message from above. So this looks like it
>doesn't like my certificate, right?
>Any ideas how I can get it to accept this? I suspect I am very close to
>finally getting it to work.
>
>Cheers
>Leonard
Robert Burgholzer
Environmental Engineer
MapTech Inc.
http://www.maptech-inc.com/
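
An added example, not part of either message and not Openswan code: a Python check that compares the peer DN pluto logged against each conn's configured rightid, following also= and %default as in the quoted ipsec.conf. The function names and the purely textual DN comparison are assumptions of this example; pluto's own ID matching is not reproduced.

```python
import re
# Constructed sample: conn sections taken from the ipsec.conf quoted above.
CONF = '''
conn %default
    leftcert=GatewayCert.pem
conn roadwarrior-net
    leftsubnet=192.168.118.0/24
    also=roadwarrior
conn roadwarrior
    right=%any
    rightid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1"
'''
# Constructed sample: one pluto line from the message, e-mail wrapping undone.
LOG = ('Mar 26 12:58:56 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100 '
       "#1: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Wien, O=Schneller Scharau 5th "
       "Mind, CN=VPNusr1'\n")
PEER_RE = re.compile(r"(\S+) #\d+: Peer ID is ID_DER_ASN1_DN: '([^']*)'")

def parse_conns(text):
    """Return {conn: {key: value}} with %default and one also= per conn merged in."""
    raw, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("conn "):
            cur = raw.setdefault(s.split(None, 1)[1], {})
        elif s.startswith("config "):
            cur = None  # keys under "config setup" are not connection settings
        elif cur is not None and "=" in s and not s.startswith("#"):
            key, value = s.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    def resolve(name, seen=()):
        merged = dict(raw.get("%default", {}))
        sec = raw.get(name, {})
        if "also" in sec and sec["also"] not in seen:  # guard against also= loops
            merged.update(resolve(sec["also"], seen + (name,)))
        merged.update({k: v for k, v in sec.items() if k != "also"})
        return merged
    return {name: resolve(name) for name in raw if name != "%default"}

def norm_dn(dn):
    """Textual normalisation only: collapse whitespace in and around each part."""
    return tuple(" ".join(part.split()) for part in dn.split(","))

def match_peers(conf_text, log_text):
    """Return [(peer_ip, peer_dn, [conns whose rightid equals the DN as text])]."""
    conns = parse_conns(conf_text)
    return [(m[1], m[2], sorted(
                n for n, c in conns.items()
                if "rightid" in c and norm_dn(c["rightid"]) == norm_dn(m[2])))
            for m in PEER_RE.finditer(log_text)]
```

With the config and log quoted in this thread, `match_peers(CONF, LOG)` lists both `roadwarrior` and `roadwarrior-net`, so the rightid text agrees with the DN the peer sent.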