[Openswan Users] Help with WinXP behind NAT as client
Leonard Tulipan
l.tulipan at mpwi.at
Fri Mar 26 15:35:04 CET 2004
Thank you, but I still don't get it
[root at firewall root]# ipsec auto --status
000 interface ipsec0/ppp0 200.200.200.200
000 %myid = (none)
000 debug none
000
000 "roadwarrior": 200.200.200.200---200.200.200.254...%any[C=AT, L=Wien,
O=Schneller Scharau 5th Mind, CN=RoadWarrior1]===192.168.0.15/32; unrouted;
eroute owner: #0
000 "roadwarrior": CAs: '%any'...'C=AT, L=Wien, O=Schneller Scharau 5th
Mind, CN=VPN'
000 "roadwarrior": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio:
32,32; interface: ppp0;
000 "roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-net":
192.168.118.0/24===200.200.200.200---200.200.200.254...%any[C=AT, L=Wien,
O=Schneller Scharau 5th Mind, CN=RoadWarrior1]===192.168.0.15/32; unrouted;
eroute owner: #0
000 "roadwarrior-net": CAs: '%any'...'C=AT, L=Wien, O=Schneller Scharau
5th Mind, CN=VPN'
000 "roadwarrior-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior-net": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio:
24,32; interface: ppp0;
000 "roadwarrior-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
This is what I get in my log
Mar 26 15:31:34 firewall pluto[27094]: "roadwarrior"[1] 100.100.100.100 #1:
Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Wien, O=Schneller Scharau 5th Mind,
CN=RoadWarrior1'
Mar 26 15:31:34 firewall pluto[27094]: "roadwarrior"[1] 100.100.100.100 #1:
no suitable connection for peer 'C=AT, L=Wien, O=Schneller Scharau 5th Mind,
CN=RoadWarrior1'
Why doesn't this ipsec.conf accept that connection?
version 2.0
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
uniqueids=yes
conn %default
keyingtries=1
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
leftcert=GatewayCert.pem
conn roadwarrior-net
leftsubnet=192.168.118.0/24
also=roadwarrior
conn roadwarrior
right=%any
rightcert=RoadWarrior1Cert.pem
rightsubnet=192.168.0.15/32
left=%defaultroute
auto=add
pfs=yes
----- Original Message -----
From: "Robert W. Burgholzer" <rburgholzer at maptech-inc.com>
To: <users at lists.openswan.org>
Sent: Friday, March 26, 2004 2:20 PM
Subject: Re: [Openswan Users] Help with WinXP behind NAT as client
> Leonard,
> Please forgive me if I present info you already know, I am new to the
list.
>
> Anyhow, I have found the command "ipsec auto --status" very helpful. Doing
> this on your server would list all the possible names of clients that it
> will accept. This info enabled me to debug a problem I had getting my
> client recognized as valid.
>
> r.b.
>
> At 01:09 PM 3/26/2004 +0100, Leonard Tulipan wrote:
> >I think I am finally getting somewhere.
> >I have changed my ipsec.conf to look like this:
> >
> >version 2.0
> >
> >config setup
> > interfaces=%defaultroute
> > klipsdebug=none
> > plutodebug=none
> > uniqueids=yes
> >
> >conn %default
> > keyingtries=1
> > compress=yes
> > disablearrivalcheck=no
> > authby=rsasig
> > leftrsasigkey=%cert
> > rightrsasigkey=%cert
> > leftcert=GatewayCert.pem
> >
> >conn roadwarrior-net
> > leftsubnet=192.168.118.0/24
> > also=roadwarrior
> >
> >conn roadwarrior
> > right=%any
> > rightid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1"
> > left=%defaultroute
> > auto=add
> > pfs=yes
> >
> >I now use the iVPN GUI tool from sourceforge to manage the connection on
> >the WinXP side.
> >
> >Now when I connect I see
> >
> >Mar 26 12:58:56 firewall pluto[24011]: packet from 100.100.100.100:500:
> >received Vendor ID Payload; ASCII hash:
\036+Qi\005\031\034}|\026|?5\007da
> >Mar 26 12:58:56 firewall pluto[2401]: packet from 100.100.100.100:500:
> >received Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
> >Mar 26 12:58:56 firewall pluto[24011]: packet from 100.100.100.100:500:
> >received Vendor ID Payload; ASCII hash: \020K
> >Mar 26 12:58:56 firewall pluto[24011]: packet from 100.100.100.100:500:
> >received Vendor ID Payload; ASCII hash: &$M8m[a3\027*6cPO8\031
> >Mar 26 12:58:56 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100
> >#1: responding to Main Mode from unknown peer 100.100.100.100
> >Mar 26 12:58:56 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100
> >#1: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Wien, O=Schneller Scharau 5th
> >Mind, CN=VPNusr1'
> >Mar 26 12:58:56 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100
> >#1: no suitable connection for peer 'C=AT, L=Wien, O=Schneller Scharau
5th
> >Mind, CN=VPNusr1'
> >Mar 26 12:58:56 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100
> >#1: sending encrypted notification INVALID_ID_INFORMATION to
> >100.100.100.100:500
> >Mar 26 12:59:16 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100
> >#1: ignoring Delete SA payload: ISAKMP SA not established
> >I then replaced the line righid=.. with
> > rightcert=VPNusr1Cert.pem
> >
> >And I still get the no suitable message from above. So this looks like it
> >doesn't like my certificate, right?
> >Any ideas how I can get it to accept this. I suspect I am very close to
> >finally getting it to work.
> >
> >Cheers
> >Leonard
> >_______________________________________________
> >Users mailing list
> >Users at lists.openswan.org
> >http://lists.openswan.org/mailman/listinfo/users
>
> Robert Burgholzer
> Environmental Engineer
> MapTech Inc.
> http://www.maptech-inc.com/
>
> _______________________________________________
> Users mailing list
> Users at lists.openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
More information about the Users
mailing list