[Openswan Users] Help with WinXP behind NAT as client

Leonard Tulipan l.tulipan at mpwi.at
Fri Mar 26 15:35:04 CET 2004


Thank you, but I still don't get it

[root at firewall root]# ipsec auto --status
000 interface ipsec0/ppp0 200.200.200.200
000 %myid = (none)
000 debug none
000
000 "roadwarrior": 200.200.200.200---200.200.200.254...%any[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1]===192.168.0.15/32; unrouted; eroute owner: #0
000 "roadwarrior":   CAs: '%any'...'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
000 "roadwarrior":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 32,32; interface: ppp0;
000 "roadwarrior":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-net": 192.168.118.0/24===200.200.200.200---200.200.200.254...%any[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1]===192.168.0.15/32; unrouted; eroute owner: #0
000 "roadwarrior-net":   CAs: '%any'...'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
000 "roadwarrior-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior-net":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 24,32; interface: ppp0;
000 "roadwarrior-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

This is what I get in my log

Mar 26 15:31:34 firewall pluto[27094]: "roadwarrior"[1] 100.100.100.100 #1: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1'
Mar 26 15:31:34 firewall pluto[27094]: "roadwarrior"[1] 100.100.100.100 #1: no suitable connection for peer 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1'

Why doesn't this ipsec.conf accept that connection?

version 2.0

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftcert=GatewayCert.pem

conn roadwarrior-net
        leftsubnet=192.168.118.0/24
        also=roadwarrior

conn roadwarrior
        right=%any
        rightcert=RoadWarrior1Cert.pem
        rightsubnet=192.168.0.15/32
        left=%defaultroute
        auto=add
        pfs=yes

----- Original Message ----- 
From: "Robert W. Burgholzer" <rburgholzer at maptech-inc.com>
To: <users at lists.openswan.org>
Sent: Friday, March 26, 2004 2:20 PM
Subject: Re: [Openswan Users] Help with WinXP behind NAT as client


> Leonard,
> Please forgive me if I present info you already know; I am new to the list.
>
> Anyhow, I have found the command "ipsec auto --status" very helpful. Doing
> this on your server would list all the possible names of clients that it
> will accept. This info enabled me to debug a problem I had getting my
> client recognized as valid.
>
> r.b.
>
> At 01:09 PM 3/26/2004 +0100, Leonard Tulipan wrote:
> >I think I am finally getting somewhere.
> >I have changed my ipsec.conf to look like this:
> >
> >version 2.0
> >
> >config setup
> >         interfaces=%defaultroute
> >         klipsdebug=none
> >         plutodebug=none
> >         uniqueids=yes
> >
> >conn %default
> >         keyingtries=1
> >         compress=yes
> >         disablearrivalcheck=no
> >         authby=rsasig
> >         leftrsasigkey=%cert
> >         rightrsasigkey=%cert
> >         leftcert=GatewayCert.pem
> >
> >conn roadwarrior-net
> >         leftsubnet=192.168.118.0/24
> >         also=roadwarrior
> >
> >conn roadwarrior
> >         right=%any
> >         rightid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1"
> >         left=%defaultroute
> >         auto=add
> >         pfs=yes
> >
> >I now use the iVPN GUI tool from sourceforge to manage the connection on
> >the WinXP side.
> >
> >Now when I connect I see
> >
> >Mar 26 12:58:56 firewall pluto[24011]: packet from 100.100.100.100:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
> >Mar 26 12:58:56 firewall pluto[2401]: packet from 100.100.100.100:500: received Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
> >Mar 26 12:58:56 firewall pluto[24011]: packet from 100.100.100.100:500: received Vendor ID Payload; ASCII hash: \020K
> >Mar 26 12:58:56 firewall pluto[24011]: packet from 100.100.100.100:500: received Vendor ID Payload; ASCII hash: &$M8m[a3\027*6cPO8\031
> >Mar 26 12:58:56 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100 #1: responding to Main Mode from unknown peer 100.100.100.100
> >Mar 26 12:58:56 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100 #1: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1'
> >Mar 26 12:58:56 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100 #1: no suitable connection for peer 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1'
> >Mar 26 12:58:56 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100 #1: sending encrypted notification INVALID_ID_INFORMATION to 100.100.100.100:500
> >Mar 26 12:59:16 firewall pluto[24011]: "roadwarrior"[1] 100.100.100.100 #1: ignoring Delete SA payload: ISAKMP SA not established
> >I then replaced the line rightid=... with
> >         rightcert=VPNusr1Cert.pem
> >
> >And I still get the no suitable message from above. So this looks like it
> >doesn't like my certificate, right?
> >Any ideas how I can get it to accept this? I suspect I am very close to
> >finally getting it to work.
> >
> >Cheers
> >Leonard
> >_______________________________________________
> >Users mailing list
> >Users at lists.openswan.org
> >http://lists.openswan.org/mailman/listinfo/users
>
> Robert Burgholzer
> Environmental Engineer
> MapTech Inc.
> http://www.maptech-inc.com/
>
>
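An added check, not part of this thread, that automates the comparison Robert suggests: it parses the `ipsec auto --status` entries and the pluto `Peer ID is ID_DER_ASN1_DN` log line from the messages above, normalizes the DNs, and reports which connections' right IDs match the peer and which CA each of those connections expects the peer certificate to chain to. The sample inputs are the thread's own lines with the mail wrapping rejoined; with them the peer DN equals the right ID of both connections, so the ID string passes and the CAs line (the CN=VPN issuer) is the next thing to compare against the client's certificate chain.

```python
import re

# Constructed sample input: the "ipsec auto --status" entries from the post,
# with the mail wrapping rejoined so each entry is a single line.
STATUS = """\
000 "roadwarrior": 200.200.200.200---200.200.200.254...%any[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1]===192.168.0.15/32; unrouted; eroute owner: #0
000 "roadwarrior":   CAs: '%any'...'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
000 "roadwarrior-net": 192.168.118.0/24===200.200.200.200---200.200.200.254...%any[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1]===192.168.0.15/32; unrouted; eroute owner: #0
000 "roadwarrior-net":   CAs: '%any'...'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
"""
# Constructed sample input: the pluto "Peer ID" log line from the post.
LOG = ('Mar 26 15:31:34 firewall pluto[27094]: "roadwarrior"[1] 100.100.100.100 #1: '
       "Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1'")

# Status entry "left---nexthop...right[rightid]===subnet; ..." -> connection name and right ID.
CONN_RE = re.compile(r'^000 "(?P<conn>[^"]+)":\s+\S*---\S*?\.\.\.[^\[;\s]+\[(?P<rightid>[^\]]*)\]')
# Status CA entry -> the CA the peer certificate must chain to for that connection.
CA_RE = re.compile(r"""^000 "(?P<conn>[^"]+)":\s+CAs: '[^']*'\.\.\.'(?P<right_ca>[^']*)'""")
PEER_RE = re.compile(r""" (?P<ip>\S+) #\d+: Peer ID is ID_DER_ASN1_DN: '(?P<dn>[^']*)'""")

def parse_dn(dn: str) -> list:
    """'C=AT, L=Wien, ...' -> ordered (TYPE, value) pairs. Attribute-type case is ignored;
    value case and RDN order are significant. Escaped commas inside values are not handled."""
    return [(t.strip().upper(), v.strip()) for t, sep, v in (r.partition('=') for r in dn.split(',')) if sep]

def parse_status(text: str) -> dict:
    """Right ID and right CA per connection name, from 'ipsec auto --status' output."""
    conns = {}
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            conns.setdefault(m['conn'], {})['rightid'] = m['rightid']
        elif m := CA_RE.match(line):
            conns.setdefault(m['conn'], {})['right_ca'] = m['right_ca']
    return conns

def matching_conns(peer_dn: str, conns: dict) -> list:
    """Connections whose right ID equals the peer's DN, RDN by RDN."""
    want = parse_dn(peer_dn)
    return sorted(n for n, c in conns.items() if 'rightid' in c and parse_dn(c['rightid']) == want)

def report(status: str, log: str) -> list:
    """One line per 'Peer ID' log entry: matching connections and the CA each of them expects."""
    conns, out = parse_status(status), []
    for m in filter(None, map(PEER_RE.search, log.splitlines())):
        hits = matching_conns(m['dn'], conns)
        cas = sorted({conns[h].get('right_ca', '?') for h in hits})
        out.append(f"{m['ip']}: ID matches {hits}; peer cert must chain to {cas}" if hits
                   else f"{m['ip']}: no connection has rightid {m['dn']!r}")
    return out
```

Feed it the full status dump and a live log tail; a "no connection has rightid" line means the DN string itself differs (often spacing or attribute order), while a match with a listed CA means the certificate chain is what to check next.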


