[Openswan Users] Help with WinXP behind NAT as client
Andreas Steffen
andreas.steffen at strongsec.net
Mon Mar 29 11:11:44 CEST 2004
Has the WinXP certificate been issued by the same CA as the FreeS/WAN certificate?
If not you will run into the problem described below, because WinXP cannot handle
mixed CAs. Could you post the output of ipsec auto --listall?
Regards
Andreas
Leonard Tulipan wrote:
> Well 192.168.0.15 is my IP behind the NAT.
> I edited ipsec.conf a bit and now get this status-info
>
> 000 "roadwarrior": 200.200.200.200---200.200.200.254...%any[C=AT, L=Wien,
> O=Schneller Scharau 5th Mind, CN=RoadWarrior1]; unrouted; eroute owner: #0
> 000 "roadwarrior": CAs: '%any'...'C=AT, L=Wien, O=Schneller Scharau 5th
> Mind, CN=VPN'
>
> and I still get:
>
> Mar 29 09:17:47 firewall pluto[19706]: "roadwarrior"[1] 100.100.100.100 #2:
> no suitable connection for peer 'C=AT, L=Wien, O=Schneller Scharau 5th Mind,
> CN=RoadWarrior1'
>
> the client - according to the howtos - always tells of a 192.168.0.15/32
> subnet. So that's why I defined that.
>
> I don't want to believe that I won't get it to work.
>
> Do I need to do some special IP-Tables rules on the VPN Server?
> Currently I have (which works for a freeswan--freeswan connection I have on
> another machine)
>
> # IPSEC / freeswan
> # IKE negotiations
> iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
> # ESP
> iptables -A INPUT -p 50 -j ACCEPT
> iptables -A OUTPUT -p 50 -j ACCEPT
> iptables -A OUTPUT -o ipsec0 -j ACCEPT
> iptables -A INPUT -i ipsec0 -j ACCEPT
>
> Cheers
> Leonard
> ----- Original Message -----
> From: "Robert W. Burgholzer" <rburgholzer at maptech-inc.com>
> To: "Leonard Tulipan" <l.tulipan at mpwi.at>
> Sent: Friday, March 26, 2004 7:00 PM
> Subject: Re: [Openswan Users] Help with WinXP behind NAT as client
>
>>Sorry to be vague.
>>
>>basically, what your server log tells you is this:
>>'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1'
>>
>>is what your client is announcing itself to the server as, however, the
>>output of "ipsec auto --status" tells you all of the possible combinations
>>of credentials that it will accept, and none of them matches 'C=AT, L=Wien,
>>O=Schneller Scharau 5th Mind, CN=RoadWarrior1' exactly. The closest you
>>get is:
>>
>>[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1]===192.168.0.15/32
>>
>>which isn't close enough. It looks as if you have specified a subnet in
>>your client's configuration, and this is throwing the server off. If you
>>delete the mention of a client side subnet, perhaps this will work?
>>
>>r.b.
>
> _______________________________________________
> Users mailing list
> Users at lists.openswan.org
> http://lists.openswan.org/mailman/listinfo/users
--
=======================================================================
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
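The two checks discussed in this thread, the exact match of the peer's DN against the right ID of each connection (with a configured client-side subnet as the thing that keeps the "closest" connection from being accepted) and whether the peer's certificate was issued by the same CA as the gateway's, can be done offline from the `ipsec auto --status` output and the pluto log line. The script below is an added example written for this archive page, not code from the thread or from FreeS/WAN/Openswan. The status lines and the log line are constructed, modelled on the ones quoted above; the issuer DNs passed to `diagnose()` are values the caller has to read out of the certificates (hypothetical here), and DN comparison is whitespace-normalized only, which is an assumption of this example.

```python
"""Offline diagnostic for pluto's "no suitable connection for peer" message.

Parses connection lines from `ipsec auto --status`, extracts the rejected
peer's DN from the pluto log line, and reports for every connection why it
does or does not fit. All sample data below is CONSTRUCTED for this example.
"""
import re

# Constructed status output modelled on the thread: the roadwarrior
# connection carries the client-side subnet that the thread discusses.
STATUS_OUTPUT = """\
000 "roadwarrior": 200.200.200.200---200.200.200.254...%any[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1]===192.168.0.15/32; unrouted; eroute owner: #0
000 "roadwarrior": CAs: '%any'...'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
000 "branch": 200.200.200.200---200.200.200.254...100.100.100.100[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=Branch]; erouted; eroute owner: #3
000 "branch": CAs: 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'...'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
"""

# Constructed pluto log line in the format quoted in the thread.
PLUTO_LOG_LINE = (
    'Mar 29 09:17:47 firewall pluto[19706]: "roadwarrior"[1] 100.100.100.100 #2: '
    "no suitable connection for peer 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1'"
)

# Hypothetical issuer DNs, as one would read them out of the two certificates.
PEER_ISSUER = "C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN"
GATEWAY_ISSUER = "C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN"

# 000 "name": left---nexthop...right[rightid]===rightsubnet; state; ...
CONN_RE = re.compile(
    r'^000 "(?P<name>[^"]+)": .*?\.\.\.'       # everything up to the "..." separator
    r'(?P<right>%any|[0-9.]+)'                 # right endpoint
    r'(?:\[(?P<right_id>[^\]]*)\])?'           # optional right ID in brackets
    r'(?:===(?P<right_subnet>[^;\s]+))?;'      # optional right subnet after ===
)
# 000 "name": CAs: 'leftca'...'rightca'
CA_RE = re.compile(
    r'^000 "(?P<name>[^"]+)": CAs: \'(?P<left_ca>[^\']*)\'\.\.\.\'(?P<right_ca>[^\']*)\''
)
PEER_RE = re.compile(r"no suitable connection for peer '(?P<dn>[^']+)'")


def normalize_dn(dn):
    """Split a DN into RDNs and strip whitespace around each one.
    RDN order is kept, so 'CN=a, O=b' and 'O=b, CN=a' stay different."""
    return tuple(part.strip() for part in dn.split(",") if part.strip())


def parse_status(text):
    """Map connection name -> right endpoint, right ID, right subnet, left/right CA."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.setdefault(m["name"], {}).update(
                right=m["right"], right_id=m["right_id"], right_subnet=m["right_subnet"])
            continue
        m = CA_RE.match(line)
        if m:
            conns.setdefault(m["name"], {}).update(
                left_ca=m["left_ca"], right_ca=m["right_ca"])
    return conns


def peer_dn_from_log(line):
    """Return the DN pluto rejected, or None if the line is not that message."""
    m = PEER_RE.search(line)
    return m["dn"] if m else None


def diagnose(status_text, log_line, peer_issuer_dn, gateway_issuer_dn):
    """Return a list of (connection, finding) explaining how each connection
    relates to the rejected peer: ID match, configured client subnet, CA fit."""
    peer = normalize_dn(peer_dn_from_log(log_line))
    issuer = normalize_dn(peer_issuer_dn)
    findings = []
    # Mixed CAs: the peer and gateway certificates come from different issuers.
    if issuer != normalize_dn(gateway_issuer_dn):
        findings.append(("*", "mixed CAs: peer and gateway certificates have different issuers"))
    for name, c in parse_status(status_text).items():
        rid = c.get("right_id")
        if rid is None or normalize_dn(rid) != peer:
            findings.append((name, "right ID does not match peer DN"))
            continue
        if c.get("right_subnet"):
            findings.append((name, f"right ID matches but client-side subnet {c['right_subnet']} "
                                   "is configured; the peer must propose exactly that subnet "
                                   "or the subnet must be removed from the connection"))
        else:
            findings.append((name, "right ID matches peer DN exactly"))
        right_ca = c.get("right_ca")
        if right_ca and right_ca != "%any" and normalize_dn(right_ca) != issuer:
            findings.append((name, f"peer certificate issuer differs from configured right CA '{right_ca}'"))
    return findings


if __name__ == "__main__":
    for conn, finding in diagnose(STATUS_OUTPUT, PLUTO_LOG_LINE, PEER_ISSUER, GATEWAY_ISSUER):
        print(f"{conn}: {finding}")
```

Run against the constructed data, the "branch" connection is reported as not matching the peer DN and "roadwarrior" as matching on ID but carrying the 192.168.0.15/32 client subnet, which is Robert's observation; feeding a different `PEER_ISSUER` adds the mixed-CA finding Andreas asks about.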