[Openswan Users] Help with WinXP behind NAT as client

Leonard Tulipan l.tulipan at mpwi.at
Mon Mar 29 17:31:11 CEST 2004


Thanks, but I don't think it is. I signed them both on the same machine.
This is what I get:

[root at firewall root]# ipsec auto --listall
000
000 List of Public Keys:
000
000 Mar 29 16:29:36 2004, 1024 RSA Key AwEAAec6+, until Mar 26 14:18:26 2005 ok
000        ID_DER_ASN1_DN 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1'
000        Issuer 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
000
000 List of X.509 End Certificates:
000
000 Mar 29 16:29:36 2004, count: 2
000        subject: 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1'
000        issuer:  'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
000        serial:   04
000        pubkey:   1024 RSA Key AwEAAec6+
000        validity: not before Mar 26 14:18:26 2004 ok
000                  not after  Mar 26 14:18:26 2005 ok
000
000 List of X.509 CA Certificates:
000
000 Mar 29 16:29:35 2004, count: 1
000        subject: 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
000        issuer:  'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
000        serial:   00
000        pubkey:   2048 RSA Key AwEAAbTRY
000        validity: not before Mar 19 14:50:41 2004 ok
000                  not after  Mar 18 14:50:41 2008 ok
000
000 List of X.509 CRLs:
000
000 Mar 29 16:29:35 2004, revoked certs: 1
000        issuer:  'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
000        distPts: 'file:///etc/ipsec.d/crls/crl.pem'
000        updates:  this Mar 19 15:10:24 2004
000                  next Apr 18 16:10:24 2004 ok

----- Original Message ----- 
From: "Andreas Steffen" <andreas.steffen at strongsec.net>
To: "Leonard Tulipan" <l.tulipan at mpwi.at>
Cc: <users at lists.openswan.org>
Sent: Monday, March 29, 2004 10:11 AM
Subject: Re: [Openswan Users] Help with WinXP behind NAT as client


> Has the WinXP certificate been issued by the same CA as the FreeS/WAN certificate?
> If not you will run into the problem described below, because WinXP cannot handle
> mixed CAs. Could you post the output of ipsec auto --listall?
>
> Regards
>
> Andreas
>
> Leonard Tulipan wrote:
> > Well 192.168.0.15 is my IP behind the NAT.
> > I edited ipsec.conf a bit and now get this status-info:
> >
> > 000 "roadwarrior": 200.200.200.200---200.200.200.254...%any[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1]; unrouted; eroute owner: #0
> > 000 "roadwarrior":   CAs: '%any'...'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
> >
> > and I still get:
> >
> > Mar 29 09:17:47 firewall pluto[19706]: "roadwarrior"[1] 100.100.100.100 #2: no suitable connection for peer 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1'
> >
> > The client - according to the howtos - always tells of a 192.168.0.15/32
> > subnet. So that's why I defined that.
> >
> > I don't want to believe that I won't get it to work.
> >
> > Do I need to do some special IP-Tables rules on the VPN Server?
> > Currently I have (which works for a freeswan--freeswan connection I have on
> > another machine)
> >
> > # IPSEC / freeswan
> > # IKE negotiations
> > iptables -A INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
> > iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
> > # ESP
> > iptables -A INPUT  -p 50 -j ACCEPT
> > iptables -A OUTPUT -p 50 -j ACCEPT
> > iptables -A OUTPUT -o ipsec0 -j ACCEPT
> > iptables -A INPUT -i ipsec0 -j ACCEPT
> >
> > Cheers
> > Leonard
> > ----- Original Message ----- 
> > From: "Robert W. Burgholzer" <rburgholzer at maptech-inc.com>
> > To: "Leonard Tulipan" <l.tulipan at mpwi.at>
> > Sent: Friday, March 26, 2004 7:00 PM
> > Subject: Re: [Openswan Users] Help with WinXP behind NAT as client
> >
> >
> >
> >> Sorry to be vague.
> >>
> >> Basically, what your server log tells you is this:
> >> 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1'
> >>
> >> is what your client is announcing itself to the server as; however, the
> >> output of "ipsec auto --status" tells you all of the possible combinations
> >> of credentials that it will accept, and none of them matches 'C=AT, L=Wien,
> >> O=Schneller Scharau 5th Mind, CN=RoadWarrior1' exactly. The closest you get is:
> >>
> >> [C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1]===192.168.0.15/32
> >>
> >> which isn't close enough. It looks as if you have specified a subnet in
> >> your client's configuration, and this is throwing the server off. If you
> >> delete the mention of a client side subnet, perhaps this will work?
> >>
> >> r.b.
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
>
>
> -- 
> =======================================================================
> Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
> strongSec GmbH                    home:   http://www.strongsec.com
> Alter Zürichweg 20                phone:  +41 1 730 80 64
> CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
> ==========================================[strong internet security]===
>
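The thread turns on two questions: does the DN the road warrior presents match, exactly and in order, the ID on the right side of a connection definition, and was the end certificate issued by a CA that pluto has actually loaded. The script below is an added example (not code from the thread, from Openswan or from FreeS/WAN) that parses `ipsec auto --listall` output, an `ipsec auto --status` line and a pluto log line and answers both questions. The sample text is constructed from the abbreviated output quoted in the thread (key material omitted); the regular expressions assume pluto's output format as it appears there.

```python
"""Added example (not from the thread, Openswan or FreeS/WAN): check the identities
that pluto prints against each other.  All sample text is constructed from the thread."""
import re
from datetime import datetime

# Constructed sample of `ipsec auto --listall` (end certificates and CAs only).
LISTALL = """\
000 List of X.509 End Certificates:
000
000 Mar 29 16:29:36 2004, count: 2
000        subject: 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1'
000        issuer:  'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
000        validity: not before Mar 26 14:18:26 2004 ok
000                  not after  Mar 26 14:18:26 2005 ok
000
000 List of X.509 CA Certificates:
000
000 Mar 29 16:29:35 2004, count: 1
000        subject: 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
000        issuer:  'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'
000        validity: not before Mar 19 14:50:41 2004 ok
000                  not after  Mar 18 14:50:41 2008 ok
"""
# Constructed from the `ipsec auto --status` line and the pluto log line in the thread.
STATUS_LINE = ('000 "roadwarrior": 200.200.200.200---200.200.200.254...%any'
               '[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1];'
               ' unrouted; eroute owner: #0')
LOG_LINE = ('Mar 29 09:17:47 firewall pluto[19706]: "roadwarrior"[1] 100.100.100.100 #2:'
            " no suitable connection for peer 'C=AT, L=Wien, O=Schneller Scharau 5th Mind,"
            " CN=RoadWarrior1'")
AS_OF = datetime(2004, 3, 29, 16, 29, 36)   # when the listing was taken; "now" for validity
_DATE = r"\w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}"  # pluto's date format, e.g. Mar 26 14:18:26 2004


def normalize_dn(dn):
    """'C=AT, L=Wien, ...' -> ((attr, value), ...) with upper-cased attribute names and
    stray whitespace removed; order is kept because the DN has to match in order."""
    parts = []
    for rdn in re.split(r",\s*(?=[A-Za-z]+\s*=)", dn):  # split only before 'ATTR='
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return tuple(parts)


def parse_listall(text):
    """Group --listall output by section; each entry gets subject, issuer and datetimes."""
    sections, current, entry = {}, None, None
    for raw in text.splitlines():
        line = raw[3:].strip() if raw.startswith("000") else raw.strip()
        m = re.match(r"List of X\.509 (.+?):", line)
        if m:                                   # section header
            current, entry = m.group(1), None
            sections[current] = []
            continue
        if current is None or not line:
            continue
        if re.match(_DATE + r", count:", line):  # first line of a new entry
            entry = {}
            sections[current].append(entry)
            continue
        if entry is None:
            continue
        m = re.match(r"(subject|issuer):\s+'([^']*)'", line)
        if m:
            entry[m.group(1)] = m.group(2)
            continue
        m = re.match(r"(?:validity:\s+)?not (before|after)\s+(" + _DATE + ")", line)
        if m:
            entry["not_" + m.group(1)] = datetime.strptime(m.group(2), "%b %d %H:%M:%S %Y")
    return sections


def check_chain(sections, now):
    """Problem strings; empty means each end cert was issued by a loaded CA and is valid."""
    problems = []
    ca_subjects = {normalize_dn(ca["subject"]) for ca in sections.get("CA Certificates", [])}
    for cert in sections.get("End Certificates", []):
        who = cert.get("subject", "?")
        if normalize_dn(cert.get("issuer", "")) not in ca_subjects:
            problems.append(f"{who}: issuer {cert.get('issuer')!r} is not a loaded CA")
        if not (cert["not_before"] <= now <= cert["not_after"]):
            problems.append(f"{who}: outside its validity window")
    return problems


def peer_id_from_log(line):
    """The identity the peer presented, as quoted in pluto's refusal message."""
    m = re.search(r"no suitable connection for peer '([^']*)'", line)
    return m.group(1) if m else None


def right_id_from_status(line):
    """The [ID] after the right-side address (...%any[ID]) in a status line."""
    m = re.search(r"\.\.\.\S*?\[([^\]]*)\]", line)
    return m.group(1) if m else None


def id_matches(peer_dn, conn_id):
    """pluto needs an exact, order-preserving DN match, so compare normalized tuples."""
    return normalize_dn(peer_dn) == normalize_dn(conn_id)


if __name__ == "__main__":
    print("chain problems:", check_chain(parse_listall(LISTALL), AS_OF) or "none")
    print("peer ID matches connection ID:",
          id_matches(peer_id_from_log(LOG_LINE), right_id_from_status(STATUS_LINE)))
```

Run against the thread's own output, both checks pass: the road-warrior certificate chains to the loaded CA and the presented DN equals the connection's right ID. That rules those two out and leaves the remaining match criteria, such as the client-side subnet Robert pointed at, as the place to look.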


