[Openswan Users] ipsec.secrets
Bastien Rocheron
bastien.rocheron at free.fr
Fri May 7 13:25:57 CEST 2004
Hello,
I found the logs and they are very interesting: they tell us ipsec.secrets is understood by both the
gateway with FreeS/WAN and the Linux user with Openswan. They also say on the gateway that there is
no public key to verify the Linux host, but I copied the .pem file for the host in certs/ and even in
ipsec.d/ on the gateway to make sure, and the WinXP .pem file is only in certs/ on the gateway and it
works well for it. Maybe there are different formats for authentication?
Here are the logs; if anybody could tell me what is going on... thanks a lot.
The gateway (192.168.1.1) logs:
May 7 11:31:37 gateway ipsec__plutorun: Starting Pluto subsystem...
May 7 11:31:37 gateway pluto[26010]: Starting Pluto (FreeS/WAN Version 2.04 X.509-1.4.8 PLUTO_USES_KEYRR)
May 7 11:31:37 gaetway pluto[26010]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 7 11:31:37 gateway pluto[26010]: Using KLIPS IPsec interface code
May 7 11:31:37 gateway pluto[26010]: Changing to directory '/etc/ipsec.d/cacerts'
May 7 11:31:37 gateway pluto[26010]: loaded cacert file 'cacert.pem' (1602 bytes)
May 7 11:31:37 gateway pluto[26010]: Changing to directory '/etc/ipsec.d/crls'
May 7 11:31:37 gateway pluto[26010]: loaded crl file 'crl.pem' (682 bytes)
May 7 11:31:37 gateway pluto[26010]: | from whack: got --esp=3des
May 7 11:31:37 gateway pluto[26010]: | from whack: got --ike=3des
May 7 11:31:37 gateway pluto[26010]: loaded host cert file '/etc/ipsec.d/certs/gateway.mynet.net.pem' (4992 bytes)
May 7 11:31:37 gateway pluto[26010]: added connection description "roadwarrior-allnet"
May 7 11:31:38 gateway pluto[26010]: | from whack: got --esp=3des
May 7 11:31:38 gateway pluto[26010]: | from whack: got --ike=3des
May 7 11:31:38 gateway pluto[26010]: loaded host cert file '/etc/ipsec.d/certs/gateway.mynet.net.pem' (4992 bytes)
May 7 11:31:38 gateway pluto[26010]: added connection description "roadwarrior"
May 7 11:31:38 gateway pluto[26010]: listening for IKE messages
May 7 11:31:38 gateway pluto[26010]: adding interface ipsec0/eth2 192.168.1.1
May 7 11:31:38 gateway pluto[26010]: loading secrets from "/etc/ipsec.secrets"
May 7 11:31:38 gateway pluto[26010]: loaded private key file '/etc/ipsec.d/private/gateway.mynet.net.key' (1751 bytes)
May 7 11:32:01 gateway CRON[26071]: (pam_unix) session opened for user root by (uid=0)
May 7 11:32:06 gateway CRON[26071]: (pam_unix) session closed for user root
May 7 11:33:58 gateway pluto[26010]: "roadwarrior-allnet"[1] 192.168.1.10 #1: responding to Main Mode from unknown peer 192.168.1.10
May 7 11:33:59 gateway pluto[26010]: "roadwarrior-allnet"[1] 192.168.1.10 #1: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=here, L=there, O=myorg, OU=mynet, CN=host.mynet.net, E=mymail'
May 7 11:33:59 gateway pluto[26010]: "roadwarrior-allnet"[2] 192.168.1.10 #1: deleting connection "roadwarrior-allnet" instance with peer 192.168.1.10 {isakmp=#0/ipsec=#0}
May 7 11:33:59 gateway pluto[26010]: "roadwarrior-allnet"[2] 192.168.1.10 #1: no RSA public key known for 'C=FR, ST=here, L=there, O=myorg, OU=mynet, CN=host.mynet.net, E=mymail'
May 7 11:33:59 gateway pluto[26010]: "roadwarrior-allnet"[2] 192.168.1.10 #1: sending notification INVALID_KEY_INFORMATION to 192.168.1.10:500
And here are the logs on the Linux host (192.168.1.10) at the same time:
May 7 11:33:03 host ipsec__plutorun: Starting Pluto subsystem...
May 7 11:33:03 host pluto[9185]: Starting Pluto (Openswan Version 2.1.2rc3 X.509-1.4.8 PLUTO_USES_KEYRR)
May 7 11:33:03 host pluto[9185]: including NAT-Traversal patch (Version 0.6c) [disabled]
May 7 11:33:03 host pluto[9185]: Using Linux 2.6 IPsec interface code
May 7 11:33:04 host pluto[9185]: Changing to directory '/etc/ipsec.d/cacerts'
May 7 11:33:04 host pluto[9185]: loaded cacert file 'cacert.pem' (1602 bytes)
May 7 11:33:04 host pluto[9185]: Changing to directory '/etc/ipsec.d/crls'
May 7 11:33:04 host pluto[9185]: loaded crl file 'crl.pem' (682 bytes)
May 7 11:33:05 host pluto[9185]: loaded host cert file '/etc/ipsec.d/certs/host.mynet.net.pem' (5022 bytes)
May 7 11:33:05 host pluto[9185]: loaded host cert file '/etc/ipsec.d/certs/gateway.mynet.net.pem' (4992 bytes)
May 7 11:33:05 host pluto[9185]: added connection description "roadwarrior"
May 7 11:33:07 host pluto[9185]: loaded host cert file '/etc/ipsec.d/certs/host.mynet.net.pem' (5022 bytes)
May 7 11:33:07 host pluto[9185]: loaded host cert file '/etc/ipsec.d/certs/gateway.mynet.net.pem' (4992 bytes)
May 7 11:33:07 host pluto[9185]: added connection description "roadwarrior-net"
May 7 11:33:07 host pluto[9185]: listening for IKE messages
May 7 11:33:07 host pluto[9185]: adding interface eth2/eth2 192.168.1.10
May 7 11:33:07 host pluto[9185]: adding interface lo/lo 127.0.0.1
May 7 11:33:07 host pluto[9185]: loading secrets from "/etc/ipsec.secrets"
May 7 11:33:07 host pluto[9185]: loaded private key file '/etc/ipsec.d/private/host.mynet.net.key' (1743 bytes)
May 7 11:33:08 host pluto[9185]: "roadwarrior" #1: initiating Main Mode
May 7 11:33:08 host pluto[9185]: "roadwarrior" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 7 11:33:09 host pluto[9185]: "roadwarrior" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 7 11:33:09 host pluto[9185]: "roadwarrior" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
May 7 11:33:18 host pluto[9185]: "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
May 7 11:33:19 host pluto[9185]: "roadwarrior" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
May 7 11:33:38 host pluto[9185]: "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
May 7 11:33:39 host pluto[9185]: "roadwarrior" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
May 7 11:34:19 host pluto[9185]: "roadwarrior"#1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Original message from Nate Carlson <natecars at natecarlson.com>, Thu, 6 May 2004 17:22:03 -0500 (CDT):
> On Thu, 6 May 2004, Bastien Rocheron wrote:
> > > You mean extract it with fswcert, and dump it into ipsec.secrets? Should
> > > work fine.
> >
> > Can you tell me how it works?
>
> http://www.strongsec.com/freeswan/fswcert-0.6.tar.gz
>
> Been a long time since I've used it; I think the '-k' option is what you
> need.
>
> > I couldn't find other logs, I'm going to check the docs
>
> It's in /var/log/auth.log on Debian.
>
> ------------------------------------------------------------------------
> | nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
> | depriving some poor village of its idiot since 1981 |
> ------------------------------------------------------------------------
Bastien Rocheron
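As an added example (not from this thread, and not Openswan or FreeS/WAN code), a small Python correlator that parses pluto syslog lines like the two logs above and ties the responder's "no RSA public key known" plus INVALID_KEY_INFORMATION notification to the initiator's "ignoring informational payload" and retransmission failure; the sample lines are constructed, condensed copies of the logs quoted above, and the event grouping key (host, connection name, ISAKMP SA number) is my assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines, condensed from the two pluto logs quoted in the thread.
GATEWAY_LOG = """\
May 7 11:33:58 gateway pluto[26010]: "roadwarrior-allnet"[1] 192.168.1.10 #1: responding to Main Mode from unknown peer 192.168.1.10
May 7 11:33:59 gateway pluto[26010]: "roadwarrior-allnet"[1] 192.168.1.10 #1: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=here, L=there, O=myorg, OU=mynet, CN=host.mynet.net, E=mymail'
May 7 11:33:59 gateway pluto[26010]: "roadwarrior-allnet"[2] 192.168.1.10 #1: no RSA public key known for 'C=FR, ST=here, L=there, O=myorg, OU=mynet, CN=host.mynet.net, E=mymail'
May 7 11:33:59 gateway pluto[26010]: "roadwarrior-allnet"[2] 192.168.1.10 #1: sending notification INVALID_KEY_INFORMATION to 192.168.1.10:500
"""
HOST_LOG = """\
May 7 11:33:08 host pluto[9185]: "roadwarrior" #1: initiating Main Mode
May 7 11:33:09 host pluto[9185]: "roadwarrior" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
May 7 11:34:19 host pluto[9185]: "roadwarrior"#1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# syslog prefix, then pluto's '"conn"[instance] peer #sa: message' (instance/peer optional, space before # optional)
LINE_RE = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) pluto\[\d+\]: (?P<rest>.*)$')
SA_RE = re.compile(r'^"(?P<conn>[^"]+)"(?:\[\d+\])?\s*(?:(?P<peer>[\d.]+)\s+)?#(?P<sa>\d+): ?(?P<msg>.*)$')

def parse_pluto_line(line):
    """Return host, conn, peer address, ISAKMP SA number and message for one pluto line, else None."""
    m = LINE_RE.match(line)
    s = SA_RE.match(m.group('rest')) if m else None
    return {'host': m.group('host'), **s.groupdict()} if s else None

def diagnose(log_text):
    """Group events per (host, conn, SA) and report the two failure signatures seen in the thread."""
    peer_ids, notifies, findings = {}, defaultdict(list), []
    for line in log_text.splitlines():
        ev = parse_pluto_line(line)
        if not ev:
            continue
        key, msg = (ev['host'], ev['conn'], ev['sa']), ev['msg']
        if m := re.match(r"Peer ID is (\w+): '(.*)'", msg):      # responder learned the peer's ID
            peer_ids[key] = m.groups()
        if m := re.match(r"ignoring informational payload, type (\w+)", msg):  # initiator side
            notifies[key].append(m.group(1))
        if m := re.match(r"no RSA public key known for '(.*)'", msg):  # responder cannot map ID to a key
            findings.append({'side': 'responder', 'host': ev['host'], 'conn': ev['conn'],
                             'peer': ev['peer'], 'id_type': peer_ids.get(key, ('unknown',))[0],
                             'peer_id': m.group(1),
                             'action': 'make a public key available for this ID on the responder'})
        if 'max number of retransmissions' in msg and 'authentication failure' in msg:
            findings.append({'side': 'initiator', 'host': ev['host'], 'conn': ev['conn'],
                             'notifications': sorted(set(notifies[key])),
                             'action': 'read the responder log; its notification names the cause'})
    return findings
```

Run against both logs, the responder finding carries the full DN the gateway could not map to a key, and the initiator finding lists the INVALID_KEY_INFORMATION notification that explains its otherwise silent retransmission timeout.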