[Openswan Users] ipsec.secrets

Bastien Rocheron bastien.rocheron at free.fr
Fri May 7 13:25:57 CEST 2004


Hello,

I found the logs and they are very interesting: they tell us ipsec.secrets is understood by both the
gateway with FreeS/WAN and the Linux user with Openswan. They also say on the gateway that there is
no public key to verify the Linux host, but I copied the .pem file for the host into certs/ and even into
ipsec.d/ on the gateway to make sure, and the WinXP .pem file is only in certs/ on the gateway and it
works well for it. Maybe there are different formats for authentication?


Here are the logs; if anybody could tell me what is going on... thanks a lot.

The gateway (192.168.1.1) logs:


May  7 11:31:37 gateway ipsec__plutorun: Starting Pluto subsystem...
May  7 11:31:37 gateway pluto[26010]: Starting Pluto (FreeS/WAN Version 2.04 X.509-1.4.8 PLUTO_USES_KEYRR)
May  7 11:31:37 gaetway pluto[26010]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May  7 11:31:37 gateway pluto[26010]: Using KLIPS IPsec interface code
May  7 11:31:37 gateway pluto[26010]: Changing to directory '/etc/ipsec.d/cacerts'
May  7 11:31:37 gateway pluto[26010]:   loaded cacert file 'cacert.pem' (1602 bytes)
May  7 11:31:37 gateway pluto[26010]: Changing to directory '/etc/ipsec.d/crls'
May  7 11:31:37 gateway pluto[26010]:   loaded crl file 'crl.pem' (682 bytes)
May  7 11:31:37 gateway pluto[26010]: | from whack: got --esp=3des
May  7 11:31:37 gateway pluto[26010]: | from whack: got --ike=3des
May  7 11:31:37 gateway pluto[26010]:   loaded host cert file '/etc/ipsec.d/certs/gateway.mynet.net.pem' (4992 bytes)
May  7 11:31:37 gateway pluto[26010]: added connection description "roadwarrior-allnet"
May  7 11:31:38 gateway pluto[26010]: | from whack: got --esp=3des
May  7 11:31:38 gateway pluto[26010]: | from whack: got --ike=3des
May  7 11:31:38 gateway pluto[26010]:   loaded host cert file '/etc/ipsec.d/certs/gateway.mynet.net.pem' (4992 bytes)
May  7 11:31:38 gateway pluto[26010]: added connection description "roadwarrior"
May  7 11:31:38 gateway pluto[26010]: listening for IKE messages
May  7 11:31:38 gateway pluto[26010]: adding interface ipsec0/eth2 192.168.1.1
May  7 11:31:38 gateway pluto[26010]: loading secrets from "/etc/ipsec.secrets"
May  7 11:31:38 gateway pluto[26010]:   loaded private key file '/etc/ipsec.d/private/gateway.mynet.net.key' (1751 bytes)
May  7 11:32:01 gateway CRON[26071]: (pam_unix) session opened for user root by (uid=0)
May  7 11:32:06 gateway CRON[26071]: (pam_unix) session closed for user root
May  7 11:33:58 gateway pluto[26010]: "roadwarrior-allnet"[1] 192.168.1.10 #1: responding to Main Mode from unknown peer 192.168.1.10
May  7 11:33:59 gateway pluto[26010]: "roadwarrior-allnet"[1] 192.168.1.10 #1: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=here, L=there, O=myorg, OU=mynet, CN=host.mynet.net, E=mymail'
May  7 11:33:59 gateway pluto[26010]: "roadwarrior-allnet"[2] 192.168.1.10 #1: deleting connection "roadwarrior-allnet" instance with peer 192.168.1.10 {isakmp=#0/ipsec=#0}
May  7 11:33:59 gateway pluto[26010]: "roadwarrior-allnet"[2] 192.168.1.10 #1: no RSA public key known for 'C=FR, ST=here, L=there, O=myorg, OU=mynet, CN=host.mynet.net, E=mymail'
May  7 11:33:59 gateway pluto[26010]: "roadwarrior-allnet"[2] 192.168.1.10 #1: sending notification INVALID_KEY_INFORMATION to 192.168.1.10:500


And here are the logs on the Linux host (192.168.1.10) at the same time:


May  7 11:33:03 host ipsec__plutorun: Starting Pluto subsystem...
May  7 11:33:03 host pluto[9185]: Starting Pluto (Openswan Version 2.1.2rc3 X.509-1.4.8 PLUTO_USES_KEYRR)
May  7 11:33:03 host pluto[9185]:   including NAT-Traversal patch (Version 0.6c) [disabled]
May  7 11:33:03 host pluto[9185]: Using Linux 2.6 IPsec interface code
May  7 11:33:04 host pluto[9185]: Changing to directory '/etc/ipsec.d/cacerts'
May  7 11:33:04 host pluto[9185]:   loaded cacert file 'cacert.pem' (1602 bytes)
May  7 11:33:04 host pluto[9185]: Changing to directory '/etc/ipsec.d/crls'
May  7 11:33:04 host pluto[9185]:   loaded crl file 'crl.pem' (682 bytes)
May  7 11:33:05 host pluto[9185]:   loaded host cert file '/etc/ipsec.d/certs/host.mynet.net.pem' (5022 bytes)
May  7 11:33:05 host pluto[9185]:   loaded host cert file '/etc/ipsec.d/certs/gateway.mynet.net.pem' (4992 bytes)
May  7 11:33:05 host pluto[9185]: added connection description "roadwarrior"
May  7 11:33:07 host pluto[9185]:   loaded host cert file '/etc/ipsec.d/certs/host.mynet.net.pem' (5022 bytes)
May  7 11:33:07 host pluto[9185]:   loaded host cert file '/etc/ipsec.d/certs/gateway.mynet.net.pem' (4992 bytes)
May  7 11:33:07 host pluto[9185]: added connection description "roadwarrior-net"
May  7 11:33:07 host pluto[9185]: listening for IKE messages
May  7 11:33:07 host pluto[9185]: adding interface eth2/eth2 192.168.1.10
May  7 11:33:07 host pluto[9185]: adding interface lo/lo 127.0.0.1
May  7 11:33:07 host pluto[9185]: loading secrets from "/etc/ipsec.secrets"
May  7 11:33:07 host pluto[9185]:   loaded private key file '/etc/ipsec.d/private/host.mynet.net.key' (1743 bytes)
May  7 11:33:08 host pluto[9185]: "roadwarrior" #1: initiating Main Mode
May  7 11:33:08 host pluto[9185]: "roadwarrior" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May  7 11:33:09 host pluto[9185]: "roadwarrior" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May  7 11:33:09 host pluto[9185]: "roadwarrior" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
May  7 11:33:18 host pluto[9185]: "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
May  7 11:33:19 host pluto[9185]: "roadwarrior" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
May  7 11:33:38 host pluto[9185]: "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
May  7 11:33:39 host pluto[9185]: "roadwarrior" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
May  7 11:34:19 host pluto[9185]: "roadwarrior"#1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message






Original message from Nate Carlson <natecars at natecarlson.com>, Thu, 6 May 2004 17:22:03 -0500 (CDT):

> On Thu, 6 May 2004, Bastien Rocheron wrote:
> > > You mean extract it with fswcert, and dump it into ipsec.secrets? Should 
> > > work fine.
> > 
> > Can you tell me how it works? 
> 
> http://www.strongsec.com/freeswan/fswcert-0.6.tar.gz
> 
> Been a long time since I've used it; I think the '-k' option is what you 
> need.
> 
> > I couldn't find other logs, I'm going to check the docs
> 
> It's in /var/log/auth.log on Debian.
> 
> ------------------------------------------------------------------------
> | nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
> |       depriving some poor village of its idiot since 1981            |
> ------------------------------------------------------------------------


Bastien Rocheron
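An added example, not from the post or from the FreeS/WAN or Openswan projects: a small Python audit that reads pluto lines in the format quoted above and groups them per connection and SA number, so the responder's "no RSA public key known" for a peer DN, the INVALID_KEY_INFORMATION it sends, and the initiator's eventual retransmission failure show up together as one failed authentication. The sample lines are constructed from the logs in the post; the event labels and field names are my own, and the regex assumes the syslog prefix and the "conn"[instance] peer #sa: layout pluto uses here.

```python
import re

# Constructed sample lines, modelled on the gateway and host logs quoted in the post.
SAMPLE_LOG = """\
May  7 11:33:58 gateway pluto[26010]: "roadwarrior-allnet"[1] 192.168.1.10 #1: responding to Main Mode from unknown peer 192.168.1.10
May  7 11:33:59 gateway pluto[26010]: "roadwarrior-allnet"[1] 192.168.1.10 #1: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=here, L=there, O=myorg, OU=mynet, CN=host.mynet.net, E=mymail'
May  7 11:33:59 gateway pluto[26010]: "roadwarrior-allnet"[2] 192.168.1.10 #1: no RSA public key known for 'C=FR, ST=here, L=there, O=myorg, OU=mynet, CN=host.mynet.net, E=mymail'
May  7 11:33:59 gateway pluto[26010]: "roadwarrior-allnet"[2] 192.168.1.10 #1: sending notification INVALID_KEY_INFORMATION to 192.168.1.10:500
May  7 11:33:09 host pluto[9185]: "roadwarrior" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
May  7 11:34:19 host pluto[9185]: "roadwarrior"#1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
"""

# syslog prefix, then pluto's "conn"[instance] peer #sa: message (instance and peer are optional)
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])?\s*(?:(?P<peer>\d+(?:\.\d+){3}) )?#(?P<sa>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"^Peer ID is (?P<idtype>\w+): '(?P<dn>[^']+)'")

# Messages meaning RSA-signature authentication did not complete, on either side (labels are mine).
FAILURE_PATTERNS = {
    'responder_no_pubkey': re.compile(r"^no RSA public key known for '"),
    'responder_sent_invalid_key': re.compile(r'^sending notification INVALID_KEY_INFORMATION to '),
    'initiator_got_invalid_key': re.compile(r'^ignoring informational payload, type INVALID_KEY_INFORMATION'),
    'initiator_gave_up': re.compile(r'^max number of retransmissions \(\d+\) reached STATE_'),
}


def parse_pluto_line(line):
    """Split one pluto line into fields; None for lines without a "conn" #sa prefix."""
    m = PLUTO_RE.match(line)
    return m.groupdict() if m else None


def audit_ike_auth(log_text):
    """Group lines per (host, connection, SA#) and return the SAs that failed to authenticate."""
    sas = {}
    for line in log_text.splitlines():
        rec = parse_pluto_line(line)
        if rec is None:
            continue
        key = (rec['host'], rec['conn'], rec['sa'])
        sa = sas.setdefault(key, {'host': rec['host'], 'conn': rec['conn'], 'sa': rec['sa'],
                                  'peer': rec['peer'], 'peer_id': None, 'events': []})
        pid = PEER_ID_RE.match(rec['msg'])
        if pid:
            sa['peer_id'] = pid.group('dn')  # the DN the peer claimed in its ID payload
        sa['events'] += [name for name, pat in FAILURE_PATTERNS.items() if pat.match(rec['msg'])]
    return [sa for sa in sas.values() if sa['events']]


if __name__ == '__main__':
    print(audit_ike_auth(SAMPLE_LOG))
```

Run against /var/log/auth.log from both ends, the report pairs the DN the gateway could not find a key for with the SA the host gave up on, which is the first thing to compare against the subject of the .pem that was copied into certs/.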