[Openswan Users] Almost connected from WinXP...

Paul Wouters paul at xelerance.com
Sat May 29 14:13:11 CEST 2004


On Fri, 28 May 2004, José Julio Hernández Fernández wrote:

> May 28 15:52:24 localhost pluto[14320]: "test"[1] a.b.c.d #1: Peer ID is
> ID_DER_ASN1_DN: 'C=US, ST=xxx, L=xxx, O=yyy, OU=yyy, CN=test04 at none.com,
> E=test04 at none.com'
> May 28 15:52:24 localhost pluto[14320]: "test"[1] a.b.c.d #1: issuer crl
> not found
> May 28 15:52:24 localhost pluto[14320]: "test"[1] a.b.c.d #1: issuer crl
> not found

You might want to remove that obsolete crl.pem (probably from a previously
generated CA), or regenerate a new crl.pem with the current CA.

> May 28 15:52:24 localhost pluto[14320]: "test4"[1] a.b.c.d #1: deleting
> connection "test" instance with peer a.b.c.d {isakmp=#0/ipsec=#0}

Seems the other end hangs up.

> May 28 15:52:24 localhost pluto[14320]: "test4"[1] a.b.c.d:45017 #1:
> received Delete SA payload: deleting ISAKMP State #1

It tells us it is hanging up.

> -----------
> ..and on Windows side I got "error 800" with no connection, and pluto
> makes no attempt to bring up "test4_NAT". Any ideas of what I'm doing
> wrong?

You might want to enable oakley.log logging for more verbose output.

> Here's my ipsec.conf:
> -----------
> version 2.0
> config setup
>         interfaces=%defaultroute
>         klipsdebug=none
>         plutodebug=none
>         uniqueids=yes
>         nat_traversal=yes
>  
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
> conn %default
>         keyingtries=1
>         disablearrivalcheck=no
>         authby=rsasig
>         auth=esp
>         keyexchange=ike
>         ikelifetime=240m
>         keylife=20m
>         rekey=yes
>         pfs=yes
>         compress=no
>         right=%any
>         rightrsasigkey=%cert
>         left=%defaultroute
>         leftrsasigkey=%cert
>         leftcert=pulpo.pem
>         auto=add

Try adding: leftsendcert=always

> conn test4
>         type=tunnel
>         rightid="C=US, ST=xxx, L=xxx, O=yyy, OU=yyy, CN=test04 at none.com,
> E=test04 at none.com"
>         leftsubnet=192.168.50.0/24
> conn test4_NAT
>         type=tunnel
>         rightid="C=US, ST=xxx, L=xxx, O=yyy, OU=yyy, CN=test04 at none.com,
> E=test04 at none.com"
>         rightsubnet=vnet:%priv
>         leftsubnet=192.168.50.0/24

I've never seen "vnet"; I think it is not a legal option.
Since you are using virtual_private, what you should use is:

conn test4
	type=tunnel
	rightid="C=US, ST=xxx, L=xxx, O=yyy, OU=yyy, CN=test04 at none.com, E=test04 at none.com"
	leftsubnet=192.168.50.0/24
	rightsubnet=vhost:%no,%priv

This covers both connections without NAT (%no) and with NAT (%priv).
Also, since you are using 192.168.50.0/24 as your leftsubnet, you should
exclude this range from your virtual_private: this range cannot be used
behind NAT anymore, since you would have the same subnet on either end
of the connection. So change:

> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

to:
 
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,!%v4:192.168.50.0/24

Paul
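A mechanical version of the last check in the reply above (that the gateway's own leftsubnet has to be carved out of virtual_private so a NATed client cannot claim it), added here as an example; it is not part of Paul's reply nor Openswan's own code. It uses only Python's standard ipaddress module, assumes virtual_private entries take only the %v4:/%v6: and !%v4:/!%v6: forms seen in this thread, and the sample values are the two virtual_private lines quoted above.

```python
import ipaddress
import re

# Constructed sample input, taken from the two virtual_private lines in this
# thread: the poster's original value and the corrected one.
ORIGINAL_VP = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"
CORRECTED_VP = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
                "!%v4:192.168.50.0/24")
LEFTSUBNET = "192.168.50.0/24"

_ENTRY = re.compile(r"(!?)%v([46]):(.+)")


def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) network lists.

    Assumption: each comma-separated entry is %v4:CIDR / %v6:CIDR (allowed)
    or the same prefixed with '!' (excluded). Anything else is rejected so a
    typo does not silently widen or narrow the allowed set.
    """
    allowed, excluded = [], []
    for raw in value.split(","):
        item = raw.strip()
        m = _ENTRY.fullmatch(item)
        if not m:
            raise ValueError("unrecognised virtual_private entry: %r" % item)
        net = ipaddress.ip_network(m.group(3), strict=False)
        (excluded if m.group(1) else allowed).append(net)
    return allowed, excluded


def virtual_private_overlaps(value, local_subnet):
    """Return the allowed ranges a NATed client could still claim that would
    collide with local_subnet (the gateway's leftsubnet).

    An allowed range only counts if local_subnet is not entirely covered by
    some excluded range; a partial exclusion is still reported as a collision.
    """
    local = ipaddress.ip_network(local_subnet, strict=False)
    allowed, excluded = parse_virtual_private(value)
    same_version = lambda n: n.version == local.version
    if any(local.subnet_of(ex) for ex in excluded if same_version(ex)):
        return []
    return [net for net in allowed if same_version(net) and net.overlaps(local)]


def exclude_local_subnet(value, local_subnet):
    """Return value with a '!%v4:'/'!%v6:' exclusion for local_subnet appended
    when it is needed; unchanged when the subnet is already carved out."""
    if not virtual_private_overlaps(value, local_subnet):
        return value
    local = ipaddress.ip_network(local_subnet, strict=False)
    return "%s,!%%v%d:%s" % (value, local.version, local)


if __name__ == "__main__":
    for label, vp in (("original", ORIGINAL_VP), ("corrected", CORRECTED_VP)):
        clash = virtual_private_overlaps(vp, LEFTSUBNET)
        print(label, "->", [str(n) for n in clash] or "no overlap")
    print("suggested:", exclude_local_subnet(ORIGINAL_VP, LEFTSUBNET))
```

Run it against your own ipsec.conf values: any range it reports is one a remote client behind NAT can legitimately present as its inner address, which is exactly the situation where the tunnel routes collide with the gateway's own leftsubnet.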
