[Openswan Users] Almost connected from WinXP...
Paul Wouters
paul at xelerance.com
Sat May 29 14:13:11 CEST 2004
On Fri, 28 May 2004, José Julio Hernández Fernández wrote:
> May 28 15:52:24 localhost pluto[14320]: "test"[1] a.b.c.d #1: Peer ID is
> ID_DER_ASN1_DN: 'C=US, ST=xxx, L=xxx, O=yyy, OU=yyy, CN=test04 at none.com,
> E=test04 at none.com'
> May 28 15:52:24 localhost pluto[14320]: "test"[1] a.b.c.d #1: issuer crl
> not found
> May 28 15:52:24 localhost pluto[14320]: "test"[1] a.b.c.d #1: issuer crl
> not found
You might want to remove that obsolete crl.pem (probably from a previously
generated CA), or regenerate a new crl.pem with the current CA.
> May 28 15:52:24 localhost pluto[14320]: "test4"[1] a.b.c.d #1: deleting
> connection "test" instance with peer a.b.c.d {isakmp=#0/ipsec=#0}
Seems the other end hangs up.
> May 28 15:52:24 localhost pluto[14320]: "test4"[1] a.b.c.d:45017 #1:
> received Delete SA payload: deleting ISAKMP State #1
It tells us it is hanging up.
> -----------
> ..and on Windows side I got "error 800" with no connection, and pluto
> makes no rise attempt for "test4_NAT". Any ideas of what I'm doing
> wrong?
You might want to enable oakley.log logging for more verbose output.
> Here's my ipsec.conf:
> -----------
> version 2.0
> config setup
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=none
> uniqueids=yes
> nat_traversal=yes
>
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
> conn %default
> keyingtries=1
> disablearrivalcheck=no
> authby=rsasig
> auth=esp
> keyexchange=ike
> ikelifetime=240m
> keylife=20m
> rekey=yes
> pfs=yes
> compress=no
> right=%any
> rightrsasigkey=%cert
> left=%defaultroute
> leftrsasigkey=%cert
> leftcert=pulpo.pem
> auto=add
Try adding: leftsendcert=always
> conn test4
> type=tunnel
> rightid="C=US, ST=xxx, L=xxx, O=yyy, OU=yyy, CN=test04 at none.com,
> E=test04 at none.com"
> leftsubnet=192.168.50.0/24
> conn test4_NAT
> type=tunnel
> rightid="C=US, ST=xxx, L=xxx, O=yyy, OU=yyy, CN=test04 at none.com,
> E=test04 at none.com"
> rightsubnet=vnet:%priv
> leftsubnet=192.168.50.0/24
I've never seen "vnet"; I think it is not a legal option.
Since you are using virtual_private, what you should use is:
conn test4
type=tunnel
rightid="C=US, ST=xxx, L=xxx, O=yyy, OU=yyy, CN=test04 at none.com, E=test04 at none.com"
leftsubnet=192.168.50.0/24
rightsubnet=vhost:%no,%priv
This covers both connections without (%no) NAT and with (%priv) NAT.
Also, since you are using 192.168.50.0/24 as your leftsubnet, you should
exclude this range from your virtual_private, because this range cannot
be used behind NAT anymore: you would have the same subnet on either
end of the connection. So change:
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
to:
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,!%v4:192.168.50.0/24
Paul
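An added example (not part of this thread, and not Openswan code) that checks the point Paul makes above: it parses a virtual_private value in Openswan's %v4:/!%v4: syntax, reports whether a leftsubnet is still claimable by a NATed roadwarrior, and appends the missing exclusion. Function names are my own; only %v4 entries are handled.

```python
import ipaddress


def parse_virtual_private(value):
    """Split an Openswan virtual_private string into (included, excluded) networks.

    Entries look like %v4:10.0.0.0/8; a leading '!' marks an exclusion,
    e.g. !%v4:192.168.50.0/24. Non-%v4 entries are skipped (assumption).
    """
    included, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        exclude = item.startswith("!")
        body = item[1:] if exclude else item
        if not body.startswith("%v4:"):
            continue
        net = ipaddress.ip_network(body[len("%v4:"):], strict=False)
        (excluded if exclude else included).append(net)
    return included, excluded


def local_subnet_conflicts(virtual_private, leftsubnet):
    """True if leftsubnet overlaps an included range and is not excluded.

    That is exactly the situation in the thread: a NATed client could pick an
    address from 192.168.50.0/24 while the same subnet sits behind the server.
    """
    included, excluded = parse_virtual_private(virtual_private)
    local = ipaddress.ip_network(leftsubnet, strict=False)
    covered = any(local.overlaps(net) for net in included)
    shielded = any(local.subnet_of(net) for net in excluded)
    return covered and not shielded


def fix_virtual_private(virtual_private, leftsubnet):
    """Return virtual_private with a !%v4: exclusion for leftsubnet if needed."""
    if not local_subnet_conflicts(virtual_private, leftsubnet):
        return virtual_private
    return f"{virtual_private},!%v4:{leftsubnet}"


# Values taken from the ipsec.conf quoted in this thread.
VP = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"
LEFT = "192.168.50.0/24"

if __name__ == "__main__":
    print(local_subnet_conflicts(VP, LEFT))
    print(fix_virtual_private(VP, LEFT))
```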