[Openswan Users] Problems with Windows XP roadwarrior and openswan gateway using X.509 Certs
Mike McLean
libolt at libolt.net
Tue Sep 14 15:14:38 CEST 2004
On Mon, 2004-09-13 at 23:45, Paul Wouters wrote:
> On Mon, 13 Sep 2004, Mike McLean wrote:
>
> > conn kift-vpntestbox
> > left=%any
> > right=192.168.4.9
> > rightca="C=US, S=Arizona, L=Phoenix, O=Century 21 Metro Alliance, CN=metro.libolt.net, Email=libolt at libolt.net"
> > network=auto
> > auto=start
> > pfs=yes
>
> Note that there is no rightsubnet in any of these, so I guess it
> is meant to be a host-host tunnel. But on the openswan side all
> conns include the rightsubnet, so this one will never come up.
>
> > The following is my ipsec.conf portion for the openswan system
> >
> >
> > conn kift-vpntestbox
> > right=%any
> > rightsubnet=192.168.24.0/24
> > rightcert=kift.libolt.net.pem
> > left=%defaultroute
> > leftsubnet=192.168.25.0/24
>
> I don't think you want the leftsubnet here.
>
> > leftcert=vpntestbox.libolt.net.pem
> > auto=add
> > pfs=yes
> >
> > conn kift-vpntestbox-net
> > leftsubnet=192.168.25.0/24
>
> Since it appears here again.
>
> > also=kift-vpntestbox
>
>
> Paul
Hi Paul,
Thanks for the tips. I still do not have it working, but I have made some
changes and seem to have made further progress. I removed the
192.168.24.0/24 subnet from the Windows computer; I only want it to be
able to connect to the VPN. I am now able to see the Windows box trying
to make a connection from the openswan box.
I get the following:
Sep 14 14:10:59 vpntestbox pluto[5863]: packet from 192.168.4.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: responding to Main Mode from unknown peer 192.168.4.100
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: transition from state (null) to state STATE_MAIN_R1
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: Peer ID is ID_DER_ASN1_DN: 'C=US,ST=Arizona, L=Glendale, O=Century 21 Metro Alliance, OU=Kift, CN=kift.libolt.net, E=libolt at libolt.net'
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: crl update is overdue since Nov 19 23:46:14 UTC 2003
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: crl update is overdue since Nov 19 23:46:14 UTC 2003
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: sent MR3, ISAKMP SA established
+ _________________________ date
+ date
Tue Sep 14 14:11:09 MST 2004
On the XP machine when I try to ping a system connected to the openswan
box I now get "Negotiating IP Security." but no actual ping responses.
The following is my current Windows XP configuration:
conn kift-vpntestbox
right=%any
left=192.168.4.9
leftsubnet=192.168.25.0/24
leftca="C=US, S=Arizona,L=Phoenix,O=Century 21 Metro Alliance,CN=metro.libolt.net,Email=libolt at libolt.net"
network=auto
auto=start
pfs=yes
conn kift-vpntestbox-net
right=%any
left=192.168.4.9
leftca="C=US,S=Arizona,L=Phoenix,O=Century 21 Metro Alliance,CN=metro.libolt.net,Email=libolt at libolt.net"
network=auto
auto=start
pfs=yes
The following is my current openswan configuration.
conn kift-vpntestbox
right=%any
rightcert=kift.libolt.net.pem
left=%defaultroute
leftsubnet=192.168.25.0/24
leftcert=vpntestbox.libolt.net.pem
auto=add
pfs=yes
conn kift-vpntestbox-net
leftsubnet=192.168.25.0/24
also=kift-vpntestbox
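The pluto log above shows Main Mode completing ("ISAKMP SA established") with no IPsec SA ever reported, which matches the ping hanging at "Negotiating IP Security." The following is an added triage script, not code from the original post or from the Openswan project: it parses pluto log lines of the format shown above (the sample log is constructed from the lines in the post) and reports, per connection and peer, whether Phase 1 finished without Phase 2, along with the peer ID and any CRL-overdue warnings.

```python
import re

# Constructed sample: the pluto lines from the post above, unwrapped.
SAMPLE_LOG = """\
Sep 14 14:10:59 vpntestbox pluto[5863]: packet from 192.168.4.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: responding to Main Mode from unknown peer 192.168.4.100
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: transition from state (null) to state STATE_MAIN_R1
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: Peer ID is ID_DER_ASN1_DN: 'C=US,ST=Arizona, L=Glendale, O=Century 21 Metro Alliance, OU=Kift, CN=kift.libolt.net, E=libolt at libolt.net'
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: crl update is overdue since Nov 19 23:46:14 UTC 2003
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: crl update is overdue since Nov 19 23:46:14 UTC 2003
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 14 14:10:59 vpntestbox pluto[5863]: "kift-vpntestbox"[1] 192.168.4.100 #1: sent MR3, ISAKMP SA established
"""

# A per-state pluto message: "conn"[instance] peer #state-number: text
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")
PEER_ID_RE = re.compile(r"Peer ID is (\S+): '(.*)'")

def triage_pluto_log(text):
    """Summarise pluto negotiation progress per (conn, peer) pair."""
    summary = {}
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue  # lines without a state number (e.g. Vendor ID notices)
        s = summary.setdefault((m["conn"], m["peer"]), {
            "states": set(), "last_state": None, "isakmp_sa": False,
            "ipsec_sa": False, "crl_overdue": 0, "peer_id": None})
        s["states"].add(int(m["sa"]))
        msg = m["msg"]
        t = TRANSITION_RE.search(msg)
        if t:
            s["last_state"] = t.group(2)
        if "ISAKMP SA established" in msg:
            s["isakmp_sa"] = True   # Phase 1 (Main Mode) finished
        if "IPsec SA established" in msg:
            s["ipsec_sa"] = True    # Phase 2 (Quick Mode) finished
        if "crl update is overdue" in msg:
            s["crl_overdue"] += 1   # revocation data is stale
        p = PEER_ID_RE.search(msg)
        if p:
            s["peer_id"] = p.group(2)
    return summary

def phase1_only(summary):
    """(conn, peer) pairs where Main Mode finished but no IPsec SA was established."""
    return [k for k, s in summary.items() if s["isakmp_sa"] and not s["ipsec_sa"]]
```

Feed it the full pluto log (for example `grep pluto /var/log/auth.log`) rather than a single attempt to see whether a later Quick Mode state ever reaches "IPsec SA established".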