[Openswan Users] Help for Pocket PC 2003

Michael Tinsay tinsami1 at yahoo.com
Sat Aug 27 06:13:48 CEST 2005


Hi,


--- Jacco de Leeuw <jacco2 at dds.nl> wrote:

> You don't need to hook it up to an actual LAN yet, but
> there should be at least two network interface cards.
> And the subnet of the internal network card should be
> excluded in virtual_private.

Ok.  Will an alias (a.k.a. eth0:1) suffice?  Or will I
need a second physical network card?

> 
> > Tried it also with openssl certs using Nate Carlson's
> > steps.  Same result.  But I'll try to review it again.
> 
> I don't recall Nate writing about Pocket PCs. Do you have
> a link for me on that?

You're absolutely right.  What I meant was that I
followed Nate's instructions with regards to creating
openssl certificates.  And then followed your
instructions on how to import them into the Pocket PC
device.


> 
> > Below is a tcpdump result of the testing:
> 
> I'm very bad at interpreting raw tcpdumps but I don't
> seem to notice any ESP (IP proto 50) or NAT-T (UDP 4500)
> packets. Is your firewall blocking these, by any chance?

My firewall is not.  But I have to check with my telco
provider.  Also I think the problem is in my
provider's gateway.  Here's my test setup:

(a) PDA roadwarrior setup
PDA <--> GPRS <--> telco gateway <--> Internet <--> VPN test server

(b) PC roadwarrior (NATed) setup (PC with Win XP SP2)
PC <--> lan <--> fw/vpn gw <--> Internet <--> VPN test server

Setup (b) works on my test server's config, but (a)
hangs/times out on "transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2"

So the problem must be somewhere in the left side of (a)'s
setup.  So I made another setup as:

PC <--> PDA as GPRS modem <--> GPRS <--> telco gw <--> Internet <--> VPN test server

And I get the same result as (a) above.

So now, I'm thinking the problem may be in the telco
gateway.  I'd like to discuss this with my telco rep. 
My question now is: what is taking place between
STATE_MAIN_R2 and STATE_MAIN_R3?

I can post the XP PC's oakley.log if it would help.

I'll also be trying other telco networks.

> > Tested with Trustix 3.0 (ipsec --version result:
> > "Linux Openswan U2.3.1/K2.6.12.4-2tr (netkey)").
> > Still same result.
>
> In that case I don't think it can be an issue in Openswan
> or Pocket PC because this is supposed to work. Perhaps it
> is a firewall issue, as I suggested above.
>
> > Which particular client is known to work best with
> > Openswan?
>
> I don't own a Pocket PC so I don't have any first hand
> experience. But I have seen the NCP client working with
> my own eyes connecting to Astaro Linux (=Openswan). That
> does not mean I can vouch for it or that the others are
> bad. Sorry I can't be more specific.

Thank you for your insights.  I'll have to discuss
things first with my telco provider.  I don't think
using 3rd party IPsec makes any difference if the
telco's gateway/firewall is not allowing the proper
traffic to flow through.


> 
> Jacco
> -- 
> Jacco de Leeuw                        mailto:jacco2 at dds.nl
> Zaandam, The Netherlands          http://www.jacco2.dds.nl
> 


With warm regards.


--- mike t.
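
The check Jacco describes in the quoted text (looking for ESP, IP proto 50, or NAT-T, UDP 4500, in the capture) can be done mechanically. The following is an added example, not part of the original message; it assumes IPv4 text output from `tcpdump -n`, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

LINE = re.compile(r"IP (\S+) > (\S+): (.*)")

# Constructed sample: IKE on UDP 500 only, client behind NAT (source port 1027).
SERVER = "198.51.100.20"
SAMPLE = [
    "06:10:01.000001 IP 203.0.113.7.1027 > 198.51.100.20.500: isakmp: phase 1 I ident",
    "06:10:01.200001 IP 198.51.100.20.500 > 203.0.113.7.1027: isakmp: phase 1 R ident",
    "06:10:02.000001 IP 203.0.113.7.1027 > 198.51.100.20.500: isakmp: phase 1 I ident",
    "06:10:02.500001 IP 203.0.113.7.40000 > 198.51.100.20.53: 1234+ A? example.com. (29)",
]

def split_endpoint(ep):
    """'1.2.3.4.500' -> ('1.2.3.4', 500); '1.2.3.4' -> ('1.2.3.4', None)."""
    parts = ep.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return ep, None

def classify(line):
    """Return (src_ip, kind) for IKE/NAT-T/ESP lines, else None."""
    m = LINE.search(line)
    if not m:
        return None
    src, sport = split_endpoint(m.group(1))
    _, dport = split_endpoint(m.group(2))
    if sport is None and m.group(3).startswith("ESP("):
        return src, "esp"      # IP protocol 50, no ports
    if 4500 in (sport, dport):
        return src, "nat-t"    # UDP 4500 (IKE or UDP-encapsulated ESP)
    if 500 in (sport, dport):
        return src, "ike"      # UDP 500
    return None

def summarize(lines, server_ip):
    """Count IPsec-related packets per (kind, direction)."""
    seen = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            direction = "from_server" if hit[0] == server_ip else "to_server"
            seen[(hit[1], direction)] += 1
    return seen

def tunnel_traffic_seen(seen):
    """True if any ESP or UDP 4500 packet appeared in either direction."""
    return any(kind in ("esp", "nat-t") for kind, _ in seen)

if __name__ == "__main__":
    counts = summarize(SAMPLE, SERVER)
    print(dict(counts), "tunnel traffic seen:", tunnel_traffic_seen(counts))
```

Run on a capture taken at the VPN server, counts that show only `ike` entries match what Jacco observed: negotiation on UDP 500 with no UDP 4500 or ESP packets arriving.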

