[Openswan Users] PSK works RSA does not
Eray Aslan
eray.aslan at caf.com.tr
Wed Feb 9 08:49:25 CET 2005
Hi,
I am trying to set up an Openswan server with WinXP roadwarrior clients. The server is not NATed. Some clients are and some aren't (the test client is not NATed). PSK works all right: IPsec is established and I can ping, connect to shares in the internal LAN etc. However, I cannot establish a connection with self-signed certificates. Certificate installation was done by following the excellent howto by Jacco de Leeuw. No errors on the server or at the client side.

Funny thing is, when trying to connect to Openswan with certificates, pluto just sits there. No logs. So I cannot really figure out what is wrong. Iptables on the server allows protocol 50 and udp ports 50 and 4500 in and out. And since the settings work with PSK, I don't think it is the firewall that is causing the problem (and there are no dropped packets in the logs either). Ping works, by the way. So the connection is there.
What am I missing? Any pointers in the right direction are highly appreciated.
Ipsec.conf and pluto startup logs are below.
Thanks in advance.
Eray
Fedora Core 3, kernel 2.6.10
Openswan 2.3.0
ipsec.conf:
---------------------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
# Parameter lines must be indented: a line starting in column 0 begins a new section.
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        klipsdebug=none
        plutodebug=none
        interfaces=%defaultroute
        overridemtu=1410
        nat_traversal=yes
        # RFC 1918 ranges a NATed client may present as its inner address
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        # certificate authentication: our public key comes from leftcert,
        # the peer's from the certificate it sends during IKE
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior-net
        leftsubnet=10.0.0.0/8
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-l2tp
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=my.public.ip
        # host certificate, looked up in /etc/ipsec.d/certs/
        leftcert=xx.xxx.xxxx.pem
        leftnexthop=81.215.200.1
        right=%any
        # accept NATed clients whose inner address is in virtual_private
        rightsubnet=vhost:%no,%priv
        auto=add

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
---------------------------------------------
Secure logs:
---------------------------------------------
Feb 8 21:26:00 fr1 ipsec__plutorun: Starting Pluto subsystem...
Feb 8 21:26:00 fr1 pluto[16810]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Feb 8 21:26:00 fr1 pluto[16810]: Setting port floating to on
Feb 8 21:26:00 fr1 pluto[16810]: port floating activate 1/1
Feb 8 21:26:00 fr1 pluto[16810]: including NAT-Traversal patch (Version 0.6c)
Feb 8 21:26:00 fr1 pluto[16810]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Feb 8 21:26:00 fr1 pluto[16810]: starting up 1 cryptographic helpers
Feb 8 21:26:00 fr1 pluto[16810]: started helper pid=16821 (fd:6)
Feb 8 21:26:00 fr1 pluto[16810]: Using Linux 2.6 IPsec interface code
Feb 8 21:26:00 fr1 pluto[16810]: Changing to directory '/etc/ipsec.d/cacerts'
Feb 8 21:26:00 fr1 pluto[16810]: loaded CA cert file 'cacert.pem' (1432 bytes)
Feb 8 21:26:00 fr1 pluto[16810]: Could not change to directory '/etc/ipsec.d/aacerts'
Feb 8 21:26:00 fr1 pluto[16810]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Feb 8 21:26:00 fr1 pluto[16810]: Changing to directory '/etc/ipsec.d/crls'
Feb 8 21:26:00 fr1 pluto[16810]: loaded crl file 'crl.pem' (625 bytes)
Feb 8 21:26:01 fr1 pluto[16810]: loaded host cert file '/etc/ipsec.d/certs/xx.xxx.xxxx.pem' (4720 bytes)
Feb 8 21:26:01 fr1 pluto[16810]: added connection description "roadwarrior-l2tp"
Feb 8 21:26:01 fr1 pluto[16810]: loaded host cert file '/etc/ipsec.d/certs/xx.xxx.xxxx.pem' (4720 bytes)
Feb 8 21:26:01 fr1 pluto[16810]: added connection description "roadwarrior"
Feb 8 21:26:01 fr1 pluto[16810]: loaded host cert file '/etc/ipsec.d/certs/xx.xxx.xxxx.pem' (4720 bytes)
Feb 8 21:26:01 fr1 pluto[16810]: added connection description "roadwarrior-all"
Feb 8 21:26:01 fr1 pluto[16810]: loaded host cert file '/etc/ipsec.d/certs/xx.xxx.xxxx.pem' (4720 bytes)
Feb 8 21:26:01 fr1 pluto[16810]: added connection description "roadwarrior-net"
Feb 8 21:26:02 fr1 pluto[16810]: loaded host cert file '/etc/ipsec.d/certs/xx.xxx.xxxx.pem' (4720 bytes)
Feb 8 21:26:02 fr1 pluto[16810]: added connection description "roadwarrior-l2tp-updatedwin"
Feb 8 21:26:02 fr1 pluto[16810]: listening for IKE messages
Feb 8 21:26:02 fr1 pluto[16810]: adding interface eth2/eth2 10.0.0.1
Feb 8 21:26:02 fr1 pluto[16810]: adding interface eth2/eth2 10.0.0.1:4500
Feb 8 21:26:02 fr1 pluto[16810]: adding interface eth1/eth1 10.0.2.1
Feb 8 21:26:02 fr1 pluto[16810]: adding interface eth1/eth1 10.0.2.1:4500
Feb 8 21:26:02 fr1 pluto[16810]: adding interface eth0/eth0 my.public.ip
Feb 8 21:26:02 fr1 pluto[16810]: adding interface eth0/eth0 my.public.ip:4500
Feb 8 21:26:02 fr1 pluto[16810]: adding interface lo/lo 127.0.0.1
Feb 8 21:26:02 fr1 pluto[16810]: adding interface lo/lo 127.0.0.1:4500
Feb 8 21:26:02 fr1 pluto[16810]: adding interface lo/lo ::1
Feb 8 21:26:02 fr1 pluto[16810]: loading secrets from "/etc/ipsec.secrets"
Feb 8 21:26:02 fr1 pluto[16810]: loaded private key file '/etc/ipsec.d/private/xx.xxx.xxxx.key' (2760 bytes)
And then nothing. No more logs.
---------------------------------------------
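The log above stops after Pluto loads its private key and never shows an incoming IKE exchange, which is the point a practitioner would want to pin down before touching certificates. The following script is an added example (not part of the original post or of Openswan) that reads a Pluto log and reports the furthest milestone reached and what to check next. The milestone and failure substrings are taken from Openswan 2.x Pluto messages as I remember them and should be adjusted for another version; the two sample logs are constructed for this example and use a documentation address (203.0.113.5) for the peer.

```python
"""Triage a Pluto (Openswan 2.x) log for a certificate-based road-warrior
connection: how far did the negotiation get, and what should be checked next?
Added example, not code from the original post or from Openswan."""
import re

# Milestones in the order a successful X.509 road-warrior connection logs them.
# Substrings are from Openswan 2.x Pluto messages (adjust for other versions).
MILESTONES = [
    ("ca_loaded",          "loaded CA cert file"),
    ("host_cert_loaded",   "loaded host cert file"),
    ("listening",          "listening for IKE messages"),
    ("private_key_loaded", "loaded private key file"),
    ("ike_received",       "responding to Main Mode from unknown peer"),
    ("peer_id_from_cert",  "Main mode peer ID is ID_DER_ASN1_DN"),
    ("isakmp_sa",          "ISAKMP SA established"),
    ("ipsec_sa",           "IPsec SA established"),
]

# Messages that explain a stalled negotiation when they appear.
FAILURE_MARKERS = [
    "X.509 certificate rejected",
    "no RSA public key known for",
    "no suitable connection for peer",
    "unable to locate my private key",
    "cannot respond to IPsec SA request",
]

_PLUTO_LINE = re.compile(r"pluto\[\d+\]: (?P<msg>.*)$")


def advice_for(milestone):
    """Next diagnostic step, keyed on the furthest milestone reached."""
    if milestone in ("none", "ca_loaded", "host_cert_loaded"):
        return ("Pluto never reached 'listening for IKE messages'; fix the "
                "startup errors first.")
    if milestone == "listening":
        return ("No private key was loaded: check the ': RSA <keyfile>' "
                "entry in /etc/ipsec.secrets matches leftcert.")
    if milestone == "private_key_loaded":
        return ("Startup completed but no IKE exchange was logged, so no "
                "packet reached Pluto. Capture on the outside interface "
                "(tcpdump -ni eth0 'udp port 500 or udp port 4500') before "
                "suspecting the certificates.")
    if milestone == "ike_received":
        return ("The peer's first exchange arrived but no certificate-based "
                "ID was accepted; see the failure messages.")
    if milestone == "peer_id_from_cert":
        return ("The peer presented a certificate but Phase 1 never completed; "
                "check the CA, CRL and leftid/rightid against the failures.")
    if milestone == "isakmp_sa":
        return ("Phase 1 completed, Phase 2 (Quick Mode) failed: check "
                "leftsubnet/rightsubnet and leftprotoport/rightprotoport.")
    return "IPsec SA established; the tunnel is up."


def triage(log_text):
    """Return the furthest milestone, the failure messages seen, and advice."""
    furthest = -1
    failures = []
    for line in log_text.splitlines():
        m = _PLUTO_LINE.search(line)
        if not m:
            continue  # not a pluto line (e.g. ipsec__plutorun)
        msg = m.group("msg")
        for idx, (_, needle) in enumerate(MILESTONES):
            if needle in msg:
                furthest = max(furthest, idx)  # keep the furthest stage
        for needle in FAILURE_MARKERS:
            if needle in msg:
                failures.append(msg)
    name = MILESTONES[furthest][0] if furthest >= 0 else "none"
    return {"last_milestone": name, "failures": failures,
            "advice": advice_for(name)}


# Constructed sample 1: startup only, as in the post (nothing after the key).
SAMPLE_SILENT = """\
Feb  8 21:26:00 fr1 ipsec__plutorun: Starting Pluto subsystem...
Feb  8 21:26:00 fr1 pluto[16810]: loaded CA cert file 'cacert.pem' (1432 bytes)
Feb  8 21:26:01 fr1 pluto[16810]: loaded host cert file '/etc/ipsec.d/certs/xx.pem' (4720 bytes)
Feb  8 21:26:02 fr1 pluto[16810]: listening for IKE messages
Feb  8 21:26:02 fr1 pluto[16810]: loaded private key file '/etc/ipsec.d/private/xx.key' (2760 bytes)
"""

# Constructed sample 2: a peer does reach Pluto, but its certificate is rejected.
SAMPLE_CERT_REJECTED = SAMPLE_SILENT + """\
Feb  8 21:30:00 fr1 pluto[16810]: responding to Main Mode from unknown peer 203.0.113.5
Feb  8 21:30:01 fr1 pluto[16810]: Main mode peer ID is ID_DER_ASN1_DN: 'C=TR, O=Example, CN=client'
Feb  8 21:30:01 fr1 pluto[16810]: X.509 certificate rejected
Feb  8 21:30:01 fr1 pluto[16810]: no RSA public key known for 'C=TR, O=Example, CN=client'
"""

if __name__ == "__main__":
    for label, sample in (("silent", SAMPLE_SILENT),
                          ("rejected", SAMPLE_CERT_REJECTED)):
        print(label, triage(sample))
```

Run against the posted log, the script stops at `private_key_loaded`, which is the useful reading: Pluto is not silently failing certificate validation, it simply has not logged any IKE packet, so the next check belongs on the wire (and on the client) rather than in /etc/ipsec.d.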