[Openswan Users] PSK works RSA does not

Eray Aslan eray.aslan at caf.com.tr
Wed Feb 9 08:49:25 CET 2005


Hi,

I am trying to set up an Openswan server with WinXP roadwarrior clients.  Server is not natted.  Some clients are and some aren't (test client is not natted).  PSK works all right.  IPSec is established and I can ping, connect to shares in the internal LAN etc.  However, I cannot establish a connection with self-signed certificates.  Certificate installation was done by following the excellent howto by Jacco de Leeuw.  No errors on the server or at the client side.

Funny thing is, when trying to connect to openswan with certificates, pluto just sits there.  No logs.  So I cannot really figure out what is wrong.  Iptables on the server allows protocol 50 and udp ports 50 and 4500 in and out.  And since the settings work with PSK, I don't think it is the firewall that is causing the problem (and there are no dropped packets in the logs as well).  Ping works by the way.  So the connection is there.

What am I missing?  Any pointers in the right direction are highly appreciated.

Ipsec.conf and pluto startup logs are below.

Thanks in advance.
Eray

Fedora Core 3, kernel 2.6.10
Openswan 2.3.0


ipsec.conf:
---------------------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	klipsdebug=none
	plutodebug=none
	interfaces=%defaultroute
	overridemtu=1410
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
	keyingtries=1
	compress=yes
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	type=tunnel
	keyexchange=ike
	ikelifetime=240m
	keylife=60m

conn roadwarrior-net
	leftsubnet=10.0.0.0/8
	also=roadwarrior

conn roadwarrior-all
	leftsubnet=0.0.0.0/0
	also=roadwarrior

conn roadwarrior-l2tp
	leftprotoport=17/0
	rightprotoport=17/1701
	also=roadwarrior

conn roadwarrior-l2tp-updatedwin
	leftprotoport=17/1701
	rightprotoport=17/1701
	also=roadwarrior

conn roadwarrior
	pfs=no
	left=my.public.ip
	leftcert=xx.xxx.xxxx.pem
	leftnexthop=81.215.200.1
	right=%any
	rightsubnet=vhost:%no,%priv
	auto=add

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
---------------------------------------------

Secure logs:
---------------------------------------------
Feb  8 21:26:00 fr1 ipsec__plutorun: Starting Pluto subsystem...
Feb  8 21:26:00 fr1 pluto[16810]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Feb  8 21:26:00 fr1 pluto[16810]: Setting port floating to on
Feb  8 21:26:00 fr1 pluto[16810]: port floating activate 1/1
Feb  8 21:26:00 fr1 pluto[16810]:   including NAT-Traversal patch (Version 0.6c)
Feb  8 21:26:00 fr1 pluto[16810]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Feb  8 21:26:00 fr1 pluto[16810]: starting up 1 cryptographic helpers
Feb  8 21:26:00 fr1 pluto[16810]: started helper pid=16821 (fd:6)
Feb  8 21:26:00 fr1 pluto[16810]: Using Linux 2.6 IPsec interface code
Feb  8 21:26:00 fr1 pluto[16810]: Changing to directory '/etc/ipsec.d/cacerts'
Feb  8 21:26:00 fr1 pluto[16810]:   loaded CA cert file 'cacert.pem' (1432 bytes)
Feb  8 21:26:00 fr1 pluto[16810]: Could not change to directory '/etc/ipsec.d/aacerts'
Feb  8 21:26:00 fr1 pluto[16810]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Feb  8 21:26:00 fr1 pluto[16810]: Changing to directory '/etc/ipsec.d/crls'
Feb  8 21:26:00 fr1 pluto[16810]:   loaded crl file 'crl.pem' (625 bytes)
Feb  8 21:26:01 fr1 pluto[16810]:   loaded host cert file '/etc/ipsec.d/certs/xx.xxx.xxxx.pem' (4720 bytes)
Feb  8 21:26:01 fr1 pluto[16810]: added connection description "roadwarrior-l2tp"
Feb  8 21:26:01 fr1 pluto[16810]:   loaded host cert file '/etc/ipsec.d/certs/xx.xxx.xxxx.pem' (4720 bytes)
Feb  8 21:26:01 fr1 pluto[16810]: added connection description "roadwarrior"
Feb  8 21:26:01 fr1 pluto[16810]:   loaded host cert file '/etc/ipsec.d/certs/xx.xxx.xxxx.pem' (4720 bytes)
Feb  8 21:26:01 fr1 pluto[16810]: added connection description "roadwarrior-all"
Feb  8 21:26:01 fr1 pluto[16810]:   loaded host cert file '/etc/ipsec.d/certs/xx.xxx.xxxx.pem' (4720 bytes)
Feb  8 21:26:01 fr1 pluto[16810]: added connection description "roadwarrior-net"
Feb  8 21:26:02 fr1 pluto[16810]:   loaded host cert file '/etc/ipsec.d/certs/xx.xxx.xxxx.pem' (4720 bytes)
Feb  8 21:26:02 fr1 pluto[16810]: added connection description "roadwarrior-l2tp-updatedwin"
Feb  8 21:26:02 fr1 pluto[16810]: listening for IKE messages
Feb  8 21:26:02 fr1 pluto[16810]: adding interface eth2/eth2 10.0.0.1
Feb  8 21:26:02 fr1 pluto[16810]: adding interface eth2/eth2 10.0.0.1:4500
Feb  8 21:26:02 fr1 pluto[16810]: adding interface eth1/eth1 10.0.2.1
Feb  8 21:26:02 fr1 pluto[16810]: adding interface eth1/eth1 10.0.2.1:4500
Feb  8 21:26:02 fr1 pluto[16810]: adding interface eth0/eth0 my.public.ip
Feb  8 21:26:02 fr1 pluto[16810]: adding interface eth0/eth0 my.public.ip:4500
Feb  8 21:26:02 fr1 pluto[16810]: adding interface lo/lo 127.0.0.1
Feb  8 21:26:02 fr1 pluto[16810]: adding interface lo/lo 127.0.0.1:4500
Feb  8 21:26:02 fr1 pluto[16810]: adding interface lo/lo ::1
Feb  8 21:26:02 fr1 pluto[16810]: loading secrets from "/etc/ipsec.secrets"
Feb  8 21:26:02 fr1 pluto[16810]:   loaded private key file '/etc/ipsec.d/private/xx.xxx.xxxx.key' (2760 bytes)

And then nothing. No more logs.
---------------------------------------------
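The startup log above shows pluto loading a CA cert, a CRL, the host cert and the private key, but it says nothing about whether those pieces actually belong together, which is the first thing to rule out when a %cert connection silently never gets past IKE. The script below is an added example, not code from the original post or from Openswan: it checks that the host cert chains to the CA in cacerts, that the private key named in ipsec.secrets is the key for that cert, that the cert has not expired, and that ipsec.secrets has the ": RSA <keyfile>" line pluto needs for certificate authentication. It assumes only the openssl command-line tool; the CA, host cert, the "unrelated" CA and the ipsec.secrets it builds in a temporary directory are constructed test data, and all file names in it are hypothetical.

```shell
#!/bin/sh
# Added diagnostic script (not part of the original post or of Openswan).
# Verifies that the X.509 material pluto loads at startup is consistent:
# host cert chains to the CA, private key matches the cert, cert is valid
# now, and ipsec.secrets carries a ': RSA <keyfile>' line. Needs openssl(1).

# Usage: check_cert_chain CAFILE CERT -> 0 if CERT verifies against CAFILE
check_cert_chain() {
    # Match the trailing ': OK' instead of trusting the exit code: old
    # OpenSSL 1.0 'verify' exits 0 even when verification fails.
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Usage: check_key_matches CERT KEY -> 0 if KEY is the private key for CERT
check_key_matches() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Usage: check_cert_valid_now CERT -> 0 if CERT has not expired
check_cert_valid_now() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Usage: check_secrets_has_rsa SECRETS KEYFILE -> 0 if an uncommented
# ': RSA KEYFILE' line is present (the form pluto expects for %cert conns)
check_secrets_has_rsa() {
    grep -Eq "^[[:space:]]*:[[:space:]]+RSA[[:space:]]+$2" "$1"
}

# Run every check on one server's material, print one line per check and
# return the number of failures. Paths must not contain whitespace.
audit_server_pki() {
    ca=$1; cert=$2; key=$3; secrets=$4; failures=0
    for check in "check_cert_chain $ca $cert" \
                 "check_key_matches $cert $key" \
                 "check_cert_valid_now $cert" \
                 "check_secrets_has_rsa $secrets $key"; do
        if $check; then
            echo "PASS: $check"
        else
            echo "FAIL: $check"; failures=$((failures + 1))
        fi
    done
    return $failures
}

# Constructed test PKI in DIR: a CA, a host cert it signed, a second,
# unrelated CA (to show a chain failure), and a minimal ipsec.secrets.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=Test VPN CA" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" -subj "/CN=Unrelated CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/host.key" -out "$dir/host.csr" -subj "/CN=vpn.example.test" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/host.pem" 2>/dev/null
    # Hypothetical ipsec.secrets entry, in the form Openswan reads for RSA keys
    printf ': RSA %s\n' "$dir/host.key" > "$dir/ipsec.secrets"
}

# Demonstration run against the constructed PKI
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
audit_server_pki "$demo_dir/ca.pem" "$demo_dir/host.pem" "$demo_dir/host.key" "$demo_dir/ipsec.secrets"
echo "--- same host cert checked against the wrong CA ---"
audit_server_pki "$demo_dir/other-ca.pem" "$demo_dir/host.pem" "$demo_dir/host.key" "$demo_dir/ipsec.secrets" || true
rm -rf "$demo_dir"
```

On a real server you would call audit_server_pki with /etc/ipsec.d/cacerts/cacert.pem, /etc/ipsec.d/certs/<host>.pem, /etc/ipsec.d/private/<host>.key and /etc/ipsec.secrets. A FAIL on the chain check means the client-side CA and the server-side CA are not the same issuer, which pluto does not report at startup; if every check passes, the next step is confirming with tcpdump on UDP 500/4500 that the client's IKE packets reach the box at all, since a completely silent pluto usually means no proposal ever arrived or matched.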
