[Openswan Users] XP + openswan - no connection has been authorize
Paulo Ricardo Bruck
pauloric at contato.com.br
Sat Feb 19 15:45:51 CET 2005
Hi guys
After reading Nate Carlson's 4 times I decided to ask for help..90)
I followed the troubleshooting but I still can't connect a WinXP w/
Openswan (and I am certainly doing some nerd error, but after 3 weeks
looking at the problem I can see nothing..80)
LAN to LAN w/ 2 Debians + openswan is OK.
Here is what I have
debian sarge w openswan 2.2.0-4 + kernel 2.6.8-2-386
________________________________________________________________________________
ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=all
    plutodebug="control parsing"
# Add connections here
conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn roadwarrior-net
    leftsubnet=192.168.0.0/255.255.255.0
    also=roadwarrior
conn roadwarrior
    left=%defaultroute
    leftcert=cerberus.lazzu.com.br.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    #auto=start
    auto=add
    pfs=yes
conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
_______________________________________________________________________________________
ipsec.secrets
: RSA cerberus.lazzu.com.br.key "secret"
_________________________________________________________________________________________
cerberus:~# ls -R /etc/ipsec.d/
/etc/ipsec.d/:
cacerts certs crls examples ocspcerts policies private
/etc/ipsec.d/cacerts:
cacert.pem
/etc/ipsec.d/certs:
cerberus.lazzu.com.br.pem ronaldo.lazzu.com.br.pem
/etc/ipsec.d/crls:
crl.pem
/etc/ipsec.d/examples:
no_oe.conf
/etc/ipsec.d/ocspcerts:
/etc/ipsec.d/policies:
block clear clear-or-private private private-or-clear
/etc/ipsec.d/private:
cerberus.lazzu.com.br.key ronaldo.lazzu.com.br.key
_______________________________________________________________________
cerberus:~/certificadora# cat x509_subject.txt
subject= /C=BR/ST=Sao_Paulo/O=Sherwin/OU=fabrica/CN=Ronaldo Tavares/emailAddress=ronaldo.tavares at lazzu.com.br
________________________________________________________________________
ipsec.conf at XP
conn roadwarrior
    left=%any
    right=200.245.xxx.xxx
    rightca="C=BR, S=Sao_Paulo, O=Sherwin, OU=fabrica,CN=Ronaldo Tavares, E=ronaldo.tavares at lazzu.com.br"
    network=auto
    auto=start
    pfs=yes
conn roadwarrior-net
    left=%any
    right=200.245.xxx.xxx
    rightsubnet=192.168.0.0/255.255.255.0
    rightca="C=BR, S=Sao_Paulo, O=Sherwin, OU=fabrica,CN=Ronaldo Tavares, E=ronaldo.tavares at lazzu.com.br"
    network=auto
    auto=start
    pfs=yes
_______________________________________________________________________
openswan log:
Feb 19 14:46:41 cerberus pluto[31783]: | **parse ISAKMP Message:
Feb 19 14:46:41 cerberus pluto[31783]: | initiator cookie:
Feb 19 14:46:41 cerberus pluto[31783]: | 69 69 8b 08 d1 99 0f 22
Feb 19 14:46:41 cerberus pluto[31783]: | responder cookie:
Feb 19 14:46:41 cerberus pluto[31783]: | 00 00 00 00 00 00 00 00
Feb 19 14:46:41 cerberus pluto[31783]: | next payload type: ISAKMP_NEXT_SA
Feb 19 14:46:41 cerberus pluto[31783]: | ISAKMP version: ISAKMP Version 1.0
Feb 19 14:46:41 cerberus pluto[31783]: | exchange type: ISAKMP_XCHG_IDPROT
Feb 19 14:46:41 cerberus pluto[31783]: | flags: none
Feb 19 14:46:41 cerberus pluto[31783]: | message ID: 00 00 00 00
Feb 19 14:46:41 cerberus pluto[31783]: | length: 216
Feb 19 14:46:41 cerberus pluto[31783]: | ***parse ISAKMP Security Association Payload:
Feb 19 14:46:41 cerberus pluto[31783]: | next payload type: ISAKMP_NEXT_VID
Feb 19 14:46:41 cerberus pluto[31783]: | length: 164
Feb 19 14:46:41 cerberus pluto[31783]: | DOI: ISAKMP_DOI_IPSEC
Feb 19 14:46:41 cerberus pluto[31783]: | ***parse ISAKMP Vendor ID Payload:
Feb 19 14:46:41 cerberus pluto[31783]: | next payload type: ISAKMP_NEXT_NONE
Feb 19 14:46:41 cerberus pluto[31783]: | length: 24
Feb 19 14:46:41 cerberus pluto[31783]: packet from 200.226.158.94:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Feb 19 14:46:41 cerberus pluto[31783]: packet from 200.226.158.94:500: initial Main Mode message received on 200.245.92.130:500 but no connection has been authorize
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
_________________________________________________________________________________
I am always convinced that it is a problem w/ the XP certificate. If anyone
could help me or point me in the right direction I would be very happy.
thanks in advance
--
Paulo Ricardo Bruck - consultor
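As an added example (not code from the post or from the Openswan project), the script below layers conn parameters the way ipsec.conf(5) does, a conn's own keys first, then its also= sections, then conn %default, so you can see exactly what the gateway loaded for roadwarrior-net, and it puts a rightca DN and an OpenSSL subject line into one comparable form. ipsec.conf(5) describes leftca/rightca as the DN of a CA in the trust path of the peer's certificate, so a rightca that compares equal to the peer certificate's own subject is worth checking against the subject of cacert.pem. The sample text is trimmed from the post, and the S=/E= aliasing is an assumption.

```python
# Added example, not code from the post or from Openswan: layer conn
# parameters the way ipsec.conf(5) does (own keys, then also= sections, then
# conn %default) and put a rightca DN and an OpenSSL subject line into one form.

def parse_ipsec_conf(text):
    """{section: {key: [values]}}; headers are unindented, key=value lines indented."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip() or line.split()[0] in ('version', 'include'):
            continue
        if not line[0].isspace():                   # 'conn NAME' or 'config setup'
            cur = sections.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and '=' in line:
            k, _, v = line.strip().partition('=')
            cur.setdefault(k, []).append(v.strip())  # also= may repeat
    return sections

def resolve_conn(sections, name, seen=frozenset()):
    """Effective parameters of one conn; raises on an also= cycle."""
    if name in seen:
        raise ValueError(f'also= loop at {name}')
    eff = {k: v[-1] for k, v in sections[name].items() if k != 'also'}
    layers = sections[name].get('also', []) + ['%default']
    for target in (t for t in layers if t in sections and t != name):
        for k, v in resolve_conn(sections, target, seen | {name}).items():
            eff.setdefault(k, v)                     # earlier layers win
    return eff

def normalize_dn(dn):
    """(attr, value) pairs from OpenSSL '/C=..' or ipsec.conf 'C=.., ..' DN text."""
    dn = dn.strip().removeprefix('subject=').strip()
    parts = dn.split('/')[1:] if dn.startswith('/') else dn.split(',')
    alias = {'S': 'ST', 'E': 'emailAddress'}  # assumed aliases; values must not contain '/' or ','
    return tuple((alias.get(k.strip(), k.strip()), v.strip())
                 for k, _, v in (p.partition('=') for p in parts))

# Constructed from the post (trimmed): gateway conns, XP rightca, openssl subject.
GATEWAY = """\
conn %default
    authby=rsasig
conn roadwarrior-net
    leftsubnet=192.168.0.0/255.255.255.0
    also=roadwarrior
conn roadwarrior
    right=%any
    auto=add
"""
XP_RIGHTCA = 'C=BR, S=Sao_Paulo, O=Sherwin, OU=fabrica,CN=Ronaldo Tavares, E=ronaldo.tavares at lazzu.com.br'
LEAF_SUBJECT = 'subject= /C=BR/ST=Sao_Paulo/O=Sherwin/OU=fabrica/CN=Ronaldo Tavares/emailAddress=ronaldo.tavares at lazzu.com.br'
```

Run `resolve_conn(parse_ipsec_conf(open('/etc/ipsec.conf').read()), 'roadwarrior-net')` against a real gateway file to see the merged parameters, and compare `normalize_dn(XP_RIGHTCA)` with the `openssl x509 -subject -noout` output of each certificate in /etc/ipsec.d/cacerts and certs.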