[Openswan Users] XP + openswan - no connection has been authorize

Paulo Ricardo Bruck pauloric at contato.com.br
Sat Feb 19 15:45:51 CET 2005


Hi guys 

After reading Nate Carlson's 4 times I decided to ask for help..90)

I followed the troubleshooting but I still can't connect a WinXP w/
Openswan (and I am certainly doing some nerd error, but after 3 weeks
looking at the problem I can see nothing..80)

LAN to LAN w/ 2 Debians + Openswan is OK.


Here is what I have:
Debian sarge w/ openswan 2.2.0-4 + kernel 2.6.8-2-386

________________________________________________________________________________
ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug="control parsing"

# Add connections here
conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        leftsubnet=192.168.0.0/255.255.255.0
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        leftcert=cerberus.lazzu.com.br.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        #auto=start
        auto=add
        pfs=yes

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

_______________________________________________________________________________________
ipsec.secrets
: RSA cerberus.lazzu.com.br.key "secret"

_________________________________________________________________________________________
cerberus:~# ls -R /etc/ipsec.d/
/etc/ipsec.d/:
cacerts  certs  crls  examples  ocspcerts  policies  private

/etc/ipsec.d/cacerts:
cacert.pem

/etc/ipsec.d/certs:
cerberus.lazzu.com.br.pem  ronaldo.lazzu.com.br.pem

/etc/ipsec.d/crls:
crl.pem

/etc/ipsec.d/examples:
no_oe.conf

/etc/ipsec.d/ocspcerts:

/etc/ipsec.d/policies:
block  clear  clear-or-private  private  private-or-clear

/etc/ipsec.d/private:
cerberus.lazzu.com.br.key  ronaldo.lazzu.com.br.key
_______________________________________________________________________

cerberus:~/certificadora# cat x509_subject.txt
subject= /C=BR/ST=Sao_Paulo/O=Sherwin/OU=fabrica/CN=Ronaldo
Tavares/emailAddress=ronaldo.tavares at lazzu.com.br
________________________________________________________________________
ipsec.conf at XP

conn roadwarrior
        left=%any
        right=200.245.xxx.xxx
        rightca="C=BR, S=Sao_Paulo, O=Sherwin, OU=fabrica,CN=Ronaldo Tavares, E=ronaldo.tavares at lazzu.com.br"
        network=auto
        auto=start
        pfs=yes

conn roadwarrior-net
        left=%any
        right=200.245.xxx.xxx
        rightsubnet=192.168.0.0/255.255.255.0
        rightca="C=BR, S=Sao_Paulo, O=Sherwin, OU=fabrica,CN=Ronaldo Tavares, E=ronaldo.tavares at lazzu.com.br"
        network=auto
        auto=start
        pfs=yes

_______________________________________________________________________
openswan log:
Feb 19 14:46:41 cerberus pluto[31783]: | **parse ISAKMP Message:
Feb 19 14:46:41 cerberus pluto[31783]: |    initiator cookie:
Feb 19 14:46:41 cerberus pluto[31783]: |   69 69 8b 08  d1 99 0f 22
Feb 19 14:46:41 cerberus pluto[31783]: |    responder cookie:
Feb 19 14:46:41 cerberus pluto[31783]: |   00 00 00 00  00 00 00 00
Feb 19 14:46:41 cerberus pluto[31783]: |    next payload type: ISAKMP_NEXT_SA
Feb 19 14:46:41 cerberus pluto[31783]: |    ISAKMP version: ISAKMP Version 1.0
Feb 19 14:46:41 cerberus pluto[31783]: |    exchange type: ISAKMP_XCHG_IDPROT
Feb 19 14:46:41 cerberus pluto[31783]: |    flags: none
Feb 19 14:46:41 cerberus pluto[31783]: |    message ID:  00 00 00 00
Feb 19 14:46:41 cerberus pluto[31783]: |    length: 216
Feb 19 14:46:41 cerberus pluto[31783]: | ***parse ISAKMP Security Association Payload:
Feb 19 14:46:41 cerberus pluto[31783]: |    next payload type: ISAKMP_NEXT_VID
Feb 19 14:46:41 cerberus pluto[31783]: |    length: 164
Feb 19 14:46:41 cerberus pluto[31783]: |    DOI: ISAKMP_DOI_IPSEC
Feb 19 14:46:41 cerberus pluto[31783]: | ***parse ISAKMP Vendor ID Payload:
Feb 19 14:46:41 cerberus pluto[31783]: |    next payload type: ISAKMP_NEXT_NONE
Feb 19 14:46:41 cerberus pluto[31783]: |    length: 24
Feb 19 14:46:41 cerberus pluto[31783]: packet from 200.226.158.94:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Feb 19 14:46:41 cerberus pluto[31783]: packet from 200.226.158.94:500: initial Main Mode message received on 200.245.92.130:500 but no connection has been authorize
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

_________________________________________________________________________________

I am always convinced that it is a problem w/ the XP certificate. If anyone
could help me or point me in the right direction I would be very happy.

thanks in advance

-- 
Paulo Ricardo Bruck - consultor
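As an added example (not code from the post or from Openswan), here is a small Python triage script that runs over pluto log lines like the ones quoted above and reports, for every "no connection has been authorized" rejection, which local endpoint refused which peer and what Vendor ID that peer announced; the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the pluto output quoted in the post
# (addresses replaced with documentation ranges).
SAMPLE_LOG = """\
Feb 19 14:46:41 cerberus pluto[31783]: packet from 203.0.113.7:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Feb 19 14:46:41 cerberus pluto[31783]: packet from 203.0.113.7:500: initial Main Mode message received on 198.51.100.2:500 but no connection has been authorized
Feb 19 14:47:03 cerberus pluto[31783]: packet from 203.0.113.9:4500: initial Main Mode message received on 198.51.100.2:4500 but no connection has been authorized
Feb 19 14:47:03 cerberus pluto[31783]: packet from 203.0.113.7:500: initial Main Mode message received on 198.51.100.2:500 but no connection has been authorized
"""

# pluto prefixes diagnostics about an unmatched packet with "packet from <peer>:<port>:"
PKT_RE = re.compile(
    r"pluto\[\d+\]: packet from (?P<peer>[\d.]+):(?P<pport>\d+): (?P<msg>.*)$")
UNAUTH_RE = re.compile(
    r"initial (?P<mode>Main|Aggressive) Mode message received on "
    r"(?P<local>[\d.]+):(?P<lport>\d+) but no connection has been authorized")
VID_RE = re.compile(r"ignoring Vendor ID payload \[(?P<vid>[^\]]+)\]")


def parse_unauthorized(log_text):
    """Return one record per rejected IKE initiation.

    Each record carries the peer, the local endpoint pluto received the message
    on, and any Vendor ID the same peer announced earlier in the log, which
    identifies the client type (MS NT5 ISAKMPOAKLEY is the Windows 2000/XP
    built-in IKE). A peer source port of 4500 means the client is already
    using NAT-T encapsulation."""
    vendor_by_peer = {}
    records = []
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        peer, msg = m.group("peer"), m.group("msg")
        v = VID_RE.search(msg)
        if v:
            vendor_by_peer.setdefault(peer, []).append(v.group("vid"))
            continue
        u = UNAUTH_RE.search(msg)
        if u:
            records.append({
                "peer": f"{peer}:{m.group('pport')}",
                "local": f"{u.group('local')}:{u.group('lport')}",
                "mode": u.group("mode"),
                "vendor_ids": list(vendor_by_peer.get(peer, [])),
                "nat_t": m.group("pport") == "4500",
            })
    return records


def summarize(records):
    """Count rejections per (local endpoint, peer) so you can see which local
    address has no loaded conn (left= that address, right=%any) to match."""
    return Counter((r["local"], r["peer"]) for r in records)
```

Run it over the real /var/log/auth.log output and compare the "local" column against `ipsec auto --status` to see whether a conn for that interface address was actually loaded.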
