[Openswan Users] Help with Openswan setup SUSE 9.2 <-> Win2K
John Simeone
jsimeone at inplex.com
Fri Jan 21 07:57:57 CET 2005
Hello to everyone,
I sent a less complete message to the list co-incident with joining the
list and have not seen my item so I am reposting.
I am stymied on setting up ipsec on a SUSE 9.2 64 bit dual processor
Linux box. I am running Openswan U2.2.0/K2.6.8-24.5-smp (native).
The ultimate objective here is to connect two machines host to host
across a private WAN network: one, the SUSE box; the other, a Win2K SP3
with Marcus Müller's ipsec.exe routine.
192.168.3.100(Win2K) ---- Router ----- Router ---- Router ---- 192.168.32.2(SUSE 9.2)
There is no DNS Server running in the network.
I've followed Nate Carlson's very explicit Openswan how-to
(http://www.natecarlson.com/linux/ipsec-x509.php) to the letter.
I've reached the point where I have the CA cert and the host machine
certs generated. On the Linux box the CAcert (cacert.pem) is in
/etc/ipsec.d/cacerts. The host cert (host1.pem) is in
/etc/ipsec.d/certs. The host key (host1.key) is in /etc/ipsec.d/private.
My ipsec.conf file is:
version 2.0 # conforms to second version of ipsec.conf specification

config setup
        interfaces="ipsec0=eth0"

config %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsakey
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn host-host
        left=%defaultroute
        leftcert=host1.pem
        right=192.168.3.100
        rightid="C=CA, O=The Corporation, CN=Host2"
        rightrsasigkey=%cert
        auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

My /etc/ipsec.secrets file contains one line:
: RSA host1.key "password"
The ipsec script starts up without any error message but ipsec secrets
--verbose produces no output.
ipsec auto --listall comes up only with the CA cert and the CRL, no
Public keys.
I had no problems importing the Windows host cert into the MMC using
Carlson's instructions.
My ipsec.conf on Windows is:
conn host-to-host
        left=%any
        right=192.168.32.2
        rightca="C=CA, S=Ontario, L=Toronto, O=The Corporation, CN=INC Master Cert"
        rightid="C=CA, O=The Corporation, CN=Host1"
        rightrsasigkey=%cert
        network=auto
        auto=start
        pfs=yes

ipsec -debug on Windows produces three ipsecpol commands which all
execute without errors, the last associated with ipsec's "Activating
policy..." message.
Pinging the Host1 machine address from Windows produces four
"Negotiating IP Security" messages and then a ping stat report of 4 lost
packets. Running the ping command multiple times results in the same
output.
Can anyone offer some insights in how to proceed with debugging this
installation?
Any help would be much appreciated.
John
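
An added example, not part of the original post and not Openswan code: a small structural check for an ipsec.conf, based on the layout rules in ipsec.conf(5) (section headers start in column 0, parameters are indented, and the only config section is setup). The sample is constructed from settings quoted in the post; the function name and the authby value list are assumptions.

```python
# Assumption: section types and authby values follow ipsec.conf(5); adjust
# KNOWN_AUTHBY to the man page of the installed version.
SECTION_TYPES = {"config", "conn"}
KNOWN_AUTHBY = {"rsasig", "secret", "never"}

def lint_ipsec_conf(text):
    """Return (line_number, message) findings for structural problems."""
    findings, in_section = [], False
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # naive comment strip
        if not line.strip():
            continue
        if not raw[0].isspace():  # column 0: header, version or include
            words = line.split()
            in_section = words[0] in SECTION_TYPES
            if words[0] in ("version", "include"):
                continue
            if not in_section or len(words) != 2:
                findings.append((num, f"unknown section header {line!r}"))
            elif words[0] == "config" and words[1] != "setup":
                findings.append((num, f"'config {words[1]}' is not a section; "
                                      "defaults belong in 'conn %default'"))
            continue
        key, sep, value = line.strip().partition("=")
        if not in_section:
            findings.append((num, "parameter outside any section"))
        elif not sep:
            findings.append((num, f"expected name=value, got {line.strip()!r}"))
        elif key == "authby" and value.strip('"') not in KNOWN_AUTHBY:
            findings.append((num, f"authby={value} is not a known value"))
    return findings

# Constructed sample, reduced from the Linux-side configuration in the post.
SAMPLE = """\
version 2.0
config setup
    interfaces="ipsec0=eth0"
config %default
    keyingtries=1
    authby=rsakey
conn host-host
    left=%defaultroute
    leftcert=host1.pem
    right=192.168.3.100
    auto=start
include /etc/ipsec.d/examples/no_oe.conf
"""

if __name__ == "__main__":
    for num, message in lint_ipsec_conf(SAMPLE):
        print(f"line {num}: {message}")
```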