[Openswan Users] Re: Users Digest, Vol 14, Issue 36

foren titze foren.titze at gmx.net
Mon Jan 24 10:36:21 CET 2005


On Monday, 24 January 2005 09:32, users-request at openswan.org wrote:
>
> Today's Topics:
>
>    1. Re: Help with Openswan setup SUSE 9.2 <-> Win2K (John Simeone)
>    2. Forward of moderated message (mailman-bounces at lists.openswan.org)
>    3. Re: Forward of moderated message (Nico Baggus)
>    4. Tunnel to multiple subnets (Nicolas Ross)
>    5. Unusual packet loss (Philip Burrow)
>    6. RootCA expired, how to change?? (foren titze)
>    7. Re: RootCA expired, how to change?? (Andreas Steffen)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 23 Jan 2005 11:09:01 -0500
> From: John Simeone <jsimeone at inplex.com>
> Subject: [Openswan Users] Re: Help with Openswan setup SUSE 9.2 <->
>  Win2K
> To: users at openswan.org
> Message-ID: <41F3CC1D.6010506 at inplex.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>
> I have enclosed the messages generated by openswan on after a Win2K
> computer establishes a ipsec connection to the SUSE 9.2 Server and pings
> the Server.
>
> Müller's ipsec is running on the Win2K box.
>
> My ipsec.conf on Windows is:
>
> conn host-to-host
>  left=%any
>  right=192.168.32.2
>  rightca="C=CA, S=Ontario, L=Toronto, O=The Corporation, CN=INC Master Cert"
>  rightid="C=CA, O=The Corporation, CN=Buyer1"
>  rightrsasigkey=%cert
>  network=auto
>  auto=start
>  pfs=yes
>
> Müller's ipsec starts up without any problem and gives a "Activating
> policy ..." message before exiting. I followed his instructions
> precisely in setting up the MMC on the Win machine.
>
> It appears that the Win box is sending bad packets. Can anyone suggest
> next steps to debug this host-host connection.
>
> Thanks.
>
> John
> ______________________________________________________________________________
> pluto[31977]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4
> PLUTO_USES_KEYRR)
> pluto[31977]:   including NAT-Traversal patch (Version 0.6c) [disabled]
> pluto[31977]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> pluto[31977]: Using Linux 2.6 IPsec interface code
> pluto[31977]: Changing to directory '/etc/ipsec.d/cacerts'
> pluto[31977]:   loaded CA cert file 'cacert.pem' (1793 bytes)
> pluto[31977]: Could not change to directory '/etc/ipsec.d/aacerts'
> pluto[31977]: Could not change to directory '/etc/ipsec.d/ocspcerts'
> pluto[31977]: Changing to directory '/etc/ipsec.d/crls'
> pluto[31977]:   loaded crl file 'crl.pem' (743 bytes)
> pluto[31977]:   loaded host cert file '/etc/ipsec.d/certs/buyer1.pem'
> (4520 bytes)
> pluto[31977]: added connection description "host-host"
> pluto[31977]: listening for IKE messages
> pluto[31977]: adding interface eth0/eth0 192.168.32.2
> pluto[31977]: adding interface lo/lo 127.0.0.1
> pluto[31977]: adding interface lo/lo ::1
> pluto[31977]: loading secrets from "/etc/ipsec.secrets"
> pluto[31977]:   loaded private key file
> '/etc/ipsec.d/private/buyer1.key' (1704 bytes)
> pluto[31977]: "host-host" #1: initiating Main Mode
> ipsec__plutorun: 104 "host-host" #1: STATE_MAIN_I1: initiate
> ipsec__plutorun: ...could not start conn "host-host"
> pluto[31977]: packet from 192.168.3.100:500: ignoring Vendor ID payload
> [MS NT5 ISAKMPOAKLEY 00000002]
> pluto[31977]: "host-host" #2: responding to Main Mode
> pluto[31977]: "host-host" #2: transition from state (null) to state
> STATE_MAIN_R1
> pluto[31977]: "host-host" #2: transition from state STATE_MAIN_R1 to
> state STATE_MAIN_R2
> pluto[31977]: "host-host" #2: next payload type of ISAKMP Hash Payload
> has an unknown value: 76
> pluto[31977]: "host-host" #2: malformed payload in packet
> pluto[31977]: "host-host" #2: sending encrypted notification
> PAYLOAD_MALFORMED to 192.168.3.100:500
> pluto[31977]: "host-host" #1: max number of retransmissions (2) reached
> STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE
> message
> pluto[31977]: "host-host" #3: initiating Main Mode
> pluto[31977]: "host-host" #3: ignoring Vendor ID payload [MS NT5
> ISAKMPOAKLEY 00000002]
> pluto[31977]: "host-host" #3: transition from state STATE_MAIN_I1 to
> state STATE_MAIN_I2
> pluto[31977]: "host-host" #3: I am sending my cert
> pluto[31977]: "host-host" #3: I am sending a certificate request
> pluto[31977]: "host-host" #3: transition from state STATE_MAIN_I2 to
> state STATE_MAIN_I3
> pluto[31977]: "host-host" #3: next payload type of ISAKMP Hash Payload
> has an unknown value: 225
> pluto[31977]: "host-host" #3: malformed payload in packet
> pluto[31977]: "host-host" #3: sending encrypted notification
> PAYLOAD_MALFORMED to 192.168.3.100:500
> pluto[31977]: "host-host" #2: next payload type of ISAKMP Hash Payload
> has an unknown value: 249
> pluto[31977]: "host-host" #2: malformed payload in packet
> pluto[31977]: "host-host" #2: sending encrypted notification
> PAYLOAD_MALFORMED to 192.168.3.100:500
> pluto[31977]: "host-host" #3: Informational Exchange message must be
> encrypted
> pluto[31977]: "host-host" #2: max number of retransmissions (2) reached
> STATE_MAIN_R2
> pluto[31977]: "host-host" #3: Informational Exchange message must be
> encrypted
> pluto[31977]: "host-host" #3: max number of retransmissions (2) reached
> STATE_MAIN_I3.  Possible authentication failure: no acceptable response
> to our first encrypted message
> pluto[31977]: "host-host" #4: initiating Main Mode
> pluto[31977]: "host-host" #4: max number of retransmissions (2) reached
> STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE
> message
> pluto[31977]: "host-host" #5: initiating Main Mode
> pluto[31977]: "host-host" #5: max number of retransmissions (2) reached
> STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE
> message
> pluto[31977]: "host-host" #6: initiating Main Mode
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 21 Jan 2005 14:31:04 +0100
> From: mailman-bounces at lists.openswan.org
> Subject: [Openswan Users] Forward of moderated message
> To: users at openswan.org
> Message-ID: <mailman.1.1106314264.15437.mailman at lists.openswan.org>
> Content-Type: text/plain; charset="us-ascii"
>
> An embedded message was scrubbed...
> From: danilov <danilov at comstar.ru>
> Subject: freeswan  client and Netscreen
> Date: Fri, 21 Jan 2005 10:18:52 +0300
> Size: 7116
> Url:
> http://lists.openswan.org/pipermail/users/attachments/20050121/e15e7ead/attachment-0001.eml
>
> ------------------------------
>
> Message: 3
> Date: Mon, 24 Jan 2005 01:08:21 +0100
> From: Nico Baggus <mlfreeswan at noci.xs4all.nl>
> Subject: Re: [Openswan Users] Forward of moderated message
> To: users at openswan.org
> Message-ID: <200501240108.21159.mlfreeswan at noci.xs4all.nl>
> Content-Type: text/plain;  charset="iso-8859-1"
>
> > 9) If you have successfully connected client freeswan/openswan
> > with Netscreen 5GT can you send me right config file for freeswan ?
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         interfaces=%defaultroute
>         klipsdebug=none
>         plutodebug=none
>         uniqueids=yes
>
>
>
> # defaults for subsequent connection descriptions
> conn %default
>         keyingtries=3
>         authby=rsasig
>
> conn netscreen
>         auto=start
>         authby=secret
>         pfs=yes
>         keylife=3600
>         left=<MyIpAddress>
>         leftsourceip=<my inside addres of the Firewall> #to allow it to \
>         access the remote network
>         leftnexthop=<gateway address>
>         leftsubnet=<MySubnet>
>         right=<Remote Addres>
>         rightsubnet=<RemoteSubnet>
>
> > 10) Windows client work properly with Netscreen.
> > I use aggressive mode and psk and seed.
> >
> > I know that freeswan do not support
> > aggressive mode and i can reconfigure nestcreen for main mode
> >
> > 11) If it is interesting for you i can
> > give public address of Netscreen device and him config.
> >
> > Thank you.
>
> ------------------------------
>
> Message: 4
> Date: Sun, 23 Jan 2005 19:41:38 -0500
> From: "Nicolas Ross" <rossnick-lists at cybercat.ca>
> Subject: [Openswan Users] Tunnel to multiple subnets
> To: <users at openswan.org>
> Message-ID: <024301c501ad$77020c00$6400a8c0 at defiant>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
>  reply-type=original
>
> Hi !
>
> I currently have a tunnel between two subnets:
>
> 192.168.20.x
> openswan gateway
> ...
> internet
> ...
> openswan gateway
> 192.168.3.x
>
> On the last gw, there are 3 subnets, on 3 different ethernet cards:
> 192.168.1, .2 and .3. I have to make the tunnel accessible for all 3 interfaces.
>
> Can I make a tunnel with 192.168.0.0/16 or will I have to make 3 separate
> tunnels?
>
> Thanks,
>
> Nicolas
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 24 Jan 2005 02:15:12 +0000
> From: Philip Burrow <philburrow at blueyonder.co.uk>
> Subject: [Openswan Users] Unusual packet loss
> To: users at openswan.org
> Message-ID: <41F45A30.4020305 at blueyonder.co.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi,
>
> Firstly, I'm a new member of the list but I've been using
> FreeSWAN/Openswan for a number of years now and always found it to be
> excellent, so props to the developers and contributors.
>
> To my point, I'm having an unusual problem with apparent packet loss
> across a tunnel. Let me describe the set up. I have two machines running
> Fedora 2, with 2.6.10 kernel and Openswan 2.3.0. Both are on ADSL
> connections with 256k upstream operated by the same ISP.
>
> The tunnels connect as expected. I receive no error messages. However
> when I ping, the first 4 or 5 packets are dropped/lost. The sequence
> then begins at about ping number 4 and continues with a sensible ping
> until CTRL-C. I.e. a ping from the internal interface of one gateway to
> the internal interface of the other:
>
> [root at preston i386]# ping 10.0.3.1 -I 10.0.1.1
> PING 10.0.3.1 (10.0.3.1) from 10.0.1.1 : 56(84) bytes of data.
> 64 bytes from 10.0.3.1: icmp_seq=4 ttl=64 time=63.2 ms
> 64 bytes from 10.0.3.1: icmp_seq=5 ttl=64 time=62.3 ms
> 64 bytes from 10.0.3.1: icmp_seq=6 ttl=64 time=64.9 ms
> 64 bytes from 10.0.3.1: icmp_seq=7 ttl=64 time=66.6 ms
> 64 bytes from 10.0.3.1: icmp_seq=8 ttl=64 time=62.6 ms
> 64 bytes from 10.0.3.1: icmp_seq=9 ttl=64 time=61.9 ms
> 64 bytes from 10.0.3.1: icmp_seq=10 ttl=64 time=64.0 ms
> ...
>
> Then if I wait a minute and ping again, it begins from icmp_seq=0 as you
> would expect from a normal ping.
>
> Another example of strangeness is if I try and FTP across the tunnel. I
> can log in and such, as expected, but it hangs when I request a
> directory listing. I then tried to list the contents of a LDAP directory
> on one gateway from the other gateway and it works, but only the first
> 10 lines of the dump actually appear and it hangs (should be thousands
> of lines).
>
> These things work when I stop IPSEC and try them. No losses on pings,
> LDAP dump is a full dump, FTP directory listings work.
>
> ipsec verify shows all as fine, and it does this whether or not I use a
> firewall.
>
> Any suggestions as to what may be causing this? From what I read in the
> documentation it looks like MTU may be involved but I don't see why it
> would be, and don't know what I can do to play with it. Guidance would
> be appreciated!
>
> Regards,
>
> Phil
>
> ------------------------------
>
> Message: 6
> Date: Mon, 24 Jan 2005 09:09:39 +0100
> From: foren titze <foren.titze at gmx.net>
> Subject: [Openswan Users] RootCA expired, how to change??
> To: users at openswan.org
> Message-ID: <200501240909.39899.foren.titze at gmx.net>
> Content-Type: text/plain;  charset="us-ascii"
>
> Hello,
>
> I need Help:
>
> my RootCA for my Tunnel is expired.
> How can I extend this RootCA?
>
> I think it is expired because I have done this:
>
> linux-vpn:/etc/ipsec.d/own# openssl verify -CAfile ../cacerts/cacert.pem
> titze_cert.pem
> titze_cert.pem:
> /C=DE/ST=NRW/L=duesseldorf/O=wapme/OU=rootca/CN=bTitze/Email=rootca at wap.de
> error 10 at 1 depth lookup:certificate has expired
> OK
> linux-vpn:/etc/ipsec.d/own# openssl verify -CAfile ../cacerts/cacert.pem
> brosowski_cert.pem
> brosowski_cert.pem:
> /C=DE/ST=NRW/L=duesseldorf/O=wapme/OU=rootca/CN=bTitze/Email=rootca at wap.de
> error 10 at 1 depth lookup:certificate has expired
> OK
> linux-vpn:/etc/ipsec.d/own# openssl verify -CAfile ../cacerts/cacert.pem
> brosowski_cert.pem
>
> Thanks
>

I have seen on my Windows machine that my user certificate wasn't expired, but
the RootCA that had generated this user cert was expired.
So now I have a (re)newed RootCA; must I renew ALL the user certs that I ever
generated?

thanks
> ------------------------------
>
> Message: 7
> Date: Mon, 24 Jan 2005 09:31:58 +0100
> From: Andreas Steffen <andreas.steffen at strongsec.net>
> Subject: Re: [Openswan Users] RootCA expired, how to change??
> To: foren titze <foren.titze at gmx.net>
> Cc: users at openswan.org
> Message-ID: <41F4B27E.8010405 at strongsec.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Just generate a new CA certificate based on the old
> private CA key:
>
>    openssl req -new -x509 -key private/cakey.pem -days <desired lifetime>
>            -out cacert.pem
>
> Make sure that the Distinguished Name of the new CA certificate
> is identical to the old CA certificate.
>
> Regards
>
> Andreas
>
> foren titze wrote:
> > Hello,
> >
> > I need Help:
> >
> > my RootCA for my Tunnel is expired.
> > How can I extend this RootCA?
> >
> > I think it is expired because I have done this:
> >
> > linux-vpn:/etc/ipsec.d/own# openssl verify -CAfile ../cacerts/cacert.pem
> > titze_cert.pem
> > titze_cert.pem:
> > /C=DE/ST=NRW/L=duesseldorf/O=wapme/OU=rootca/CN=bTitze/Email=rootca at wap.de
> > error 10 at 1 depth lookup:certificate has expired
> > OK
> > linux-vpn:/etc/ipsec.d/own# openssl verify -CAfile ../cacerts/cacert.pem
> > brosowski_cert.pem
> > brosowski_cert.pem:
> > /C=DE/ST=NRW/L=duesseldorf/O=wapme/OU=rootca/CN=bTitze/Email=rootca at wap.de
> > error 10 at 1 depth lookup:certificate has expired
> > OK
> > linux-vpn:/etc/ipsec.d/own# openssl verify -CAfile ../cacerts/cacert.pem
> > brosowski_cert.pem
> >
> > Thanks

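For Nicolas's question in Message 4 (one tunnel with 192.168.0.0/16, or three tunnels), here is a worked example added by the editor; it is not part of the thread. Using only the prefixes from his message, it computes the tightest single prefix that covers 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24, and checks whether a candidate rightsubnet also contains the local 192.168.20.x LAN. That second check matters: a rightsubnet that covers your own leftsubnet makes the conn's policy claim the gateway's traffic to its own LAN as well, which is a classic cause of "everything breaks as soon as the tunnel comes up". The function names (ip2int, cidr_contains, smallest_supernet, plan_tunnel) are mine; the arithmetic is plain POSIX sh.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): decide whether one aggregated
# rightsubnet can replace several tunnels, and whether that aggregate collides
# with the local leftsubnet. Pure POSIX sh arithmetic, IPv4 only. All prefixes
# are the ones from Nicolas's message; the function names are mine.

ip2int() {               # 192.168.1.0 -> 3232235776
    a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {               # 3232235776 -> 192.168.1.0
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

mask_of() {              # prefix length -> netmask as an integer
    echo $(( $1 == 0 ? 0 : (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

net_of() {               # a.b.c.d/len -> "<network as integer> <len>"
    echo "$(( $(ip2int "${1%/*}") & $(mask_of "${1#*/}") )) ${1#*/}"
}

cidr_contains() {        # cidr_contains OUTER INNER: true if INNER lies inside OUTER
    set -- $(net_of "$1") $(net_of "$2")   # $1 outer net, $2 outer len, $3 inner net, $4 inner len
    [ "$4" -ge "$2" ] && [ $(( $3 & $(mask_of "$2") )) -eq "$1" ]
}

smallest_supernet() {    # shortest prefix that contains every CIDR given
    first=${1%/*}; len=${1#*/}
    while [ "$len" -gt 0 ]; do
        cand="$(int2ip $(( $(ip2int "$first") & $(mask_of "$len") )))/$len"
        ok=1
        for n in "$@"; do cidr_contains "$cand" "$n" || ok=0; done
        [ "$ok" -eq 1 ] && { echo "$cand"; return 0; }
        len=$((len - 1))
    done
    echo 0.0.0.0/0
}

plan_tunnel() {          # plan_tunnel LOCAL REMOTE... -> "<aggregate> ok|OVERLAPS_LOCAL"
    here=$1; shift
    agg=$(smallest_supernet "$@")
    if cidr_contains "$agg" "$here" || cidr_contains "$here" "$agg"; then
        echo "$agg OVERLAPS_LOCAL"
    else
        echo "$agg ok"
    fi
}

# Nicolas's case: local 192.168.20.0/24, three remote /24s.
plan_tunnel 192.168.20.0/24 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24   # 192.168.0.0/22 ok
# The /16 he proposed would also contain his own LAN.
plan_tunnel 192.168.20.0/24 192.168.0.0/16                                  # 192.168.0.0/16 OVERLAPS_LOCAL
```

So a single conn with rightsubnet=192.168.0.0/22 covers all three remote networks without touching 192.168.20.x, whereas 192.168.0.0/16 does overlap it. The caveat with the /22 is that it also covers 192.168.0.0/24, which is not on the remote side; anything addressed there would be sent into the tunnel, so this is only acceptable if that range is unused elsewhere. Otherwise three conns, one per remote /24, are the safe choice.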

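Andreas's answer in Message 7, and foren's follow-up question whether every user certificate must be reissued, can be checked end to end with openssl. The block below is an example added by the editor; it is not from the thread or from the Openswan project. It builds a throwaway CA in a temporary directory with a constructed DN, issues one user certificate under the original CA certificate, then reissues the CA certificate from the same private key as Andreas describes and shows that the user certificate still verifies against the new CA certificate, and that it stops verifying as soon as the CA's Distinguished Name changes. The function names renew_ca_demo and verifies, the ca.cnf contents and the DNs are all mine.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): reissue a CA certificate from
# the original CA private key with an identical DN and check that certificates
# issued under the old CA certificate remain valid. Needs the openssl CLI.
# The DNs, file names and config below are constructed for this demo.

verifies() {             # verifies CAFILE CERT: true if openssl verify says "OK"
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

renew_ca_demo() {
    work=$(mktemp -d) || return 1
    ca_dn='/C=DE/ST=NRW/O=example/OU=rootca/CN=Demo Root CA'

    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$work/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ v3_usr ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

    # 1. Original CA: private key plus a self-signed certificate valid for one day.
    openssl genrsa -out "$work/cakey.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -config "$work/ca.cnf" -key "$work/cakey.pem" -days 1 \
        -subj "$ca_dn" -out "$work/cacert-old.pem" 2>/dev/null || return 1

    # 2. A user certificate signed under the old CA certificate (what the peers hold).
    openssl req -new -config "$work/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$work/user.key" -subj '/C=DE/O=example/CN=user1' \
        -out "$work/user.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$work/user.csr" -CA "$work/cacert-old.pem" \
        -CAkey "$work/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$work/ca.cnf" -extensions v3_usr \
        -out "$work/user.pem" 2>/dev/null || return 1
    verifies "$work/cacert-old.pem" "$work/user.pem" || return 1

    # 3. Renewal as Andreas describes: same key, same DN, new validity period.
    openssl req -new -x509 -config "$work/ca.cnf" -key "$work/cakey.pem" -days 3650 \
        -subj "$ca_dn" -out "$work/cacert-new.pem" 2>/dev/null || return 1

    # 4. The existing user certificate must verify against the renewed CA cert.
    verifies "$work/cacert-new.pem" "$work/user.pem" || return 1

    # 5. Same key but a different DN must NOT work: the chain is built by
    #    matching the certificate's issuer DN, so the DN really has to stay identical.
    openssl req -new -x509 -config "$work/ca.cnf" -key "$work/cakey.pem" -days 3650 \
        -subj '/C=DE/ST=NRW/O=example/OU=rootca/CN=Renamed Root CA' \
        -out "$work/cacert-wrongdn.pem" 2>/dev/null || return 1
    if verifies "$work/cacert-wrongdn.pem" "$work/user.pem"; then
        return 1
    fi

    rm -rf "$work"
    return 0
}
```

The reason this works is that a verifier locates the issuer by the subject DN recorded in the user certificate and then checks the signature with the CA's public key; with the same key and the same DN both lookups succeed, so existing user certificates (and CRLs signed by the same key) keep working, and an Openswan rightca= string that names the CA DN keeps matching. Two caveats a practitioner should check before relying on this: if the user certificates carry an authorityKeyIdentifier that includes the issuer name and serial (openssl.cnf's issuer:always form), the renewed CA certificate's serial number must also match, which `openssl x509 -in usercert.pem -noout -text` shows under "Authority Key Identifier"; and the new cacert.pem has to be distributed to every peer, including the Windows machine on which foren saw the expired root.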