[Openswan Users] OpenS/WAN and Win2K/XP

David Spear dspear at telus.net
Mon Jan 24 11:56:06 CET 2005


I followed Nate Carlson's instructions on setting up IPsec traffic
between my Linux Openswan (2.3.0) gateway and a Win2K box.  The only
glitch I had was that the X.509 cert I created had the same
issuer/subject, which Openswan didn't seem to like.  So, I created
another certificate with a different CN and distributed it to my Win2K box.
However, I seem to have some problem in my ipsec.conf on either the
server or the client side.  Here are my ipsec.conf files:
 
**********begin openswan ipsec.conf***********
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        myid=@explorer.fdns.net

conn %default
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        authby=rsasig
        disablearrivalcheck=no
        compress=yes
        keyingtries=1

conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior
        left=192.168.1.101
        leftcert=testing.pem
        right=%any
        auto=add
        pfs=yes
*******************end openswan ipsec.conf************************
 
*****************begin win2k ipsec.conf****************************
conn roadwarrior
        left=%any
        right=192.168.1.101
        rightid=explorer.fdns.net
        rightca="C=CA, S=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub"
        network=auto
        auto=start
        pfs=yes

conn roadwarrior-net
        left=%any
        right=192.168.1.101
        rightid=explorer.fdns.net
        rightsubnet=192.168.1.0/24
        rightca="C=CA, S=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub"
        network=auto
        auto=start
        pfs=yes
********************end win2k ipsec.conf*************************
 
Here's my pluto log for the connection attempt:
 
*******************begin pluto log******************************
Jan 24 11:39:31 explorer pluto[29499]: | certificate signature (C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer -> C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer) is valid
Jan 24 11:39:31 explorer pluto[29499]: | reached self-signed root ca
Jan 24 11:39:31 explorer pluto[29499]: | Public key validated
Jan 24 11:39:31 explorer pluto[29499]: | unreference key: 0x80fbcf8 C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub cnt 1--
Jan 24 11:39:31 explorer pluto[29499]: | unreference key: 0x80f63c0 @explorer.fdns.net cnt 1--
Jan 24 11:39:31 explorer pluto[29499]: | CR  30 5f 31 0b  30 09 06 03  55 04 06 13  02 43 41 31
Jan 24 11:39:31 explorer pluto[29499]: |   0b 30 09 06  03 55 04 08  13 02 42 43  31 12 30 10
Jan 24 11:39:31 explorer pluto[29499]: |   06 03 55 04  07 13 09 50  65 6e 74 69  63 74 6f 6e
Jan 24 11:39:31 explorer pluto[29499]: |   31 1c 30 1a  06 03 55 04  0a 14 13 48  26 4d 20 45
Jan 24 11:39:31 explorer pluto[29499]: |   78 63 61 76  61 74 69 6e  67 20 4c 74  64 2e 31 11
Jan 24 11:39:31 explorer pluto[29499]: |   30 0f 06 03  55 04 03 13  08 65 78 70  6c 6f 72 65
Jan 24 11:39:31 explorer pluto[29499]: |   72
Jan 24 11:39:31 explorer pluto[29499]: | requested CA: 'C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer'
Jan 24 11:39:31 explorer pluto[29499]: | refine_connection: starting with roadwarrior
Jan 24 11:39:31 explorer pluto[29499]: |    match_id a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub b=192.168.1.102
Jan 24 11:39:31 explorer pluto[29499]: |   match_id called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub b=192.168.1.102
Jan 24 11:39:31 explorer pluto[29499]: |   trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=(empty)
Jan 24 11:39:31 explorer pluto[29499]: |   trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer
Jan 24 11:39:31 explorer pluto[29499]: | refine_connection: checking roadwarrior against roadwarrior, best=(none) with match=0(id=0/ca=1/reqca=1)
Jan 24 11:39:31 explorer pluto[29499]: |    match_id a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub b=(none)
Jan 24 11:39:31 explorer pluto[29499]: |   trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=(empty)
Jan 24 11:39:31 explorer pluto[29499]: |   trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer
Jan 24 11:39:31 explorer pluto[29499]: | refine_connection: checking roadwarrior against roadwarrior, best=(none) with match=1(id=1/ca=1/reqca=1)
Jan 24 11:39:32 explorer pluto[29499]: | refine_connection: checked roadwarrior against roadwarrior, now for see if best
Jan 24 11:39:32 explorer pluto[29499]: | started looking for secret for C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub->(none) of kind PPK_RSA
Jan 24 11:39:32 explorer pluto[29499]: | searching for certificate PPK_RSA:AQOrGb2Cw vs PPK_RSA:AwEAAc6Qf
Jan 24 11:39:32 explorer pluto[29499]: |    match_id a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub b=(none)
Jan 24 11:39:32 explorer pluto[29499]: |   trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=(empty)
Jan 24 11:39:32 explorer pluto[29499]: |   trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer
Jan 24 11:39:32 explorer pluto[29499]: | refine_connection: checking roadwarrior against roadwarrior-all, best=(none) with match=1(id=1/ca=1/reqca=1)
Jan 24 11:39:32 explorer pluto[29499]: | refine_connection: checked roadwarrior against roadwarrior-all, now for see if best
Jan 24 11:39:32 explorer pluto[29499]: | started looking for secret for C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub->(none) of kind PPK_RSA
Jan 24 11:39:32 explorer pluto[29499]: | searching for certificate PPK_RSA:AQOrGb2Cw vs PPK_RSA:AwEAAc6Qf
Jan 24 11:39:32 explorer pluto[29499]: |    match_id a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub b=(none)
Jan 24 11:39:32 explorer pluto[29499]: |   trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=(empty)
Jan 24 11:39:32 explorer pluto[29499]: |   trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer
Jan 24 11:39:32 explorer pluto[29499]: | refine_connection: checking roadwarrior against roadwarrior-net, best=(none) with match=1(id=1/ca=1/reqca=1)
Jan 24 11:39:32 explorer pluto[29499]: | refine_connection: checked roadwarrior against roadwarrior-net, now for see if best
Jan 24 11:39:32 explorer pluto[29499]: | started looking for secret for C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub->(none) of kind PPK_RSA
Jan 24 11:39:32 explorer pluto[29499]: | searching for certificate PPK_RSA:AQOrGb2Cw vs PPK_RSA:AwEAAc6Qf
Jan 24 11:39:32 explorer pluto[29499]: "roadwarrior"[2] 192.168.1.102 #4: no suitable connection for peer 'C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub'
Jan 24 11:39:32 explorer pluto[29499]: | complete state transition with (null)
Jan 24 11:39:32 explorer pluto[29499]: "roadwarrior"[2] 192.168.1.102 #4: sending encrypted notification INVALID_ID_INFORMATION to 192.168.1.102:500
*************************end pluto log*************************************
 
So, although it seems to be accepting the X.509 cert, it is failing to
find a suitable connection profile to use.  What am I doing wrong here?
The certificate that I generated and imported into Personal Certificates
on the Win2K box is (C=CA, S=BC, L=Penticton, O=H&M Excavating Ltd.,
CN=samesub), while the Trusted CA Root cert is (C=CA, S=BC, L=Penticton,
O=H&M Excavating Ltd., CN=explorer).
 
Thanks
 
Dave
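A small triage script for a plutodebug=all log like the one above, added here as an example; it is not part of Dave's post or of Openswan. It pulls out which conns passed the id/ca/reqca tests in refine_connection, which RSA keyids the secret lookup compared, and the final rejection, so the reader does not have to eyeball hundreds of debug lines. The regexes assume the message formats visible in this 2.3.0 log; other Openswan versions may word them differently, and the sample input is constructed from the log above with each wrapped record rejoined onto one line.

```python
import re

# Constructed sample: records from the plutodebug=all log above, each one
# rejoined onto a single line (the mailer had wrapped them at 80 columns).
SAMPLE_LOG = """\
Jan 24 11:39:31 explorer pluto[29499]: | refine_connection: checking roadwarrior against roadwarrior, best=(none) with match=0(id=0/ca=1/reqca=1)
Jan 24 11:39:31 explorer pluto[29499]: | refine_connection: checking roadwarrior against roadwarrior, best=(none) with match=1(id=1/ca=1/reqca=1)
Jan 24 11:39:32 explorer pluto[29499]: | searching for certificate PPK_RSA:AQOrGb2Cw vs PPK_RSA:AwEAAc6Qf
Jan 24 11:39:32 explorer pluto[29499]: | refine_connection: checking roadwarrior against roadwarrior-all, best=(none) with match=1(id=1/ca=1/reqca=1)
Jan 24 11:39:32 explorer pluto[29499]: | searching for certificate PPK_RSA:AQOrGb2Cw vs PPK_RSA:AwEAAc6Qf
Jan 24 11:39:32 explorer pluto[29499]: | refine_connection: checking roadwarrior against roadwarrior-net, best=(none) with match=1(id=1/ca=1/reqca=1)
Jan 24 11:39:32 explorer pluto[29499]: | searching for certificate PPK_RSA:AQOrGb2Cw vs PPK_RSA:AwEAAc6Qf
Jan 24 11:39:32 explorer pluto[29499]: "roadwarrior"[2] 192.168.1.102 #4: no suitable connection for peer 'C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub'
"""

# Message formats as they appear in the Openswan 2.3.0 log above (assumed
# stable for that version only).
CHECK_RE = re.compile(r"refine_connection: checking \S+ against (\S+), .*?"
                      r"match=(\d)\(id=(\d)/ca=(\d)/reqca=(\d)\)")
SECRET_RE = re.compile(r"searching for certificate PPK_RSA:(\S+) vs PPK_RSA:(\S+)")
REJECT_RE = re.compile(r"no suitable connection for peer '([^']+)'")


def triage(log: str) -> dict:
    """Summarise one negotiation: which conns passed the id/ca/reqca tests,
    which RSA keyids the secret lookup compared, and the final outcome."""
    checks, key_pairs = [], set()
    rejected_peer = None
    for line in log.splitlines():
        m = CHECK_RE.search(line)
        if m:
            checks.append((m.group(1), int(m.group(2))))  # (conn, match)
            continue
        m = SECRET_RE.search(line)
        if m:
            key_pairs.add((m.group(1), m.group(2)))
            continue
        m = REJECT_RE.search(line)
        if m:
            rejected_peer = m.group(1)
    # conns for which id, ca and reqca all matched on at least one pass
    candidates = sorted({conn for conn, match in checks if match == 1})
    # every keyid comparison differed: none of the RSA secrets on file
    # matched the public key pluto compared them with
    key_mismatch = bool(key_pairs) and all(a != b for a, b in key_pairs)
    return {"candidates": candidates, "key_pairs": sorted(key_pairs),
            "key_mismatch": key_mismatch, "rejected_peer": rejected_peer}
```

When candidates is non-empty but key_mismatch is true, the id and CA matching succeeded and the failure lies in the secret lookup, which narrows where to look next.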
 