[Openswan Users] OpenS/WAN and Win2K/XP
David Spear
dspear at telus.net
Mon Jan 24 11:56:06 CET 2005
I followed Nate Carlson's instructions on setting up IPsec traffic
between my Linux Openswan (2.3.0) gateway and a Win2K box. The only
glitch I had was that the X.509 cert I created had the same
issuer/subject, which Openswan didn't seem to like. So I created
another certificate with a different CN and distributed it to my Win2K box.
However, I seem to have some problem in my ipsec.conf, either on the
server or client side. Here are my ipsec.conf files:
**********begin openswan ipsec.conf***********
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        myid=@explorer.fdns.net

conn %default
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        authby=rsasig
        disablearrivalcheck=no
        compress=yes
        keyingtries=1

conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior
        left=192.168.1.101
        leftcert=testing.pem
        right=%any
        auto=add
        pfs=yes
*******************end openswan ipsec.conf************************
*****************begin win2k ipsec.conf****************************
conn roadwarrior
        left=%any
        right=192.168.1.101
        rightid=explorer.fdns.net
        rightca="C=CA, S=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub"
        network=auto
        auto=start
        pfs=yes

conn roadwarrior-net
        left=%any
        right=192.168.1.101
        rightid=explorer.fdns.net
        rightsubnet=192.168.1.0/24
        rightca="C=CA, S=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub"
        network=auto
        auto=start
        pfs=yes
********************end win2k ipsec.conf*************************
Here's my pluto log for the connection attempt:
*******************begin pluto log******************************
Jan 24 11:39:31 explorer pluto[29499]: | certificate signature (C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer -> C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer) is valid
Jan 24 11:39:31 explorer pluto[29499]: | reached self-signed root ca
Jan 24 11:39:31 explorer pluto[29499]: | Public key validated
Jan 24 11:39:31 explorer pluto[29499]: | unreference key: 0x80fbcf8 C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub cnt 1--
Jan 24 11:39:31 explorer pluto[29499]: | unreference key: 0x80f63c0 @explorer.fdns.net cnt 1--
Jan 24 11:39:31 explorer pluto[29499]: | CR 30 5f 31 0b 30 09 06 03 55 04 06 13 02 43 41 31
Jan 24 11:39:31 explorer pluto[29499]: | 0b 30 09 06 03 55 04 08 13 02 42 43 31 12 30 10
Jan 24 11:39:31 explorer pluto[29499]: | 06 03 55 04 07 13 09 50 65 6e 74 69 63 74 6f 6e
Jan 24 11:39:31 explorer pluto[29499]: | 31 1c 30 1a 06 03 55 04 0a 14 13 48 26 4d 20 45
Jan 24 11:39:31 explorer pluto[29499]: | 78 63 61 76 61 74 69 6e 67 20 4c 74 64 2e 31 11
Jan 24 11:39:31 explorer pluto[29499]: | 30 0f 06 03 55 04 03 13 08 65 78 70 6c 6f 72 65
Jan 24 11:39:31 explorer pluto[29499]: | 72
Jan 24 11:39:31 explorer pluto[29499]: | requested CA: 'C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer'
Jan 24 11:39:31 explorer pluto[29499]: | refine_connection: starting with roadwarrior
Jan 24 11:39:31 explorer pluto[29499]: | match_id a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub b=192.168.1.102
Jan 24 11:39:31 explorer pluto[29499]: | match_id called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub b=192.168.1.102
Jan 24 11:39:31 explorer pluto[29499]: | trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=(empty)
Jan 24 11:39:31 explorer pluto[29499]: | trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer
Jan 24 11:39:31 explorer pluto[29499]: | refine_connection: checking roadwarrior against roadwarrior, best=(none) with match=0(id=0/ca=1/reqca=1)
Jan 24 11:39:31 explorer pluto[29499]: | match_id a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub b=(none)
Jan 24 11:39:31 explorer pluto[29499]: | trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=(empty)
Jan 24 11:39:31 explorer pluto[29499]: | trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer
Jan 24 11:39:31 explorer pluto[29499]: | refine_connection: checking roadwarrior against roadwarrior, best=(none) with match=1(id=1/ca=1/reqca=1)
Jan 24 11:39:32 explorer pluto[29499]: | refine_connection: checked roadwarrior against roadwarrior, now for see if best
Jan 24 11:39:32 explorer pluto[29499]: | started looking for secret for C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub->(none) of kind PPK_RSA
Jan 24 11:39:32 explorer pluto[29499]: | searching for certificate PPK_RSA:AQOrGb2Cw vs PPK_RSA:AwEAAc6Qf
Jan 24 11:39:32 explorer pluto[29499]: | match_id a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub b=(none)
Jan 24 11:39:32 explorer pluto[29499]: | trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=(empty)
Jan 24 11:39:32 explorer pluto[29499]: | trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer
Jan 24 11:39:32 explorer pluto[29499]: | refine_connection: checking roadwarrior against roadwarrior-all, best=(none) with match=1(id=1/ca=1/reqca=1)
Jan 24 11:39:32 explorer pluto[29499]: | refine_connection: checked roadwarrior against roadwarrior-all, now for see if best
Jan 24 11:39:32 explorer pluto[29499]: | started looking for secret for C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub->(none) of kind PPK_RSA
Jan 24 11:39:32 explorer pluto[29499]: | searching for certificate PPK_RSA:AQOrGb2Cw vs PPK_RSA:AwEAAc6Qf
Jan 24 11:39:32 explorer pluto[29499]: | match_id a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub b=(none)
Jan 24 11:39:32 explorer pluto[29499]: | trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=(empty)
Jan 24 11:39:32 explorer pluto[29499]: | trusted_ca called with a=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer b=C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=explorer
Jan 24 11:39:32 explorer pluto[29499]: | refine_connection: checking roadwarrior against roadwarrior-net, best=(none) with match=1(id=1/ca=1/reqca=1)
Jan 24 11:39:32 explorer pluto[29499]: | refine_connection: checked roadwarrior against roadwarrior-net, now for see if best
Jan 24 11:39:32 explorer pluto[29499]: | started looking for secret for C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub->(none) of kind PPK_RSA
Jan 24 11:39:32 explorer pluto[29499]: | searching for certificate PPK_RSA:AQOrGb2Cw vs PPK_RSA:AwEAAc6Qf
Jan 24 11:39:32 explorer pluto[29499]: "roadwarrior"[2] 192.168.1.102 #4: no suitable connection for peer 'C=CA, ST=BC, L=Penticton, O=H&M Excavating Ltd., CN=samesub'
Jan 24 11:39:32 explorer pluto[29499]: | complete state transition with (null)
Jan 24 11:39:32 explorer pluto[29499]: "roadwarrior"[2] 192.168.1.102 #4: sending encrypted notification INVALID_ID_INFORMATION to 192.168.1.102:500
*************************end pluto log*************************************
So, although it seems to be accepting the x.509 cert, it is failing to
find a suitable connection profile to use. What am I doing wrong here?
The certificate that I generated and imported into Personal Certificates
on the Win2k box is (C=CA, S=BC, L=Penticton, O=H&M Excavating Ltd.,
CN=samesub), while the Trusted CA Root cert is (C=CA, S=BC, L=Penticton,
O=H&M Excavating Ltd., CN=explorer).
Thanks
Dave
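The "| CR ..." hex lines in the pluto log are the ISAKMP Certificate Request payload sent by the Windows peer: the DER-encoded Name of the CA it wants the gateway's certificate to chain to, which pluto then prints as the 'requested CA' line. As an added example (not from this thread, and not Openswan code), a minimal DER Name decoder run over exactly those bytes, so the raw dump can be cross-checked against the 'requested CA' text; the OID labels are the standard X.520 attribute types.

```python
import binascii

# Hex bytes copied from the "| CR ..." lines of the pluto log above. The
# ISAKMP Certificate Request payload carries the DER-encoded Name of the CA
# that the Windows peer wants the gateway's certificate to chain to.
CR_HEX = (
    "30 5f 31 0b 30 09 06 03 55 04 06 13 02 43 41 31"
    " 0b 30 09 06 03 55 04 08 13 02 42 43 31 12 30 10"
    " 06 03 55 04 07 13 09 50 65 6e 74 69 63 74 6f 6e"
    " 31 1c 30 1a 06 03 55 04 0a 14 13 48 26 4d 20 45"
    " 78 63 61 76 61 74 69 6e 67 20 4c 74 64 2e 31 11"
    " 30 0f 06 03 55 04 03 13 08 65 78 70 6c 6f 72 65"
    " 72"
)

# DER encodings of the X.520 attribute OIDs (2.5.4.x) with the labels pluto prints.
OID_LABELS = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",
              b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element with a short-form length."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:  # long-form length (>127 bytes) never occurs in this payload
        raise ValueError("long-form DER length not supported")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_dn(der):
    """Decode a DER Name (SEQUENCE of SET of SEQUENCE{OID, string}) into pluto's text form."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must start with a SEQUENCE")
    parts, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)        # SET (0x31): one RDN
        _, atv, _ = read_tlv(rdn, 0)             # SEQUENCE: AttributeTypeAndValue
        _, oid, after_oid = read_tlv(atv, 0)     # OBJECT IDENTIFIER (0x06)
        _, value, _ = read_tlv(atv, after_oid)   # PrintableString (0x13) or T61String (0x14)
        label = OID_LABELS.get(oid, "OID:" + binascii.hexlify(oid).decode())
        parts.append(f"{label}={value.decode('latin-1')}")
    return ", ".join(parts)

def requested_ca_from_log(cr_hex=CR_HEX):
    """Decode the CR payload dumped in the log; should equal pluto's 'requested CA' line."""
    return decode_dn(bytes.fromhex(cr_hex))

if __name__ == "__main__":
    print(requested_ca_from_log())
```

The decoded string should read exactly like the 'requested CA' log line; a mismatch between that DN and the CA that actually issued the gateway's leftcert is one of the things the refine_connection ca/reqca counters above are scoring.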