[Openswan Users] OpenS/WAN and Win2K/XP
David Spear
dspear at telus.net
Mon Jan 24 15:47:54 CET 2005
>
> conn roadwarrior
>     left=%any
>     right=192.168.1.101
>     rightid=explorer.fdns.net
>
> Either leave out the rightid= or use the X.509 subjectname. Not a
> hostname.
Okay, here's my new win2k ipsec.conf:
**************begin win2k ipsec.conf****************
conn roadwarrior
    left=%any
    right=192.168.1.101
    rightca="C=CA, S=BC, L=Penticton, O=HMEXC, CN=remote"
    network=auto
    auto=start
    pfs=yes

conn roadwarrior-net
    left=%any
    right=192.168.1.101
    rightsubnet=192.168.1.0/24
    rightca="C=CA, S=BC, L=Penticton, O=HMEXC, CN=remote"
    network=auto
    auto=start
    pfs=yes
****************end win2k ipsec.conf*******************
> rightca="C=CA, S=BC, L=Penticton, O=H&M Excavating Ltd.,
> CN=samesub"
>
> You've ignored a few warnings about 'do not use weird symbols such as
> "&"'. Try generating certificates without nonstandard characters.
As you can see, I am using a new cert, started from the ground up: new
CA, new cert, everything is new with no "&" or other funky characters.
However, things seem to have gotten worse, not better. Here's my
openswan ipsec.conf, revised:
**************begin openswan ipsec.conf**********************
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=all
    plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    myid=@explorer.fdns.net

conn %default
    rightrsasigkey=%cert
    leftrsasigkey=%cert
    authby=rsasig
    disablearrivalcheck=no
    compress=yes
    keyingtries=1

conn roadwarrior-net
    leftsubnet=192.168.1.0/24
    also=roadwarrior

conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior
    left=192.168.1.101
    leftcert=remote.pem
    right=%any
    auto=add
    pfs=yes
******************end openswan ipsec.conf*******************
Now here's the bad part, my Pluto log. It does not appear that I am
getting nearly as far as I was before. I completely removed all certs
and policies from my win2k box, imported new certs, changed ipsec.conf
to reflect new info.
****************begin Pluto log*****************************
Jan 24 15:04:56 explorer pluto[756]: | instantiated "roadwarrior" for 192.168.1.102
Jan 24 15:04:56 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: responding to Main Mode from unknown peer 192.168.1.102
Jan 24 15:04:58 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 24 15:05:00 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #2: responding to Main Mode from unknown peer 192.168.1.102
Jan 24 15:05:02 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 24 15:05:03 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #3: responding to Main Mode from unknown peer 192.168.1.102
Jan 24 15:05:05 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 24 15:05:08 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: discarding packet received during DNS lookup in STATE_MAIN_R1
Jan 24 15:05:09 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: discarding packet received during DNS lookup in STATE_MAIN_R1
Jan 24 15:05:10 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 24 15:05:12 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: ignoring Delete SA payload: not encrypted
Jan 24 15:05:12 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: received and ignored informational message
Jan 24 15:05:12 explorer pluto[756]: | handling event EVENT_RETRANSMIT for 192.168.1.102 "roadwarrior" #2
Jan 24 15:05:13 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #3: ignoring informational payload, type INVALID_COOKIE
Jan 24 15:05:13 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #3: received and ignored informational message
Jan 24 15:05:13 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: ignoring informational payload, type INVALID_COOKIE
Jan 24 15:05:13 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: received and ignored informational message
Jan 24 15:05:14 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #2: ignoring informational payload, type INVALID_COOKIE
*******************end Pluto log********************************
and so forth until I get "max number of retransmits" and "deleting
connection to..."
Sorry for the length, but here's the raw log:
*******************begin Pluto log*****************************
Jan 24 15:05:10 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 24 15:05:10 explorer pluto[756]: | sending reply packet
Jan 24 15:05:10 explorer pluto[756]: | sending 180 bytes for STATE_MAIN_R1 through eth0 to 192.168.1.102:500:
Jan 24 15:05:11 explorer pluto[756]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Jan 24 15:05:11 explorer pluto[756]: | modecfg pull: noquirk policy:push not-client
Jan 24 15:05:11 explorer pluto[756]: | phase 1 is done, looking for phase 1 to unpend
Jan 24 15:05:11 explorer pluto[756]: | next event EVENT_RETRANSMIT in 1 seconds for #2
Jan 24 15:05:11 explorer pluto[756]: |
Jan 24 15:05:11 explorer pluto[756]: | *received 56 bytes from 192.168.1.102:500 on eth0
Jan 24 15:05:11 explorer pluto[756]: | 79 cd 50 99 03 de 87 d3 04 a9 e1 af 27 f0 6d 51
Jan 24 15:05:11 explorer pluto[756]: | 0c 10 05 00 c6 32 9c 42 00 00 00 38 00 00 00 1c
Jan 24 15:05:11 explorer pluto[756]: | 00 00 00 01 01 10 00 01 79 cd 50 99 03 de 87 d3
Jan 24 15:05:11 explorer pluto[756]: | 04 a9 e1 af 27 f0 6d 51
Jan 24 15:05:11 explorer pluto[756]: | **parse ISAKMP Message:
Jan 24 15:05:11 explorer pluto[756]: | initiator cookie:
Jan 24 15:05:11 explorer pluto[756]: | 79 cd 50 99 03 de 87 d3
Jan 24 15:05:11 explorer pluto[756]: | responder cookie:
Jan 24 15:05:11 explorer pluto[756]: | 04 a9 e1 af 27 f0 6d 51
Jan 24 15:05:11 explorer pluto[756]: | next payload type: ISAKMP_NEXT_D
Jan 24 15:05:11 explorer pluto[756]: | ISAKMP version: ISAKMP Version 1.0
Jan 24 15:05:11 explorer pluto[756]: | exchange type: ISAKMP_XCHG_INFO
Jan 24 15:05:11 explorer pluto[756]: | flags: none
Jan 24 15:05:11 explorer pluto[756]: | message ID: c6 32 9c 42
Jan 24 15:05:11 explorer pluto[756]: | length: 56
Jan 24 15:05:11 explorer pluto[756]: | ICOOKIE: 79 cd 50 99 03 de 87 d3
Jan 24 15:05:11 explorer pluto[756]: | RCOOKIE: 04 a9 e1 af 27 f0 6d 51
Jan 24 15:05:11 explorer pluto[756]: | peer: c0 a8 01 66
Jan 24 15:05:11 explorer pluto[756]: | state hash entry 7
Jan 24 15:05:11 explorer pluto[756]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000
Jan 24 15:05:11 explorer pluto[756]: | state object #1 found, in STATE_MAIN_R2
Jan 24 15:05:11 explorer pluto[756]: | ***parse ISAKMP Delete Payload:
Jan 24 15:05:11 explorer pluto[756]: | next payload type: ISAKMP_NEXT_NONE
Jan 24 15:05:11 explorer pluto[756]: | length: 28
Jan 24 15:05:11 explorer pluto[756]: | DOI: ISAKMP_DOI_IPSEC
Jan 24 15:05:11 explorer pluto[756]: | protocol ID: 1
Jan 24 15:05:11 explorer pluto[756]: | SPI size: 16
Jan 24 15:05:11 explorer pluto[756]: | number of SPIs: 1
Jan 24 15:05:12 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: ignoring Delete SA payload: not encrypted
Jan 24 15:05:12 explorer pluto[756]: | del: 79 cd 50 99 03 de 87 d3 04 a9 e1 af 27 f0 6d 51
Jan 24 15:05:12 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: received and ignored informational message
Jan 24 15:05:12 explorer pluto[756]: | complete state transition with STF_IGNORE
Jan 24 15:05:12 explorer pluto[756]: | next event EVENT_RETRANSMIT in 0 seconds for #2
Jan 24 15:05:12 explorer pluto[756]: |
Jan 24 15:05:12 explorer pluto[756]: | *time to handle event
Jan 24 15:05:12 explorer pluto[756]: | handling event EVENT_RETRANSMIT
Jan 24 15:05:12 explorer pluto[756]: | event after this is EVENT_RETRANSMIT in 3 seconds
Jan 24 15:05:12 explorer pluto[756]: | handling event EVENT_RETRANSMIT for 192.168.1.102 "roadwarrior" #2
Jan 24 15:05:12 explorer pluto[756]: | sending 104 bytes for EVENT_RETRANSMIT through eth0 to 192.168.1.102:500:
Jan 24 15:05:12 explorer pluto[756]: | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #2
Jan 24 15:05:12 explorer pluto[756]: | next event EVENT_RETRANSMIT in 3 seconds for #3
Jan 24 15:05:12 explorer pluto[756]: |
Jan 24 15:05:12 explorer pluto[756]: | *received 56 bytes from 192.168.1.102:500 on eth0
Jan 24 15:05:12 explorer pluto[756]: | 79 cd 50 99 03 de 87 d3 b1 29 99 01 fe 22 c8 62
Jan 24 15:05:12 explorer pluto[756]: | 0b 10 05 00 07 e7 58 ab 00 00 00 38 00 00 00 1c
Jan 24 15:05:12 explorer pluto[756]: | 00 00 00 01 01 10 00 04 79 cd 50 99 03 de 87 d3
Jan 24 15:05:12 explorer pluto[756]: | b1 29 99 01 fe 22 c8 62
Jan 24 15:05:12 explorer pluto[756]: | **parse ISAKMP Message:
Jan 24 15:05:12 explorer pluto[756]: | initiator cookie:
Jan 24 15:05:12 explorer pluto[756]: | 79 cd 50 99 03 de 87 d3
Jan 24 15:05:12 explorer pluto[756]: | responder cookie:
Jan 24 15:05:12 explorer pluto[756]: | b1 29 99 01 fe 22 c8 62
Jan 24 15:05:12 explorer pluto[756]: | next payload type: ISAKMP_NEXT_N
Jan 24 15:05:12 explorer pluto[756]: | ISAKMP version: ISAKMP Version 1.0
Jan 24 15:05:12 explorer pluto[756]: | exchange type: ISAKMP_XCHG_INFO
Jan 24 15:05:12 explorer pluto[756]: | flags: none
Jan 24 15:05:12 explorer pluto[756]: | message ID: 07 e7 58 ab
Jan 24 15:05:12 explorer pluto[756]: | length: 56
Jan 24 15:05:12 explorer pluto[756]: | ICOOKIE: 79 cd 50 99 03 de 87 d3
Jan 24 15:05:12 explorer pluto[756]: | RCOOKIE: b1 29 99 01 fe 22 c8 62
Jan 24 15:05:12 explorer pluto[756]: | peer: c0 a8 01 66
Jan 24 15:05:12 explorer pluto[756]: | state hash entry 13
Jan 24 15:05:12 explorer pluto[756]: | peer and cookies match on #3, provided msgid 00000000 vs 00000000
Jan 24 15:05:12 explorer pluto[756]: | state object #3 found, in STATE_MAIN_R1
Jan 24 15:05:12 explorer pluto[756]: | ***parse ISAKMP Notification Payload:
Jan 24 15:05:13 explorer pluto[756]: | next payload type: ISAKMP_NEXT_NONE
Jan 24 15:05:13 explorer pluto[756]: | length: 28
Jan 24 15:05:13 explorer pluto[756]: | DOI: ISAKMP_DOI_IPSEC
Jan 24 15:05:13 explorer pluto[756]: | protocol ID: 1
Jan 24 15:05:13 explorer pluto[756]: | SPI size: 16
Jan 24 15:05:13 explorer pluto[756]: | Notify Message Type: INVALID_COOKIE
Jan 24 15:05:13 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #3: ignoring informational payload, type INVALID_COOKIE
Jan 24 15:05:13 explorer pluto[756]: | info: 79 cd 50 99 03 de 87 d3 b1 29 99 01 fe 22 c8 62
Jan 24 15:05:13 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #3: received and ignored informational message
Jan 24 15:05:13 explorer pluto[756]: | complete state transition with STF_IGNORE
Jan 24 15:05:13 explorer pluto[756]: | next event EVENT_RETRANSMIT in 2 seconds for #3
**********************end Pluto log****************************
and so forth.
And just for fun, here is:
% openssl x509 -in remote.pem -noout -subject
subject= /C=CA/ST=BC/L=Penticton/O=HMEXC/CN=remote
I think I've spent about 3 days now with no end in sight...
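The two 56-byte informational messages in the raw log above, decoded by a small parser so the reason pluto gives for dropping each one (an unencrypted Delete of the ISAKMP SA, then an INVALID_COOKIE notify) can be read straight off the bytes. This is an added example, not part of the original post or of Openswan; the byte strings are copied from the log, the field layout follows RFC 2408, and `why_ignored` only reproduces the two log messages rather than pluto's full logic.

```python
import struct

# ISAKMP (RFC 2408) constants for the fields that matter in these two messages
XCHG_INFO, NEXT_N, NEXT_D = 5, 11, 12   # Informational exchange; Notification / Delete payloads
FLAG_ENCRYPTION = 0x01                  # header flag bit set when the payloads are encrypted
NOTIFY_NAMES = {4: "INVALID_COOKIE"}

# Byte dumps copied from the two "*received 56 bytes" entries in the log above
DELETE_MSG = ("79 cd 50 99 03 de 87 d3 04 a9 e1 af 27 f0 6d 51 "
              "0c 10 05 00 c6 32 9c 42 00 00 00 38 00 00 00 1c "
              "00 00 00 01 01 10 00 01 79 cd 50 99 03 de 87 d3 "
              "04 a9 e1 af 27 f0 6d 51")
NOTIFY_MSG = ("79 cd 50 99 03 de 87 d3 b1 29 99 01 fe 22 c8 62 "
              "0b 10 05 00 07 e7 58 ab 00 00 00 38 00 00 00 1c "
              "00 00 00 01 01 10 00 04 79 cd 50 99 03 de 87 d3 "
              "b1 29 99 01 fe 22 c8 62")

def parse_isakmp(hexdump):
    """Decode the 28-byte ISAKMP header plus one Notification or Delete payload."""
    b = bytes.fromhex(hexdump)
    icookie, rcookie, np, ver, xchg, flags, msgid, length = struct.unpack(">8s8sBBBB4sI", b[:28])
    if length != len(b):
        raise ValueError(f"header length {length} does not match {len(b)} bytes received")
    msg = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "next_payload": np,
           "version": f"{ver >> 4}.{ver & 0xF}", "exchange_type": xchg, "length": length,
           "encrypted": bool(flags & FLAG_ENCRYPTION), "message_id": msgid.hex()}
    # generic payload header (next, reserved, length) followed by DOI, protocol ID, SPI size
    _next, _rsvd, plen, doi, proto, spi_size = struct.unpack(">BBHIBB", b[28:38])
    payload = {"length": plen, "doi": doi, "protocol_id": proto, "spi_size": spi_size}
    if np == NEXT_D:
        # protocol ID 1 with a 16-byte SPI: the peer deletes the ISAKMP SA named by the header's cookie pair
        (payload["num_spis"],) = struct.unpack(">H", b[38:40])
        payload["spis"] = [b[40 + i * spi_size:40 + (i + 1) * spi_size].hex()
                           for i in range(payload["num_spis"])]
    elif np == NEXT_N:
        (ntype,) = struct.unpack(">H", b[38:40])
        payload["notify_type"] = NOTIFY_NAMES.get(ntype, ntype)
        payload["spi"] = b[40:40 + spi_size].hex()
    msg["payload"] = payload
    return msg

def why_ignored(msg):
    """Reproduce the reason pluto logged for dropping each informational message."""
    if msg["exchange_type"] != XCHG_INFO:
        return None
    if msg["next_payload"] == NEXT_D and not msg["encrypted"]:
        return "ignoring Delete SA payload: not encrypted"
    if msg["next_payload"] == NEXT_N:
        return f"ignoring informational payload, type {msg['payload']['notify_type']}"
    return None
```

The Delete's SPI is exactly the cookie pair of state #1, so the Windows side is tearing down the phase 1 SA it just negotiated, in the clear; the notify for #3 names a responder cookie the peer says it does not know.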