[Openswan Users] OpenS/WAN and Win2K/XP
Paul Wouters
paul at xelerance.com
Tue Jan 25 01:45:52 CET 2005
On Mon, 24 Jan 2005, David Spear wrote:
> Okay, here's my new win2k ipsec.conf:
>
> **************begin win2k ipsec.conf****************
> conn roadwarrior
> left=%any
> right=192.168.1.101
> rightca="C=CA, S=BC, L=Penticton, O=HMEXC, CN=remote"
Don't you have an emailAddress attribute? Add it after CN using "E=user@address"
(don't use emailAddress=)
From later on in the email, it seems you do not. I am not sure if that works as
expected.
> network=auto
> auto=start
> pfs=yes
>
> conn roadwarrior-net
> left=%any
> right=192.168.1.101
> rightsubnet=192.168.1.0/24
This cannot work. You cannot have one IPsec endpoint in the same range as the
subnet behind it. How can you reach 192.168.1.101 if that is part of 192.168.1.0/24,
which you can reach through 192.168.1.101?
> rightca="C=CA, S=BC, L=Penticton, O=HMEXC, CN=remote"
Same here.
> network=auto
> auto=start
> pfs=yes
> ****************end win2k ipsec.conf*******************
>
> As you can see, I am using a new cert, started from the ground up: new
> CA, new cert, everything is new with no "&" or other funky characters.
>
> However, things seem to have gotten worse, not better. Here's my
> openswan ipsec.conf, revised:
>
> **************begin openswan ipsec.conf**********************
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> # klipsdebug=all
> plutodebug=all
This is not needed. It's better to show output from plutodebug=none, since it is
very unlikely at this point that we have a code error. And configuration errors
do not need this setting (it only makes it MUCH harder to read the logs).
> # crlcheckinterval=600
> # strictcrlpolicy=yes
> myid=@explorer.fdns.net
Remove the myid= lines. It is for OE which you are not using. It might cause confusion.
> conn %default
> rightrsasigkey=%cert
> leftrsasigkey=%cert
> authby=rsasig
> disablearrivalcheck=no
> compress=yes
> keyingtries=1
>
> conn roadwarrior-net
> leftsubnet=192.168.1.0/24
> also=roadwarrior
>
> conn roadwarrior-all
> leftsubnet=0.0.0.0/0
> also=roadwarrior
>
> conn roadwarrior
> left=192.168.1.101
So in fact, left, right and rightsubnet are all the same subnet. That cannot work.
> leftcert=remote.pem
> right=%any
> auto=add
> pfs=yes
> ******************end openswan ipsec.conf*******************
Looks fine.
> Now here's the bad part, my Pluto log. It does not appear that I am
> getting nearly as far as I was before. I completely removed all certs
> and policies from my win2k box, imported new certs, changed ipsec.conf
> to reflect new info.
Did all new certs load properly on Linux and Windows? What is the output
of ipsec auto --listall?
Does the MMC on Windows say good things about the certificate and the root CA?
> Jan 24 15:04:56 explorer pluto[756]: | instantiated "roadwarrior" for 192.168.1.102
> Jan 24 15:04:56 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: responding to Main Mode from unknown peer 192.168.1.102
> Jan 24 15:04:58 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan 24 15:05:00 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #2: responding to Main Mode from unknown peer 192.168.1.102
> Jan 24 15:05:02 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan 24 15:05:03 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #3: responding to Main Mode from unknown peer 192.168.1.102
> Jan 24 15:05:05 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan 24 15:05:08 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: discarding packet received during DNS lookup in STATE_MAIN_R1
> Jan 24 15:05:09 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: discarding packet received during DNS lookup in STATE_MAIN_R1
> Jan 24 15:05:10 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jan 24 15:05:12 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: ignoring Delete SA payload: not encrypted
Here it seems there is confusion about the state of the ISAKMP. Check out
what Windows' oakley.log says. I think it's giving some error about the
local certificate.
> % openssl x509 -in remote.pem -noout -subject
> subject= /C=CA/ST=BC/L=Penticton/O=HMEXC/CN=remote
I am still a bit confused you have no email attribute. I never tested that.
> I think I've spent about 3 days now with no end in sight...
I am sorry :( X.509 is very frustrating, I know :(
Please, try a host-host connection with the roadwarrior first. If that works,
the certificates are OK, and you can try your subnet encryption. I think you
want to encrypt the wireless on 192.168.1.0/24. See our "wavesec" examples for
that. (either from wavesec.org or grab the wavesec EXE files from the ftp server,
they contain an example ipsec.conf for doing this)
Paul
--
"At best it is a theory, at worst a fantasy" -- Michael Crichton
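The overlap Paul points out (a tunnel peer whose own address lies inside the subnet it is supposed to reach through the gateway) is easy to miss by eye, especially once `also=` and `conn %default` spread a connection over several blocks. The following linter is an added example, not code from this thread or from Openswan: it parses ipsec.conf-style `conn` blocks, folds in `%default` and `also=`, and applies that one rule. The sample config is constructed to mirror the quoted Windows config, and the address substituted for `%any` (192.168.1.102, the address seen in the quoted pluto log) is supplied by hand, since a static check cannot know it.

```python
import ipaddress

# Constructed sample in the shape of the quoted Windows ipsec.conf, with the
# subnet conn built via also= the way the quoted Openswan config does it.
SAMPLE_CONF = """\
conn %default
authby=rsasig
pfs=yes

conn roadwarrior
left=%any
right=192.168.1.101
auto=start

conn roadwarrior-net
rightsubnet=192.168.1.0/24
also=roadwarrior
"""


def parse_conns(text):
    """Parse 'conn NAME' blocks of key=value lines into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def resolve(conns, name, _seen=()):
    """Return conn NAME with conn %default and the also= chain folded in.
    Keys set in the conn itself win over keys it includes."""
    if name in _seen:
        raise ValueError("also= loop through %r" % name)
    own = dict(conns[name])
    merged = dict(conns.get("%default", {})) if name != "%default" else {}
    included = own.pop("also", None)
    if included:
        merged.update(resolve(conns, included, _seen + (name,)))
    merged.update(own)
    return merged


def check_conn(conn, any_addr=None):
    """Rule from the thread: the peer on one side must not sit inside the
    subnet declared behind the other side, because that subnet is reached
    through the tunnel to that peer. any_addr is what %any resolved to
    (taken from the pluto log here); if unknown, that side is not checked."""
    ends = {}
    for side in ("left", "right"):
        addr = conn.get(side)
        ends[side] = any_addr if addr == "%any" else addr
    problems = []
    for side, other in (("left", "right"), ("right", "left")):
        subnet, peer = conn.get(side + "subnet"), ends[other]
        if not subnet or not peer:
            continue
        net = ipaddress.ip_network(subnet, strict=False)
        if ipaddress.ip_address(peer) in net:
            problems.append(
                "%s=%s lies inside %ssubnet=%s, which is reached through %s=%s"
                % (other, peer, side, subnet, side, ends[side]))
    return problems


def lint(text, any_addr=None):
    """Map every non-default conn name to its list of overlap problems."""
    conns = parse_conns(text)
    return {name: check_conn(resolve(conns, name), any_addr)
            for name in conns if name != "%default"}


if __name__ == "__main__":
    for name, problems in lint(SAMPLE_CONF, any_addr="192.168.1.102").items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run against the sample, `roadwarrior` (host-to-host, no subnet) passes, which matches the advice to get that working first, while `roadwarrior-net` is flagged because the client at 192.168.1.102 is itself inside 192.168.1.0/24. Feeding a client address outside that range clears the report, which is the situation a roadwarrior on a different network (or a wavesec-style setup with a separate subnet) would be in.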