[Openswan Users] OpenS/WAN and Win2K/XP

David Spear dspear at telus.net
Tue Jan 25 14:18:03 CET 2005


Paul:

The fact that you reply to these mundane problems greatly impresses me
and, in fact, motivates me to be more active in the newsgroups in which
I am expert (NOT ipsec, that's for sure although I may be before I'm
done).  If I lived close enough I would definitely drop off some beer
for you.  I am, as you may have guessed, still having trouble.


> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: January 24, 2005 4:46 PM
> To: David Spear
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] OpenS/WAN and Win2K/XP
> 
> On Mon, 24 Jan 2005, David Spear wrote:
> 
> > Okay, here's my new win2k ipsec.conf:
> >
> > **************begin win2k ipsec.conf****************
> > conn roadwarrior
> > 	left=%any
> >        right=192.168.1.101
> >        rightca="C=CA, S=BC, L=Penticton, O=HMEXC, CN=remote"
> 
> Don't you have an emailAddress attribute? Add it after CN using
> "E=user at address"
> (don't use emailAddress=)
> From later on in the email, it seems you do not. I am not sure if that
> works as expected.

Okay, here is my new cert:

%openssl x509 -in downstairs.pem -noout -subject
subject=/C=CA/ST=BC/L=Penticton/O=HMEXC/CN=downstairs/emailAddress=dspear at telus.net

This cert is located in /etc/ipsec.d/certs.  In my "conn roadwarrior"
section of /etc/ipsec.conf I have

	leftcert=downstairs.pem

And I see a "loaded host cert downstairs.pem" in my log on startup.

I am definitely having problems on the Windows side.  My import of certs
on the win and linux box went flawlessly.

%ipsec auto --listall

shows both my end user cert and CA cert.

MMC on the Win2K box shows both certs in the right place.

Here is my win2k ipsec.conf:

*******************BEGIN WIN2K IPSEC.CONF******************
conn roadwarrior
	left=%any
	right=192.168.1.101
	rightca="C=CA,S=BC,L=Penticton,O=HMEXC,CN=downstairs,E=dspear at telus.net"
	network=auto
	auto=start
	pfs=yes
*******************END WIN2K IPSEC.CONF******************
I got rid of all the connection defs except "roadwarrior" in both
ipsec.conf files (win2k and openswan).


Here's the Oakley log:

****************begin Oakley********************************
1-25: 13:40:30:64 Receive: (get) SA = 0x00000000 from 192.168.1.101.500
 1-25: 13:40:31:5a0 flush(isakmp): f155c55c-73f9-4e5c-86aa447bf544d071
 1-25: 13:40:31:5a0 Oakley group 2 from UI
 1-25: 13:40:31:5a0 Isakmp policy (4 total):
47014f64-96c9-444a-834fd57648dc6e33 PFS=1
 1-25: 13:40:31:5a0 #0: C.Id = 3, H.ID= 2, A.ID = 0, Group = 2 LT=28800
QMs=0
 1-25: 13:40:31:5a0 #1: C.Id = 3, H.ID= 1, A.ID = 0, Group = 2 LT=28800
QMs=0
 1-25: 13:40:31:5a0 #2: C.Id = 1, H.ID= 2, A.ID = 0, Group = 1 LT=28800
QMs=0
 1-25: 13:40:31:5a0 #3: C.Id = 1, H.ID= 1, A.ID = 0, Group = 1 LT=28800
QMs=0
 1-25: 13:40:31:5a0 flush guid(isakmp):
47014f64-96c9-444a-834fd57648dc6e33
 1-25: 13:40:31:5a0 isadb_schedule_kill_oldPolicy_sas:
47014f64-96c9-444a-834fd57648dc6e33 1
 1-25: 13:40:31:5a0 Added Timeout 13e3c8
 1-25: 13:40:31:5a0 Adding policy guid(ipsec):
d4217a97-751a-4eac-b18d687426869ac1
 1-25: 13:40:31:5a0 Authentication Method[0] from UI 5
 1-25: 13:40:31:5a0 Auth[0]: 5 Authinfosize: 0
 1-25: 13:40:31:5a0 Flags from UI 0
 1-25: 13:40:31:5a0 Ipsec policy (6 total):
d4217a97-751a-4eac-b18d687426869ac1 PFS=2331024
 1-25: 13:40:31:5a0 #0: Encrypt C.Id = 3, C.KeyLen = 64, I.ID = 2,
 1-25: 13:40:31:5a0 #1: Encrypt C.Id = 3, C.KeyLen = 64, I.ID = 1,
 1-25: 13:40:31:5a0 #2: Encrypt C.Id = 1, C.KeyLen = 64, I.ID = 2,
 1-25: 13:40:31:5a0 #3: Encrypt C.Id = 1, C.KeyLen = 64, I.ID = 1,
 1-25: 13:40:31:5a0 #4: Auth C.Id = 2, C.KeyLen = 64, I.ID = 0,
 1-25: 13:40:31:5a0 #5: Auth C.Id = 1, C.KeyLen = 64, I.ID = 0,
 1-25: 13:40:31:5a0 flush guid(ipsec):
d4217a97-751a-4eac-b18d687426869ac1
 1-25: 13:40:31:5a0 Adding policy guid(ipsec):
c664c762-275b-474e-a13dffee90c54cb6
 1-25: 13:40:31:5a0 Authentication Method[0] from UI 3
 1-25: 13:40:31:5a0 Using enumeration could not match the CA name "C=CA,S=BC,L=Penticton,O=HMEXC,CN=downstairs,E=dspear at telus.net".
 1-25: 13:40:31:5a0 So using CertStrToName instead
 1-25: 13:40:31:5a0 Auth[0]: 3 Authinfosize: 118
 1-25: 13:40:31:5a0 Flags from UI 2
 1-25: 13:40:31:5a0 Ipsec policy (1 total):
c664c762-275b-474e-a13dffee90c54cb6 PFS=2337224
 1-25: 13:40:31:5a0 #0: Encrypt C.Id = 3, C.KeyLen = 0, I.ID = 1,
 1-25: 13:40:31:5a0 flush guid(ipsec):
c664c762-275b-474e-a13dffee90c54cb6
 1-25: 13:40:31:5a0 Adding policy guid(ipsec):
c6d9f26c-5bc5-4c8c-b20bea15bae45204
 1-25: 13:40:31:5a0 Authentication Method[0] from UI 3
 1-25: 13:40:31:5a0 Using enumeration could not match the CA name "C=CA,S=BC,L=Penticton,O=HMEXC,CN=downstairs,E=dspear at telus.net".
 1-25: 13:40:31:5a0 So using CertStrToName instead
 1-25: 13:40:31:5a0 Auth[0]: 3 Authinfosize: 118
 1-25: 13:40:31:5a0 Flags from UI 2
 1-25: 13:40:31:5a0 Ipsec policy (1 total):
c6d9f26c-5bc5-4c8c-b20bea15bae45204 PFS=2326624
 1-25: 13:40:31:5a0 #0: Encrypt C.Id = 3, C.KeyLen = 0, I.ID = 1,
 1-25: 13:40:31:5a0 flush guid(ipsec):
c6d9f26c-5bc5-4c8c-b20bea15bae45204
 1-25: 13:40:31:64 entered kill_old_policy_sas
 1-25: 13:40:44:64 Reaper deleting SA 23acd8
 1-25: 13:40:44:64 Deleting SA 0023ACD8
 1-25: 13:40:44:64 Cancelling Timeout 13e300
 1-25: 13:40:44:64 ClearFragList
 1-25: 13:40:50:558 Posting acquire: op=812D84C8 src=192.168.1.102.0
dst=192.168.1.101.0 proto = 0, SrcMask=255.255.255.255,
DstMask=255.255.255.255, Tunnel 1, TunnelEndpt=192.168.1.101 Inbound
TunnelEndpt=192.168.1.102
 1-25: 13:40:50:558 Acquire thread waiting
 1-25: 13:40:50:64 find(ipsec): c664c762-275b-474e-a13dffee90c54cb6
 1-25: 13:40:50:64 outstanding_kernel_req returned 0
 1-25: 13:40:50:64 Created new SA 23acd8
 1-25: 13:40:50:64 Acquire: src = 192.168.1.102.62465, dst =
192.168.1.101.62465, proto = 00, context = 812D84C8, ProxySrc =
192.168.1.102.0000, ProxyDst = 192.168.1.101.0000 SrcMask = 0.0.0.0
DstMask = 0.0.0.0
 1-25: 13:40:50:64 constructing ISAKMP Header
 1-25: 13:40:50:64 constructing SA (ISAKMP)
 1-25: 13:40:50:64 find(isakmp): c664c762-275b-474e-a13dffee90c54cb6
 1-25: 13:40:50:64 Setting group desc
 1-25: 13:40:50:64 Setting group desc
 1-25: 13:40:50:64 Setting group desc
 1-25: 13:40:50:64 Setting group desc
 1-25: 13:40:50:64 Constructing Vendor MS NT5 ISAKMPOAKLEY
 1-25: 13:40:50:64 Constructing Vendor FRAGMENTATION
 1-25: 13:40:50:64 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02

 1-25: 13:40:50:64 Throw: State mask=1
 1-25: 13:40:50:64 Added Timeout 14c2b0
 1-25: 13:40:50:64 Setting Retransmit: sa 23acd8 handle 14c2b0 context
234268
 1-25: 13:40:50:64 
 1-25: 13:40:50:64 Sending: SA = 0x0023ACD8 to 192.168.1.101.500
 1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 256 
 1-25: 13:40:50:64   I-COOKIE b7400532692d8257
 1-25: 13:40:50:64   R-COOKIE 0000000000000000
 1-25: 13:40:50:64   exchange: Oakley Main Mode
 1-25: 13:40:50:64   flags: 0 
 1-25: 13:40:50:64   next payload: SA
 1-25: 13:40:50:64   message ID: 00000000
 1-25: 13:40:50:64 
 1-25: 13:40:50:64 Receive: (get) SA = 0x0023acd8 from 192.168.1.101.500
 1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 104 
 1-25: 13:40:50:64   I-COOKIE b7400532692d8257
 1-25: 13:40:50:64   R-COOKIE 7fcf52b9e913796a
 1-25: 13:40:50:64   exchange: Oakley Main Mode
 1-25: 13:40:50:64   flags: 0 
 1-25: 13:40:50:64   next payload: SA
 1-25: 13:40:50:64   message ID: 00000000
 1-25: 13:40:50:64 Stopping RetransTimer sa:0023ACD8 centry:00000000
handle:0014C2B0
 1-25: 13:40:50:64 processing payload SA  
 1-25: 13:40:50:64 Received Phase 1 Transform 1
 1-25: 13:40:50:64      Encryption Alg Triple DES CBC(5)
 1-25: 13:40:50:64      Hash Alg SHA(2)
 1-25: 13:40:50:64      Oakley Group 2
 1-25: 13:40:50:64      Auth Method RSA Signature with Certificates(3)
 1-25: 13:40:50:64      Life type in Seconds
 1-25: 13:40:50:64      Life duration of 28800
 1-25: 13:40:50:64 Phase 1 SA accepted: transform=1
 1-25: 13:40:50:64 SA - Oakley proposal accepted
 1-25: 13:40:50:64 processing payload VENDOR ID
 1-25: 13:40:50:64 Processing Vendor
 1-25: 13:40:50:64 Vendor ID afcad71368a1f1c96b8696fc77570100
 1-25: 13:40:50:64 
 1-25: 13:40:50:64 ClearFragList
 1-25: 13:40:50:64 In state OAK_MM_SA_SETUP
 1-25: 13:40:50:64 constructing ISAKMP Header
 1-25: 13:40:50:64 constructing KE
 1-25: 13:40:50:64 constructing NONCE (ISAKMP)
 1-25: 13:40:50:64 Throw: State mask=7
 1-25: 13:40:50:64 
 1-25: 13:40:50:64 Sending: SA = 0x0023ACD8 to 192.168.1.101.500
 1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 184 
 1-25: 13:40:50:64   I-COOKIE b7400532692d8257
 1-25: 13:40:50:64   R-COOKIE 7fcf52b9e913796a
 1-25: 13:40:50:64   exchange: Oakley Main Mode
 1-25: 13:40:50:64   flags: 0 
 1-25: 13:40:50:64   next payload: KE
 1-25: 13:40:50:64   message ID: 00000000
 1-25: 13:40:50:64 
 1-25: 13:40:50:64 Receive: (get) SA = 0x0023acd8 from 192.168.1.101.500
 1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 180 
 1-25: 13:40:50:64   I-COOKIE b7400532692d8257
 1-25: 13:40:50:64   R-COOKIE 7fcf52b9e913796a
 1-25: 13:40:50:64   exchange: Oakley Main Mode
 1-25: 13:40:50:64   flags: 0 
 1-25: 13:40:50:64   next payload: KE
 1-25: 13:40:50:64   message ID: 00000000
 1-25: 13:40:50:64 Stopping RetransTimer sa:0023ACD8 centry:00000000
handle:0014C2B0
 1-25: 13:40:50:64 processing payload KE  
 1-25: 13:40:50:64 Generated 128 byte Shared Secret
 1-25: 13:40:50:64 KE processed; DH shared secret computed
 1-25: 13:40:50:64 processing payload NONCE
 1-25: 13:40:50:64 ClearFragList
 1-25: 13:40:50:64 In state OAK_MM_Key_EXCH
 1-25: 13:40:50:64 skeyid generated; crypto enabled (initiator)
 1-25: 13:40:50:64 constructing ISAKMP Header
 1-25: 13:40:50:64 constructing ID
 1-25: 13:40:50:64 Received no valid CRPs.  Using all configured
 1-25: 13:40:50:64 Looking for IPSec only cert
 1-25: 13:40:50:64 failed to get chain -2146885628
 1-25: 13:40:50:64 Looking for any cert
 1-25: 13:40:50:64 failed to get chain -2146885628
 1-25: 13:40:50:64 ProcessFailure: sa:0023ACD8 centry:00000000
status:cbad0326
 1-25: 13:40:50:64 isadb_set_status sa:0023ACD8 centry:00000000 status cbad0326
 1-25: 13:40:50:64 Key Exchange Mode (Main Mode)
 1-25: 13:40:50:64 Source IP Address 192.168.1.102Source IP Address Mask
255.255.255.255Destination IP Address 192.168.1.101Destination IP
Address Mask 255.255.255.255Protocol 0Source Port 0Destination Port 0
 1-25: 13:40:50:64 Me
 1-25: 13:40:50:64 IKE failed to find valid machine certificate
 1-25: 13:40:50:64 ProcessFailure: sa:0023ACD8 centry:00000000 status:cbad0326
 1-25: 13:40:50:64 constructing ISAKMP Header
 1-25: 13:40:50:64 constructing HASH (null)
 1-25: 13:40:50:64 constructing NOTIFY 28
 1-25: 13:40:50:64 constructing HASH (ND)
 1-25: 13:40:50:64 Construct ND hash message len = 28 pcklen=80
hashlen=20
 1-25: 13:40:50:64 Construct ND Hash mess ID 94a03f7d
 1-25: 13:40:50:64 ND Hash skeyid_a eafdd6ce817e022acb54b22258ffd02c
 1-25: 13:40:50:64 a4f3549e
 1-25: 13:40:50:64 ND Hash message 0000001c000000010110001cb7400532
 1-25: 13:40:50:64 692d82577fcf52b9e913796a
 1-25: 13:40:50:64 Throw: State mask=200110f
 1-25: 13:40:50:64 Doing tripleDES
 1-25: 13:40:50:64 
 1-25: 13:40:50:64 Sending: SA = 0x0023ACD8 to 192.168.1.101.500
 1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 84 
 1-25: 13:40:50:64   I-COOKIE b7400532692d8257
 1-25: 13:40:50:64   R-COOKIE 7fcf52b9e913796a
 1-25: 13:40:50:64   exchange: ISAKMP Informational Exchange
 1-25: 13:40:50:64   flags: 1 ( encrypted )
 1-25: 13:40:50:64   next payload: HASH
 1-25: 13:40:50:64   message ID: 94a03f7d
 1-25: 13:40:50:64 
 1-25: 13:40:50:64 Receive: (get) SA = 0x0023acd8 from 192.168.1.101.500
 1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 40 
 1-25: 13:40:50:64   I-COOKIE b7400532692d8257
 1-25: 13:40:50:64   R-COOKIE 7fcf52b9e913796a
 1-25: 13:40:50:64   exchange: ISAKMP Informational Exchange
 1-25: 13:40:50:64   flags: 0 
 1-25: 13:40:50:64   next payload: NOTIFY
 1-25: 13:40:50:64   message ID: aed8df27
 1-25: 13:40:50:64 received an unencrypted packet when crypto active
 1-25: 13:40:50:64 GetPacket failed cbad0324
 1-25: 13:41:00:64 
 1-25: 13:41:00:64 Receive: (get) SA = 0x0023acd8 from 192.168.1.101.500
 1-25: 13:41:00:64 ISAKMP Header: (V1.0), len = 180 
 1-25: 13:41:00:64   I-COOKIE b7400532692d8257
 1-25: 13:41:00:64   R-COOKIE 7fcf52b9e913796a
 1-25: 13:41:00:64   exchange: Oakley Main Mode
 1-25: 13:41:00:64   flags: 0 
 1-25: 13:41:00:64   next payload: KE
 1-25: 13:41:00:64   message ID: 00000000
 1-25: 13:41:00:64 received an unencrypted packet when crypto active
 1-25: 13:41:00:64 GetPacket failed cbad0324
 1-25: 13:41:05:5a0 flush guid(ipsec):
d4217a97-751a-4eac-b18d687426869ac1
 1-25: 13:41:05:5a0 Actually flushing guid(ipsec):
d4217a97-751a-4eac-b18d687426869ac1
 1-25: 13:41:05:5a0 isadb_schedule_kill_oldPolicy_sas:
d4217a97-751a-4eac-b18d687426869ac1 0
 1-25: 13:41:05:5a0 Added Timeout 151f88
 1-25: 13:41:05:5a0 flush guid(ipsec):
c664c762-275b-474e-a13dffee90c54cb6
 1-25: 13:41:05:5a0 Actually flushing guid(ipsec):
c664c762-275b-474e-a13dffee90c54cb6
 1-25: 13:41:05:5a0 isadb_schedule_kill_oldPolicy_sas:
c664c762-275b-474e-a13dffee90c54cb6 0
 1-25: 13:41:05:5a0 Added Timeout 127fe0
 1-25: 13:41:05:5a0 flush guid(ipsec):
c6d9f26c-5bc5-4c8c-b20bea15bae45204
 1-25: 13:41:05:5a0 Actually flushing guid(ipsec):
c6d9f26c-5bc5-4c8c-b20bea15bae45204
 1-25: 13:41:05:5a0 isadb_schedule_kill_oldPolicy_sas:
c6d9f26c-5bc5-4c8c-b20bea15bae45204 0
 1-25: 13:41:05:5a0 Added Timeout 158330
 1-25: 13:41:05:64 entered kill_old_policy_sas
 1-25: 13:41:05:658 entered kill_old_policy_sas
 1-25: 13:41:05:658 SA Dead. sa:0023ACD8 status:cbad0351
 1-25: 13:41:05:658 constructing ISAKMP Header
 1-25: 13:41:05:658 constructing HASH (null)
 1-25: 13:41:05:658 constructing DELETE
 1-25: 13:41:05:658 constructing HASH (ND)
 1-25: 13:41:05:658 Construct ND hash message len = 28 pcklen=80
hashlen=20
 1-25: 13:41:05:658 Construct ND Hash mess ID 0b941af3
 1-25: 13:41:05:658 ND Hash skeyid_a eafdd6ce817e022acb54b22258ffd02c
 1-25: 13:41:05:658 a4f3549e
 1-25: 13:41:05:658 ND Hash message 0000001c0000000101100001b7400532
 1-25: 13:41:05:658 692d82577fcf52b9e913796a
 1-25: 13:41:05:658 Throw: State mask=110f
 1-25: 13:41:05:658 Doing tripleDES
 1-25: 13:41:05:658 
 1-25: 13:41:05:658 Sending: SA = 0x0023ACD8 to 192.168.1.101.500
 1-25: 13:41:05:658 ISAKMP Header: (V1.0), len = 84 
 1-25: 13:41:05:658   I-COOKIE b7400532692d8257
 1-25: 13:41:05:658   R-COOKIE 7fcf52b9e913796a
 1-25: 13:41:05:658   exchange: ISAKMP Informational Exchange
 1-25: 13:41:05:658   flags: 1 ( encrypted )
 1-25: 13:41:05:658   next payload: HASH
 1-25: 13:41:05:658   message ID: 0b941af3
 1-25: 13:41:05:658 entered kill_old_policy_sas
 1-25: 13:41:05:658 
 1-25: 13:41:05:658 Receive: (get) SA = 0x00000000 from
192.168.1.101.500
 1-25: 13:41:05:658 ISAKMP Header: (V1.0), len = 40 
 1-25: 13:41:05:658   I-COOKIE b7400532692d8257
 1-25: 13:41:05:658   R-COOKIE 7fcf52b9e913796a
 1-25: 13:41:05:658   exchange: ISAKMP Informational Exchange
 1-25: 13:41:05:658   flags: 0 
 1-25: 13:41:05:658   next payload: NOTIFY
 1-25: 13:41:05:658   message ID: c16f5b76
 1-25: 13:41:05:658 received an unencrypted packet when crypto active
 1-25: 13:41:05:658 GetPacket failed cbad0324
*********************END OAKLEY LOG***********************************

Here is EXACTLY what I did to get the cert on the Win2k box:

# CA -newreq (DN as above in logs, etc.)
# CA -sign
# cp newreq.pem /etc/ipsec.d/private/downstairs.key
# cp newcert.pem /etc/ipsec.d/certs
# openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -certfile demoCA/cacert.pem -out downstairs.p12

I then moved downstairs.p12 onto the Win2K machine and used MMC to
import, entered password, got "Import Successful" message.  There is a
cert (Subject=downstairs, issuer=explorer) in Personal Certs folder and
a cert (subject=explorer=issuer) in the Trusted Root CA Cert folder.  I
am guessing that the "IKE failed to find valid machine certificate"
means that no x509 authentication will go on and that ipsec is moving to
step 2, perhaps a shared secret approach?  I had not seen this message
previously.

> 
> > 	network=auto
> > 	auto=start
> > 	pfs=yes
> >
> > conn roadwarrior-net
> > 	left=%any
> >        right=192.168.1.101
> > 	rightsubnet=192.168.1.0/24
> 
> This cannot work. You cannot have one ipsec endpoint in the same range as
> the subnet behind it. How can you reach 192.168.1.101 if that is part of
> 192.168.1.0/24 that you can reach through 192.168.1.101 ?
> 
> 
> > 	rightca="C=CA, S=BC, L=Penticton, O=HMEXC, CN=remote"
> 
See above, I turfed all the connections but roadwarrior.  The way I
assumed (bad bad bad) is that all local subnet traffic would be routed
through the ipsec tunnel once it is established with the destination
host... anyway, the "roadwarrior-net" and "roadwarrior-all" are gone.


> Same here.
> 
> > 	network=auto
> > 	auto=start
> > 	pfs=yes
> > ****************end win2k ipsec.conf*******************
> >
> > As you can see, I am using a new cert, started from the ground up: new
> > CA, new cert, everything is new with no "&" or other funky characters.
> >
> > However, things seem to have gotten worse, not better.  Here's my
> > openswan ipsec.conf, revised:
> >
> > **************begin openswan ipsec.conf**********************
> > version 2.0     # conforms to second version of ipsec.conf specification
> >
> > # basic configuration
> > config setup
> >        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
> >        # klipsdebug=all
> >         plutodebug=all
> 
> this is not needed. It's better to show output from plutodebug=none, since
> it is very unlikely at this point that we have a code error. And
> configuration errors do not need this setting (It only makes it MUCH harder
> to read the logs)

Done and agreed, didn't know how much or which info you needed so I
figured "more is better".

> 
> >        # crlcheckinterval=600
> >        # strictcrlpolicy=yes
> >        myid=@explorer.fdns.net
> 
> Remove the myid= lines. It is for OE which you are not using. It might
> cause confusion.
> 

Done.

> > conn %default
> >        rightrsasigkey=%cert
> >        leftrsasigkey=%cert
> >        authby=rsasig
> >        disablearrivalcheck=no
> >        compress=yes
> >        keyingtries=1
> >
> > conn roadwarrior-net
> >        leftsubnet=192.168.1.0/24
> >        also=roadwarrior
> >
> > conn roadwarrior-all
> >        leftsubnet=0.0.0.0/0
> >        also=roadwarrior
> >
> > conn roadwarrior
> >        left=192.168.1.101
> 
> So in fact, left right and rightsubnet are all the same subnet. That
> cannot work.
> 
> >        leftcert=remote.pem
> >        right=%any
> >        auto=add
> >        pfs=yes
> > ******************end openswan ipsec.conf*******************
> 
> Looks fine.
> 
> > Now here's the bad part, my Pluto log.  It does not appear that I am
> > getting nearly as far as I was before.  I completely removed all certs
> > and policies from my win2k box, imported new certs, changed ipsec.conf
> > to reflect new info.
> 
> did all new certs load properly on linux and windows? What is the output
> of ipsec auto --listall ?
> Does the MMC on windows say good things about the certificate and the root
> CA?
> 
> > Jan 24 15:04:56 explorer pluto[756]: | instantiated "roadwarrior" for 192.168.1.102
> > Jan 24 15:04:56 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: responding to Main Mode from unknown peer 192.168.1.102
> > Jan 24 15:04:58 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > Jan 24 15:05:00 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #2: responding to Main Mode from unknown peer 192.168.1.102
> > Jan 24 15:05:02 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > Jan 24 15:05:03 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #3: responding to Main Mode from unknown peer 192.168.1.102
> > Jan 24 15:05:05 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > Jan 24 15:05:08 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: discarding packet received during DNS lookup in STATE_MAIN_R1
> > Jan 24 15:05:09 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: discarding packet received during DNS lookup in STATE_MAIN_R1
> > Jan 24 15:05:10 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> > Jan 24 15:05:12 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: ignoring Delete SA payload: not encrypted
> 
> Here it seems there is confusion about the state of the ISAKMP. Check out
> what Windows' oakley.log says. I think it's giving some error about the
> local certificate.
> 
> > % openssl x509 -in remote.pem -noout -subject
> > subject= /C=CA/ST=BC/L=Penticton/O=HMEXC/CN=remote
> 
> I am still a bit confused you have no email attribute. I never tested
> that.
> 
> > I think I've spent about 3 days now with no end in sight...
> 
> I am sorry :( X.509 is very frustrating, I know :(
> 
> Please, try a host-host connection with the roadwarrior first. If that
> works, the certificates are OK, and you can try your subnet encryption. I
> think you want to encrypt the wireless on 192.168.1.0/24. See our "wavesec"
> examples for that. (either from wavesec.org or grab the wavesec EXE files
> from the ftp server, they contain an example ipsec.conf for doing this)
> 
> Paul
> --
> 
> "At best it is a theory, at worst a fantasy" -- Michael Crichton
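An added example, not code from this thread or from Openswan: the check a practitioner would run after seeing "could not match the CA name" in the Oakley log above. The rightca= value in the Windows ipsec.conf has to name the CA that issued the host certificate (the issuer, CN=explorer in this mail), not the host certificate's own subject (CN=downstairs). The script converts openssl -subject/-issuer output into the comma-separated S=/E= form Paul described and compares it with rightca; the issuer DN is assumed apart from its CN, and the "at" in the address is restored to "@".

```python
# OpenSSL prints ST and emailAddress; the Windows ipsec.conf tool wants S and E.
OPENSSL_TO_WIN = {"ST": "S", "EMAILADDRESS": "E"}

def parse_openssl_dn(line):
    """Parse 'subject=/C=CA/ST=BC/.../CN=x' (openssl x509 -subject or -issuer
    output) into ordered (attribute, value) pairs. Values containing '/' are
    not handled."""
    if "=" in line and line.split("=", 1)[0].strip() in ("subject", "issuer"):
        line = line.split("=", 1)[1]
    pairs = []
    for part in line.strip().split("/"):
        if part:
            attr, _, value = part.partition("=")
            pairs.append((attr.strip(), value.strip()))
    return pairs

def parse_ipsec_conf_dn(dn):
    """Parse 'C=CA, S=BC, L=Penticton, ...' (rightca= style, quotes optional)."""
    pairs = []
    for item in dn.strip().strip('"').split(","):
        attr, _, value = item.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs

def normalize(pairs):
    """Upper-case attribute names and map them to the Windows short form, so
    ST=BC vs S=BC and emailAddress=x vs E=x compare equal."""
    return [(OPENSSL_TO_WIN.get(a.upper(), a.upper()), v) for a, v in pairs]

def to_ipsec_conf_dn(pairs):
    """Render pairs as a value ready to paste into rightca=..."""
    return ",".join(f"{a}={v}" for a, v in normalize(pairs))

def check_rightca(rightca, host_subject_line, host_issuer_line):
    """Report whether rightca names the issuer (correct) or the host cert's own
    subject (a common mix-up), and suggest the issuer DN in rightca form."""
    want = normalize(parse_ipsec_conf_dn(rightca))
    subject = normalize(parse_openssl_dn(host_subject_line))
    issuer = normalize(parse_openssl_dn(host_issuer_line))
    return {
        "matches_issuer": want == issuer,
        "matches_subject": want == subject,
        "suggested_rightca": to_ipsec_conf_dn(issuer),
    }

# Constructed sample data: the host subject is the one printed in the mail
# (with "@" restored); the issuer DN is assumed except for CN=explorer.
HOST_SUBJECT = "subject=/C=CA/ST=BC/L=Penticton/O=HMEXC/CN=downstairs/emailAddress=dspear@telus.net"
HOST_ISSUER = "issuer=/C=CA/ST=BC/L=Penticton/O=HMEXC/CN=explorer"
RIGHTCA_FROM_MAIL = '"C=CA,S=BC,L=Penticton,O=HMEXC,CN=downstairs,E=dspear@telus.net"'

if __name__ == "__main__":
    result = check_rightca(RIGHTCA_FROM_MAIL, HOST_SUBJECT, HOST_ISSUER)
    if result["matches_issuer"]:
        print("rightca names the CA: OK")
    elif result["matches_subject"]:
        print("rightca names the host cert itself, not its CA; try:")
        print(f'rightca="{result["suggested_rightca"]}"')
    else:
        print("rightca matches neither subject nor issuer; check the DN spelling")
```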
