[Openswan Users] OpenS/WAN and Win2K/XP

Jaroslaw Zdrzalek jz at silpion.de
Wed Jan 26 00:13:29 CET 2005


hi users,
recently i reviewed the x509-patch-docs and so i know where to look for
the clarification:
from
http://www.strongsec.com/freeswan/install.txt
ST           State or province
S            Surname

You have a typo in the windows ipsec.conf in the DN/subject line of the cert.

hopefully it was the whole thing...

regards
jz
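As an added illustration (not code from this thread, Openswan or the Windows ipsec.exe tool): a small Python check that parses a DN both as openssl prints it and as the Windows-side ipsec.conf spells it, maps both onto one canonical attribute set using the install.txt meanings quoted above (ST = State or Province, S = Surname, E= rather than emailAddress=), and reports which attributes do not line up. The e-mail address in the sample is a constructed placeholder; since rightca= names the issuing CA, the DN to feed in from a real setup is the output of `openssl x509 -noout -issuer`, not the subject of the host certificate.

```python
"""Compare an X.509 DN as printed by openssl with the DN string written in the
Windows-side ipsec.conf (rightca=...), flagging attribute keys that do not mean
the same thing.  Constructed example, not Openswan or ipsec.exe code."""

# Key spellings seen in openssl output and in the Windows-side ipsec.conf,
# mapped to one canonical name.  Per the x509 patch install.txt, "ST" is
# State/Province and "S" is Surname, so the two are NOT aliases.
CANONICAL = {
    "C": "C", "ST": "ST", "S": "SN", "L": "L", "O": "O", "OU": "OU",
    "CN": "CN", "emailAddress": "E", "E": "E",
}

# Spelling the Windows-side ipsec.conf expects for each canonical key
# (E= rather than emailAddress=, as advised in the thread).
WINDOWS_KEY = {"C": "C", "ST": "ST", "SN": "S", "L": "L", "O": "O",
               "OU": "OU", "CN": "CN", "E": "E"}


def parse_dn(text):
    """Parse '/C=CA/ST=BC/...' (openssl, optionally prefixed 'subject=' or
    'issuer=') or 'C=CA, S=BC, ...' (Windows conf) into an ordered list of
    (canonical_key, value) pairs.  Values containing the separator are not
    handled; the DNs in this thread have none."""
    text = text.strip()
    if text.startswith("subject=") or text.startswith("issuer="):
        text = text.split("=", 1)[1].strip()
    sep = "/" if text.startswith("/") else ","
    pairs = []
    for part in text.strip("/").split(sep):
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        key = key.strip()
        if key not in CANONICAL:
            raise ValueError("unknown DN attribute %r" % key)
        pairs.append((CANONICAL[key], value.strip()))
    return pairs


def to_windows_dn(openssl_dn):
    """Render an openssl subject/issuer line in the form the Windows conf wants."""
    return ",".join("%s=%s" % (WINDOWS_KEY[k], v) for k, v in parse_dn(openssl_dn))


def dn_mismatches(cert_dn, configured_dn):
    """Return attributes that differ between the certificate DN and the
    configured one; an empty list means the two name the same entity."""
    want = parse_dn(cert_dn)
    have = parse_dn(configured_dn)
    return ([("missing", k, v) for k, v in want if (k, v) not in have]
            + [("unexpected", k, v) for k, v in have if (k, v) not in want])


if __name__ == "__main__":
    # Constructed sample in the shape of the thread's DNs (placeholder e-mail).
    CERT = "subject=/C=CA/ST=BC/L=Penticton/O=HMEXC/CN=downstairs/emailAddress=user@example.net"
    CONF = "C=CA,S=BC,L=Penticton,O=HMEXC,CN=downstairs,E=user@example.net"
    for kind, key, value in dn_mismatches(CERT, CONF):
        print("%s: %s=%s" % (kind, key, value))   # flags ST vs SN (Surname)
    print('rightca="%s"' % to_windows_dn(CERT))
```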

On Tue, 25.01.2005 at 22:18, David Spear wrote:
> Paul:
> 
> The fact that you reply to these mundane problems greatly impresses me
> and, in fact, motivates me to be more active in the newsgroups in which
> I am expert (NOT ipsec, that's for sure although I may be before I'm
> done).  If I lived close enough I would definitely drop off some beer
> for you.  I am, as you may have guessed, still having trouble.
> 
> 
> > -----Original Message-----
> > From: Paul Wouters [mailto:paul at xelerance.com]
> > Sent: January 24, 2005 4:46 PM
> > To: David Spear
> > Cc: users at openswan.org
> > Subject: RE: [Openswan Users] OpenS/WAN and Win2K/XP
> > 
> > On Mon, 24 Jan 2005, David Spear wrote:
> > 
> > > Okay, here's my new win2k ipsec.conf:
> > >
> > > **************begin win2k ipsec.conf****************
> > > conn roadwarrior
> > > 	left=%any
> > >        right=192.168.1.101
> > >        rightca="C=CA, S=BC, L=Penticton, O=HMEXC, CN=remote"
> > 
> > Don't you have an emailAddress attribute? Add it after CN using
> > "E=user at address"
> > (don't use emailAddress=)
> > From later on in the email, it seems you do not. I am not sure if that
> > works as expected.
> 
> Okay, here is my new cert:
> 
> %openssl x509 -in downstairs.pem -noout -subject
> subject=/C=CA/ST=BC/L=Penticton/O=HMEXC/CN=downstairs/emailAddress=dspea
> r at telus.net
> 
> This cert is located in /etc/ipsec.d/certs.  In my "conn roadwarrior"
> section of /etc/ipsec.conf I have
> 
> 	Leftcert=downstairs.pem
> 
> And I see a "loaded host cert downstairs.pem" in my log on startup.
> 
> I am definitely having problems on the Windows side.  My import of certs
> on the win and linux box went flawlessly.
> 
> %ipsec auto --listall
> 
> shows both my end user cert and CA cert.
> 
> MMC on the Win2K box shows both certs in the right place.
> 
> Here is my win2k ipsec.conf:
> 
> *******************BEGIN WIN2K IPSEC.CONF******************
> conn roadwarrior
> 	left=%any
> 	right=192.168.1.101
> 	
> rightca="C=CA,S=BC,L=Penticton,O=HMEXC,CN=downstairs,E=dspear at telus.net"
> 	network=auto
> 	auto=start
> 	pfs=yes
> *******************END WIN2K IPSEC.CONF******************
> I got rid of all the connection defs except "roadwarrior" in both
> ipsec.conf files (win2k and openswan).
> 
> 
> Here's the Oakley log:
> 
> ****************begin Oakley********************************
> 1-25: 13:40:30:64 Receive: (get) SA = 0x00000000 from 192.168.1.101.500
>  1-25: 13:40:31:5a0 flush(isakmp): f155c55c-73f9-4e5c-86aa447bf544d071
>  1-25: 13:40:31:5a0 Oakley group 2 from UI
>  1-25: 13:40:31:5a0 Isakmp policy (4 total):
> 47014f64-96c9-444a-834fd57648dc6e33 PFS=1
>  1-25: 13:40:31:5a0 #0: C.Id = 3, H.ID= 2, A.ID = 0, Group = 2 LT=28800
> QMs=0
>  1-25: 13:40:31:5a0 #1: C.Id = 3, H.ID= 1, A.ID = 0, Group = 2 LT=28800
> QMs=0
>  1-25: 13:40:31:5a0 #2: C.Id = 1, H.ID= 2, A.ID = 0, Group = 1 LT=28800
> QMs=0
>  1-25: 13:40:31:5a0 #3: C.Id = 1, H.ID= 1, A.ID = 0, Group = 1 LT=28800
> QMs=0
>  1-25: 13:40:31:5a0 flush guid(isakmp):
> 47014f64-96c9-444a-834fd57648dc6e33
>  1-25: 13:40:31:5a0 isadb_schedule_kill_oldPolicy_sas:
> 47014f64-96c9-444a-834fd57648dc6e33 1
>  1-25: 13:40:31:5a0 Added Timeout 13e3c8
>  1-25: 13:40:31:5a0 Adding policy guid(ipsec):
> d4217a97-751a-4eac-b18d687426869ac1
>  1-25: 13:40:31:5a0 Authentication Method[0] from UI 5
>  1-25: 13:40:31:5a0 Auth[0]: 5 Authinfosize: 0
>  1-25: 13:40:31:5a0 Flags from UI 0
>  1-25: 13:40:31:5a0 Ipsec policy (6 total):
> d4217a97-751a-4eac-b18d687426869ac1 PFS=2331024
>  1-25: 13:40:31:5a0 #0: Encrypt C.Id = 3, C.KeyLen = 64, I.ID = 2,
>  1-25: 13:40:31:5a0 #1: Encrypt C.Id = 3, C.KeyLen = 64, I.ID = 1,
>  1-25: 13:40:31:5a0 #2: Encrypt C.Id = 1, C.KeyLen = 64, I.ID = 2,
>  1-25: 13:40:31:5a0 #3: Encrypt C.Id = 1, C.KeyLen = 64, I.ID = 1,
>  1-25: 13:40:31:5a0 #4: Auth C.Id = 2, C.KeyLen = 64, I.ID = 0,
>  1-25: 13:40:31:5a0 #5: Auth C.Id = 1, C.KeyLen = 64, I.ID = 0,
>  1-25: 13:40:31:5a0 flush guid(ipsec):
> d4217a97-751a-4eac-b18d687426869ac1
>  1-25: 13:40:31:5a0 Adding policy guid(ipsec):
> c664c762-275b-474e-a13dffee90c54cb6
>  1-25: 13:40:31:5a0 Authentication Method[0] from UI 3
>  
> 1-25: 13:40:31:5a0 Using enumeration could not match the CA name
> "C=CA,S=BC,L=Penticton,O=HMEXC,CN=downstairs,E=dspear at telus.net".
>  
> 1-25: 13:40:31:5a0 So using CertStrToName instead
>  1-25: 13:40:31:5a0 Auth[0]: 3 Authinfosize: 118
>  1-25: 13:40:31:5a0 Flags from UI 2
>  1-25: 13:40:31:5a0 Ipsec policy (1 total):
> c664c762-275b-474e-a13dffee90c54cb6 PFS=2337224
>  1-25: 13:40:31:5a0 #0: Encrypt C.Id = 3, C.KeyLen = 0, I.ID = 1,
>  1-25: 13:40:31:5a0 flush guid(ipsec):
> c664c762-275b-474e-a13dffee90c54cb6
>  1-25: 13:40:31:5a0 Adding policy guid(ipsec):
> c6d9f26c-5bc5-4c8c-b20bea15bae45204
>  1-25: 13:40:31:5a0 Authentication Method[0] from UI 3
>  
> 
> 1-25: 13:40:31:5a0 Using enumeration could not match the CA name
> "C=CA,S=BC,L=Penticton,O=HMEXC,CN=downstairs,E=dspear at telus.net".
>  
> 
> 1-25: 13:40:31:5a0 So using CertStrToName instead
>  1-25: 13:40:31:5a0 Auth[0]: 3 Authinfosize: 118
>  1-25: 13:40:31:5a0 Flags from UI 2
>  1-25: 13:40:31:5a0 Ipsec policy (1 total):
> c6d9f26c-5bc5-4c8c-b20bea15bae45204 PFS=2326624
>  1-25: 13:40:31:5a0 #0: Encrypt C.Id = 3, C.KeyLen = 0, I.ID = 1,
>  1-25: 13:40:31:5a0 flush guid(ipsec):
> c6d9f26c-5bc5-4c8c-b20bea15bae45204
>  1-25: 13:40:31:64 entered kill_old_policy_sas
>  1-25: 13:40:44:64 Reaper deleting SA 23acd8
>  1-25: 13:40:44:64 Deleting SA 0023ACD8
>  1-25: 13:40:44:64 Cancelling Timeout 13e300
>  1-25: 13:40:44:64 ClearFragList
>  1-25: 13:40:50:558 Posting acquire: op=812D84C8 src=192.168.1.102.0
> dst=192.168.1.101.0 proto = 0, SrcMask=255.255.255.255,
> DstMask=255.255.255.255, Tunnel 1, TunnelEndpt=192.168.1.101 Inbound
> TunnelEndpt=192.168.1.102
>  1-25: 13:40:50:558 Acquire thread waiting
>  1-25: 13:40:50:64 find(ipsec): c664c762-275b-474e-a13dffee90c54cb6
>  1-25: 13:40:50:64 outstanding_kernel_req returned 0
>  1-25: 13:40:50:64 Created new SA 23acd8
>  1-25: 13:40:50:64 Acquire: src = 192.168.1.102.62465, dst =
> 192.168.1.101.62465, proto = 00, context = 812D84C8, ProxySrc =
> 192.168.1.102.0000, ProxyDst = 192.168.1.101.0000 SrcMask = 0.0.0.0
> DstMask = 0.0.0.0
>  1-25: 13:40:50:64 constructing ISAKMP Header
>  1-25: 13:40:50:64 constructing SA (ISAKMP)
>  1-25: 13:40:50:64 find(isakmp): c664c762-275b-474e-a13dffee90c54cb6
>  1-25: 13:40:50:64 Setting group desc
>  1-25: 13:40:50:64 Setting group desc
>  1-25: 13:40:50:64 Setting group desc
>  1-25: 13:40:50:64 Setting group desc
>  1-25: 13:40:50:64 Constructing Vendor MS NT5 ISAKMPOAKLEY
>  1-25: 13:40:50:64 Constructing Vendor FRAGMENTATION
>  1-25: 13:40:50:64 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
> 
>  1-25: 13:40:50:64 Throw: State mask=1
>  1-25: 13:40:50:64 Added Timeout 14c2b0
>  1-25: 13:40:50:64 Setting Retransmit: sa 23acd8 handle 14c2b0 context
> 234268
>  1-25: 13:40:50:64 
>  1-25: 13:40:50:64 Sending: SA = 0x0023ACD8 to 192.168.1.101.500
>  1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 256 
>  1-25: 13:40:50:64   I-COOKIE b7400532692d8257
>  1-25: 13:40:50:64   R-COOKIE 0000000000000000
>  1-25: 13:40:50:64   exchange: Oakley Main Mode
>  1-25: 13:40:50:64   flags: 0 
>  1-25: 13:40:50:64   next payload: SA
>  1-25: 13:40:50:64   message ID: 00000000
>  1-25: 13:40:50:64 
>  1-25: 13:40:50:64 Receive: (get) SA = 0x0023acd8 from 192.168.1.101.500
>  1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 104 
>  1-25: 13:40:50:64   I-COOKIE b7400532692d8257
>  1-25: 13:40:50:64   R-COOKIE 7fcf52b9e913796a
>  1-25: 13:40:50:64   exchange: Oakley Main Mode
>  1-25: 13:40:50:64   flags: 0 
>  1-25: 13:40:50:64   next payload: SA
>  1-25: 13:40:50:64   message ID: 00000000
>  1-25: 13:40:50:64 Stopping RetransTimer sa:0023ACD8 centry:00000000
> handle:0014C2B0
>  1-25: 13:40:50:64 processing payload SA  
>  1-25: 13:40:50:64 Received Phase 1 Transform 1
>  1-25: 13:40:50:64      Encryption Alg Triple DES CBC(5)
>  1-25: 13:40:50:64      Hash Alg SHA(2)
>  1-25: 13:40:50:64      Oakley Group 2
>  1-25: 13:40:50:64      Auth Method RSA Signature with Certificates(3)
>  1-25: 13:40:50:64      Life type in Seconds
>  1-25: 13:40:50:64      Life duration of 28800
>  1-25: 13:40:50:64 Phase 1 SA accepted: transform=1
>  1-25: 13:40:50:64 SA - Oakley proposal accepted
>  1-25: 13:40:50:64 processing payload VENDOR ID
>  1-25: 13:40:50:64 Processing Vendor
>  1-25: 13:40:50:64 Vendor ID afcad71368a1f1c96b8696fc77570100
>  1-25: 13:40:50:64 
>  1-25: 13:40:50:64 ClearFragList
>  1-25: 13:40:50:64 In state OAK_MM_SA_SETUP
>  1-25: 13:40:50:64 constructing ISAKMP Header
>  1-25: 13:40:50:64 constructing KE
>  1-25: 13:40:50:64 constructing NONCE (ISAKMP)
>  1-25: 13:40:50:64 Throw: State mask=7
>  1-25: 13:40:50:64 
>  1-25: 13:40:50:64 Sending: SA = 0x0023ACD8 to 192.168.1.101.500
>  1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 184 
>  1-25: 13:40:50:64   I-COOKIE b7400532692d8257
>  1-25: 13:40:50:64   R-COOKIE 7fcf52b9e913796a
>  1-25: 13:40:50:64   exchange: Oakley Main Mode
>  1-25: 13:40:50:64   flags: 0 
>  1-25: 13:40:50:64   next payload: KE
>  1-25: 13:40:50:64   message ID: 00000000
>  1-25: 13:40:50:64 
>  1-25: 13:40:50:64 Receive: (get) SA = 0x0023acd8 from 192.168.1.101.500
>  1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 180 
>  1-25: 13:40:50:64   I-COOKIE b7400532692d8257
>  1-25: 13:40:50:64   R-COOKIE 7fcf52b9e913796a
>  1-25: 13:40:50:64   exchange: Oakley Main Mode
>  1-25: 13:40:50:64   flags: 0 
>  1-25: 13:40:50:64   next payload: KE
>  1-25: 13:40:50:64   message ID: 00000000
>  1-25: 13:40:50:64 Stopping RetransTimer sa:0023ACD8 centry:00000000
> handle:0014C2B0
>  1-25: 13:40:50:64 processing payload KE  
>  1-25: 13:40:50:64 Generated 128 byte Shared Secret
>  1-25: 13:40:50:64 KE processed; DH shared secret computed
>  1-25: 13:40:50:64 processing payload NONCE
>  1-25: 13:40:50:64 ClearFragList
>  1-25: 13:40:50:64 In state OAK_MM_Key_EXCH
>  1-25: 13:40:50:64 skeyid generated; crypto enabled (initiator)
>  1-25: 13:40:50:64 constructing ISAKMP Header
>  1-25: 13:40:50:64 constructing ID
>  
> 1-25: 13:40:50:64 Received no valid CRPs.  Using all configured
>  1-25: 13:40:50:64 Looking for IPSec only cert
>  1-25: 13:40:50:64 failed to get chain -2146885628
>  1-25: 13:40:50:64 Looking for any cert
>  1-25: 13:40:50:64 failed to get chain -2146885628
>  1-25: 13:40:50:64 ProcessFailure: sa:0023ACD8 centry:00000000
> status:cbad0326
>  
> 1-25: 13:40:50:64 isadb_set_status sa:0023ACD8 centry:00000000 status
> cbad0326
>  1-25: 13:40:50:64 Key Exchange Mode (Main Mode)
>  1-25: 13:40:50:64 Source IP Address 192.168.1.102Source IP Address Mask
> 255.255.255.255Destination IP Address 192.168.1.101Destination IP
> Address Mask 255.255.255.255Protocol 0Source Port 0Destination Port 0
>  1-25: 13:40:50:64 Me
>  
> 1-25: 13:40:50:64 IKE failed to find valid machine certificate
>  
> 1-25: 13:40:50:64 ProcessFailure: sa:0023ACD8 centry:00000000
> status:cbad0326
>  1-25: 13:40:50:64 constructing ISAKMP Header
>  1-25: 13:40:50:64 constructing HASH (null)
>  1-25: 13:40:50:64 constructing NOTIFY 28
>  1-25: 13:40:50:64 constructing HASH (ND)
>  1-25: 13:40:50:64 Construct ND hash message len = 28 pcklen=80
> hashlen=20
>  1-25: 13:40:50:64 Construct ND Hash mess ID 94a03f7d
>  1-25: 13:40:50:64 ND Hash skeyid_a eafdd6ce817e022acb54b22258ffd02c
>  1-25: 13:40:50:64 a4f3549e
>  1-25: 13:40:50:64 ND Hash message 0000001c000000010110001cb7400532
>  1-25: 13:40:50:64 692d82577fcf52b9e913796a
>  1-25: 13:40:50:64 Throw: State mask=200110f
>  1-25: 13:40:50:64 Doing tripleDES
>  1-25: 13:40:50:64 
>  1-25: 13:40:50:64 Sending: SA = 0x0023ACD8 to 192.168.1.101.500
>  1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 84 
>  1-25: 13:40:50:64   I-COOKIE b7400532692d8257
>  1-25: 13:40:50:64   R-COOKIE 7fcf52b9e913796a
>  1-25: 13:40:50:64   exchange: ISAKMP Informational Exchange
>  1-25: 13:40:50:64   flags: 1 ( encrypted )
>  1-25: 13:40:50:64   next payload: HASH
>  1-25: 13:40:50:64   message ID: 94a03f7d
>  1-25: 13:40:50:64 
>  1-25: 13:40:50:64 Receive: (get) SA = 0x0023acd8 from 192.168.1.101.500
>  1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 40 
>  1-25: 13:40:50:64   I-COOKIE b7400532692d8257
>  1-25: 13:40:50:64   R-COOKIE 7fcf52b9e913796a
>  1-25: 13:40:50:64   exchange: ISAKMP Informational Exchange
>  1-25: 13:40:50:64   flags: 0 
>  1-25: 13:40:50:64   next payload: NOTIFY
>  1-25: 13:40:50:64   message ID: aed8df27
>  1-25: 13:40:50:64 received an unencrypted packet when crypto active
>  1-25: 13:40:50:64 GetPacket failed cbad0324
>  1-25: 13:41:00:64 
>  1-25: 13:41:00:64 Receive: (get) SA = 0x0023acd8 from 192.168.1.101.500
>  1-25: 13:41:00:64 ISAKMP Header: (V1.0), len = 180 
>  1-25: 13:41:00:64   I-COOKIE b7400532692d8257
>  1-25: 13:41:00:64   R-COOKIE 7fcf52b9e913796a
>  1-25: 13:41:00:64   exchange: Oakley Main Mode
>  1-25: 13:41:00:64   flags: 0 
>  1-25: 13:41:00:64   next payload: KE
>  1-25: 13:41:00:64   message ID: 00000000
>  1-25: 13:41:00:64 received an unencrypted packet when crypto active
>  1-25: 13:41:00:64 GetPacket failed cbad0324
>  1-25: 13:41:05:5a0 flush guid(ipsec):
> d4217a97-751a-4eac-b18d687426869ac1
>  1-25: 13:41:05:5a0 Actually flushing guid(ipsec):
> d4217a97-751a-4eac-b18d687426869ac1
>  1-25: 13:41:05:5a0 isadb_schedule_kill_oldPolicy_sas:
> d4217a97-751a-4eac-b18d687426869ac1 0
>  1-25: 13:41:05:5a0 Added Timeout 151f88
>  1-25: 13:41:05:5a0 flush guid(ipsec):
> c664c762-275b-474e-a13dffee90c54cb6
>  1-25: 13:41:05:5a0 Actually flushing guid(ipsec):
> c664c762-275b-474e-a13dffee90c54cb6
>  1-25: 13:41:05:5a0 isadb_schedule_kill_oldPolicy_sas:
> c664c762-275b-474e-a13dffee90c54cb6 0
>  1-25: 13:41:05:5a0 Added Timeout 127fe0
>  1-25: 13:41:05:5a0 flush guid(ipsec):
> c6d9f26c-5bc5-4c8c-b20bea15bae45204
>  1-25: 13:41:05:5a0 Actually flushing guid(ipsec):
> c6d9f26c-5bc5-4c8c-b20bea15bae45204
>  1-25: 13:41:05:5a0 isadb_schedule_kill_oldPolicy_sas:
> c6d9f26c-5bc5-4c8c-b20bea15bae45204 0
>  1-25: 13:41:05:5a0 Added Timeout 158330
>  1-25: 13:41:05:64 entered kill_old_policy_sas
>  1-25: 13:41:05:658 entered kill_old_policy_sas
>  1-25: 13:41:05:658 SA Dead. sa:0023ACD8 status:cbad0351
>  1-25: 13:41:05:658 constructing ISAKMP Header
>  1-25: 13:41:05:658 constructing HASH (null)
>  1-25: 13:41:05:658 constructing DELETE
>  1-25: 13:41:05:658 constructing HASH (ND)
>  1-25: 13:41:05:658 Construct ND hash message len = 28 pcklen=80
> hashlen=20
>  1-25: 13:41:05:658 Construct ND Hash mess ID 0b941af3
>  1-25: 13:41:05:658 ND Hash skeyid_a eafdd6ce817e022acb54b22258ffd02c
>  1-25: 13:41:05:658 a4f3549e
>  1-25: 13:41:05:658 ND Hash message 0000001c0000000101100001b7400532
>  1-25: 13:41:05:658 692d82577fcf52b9e913796a
>  1-25: 13:41:05:658 Throw: State mask=110f
>  1-25: 13:41:05:658 Doing tripleDES
>  1-25: 13:41:05:658 
>  1-25: 13:41:05:658 Sending: SA = 0x0023ACD8 to 192.168.1.101.500
>  1-25: 13:41:05:658 ISAKMP Header: (V1.0), len = 84 
>  1-25: 13:41:05:658   I-COOKIE b7400532692d8257
>  1-25: 13:41:05:658   R-COOKIE 7fcf52b9e913796a
>  1-25: 13:41:05:658   exchange: ISAKMP Informational Exchange
>  1-25: 13:41:05:658   flags: 1 ( encrypted )
>  1-25: 13:41:05:658   next payload: HASH
>  1-25: 13:41:05:658   message ID: 0b941af3
>  1-25: 13:41:05:658 entered kill_old_policy_sas
>  1-25: 13:41:05:658 
>  1-25: 13:41:05:658 Receive: (get) SA = 0x00000000 from
> 192.168.1.101.500
>  1-25: 13:41:05:658 ISAKMP Header: (V1.0), len = 40 
>  1-25: 13:41:05:658   I-COOKIE b7400532692d8257
>  1-25: 13:41:05:658   R-COOKIE 7fcf52b9e913796a
>  1-25: 13:41:05:658   exchange: ISAKMP Informational Exchange
>  1-25: 13:41:05:658   flags: 0 
>  1-25: 13:41:05:658   next payload: NOTIFY
>  1-25: 13:41:05:658   message ID: c16f5b76
>  1-25: 13:41:05:658 received an unencrypted packet when crypto active
>  1-25: 13:41:05:658 GetPacket failed cbad0324
> *********************END OAKLEY LOG***********************************
> 
> Here is EXACTLY what I did to get the cert on the Win2k box:
> 
> # CA -newreq (DN as above in logs, etc.)
> # CA -sign
> # cp newreq.pem /etc/ipsec.d/private/downstairs.key
> # cp newcert.pem /etc/ipsec.d/certs
> # openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -certfile
> demoCA/cacert.pem -out downstairs.p12
> 
> I then moved downstairs.p12 onto the Win2K machine and used MMC to
> import, entered password, got "Import Successful" message.  There is a
> cert (Subject=downstairs, issuer=explorer) in Personal Certs folder and
> a cert (subject=explorer=issuer) in the Trusted Root CA Cert folder.  I
> am guessing that the "IKE failed to find valid machine certificate"
> means that no x509 authentication will go on and that ipsec is moving to
> step 2, perhaps a shared secret approach?  I had not seen this message
> previously.
> 
> > 
> > > 	network=auto
> > > 	auto=start
> > > 	pfs=yes
> > >
> > > conn roadwarrior-net
> > > 	left=%any
> > >        right=192.168.1.101
> > > 	rightsubnet=192.168.1.0/24
> > 
> > This cannot work. You cannot have one ipsec endpoint in the same range as
> > the subnet behind it. How can you reach 192.168.1.101 if that is part of
> > 192.168.1.0/24 that you can reach through 192.168.1.101 ?
> > 
> > 
> > > 	rightca="C=CA, S=BC, L=Penticton, O=HMEXC, CN=remote"
> > 
> See above, I turfed all the connections but roadwarrior.  The way I
> assumed (bad bad bad) is that all local subnet traffic would be routed
> through the ipsec tunnel once it is established with the destination
> host... anyway, the "roadwarrior-net" and "roadwarrior-all" are gone.
> 
> 
> > Same here.
> > 
> > > 	network=auto
> > > 	auto=start
> > > 	pfs=yes
> > > ****************end win2k ipsec.conf*******************
> > >
> > > As you can see, I am using a new cert, started from the ground up: new
> > > CA, new cert, everything is new with no "&" or other funky characters.
> > >
> > > However, things seem to have gotten worse, not better.  Here's my
> > > openswan ipsec.conf, revised:
> > >
> > > **************begin openswan ipsec.conf**********************
> > > version 2.0     # conforms to second version of ipsec.conf specification
> > >
> > > # basic configuration
> > > config setup
> > >        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
> > >        # klipsdebug=all
> > >         plutodebug=all
> > 
> > this is not needed. It's better to show output from plutodebug=none, since
> > it is very unlikely at this point that we have a code error. And
> > configuration errors do not need this setting (It only makes it MUCH
> > harder to read the logs)
> 
> Done and agreed, didn't know how much or which info you needed so I
> figured "more is better".
> 
> > 
> > >        # crlcheckinterval=600
> > >        # strictcrlpolicy=yes
> > >        myid=@explorer.fdns.net
> > 
> > Remove the myid= lines. It is for OE which you are not using. It might
> > cause confusion.
> > 
> 
> Done.
> 
> > > conn %default
> > >        rightrsasigkey=%cert
> > >        leftrsasigkey=%cert
> > >        authby=rsasig
> > >        disablearrivalcheck=no
> > >        compress=yes
> > >        keyingtries=1
> > >
> > > conn roadwarrior-net
> > >        leftsubnet=192.168.1.0/24
> > >        also=roadwarrior
> > >
> > > conn roadwarrior-all
> > >        leftsubnet=0.0.0.0/0
> > >        also=roadwarrior
> > >
> > > conn roadwarrior
> > >        left=192.168.1.101
> > 
> > So in fact, left right and rightsubnet are all the same subnet. That
> > cannot work.
> > 
> > >        leftcert=remote.pem
> > >        right=%any
> > >        auto=add
> > >        pfs=yes
> > > ******************end openswan ipsec.conf*******************
> > 
> > Looks fine.
> > 
> > > Now here's the bad part, my Pluto log.  It does not appear that I am
> > > getting nearly as far as I was before.  I completely removed all certs
> > > and policies from my win2k box, imported new certs, changed ipsec.conf
> > > to reflect new info.
> > 
> > did all new certs load properly on linux and windows? What is the output
> > of ipsec auto --listall ?
> > Does the MMC on windows say good things about the certificate and the
> > root CA?
> > 
> > > Jan 24 15:04:56 explorer pluto[756]: | instantiated "roadwarrior" for 192.168.1.102
> > > Jan 24 15:04:56 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: responding to Main Mode from unknown peer 192.168.1.102
> > > Jan 24 15:04:58 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > > Jan 24 15:05:00 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #2: responding to Main Mode from unknown peer 192.168.1.102
> > > Jan 24 15:05:02 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > > Jan 24 15:05:03 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #3: responding to Main Mode from unknown peer 192.168.1.102
> > > Jan 24 15:05:05 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > > Jan 24 15:05:08 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: discarding packet received during DNS lookup in STATE_MAIN_R1
> > > Jan 24 15:05:09 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: discarding packet received during DNS lookup in STATE_MAIN_R1
> > > Jan 24 15:05:10 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> > > Jan 24 15:05:12 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: ignoring Delete SA payload: not encrypted
> > 
> > Here it seems there is confusion about the state of the ISAKMP. Check out
> > what Window's oakley.log says. I think it's giving some error about the
> > local certificate.
> > 
> > > % openssl x509 -in remote.pem -noout -subject
> > > subject= /C=CA/ST=BC/L=Penticton/O=HMEXC/CN=remote
> > 
> > I am still a bit confused you have no email attribute. I never tested
> > that.
> > 
> > > I think I've spent about 3 days now with no end in sight...
> > 
> > I am sorry :( X.509 is very frustrating, I know :(
> > 
> > Please, try a host-host connection with the roadwarrior first. If that
> > works, the certificates are OK, and you can try your subnet encryption. I
> > think you want to encrypt the wireless on 192.168.1.0/24. See our "wavesec"
> > examples for that. (either from wavesec.org or grab the wavesec EXE files
> > from the ftp server, they contain an example ipsec.conf for doing this)
> > 
> > Paul
> > --
> > 
> > "At best it is a theory, at worst a fantasy" -- Michael Crichton
> 