[Openswan Users] OpenS/WAN and Win2K/XP
Jaroslaw Zdrzalek
jz at silpion.de
Wed Jan 26 00:13:29 CET 2005
hi users,
recently I reviewed the x509-patch-docs and so I know where to look for
the clarification:
from
http://www.strongsec.com/freeswan/install.txt
ST State or province
S Surname
You have a typo in the windows.conf in the DN/subject line of the cert.
Hopefully it was the whole thing...
regards
jz
On Tue, 25.01.2005 at 22:18, David Spear wrote:
> Paul:
>
> The fact that you reply to these mundane problems greatly impresses me
> and, in fact, motivates me to be more active in the newsgroups in which
> I am expert (NOT ipsec, that's for sure although I may be before I'm
> done). If I lived close enough I would definitely drop off some beer
> for you. I am, as you may have guessed, still having trouble.
>
>
> > -----Original Message-----
> > From: Paul Wouters [mailto:paul at xelerance.com]
> > Sent: January 24, 2005 4:46 PM
> > To: David Spear
> > Cc: users at openswan.org
> > Subject: RE: [Openswan Users] OpenS/WAN and Win2K/XP
> >
> > On Mon, 24 Jan 2005, David Spear wrote:
> >
> > > Okay, here's my new win2k ipsec.conf:
> > >
> > > **************begin win2k ipsec.conf****************
> > > conn roadwarrior
> > > left=%any
> > > right=192.168.1.101
> > > rightca="C=CA, S=BC, L=Penticton, O=HMEXC, CN=remote"
> >
> > Don't you have an emailAdress attribute? Add it after CN using
> > "E=user at address"
> > (don't use emailAddress=)
> > From later on in the email, it seems you do not. I am not sure if that
> > works as
> > expected.
>
> Okay, here is my new cert:
>
> %openssl x509 -in downstairs.pem -noout -subject
> subject=/C=CA/ST=BC/L=Penticton/O=HMEXC/CN=downstairs/emailAddress=dspear at telus.net
>
> This cert is located in /etc/ipsec.d/certs. In my "conn roadwarrior"
> section of /etc/ipsec.conf I have
>
> Leftcert=downstairs.pem
>
> And I see a "loaded host cert downstairs.pem" in my log on startup.
>
> I am definitely having problems on the Windows side. My import of certs
> on the win and linux box went flawlessly.
>
> %ipsec auto --listall
>
> shows both my end user cert and CA cert.
>
> MMC on the Win2K box shows both certs in the right place.
>
> Here is my win2k ipsec.conf:
>
> *******************BEGIN WIN2K IPSEC.CONF******************
> conn roadwarrior
> left=%any
> right=192.168.1.101
>
> rightca="C=CA,S=BC,L=Penticton,O=HMEXC,CN=downstairs,E=dspear at telus.net"
> network=auto
> auto=start
> pfs=yes
> *******************END WIN2K IPSEC.CONF******************
> I got rid of all the connection defs except "roadwarrior" in both
> ipsec.conf files (win2k and openswan).
>
>
> Here's the Oakley log:
>
> ****************begin Oakley********************************
> 1-25: 13:40:30:64 Receive: (get) SA = 0x00000000 from 192.168.1.101.500
> 1-25: 13:40:31:5a0 flush(isakmp): f155c55c-73f9-4e5c-86aa447bf544d071
> 1-25: 13:40:31:5a0 Oakley group 2 from UI
> 1-25: 13:40:31:5a0 Isakmp policy (4 total):
> 47014f64-96c9-444a-834fd57648dc6e33 PFS=1
> 1-25: 13:40:31:5a0 #0: C.Id = 3, H.ID= 2, A.ID = 0, Group = 2 LT=28800
> QMs=0
> 1-25: 13:40:31:5a0 #1: C.Id = 3, H.ID= 1, A.ID = 0, Group = 2 LT=28800
> QMs=0
> 1-25: 13:40:31:5a0 #2: C.Id = 1, H.ID= 2, A.ID = 0, Group = 1 LT=28800
> QMs=0
> 1-25: 13:40:31:5a0 #3: C.Id = 1, H.ID= 1, A.ID = 0, Group = 1 LT=28800
> QMs=0
> 1-25: 13:40:31:5a0 flush guid(isakmp):
> 47014f64-96c9-444a-834fd57648dc6e33
> 1-25: 13:40:31:5a0 isadb_schedule_kill_oldPolicy_sas:
> 47014f64-96c9-444a-834fd57648dc6e33 1
> 1-25: 13:40:31:5a0 Added Timeout 13e3c8
> 1-25: 13:40:31:5a0 Adding policy guid(ipsec):
> d4217a97-751a-4eac-b18d687426869ac1
> 1-25: 13:40:31:5a0 Authentication Method[0] from UI 5
> 1-25: 13:40:31:5a0 Auth[0]: 5 Authinfosize: 0
> 1-25: 13:40:31:5a0 Flags from UI 0
> 1-25: 13:40:31:5a0 Ipsec policy (6 total):
> d4217a97-751a-4eac-b18d687426869ac1 PFS=2331024
> 1-25: 13:40:31:5a0 #0: Encrypt C.Id = 3, C.KeyLen = 64, I.ID = 2,
> 1-25: 13:40:31:5a0 #1: Encrypt C.Id = 3, C.KeyLen = 64, I.ID = 1,
> 1-25: 13:40:31:5a0 #2: Encrypt C.Id = 1, C.KeyLen = 64, I.ID = 2,
> 1-25: 13:40:31:5a0 #3: Encrypt C.Id = 1, C.KeyLen = 64, I.ID = 1,
> 1-25: 13:40:31:5a0 #4: Auth C.Id = 2, C.KeyLen = 64, I.ID = 0,
> 1-25: 13:40:31:5a0 #5: Auth C.Id = 1, C.KeyLen = 64, I.ID = 0,
> 1-25: 13:40:31:5a0 flush guid(ipsec):
> d4217a97-751a-4eac-b18d687426869ac1
> 1-25: 13:40:31:5a0 Adding policy guid(ipsec):
> c664c762-275b-474e-a13dffee90c54cb6
> 1-25: 13:40:31:5a0 Authentication Method[0] from UI 3
>
> 1-25: 13:40:31:5a0 Using enumeration could not match the CA name
> "C=CA,S=BC,L=Penticton,O=HMEXC,CN=downstairs,E=dspear at telus.net".
>
> 1-25: 13:40:31:5a0 So using CertStrToName instead
> 1-25: 13:40:31:5a0 Auth[0]: 3 Authinfosize: 118
> 1-25: 13:40:31:5a0 Flags from UI 2
> 1-25: 13:40:31:5a0 Ipsec policy (1 total):
> c664c762-275b-474e-a13dffee90c54cb6 PFS=2337224
> 1-25: 13:40:31:5a0 #0: Encrypt C.Id = 3, C.KeyLen = 0, I.ID = 1,
> 1-25: 13:40:31:5a0 flush guid(ipsec):
> c664c762-275b-474e-a13dffee90c54cb6
> 1-25: 13:40:31:5a0 Adding policy guid(ipsec):
> c6d9f26c-5bc5-4c8c-b20bea15bae45204
> 1-25: 13:40:31:5a0 Authentication Method[0] from UI 3
>
>
> 1-25: 13:40:31:5a0 Using enumeration could not match the CA name
> "C=CA,S=BC,L=Penticton,O=HMEXC,CN=downstairs,E=dspear at telus.net".
>
>
> 1-25: 13:40:31:5a0 So using CertStrToName instead
> 1-25: 13:40:31:5a0 Auth[0]: 3 Authinfosize: 118
> 1-25: 13:40:31:5a0 Flags from UI 2
> 1-25: 13:40:31:5a0 Ipsec policy (1 total):
> c6d9f26c-5bc5-4c8c-b20bea15bae45204 PFS=2326624
> 1-25: 13:40:31:5a0 #0: Encrypt C.Id = 3, C.KeyLen = 0, I.ID = 1,
> 1-25: 13:40:31:5a0 flush guid(ipsec):
> c6d9f26c-5bc5-4c8c-b20bea15bae45204
> 1-25: 13:40:31:64 entered kill_old_policy_sas
> 1-25: 13:40:44:64 Reaper deleting SA 23acd8
> 1-25: 13:40:44:64 Deleting SA 0023ACD8
> 1-25: 13:40:44:64 Cancelling Timeout 13e300
> 1-25: 13:40:44:64 ClearFragList
> 1-25: 13:40:50:558 Posting acquire: op=812D84C8 src=192.168.1.102.0
> dst=192.168.1.101.0 proto = 0, SrcMask=255.255.255.255,
> DstMask=255.255.255.255, Tunnel 1, TunnelEndpt=192.168.1.101 Inbound
> TunnelEndpt=192.168.1.102
> 1-25: 13:40:50:558 Acquire thread waiting
> 1-25: 13:40:50:64 find(ipsec): c664c762-275b-474e-a13dffee90c54cb6
> 1-25: 13:40:50:64 outstanding_kernel_req returned 0
> 1-25: 13:40:50:64 Created new SA 23acd8
> 1-25: 13:40:50:64 Acquire: src = 192.168.1.102.62465, dst =
> 192.168.1.101.62465, proto = 00, context = 812D84C8, ProxySrc =
> 192.168.1.102.0000, ProxyDst = 192.168.1.101.0000 SrcMask = 0.0.0.0
> DstMask = 0.0.0.0
> 1-25: 13:40:50:64 constructing ISAKMP Header
> 1-25: 13:40:50:64 constructing SA (ISAKMP)
> 1-25: 13:40:50:64 find(isakmp): c664c762-275b-474e-a13dffee90c54cb6
> 1-25: 13:40:50:64 Setting group desc
> 1-25: 13:40:50:64 Setting group desc
> 1-25: 13:40:50:64 Setting group desc
> 1-25: 13:40:50:64 Setting group desc
> 1-25: 13:40:50:64 Constructing Vendor MS NT5 ISAKMPOAKLEY
> 1-25: 13:40:50:64 Constructing Vendor FRAGMENTATION
> 1-25: 13:40:50:64 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
>
> 1-25: 13:40:50:64 Throw: State mask=1
> 1-25: 13:40:50:64 Added Timeout 14c2b0
> 1-25: 13:40:50:64 Setting Retransmit: sa 23acd8 handle 14c2b0 context
> 234268
> 1-25: 13:40:50:64
> 1-25: 13:40:50:64 Sending: SA = 0x0023ACD8 to 192.168.1.101.500
> 1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 256
> 1-25: 13:40:50:64 I-COOKIE b7400532692d8257
> 1-25: 13:40:50:64 R-COOKIE 0000000000000000
> 1-25: 13:40:50:64 exchange: Oakley Main Mode
> 1-25: 13:40:50:64 flags: 0
> 1-25: 13:40:50:64 next payload: SA
> 1-25: 13:40:50:64 message ID: 00000000
> 1-25: 13:40:50:64
> 1-25: 13:40:50:64 Receive: (get) SA = 0x0023acd8 from 192.168.1.101.500
> 1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 104
> 1-25: 13:40:50:64 I-COOKIE b7400532692d8257
> 1-25: 13:40:50:64 R-COOKIE 7fcf52b9e913796a
> 1-25: 13:40:50:64 exchange: Oakley Main Mode
> 1-25: 13:40:50:64 flags: 0
> 1-25: 13:40:50:64 next payload: SA
> 1-25: 13:40:50:64 message ID: 00000000
> 1-25: 13:40:50:64 Stopping RetransTimer sa:0023ACD8 centry:00000000
> handle:0014C2B0
> 1-25: 13:40:50:64 processing payload SA
> 1-25: 13:40:50:64 Received Phase 1 Transform 1
> 1-25: 13:40:50:64 Encryption Alg Triple DES CBC(5)
> 1-25: 13:40:50:64 Hash Alg SHA(2)
> 1-25: 13:40:50:64 Oakley Group 2
> 1-25: 13:40:50:64 Auth Method RSA Signature with Certificates(3)
> 1-25: 13:40:50:64 Life type in Seconds
> 1-25: 13:40:50:64 Life duration of 28800
> 1-25: 13:40:50:64 Phase 1 SA accepted: transform=1
> 1-25: 13:40:50:64 SA - Oakley proposal accepted
> 1-25: 13:40:50:64 processing payload VENDOR ID
> 1-25: 13:40:50:64 Processing Vendor
> 1-25: 13:40:50:64 Vendor ID afcad71368a1f1c96b8696fc77570100
> 1-25: 13:40:50:64
> 1-25: 13:40:50:64 ClearFragList
> 1-25: 13:40:50:64 In state OAK_MM_SA_SETUP
> 1-25: 13:40:50:64 constructing ISAKMP Header
> 1-25: 13:40:50:64 constructing KE
> 1-25: 13:40:50:64 constructing NONCE (ISAKMP)
> 1-25: 13:40:50:64 Throw: State mask=7
> 1-25: 13:40:50:64
> 1-25: 13:40:50:64 Sending: SA = 0x0023ACD8 to 192.168.1.101.500
> 1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 184
> 1-25: 13:40:50:64 I-COOKIE b7400532692d8257
> 1-25: 13:40:50:64 R-COOKIE 7fcf52b9e913796a
> 1-25: 13:40:50:64 exchange: Oakley Main Mode
> 1-25: 13:40:50:64 flags: 0
> 1-25: 13:40:50:64 next payload: KE
> 1-25: 13:40:50:64 message ID: 00000000
> 1-25: 13:40:50:64
> 1-25: 13:40:50:64 Receive: (get) SA = 0x0023acd8 from 192.168.1.101.500
> 1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 180
> 1-25: 13:40:50:64 I-COOKIE b7400532692d8257
> 1-25: 13:40:50:64 R-COOKIE 7fcf52b9e913796a
> 1-25: 13:40:50:64 exchange: Oakley Main Mode
> 1-25: 13:40:50:64 flags: 0
> 1-25: 13:40:50:64 next payload: KE
> 1-25: 13:40:50:64 message ID: 00000000
> 1-25: 13:40:50:64 Stopping RetransTimer sa:0023ACD8 centry:00000000
> handle:0014C2B0
> 1-25: 13:40:50:64 processing payload KE
> 1-25: 13:40:50:64 Generated 128 byte Shared Secret
> 1-25: 13:40:50:64 KE processed; DH shared secret computed
> 1-25: 13:40:50:64 processing payload NONCE
> 1-25: 13:40:50:64 ClearFragList
> 1-25: 13:40:50:64 In state OAK_MM_Key_EXCH
> 1-25: 13:40:50:64 skeyid generated; crypto enabled (initiator)
> 1-25: 13:40:50:64 constructing ISAKMP Header
> 1-25: 13:40:50:64 constructing ID
>
> 1-25: 13:40:50:64 Received no valid CRPs. Using all configured
> 1-25: 13:40:50:64 Looking for IPSec only cert
> 1-25: 13:40:50:64 failed to get chain -2146885628
> 1-25: 13:40:50:64 Looking for any cert
> 1-25: 13:40:50:64 failed to get chain -2146885628
> 1-25: 13:40:50:64 ProcessFailure: sa:0023ACD8 centry:00000000
> status:cbad0326
>
> 1-25: 13:40:50:64 isadb_set_status sa:0023ACD8 centry:00000000 status
> cbad0326
> 1-25: 13:40:50:64 Key Exchange Mode (Main Mode)
> 1-25: 13:40:50:64 Source IP Address 192.168.1.102Source IP Address Mask
> 255.255.255.255Destination IP Address 192.168.1.101Destination IP
> Address Mask 255.255.255.255Protocol 0Source Port 0Destination Port 0
> 1-25: 13:40:50:64 Me
>
> 1-25: 13:40:50:64 IKE failed to find valid machine certificate
>
> 1-25: 13:40:50:64 ProcessFailure: sa:0023ACD8 centry:00000000
> status:cbad0326
> 1-25: 13:40:50:64 constructing ISAKMP Header
> 1-25: 13:40:50:64 constructing HASH (null)
> 1-25: 13:40:50:64 constructing NOTIFY 28
> 1-25: 13:40:50:64 constructing HASH (ND)
> 1-25: 13:40:50:64 Construct ND hash message len = 28 pcklen=80
> hashlen=20
> 1-25: 13:40:50:64 Construct ND Hash mess ID 94a03f7d
> 1-25: 13:40:50:64 ND Hash skeyid_a eafdd6ce817e022acb54b22258ffd02c
> 1-25: 13:40:50:64 a4f3549e
> 1-25: 13:40:50:64 ND Hash message 0000001c000000010110001cb7400532
> 1-25: 13:40:50:64 692d82577fcf52b9e913796a
> 1-25: 13:40:50:64 Throw: State mask=200110f
> 1-25: 13:40:50:64 Doing tripleDES
> 1-25: 13:40:50:64
> 1-25: 13:40:50:64 Sending: SA = 0x0023ACD8 to 192.168.1.101.500
> 1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 84
> 1-25: 13:40:50:64 I-COOKIE b7400532692d8257
> 1-25: 13:40:50:64 R-COOKIE 7fcf52b9e913796a
> 1-25: 13:40:50:64 exchange: ISAKMP Informational Exchange
> 1-25: 13:40:50:64 flags: 1 ( encrypted )
> 1-25: 13:40:50:64 next payload: HASH
> 1-25: 13:40:50:64 message ID: 94a03f7d
> 1-25: 13:40:50:64
> 1-25: 13:40:50:64 Receive: (get) SA = 0x0023acd8 from 192.168.1.101.500
> 1-25: 13:40:50:64 ISAKMP Header: (V1.0), len = 40
> 1-25: 13:40:50:64 I-COOKIE b7400532692d8257
> 1-25: 13:40:50:64 R-COOKIE 7fcf52b9e913796a
> 1-25: 13:40:50:64 exchange: ISAKMP Informational Exchange
> 1-25: 13:40:50:64 flags: 0
> 1-25: 13:40:50:64 next payload: NOTIFY
> 1-25: 13:40:50:64 message ID: aed8df27
> 1-25: 13:40:50:64 received an unencrypted packet when crypto active
> 1-25: 13:40:50:64 GetPacket failed cbad0324
> 1-25: 13:41:00:64
> 1-25: 13:41:00:64 Receive: (get) SA = 0x0023acd8 from 192.168.1.101.500
> 1-25: 13:41:00:64 ISAKMP Header: (V1.0), len = 180
> 1-25: 13:41:00:64 I-COOKIE b7400532692d8257
> 1-25: 13:41:00:64 R-COOKIE 7fcf52b9e913796a
> 1-25: 13:41:00:64 exchange: Oakley Main Mode
> 1-25: 13:41:00:64 flags: 0
> 1-25: 13:41:00:64 next payload: KE
> 1-25: 13:41:00:64 message ID: 00000000
> 1-25: 13:41:00:64 received an unencrypted packet when crypto active
> 1-25: 13:41:00:64 GetPacket failed cbad0324
> 1-25: 13:41:05:5a0 flush guid(ipsec):
> d4217a97-751a-4eac-b18d687426869ac1
> 1-25: 13:41:05:5a0 Actually flushing guid(ipsec):
> d4217a97-751a-4eac-b18d687426869ac1
> 1-25: 13:41:05:5a0 isadb_schedule_kill_oldPolicy_sas:
> d4217a97-751a-4eac-b18d687426869ac1 0
> 1-25: 13:41:05:5a0 Added Timeout 151f88
> 1-25: 13:41:05:5a0 flush guid(ipsec):
> c664c762-275b-474e-a13dffee90c54cb6
> 1-25: 13:41:05:5a0 Actually flushing guid(ipsec):
> c664c762-275b-474e-a13dffee90c54cb6
> 1-25: 13:41:05:5a0 isadb_schedule_kill_oldPolicy_sas:
> c664c762-275b-474e-a13dffee90c54cb6 0
> 1-25: 13:41:05:5a0 Added Timeout 127fe0
> 1-25: 13:41:05:5a0 flush guid(ipsec):
> c6d9f26c-5bc5-4c8c-b20bea15bae45204
> 1-25: 13:41:05:5a0 Actually flushing guid(ipsec):
> c6d9f26c-5bc5-4c8c-b20bea15bae45204
> 1-25: 13:41:05:5a0 isadb_schedule_kill_oldPolicy_sas:
> c6d9f26c-5bc5-4c8c-b20bea15bae45204 0
> 1-25: 13:41:05:5a0 Added Timeout 158330
> 1-25: 13:41:05:64 entered kill_old_policy_sas
> 1-25: 13:41:05:658 entered kill_old_policy_sas
> 1-25: 13:41:05:658 SA Dead. sa:0023ACD8 status:cbad0351
> 1-25: 13:41:05:658 constructing ISAKMP Header
> 1-25: 13:41:05:658 constructing HASH (null)
> 1-25: 13:41:05:658 constructing DELETE
> 1-25: 13:41:05:658 constructing HASH (ND)
> 1-25: 13:41:05:658 Construct ND hash message len = 28 pcklen=80
> hashlen=20
> 1-25: 13:41:05:658 Construct ND Hash mess ID 0b941af3
> 1-25: 13:41:05:658 ND Hash skeyid_a eafdd6ce817e022acb54b22258ffd02c
> 1-25: 13:41:05:658 a4f3549e
> 1-25: 13:41:05:658 ND Hash message 0000001c0000000101100001b7400532
> 1-25: 13:41:05:658 692d82577fcf52b9e913796a
> 1-25: 13:41:05:658 Throw: State mask=110f
> 1-25: 13:41:05:658 Doing tripleDES
> 1-25: 13:41:05:658
> 1-25: 13:41:05:658 Sending: SA = 0x0023ACD8 to 192.168.1.101.500
> 1-25: 13:41:05:658 ISAKMP Header: (V1.0), len = 84
> 1-25: 13:41:05:658 I-COOKIE b7400532692d8257
> 1-25: 13:41:05:658 R-COOKIE 7fcf52b9e913796a
> 1-25: 13:41:05:658 exchange: ISAKMP Informational Exchange
> 1-25: 13:41:05:658 flags: 1 ( encrypted )
> 1-25: 13:41:05:658 next payload: HASH
> 1-25: 13:41:05:658 message ID: 0b941af3
> 1-25: 13:41:05:658 entered kill_old_policy_sas
> 1-25: 13:41:05:658
> 1-25: 13:41:05:658 Receive: (get) SA = 0x00000000 from
> 192.168.1.101.500
> 1-25: 13:41:05:658 ISAKMP Header: (V1.0), len = 40
> 1-25: 13:41:05:658 I-COOKIE b7400532692d8257
> 1-25: 13:41:05:658 R-COOKIE 7fcf52b9e913796a
> 1-25: 13:41:05:658 exchange: ISAKMP Informational Exchange
> 1-25: 13:41:05:658 flags: 0
> 1-25: 13:41:05:658 next payload: NOTIFY
> 1-25: 13:41:05:658 message ID: c16f5b76
> 1-25: 13:41:05:658 received an unencrypted packet when crypto active
> 1-25: 13:41:05:658 GetPacket failed cbad0324
> *********************END OAKLEY LOG***********************************
>
> Here is EXACTLY what I did to get the cert on the Win2k box:
>
> # CA -newreq (DN as above in logs, etc.)
> # CA -sign
> # cp newreq.pem /etc/ipsec.d/private/downstairs.key
> # cp newcert.pem /etc/ipsec.d/certs
> # openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -certfile
> demoCA/cacert.pem -out downstairs.p12
>
> I then moved downstairs.p12 onto the Win2K machine and used MMC to
> import, entered password, got "Import Successful" message. There is a
> cert (Subject=downstairs, issuer=explorer) in Personal Certs folder and
> a cert (subject=explorer=issuer) in the Trusted Root CA Cert folder. I
> am guessing that the "IKE failed to find valid machine certificate"
> means that no x509 authentication will go on and that ipsec is moving to
> step 2, perhaps a shared secret approach? I had not seen this message
> previously.
>
> >
> > > network=auto
> > > auto=start
> > > pfs=yes
> > >
> > > conn roadwarrior-net
> > > left=%any
> > > right=192.168.1.101
> > > rightsubnet=192.168.1.0/24
> >
> > This cannot work. You cannot have one ipsec endpoint in the same range as
> > the subnet behind it. How can you reach 192.168.1.101 if that is part of
> > 192.168.1.0/24 that you can reach through 192.168.1.101 ?
> >
> >
> > > rightca="C=CA, S=BC, L=Penticton, O=HMEXC, CN=remote"
> >
> See above, I turfed all the connections but roadwarrior. The way I
> assumed (bad bad bad) is that all local subnet traffic would be routed
> through the ipsec tunnel once it is established with the destination
> host... anyway, the "roadwarrior-net" and "roadwarrior-all" are gone.
>
>
> > Same here.
> >
> > > network=auto
> > > auto=start
> > > pfs=yes
> > > ****************end win2k ipsec.conf*******************
> > >
> > > As you can see, I am using a new cert, started from the ground up: new
> > > CA, new cert, everything is new with no "&" or other funky characters.
> > >
> > > However, things seem to have gotten worse, not better. Here's my
> > > openswan ipsec.conf, revised:
> > >
> > > **************begin openswan ipsec.conf**********************
> > > version 2.0 # conforms to second version of ipsec.conf specification
> > >
> > > # basic configuration
> > > config setup
> > > # Debug-logging controls: "none" for (almost) none, "all" for lots.
> > > # klipsdebug=all
> > > plutodebug=all
> >
> > this is not needed. It's better to show output from plutodebug=none, since
> > it is very unlikely at this point that we have a code error. And configuration
> > errors do not need this setting (It only makes it MUCH harder to read the logs)
>
> Done and agreed, didn't know how much or which info you needed so I
> figured "more is better".
>
> >
> > > # crlcheckinterval=600
> > > # strictcrlpolicy=yes
> > > myid=@explorer.fdns.net
> >
> > Remove the myid= lines. It is for OE which you are not using. It might
> > cause confusion.
> >
>
> Done.
>
> > > conn %default
> > > rightrsasigkey=%cert
> > > leftrsasigkey=%cert
> > > authby=rsasig
> > > disablearrivalcheck=no
> > > compress=yes
> > > keyingtries=1
> > >
> > > conn roadwarrior-net
> > > leftsubnet=192.168.1.0/24
> > > also=roadwarrior
> > >
> > > conn roadwarrior-all
> > > leftsubnet=0.0.0.0/0
> > > also=roadwarrior
> > >
> > > conn roadwarrior
> > > left=192.168.1.101
> >
> > So in fact, left right and rightsubnet are all the same subnet. That
> > cannot work.
> >
> > > leftcert=remote.pem
> > > right=%any
> > > auto=add
> > > pfs=yes
> > > ******************end openswan ipsec.conf*******************
> >
> > Looks fine.
> >
> > > Now here's the bad part, my Pluto log. It does not appear that I am
> > > getting nearly as far as I was before. I completely removed all certs
> > > and policies from my win2k box, imported new certs, changed ipsec.conf
> > > to reflect new info.
> >
> > did all new certs load properly on linux and windows? What is the output
> > of ipsec auto --listall ?
> > Does the MMC on windows say good things about the certificate and the root
> > CA?
> >
> > > Jan 24 15:04:56 explorer pluto[756]: | instantiated "roadwarrior" for 192.168.1.102
> > > Jan 24 15:04:56 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: responding to Main Mode from unknown peer 192.168.1.102
> > > Jan 24 15:04:58 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > > Jan 24 15:05:00 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #2: responding to Main Mode from unknown peer 192.168.1.102
> > > Jan 24 15:05:02 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > > Jan 24 15:05:03 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #3: responding to Main Mode from unknown peer 192.168.1.102
> > > Jan 24 15:05:05 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > > Jan 24 15:05:08 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: discarding packet received during DNS lookup in STATE_MAIN_R1
> > > Jan 24 15:05:09 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: discarding packet received during DNS lookup in STATE_MAIN_R1
> > > Jan 24 15:05:10 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> > > Jan 24 15:05:12 explorer pluto[756]: "roadwarrior"[1] 192.168.1.102 #1: ignoring Delete SA payload: not encrypted
> >
> > Here it seems there is confusion about the state of the ISAKMP. Check out
> > what Windows' oakley.log says. I think it's giving some error about the
> > local certificate.
> >
> > > % openssl x509 -in remote.pem -noout -subject
> > > subject= /C=CA/ST=BC/L=Penticton/O=HMEXC/CN=remote
> >
> > I am still a bit confused you have no email attribute. I never tested
> > that.
> >
> > > I think I've spent about 3 days now with no end in sight...
> >
> > I am sorry :( X.509 is very frustrating, I know :(
> >
> > Please, try a host-host connection with the roadwarrior first. If that
> > works, the certificates are OK, and you can try your subnet encryption. I
> > think you want to encrypt the wireless on 192.168.1.0/24. See our "wavesec"
> > examples for that. (either from wavesec.org or grab the wavesec EXE files
> > from the ftp server, they contain an example ipsec.conf for doing this)
> >
> > Paul
> > --
> >
> > "At best it is a theory, at worst a fantasy" -- Michael Crichton
>
>
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
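The S versus ST mix-up pointed out at the top of this thread, as an added example that is not part of the original mail exchange: a small Python checker that parses an OpenSSL subject line and a Windows ipsec.conf rightca= string using the attribute abbreviations from the X.509 patch docs (ST = State or province, S = Surname, E = emailAddress) and reports where the two DNs differ. The e-mail address in the sample data is a constructed placeholder, not the one from the thread.

```python
import re

# Attribute abbreviations as listed in the X.509 patch docs cited in the thread:
# "ST" is State or province, "S" is Surname, so "S=BC" is not the same RDN as "ST=BC".
ALIASES = {
    "C": "countryName",
    "ST": "stateOrProvinceName",
    "S": "surname",
    "L": "localityName",
    "O": "organizationName",
    "OU": "organizationalUnitName",
    "CN": "commonName",
    "E": "emailAddress",
    "EMAIL": "emailAddress",
    "EMAILADDRESS": "emailAddress",
}


def parse_dn(dn):
    """Parse a DN written either as openssl prints it ('/C=CA/ST=BC/...')
    or as the Windows ipsec.conf expects it ('C=CA, S=BC, ...').
    Returns an ordered list of (canonical attribute name, value)."""
    text = dn.strip().strip('"')
    if text.startswith("subject="):  # tolerate the 'openssl x509 -subject' prefix
        text = text[len("subject="):].strip()
    rdns = []
    for part in re.split(r"[/,]", text.lstrip("/")):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split("=", 1)
        canon = ALIASES.get(key.strip().upper())
        if canon is None:
            raise ValueError(f"unknown attribute abbreviation: {key.strip()!r}")
        rdns.append((canon, value.strip()))
    return rdns


def compare_dns(cert_subject, rightca):
    """Return human-readable mismatches between the certificate subject and the
    rightca= string, compared RDN by RDN in order; an empty list means they match."""
    cert, conf = parse_dn(cert_subject), parse_dn(rightca)
    problems = []
    if len(cert) != len(conf):
        problems.append(f"RDN count differs: cert has {len(cert)}, rightca has {len(conf)}")
    for pos, ((name_a, val_a), (name_b, val_b)) in enumerate(zip(cert, conf)):
        if (name_a, val_a) != (name_b, val_b):
            problems.append(f"RDN {pos}: cert {name_a}={val_a!r} but rightca {name_b}={val_b!r}")
    return problems


# Constructed sample: the subject shape from the thread with a placeholder e-mail address.
CERT_SUBJECT = "subject=/C=CA/ST=BC/L=Penticton/O=HMEXC/CN=downstairs/emailAddress=user@example.invalid"
BAD_RIGHTCA = '"C=CA,S=BC,L=Penticton,O=HMEXC,CN=downstairs,E=user@example.invalid"'
GOOD_RIGHTCA = '"C=CA,ST=BC,L=Penticton,O=HMEXC,CN=downstairs,E=user@example.invalid"'

if __name__ == "__main__":
    for label, rightca in (("bad", BAD_RIGHTCA), ("good", GOOD_RIGHTCA)):
        print(label, compare_dns(CERT_SUBJECT, rightca) or "OK")
```

Running it reports the second RDN of the bad string as surname where the certificate carries stateOrProvinceName, and accepts the corrected string.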