[Openswan Users]
Another problem with openswan and xp, a helping hand needed
Thomas Rupp
trupp at bytebox.de
Mon Jul 18 09:14:57 CEST 2005
Hi,
After spending my second Sunday trying to get this thing working, I have no idea
what's wrong with my configuration; maybe somebody can give me some
advice.
The situation:

Lan --- VPN-Box1 --- Internet --- VPN-Box2 --- Lan
192.168.1.0/24                                 192.168.0.0/24
This part is named "da-po" in the ipsec.conf on VPN-Box1 and works fine.
Now there should be a roadwarrior part on VPN-Box1. So what I am
actually trying looks like this:

                                    --- VPN-Box2 --- Lan
                                                     192.168.0.0/24
Lan --- VPN-Box1 --- Internet ---
192.168.1.0/24
                                    --- Router1 --- Lan --- Roadwarrior
                                                    192.168.168.0/24   .215/32
I copied a working configuration (this part is named trupp/trupp-net)
from another server to VPN-Box1. The router is an old Linux machine
with masquerading enabled. The roadwarrior is a Windows XP box with SP2.
I also installed the Support Tools for SP2 from the Microsoft homepage.
The client part is the ipsec package from Markus Müller
(http://vpn.ebootis.de). All certificates are living in the right place.
I think the error is on the Windows side, but I can't figure it out.
Thanks for any help
Tom
--- VPN-Box1 ipsec.conf ---
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
    uniqueids=yes
    #crlcheckinterval=600
    #strictcrlpolicy=yes

conn %default
    keyingtries=1
    compress=no
    disablearrivalcheck=no
    authby=rsasig
    rightrsasigkey=%cert
    leftrsasigkey=%cert

conn trupp-net
    leftsubnet=192.168.1.0/255.255.255.0
    also=trupp

conn trupp
    leftcert=gwdaCert.pem
    left=%defaultroute
    right=%any
    rightid="/C=DE/ST=Hessen/O=Infrastruktur und Umwelt/OU=Netzwerksicherheit/CN=Thomas Rupp/emailAddress=trupp at bytebox.de"
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=yes
    leftupdown=/usr/lib/ipsec/_updown_x509

conn da-po
    leftcert=gwdaCert.pem
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    right=%any
    rightid="/C=DE/ST=Hessen/O=Infrastruktur und Umwelt/OU=Netzwerksicherheit/CN=infrapot.dyndns.org/emailAddress=gwpo at iu-info.de"
    rightsubnet=192.168.0.0/24
    auto=add
    pfs=yes
    leftupdown=/usr/lib/ipsec/_updown_x509

include /etc/ipsec.d/no_oe.conf
--- WindowsXP ipsec.conf ---
conn roadwarrior
    mac=12-39-62-78-f9-46
    left=%any
    right=213.188.106.75
    rightca="C=DE, S=Hessen, O=Infrastruktur und Umwelt, OU=Netzwerksicherheit, CN=Infrastruktur und Umwelt Root CA, E=ca at iu-info.de"
    network=lan
    auto=start
    pfs=yes

conn roadwarrior-net
    mac=12-39-62-78-f9-46
    left=%any
    right=213.188.106.75
    rightsubnet=192.168.1.0/24
    rightca="C=DE, S=Hessen, O=Infrastruktur und Umwelt, OU=Netzwerksicherheit, CN=Infrastruktur und Umwelt Root CA, E=ca at iu-info.de"
    network=lan
    auto=start
    pfs=yes
--- Windows ipsec.exe output ---
IPSec Version 2.2.0 (c) 2001-2003 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Setting up IPSec ...
Deactivating old policy...
Removing old policy...
Connection roadwarrior:
MyTunnel : 192.168.168.215
MyNet : 192.168.168.215/255.255.255.255
PartnerTunnel: 213.188.106.75
PartnerNet : 213.188.106.75/255.255.255.255
CA (ID) : C=DE, S=Hessen, O=Infrastruktur und Umwelt, OU=Net...
PFS : y
Auto : start
Auth.Mode : MD5
Rekeying : 3600S/50000K
Activating policy...
Connection roadwarrior-net:
MyTunnel : 192.168.168.215
MyNet : 192.168.168.215/255.255.255.255
PartnerTunnel: 213.188.106.75
PartnerNet : 192.168.1.0/255.255.255.0
CA (ID) : C=DE, S=Hessen, O=Infrastruktur und Umwelt, OU=Net...
PFS : y
Auto : start
Auth.Mode : MD5
Rekeying : 3600S/50000K
Activating policy...
--- VPN-Box1 log ---
Jul 18 08:08:08 infra pluto[23604]: packet from 84.177.96.33:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jul 18 08:08:08 infra pluto[23604]: packet from 84.177.96.33:500:
ignoring Vendor ID payload [FRAGMENTATION]
Jul 18 08:08:08 infra pluto[23604]: packet from 84.177.96.33:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Jul 18 08:08:08 infra pluto[23604]: packet from 84.177.96.33:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 18 08:08:08 infra pluto[23604]: "trupp"[6] 84.177.96.33 #30:
responding to Main Mode from unknown peer 84.177.96.33
Jul 18 08:08:08 infra pluto[23604]: "trupp"[6] 84.177.96.33 #30:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 18 08:08:08 infra pluto[23604]: "trupp"[6] 84.177.96.33 #30:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jul 18 08:08:08 infra pluto[23604]: "trupp"[6] 84.177.96.33 #30:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 18 08:08:08 infra pluto[23604]: "trupp"[6] 84.177.96.33 #30: Main
mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Hessen, O=Infrastruktur und
Umwelt, OU=Netzwerksicherheit, CN=Thomas Rupp, E=trupp at bytebox.de'
Jul 18 08:08:08 infra pluto[23604]: "trupp"[6] 84.177.96.33 #30: I am
sending my cert
Jul 18 08:08:08 infra pluto[23604]: "trupp"[6] 84.177.96.33 #30:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 18 08:08:08 infra pluto[23604]: | NAT-T: new mapping
84.177.96.33:500/4500)
Jul 18 08:08:08 infra pluto[23604]: "trupp"[6] 84.177.96.33:4500 #30:
sent MR3, ISAKMP SA established
--- WindowsXP oakley.log --- (This is in German; if you need any
translation, just ask)
7-18: 08:08:06:671:2f0 Acquire from driver: op=0000000D
src=192.168.168.215.0 dst=192.168.1.5.0 proto = 0,
SrcMask=255.255.255.255, DstMask=255.255.255.0, Tunnel 1,
TunnelEndpt=213.188.106.75 Inbound TunnelEndpt=192.168.168.215
7-18: 08:08:06:671:adc Filter to match: Src 213.188.106.75 Dst
192.168.168.215
7-18: 08:08:06:671:adc MM PolicyName: 8
7-18: 08:08:06:671:adc MMPolicy dwFlags 2 SoftSAExpireTime 28800
7-18: 08:08:06:671:adc MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
7-18: 08:08:06:671:adc MMOffer[0] Encrypt: Triple-DES CBC Hash: SHA
7-18: 08:08:06:671:adc MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
7-18: 08:08:06:671:adc MMOffer[1] Encrypt: Triple-DES CBC Hash: MD5
7-18: 08:08:06:671:adc MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
7-18: 08:08:06:671:adc MMOffer[2] Encrypt: DES CBC Hash: SHA
7-18: 08:08:06:671:adc MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
7-18: 08:08:06:671:adc MMOffer[3] Encrypt: DES CBC Hash: MD5
7-18: 08:08:06:671:adc Auth[0]:RSA Sig C=DE, S=Hessen, O=Infrastruktur
und Umwelt, OU=Netzwerksicherheit, CN=Infrastruktur und Umwelt Root CA,
E=ca at iu-info.de AuthFlags 0
7-18: 08:08:06:671:adc QM PolicyName: Host-roadwarrior-net filter
action dwFlags 1
7-18: 08:08:06:671:adc QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
7-18: 08:08:06:671:adc QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
7-18: 08:08:06:671:adc Algo[0] Operation: ESP Algo: Triple-DES CBC
HMAC: MD5
7-18: 08:08:06:671:adc Starting Negotiation: src =
192.168.168.215.0500, dst = 213.188.106.75.0500, proto = 00, context =
0000000D, ProxySrc = 192.168.168.215.0000, ProxyDst = 192.168.1.0.0000
SrcMask = 255.255.255.255 DstMask = 255.255.255.0
7-18: 08:08:06:671:adc constructing ISAKMP Header
7-18: 08:08:06:671:adc constructing SA (ISAKMP)
7-18: 08:08:06:671:adc Constructing Vendor MS NT5 ISAKMPOAKLEY
7-18: 08:08:06:671:adc Constructing Vendor FRAGMENTATION
7-18: 08:08:06:671:adc Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
7-18: 08:08:06:671:adc Constructing Vendor Vid-Initial-Contact
7-18: 08:08:06:671:adc
7-18: 08:08:06:671:adc Sending: SA = 0x0013ED68 to 213.188.106.75:Type
2.500
7-18: 08:08:06:671:adc ISAKMP Header: (V1.0), len = 276
7-18: 08:08:06:671:adc I-COOKIE 4cd83385f869735b
7-18: 08:08:06:671:adc R-COOKIE 0000000000000000
7-18: 08:08:06:671:adc exchange: Oakley Main Mode
7-18: 08:08:06:671:adc flags: 0
7-18: 08:08:06:671:adc next payload: SA
7-18: 08:08:06:671:adc message ID: 00000000
7-18: 08:08:06:671:adc Ports S:f401 D:f401
7-18: 08:08:06:750:adc
7-18: 08:08:06:750:adc Receive: (get) SA = 0x0013ed68 from
213.188.106.75.500
7-18: 08:08:06:750:adc ISAKMP Header: (V1.0), len = 124
7-18: 08:08:06:750:adc I-COOKIE 4cd83385f869735b
7-18: 08:08:06:750:adc R-COOKIE f2784b9811a6b301
7-18: 08:08:06:750:adc exchange: Oakley Main Mode
7-18: 08:08:06:750:adc flags: 0
7-18: 08:08:06:750:adc next payload: SA
7-18: 08:08:06:750:adc message ID: 00000000
7-18: 08:08:06:750:adc processing payload SA
7-18: 08:08:06:750:adc Received Phase 1 Transform 1
7-18: 08:08:06:750:adc Encryption Alg Triple-DES CBC(5)
7-18: 08:08:06:750:adc Hash Alg SHA(2)
7-18: 08:08:06:750:adc Oakley Group 2
7-18: 08:08:06:750:adc Auth Method RSA signature with certificates(3)
7-18: 08:08:06:750:adc Life type in Seconds
7-18: 08:08:06:750:adc Life duration of 28800
7-18: 08:08:06:750:adc Phase 1 SA accepted: transform=1
7-18: 08:08:06:750:adc SA - Oakley proposal accepted
7-18: 08:08:06:750:adc processing payload VENDOR ID
7-18: 08:08:06:750:adc processing payload VENDOR ID
7-18: 08:08:06:750:adc Received VendorId draft-ietf-ipsec-nat-t-ike-02
7-18: 08:08:06:750:adc ClearFragList
7-18: 08:08:06:750:adc constructing ISAKMP Header
7-18: 08:08:06:765:adc constructing KE
7-18: 08:08:06:765:adc constructing NONCE (ISAKMP)
7-18: 08:08:06:765:adc Constructing NatDisc
7-18: 08:08:06:765:adc
7-18: 08:08:06:765:adc Sending: SA = 0x0013ED68 to 213.188.106.75:Type
2.500
7-18: 08:08:06:765:adc ISAKMP Header: (V1.0), len = 232
7-18: 08:08:06:765:adc I-COOKIE 4cd83385f869735b
7-18: 08:08:06:765:adc R-COOKIE f2784b9811a6b301
7-18: 08:08:06:765:adc exchange: Oakley Main Mode
7-18: 08:08:06:765:adc flags: 0
7-18: 08:08:06:765:adc next payload: KE
7-18: 08:08:06:765:adc message ID: 00000000
7-18: 08:08:06:765:adc Ports S:f401 D:f401
7-18: 08:08:06:859:adc
7-18: 08:08:06:859:adc Receive: (get) SA = 0x0013ed68 from
213.188.106.75.500
7-18: 08:08:06:859:adc ISAKMP Header: (V1.0), len = 228
7-18: 08:08:06:859:adc I-COOKIE 4cd83385f869735b
7-18: 08:08:06:859:adc R-COOKIE f2784b9811a6b301
7-18: 08:08:06:859:adc exchange: Oakley Main Mode
7-18: 08:08:06:859:adc flags: 0
7-18: 08:08:06:859:adc next payload: KE
7-18: 08:08:06:859:adc message ID: 00000000
7-18: 08:08:06:859:adc processing payload KE
7-18: 08:08:06:859:adc processing payload NONCE
7-18: 08:08:06:859:adc processing payload NATDISC
7-18: 08:08:06:859:adc Processing NatHash
7-18: 08:08:06:859:adc Nat hash e38235836bd967e0b2b57e6539a33557
7-18: 08:08:06:859:adc 0ffa7940
7-18: 08:08:06:859:adc SA StateMask2 1f
7-18: 08:08:06:859:adc processing payload NATDISC
7-18: 08:08:06:859:adc Processing NatHash
7-18: 08:08:06:859:adc Nat hash 3381c15433576f3800f1166f89289af4
7-18: 08:08:06:859:adc 80206666
7-18: 08:08:06:859:adc SA StateMask2 9f
7-18: 08:08:06:859:adc ClearFragList
7-18: 08:08:06:859:adc Floated Ports Orig Me:f401 Peer:f401
7-18: 08:08:06:859:adc Floated Ports Me:9411 Peer:9411
7-18: 08:08:06:859:adc constructing ISAKMP Header
7-18: 08:08:06:859:adc constructing ID
7-18: 08:08:06:859:adc Received no valid CRPs. Using all configured
7-18: 08:08:06:859:adc Looking for IPSec only cert
7-18: 08:08:06:859:adc Cert Trustes. 0 100
7-18: 08:08:06:859:adc Cert SHA Thumbprint 2fc98042db8e3d89af62ceb2398033e4
7-18: 08:08:06:859:adc e2ee142d
7-18: 08:08:06:859:adc CertFindExtenstion failed with 0
7-18: 08:08:06:859:adc Entered CRL check
7-18: 08:08:06:875:adc Left CRL check
7-18: 08:08:06:875:adc Cert SHA Thumbprint 2fc98042db8e3d89af62ceb2398033e4
7-18: 08:08:06:875:adc e2ee142d
7-18: 08:08:06:875:adc SubjectName: C=DE, S=Hessen, O=Infrastruktur und
Umwelt, OU=Netzwerksicherheit, CN=Thomas Rupp, E=trupp at bytebox.de
7-18: 08:08:06:875:adc Cert Serialnumber 02
7-18: 08:08:06:875:adc Cert SHA Thumbprint 2fc98042db8e3d89af62ceb2398033e4
7-18: 08:08:06:875:adc e2ee142d
7-18: 08:08:06:875:adc SubjectName: C=DE, S=Hessen, O=Infrastruktur und
Umwelt, OU=Netzwerksicherheit, CN=Infrastruktur und Umwelt Root CA,
E=ca at iu-info.de
7-18: 08:08:06:875:adc Cert Serialnumber 00
7-18: 08:08:06:875:adc Cert SHA Thumbprint ec7f41cf8471172ccb2f519ecc3877b9
7-18: 08:08:06:875:adc 73215dbe
7-18: 08:08:06:875:adc Not storing My cert chain in SA.
7-18: 08:08:06:875:adc MM ID Type 9
7-18: 08:08:06:875:adc MM ID 308195310b3009060355040613024445
7-18: 08:08:06:875:adc 310f300d060355040813064865737365
7-18: 08:08:06:875:adc 6e3121301f060355040a1318496e6672
7-18: 08:08:06:875:adc 61737472756b74757220756e6420556d
7-18: 08:08:06:875:adc 77656c74311b3019060355040b13124e
7-18: 08:08:06:875:adc 65747a7765726b736963686572686569
7-18: 08:08:06:875:adc 74311430120603550403130b54686f6d
7-18: 08:08:06:875:adc 61732052757070311f301d06092a8648
7-18: 08:08:06:875:adc 86f70d01090116107472757070406279
7-18: 08:08:06:875:adc 7465626f782e6465
7-18: 08:08:06:875:adc constructing CERT
7-18: 08:08:06:875:adc Construct SIG
7-18: 08:08:06:890:adc Constructing Cert Request
7-18: 08:08:06:890:adc C=DE, S=Hessen, O=Infrastruktur und Umwelt,
OU=Netzwerksicherheit, CN=Infrastruktur und Umwelt Root CA, E=ca at iu-info.de
7-18: 08:08:06:890:adc
7-18: 08:08:06:890:adc Sending: SA = 0x0013ED68 to 213.188.106.75:Type
2.4500
7-18: 08:08:06:890:adc ISAKMP Header: (V1.0), len = 1900
7-18: 08:08:06:890:adc I-COOKIE 4cd83385f869735b
7-18: 08:08:06:890:adc R-COOKIE f2784b9811a6b301
7-18: 08:08:06:890:adc exchange: Oakley Main Mode
7-18: 08:08:06:890:adc flags: 1 ( encrypted )
7-18: 08:08:06:890:adc next payload: ID
7-18: 08:08:06:890:adc message ID: 00000000
7-18: 08:08:06:890:adc Ports S:9411 D:9411
7-18: 08:08:07:109:adc
7-18: 08:08:07:109:adc Receive: (get) SA = 0x0013ed68 from
213.188.106.75.4500
7-18: 08:08:07:109:adc ISAKMP Header: (V1.0), len = 1732
7-18: 08:08:07:109:adc I-COOKIE 4cd83385f869735b
7-18: 08:08:07:109:adc R-COOKIE f2784b9811a6b301
7-18: 08:08:07:109:adc exchange: Oakley Main Mode
7-18: 08:08:07:109:adc flags: 1 ( encrypted )
7-18: 08:08:07:109:adc next payload: ID
7-18: 08:08:07:109:adc message ID: 00000000
7-18: 08:08:07:109:adc processing payload ID
7-18: 08:08:07:109:adc processing payload CERT
7-18: 08:08:07:109:adc processing payload SIG
7-18: 08:08:07:109:adc Verifying CertStore
7-18: 08:08:07:109:adc SubjectName: C=DE, S=Hessen, O=Infrastruktur und
Umwelt, OU=Netzwerksicherheit, CN=mail.iu-info.de, E=gwda at iu-info.de
7-18: 08:08:07:109:adc Cert Serialnumber 00
7-18: 08:08:07:109:adc Cert SHA Thumbprint 9794696367340e6015d2001d9ebabc04
7-18: 08:08:07:109:adc adc4da66
7-18: 08:08:07:109:adc Trust failed. 28 0
7-18: 08:08:07:109:adc Cert Trustes. 28 0
7-18: 08:08:07:125:adc SubjectName: C=DE, S=Hessen, O=Infrastruktur und
Umwelt, OU=Netzwerksicherheit, CN=mail.iu-info.de, E=gwda at iu-info.de
7-18: 08:08:07:125:adc Cert Serialnumber 00
7-18: 08:08:07:125:adc Cert SHA Thumbprint 9794696367340e6015d2001d9ebabc04
7-18: 08:08:07:125:adc adc4da66
7-18: 08:08:07:125:adc Not storing Peer's cert chain in SA.
7-18: 08:08:07:125:adc Cert SHA Thumbprint 9794696367340e6015d2001d9ebabc04
7-18: 08:08:07:125:adc adc4da66
7-18: 08:08:07:125:adc Certificate-based identity.
Peer subject C=DE, S=Hessen, O=Infrastruktur und Umwelt,
OU=Netzwerksicherheit, CN=mail.iu-info.de, E=gwda at iu-info.de
Peer SHA fingerprint 9794696367340e6015d2001d9ebabc04adc4da66 Peer
issuing certification authority: C=DE, S=Hessen, O=Infrastruktur
und Umwelt, OU=Netzwerksicherheit, CN=Infrastruktur und Umwelt Root CA,
E=ca at iu-info.de Root certification authority C=DE, S=Hessen,
O=Infrastruktur und Umwelt, OU=Netzwerksicherheit, CN=mail.iu-info.de,
E=gwda at iu-info.de Own subject C=DE, S=Hessen, O=Infrastruktur
und Umwelt, OU=Netzwerksicherheit, CN=Thomas Rupp, E=trupp at bytebox.de
Own SHA fingerprint 2fc98042db8e3d89af62ceb2398033e4e2ee142d
Peer IP address: 213.188.106.75
7-18: 08:08:07:125:adc Source IP address 192.168.168.215
Source IP address mask 255.255.255.255 Destination IP address 213.188.106.75
Destination IP address mask 255.255.255.255 Protocol 0 Source port 0 Destination port
0 Local IKE address 192.168.168.215 Peer IKE address 213.188.106.75
7-18: 08:08:07:125:adc isadb_set_status sa:0013ED68 centry:00000000
status 35e9
7-18: 08:08:07:125:adc Key exchange mode (main mode)
7-18: 08:08:07:125:adc Source IP address 192.168.168.215
Source IP address mask 255.255.255.255 Destination IP address 213.188.106.75
Destination IP address mask 255.255.255.255 Protocol 0 Source port 0 Destination port
0 Local IKE address 192.168.168.215 Peer IKE address 213.188.106.75
7-18: 08:08:07:125:adc Certificate-based identity.
Peer subject C=DE, S=Hessen, O=Infrastruktur und Umwelt,
OU=Netzwerksicherheit, CN=mail.iu-info.de, E=gwda at iu-info.de
Peer SHA fingerprint 9794696367340e6015d2001d9ebabc04adc4da66 Peer
issuing certification authority: C=DE, S=Hessen, O=Infrastruktur
und Umwelt, OU=Netzwerksicherheit, CN=Infrastruktur und Umwelt Root CA,
E=ca at iu-info.de Root certification authority C=DE, S=Hessen,
O=Infrastruktur und Umwelt, OU=Netzwerksicherheit, CN=mail.iu-info.de,
E=gwda at iu-info.de Own subject C=DE, S=Hessen, O=Infrastruktur
und Umwelt, OU=Netzwerksicherheit, CN=Thomas Rupp, E=trupp at bytebox.de
Own SHA fingerprint 2fc98042db8e3d89af62ceb2398033e4e2ee142d
Peer IP address: 213.188.106.75
7-18: 08:08:07:125:adc User
7-18: 08:08:07:125:adc IKE authentication credentials are
not acceptable.
7-18: 08:08:07:125:adc 0x0 0x0
7-18: 08:08:07:125:adc ProcessFailure: sa:0013ED68 centry:00000000
status:35e9
7-18: 08:08:07:125:adc Not creating notify.
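The oakley.log above logs "Trust failed. 28 0" against the certificate the gateway presented (CN=mail.iu-info.de, serial 00) and then "IKE authentication credentials are not acceptable", while the Openswan side reports the ISAKMP SA as established. One check worth doing at that point is to confirm which certificate Windows actually evaluated: Windows logs the SHA-1 thumbprint of every certificate it handles (split over two log lines), and that value is just SHA-1 over the DER encoding, so it can be compared directly with the thumbprint of gwdaCert.pem on VPN-Box1 and of the CA certificate in the Windows store. The script below is an added example, not from the post and not part of ipsec.exe or Openswan. The log excerpt it parses is taken from the lines of the post; the PEM block is constructed filler (not a real certificate) so the script runs offline, and the path /etc/ipsec.d/certs/gwdaCert.pem mentioned in the note is assumed to be where Openswan keeps leftcert files.

```python
"""Compare 'Cert SHA Thumbprint' values from a Windows oakley.log with the
SHA-1 thumbprint of a PEM certificate file (added example, not from the post)."""
import base64
import hashlib
import re

# oakley.log prefix "7-18: 08:08:07:109:adc " = date, time, thread id.
_PREFIX = re.compile(r"^\d+-\d+: \d+:\d+:\d+:\d+:[0-9a-f]+ ?")
_HEX_RUN = re.compile(r"^[0-9a-f]+$")
_THUMB = re.compile(r"^Cert SHA Thumbprint ([0-9a-f]+)$")
_SUBJECT = re.compile(r"^SubjectName: (.*)$")

# Excerpt built from the post's oakley.log around the certificate check
# (the German failure message translated). The thumbprint is split over
# two lines exactly as Windows writes it.
OAKLEY_LOG = """\
7-18: 08:08:07:109:adc processing payload CERT
7-18: 08:08:07:109:adc processing payload SIG
7-18: 08:08:07:109:adc Verifying CertStore
7-18: 08:08:07:109:adc SubjectName: C=DE, S=Hessen, O=Infrastruktur und
Umwelt, OU=Netzwerksicherheit, CN=mail.iu-info.de, E=gwda at iu-info.de
7-18: 08:08:07:109:adc Cert Serialnumber 00
7-18: 08:08:07:109:adc Cert SHA Thumbprint 9794696367340e6015d2001d9ebabc04
7-18: 08:08:07:109:adc adc4da66
7-18: 08:08:07:109:adc Trust failed. 28 0
7-18: 08:08:07:125:adc IKE authentication credentials are not acceptable.
"""

# Constructed filler standing in for gwdaCert.pem. NOT a real certificate:
# any bytes between the PEM markers exercise the PEM -> DER -> SHA-1 path.
CONSTRUCTED_DER = b"constructed filler, not a DER certificate"
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def der_thumbprint(der: bytes) -> str:
    """Windows-style thumbprint: SHA-1 over the DER encoding, lowercase hex."""
    return hashlib.sha1(der).hexdigest()


def pem_thumbprint(pem_text: str) -> str:
    """Thumbprint of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    der = base64.b64decode("".join(m.group(1).split()))
    return der_thumbprint(der)


def _records(log_text: str) -> list:
    """Rejoin wrapped oakley.log lines into one record per event.

    An unprefixed line continues the previous record (mail wrapping); a
    prefixed line that is only hex continues a 'Cert SHA Thumbprint' record.
    """
    records = []
    for raw in log_text.splitlines():
        stripped = _PREFIX.sub("", raw)
        prefixed = stripped != raw
        if not records:
            records.append(stripped)
        elif not prefixed:
            records[-1] += " " + stripped
        elif _HEX_RUN.match(stripped) and records[-1].startswith("Cert SHA Thumbprint"):
            records[-1] += stripped
        else:
            records.append(stripped)
    return records


def parse_thumbprints(log_text: str) -> list:
    """One dict per logged thumbprint: subject, thumbprint, trust_failed."""
    found, subject = [], None
    for rec in _records(log_text):
        m = _SUBJECT.match(rec)
        if m:
            subject = m.group(1)
            continue
        m = _THUMB.match(rec)
        if m:
            found.append({"subject": subject, "thumbprint": m.group(1),
                          "trust_failed": False})
            continue
        if rec.startswith("Trust failed") and found:
            found[-1]["trust_failed"] = True
    return found


def check_log_against_pem(log_text: str, pem_text: str) -> list:
    """Flag each logged certificate as matching the local PEM file or not."""
    local = pem_thumbprint(pem_text)
    return [dict(e, matches_local=(e["thumbprint"] == local))
            for e in parse_thumbprints(log_text)]


if __name__ == "__main__":
    print("local PEM thumbprint:", pem_thumbprint(CONSTRUCTED_PEM))
    for e in check_log_against_pem(OAKLEY_LOG, CONSTRUCTED_PEM):
        flag = "TRUST FAILED" if e["trust_failed"] else "ok"
        print(e["thumbprint"], flag, "matches local:", e["matches_local"], e["subject"])
```

On the real boxes, feed the script the PEM from /etc/ipsec.d/certs/gwdaCert.pem on VPN-Box1 (and the CA file imported into the Windows store) instead of the filler; `openssl x509 -in gwdaCert.pem -noout -fingerprint -sha1` prints the same SHA-1 value, so the two can be cross-checked. If the thumbprint Windows rejected is not the one in the PEM you expect, the wrong certificate is being sent or stored; if it is, the problem lies in how the Windows store chains that certificate to the CA named in rightca.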