[Openswan Users] Openswan and Windows XP

Norman Rasmussen normanr at gmail.com
Tue Jun 28 13:53:49 CEST 2005


If you're using SP2, make sure you have the WinXP registry patch installed.

On 28/06/05, Vincent Tieleman <v_tieleman at hotmail.com> wrote:
> Hello everyone,
> 
> I've been trying to get this to work for days now and I thought now would be
> the time to get some expert advice...
> I have the following setup:
> 
> Windows XP Client (192.168.0.2) ---- Gentoo Gateway (192.168.0.1 and
> 192.168.1.10) ---- Router (192.168.1.1 and <client ip>) ---- <<< Internet
>  >>> --- Router (<server ip> and 10.0.0.138) --- Network (10.0.0.0/24),
> including Gentoo Server With OpenSwan (10.0.0.151)
> 
> I want the XP client to access the office network (10.0.0.0/24). After a
> long struggle with the settings, I managed to get as far as to get this
> connection using the ipsec by Marcus Mueller.
> 
> However, it is easier for the roadwarriors to simply connect with the
> 'connect to...' dialog. Here is the problem. I can get this to work on my
> local network, but not with NAT. When trying remotely, the server does not
> accept the same certificates etc. used locally. Obviously the certificates
> are not the problem, so Windows XP must be causing them.
> 
> Maybe someone can help? This is my ipsec.conf:
> 
> config setup
>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/24
>     interfaces="ipsec0=eth0"
>     nat_traversal=yes
> 
> conn %default
>     keyingtries=1
>     compress=yes
>     disablearrivalcheck=no
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
> 
> conn roadwarrior-l2tp
>     leftprotoport=17/0
>     rightprotoport=17/1701
>     also=roadwarrior
> 
> conn roadwarrior-l2tp-updated
>     leftprotoport=17/1701
>     rightprotoport=17/1701
>     also=roadwarrior
> 
> conn roadwarrior
>     left=10.0.0.151
>     leftsubnet=10.0.0.0/24
>     leftnexthop=10.0.0.138
>     leftcert=backoffice.trefa.nl.pem
>     right=%any
>     rightsubnet=vhost:%no,%priv
>     auto=add
>     pfs=no
> 
> And this is the error I get:
> 
> Jun 24 15:08:47 backoffice pluto[29780]: "roadwarrior-l2tp"[1] <client ip> #1: responding to Main Mode from unknown peer <client ip>
> Jun 24 15:08:47 backoffice pluto[29780]: "roadwarrior-l2tp"[1] <client ip> #1: transition from state (null) to state STATE_MAIN_R1
> Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[1] <client ip> #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
> Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[1] <client ip> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[1] <client ip> #1: Peer ID is ID_DER_ASN1_DN: '<client certificate DN>'
> Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[2] <client ip> #1: deleting connection "roadwarrior-l2tp" instance with peer <client ip> {isakmp=#0/ipsec=#0}
> Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[2] <client ip> #1: I am sending my cert
> Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[2] <client ip> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun 24 15:08:48 backoffice pluto[29780]: | NAT-T: new mapping <client ip>:500/10523)
> Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[2] <client ip>:10523 #1: sent MR3, ISAKMP SA established
> Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[2] <client ip>:10523 #1: cannot respond to IPsec SA request because no connection is known for <server ip>/32===10.0.0.151:4500[<server certificate DN>]:17/1701...<client ip>:10523[<client sertificate DN>]:17/1701
> Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[2] <client ip>:10523 #1: sending encrypted notification INVALID_ID_INFORMATION to <client ip>:10523
> 
> Please, please... any suggestions?
> 
> Vincent
> 


-- 
- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/
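
An added example, not part of the original thread and not Openswan code: a small Python parser that splits the selector string in pluto's "no connection is known for" message (joined onto one line) into its fields and lists which of them differ from the values in the quoted `conn roadwarrior-l2tp-updated`. The regular expression reflects only the layout visible in this log, and the `CONFIGURED` dictionary is copied by hand from the quoted ipsec.conf; the function names are made up for the example.

```python
import re

# Constructed sample: the wrapped pluto message from the post joined onto one
# line, with the poster's redaction placeholders kept exactly as they appear.
LOG_LINE = (
    'Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[2] '
    '<client ip>:10523 #1: cannot respond to IPsec SA request because '
    'no connection is known for '
    '<server ip>/32===10.0.0.151:4500[<server certificate DN>]:17/1701...'
    '<client ip>:10523[<client sertificate DN>]:17/1701'
)

# One end of the selector: optional "client===", host:port, [ID], :proto/port.
END = (r'(?:(?P<{p}client>.+?)===)?(?P<{p}host>.+?):(?P<{p}port>\d+)'
       r'\[(?P<{p}id>.*?)\]:(?P<{p}protoport>\d+/\d+)')
PATTERN = re.compile(r'no connection is known for '
                     + END.format(p='left') + r'\.\.\.'
                     + END.format(p='right') + r'$')


def parse_selector(line):
    """Return the fields of the refused IPsec SA request, or None."""
    m = PATTERN.search(line)
    return m.groupdict() if m else None


# Hand-copied from the quoted ipsec.conf: conn roadwarrior-l2tp-updated, which
# pulls in conn roadwarrior through also=.
CONFIGURED = {
    'leftclient': '10.0.0.0/24',   # leftsubnet
    'lefthost': '10.0.0.151',      # left
    'leftprotoport': '17/1701',
    'rightprotoport': '17/1701',
}


def differences(requested, configured):
    """List (field, requested, configured) for every field that disagrees."""
    return [(k, requested.get(k), v)
            for k, v in configured.items() if requested.get(k) != v]


if __name__ == '__main__':
    for field, got, want in differences(parse_selector(LOG_LINE), CONFIGURED):
        print(f'{field}: request has {got!r}, conn has {want!r}')
```

On the posted log the only field that differs is the local client: the request names `<server ip>/32`, while the conn sets `leftsubnet=10.0.0.0/24`.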

