[Openswan Users] testing very simple openswan architecture

John Joseph jjk_saji at yahoo.com
Wed May 4 14:23:26 CEST 2005


Dear Friends,
   I am also trying to test a very simple openswan
architecture; I would like to share my experience and
problems.

    I am trying to configure OpenSWAN for two PCs in
the same subnet. I am able to run ipsec; after
running ipsec, I was able to telnet, ssh, ping etc.
from 192.168.20.99 (left) to 192.168.20.98 (right),
but not able to do (ping, ssh, ftp, etc.) from
192.168.20.98 (right) to the same IP address, and also
when I ping or ssh from 192.168.20.98 to itself I get
these errors:

[root@ipsec ~]# ping 192.168.20.98
connect: Resource temporarily unavailable
[root@ipsec ~]# ssh 192.168.20.98
ssh: connect to host 192.168.20.98 port 22: Resource temporarily unavailable
[root@ipsec ~]#

     I am sending my "ipsec.conf" file. I am using
RH4 and OpenSwan Linux Openswan U2.3.0/K.

I am trying to find what may be the reason for this
behaviour.
                          Thanks 
                             Joseph John 



**********************************************************************************************
version 2.0

conn net-to-net
	left=192.168.20.99
	leftid=@john.test.com
	# RSA 2192 bits   john.test.com   Wed May  4 12:34:02 2005
	leftrsasigkey=0sAQOCjGSHZHenddzgVhWt9C8LUA0uaxE+RlVkeDqfV98boekezT9SR33br2xNup18kNqe1ROd1eKroFxgskbvAiLqBO1rpay+iLIlKls1rntCl6ilpBFb3IsMK05RmXTySSaf3stfEpz+4icH9syvJHB9y4k1PmC+v5QjQCvwsgeWd8CQi8roSRvh8BKiXntMd4HmSGrvVbE93hNcJw7K9Ks5X3wx9g3UtC/yRzS8k4BvJpG+1DOWtK+Jw23fZAib4djK6QRtuQYp/A3wB91EOHqAxguJKM5GPOXAh7ZScCfa5r5r2MerVOiJJR+feZYyu7SR4ibjAqKkcc5NBab3q3bFmdl54To4oLLtWdB8AGbv7pgN
	right=192.168.20.98
	rightid=@ipsec.test.com
	# RSA 2192 bits   ipsec.test.com   Wed May  4 10:46:46 2005
	rightrsasigkey=0sAQNyxxTKqF+SlejvYqn8iNGZ260hGDJDQI8SMcM0ikq+Y6iVSD/ejUcTtaHLQduKj1KogPte4K6DyW+GdbQB7evH8Jj8QEK+5Hi03bEYWMe3/8yj5nrR5+GURhhW2UlskGEM5Q2o5mrFTjuUVm2aFvAOdwmh1bs1ZO366/u14HWFlc/8aAs8fJt7eIToaxMdmkDorFI/DU7YkNUWfrlfWLp+/68HxE0p7TxYo4DhTbSUwk+coxACjwD82qud3BTQn8UJwspI6t5f8s5Mtp+uxQ+Z933vOOSZA+AF39W2Jg0QtLdL8TLPCQLv1vyBYnl0wkk7WdAjjokIqUkl+VpIAO5e707j309IvForDKAfKeDm5vTd
**********************************************************************************************

--- david <ngc1976.m42 at caramail.com> wrote:

> > On Tue, 3 May 2005, david wrote:
> > 
> > > I read the documentation strongsec/freeswan and the how-to from Nate Carlson but I think I do not understand how to configure the ipsec.conf files for the two hosts.
> > >
> > > HostA and hostB are directly linked.
> > >
> > > --------------------HostA certificate files----------------------
> > > /etc/openswan/ipsec.d/private/user01des.key
> > > /etc/openswan/ipsec.d/certs/user01des.crt
> > > /etc/openswan/ipsec.d/cacerts/ca.crt
> > >
> > >
> > > -----------------------------end-----------------------------------
> > >
> > > --------------------HostB certificate files----------------------
> > > /etc/openswan/ipsec.d/private/user02des.key
> > > /etc/openswan/ipsec.d/certs/user02des.crt
> > > /etc/openswan/ipsec.d/cacerts/ca.crt
> > >
> > >
> > > -----------------------------end-----------------------------------
> > >
> > > user01des.crt and user02.crt are signed by the ca.crt
> > > For all the keys, the length is 1024 with DES3.
> > >
> > >
> > >
> > >
> > >
> > > -------------------host A ipsec.conf file------------------------
> > > config setup
> > >         klipsdebug=none
> > >   plutodebug=all
> > >
> > > # Add connections here
> > > conn %default
> > >         keyingtries=0
> > >         authby=rsasig
> > >
> > >
> > > # sample VPN connection
> > > conn testvpnda
> > >  left=195.212.109.202
> > >  leftcert=user01des.crt
> > >  right=195.212.109.203
> > >  rightrsasigkey=%cert
> > >  auto=add
> > >
> > >
> > > ------------------------------end-------------------------------------
> > >
> > > I put the same configuration for hostA and hostB.
> > 
> > That won't work, unless you changed leftcert/rightcert. Both ends need to
> > load only their own certificate.
> 
> yes, I put (already) for hostB:
>  -------------------host B ipsec.conf file------------------------
>  config setup
>          klipsdebug=none
>    plutodebug=all
> 
>  # Add connections here
>  conn %default
>          keyingtries=0
>          authby=rsasig
> 
>  # sample VPN connection
>  conn testvpnda
>   left=195.212.109.202
>   leftrsasigkey=%cert
>   right=195.212.109.203
>   rightcert=user02des.crt
>   auto=add
> 
>  ------------------------------end-------------------------------------
> 
> 
> > 
> > Helpful command: ipsec auto --listall
> ------------------------------------------------------------------------
> 
> ok, this command gives me on hostB (it is quite the
> same on hostA but of course, the proper certificate and
> proper key are not the same; everything is ok):
> 
> [root@dhcp203 openswan]# ipsec auto --listall
> 000
> 000 List of Public Keys:
> 000
> 000 May 03 19:19:52 2005, 1024 RSA Key AwEAAeCQ9, until May 03 13:26:29 2006 ok
> 000        ID_USER_FQDN 'user01des@caramail.com'
> 000        Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
> 000 May 03 19:19:52 2005, 1024 RSA Key AwEAAeCQ9, until May 03 13:26:29 2006 ok
> 000        ID_DER_ASN1_DN 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01des, E=user01des@caramail.com'
> 000        Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
> 000 May 03 19:17:47 2005, 1024 RSA Key AwEAAeqR4, until May 03 13:29:40 2006 ok
> 000        ID_USER_FQDN 'user02des@caramail.com'
> 000        Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
> 000 May 03 19:17:47 2005, 1024 RSA Key AwEAAeqR4, until May 03 13:29:40 2006 ok
> 000        ID_DER_ASN1_DN 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user02des, E=user02des@caramail.com'
> 000        Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
> 000 May 03 19:17:42 2005, 2192 RSA Key AQNeVYs83, until --- -- --:--:-- ---- ok (expires never)
> 000        ID_IPV4_ADDR '195.212.109.204'
> 000 May 03 19:17:42 2005, 2192 RSA Key AQOvVgRGm, until --- -- --:--:-- ---- ok (expires never)
> 000        ID_IPV4_ADDR '195.212.109.203'
> 000
> 000 List of X.509 End Certificates:
> 000
> 000 May 03 19:17:47 2005, count: 1
> 000        subject: 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user02des, E=user02des@caramail.com'
> 000        issuer:  'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
> 000        serial:   03
> 000        pubkey:   1024 RSA Key AwEAAeqR4, has private key
> 000        validity: not before May 03 13:29:40 2005 ok
> 000                  not after  May 03 13:29:40 2006 ok
> 000        subjkey:  a6:0a:2c:41:7b:8b:4d:6d:75:6b:b5:a2:ec:25:95:81:e7:12:d1:bc
> 000        authkey:  28:99:32:6e:71:23:3d:5d:d8:9a:c2:2a:be:18:bf:98:94:76:29:76
> 000
> 000 List of X.509 CA Certificates:
> 000
> 000 May 03 19:17:40 2005, count: 1
> 000        subject: 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
> 000        issuer:  'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
> 000        serial:   00
> 000        pubkey:   1024 RSA Key AwEAAcKtB
> 000        validity: not before May 03 13:11:24 2005 ok
> 000                  not after  May 03 13:11:24 2025 ok
> 000        subjkey:  28:99:32:6e:71:23:3d:5d:d8:9a:c2:2a:be:18:bf:98:94:76:29:76
> 
> ----------------------------------end---------------------------------
> 
> Is there anything wrong? (It seems to me not...)
> 
> 
> > Check to see if your certificate loaded it has a private key loaded, and
> > the root CA loaded on both ends.
> 
> It seems that my certificate is loaded and it has a
> private key, and the root CA is loaded too?
> 
> 
> > 
> > Paul
> 
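A consistency check for the two-host certificate setup discussed above, written here as an added example; it is not code from the posters or from Openswan. It parses ipsec.conf the way ipsec.conf(5) lays it out (section headers in column 0, parameters indented, "conn %default" merged into every conn) and then applies Paul's rule: each end loads only its own certificate and takes the peer's key from the peer's certificate via %cert. HOST_A and HOST_B are constructed to mirror the hostA/hostB files in the thread; the conn name and addresses are taken from those posts.

```python
def parse_ipsec_conf(text):
    """Return {conn_name: params} with 'conn %default' merged into each conn.
    ipsec.conf(5): section headers start in column 0, parameters are indented,
    so an unindented key=value line is rejected here, as Openswan rejects it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line[0] not in " \t":                       # column 0: a section header
            if "=" in line:
                raise ValueError("unindented parameter line: " + line.strip())
            current = sections.setdefault(line.strip(), {})
            continue
        key, sep, value = line.strip().partition("=")
        if current is None or not sep:
            raise ValueError("malformed line: " + line.strip())
        current[key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    return {n[5:]: {**defaults, **p} for n, p in sections.items()
            if n.startswith("conn ") and n != "conn %default"}

def check_pair(conf_a, conf_b, conn, ip_a, ip_b):
    """Findings (empty list = consistent) for conn between host A (ip_a) and
    host B (ip_b): rsasig auth, each end loads only its own cert and takes
    the peer's key from the peer's cert (%cert), same left/right on both."""
    findings, ends = [], {}
    for host, p, ip in (("A", conf_a[conn], ip_a), ("B", conf_b[conn], ip_b)):
        me = "left" if p.get("left") == ip else "right" if p.get("right") == ip else None
        if me is None:
            findings.append(f"host {host}: {ip} is neither left nor right of {conn}")
            continue
        peer, ends[host] = ("right" if me == "left" else "left"), p
        checks = [
            (p.get("authby") != "rsasig", "authby should be rsasig for certificate auth"),
            (me + "cert" not in p, f"no {me}cert for its own end"),
            (peer + "cert" in p, f"loads the peer's {peer}cert (each end loads only its own)"),
            (p.get(peer + "rsasigkey") != "%cert", f"{peer}rsasigkey should be %cert"),
        ]
        findings += [f"host {host}: {msg}" for bad, msg in checks if bad]
    if len(ends) == 2 and any(ends["A"].get(k) != ends["B"].get(k) for k in ("left", "right")):
        findings.append("left/right addresses differ between the two hosts")
    return findings

# Constructed samples following the thread's hostA/hostB layout, not the posted files.
HOST_A = ("config setup\n\tplutodebug=all\nconn %default\n\tkeyingtries=0\n\tauthby=rsasig\n"
          "conn testvpnda\n\tleft=195.212.109.202\n\tleftcert=user01des.crt\n"
          "\tright=195.212.109.203\n\trightrsasigkey=%cert\n\tauto=add\n")
HOST_B = (HOST_A.replace("\tleftcert=user01des.crt\n", "\tleftrsasigkey=%cert\n")
          .replace("\trightrsasigkey=%cert\n", "\trightcert=user02des.crt\n"))
```

Running check_pair on HOST_A against a verbatim copy of HOST_A reproduces the first mistake in the thread: host B reports that it has no rightcert, that it loads the peer's leftcert, and that leftrsasigkey is not %cert.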



