[Openswan Users] testing very simple openswan architecture
John Joseph
jjk_saji at yahoo.com
Wed May 4 14:23:26 CEST 2005
Dear Friends
I am also trying to test a very simple openswan
architecture, I would like to share my experience and
problems.
I am trying to configure OpenSWAN for two PCs in
the same subnet. I am able to run ipsec; after
running ipsec, I was able to telnet, ssh, ping etc.
from 192.168.20.99 (left) to 192.168.20.98 (right),
but not able to do (ping, ssh, ftp, etc.) from
192.168.20.98 (right) to the same IP address, and also
when I ping or ssh from 192.168.20.98 to itself I get
these errors:
[root at ipsec ~]# ping 192.168.20.98
connect: Resource temporarily unavailable
[root at ipsec ~]# ssh 192.168.20.98
ssh: connect to host 192.168.20.98 port 22: Resource temporarily unavailable
[root at ipsec ~]#
I am sending my "ipsec.conf" file. I am using
RH4 and OpenSwan (Linux Openswan U2.3.0/K).
I am trying to find what may be the reason for this
behaviour.
Thanks
Joseph John
**********************************************************************************************
version 2.0

conn net-to-net
        left=192.168.20.99
        leftid=@john.test.com
        # RSA 2192 bits john.test.com Wed May 4 12:34:02 2005
        leftrsasigkey=0sAQOCjGSHZHenddzgVhWt9C8LUA0uaxE+RlVkeDqfV98boekezT9SR33br2xNup18kNqe1ROd1eKroFxgskbvAiLqBO1rpay+iLIlKls1rntCl6ilpBFb3IsMK05RmXTySSaf3stfEpz+4icH9syvJHB9y4k1PmC+v5QjQCvwsgeWd8CQi8roSRvh8BKiXntMd4HmSGrvVbE93hNcJw7K9Ks5X3wx9g3UtC/yRzS8k4BvJpG+1DOWtK+Jw23fZAib4djK6QRtuQYp/A3wB91EOHqAxguJKM5GPOXAh7ZScCfa5r5r2MerVOiJJR+feZYyu7SR4ibjAqKkcc5NBab3q3bFmdl54To4oLLtWdB8AGbv7pgN
        right=192.168.20.98
        rightid=@ipsec.test.com
        # RSA 2192 bits ipsec.test.com Wed May 4 10:46:46 2005
        rightrsasigkey=0sAQNyxxTKqF+SlejvYqn8iNGZ260hGDJDQI8SMcM0ikq+Y6iVSD/ejUcTtaHLQduKj1KogPte4K6DyW+GdbQB7evH8Jj8QEK+5Hi03bEYWMe3/8yj5nrR5+GURhhW2UlskGEM5Q2o5mrFTjuUVm2aFvAOdwmh1bs1ZO366/u14HWFlc/8aAs8fJt7eIToaxMdmkDorFI/DU7YkNUWfrlfWLp+/68HxE0p7TxYo4DhTbSUwk+coxACjwD82qud3BTQn8UJwspI6t5f8s5Mtp+uxQ+Z933vOOSZA+AF39W2Jg0QtLdL8TLPCQLv1vyBYnl0wkk7WdAjjokIqUkl+VpIAO5e707j309IvForDKAfKeDm5vTd
**********************************************************************************************
--- david <ngc1976.m42 at caramail.com> wrote:
> > On Tue, 3 May 2005, david wrote:
> >
> > > I read the documentation strongsec/freeswan and the how-to from
> > > Nate Carlson but I think I do not understand how to configure the
> > > ipsec.conf files for the two hosts.
> > >
> > > HostA and hostB are directly linked.
> > >
> > > --------------------HostA certificate files----------------------
> > > /etc/openswan/ipsec.d/private/user01des.key
> > > /etc/openswan/ipsec.d/certs/user01des.crt
> > > /etc/openswan/ipsec.d/cacerts/ca.crt
> > > -----------------------------end-----------------------------------
> > >
> > > --------------------HostB certificate files----------------------
> > > /etc/openswan/ipsec.d/private/user02des.key
> > > /etc/openswan/ipsec.d/certs/user02des.crt
> > > /etc/openswan/ipsec.d/cacerts/ca.crt
> > > -----------------------------end-----------------------------------
> > >
> > > user01des.crt and user02.crt are signed by the ca.crt
> > > For all the keys, the length is 1024 with DES3.
> > >
> > > -------------------host A ipsec.conf file------------------------
> > > config setup
> > >         klipsdebug=none
> > >         plutodebug=all
> > >
> > > # Add connections here
> > > conn %default
> > >         keyingtries=0
> > >         authby=rsasig
> > >
> > > # sample VPN connection
> > > conn testvpnda
> > >         left=195.212.109.202
> > >         leftcert=user01des.crt
> > >         right=195.212.109.203
> > >         rightrsasigkey=%cert
> > >         auto=add
> > > ------------------------------end-------------------------------------
> > >
> > > I put the same configuration for hostA and hostB.
> >
> > That won't work, unless you changed leftcert/rightcert. Both ends need to
> > load only their own certificate.
>
> yes, I put (already) for hostB:
> -------------------host B ipsec.conf file------------------------
> config setup
>         klipsdebug=none
>         plutodebug=all
>
> # Add connections here
> conn %default
>         keyingtries=0
>         authby=rsasig
>
> # sample VPN connection
> conn testvpnda
>         left=195.212.109.202
>         leftrsasigkey=%cert
>         right=195.212.109.203
>         rightcert=user02des.crt
>         auto=add
> ------------------------------end-------------------------------------
>
>
> >
> > Helpful command: ipsec auto --listall
>
> ------------------------------------------------------------------------
>
> ok, this command gives me on hostB (it is quite the same on hostA but of
> course, proper certificate and proper key are not the same, everything is ok):
>
> [root at dhcp203 openswan]# ipsec auto --listall
> 000
> 000 List of Public Keys:
> 000
> 000 May 03 19:19:52 2005, 1024 RSA Key AwEAAeCQ9, until May 03 13:26:29 2006 ok
> 000 ID_USER_FQDN 'user01des at caramail.com'
> 000 Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
> 000 May 03 19:19:52 2005, 1024 RSA Key AwEAAeCQ9, until May 03 13:26:29 2006 ok
> 000 ID_DER_ASN1_DN 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01des, E=user01des at caramail.com'
> 000 Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
> 000 May 03 19:17:47 2005, 1024 RSA Key AwEAAeqR4, until May 03 13:29:40 2006 ok
> 000 ID_USER_FQDN 'user02des at caramail.com'
> 000 Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
> 000 May 03 19:17:47 2005, 1024 RSA Key AwEAAeqR4, until May 03 13:29:40 2006 ok
> 000 ID_DER_ASN1_DN 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user02des, E=user02des at caramail.com'
> 000 Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
> 000 May 03 19:17:42 2005, 2192 RSA Key AQNeVYs83, until --- -- --:--:-- ---- ok (expires never)
> 000 ID_IPV4_ADDR '195.212.109.204'
> 000 May 03 19:17:42 2005, 2192 RSA Key AQOvVgRGm, until --- -- --:--:-- ---- ok (expires never)
> 000 ID_IPV4_ADDR '195.212.109.203'
> 000
> 000 List of X.509 End Certificates:
> 000
> 000 May 03 19:17:47 2005, count: 1
> 000 subject: 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user02des, E=user02des at caramail.com'
> 000 issuer: 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
> 000 serial: 03
> 000 pubkey: 1024 RSA Key AwEAAeqR4, has private key
> 000 validity: not before May 03 13:29:40 2005 ok
> 000 not after May 03 13:29:40 2006 ok
> 000 subjkey: a6:0a:2c:41:7b:8b:4d:6d:75:6b:b5:a2:ec:25:95:81:e7:12:d1:bc
> 000 authkey: 28:99:32:6e:71:23:3d:5d:d8:9a:c2:2a:be:18:bf:98:94:76:29:76
> 000
> 000 List of X.509 CA Certificates:
> 000
> 000 May 03 19:17:40 2005, count: 1
> 000 subject: 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
> 000 issuer: 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
> 000 serial: 00
> 000 pubkey: 1024 RSA Key AwEAAcKtB
> 000 validity: not before May 03 13:11:24 2005 ok
> 000 not after May 03 13:11:24 2025 ok
> 000 subjkey: 28:99:32:6e:71:23:3d:5d:d8:9a:c2:2a:be:18:bf:98:94:76:29:76
>
> ----------------------------------end---------------------------------
>
> Is there anything wrong? (it seems to me not...)
>
>
> > Check to see if your certificate loaded, it has a private key loaded, and
> > the root CA loaded on both ends.
>
> It seems that my certificate is loaded and it has a private key, and the
> root CA is loaded too?
>
>
> >
> > Paul
>
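Paul's two questions about the quoted `ipsec auto --listall` listing (is the private key loaded, is the root CA loaded) can be checked mechanically. The script below is an added example, not code from this thread or from Openswan: it parses the certificate sections of the listing using the field names david's output shows, on a constructed sample trimmed from that output, and also verifies that the end certificate's authkey equals the CA's subjkey, which is what links the two entries into a chain. The "000 " prefix and the "name: value" layout are assumed from the listing above.

```python
import re
# Constructed sample, trimmed from the listing quoted in the thread (the "000 " prefix is Pluto's whack output)
LISTALL = """\
000 List of X.509 End Certificates:
000 May 03 19:17:47 2005, count: 1
000 subject: 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user02des, E=user02des@caramail.com'
000 issuer: 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000 pubkey: 1024 RSA Key AwEAAeqR4, has private key
000 subjkey: a6:0a:2c:41:7b:8b:4d:6d:75:6b:b5:a2:ec:25:95:81:e7:12:d1:bc
000 authkey: 28:99:32:6e:71:23:3d:5d:d8:9a:c2:2a:be:18:bf:98:94:76:29:76
000 List of X.509 CA Certificates:
000 May 03 19:17:40 2005, count: 1
000 subject: 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000 subjkey: 28:99:32:6e:71:23:3d:5d:d8:9a:c2:2a:be:18:bf:98:94:76:29:76
"""
FIELD = re.compile(r"^(\w+):\s+(.*)$")  # one "name: value" line of a certificate entry

def parse_listall(text):
    """Return {'end': [...], 'ca': [...]}; each certificate is a dict of field -> value."""
    certs, section, cert = {"end": [], "ca": []}, None, None
    for raw in text.splitlines():
        line = raw[4:] if raw.startswith("000") else raw  # drop the whack prefix
        if "End Certificates" in line:
            section = "end"
        elif "CA Certificates" in line:
            section = "ca"
        elif "count:" in line and section:  # the date/count header opens a new entry
            cert = {}
            certs[section].append(cert)
        elif cert is not None and (m := FIELD.match(line.strip())):
            cert[m.group(1)] = m.group(2).strip().strip("'")
    return certs

def check_end_certs(text):
    """Paul's checks (private key loaded, CA loaded by DN and key id) -> {subject: [problems]}."""
    certs = parse_listall(text)
    cas = {ca["subject"]: ca for ca in certs["ca"]}
    report = {}
    for cert in certs["end"]:
        problems = []
        if "has private key" not in cert.get("pubkey", ""):
            problems.append("no private key loaded for this certificate")
        ca = cas.get(cert.get("issuer"))
        if ca is None:
            problems.append("issuing CA not loaded: " + cert.get("issuer", "?"))
        elif ca.get("subjkey") != cert.get("authkey"):
            problems.append("authkey does not match the loaded CA's subjkey")
        report[cert["subject"]] = problems  # empty list means the entry is usable
    return report
```

On david's listing every check passes, so the certificate side is not where his problem lies; run it against the real output on each host to confirm the same for both ends.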