[Openswan Users] NCP / openswan interop

jamona perez jamon_perez at hotmail.com
Fri Apr 28 19:45:56 CEST 2006


Hi all,
I have trouble making NCP Secure Entry Client work with an openswan gw using 
certs.
I have followed different leads, used Nate Carlson's pages about configuring 
openswan along with NCP support pages, but I cannot get rid of a
RECV_MSG1_MAIN -
28/04/2006 17:21:23  NCPIKE-phase1:name() - error - ATTRIBUTES_NOT_SUPPORTED
This surely has something to do with XAUTH / identities under NCP, but I 
cannot find a way to fix it.

openswan config :
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/16
        plutodebug="control parsing"
        interfaces=%defaultroute

conn roadwarrior-with-cert-test
        keyingtries=1
        compress=no
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute
        leftsubnet=10.10.10.0/24
        leftcert=openswan-cert.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        pfs=yes
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

Note : ipsec auto --listcerts, --listcacerts, --listpubkeys all work 
correctly and give the correct information

NCP config :
Gateway aa.bb.cc.dd
IKE policy RSA Signature
IPSec policy ESP - AES128 - MD5
Exch mode : main mode
DH-Group 2
Identities : ASN1 DN
ID left blank (supposed to be taken from the certificate)
use extended XAUTH / use access data from certificate field "cn"
IP Address assignment : manual 192.168.0.10 / 255.255.255.0
remote network : 10.10.10.0 / 255.255.255.0
nothing in certificate check
link firewall - nothing here Netbios over IP disabled

From the certificates menu I've installed the certificate and can read it 
correctly.

As you understood from the above, the NCP client is on the 192.168.0.0/24 network 
(behind a Linksys gateway router with IPsec/PPTP/L2TP passthrough enabled), 
connecting to an openswan gateway at address aa.bb.cc.dd leading to an 
internal network 10.10.10.0/24.

I've managed to make other kinds of tunnels work (gateway-to-gateway using 
PSK), but not NATed client-to-gateway using cert...

If anybody can be of any help, it would be greatly appreciated.
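Added example (not part of the original post): a small parser for the ipsec.conf above that cross-checks the conn against the NCP client settings listed in the post, flagging the XAUTH mismatch the poster suspects. It assumes Openswan's leftxauthserver keyword is the setting an XAUTH-capable conn would carry; the client profile dict is constructed from the post.

```python
# Added example, not from the original post: parse the poster's ipsec.conf
# and cross-check the conn against the NCP client settings they listed.
# Assumption: Openswan's leftxauthserver=yes is the knob an XAUTH-capable
# conn needs; the client profile dict is constructed from the post.
import re

IPSEC_CONF = """\
config setup
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/16

conn roadwarrior-with-cert-test
        authby=rsasig
        leftsubnet=10.10.10.0/24
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
"""

# NCP client profile as described in the post (constructed).
NCP_CLIENT = {"ike_auth": "rsasig", "xauth": True,
              "remote_net": "10.10.10.0/24", "behind_nat": True}


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for 'config' and 'conn' sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        m = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if m:                                      # section header
            current = sections.setdefault(m.group(2), {})
        elif current is not None and "=" in line:  # key=value inside a section
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    return sections


def check_conn(conf, conn_name, client):
    """List mismatches between a conn and the client profile (empty = consistent)."""
    setup, conn, findings = conf.get("setup", {}), conf[conn_name], []
    if conn.get("authby") != client["ike_auth"]:
        findings.append("authby does not match client IKE policy")
    if client["xauth"] and conn.get("leftxauthserver") != "yes":
        findings.append("client uses XAUTH but conn has no leftxauthserver=yes")
    if conn.get("leftsubnet") != client["remote_net"]:
        findings.append("leftsubnet differs from client's remote network")
    if client["behind_nat"] and setup.get("nat_traversal") != "yes":
        findings.append("nat_traversal is not enabled")
    return findings
```

Running check_conn(parse_ipsec_conf(IPSEC_CONF), "roadwarrior-with-cert-test", NCP_CLIENT) reports only the XAUTH finding for this configuration.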
