[Openswan Users] I can´t ping my private network
Paul Wouters
paul at xelerance.com
Wed Dec 6 12:21:33 EST 2006
On Wed, 6 Dec 2006, Fabio Ferreira wrote:
> Dec 6 14:33:08 frwmarkway pluto[650]: Using Linux 2.6 IPsec interface code on 2.6.18-1.2239.fc5
> Dec 6 14:33:08 frwmarkway pluto[650]: Changing to directory '/etc/ipsec.d/cacerts'
> Dec 6 14:33:08 frwmarkway pluto[650]: loaded CA cert file 'cacert.pem' (3129 bytes)
> Dec 6 14:33:08 frwmarkway pluto[650]: Changing to directory '/etc/ipsec.d/crls'
> Dec 6 14:33:08 frwmarkway pluto[650]: loaded crl file 'crl.pem' (495 bytes)
> Dec 6 14:33:08 frwmarkway pluto[650]: crl issuer cacert not found for (file:///etc/ipsec.d/crls/crl.pem)
Looks like that crl does not belong to the cacert. I hope the gateway cert *does* belong to the cacert?
> Dec 6 14:33:09 frwmarkway pluto[650]: loaded host cert file '/etc/ipsec.d/certs/secreto.pem' (3061 bytes)
> Dec 6 14:33:09 frwmarkway pluto[650]: added connection description "roadwarrior_secreto"
Is this conn an X.509 conn? I think it is misleadingly named" secreto"?
> Dec 6 14:33:09 frwmarkway pluto[650]: loaded private key file '/etc/ipsec.d/private/secreto.key' (963 bytes)
Check with ipsec auto --listall to see if the certificates are all okay.
> Dec 6 14:43:35 frwmarkway pluto[650]: "roadwarrior_secreto"[1] 201.5.8.142 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Dec 6 14:43:35 frwmarkway pluto[650]: "roadwarrior_secreto"[1] 201.5.8.142 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Dec 6 14:43:36 frwmarkway pluto[650]: "roadwarrior_secreto"[1] 201.5.8.142 #1: next payload type of ISAKMP Hash Payload has an unknown value: 152
This happens when Windows and openswan do not agree on something. Windows mistakingly sends a crypted message.
> 12-06: 15:00:01:187:aac Source IP Address 201.5.8.142 Source IP Address Mask 255.255.255.255 Destination IP Address 200.150.147.244 Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr 201.5.8.142 IKE Peer Addr 200.150.147.244
> 12-06: 15:00:01:187:aac Certificate based Identity. Peer Subject Peer SHA Thumbprint 0000000000000000000000000000000000000000 Peer Issuing Certificate Authority Root Certificate Authority My Subject C=BR, S=RJ, L=RJ, O=markway, CN=secreto My SHA Thumbprint 48cf1d9ab784752beb668bad71b709a4a8c6b80f Peer IP Address: 200.150.147.244
> 12-06: 15:00:01:187:aac Me
> 12-06: 15:00:01:187:aac IKE failed to find valid machine certificate
> 12-06: 15:00:01:187:aac constructing ISAKMP Header
> 12-06: 15:00:01:187:aac constructing HASH (null)
> 12-06: 15:00:01:187:aac constructing NOTIFY 28
> 12-06: 15:00:01:187:aac constructing HASH (Notify/Delete)
the message openswan cannot read is "kill the connection, we cannot go on".
> conn roadwarrior_secreto
> leftsubnet=192.168.1.0/255.255.255.0
> left=200.150.147.244
> leftnexthop=200.150.147.241
> leftcert=secreto.pem
> right=%any
> esp = 3DES-SHA1
> ikelifetime = 900m
> auto=add
> pfs=yes
Try pfs=no, since windows does not support pfs.
Make sure your certificate is imported in the right way on windows. Use certimport.exe
Don't double click the p12 file.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list