[Openswan Users] I can´t ping my private network
Fabio Ferreira
fabio.ferreira at markway.com.br
Thu Dec 7 12:43:16 EST 2006
Paul,
I think the problem can be in my private key.
I have these 4 files in the misc directory: crl.pem, newcert.pem, newkey.pem, newreq.pem. What do I need to do to make the .P12 certificate?
Thanks,
Fabio
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Wednesday, December 06, 2006 2:22 PM
To: Fabio Ferreira
Cc: users at openswan.org
Subject: RE: [Openswan Users] I can´t ping my private network
On Wed, 6 Dec 2006, Fabio Ferreira wrote:
> Dec 6 14:33:08 frwmarkway pluto[650]: Using Linux 2.6 IPsec interface code on 2.6.18-1.2239.fc5
> Dec 6 14:33:08 frwmarkway pluto[650]: Changing to directory '/etc/ipsec.d/cacerts'
> Dec 6 14:33:08 frwmarkway pluto[650]: loaded CA cert file 'cacert.pem' (3129 bytes)
> Dec 6 14:33:08 frwmarkway pluto[650]: Changing to directory '/etc/ipsec.d/crls'
> Dec 6 14:33:08 frwmarkway pluto[650]: loaded crl file 'crl.pem' (495 bytes)
> Dec 6 14:33:08 frwmarkway pluto[650]: crl issuer cacert not found for (file:///etc/ipsec.d/crls/crl.pem)
Looks like that crl does not belong to the cacert. I hope the gateway cert *does* belong to the cacert?
> Dec 6 14:33:09 frwmarkway pluto[650]: loaded host cert file '/etc/ipsec.d/certs/secreto.pem' (3061 bytes)
> Dec 6 14:33:09 frwmarkway pluto[650]: added connection description "roadwarrior_secreto"
Is this conn an X.509 conn? I think it is misleadingly named "secreto"?
> Dec 6 14:33:09 frwmarkway pluto[650]: loaded private key file '/etc/ipsec.d/private/secreto.key' (963 bytes)
Check with ipsec auto --listall to see if the certificates are all okay.
> Dec 6 14:43:35 frwmarkway pluto[650]: "roadwarrior_secreto"[1] 201.5.8.142 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Dec 6 14:43:35 frwmarkway pluto[650]: "roadwarrior_secreto"[1] 201.5.8.142 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Dec 6 14:43:36 frwmarkway pluto[650]: "roadwarrior_secreto"[1] 201.5.8.142 #1: next payload type of ISAKMP Hash Payload has an unknown value: 152
This happens when Windows and openswan do not agree on something. Windows mistakenly sends a crypted message.
> 12-06: 15:00:01:187:aac Source IP Address 201.5.8.142 Source IP Address Mask 255.255.255.255 Destination IP Address 200.150.147.244 Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr 201.5.8.142 IKE Peer Addr 200.150.147.244
> 12-06: 15:00:01:187:aac Certificate based Identity. Peer Subject Peer SHA Thumbprint 0000000000000000000000000000000000000000 Peer Issuing Certificate Authority Root Certificate Authority My Subject C=BR, S=RJ, L=RJ, O=markway, CN=secreto My SHA Thumbprint 48cf1d9ab784752beb668bad71b709a4a8c6b80f Peer IP Address: 200.150.147.244
> 12-06: 15:00:01:187:aac Me
> 12-06: 15:00:01:187:aac IKE failed to find valid machine certificate
> 12-06: 15:00:01:187:aac constructing ISAKMP Header
> 12-06: 15:00:01:187:aac constructing HASH (null)
> 12-06: 15:00:01:187:aac constructing NOTIFY 28
> 12-06: 15:00:01:187:aac constructing HASH (Notify/Delete)
The message openswan cannot read is "kill the connection, we cannot go on".
> conn roadwarrior_secreto
>     leftsubnet=192.168.1.0/255.255.255.0
>     left=200.150.147.244
>     leftnexthop=200.150.147.241
>     leftcert=secreto.pem
>     right=%any
>     esp = 3DES-SHA1
>     ikelifetime = 900m
>     auto=add
>     pfs=yes
Try pfs=no, since Windows does not support pfs.
Make sure your certificate is imported in the right way on Windows. Use certimport.exe.
Don't double click the p12 file.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
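
Added example, not part of the original messages: a shell sketch that checks the points raised in this thread (does the private key match the certificate, is the certificate issued by the CA, is the CRL signed by that CA) before bundling the files into a PKCS#12 file with openssl. The input file names follow the thread; the output name secreto.p12, the function names and the P12_PASS environment variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. secreto.p12 is an assumed output name.
# Usage: sh make_p12.sh newcert.pem newkey.pem cacert.pem secreto.p12 [crl.pem]

# True when the certificate and the private key contain the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate verifies against the CA file.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# True when the CRL signature verifies against the CA file.
# The output is checked because the exit status alone is not a reliable signal here.
crl_signed_by_ca() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# Run the checks, then export certificate + key + CA certificate as PKCS#12.
make_p12() {
    cert=$1 key=$2 ca=$3 out=$4 crl=${5:-}
    cert_matches_key "$cert" "$key" || { echo "key does not match $cert" >&2; return 1; }
    cert_chains_to_ca "$cert" "$ca" || { echo "$cert is not issued by $ca" >&2; return 1; }
    if [ -n "$crl" ] && ! crl_signed_by_ca "$crl" "$ca"; then
        echo "warning: $crl is not signed by $ca" >&2
    fi
    # P12_PASS (assumed variable) supplies the export password non-interactively;
    # when it is unset, openssl prompts for it. An encrypted key prompts as well.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
        -out "$out" ${P12_PASS+-passout env:P12_PASS}
}

if [ "$#" -ge 4 ]; then
    make_p12 "$@"
fi
```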