[Openswan Users] linux box <> WinXP/SP2 problem (NAT-T, LTPD)
Radek Antoniuk
R.Antoniuk at pixel.com.pl
Fri Jan 13 11:40:25 CET 2006
Hello,
I have a problem with setting up a certificate tunnel with Openswan (2.4.5dr3 & 2.6.15) with MS WinXP/SP2.
I have read the instructions at http://www.natecarlson.com/linux/ipsec-x509.php and I think it is a certificate problem, but I'm not sure, in fact.
I have made and signed both of the certificates, but Openswan seems not to like the one presented by WinXP.
And an additional question: what L2TPD do you use? Because the www.ltpd.org site is now down.
I have switched to rp-l2tp-0.4. Any other useful daemons? Does anybody have a working example with this daemon? (NAT-T is required.)
And the last question: is there any native method of authentication with One Time Passwords like PSKs? Or only by using some 'external' ideas like RADIUS or something?
In short, what I have:
My ipsec.conf:
version 2

conn l2tp-X.509
    authby=rsasig
    pfs=no
    auto=add
    rekey=no
    left=%defaultroute
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/gate.cert
    leftprotoport=17/1701
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnet=vhost:%priv,%no

include /etc/ipsec.d/examples/no_oe.conf
.:
total 32
drwxr-xr-x 2 root root 4096 2006-01-09 22:27 aacerts
drwxr-xr-x 2 root root 4096 2006-01-12 02:54 cacerts
drwxr-xr-x 2 root root 4096 2006-01-12 02:55 certs
drwxr-xr-x 2 root root 4096 2006-01-09 22:27 crls
drwxr-xr-x 2 root root 4096 2006-01-09 22:27 examples
drwxr-xr-x 2 root root 4096 2006-01-09 22:27 ocspcerts
drwxr-xr-x 2 root root 4096 2006-01-09 22:27 policies
drwx------ 2 root root 4096 2006-01-12 02:55 private
./aacerts:
total 0
./cacerts:
total 4
-rw-r--r-- 1 root root 3101 2006-01-12 02:50 cacert.pem
./certs:
total 4
-rw-r--r-- 1 root root 3169 2006-01-12 02:51 gate.cert
./crls:
total 0
./examples:
total 20
-rwxr-xr-x 1 root root 957 2006-01-09 22:27 l2tp-cert.conf
-rwxr-xr-x 1 root root 892 2006-01-09 22:27 l2tp-cert-orgWIN2KXP.conf
-rwxr-xr-x 1 root root 825 2006-01-09 22:27 l2tp-psk.conf
-rwxr-xr-x 1 root root 803 2006-01-09 22:27 l2tp-psk-orgWIN2KXP.conf
-rwxr-xr-x 1 root root 397 2006-01-09 22:27 no_oe.conf
./ocspcerts:
total 0
./policies:
total 20
-rwxr-xr-x 1 root root 235 2006-01-09 22:27 block
-rwxr-xr-x 1 root root 240 2006-01-09 22:27 clear
-rwxr-xr-x 1 root root 357 2006-01-09 22:27 clear-or-private
-rwxr-xr-x 1 root root 252 2006-01-09 22:27 private
-rwxr-xr-x 1 root root 512 2006-01-09 22:27 private-or-clear
./private:
total 4
-rw-r--r-- 1 root root 963 2006-01-12 02:51 gate.key
Auth.log
Jan 12 03:21:34 fufu pluto[6533]: packet from 193.16.255.138:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 12 03:21:34 fufu pluto[6533]: packet from 193.16.255.138:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 12 03:21:34 fufu pluto[6533]: packet from 193.16.255.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jan 12 03:21:34 fufu pluto[6533]: packet from 193.16.255.138:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: responding to Main Mode from unknown peer 193.16.255.138
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: next payload type of ISAKMP Hash Payload has an unknown value: 239
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: malformed payload in packet
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: sending notification PAYLOAD_MALFORMED to 193.16.255.138:500
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: byte 2 of ISAKMP Hash Payload must be zero, but is not
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: malformed payload in packet
Thank you in advance,
Radek
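A triage script for the pluto log excerpt above, added here as an example; it is not code from the poster or from the Openswan project. Two things in the log are worth checking before suspecting the certificates: pluto reports that the Windows peer offered NAT-T ("received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] ... but port floating is off"), which is how Openswan logs a peer requesting NAT-T when NAT-T is not enabled in its own `config setup` (`nat_traversal=yes`), and the posted ipsec.conf shows no `config setup` section at all; and the PAYLOAD_MALFORMED notification is sent right after pluto reached STATE_MAIN_R2, i.e. while it was waiting for the peer's MI3, so the failure is in parsing that message rather than in verifying a certificate. The script groups lines by IKE SA, records the Main Mode state path, collects the Vendor IDs the peer sent and emits these two findings. The sample log is constructed from the posted lines; the regular expressions assume the standard syslog/pluto line layout shown in the post.

```python
"""Triage an Openswan (pluto) auth.log excerpt.

Added example for this thread, not the poster's or Openswan's code.
Groups pluto lines by IKE SA, tracks Main Mode state transitions, collects
peer Vendor IDs, and flags NAT-T-offered-but-disabled and PAYLOAD_MALFORMED.
"""
import re
from collections import defaultdict

# Constructed sample: the posted auth.log, one log record per line.
SAMPLE_LOG = """\
Jan 12 03:21:34 fufu pluto[6533]: packet from 193.16.255.138:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 12 03:21:34 fufu pluto[6533]: packet from 193.16.255.138:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 12 03:21:34 fufu pluto[6533]: packet from 193.16.255.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jan 12 03:21:34 fufu pluto[6533]: packet from 193.16.255.138:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: responding to Main Mode from unknown peer 193.16.255.138
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: next payload type of ISAKMP Hash Payload has an unknown value: 239
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: malformed payload in packet
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: sending notification PAYLOAD_MALFORMED to 193.16.255.138:500
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: byte 2 of ISAKMP Hash Payload must be zero, but is not
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: malformed payload in packet
"""

# syslog prefix + "pluto[pid]: " + message body (assumed layout, as in the post)
PLUTO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<body>.*)$")
# per-SA body: "conn"[instance] peer #sa: msg
SA_RE = re.compile(r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
# pre-SA body: packet from peer:port: msg
PKT_RE = re.compile(r"^packet from (?P<peer>[^:]+):(?P<port>\d+): (?P<msg>.*)$")
TRANS_RE = re.compile(r"transition from state (?P<src>\S+) to state (?P<dst>\S+)")
VID_RE = re.compile(r"Vendor ID payload \[(?P<vid>[^\]]+)\]")


def parse_line(line):
    """Return {peer, conn, sa, msg} for a pluto line, or None for anything else."""
    m = PLUTO_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    sa = SA_RE.match(body)
    if sa:
        return {"peer": sa.group("peer"), "conn": sa.group("conn"),
                "sa": int(sa.group("sa")), "msg": sa.group("msg")}
    pk = PKT_RE.match(body)
    if pk:
        return {"peer": pk.group("peer"), "conn": None, "sa": None, "msg": pk.group("msg")}
    return {"peer": None, "conn": None, "sa": None, "msg": body}


def triage(log_text):
    """Return (findings, states, vendor_ids) for a block of pluto log text."""
    findings = []
    states = defaultdict(list)      # (conn, sa) -> ordered list of states reached
    vendor_ids = defaultdict(list)  # peer address -> Vendor IDs it sent
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        msg, peer = ev["msg"], ev["peer"]
        vid = VID_RE.search(msg)
        if vid:
            vendor_ids[peer].append(vid.group("vid"))
        if "port floating is off" in msg:
            # Peer advertised NAT-T but pluto will not float to UDP/4500:
            # NAT-T is disabled on the responder ('config setup' nat_traversal).
            findings.append({"kind": "natt-disabled", "peer": peer, "sa": None,
                             "detail": "peer offered NAT-T but port floating is off; "
                                       "check nat_traversal=yes in 'config setup'"})
        if ev["sa"] is None:
            continue
        key = (ev["conn"], ev["sa"])
        t = TRANS_RE.search(msg)
        if t:
            if not states[key]:
                states[key].append(t.group("src"))
            states[key].append(t.group("dst"))
        if "PAYLOAD_MALFORMED" in msg:
            last = states[key][-1] if states[key] else "unknown"
            findings.append({"kind": "malformed-payload", "peer": peer, "sa": ev["sa"],
                             "detail": f"peer message rejected while responder was in {last}; "
                                       "parsing failed before any certificate check"})
    return findings, dict(states), dict(vendor_ids)


def summarize(log_text):
    """One report line per SA state path, per peer Vendor ID list, per finding."""
    findings, states, vids = triage(log_text)
    out = [f"{conn} #{sa}: " + " -> ".join(path) for (conn, sa), path in states.items()]
    out += [f"{peer} vendor IDs: {', '.join(ids)}" for peer, ids in vids.items()]
    out += [f"[{f['kind']}] peer={f['peer']} sa={f['sa']}: {f['detail']}" for f in findings]
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To use it on a real log, pass the contents of auth.log (or the output of `grep pluto /var/log/auth.log`) to `summarize()`; lines that are not pluto records are skipped. The "natt-disabled" finding is a configuration check, not proof of the root cause, but with a NAT-T client and no `config setup` in the posted configuration it is the first thing to rule out.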