[Openswan Users] Windows Xp client to openswan
Can Akalin
canakalin77 at gmail.com
Thu Mar 16 12:10:59 CET 2006
Hello again Paul,
Yes, I have checked the IPSec service and it is running at the windows box. I
also checked the linux box by
#ipsec verify
command and everything looks fine too.
Here is my work and test LAN so that you can have a better understanding of
my network;
Windows XP SP2 machine            Gateway router                    Suse Linux 2.6.13, Openswan 2.4.0
192.168.1.68 ------------------- 192.168.1.55 | 10.10.10.1 ------------------- 10.10.10.10
UDP 500 open
As you said, I have used 10.10.10.10 and 10.10.10.0 at Private
Address/Network Mask part in lsipsectool. Here are the log files from
lsipsectool and Windows;
>>>>>>>>> A trial with 10.10.10.10 as Remote Network Address <<<<<<<<<
ipsectool log FILE IS;
11:18:05: Starting Tunnel
11:18:05: IKE Encryption: 3des
IKE Integrity: md5
Remote Gateway Address: 192.168.1.55
Remote Monitor Address: 10.10.10.10
Remote Network: 10.10.10.10/255.255.255.0
Local Address: 192.168.1.68
Local Network: 192.168.1.68/255.255.255.255
11:18:46: 15 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...
11:19:28: 30 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...
11:19:29: Stoping Tunnel
WINDOWS log FILE FOR THIS IS;
IPSec Services: PAStore Engine failed to apply some rules of the active
IPSec policy "x4 {30a70c2c-180f-46b6-9f33-46c26bb6c0de}" on the machine with
error code: The parameter is incorrect.
. Please run IPSec monitor snap-in to further diagnose the problem.
AND ANOTHER LOG FILE FOR THIS THAT WINDOWS CREATED IS;
IPSec Services: PAStore Engine failed to apply local registry storage IPSec
policy on the machine for "x4 {9f30c367-b7b3-44d2-9d8f-9bdab4c709ae}" with
error code: The parameter is incorrect.
>>>>>>>>> Another trial with 10.10.10.0 as Remote Network Address <<<<<<<<<
ipsectool log FILE IS;
11:24:22: Starting Tunnel
11:24:23: IKE Encryption: 3des
IKE Integrity: md5
Remote Gateway Address: 192.168.1.55
Remote Monitor Address: 10.10.10.10
Remote Network: 10.10.10.0/255.255.255.0
Local Address: 192.168.1.68
Local Network: 192.168.1.68/255.255.255.255
11:24:24: 15 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...
11:24:29: 30 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...
11:24:34: 45 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...
11:24:36: Stoping Tunnel
WINDOWS log FILE FOR THIS IS;
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)
Filter:
Source IP Address 192.168.1.68
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.1.55
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.1.68
IKE Peer Addr 192.168.1.55
Peer Identity:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject C=CA, S=Ontario, O=Springboard Retail Networks Inc., CN=laptop,
E=laptop at springboardnetworks.com
My SHA Thumbprint 9f120fd256be49e28c1df547aef9a1256ebef09e
Peer IP Address: 192.168.1.55
Failure Point:
Me
Failure Reason:
New policy invalidated SAs formed with old policy
And, how do I check the log file for openswan at the linux box? There is
not a file called "security" at /var/log at the linux box as I read
somewhere.
Thank you
Can Akalin
On 3/15/06, Paul Wouters <paul at xelerance.com> wrote:
>
> On Wed, 15 Mar 2006, Can Akalin wrote:
>
> > I installed lsipsectool.exe and used it. The result was not a success.
> I am
> > gonna paste the log file below. Before that, I have a few questions;
>
> Odd.
>
> > 1. At the GUI of lsipsectool.exe, under the Remote Side of the
> Tunnel,
> > I put the IP address of the gateway which is 192.168.1.55. But I am
> > confused with Remote Internal IP and Private Address/Network Mask
> part. I
> > put 10.10.10.10 for both of them which is linux box's IP address
> > within that LAN behind the gateway. Is that correct?
>
> Yes. The reason for that option is that Microsoft IPsec only initiates the
> tunnel when there is traffic for it. Just like you need to "ping" first
> after the ipsec.exe command ran before you see "Negotiating IPsec
> security".
> The lsipsectool uses that internal IP to sent a ping when you click on
> bringing
> the connection up.
>
> > 2. At the IPSec Options windows, I selected Certificate as an
> > Authentication Method and write the challange password below which I
> was
> > asked when I created the certificate at CA in linux box.For the
> > Proto/Encryption/Integrity part I did not change the default
> settings, which
> > are ESP/3DES/MD5. Should I change them? If so, to what values I
> should
> > change them?
>
> No you shouldn't need to.
>
> > Remote Gateway Address: 192.168.1.55
> > Remote Monitor Address: 10.10.10.10
> > Remote Network: 10.10.10.10/255.255.255.0
>
> Can you try 10.10.10.0/255.255.255.0 instead?
>
> > IPSec Services: PAStore Engine failed to apply some rules of the active
> > IPSec policy "x4 {0529745e-57f5-4c99-adc9-951d9c14a149}" on the machine
> with
> > error code: The parameter is incorrect.
> >
> > . Please run IPSec monitor snap-in to further diagnose the problem
>
> Check in the administration tools/services to see if the IPsec service is
> running? Some other clients (I believe ncp/astaro) might turn it off when
> you install their software, but do not re-enable them.
>
> Paul
>
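The two lsipsectool excerpts above differ only in the "Remote Network" line, and Paul's suggestion to use 10.10.10.0/255.255.255.0 instead of 10.10.10.10/255.255.255.0 is really a request to give the policy a proper network address. The following is an added example, not code from the thread, from lsipsectool or from Openswan: it parses "Key: value" lines in the format the mail shows (the sample input is constructed from the two trials) and applies the checks a reviewer would do by hand before loading such a tunnel definition into a policy store. The check names and thresholds are the example's own assumptions, not anything the tool documents.

```python
"""Sanity-check tunnel parameters printed in lsipsectool-style log lines.

Added example for the thread above; not part of lsipsectool or Openswan.
"""
import ipaddress
import re

# Constructed from the first trial in the mail (timestamps kept on purpose so
# the parser is shown skipping them).
TRIAL_1 = """\
11:18:05: Starting Tunnel
11:18:05: IKE Encryption: 3des
IKE Integrity: md5
Remote Gateway Address: 192.168.1.55
Remote Monitor Address: 10.10.10.10
Remote Network: 10.10.10.10/255.255.255.0
Local Address: 192.168.1.68
Local Network: 192.168.1.68/255.255.255.255
"""

# The second trial, as Paul suggested: only the Remote Network line changes.
TRIAL_2 = TRIAL_1.replace("10.10.10.10/255.255.255.0", "10.10.10.0/255.255.255.0")

# A 'Key: value' line that starts with a letter; timestamped lines
# ("11:18:05: ...") begin with a digit and are therefore not matched.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\S+)\s*$", re.MULTILINE)


def parse_tunnel_params(log: str) -> dict:
    """Collect the 'Key: value' lines of a log excerpt into a dict."""
    return {m.group(1).strip(): m.group(2) for m in FIELD_RE.finditer(log)}


def check_tunnel_params(params: dict) -> list:
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []

    # 1. The remote network must be a network address (host bits all zero).
    #    ipaddress raises ValueError in strict mode when host bits are set.
    net_str = params["Remote Network"]
    try:
        remote_net = ipaddress.ip_network(net_str, strict=True)
    except ValueError:
        remote_net = ipaddress.ip_network(net_str, strict=False)
        findings.append(
            f"Remote Network {net_str} has host bits set; use {remote_net}"
        )

    # 2. The monitor address (the host that gets pinged to trigger the
    #    tunnel) must lie inside the remote network, or the ping never
    #    matches the policy.
    monitor = ipaddress.ip_address(params["Remote Monitor Address"])
    if monitor not in remote_net:
        findings.append(f"Remote Monitor Address {monitor} is outside {remote_net}")

    # 3. The gateway itself is reached in the clear, so it must not sit
    #    inside the protected remote network.
    gateway = ipaddress.ip_address(params["Remote Gateway Address"])
    if gateway in remote_net:
        findings.append(f"Remote Gateway Address {gateway} lies inside {remote_net}")

    # 4. Local and remote selectors must not overlap.
    local_net = ipaddress.ip_network(params["Local Network"], strict=False)
    if local_net.overlaps(remote_net):
        findings.append(f"Local Network {local_net} overlaps {remote_net}")

    return findings


if __name__ == "__main__":
    for name, log in (("trial 1", TRIAL_1), ("trial 2", TRIAL_2)):
        result = check_tunnel_params(parse_tunnel_params(log))
        print(name, "->", result or "no findings")
```

Run stand-alone, the first trial produces one finding (host bits set in 10.10.10.10/255.255.255.0, normalised to 10.10.10.0/24) and the second trial produces none; the remaining checks are there because the same mistake in the monitor, gateway or local selector fails just as silently from the Windows side.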