[Openswan Users] Windows Xp client to openswan

Can Akalin canakalin77 at gmail.com
Fri Mar 17 16:42:40 CET 2006


Hi Paul,

I have restarted the IPsec services on both Windows and Linux with

#ipsec setup restart
on Linux, and C:\>net stop policyagent and C:\>net start policyagent on Windows.

And then I tried to make the connection again. Unfortunately it did not work.
All the log files are the same, so there is no need to post the log files
again.

But as you can see below, the Linux log file at /var/log/messages gave some
errors. It seems that there is something wrong with lines 21 and 25 of
the /etc/ipsec.secrets file. I copied the ipsec.secrets file below. In case
it helps, I also posted the /etc/ipsec.conf as well.

Could you please take a look at it and tell me what is wrong?

One other question that I have is, according to the Windows event viewer,

IKE security association established.
 Mode:
Key Exchange Mode (Main Mode)

AND

IKE security association established.
 Mode:
Data Protection Mode (Quick Mode)

How come then there is no connection yet?

I was also wondering if it is possible for someone to post log files for a
running Openswan VPN connection between a Linux box and a Windows client
based on X.509 certificates. It might help to learn the steps that are taken
with a successful connection.


I really appreciate all the help I am getting from Paul and possible
future responders.


Thank you

Can Akalin



>>>>>>>>>>>>>>>LOG FILE FROM LINUX MACHINE /var/log/messages<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
...
Mar 17 15:41:08 linuxserver pluto[6715]: loading secrets from "/etc/ipsec.secrets"
Mar 17 15:41:08 linuxserver pluto[6715]: "/etc/ipsec.secrets" line 21: malformed end of RSA private key -- indented '}' required
Mar 17 15:41:08 linuxserver pluto[6715]: ERROR "/etc/ipsec.secrets" line 21: index "}" illegal (non-DNS-name) character in name
Mar 17 15:41:08 linuxserver pluto[6715]: "/etc/ipsec.secrets" line 25: unexpected end of id list
Mar 17 15:41:08 linuxserver pluto[6715]:   loaded private key file '/etc/ipsec.d/private/host.example.com.key' (1728 bytes)
Mar 17 15:41:08 linuxserver ipsec__plutorun: 003 "/etc/ipsec.secrets" line 21: malformed end of RSA private key -- indented '}' required
Mar 17 15:41:08 linuxserver ipsec__plutorun: 003 ERROR "/etc/ipsec.secrets" line 21: index "}" illegal (non-DNS-name) character in name
Mar 17 15:41:08 linuxserver ipsec__plutorun: 003 "/etc/ipsec.secrets" line 25: unexpected end of id list
Mar 17 16:01:36 linuxserver pluto[6715]: packet from 192.168.1.76:500: ignoring
...




>>>>>>>>>>>>>/etc/ipsec.secrets<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<



# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.
#
# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA {
 # RSA 2048 bits   linuxserver   Mon Mar 13 10:54:17 2006
 # for signatures only, UNSAFE FOR ENCRYPTION
 #pubkey=0sAQO1BQlk3q4J5+6gd/17HH3Osm9oOs6YPUiFTPfnHwBmI/O0/dAHruDB6ZQwvN0CIBXXavCFlOaO4nCabM0czn9J+COhYG0DDUn43ERPUN+bKWM6c5OpsIo0KfXNQlILetSLPRlzqYxz8Cu337mL/i8W8sazEVkl04g3dB3ORx6/CaQHfVtRvC02hMo06tT8QEU3osdnbRtWQWjcUDC/4SAeb1VjCbzDPvnvmLONRfPSePrxJdKm1upRnNVGbJNWeqpW56EbuYeFKlTYj7/pOSAFrJtKHeL02JS1hbqKxsyKQ2Hch5S7m2YErRmgZGPciXUGna/9s6tt4oI+m5eQl2+1
 Modulus:
 ...
 PublicExponent: 0x03
 # everything after this point is secret
 PrivateExponent:
 ...
 Prime1:
0xe29d68594c89a3ffd246a569d0f0636fc538ec281faa0dab9694008f3b6555feb97ce3e66e8195016b5128460c54aa00d4002bd82e17f2016f6631d794ec755fbea2ff8fc38a1b214d87f811cdd3f37de82c96d00a444d48bb922950f1e36f3b291d85a90638ba6a4869d6170c991bdf7cfe35df93985b823a8289e91ffcde41
 Prime2:
0xcc7e12f0f06d96d740eaf93b04f5a61980156a9a0ab7413eee529dfb3c9461460b565f0fda9ead57965578fe28cb915a79fb8f647e85b09596162e1168236fbcc31fe6657419498ce947b5fbcd0e9c6e316043733012f88a4b74c90b6736940110cc9f508ab67c9fe7134ee4c9f8e9ac362a60d1aaf2e65482fc6ea90d86dc75
 Exponent1:
0x97139ae633066d5536d9c39be0a0424a837b481abfc6b3c7b9b8005f7cee39547ba897eef4566356478b702eb2e31c008d5572901ebaa1564a44213a63484e3fd46caa5fd7b1676b8905500bde8d4cfe9ac8648ab182de307d0c1b8b4becf4d21b6903c60425d19c30468eba08661294fdfece950d103d017c57069b6aa8942b
 Exponent2:
0x88540ca0a0490f3a2b4750d2034e6ebbaab8f1bc0724d629f43713fcd30d962eb23994b53c69c8e50ee3a5fec5dd0b91a6a7b4eda9ae75b90eb9740b9ac24a7dd76a9998f810dbb3462fcea7de09bd9ecb95824ccab7505c324ddb5cef79b800b5ddbf8b0724531544b789eddbfb4672cec6eb3671f744385752f470b3af3da3
 Coefficient:
0x2d291976cf82e845bf708e8c4b0ac5fcaa8f954c47be1410e6c8ea6fb2ed5651df0d054b97d2ad83bfa87383c8ffd607b3072266bbceaaea9647a1bb55499b2a17b7d34ff76e92210fffba811cca9988d43c9b8448376e5d97ca47714247250d093edf726ce8aa9dc1a5b7b3b66d0e938669d4ca935f40af8c4b9b441c148661
}

# do not change the indenting of that "}"

: RSA host.example.com.key "123ABC"

>>>>>>>>>>>>>>>>>>>>>>>/etc/ipsec.conf<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.1 2005/07/26 12:28:39 ken Exp $

# This file:  /usr/share/doc/packages/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
 # plutodebug / klipsdebug = "all", "none" or a combination from below:
 # "raw crypt parsing emitting control klips pfkey natt x509 private"
 # eg:
 # plutodebug="control parsing"
 #
 # Only enable klipsdebug=all if you are a developer
 #
 # NAT-TRAVERSAL support, see README.NAT-Traversal
 # nat_traversal=yes
 # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
 #
 # Certificate Revocation List handling:
 #crlcheckinterval=600
 #strictcrlpolicy=yes
 #
 # Change rp_filter setting? (default is 0, disabled)
 # See also setting in the /etc/sysctl.conf file!
 #rp_filter=%unchanged
 #
 # Workaround to setup all tunnels immediately, since the new default
 # of "plutowait=no" causes "Resource temporarily unavailable" errors
 # for the first connect attempt over each tunnel, that is delayed to
 # be established later / on demand.
 #
 plutowait=yes
 interfaces=%defaultroute
 nat_traversal=yes
 virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

# default settings for connections
conn %default
 # keyingtries default to %forever
 keyingtries=1
 compress=yes
 disablearrivalcheck=no
 authby=rsasig
 # Sig keys (default: %dnsondemand)
 leftrsasigkey=%cert
 rightrsasigkey=%cert
 # Lifetimes, defaults are 1h/8hrs
 #ikelifetime=20m
 #keylife=1h
 #rekeymargin=8m

conn roadwarrior-net
 leftsubnet=10.10.10.0/24
 also=roadwarrior

conn roadwarrior
 left=%defaultroute
 leftcert=host.example.com.pem
 right=%any
 rightsubnet=vhost:%no,%priv
 auto=add
 pfs=yes

conn block
 auto=ignore

conn private
 auto=ignore

conn private-or-clear
 auto=ignore

conn clear
 auto=ignore

conn packetdefault
 auto=ignore

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

# Add connections here

# sample VPN connection
# conn sample
#  # Left security gateway, subnet behind it, nexthop toward right.
#  left=10.0.0.1
#  leftsubnet=172.16.0.0/24
#  leftnexthop=10.22.33.44
#  # Right security gateway, subnet behind it, nexthop toward left.
#  right=10.12.12.1
#  rightsubnet=192.168.0.0/24
#  rightnexthop=10.101.102.103
#  # To authorize this connection, but not actually start it,
#  # at startup, uncomment this.
#  #auto=start
