[Openswan Users] Windows Xp client to openswan
Paul Wouters
paul at xelerance.com
Fri Mar 17 22:58:29 CET 2006
On Fri, 17 Mar 2006, Can Akalin wrote:
> But as you can see below, the linux log file at /var/log/messages gave some
> errors. It seems that there is something wrong with the line 21 and 25 of
> the /etc/ipsec.secrets file. I copied the ipsec.secrets file below. In case
> it helps, I also posted the /etc/ipsec.conf as well.
Oh. those werent in the logs before?
> malformed end of RSA private key -- indented '}' required
>
> Mar 17 15:41:08 linuxserver pluto[6715]: ERROR "/etc/ipsec.secrets" line 21:
> index "}" illegal (non-DNS-name) character in name
Looks like a missing quote or something.
> # with "ipsec showhostkey".
> : RSA {
> # RSA 2048 bits linuxserver Mon Mar 13 10:54:17 2006
> # for signatures only, UNSAFE FOR ENCRYPTION
> #pubkey=0sAQO1BQlk3q4J5+6gd/17HH3Osm9oOs6YPUiFTPfnHwBmI/O0/dAHruDB6ZQwvN0CIBXXavCFlOaO4nCabM0czn9J+COhYG0DDUn43ERPUN+bKWM6c5OpsIo0KfXNQlILetSLPRlzqYxz8Cu337mL/i8W8sazEVkl04g3dB3ORx6/CaQHfVtRvC02hMo06tT8QEU3osdnbRtWQWjcUDC/4SAeb1VjCbzDPvnvmLONRfPSePrxJdKm1upRnNVGbJNWeqpW56EbuYeFKlTYj7/pOSAFrJtKHeL02JS1hbqKxsyKQ2Hch5S7m2YErRmgZGPciXUGna/9s6tt4oI+m5eQl2+1
> Modulus:
> 0xb5050964deae09e7eea077fd7b1c7dceb26f683ace983d48854cf7e71f006623f3b4fdd007aee0c1e99430bcdd022015d76af08594e68ee2709a6ccd1cce7f49f823a1606d030d49f8dc444f50df9b29633a7393a9b08a3429f5cd42520b7ad48b3d1973a98c73f02bb7dfb98bfe2f16f2c6b3115925d38837741dce471ebf09a4077d5b51bc2d3684ca34ead4fc404537a2c7676d1b564168dc5030bfe1201e6f556309bcc33ef9ef98b38d45f3d278faf125d2a6d6ea519cd5466c93567aaa56e7a11bb987852a54d88fbfe9392005ac9b4a1de2f4d894b585ba8ac6cc8a4361dc8794bb9b6604ad19a06463dc8975069daffdb3ab6de2823e9b9790976fb5
> PublicExponent: 0x03
> # everything after this point is secret
> PrivateExponent:
> 0x1e2b8190cfc7ac51527013ff9484bfa27312915f226eb4e16b8cd3fbda801105fdf37fa2abf27acafc435d74cf805aae4e91d2c0ee266d25bd6f12222f77bfe1a95b4590122b2ce1a97a0b628d7a99dc3b3468989c481708b1a8f78b0dac9478c1df843df19768a807494ff441ffb283d3211dd839864dec093e04f7b6851fd6a8d200582e20d30fe844190baa83b3c9fdb8bd70e074568e7b539d9bb6a691799c6b05589345d4c57cfdadb6d82343da477e3c6e545ee149c3e4266b43b66e424e30c9dbc050b014afac259db7b91804432d12a4716f98759d15215d12486bd686a865c4871cb27f14ef69e6c23715fc3893843768dab201f61ff080e5d89e2b
> Prime1:
> 0xe29d68594c89a3ffd246a569d0f0636fc538ec281faa0dab9694008f3b6555feb97ce3e66e8195016b5128460c54aa00d4002bd82e17f2016f6631d794ec755fbea2ff8fc38a1b214d87f811cdd3f37de82c96d00a444d48bb922950f1e36f3b291d85a90638ba6a4869d6170c991bdf7cfe35df93985b823a8289e91ffcde41
> Prime2:
> 0xcc7e12f0f06d96d740eaf93b04f5a61980156a9a0ab7413eee529dfb3c9461460b565f0fda9ead57965578fe28cb915a79fb8f647e85b09596162e1168236fbcc31fe6657419498ce947b5fbcd0e9c6e316043733012f88a4b74c90b6736940110cc9f508ab67c9fe7134ee4c9f8e9ac362a60d1aaf2e65482fc6ea90d86dc75
> Exponent1:
> 0x97139ae633066d5536d9c39be0a0424a837b481abfc6b3c7b9b8005f7cee39547ba897eef4566356478b702eb2e31c008d5572901ebaa1564a44213a63484e3fd46caa5fd7b1676b8905500bde8d4cfe9ac8648ab182de307d0c1b8b4becf4d21b6903c60425d19c30468eba08661294fdfece950d103d017c57069b6aa8942b
> Exponent2:
> 0x88540ca0a0490f3a2b4750d2034e6ebbaab8f1bc0724d629f43713fcd30d962eb23994b53c69c8e50ee3a5fec5dd0b91a6a7b4eda9ae75b90eb9740b9ac24a7dd76a9998f810dbb3462fcea7de09bd9ecb95824ccab7505c324ddb5cef79b800b5ddbf8b0724531544b789eddbfb4672cec6eb3671f744385752f470b3af3da3
> Coefficient:
> 0x2d291976cf82e845bf708e8c4b0ac5fcaa8f954c47be1410e6c8ea6fb2ed5651df0d054b97d2ad83bfa87383c8ffd607b3072266bbceaaea9647a1bb55499b2a17b7d34ff76e92210fffba811cca9988d43c9b8448376e5d97ca47714247250d093edf726ce8aa9dc1a5b7b3b66d0e938669d4ca935f40af8c4b9b441c148661
> }
Note that now you have published your secret key, you should delete it and not use it. I don't think you are using
it (It is only used for openswan-openswan in raw key mode). but please delete this part.
> # do not change the indenting of that "}"
>
> : RSA host.example.com.key "123ABC"
Put this line at the first line in your ipsec.secrets.
And also here, you should probably change the password of your key, since you just mailed it to all of us.
> conn roadwarrior-net
> leftsubnet=10.10.10.0/24
> also=roadwarrior
>
> conn roadwarrior
> left=%defaultroute
> leftcert=host.example.com.pem
> right=%any
> rightsubnet=vhost:%no,%priv
> auto=add
> pfs=yes
btw you need to add rekey=no to conn roadwarrior.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list