[Openswan Users] Windows Xp client to openswan

Can Akalin canakalin77 at gmail.com
Fri Mar 17 17:49:45 CET 2006


Hello,

Thank you for your warning for the secret keys but since I use them in my
totally insulated test LAN, there won't be any harm or issue regarding
security.

Actually, those error messages in the ipsec.secrets file were there before, but I
noticed them only recently and thought they might play a role in the unsuccessful
connection. I added rekey=no to conn roadwarrior in ipsec.conf and moved the

: RSA host.example.com.key "XXXXXXXX"

line to the beginning of the ipsec.secrets file.

After those changes, I still don't have the VPN connection.
The point that I don't understand is that, according to Windows, everything
is all right. It shows in the Event Viewer that SAs are established.

I gotta do a lot of reading this weekend to figure out this issue. I will
write back again.




Best Regards

Can Akalin


On 3/17/06, Paul Wouters <paul at xelerance.com> wrote:
>
> On Fri, 17 Mar 2006, Can Akalin wrote:
>
> > But as you can see below, the linux log file at /var/log/messages gave some
> > errors. It seems that there is something wrong with the line 21 and 25 of
> > the /etc/ipsec.secrets file. I copied the ipsec.secrets file below. In case
> > it helps, I also posted the /etc/ipsec.conf as well.
>
> Oh. Those weren't in the logs before?
>
> > malformed end of RSA private key -- indented '}' required
> >
> > Mar 17 15:41:08 linuxserver pluto[6715]: ERROR "/etc/ipsec.secrets" line 21: index "}" illegal (non-DNS-name) character in name
>
> Looks like a missing quote or something.
>
> > # with "ipsec showhostkey".
> > : RSA {
> >  # RSA 2048 bits   linuxserver   Mon Mar 13 10:54:17 2006
> >  # for signatures only, UNSAFE FOR ENCRYPTION
> > }
>
> Note that now you have published your secret key, you should delete it and
> not use it. I don't think you are using it (it is only used for
> openswan-openswan in raw key mode), but please delete this part.
>
> > # do not change the indenting of that "}"
> >
> > : RSA host.example.com.key "123ABC"
>
> Put this line at the first line in your ipsec.secrets.
> And also here, you should probably change the password of your key, since
> you just mailed it to all of us.
>
> > conn roadwarrior-net
> >  leftsubnet=10.10.10.0/24
> >  also=roadwarrior
> >
> > conn roadwarrior
> >  left=%defaultroute
> >  leftcert=host.example.com.pem
> >  right=%any
> >  rightsubnet=vhost:%no,%priv
> >  auto=add
> >  pfs=yes
>
> btw you need to add rekey=no to conn roadwarrior.
>
> Paul
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>