[Openswan Users] Again... no luck: no connection is known
Arno Lehmann
al at its-lehmann.de
Wed Jul 25 19:34:23 EDT 2007
Hi,
25.07.2007 16:15, Arno Lehmann wrote:
> Hi,
>
> 25.07.2007 15:29, Paul Wouters wrote:
>> On Tue, 24 Jul 2007, Arno Lehmann wrote:
>>
>>> The VPN Gateway has the IP address 172.20.3.100 and it gets forwarded
>>> The VPN Gateway is running Linux Openswan U2.2.0/K2.6.8-24.19-smp (native)
>> Both openswan, and the netkey kernel module are very old and have a lot
>> of known problems. Upgrade.
>
> That's bad news... I will try another machine as VPN gateway. Thanks
> for the hints.
>
>>> In the log, when I try to connect from the Road warrior (Windows
>>> Vista, IPsec/L2TP, certificates and CA certificates installed so it
>>> does trust the VPN gateway) I get:
>> 2.2.0 will surely never work with Vista.
>
> again, bad news, but I'll try a VPN gateway with a more recent OS then.
Ok, I moved the VPN Gateway to a more recent OS version.
Now I'm running into the same problem as in my other thread:
Jul 26 00:51:54 file pluto[31890]: "test"[4] 89.166.148.156 #2: cannot
respond to IPsec SA request because no connection is known for
sta.tic.ipa.ddr/32===172.20.3.110[C=DE, L=..., O=XXXXXX, OU=Network,
CN=VPN Gateway, E=xx at xxxxxx.de]:17/1701...dyn.ami.cip.add[C=DE, L=...,
O=XXXXXX, OU=Network, CN=...,
E=al at its-lehmann.de]:17/1701===192.168.0.88/32
which should, according to the about 3000 web pages I read today,
indicate the connection is not defined properly.
Somewhere there must be a mismatch between what I defined and what
actually happens.
The connection is
config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes
    plutowait=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.20.0.0/16,%v:!4172.20.3.0/24
    fragicmp=yes

conn test
    authby=rsasig
    auto=add
    keyingtries=3
    left=172.20.3.110
    leftnexthop=172.20.3.1
    leftprotoport=17/1701
    leftcert=VPNGW-cert.pem
    leftrsasigkey=%cert
    pfs=no
    rekey=no
    right=%any
    rightprotoport=17/1701
    rightrsasigkey=%cert
    rightsubnet=vhost:%no,%priv
    rightca=%same
As a corresponding test installation works in the LAN, I assume the
certificates are ok, and the problem has to do with NAT traversal.
I think that NAT traversal is done mostly automatically - ports 500 and
4500 are forwarded to the VPN Gateway.
NAT traversal itself is detected: Jul 26 00:51:54 file pluto[31890]:
"test"[3] 89.166.148.156 #2: NAT-Traversal: Result using 3: both are NATed
The peer ID is recognized and the GW sends its own certificate:
Jul 26 00:51:54 file pluto[31890]: "test"[4] 89.166.148.156 #2: I am
sending my cert
Jul 26 00:51:54 file pluto[31890]: "test"[4] 89.166.148.156 #2:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 26 00:51:54 file pluto[31890]: | NAT-T: new mapping
89.166.148.156:500/4500)
Jul 26 00:51:54 file pluto[31890]: "test"[4] 89.166.148.156 #2:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Afterwards, the connection is determined to be undefined.
right=%any
rightsubnet=vhost:%no,%priv
should allow all clients, right? (no pun intended...)
rightrsasigkey=%cert
rightca=%same
And these two lines should be sufficient to authenticate using
certificates that are signed by the same CA.
Some of the examples and hints I found insisted that I give a
leftsubnet= line, but that did not help, nor should it be necessary
since, finally, this IPsec connection will be used by L2TP only.
The missing information: The client is Windows Vista business, the
openswan server versions 2.4.4 (SuSE 10.2 and 10.1 distribution) and
2.4.9 (as downloaded from openswan.org) have been tried.
Any suggestions?
I had assumed that OpenSwan as a VPN Gateway for Windows roadwarriors
would work more or less out of the box, so I'm really astonished that
it takes so long to fix such a straightforward configuration...
Thanks for your help,
Arno
> Arno
>
>> Paul
>
--
Arno Lehmann
IT-Service Lehmann
www.its-lehmann.de
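The post above reasons that "somewhere there must be a mismatch" between the conn definition and the selector pluto prints in the "no connection is known for ..." line. The script below is an added example (not code from the thread or from Openswan) that makes that comparison mechanical: it parses the ipsec.conf excerpt, splits the `virtual_private` list, parses the pluto log line into its four selector components (left subnet, left host and protoport, right host and protoport, right subnet) and reports every component the conn section does not cover. The ipsec.conf and the log line are constructed from the ones in the post; the public addresses 198.51.100.7 and 203.0.113.9 and the DNs are made-up placeholders, while the `virtual_private` value, including the entry `%v:!4172.20.3.0/24`, is copied as it appears in the post.

```python
"""Compare a pluto 'no connection is known' selector against ipsec.conf.
Added diagnostic example; not part of the original thread or of Openswan."""
import ipaddress
import re

# Constructed from the configuration posted in the thread (indentation assumed).
SAMPLE_CONF = """\
config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.20.0.0/16,%v:!4172.20.3.0/24

conn test
    left=172.20.3.110
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%priv
"""

# Constructed log line; public IPs and DNs are placeholders, the shape is pluto's.
SAMPLE_LOG = (
    'Jul 26 00:51:54 file pluto[31890]: "test"[4] 203.0.113.9 #2: cannot respond '
    'to IPsec SA request because no connection is known for '
    '198.51.100.7/32===172.20.3.110[C=DE, O=Example, CN=VPN Gateway]:17/1701'
    '...203.0.113.9[C=DE, O=Example, CN=roadwarrior]:17/1701===192.168.0.88/32'
)

LOG_RE = re.compile(
    r"no connection is known for "
    r"(?P<lsub>\S+)===(?P<lhost>\S+)\[[^\]]*\]:(?P<lpp>\d+/\d+)"
    r"\.\.\.(?P<rhost>\S+)\[[^\]]*\]:(?P<rpp>\d+/\d+)===(?P<rsub>\S+)")


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}}. Unindented lines
    open a section; indented key=value lines belong to the current one."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            kind, _, name = raw.strip().partition(" ")
            current = sections.setdefault(f"{kind} {name}".strip(), {})
        elif current is not None:
            key, _, value = raw.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections


def parse_virtual_private(value):
    """Split virtual_private into (allowed, excluded, malformed) where each
    entry must be %v4:NET, %v4:!NET (or %v6: variants)."""
    allowed, excluded, malformed = [], [], []
    for entry in (e.strip() for e in value.split(",") if e.strip()):
        m = re.fullmatch(r"%v[46]:(!?)(\S+)", entry)
        if not m:
            malformed.append(entry)
            continue
        try:
            net = ipaddress.ip_network(m.group(2), strict=False)
        except ValueError:
            malformed.append(entry)
            continue
        (excluded if m.group(1) else allowed).append(net)
    return allowed, excluded, malformed


def is_private_client(addr, allowed, excluded):
    """%priv semantics: inside an allowed net and outside every excluded net."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in allowed) and not any(ip in n for n in excluded)


def parse_no_connection_line(line):
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 'no connection is known' line")
    return m.groupdict()


def diagnose(conf_text, log_line, conn="test"):
    """List every selector component in the log line that the conn does not match."""
    sections = parse_ipsec_conf(conf_text)
    setup, c = sections.get("config setup", {}), sections[f"conn {conn}"]
    want, findings = parse_no_connection_line(log_line), []
    left = c.get("left")
    leftsubnet = c.get("leftsubnet", f"{left}/32")  # pluto default: left host /32
    if want["lhost"] != left:
        findings.append(f"left host {want['lhost']} != left={left}")
    if want["lsub"] != leftsubnet:
        findings.append(f"left subnet {want['lsub']} != leftsubnet={leftsubnet} (implied)")
    for side in ("l", "r"):
        key = ("left" if side == "l" else "right") + "protoport"
        if want[side + "pp"] != c.get(key):
            findings.append(f"{key}={c.get(key)} does not match {want[side + 'pp']}")
    rsub = c.get("rightsubnet", "")
    if rsub.startswith("vhost:"):
        allowed, excluded, malformed = parse_virtual_private(setup.get("virtual_private", ""))
        for bad in malformed:
            findings.append(f"virtual_private entry {bad!r} is malformed (expected %v4:NET or %v4:!NET)")
        opts = rsub[len("vhost:"):].split(",")
        ok = "%no" in opts and want["rsub"] == f"{want['rhost']}/32"
        ok = ok or ("%priv" in opts and is_private_client(want["rsub"].split("/")[0], allowed, excluded))
        if not ok:
            findings.append(f"right subnet {want['rsub']} not allowed by rightsubnet={rsub}")
    elif want["rsub"] != rsub:
        findings.append(f"right subnet {want['rsub']} != rightsubnet={rsub}")
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print("MISMATCH:", f)
```

With the constructed input the script reports two things: the left subnet pluto was asked for (the gateway's public /32) differs from the `172.20.3.110/32` that `left=` without `leftsubnet=` implies, and the last `virtual_private` entry does not have the `%v4:` form, so it is not applied when `%priv` is evaluated. Whether either of these is the cause on the real system is for the thread to settle; the point of the tool is that each of the four selector components is checked rather than guessed.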