[Openswan Users] Road warrior setup for Windows 7 on OpenSwan 2.4.10

Ronald loloski at yahoo.com
Wed Jan 13 05:18:41 EST 2010



I have a similar setup to yours; the only difference is listed below. In my case OSX/WinXP SP3/Windows 7 is working as it should. I'll attach a config snippet from my production server
for your reference.

version 2.0     # conforms to second version of ipsec.conf specification
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/24,%v4:192.168.1.0/24,%v4:192.168.2.0/24
        protostack=netkey
        uniqueids=yes
        oe=off

conn %default
        keyingtries=3
        disablearrivalcheck=no
        authby=secret
        type=transport
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior-net
        leftsubnet=192.168.0.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-l2tp
        leftprotoport=17/1701
        rightprotoport=17/%any
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=222.xxx.xxx.162
        leftnexthop=222.xxx.xxx.161
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add



Centos 5.4
Kernel 2.6.18
Openswan 2.6.24
PSK authentication



________________________________
From: Danilo Godec <danilo.godec at agenda.si>
To: users at openswan.org
Sent: Wed, January 13, 2010 4:51:18 PM
Subject: [Openswan Users] Road warrior setup for Windows 7 on OpenSwan 2.4.10

Hi,

I have a DIY linux router running 2.4.34 kernel and OpenSwan 2.4.10. I
use it to connect to my home network occasionally. I'm using the 'road
warrior' setup with L2TP and certificates. It worked well for years, but
now I got a new laptop with Windows 7. I've set up everything just as I
would on XP, but it doesn't work. This shows up in my server logs:

> Jan 13 09:10:35 fw pluto[17082]: "rw-net"[9] xx.xx.xx.xx #27: cannot
> respond to IPsec SA request because no connection is known for
> yy.yy.yy.yy[C=SI, ST=Slovenija, L=Maribor, O=ME, OU=MYSELF, CN=I,
> E=vpn]:17/1701...xx.xx.xx.xx[C=SI, ST=Slovenija, L=Maribor, O=ME,
> OU=MYSELF, CN=MYSERVER, E=vpn]:17/1701*===172.16.0.62/32*
> Jan 13 09:10:35 fw pluto[17082]: "rw-net"[9] xx.xx.xx.xx #27: cannot
> respond to IPsec SA request because no connection is known for
> yy.yy.yy.yy[C=SI, ST=Slovenija, L=Maribor, O=ME, OU=MYSELF, CN=I,
> E=vpn]:17/1701...xx.xx.xx.xx[C=SI, ST=Slovenija, L=Maribor, O=ME
> OU=MYSELF, CN=MYSERVER, E=vpn]:17/1701*===172.16.0.62/32*

My laptop is behind a firewall (NAT) and the firewall's public address
is 'xx.xx.xx.xx'. My laptop's local IP address is 172.16.0.62/24. The
server's public IP address is yy.yy.yy.yy, the network behind the server
is 172.16.10.0/24.

This is my /etc/ipsec.conf:

> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>
> # More elaborate and more varied sample configurations can be found
> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         interfaces=%defaultroute
>         # Debug-logging controls:  "none" for (almost) none, "all" for
> lots.
>         klipsdebug=none
>         plutodebug=none
>         # Use auto= parameters in conn descriptions to control startup
> actions.
>         #plutoload=%search
>         #plutostart=%search
>         # Close down old connection when new one using same ID shows up.
>         uniqueids=yes
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.10.0/24
>
> # defaults for subsequent connection descriptions
> # (these defaults will soon go away)
> conn %default
>         keyingtries=0
>         disablearrivalcheck=no
>         authby=rsasig
>
> include /etc/ipsec.d/examples/no_oe.conf
>
> include /etc/ipsec.d/road.certs

And the /etc/ipsec.d/road.certs:

> conn rw-net
>         #
>         # Use a certificate. Disable Perfect Forward Secrecy.
>         #
>         authby=rsasig
>         rekey=no
>         pfs=no
>         left=%defaultroute
>         leftupdown=/lib/ipsec/_updown_x509
>         leftprotoport=udp/1701
>         rightprotoport=udp/1701
>         leftrsasigkey=%cert
>         leftcert=mycert.pem
>         rightrsasigkey=%cert
>         right=%any
>         rightca=%same
>         auto=add
>         keyingtries=3
>         keylife=5h
>         ikelifetime=5h
>         rightsubnet=vhost:%priv,%no

This exact configuration works with Windows XP SP3 and Windows Server
2003 SP2, so I know the certificates work.

One thing that I've noticed is that if I deliberately mess up my
configuration to make it NOT work with XP (change the 'rightprotoport'),
the error message is similar, yet different - it doesn't show my
client's internal IP at the end:

> Jan 12 19:42:47 fw pluto[15794]: "rw-net"[4] 93.103.128.115 #2: cannot
> respond to IPsec SA request because no connection is known for
> xx.xx.xx.yy[C=SI, ST=Slovenija, L=Maribor, O=ME, OU=MYSELF CN=I,
> E=vpn]:17/1701...yy.yy.yy.yy[C=SI, ST=Slovenija, L=Maribor, O=ME,
> OU=MYSELF, CN=MYSERVER, E=vpn]:17/1701

My guess is the problem lies in that local IP showing up with Windows 7
- but what can I do about it?

Thanks, Danilo
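Both configurations in this thread rely on rightsubnet=vhost:%priv,%no together with virtual_private= to decide which inner address a road-warrior client may claim, and the Windows 7 log lines differ from the deliberately broken XP ones exactly in that trailing *===172.16.0.62/32* inner address. What follows is an added example, not Openswan's code and not part of either mail: a small Python model that parses an ipsec.conf (resolving conn %default and also=) and reports why a conn would or would not cover a request for a given proposed inner address and proto/port. The sample config, the gateway address 203.0.113.2 and all function names are constructed for the example, and the matching rules are a simplified reading of the ipsec.conf semantics, not pluto's real connection-matching logic.

```python
"""Model of how a road-warrior conn in ipsec.conf matches an IPsec SA request.
Added example for this thread, not Openswan code: a simplified reading of the
ipsec.conf semantics for rightsubnet=vhost:..., virtual_private= and *protoport=."""
import ipaddress

# Constructed sample modelled on the thread's configs (203.0.113.2 is a
# documentation address standing in for the gateway's public IP).
SAMPLE_CONF = """\
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.10.0/24

conn %default
        authby=secret

conn roadwarrior-l2tp
        leftprotoport=17/1701
        rightprotoport=17/%any
        also=roadwarrior

conn roadwarrior
        left=203.0.113.2
        right=%any
        rightsubnet=vhost:%no,%priv
"""
PROTO_NUMBERS = {"udp": 17, "tcp": 6}

def parse_ipsec_conf(text):
    """{section: {key: value}}: 'config setup' stored as 'setup', also= as a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                        # unindented: section header
            parts = line.split()
            current = parts[1] if parts[0] in ("conn", "config") else None
            if current is not None:
                sections.setdefault(current, {})
            continue                                     # version/include lines skipped
        if current is None:
            continue
        key, _, value = [s.strip() for s in line.strip().partition("=")]
        if key == "also":
            sections[current].setdefault("also", []).append(value)
        else:
            sections[current][key] = value
    return sections

def resolve_conn(sections, name):
    """Merge %default, then also= sections (recursively), then the conn's own keys."""
    merged = dict(sections.get("%default", {}))

    def apply(conn_name, seen):
        if conn_name in seen:
            raise ValueError("also= loop at " + conn_name)
        for other in sections[conn_name].get("also", []):
            apply(other, seen | {conn_name})
        merged.update({k: v for k, v in sections[conn_name].items() if k != "also"})

    apply(name, set())
    return merged

def parse_virtual_private(value):
    """Split virtual_private= into allowed IPv4 nets and excluded ('!') IPv4 nets."""
    allowed, excluded = [], []
    for item in value.split(","):
        family, _, net = item.strip().partition(":")
        if family != "%v4":                              # %v6 entries not modelled here
            continue
        target = excluded if net.startswith("!") else allowed
        target.append(ipaddress.ip_network(net.lstrip("!"), strict=False))
    return allowed, excluded

def protoport_matches(spec, proto, port):
    """spec looks like '17/1701', 'udp/1701' or '17/%any'."""
    proto_part, _, port_part = spec.partition("/")
    if int(PROTO_NUMBERS.get(proto_part.lower(), proto_part)) != proto:
        return False
    return port_part == "%any" or int(port_part) == port

def check_sa_request(conf_text, conn_name, client_inner, proto, port):
    """Reasons the conn would NOT accept the request; [] means it matches.
    client_inner=None models a client that proposes no inner subnet (the %no case)."""
    sections = parse_ipsec_conf(conf_text)
    conn = resolve_conn(sections, conn_name)
    problems = []
    spec = conn.get("rightprotoport")
    if spec is not None and not protoport_matches(spec, proto, port):
        problems.append("rightprotoport=%s does not cover %d/%d" % (spec, proto, port))
    rightsubnet = conn.get("rightsubnet", "")
    options = [o.strip() for o in rightsubnet[6:].split(",")] if rightsubnet.startswith("vhost:") else []
    if client_inner is None:                             # client offers no inner subnet
        return problems if "%no" in options else problems + ["%no not allowed by " + rightsubnet]
    ip = ipaddress.ip_address(client_inner)
    allowed, excluded = parse_virtual_private(sections.get("setup", {}).get("virtual_private", ""))
    if "%priv" in options and any(ip in n for n in allowed) and not any(ip in n for n in excluded):
        return problems
    return problems + ["inner address %s not covered by virtual_private for %s" % (ip, rightsubnet)]
```

Run it against your own ipsec.conf with the inner address printed in the log (here 172.16.0.62) to see whether the conn, after also= resolution, actually lists that address as %priv-eligible and whether the proto/port in the request is covered; the sample above accepts 172.16.0.62, rejects 172.16.10.5 because of the !172.16.10.0/24 exclusion, and still accepts a client that proposes no inner subnet at all through %no.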

