[Openswan Users] Fwd: IPsec configuration
Ana
kentdavies at gmail.com
Mon Nov 18 15:21:14 UTC 2013
Hello.
Many, many thanks for all your help.
I had a problem with one of my certificates and now I believe it is all
working as expected.
Regards
Kent Davies
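
An added example, not part of the original messages: a small Python triage script for the kind of pluto log quoted further down in this thread. It strips the mail quoting, rejoins the wrapped syslog records and summarizes each IKE state object (`"cert" #N`) by last Main Mode state, peer ID and key or notification errors; the sample lines are copied from the thread's logs, and the function and field names are this example's own.

```python
import re

# Lines copied from the two pluto logs quoted in this thread, kept with the
# "> " mail quoting and hard wraps so the unwrapping step is exercised.
SAMPLE = """\
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: no RSA public key
> known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
> for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: sending encrypted
> notification INVALID_KEY_INFORMATION to 192.168.1.2:500
>
> And after ipsec auto --up cert
>
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: ignoring informational
> payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #3: max number of
> retransmissions (2) reached STATE_MAIN_I3. Possible authentication
> failure: no acceptable response to our first encrypted message
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R3: sent
> MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128
> prf=oakley_sha group=modp2048}
"""

QUOTE = re.compile(r"^(?:>\s?)+")
RECORD = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ pluto\[(\d+)\]: (.*)$")
STATE_MSG = re.compile(r'^"([^"]+)" #(\d+): (.*)$')
PEER_ID = re.compile(r"Main mode peer ID is (\w+): '([^']*)'")

# (field, pattern): the first capture group is stored under `field`.
PATTERNS = [
    ("last_state", re.compile(r"transition from state \S+ to state (\S+)")),
    ("last_state", re.compile(r"^(STATE_\w+): ")),
    ("no_key_for", re.compile(r"no RSA public key known for '([^']*)'")),
    ("gave_up_in", re.compile(r"max number of retransmissions \(\d+\) reached (\w+)")),
    ("sent", re.compile(r"sending (?:encrypted )?notification (\w+) to ")),
    ("received", re.compile(r"ignoring informational payload, type (\w+)")),
]


def unwrap(text):
    """Strip mail quoting and rejoin wrapped syslog records -> [(pid, msg)]."""
    records, current = [], None
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        m = RECORD.match(line)
        if m:
            current = [m.group(1), m.group(2)]
            records.append(current)
        elif line and current is not None:
            current[1] += " " + line      # continuation of a wrapped record
        else:
            current = None                # blank line: mail prose may follow
    return [(pid, msg) for pid, msg in records]


def summarize(text):
    """Return {(pid, conn, serial): facts} for every IKE state object seen."""
    out = {}
    for pid, msg in unwrap(text):
        m = STATE_MSG.match(msg)
        if not m:
            continue                      # daemon-level line, no state object
        key = (pid, m.group(1), int(m.group(2)))
        body = m.group(3)
        s = out.setdefault(key, {"last_state": None, "established": False,
                                 "peer_id": None, "no_key_for": None,
                                 "gave_up_in": None, "sent": [], "received": []})
        for field, pat in PATTERNS:
            hit = pat.search(body)
            if not hit:
                continue
            if isinstance(s[field], list):
                s[field].append(hit.group(1))
            else:
                s[field] = hit.group(1)
        peer = PEER_ID.search(body)
        if peer:
            s["peer_id"] = peer.groups()
        if "ISAKMP SA established" in body:
            s["established"] = True
    return out


def findings(summary):
    """Turn the per-state facts into one line per problem, stating only what was logged."""
    notes = []
    for (pid, conn, serial), s in sorted(summary.items()):
        tag = f'pluto[{pid}] "{conn}" #{serial}'
        if s["no_key_for"]:
            kind = s["peer_id"][0] if s["peer_id"] else "unknown ID type"
            notes.append(f"{tag}: no RSA public key on this host for peer ID "
                         f"{kind} '{s['no_key_for']}'")
        for notify in s["received"]:
            notes.append(f"{tag}: peer answered with {notify}; the reason is in the peer's log")
        if s["gave_up_in"]:
            notes.append(f"{tag}: gave up in {s['gave_up_in']} after retransmissions")
    return notes


if __name__ == "__main__":
    for note in findings(summarize(SAMPLE)):
        print(note)
```

Reading the two gateways' summaries side by side pairs each `INVALID_KEY_INFORMATION` received on one host with the `no RSA public key known` line logged on the other.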
On Mon, Nov 18, 2013 at 12:33 PM, Leto <letoams at gmail.com> wrote:
> you are missing the secret entries, eg:
>
> : RSA "friendlyname"
>
> you also use leftcert=friendlyname
> in the conn
>
> sent from a tiny device
>
> On 2013-11-18, at 7:28, Ana <kentdavies at gmail.com> wrote:
>
> Hello and once again, thanks for your reply.
>
>
> I've then exported the certificates to the pkcs#12 format and imported them
> to my nss database. I've done that on both machines.
>
>
> I've edited both my secrets and conf files to reflect the nickname that
> nss database shows but I'm still getting problems.
>
> Using the log I've managed to solve some problems but now I'm stuck.
>
>
> Here is my /var/log/secure on machine after service ipsec start:
>
> Nov 18 12:15:48 mainmachine ipsec__plutorun: Starting Pluto subsystem...
> Nov 18 12:15:48 mainmachine pluto[10894]: nss directory plutomain:
> /etc/ipsec.d
> Nov 18 12:15:48 mainmachine pluto[10894]: NSS Initialized
> Nov 18 12:15:48 mainmachine pluto[10894]: Non-fips mode set in
> /proc/sys/crypto/fips_enabled
> Nov 18 12:15:48 mainmachine pluto[10894]: Starting Pluto (Openswan Version
> 2.6.32; Vendor ID OEhyLdACecfa) pid:10894
> Nov 18 12:15:48 mainmachine pluto[10894]: Non-fips mode set in
> /proc/sys/crypto/fips_enabled
> Nov 18 12:15:48 mainmachine pluto[10894]: LEAK_DETECTIVE support [disabled]
> Nov 18 12:15:48 mainmachine pluto[10894]: OCF support for IKE [disabled]
> Nov 18 12:15:48 mainmachine pluto[10894]: SAref support [disabled]:
> Protocol not available
> Nov 18 12:15:48 mainmachine pluto[10894]: SAbind support [disabled]:
> Protocol not available
> Nov 18 12:15:48 mainmachine pluto[10894]: NSS support [enabled]
> Nov 18 12:15:48 mainmachine pluto[10894]: HAVE_STATSD notification support
> not compiled in
> Nov 18 12:15:48 mainmachine pluto[10894]: Setting NAT-Traversal port-4500
> floating to on
> Nov 18 12:15:48 mainmachine pluto[10894]: port floating activation
> criteria nat_t=1/port_float=1
> Nov 18 12:15:48 mainmachine pluto[10894]: NAT-Traversal support
> [enabled]
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
> Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
> Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: starting up 1 cryptographic
> helpers
> Nov 18 12:15:48 mainmachine pluto[10894]: started helper (thread)
> pid=-1217217680 (fd:10)
> Nov 18 12:15:48 mainmachine pluto[10894]: Using Linux 2.6 IPsec interface
> code on 2.6.32-358.23.2.el6.i686 (experimental code)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
> Activating aes_ccm_8: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm
> already exists
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
> Activating aes_ccm_12: FAILED (ret=-17)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm
> already exists
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
> Activating aes_ccm_16: FAILED (ret=-17)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm
> already exists
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
> Activating aes_gcm_8: FAILED (ret=-17)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm
> already exists
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
> Activating aes_gcm_12: FAILED (ret=-17)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm
> already exists
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
> Activating aes_gcm_16: FAILED (ret=-17)
> Nov 18 12:15:48 mainmachine pluto[10894]: Changed path to directory
> '/etc/ipsec.d/cacerts'
> Nov 18 12:15:48 mainmachine pluto[10894]: loaded CA cert file
> 'cacert.crt' (843 bytes)
> Nov 18 12:15:48 mainmachine pluto[10894]: Could not change to directory
> '/etc/ipsec.d/aacerts': /var/run/pluto
> Nov 18 12:15:48 mainmachine pluto[10894]: Could not change to directory
> '/etc/ipsec.d/ocspcerts': /var/run/pluto
> Nov 18 12:15:48 mainmachine pluto[10894]: Changing to directory
> '/etc/ipsec.d/crls'
> Nov 18 12:15:48 mainmachine pluto[10894]: loaded crl file 'crl.pem' (516
> bytes)
> Nov 18 12:15:48 mainmachine pluto[10894]: | selinux support is enabled.
> Nov 18 12:15:48 mainmachine pluto[10894]: loading certificate from
> www.gwone.pt - ONE
> Nov 18 12:15:48 mainmachine pluto[10894]: added connection description
> "cert"
> Nov 18 12:15:48 mainmachine pluto[10894]: listening for IKE messages
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth3/eth3
> 172.16.1.1:500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth3/eth3
> 172.16.1.1:4500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth2/eth2
> 192.168.1.1:500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth2/eth2
> 192.168.1.1:4500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth1/eth1
> 10.1.1.254:500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth1/eth1
> 10.1.1.254:4500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface lo/lo
> 127.0.0.1:500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface lo/lo
> 127.0.0.1:4500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface lo/lo ::1:500
> Nov 18 12:15:48 mainmachine pluto[10894]: loading secrets from
> "/etc/ipsec.secrets"
> Nov 18 12:15:48 mainmachine pluto[10894]: loaded private key for keyid:
> PPK_RSA:AwEAAd7/L
> Nov 18 12:15:48 mainmachine pluto[10894]: "cert" #1: initiating Main Mode
> Nov 18 12:15:48 mainmachine pluto[10894]: ERROR: asynchronous network
> error report on eth2 (sport=500) for message to 192.168.1.2 port 500,
> complainant 192.168.1.2: Connection refused [errno 111, origin ICMP type
> 3 code 3 (not authenticated)]
> Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500:
> received Vendor ID payload [Openswan (this version) 2.6.32 ]
> Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500:
> received Vendor ID payload [Dead Peer Detection]
> Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500:
> received Vendor ID payload [RFC 3947] method set to=109
> Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
> already using method 109
> Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
> already using method 109
> Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
> already using method 109
> Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: responding to Main
> Mode
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: transition from state
> STATE_MAIN_R0 to state STATE_MAIN_R1
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: STATE_MAIN_R1: sent
> MR1, expecting MI2
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: NAT-Traversal: Result
> using RFC 3947 (NAT-Traversal): no NAT detected
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: STATE_MAIN_R2: sent
> MR2, expecting MI3
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: no RSA public key
> known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
> for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: sending encrypted
> notification INVALID_KEY_INFORMATION to 192.168.1.2:500
>
>
> And after ipsec auto --up cert
>
> Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: received Vendor ID
> payload [Openswan (this version) 2.6.32 ]
> Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: received Vendor ID
> payload [Dead Peer Detection]
> Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: received Vendor ID
> payload [RFC 3947] method set to=109
> Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: enabling possible
> NAT-traversal with method 4
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: STATE_MAIN_I2: sent
> MI2, expecting MR2
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: NAT-Traversal: Result
> using RFC 3947 (NAT-Traversal): no NAT detected
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: I am sending my cert
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: I am sending a
> certificate request
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: STATE_MAIN_I3: sent
> MI3, expecting MR3
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: received Vendor ID
> payload [CAN-IKEv2]
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: no RSA public key
> known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
> for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: sending encrypted
> notification INVALID_KEY_INFORMATION to 192.168.1.2:500
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: received 1 malformed
> payload notifies
> Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: no RSA public key
> known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
> for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: sending encrypted
> notification INVALID_KEY_INFORMATION to 192.168.1.2:500
> Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: no RSA public key
> known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
> for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: sending encrypted
> notification INVALID_KEY_INFORMATION to 192.168.1.2:500
> Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500:
> received Vendor ID payload [Openswan (this version) 2.6.32 ]
> Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500:
> received Vendor ID payload [Dead Peer Detection]
> Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500:
> received Vendor ID payload [RFC 3947] method set to=109
> Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
> already using method 109
> Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
> already using method 109
> Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
> already using method 109
> Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: responding to Main
> Mode
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: transition from state
> STATE_MAIN_R0 to state STATE_MAIN_R1
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: STATE_MAIN_R1: sent
> MR1, expecting MI2
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: NAT-Traversal: Result
> using RFC 3947 (NAT-Traversal): no NAT detected
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: STATE_MAIN_R2: sent
> MR2, expecting MI3
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: no RSA public key
> known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
> for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: sending encrypted
> notification INVALID_KEY_INFORMATION to 192.168.1.2:500
> Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: no RSA public key
> known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
> for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: sending encrypted
> notification INVALID_KEY_INFORMATION to 192.168.1.2:500
> Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: no RSA public key
> known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
> for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: sending encrypted
> notification INVALID_KEY_INFORMATION to 192.168.1.2:500
>
>
>
> Likewise, on machine B I got this:
>
> Nov 18 12:06:13 mainmachine ipsec__plutorun: Starting Pluto subsystem...
> Nov 18 12:06:13 mainmachine pluto[4985]: nss directory plutomain:
> /etc/ipsec.d
> Nov 18 12:06:13 mainmachine pluto[4985]: NSS Initialized
> Nov 18 12:06:13 mainmachine pluto[4985]: Non-fips mode set in
> /proc/sys/crypto/fips_enabled
> Nov 18 12:06:13 mainmachine pluto[4985]: Starting Pluto (Openswan Version
> 2.6.32; Vendor ID OEhyLdACecfa) pid:4985
> Nov 18 12:06:13 mainmachine pluto[4985]: Non-fips mode set in
> /proc/sys/crypto/fips_enabled
> Nov 18 12:06:13 mainmachine pluto[4985]: LEAK_DETECTIVE support [disabled]
> Nov 18 12:06:13 mainmachine pluto[4985]: OCF support for IKE [disabled]
> Nov 18 12:06:13 mainmachine pluto[4985]: SAref support [disabled]:
> Protocol not available
> Nov 18 12:06:13 mainmachine pluto[4985]: SAbind support [disabled]:
> Protocol not available
> Nov 18 12:06:13 mainmachine pluto[4985]: NSS support [enabled]
> Nov 18 12:06:13 mainmachine pluto[4985]: HAVE_STATSD notification support
> not compiled in
> Nov 18 12:06:13 mainmachine pluto[4985]: Setting NAT-Traversal port-4500
> floating to on
> Nov 18 12:06:13 mainmachine pluto[4985]: port floating activation
> criteria nat_t=1/port_float=1
> Nov 18 12:06:13 mainmachine pluto[4985]: NAT-Traversal support
> [enabled]
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc():
> Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc():
> Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: starting up 1 cryptographic
> helpers
> Nov 18 12:06:13 mainmachine pluto[4985]: started helper (thread)
> pid=-1220584592 (fd:10)
> Nov 18 12:06:13 mainmachine pluto[4985]: Using Linux 2.6 IPsec interface
> code on 2.6.32-358.23.2.el6.i686 (experimental code)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc():
> Activating aes_ccm_8: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm
> already exists
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc():
> Activating aes_ccm_12: FAILED (ret=-17)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm
> already exists
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc():
> Activating aes_ccm_16: FAILED (ret=-17)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm
> already exists
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc():
> Activating aes_gcm_8: FAILED (ret=-17)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm
> already exists
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc():
> Activating aes_gcm_12: FAILED (ret=-17)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm
> already exists
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc():
> Activating aes_gcm_16: FAILED (ret=-17)
> Nov 18 12:06:13 mainmachine pluto[4985]: Changed path to directory
> '/etc/ipsec.d/cacerts'
> Nov 18 12:06:13 mainmachine pluto[4985]: loaded CA cert file
> 'cacert.crt' (843 bytes)
> Nov 18 12:06:13 mainmachine pluto[4985]: Could not change to directory
> '/etc/ipsec.d/aacerts': /var/run/pluto
> Nov 18 12:06:13 mainmachine pluto[4985]: Could not change to directory
> '/etc/ipsec.d/ocspcerts': /var/run/pluto
> Nov 18 12:06:13 mainmachine pluto[4985]: Changing to directory
> '/etc/ipsec.d/crls'
> Nov 18 12:06:13 mainmachine pluto[4985]: loaded crl file 'crl.pem' (516
> bytes)
> Nov 18 12:06:13 mainmachine pluto[4985]: | selinux support is enabled.
> Nov 18 12:06:13 mainmachine pluto[4985]: loading certificate from
> www.gwtwo.pt - ONE
> Nov 18 12:06:13 mainmachine pluto[4985]: loading certificate from
> www.gwone.pt - ONE
> Nov 18 12:06:13 mainmachine pluto[4985]: added connection description
> "cert"
> Nov 18 12:06:13 mainmachine pluto[4985]: listening for IKE messages
> Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth6/eth6
> 192.168.1.2:500
> Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth6/eth6
> 192.168.1.2:4500
> Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth5/eth5
> 10.1.2.254:500
> Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth5/eth5
> 10.1.2.254:4500
> Nov 18 12:06:13 mainmachine pluto[4985]: adding interface lo/lo
> 127.0.0.1:500
> Nov 18 12:06:13 mainmachine pluto[4985]: adding interface lo/lo
> 127.0.0.1:4500
> Nov 18 12:06:13 mainmachine pluto[4985]: adding interface lo/lo ::1:500
> Nov 18 12:06:13 mainmachine pluto[4985]: loading secrets from
> "/etc/ipsec.secrets"
> Nov 18 12:06:13 mainmachine pluto[4985]: loaded private key for keyid:
> PPK_RSA:AwEAAd7/L
> Nov 18 12:06:13 mainmachine pluto[4985]: loaded private key for keyid:
> PPK_RSA:AwEAAcFsb
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: initiating Main Mode
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received Vendor ID
> payload [Openswan (this version) 2.6.32 ]
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received Vendor ID
> payload [Dead Peer Detection]
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received Vendor ID
> payload [RFC 3947] method set to=109
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: enabling possible
> NAT-traversal with method 4
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: STATE_MAIN_I2: sent
> MI2, expecting MR2
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: NAT-Traversal: Result
> using RFC 3947 (NAT-Traversal): no NAT detected
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: I am sending my cert
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: I am sending a
> certificate request
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: STATE_MAIN_I3: sent
> MI3, expecting MR3
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: ignoring informational
> payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received and ignored
> informational message
> Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500:
> received Vendor ID payload [Openswan (this version) 2.6.32 ]
> Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500:
> received Vendor ID payload [Dead Peer Detection]
> Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500:
> received Vendor ID payload [RFC 3947] method set to=109
> Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
> already using method 109
> Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
> already using method 109
> Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
> already using method 109
> Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: responding to Main Mode
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state
> STATE_MAIN_R0 to state STATE_MAIN_R1
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R1: sent
> MR1, expecting MI2
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: NAT-Traversal: Result
> using RFC 3947 (NAT-Traversal): no NAT detected
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R2: sent
> MR2, expecting MI3
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.1.1'
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: I am sending my cert
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state
> STATE_MAIN_R2 to state STATE_MAIN_R3
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R3: sent
> MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128
> prf=oakley_sha group=modp2048}
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: next payload type of
> ISAKMP Hash Payload has an unknown value: 251
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: malformed payload in
> packet
> Nov 18 12:06:19 mainmachine pluto[4985]: | payload malformed after IV
> Nov 18 12:06:19 mainmachine pluto[4985]: | d3 87 42 1b 2b 62 84 1e 13
> 0b 12 57 2d b3 4a 6c
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: sending notification
> PAYLOAD_MALFORMED to 192.168.1.1:500
> Nov 18 12:06:23 mainmachine pluto[4985]: "cert" #1: ignoring informational
> payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:06:23 mainmachine pluto[4985]: "cert" #1: received and ignored
> informational message
> Nov 18 12:06:43 mainmachine pluto[4985]: "cert" #1: ignoring informational
> payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:06:43 mainmachine pluto[4985]: "cert" #1: received and ignored
> informational message
>
>
> and after ipsec auto --up cert
>
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #1: max number of
> retransmissions (2) reached STATE_MAIN_I3. Possible authentication
> failure: no acceptable response to our first encrypted message
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #1: starting keying
> attempt 2 of an unlimited number
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: initiating Main Mode
> to replace #1
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received Vendor ID
> payload [Openswan (this version) 2.6.32 ]
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received Vendor ID
> payload [Dead Peer Detection]
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received Vendor ID
> payload [RFC 3947] method set to=109
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: enabling possible
> NAT-traversal with method 4
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: STATE_MAIN_I2: sent
> MI2, expecting MR2
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: NAT-Traversal: Result
> using RFC 3947 (NAT-Traversal): no NAT detected
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: I am sending my cert
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: I am sending a
> certificate request
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: STATE_MAIN_I3: sent
> MI3, expecting MR3
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: ignoring informational
> payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received and ignored
> informational message
> Nov 18 12:07:33 mainmachine pluto[4985]: "cert" #3: ignoring informational
> payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:07:33 mainmachine pluto[4985]: "cert" #3: received and ignored
> informational message
> Nov 18 12:07:53 mainmachine pluto[4985]: "cert" #3: ignoring informational
> payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:07:53 mainmachine pluto[4985]: "cert" #3: received and ignored
> informational message
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #3: max number of
> retransmissions (2) reached STATE_MAIN_I3. Possible authentication
> failure: no acceptable response to our first encrypted message
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #3: starting keying
> attempt 3 of an unlimited number
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: initiating Main Mode
> to replace #3
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received Vendor ID
> payload [Openswan (this version) 2.6.32 ]
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received Vendor ID
> payload [Dead Peer Detection]
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received Vendor ID
> payload [RFC 3947] method set to=109
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: enabling possible
> NAT-traversal with method 4
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: STATE_MAIN_I2: sent
> MI2, expecting MR2
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: NAT-Traversal: Result
> using RFC 3947 (NAT-Traversal): no NAT detected
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: I am sending my cert
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: I am sending a
> certificate request
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: STATE_MAIN_I3: sent
> MI3, expecting MR3
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: ignoring informational
> payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received and ignored
> informational message
> Nov 18 12:08:43 mainmachine pluto[4985]: "cert" #4: ignoring informational
> payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:08:43 mainmachine pluto[4985]: "cert" #4: received and ignored
> informational message
> Nov 18 12:09:03 mainmachine pluto[4985]: "cert" #4: ignoring informational
> payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:09:03 mainmachine pluto[4985]: "cert" #4: received and ignored
> informational message
>
>
>
>
> On both machines, the only iptables rules that exist are these:
>
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A FORWARD -p icmp -j ACCEPT
> iptables -A INPUT -p esp -j ACCEPT
> iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> iptables -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
> iptables -A FORWARD -s 10.1.1.0/24 -d 10.1.2.0/24 -j ACCEPT
> iptables -A FORWARD -s 10.1.2.0/24 -d 10.1.1.0/24 -j ACCEPT
>
>
> Any idea of what I'm doing wrong?
>
> Thanks,
>
> Kent Davies
>
>
> On Mon, Nov 18, 2013 at 10:43 AM, Bart Smink <bartsmink at gmail.com> wrote:
>
>> You could check the logs, and as you're on CentOS they're in
>> /var/log/secure. There you find the error that Openswan gives when you try
>> to start the connection.
>>
>>
>> 2013/11/18 Ana <kentdavies at gmail.com>
>>
>>> Hello.
>>>
>>> Thanks for your answer.
>>>
>>> All you said is new to me.
>>>
>>> I've started by converting all my certs to the pkcs#12 format like this:
>>>
>>> openssl pkcs12 -export -clcerts -in cacert.crt -inkey cakey.key -out
>>> ca.p12
>>>
>>>
>>> And then, I've imported them to ipsec.d like this:
>>>
>>> [root at mainmachine ipsec.d]# pk12util -i /etc/pki/tls/ca.p12 -d
>>> /etc/ipsec.d/
>>> Enter Password or Pin for "NSS Certificate DB":
>>> Enter password for PKCS12 file:
>>> pk12util: no nickname for cert in PKCS12 file.
>>> pk12util: using nickname: www.mysite.com - XPTO
>>> pk12util: PKCS12 IMPORT SUCCESSFUL
>>>
>>>
>>> And now I'm completely lost :(
>>>
>>> Sorry, but what should I do next? I can't seem to find a proper tutorial
>>> explaining these steps.
>>>
>>> Thanks,
>>>
>>> Kent Davies
>>>
>>>
>>>
>>>
>>> On Mon, Nov 18, 2013 at 4:47 AM, Leto <letoams at gmail.com> wrote:
>>>
>>>> if using the centos builds, those use nss, so you cannot put private
>>>> key and certs in /etc/ipsec.d/
>>>>
>>>> you need to use ipsec initnss and then ipsec import on the certs in
>>>> pkcs#12 format. see README.NSS
>>>>
>>>> sent from a tiny device
>>>>
>>>> On 2013-11-17, at 6:00, Ana <kentdavies at gmail.com> wrote:
>>>>
>>>> Hi everybody. Hello again.
>>>>
>>>>
>>>> Following my last cry for help, here I am again with some IPsec
>>>> problems.
>>>>
>>>>
>>>> After managing to get IPsec running using secrets, I'm now trying
>>>> (without success) to accomplish the same but now using X.509 certificates.
>>>>
>>>>
>>>> Just as a reminder, I’m running two virtual machines with CentOS that
>>>> simulate the network depicted in the picture below.
>>>>
>>>> <image.png>
>>>>
>>>>
>>>> I want to create an IPsec tunnel between machine A and machine B. The
>>>> keys should be negotiated using IKE and the tunnel should enable total
>>>> connectivity between the two machines. My goal is to achieve this using
>>>> x.509 certificates.
>>>>
>>>>
>>>> My machine A will act as a gateway and as a Certificate Authority.
>>>>
>>>>
>>>> The first step was to create my CA and two certificates, one for
>>>> machine A and one for machine B. So, on machine A I've run these commands:
>>>>
>>>> 1) Create the CA:
>>>>
>>>> openssl genrsa -des3 -out cakey.key 1024
>>>>
>>>> openssl req -new -key cakey.key -out cacsr.csr
>>>>
>>>> openssl x509 -req -days 365 -in cacsr.csr -out cacert.crt -signkey cakey.key
>>>>
>>>>
>>>> 2) For each machine, create a certificate signed using the CA created
>>>> above:
>>>>
>>>>
>>>> openssl genrsa -des3 -out gwonekey.key 1024
>>>>
>>>> openssl req -new -key gwonekey.key -out gwonecsr.csr
>>>>
>>>> openssl ca -in gwonecsr.csr -cert cacert.crt -keyfile cakey.key -out gwonecert.crt
>>>>
>>>>
>>>> openssl genrsa -des3 -out gwtwokey.key 1024
>>>>
>>>> openssl req -new -key gwtwokey.key -out gwtwocsr.csr
>>>>
>>>> openssl ca -in gwtwocsr.csr -cert cacert.crt -keyfile cakey.key -out gwtwocert.crt
>>>>
>>>>
>>>> 3) I've also created a Certification Revocation list:
>>>>
>>>> echo 01 > /etc/pki/CA/crlnumber
>>>>
>>>> openssl ca -gencrl -keyfile cakey.key -cert cacert.crt -out crl.pem
>>>>
>>>>
>>>> On machine A I've done this:
>>>>
>>>> mkdir /etc/ipsec.d/private
>>>>
>>>> mkdir /etc/ipsec.d/certs
>>>>
>>>> mkdir /etc/ipsec.d/cacerts
>>>>
>>>> mkdir /etc/ipsec.d/crls
>>>>
>>>> cp gwonekey.key /etc/ipsec.d/private
>>>>
>>>> cp gwonecert.crt /etc/ipsec.d/certs
>>>>
>>>> cp cacert.crt /etc/ipsec.d/cacerts
>>>>
>>>> cp crl.pem /etc/ipsec.d/crls
>>>>
>>>>
>>>> And on Machine B after copying the files:
>>>>
>>>> mkdir /etc/ipsec.d/private
>>>>
>>>> mkdir /etc/ipsec.d/certs
>>>>
>>>> mkdir /etc/ipsec.d/cacerts
>>>>
>>>> mkdir /etc/ipsec.d/crls
>>>>
>>>> cp gwtwokey.key /etc/ipsec.d/private
>>>>
>>>> cp gwonecert.crt /etc/ipsec.d/certs
>>>>
>>>> cp gwtwocert.crt /etc/ipsec.d/certs
>>>>
>>>> cp cacert.crt /etc/ipsec.d/cacerts
>>>>
>>>>
>>>> I've then edited the *ipsec.secrets* file on both machines:
>>>>
>>>> Machine A:
>>>>
>>>> %any %any : PSK "test"
>>>>
>>>> : RSA gwonecert.crt "test"
>>>>
>>>>
>>>> Machine B:
>>>>
>>>> %any %any : PSK "test"
>>>>
>>>> : RSA gwonecert.crt "test"
>>>>
>>>> : RSA gwtwocert.crt "test"
>>>>
>>>>
>>>> The last step was to edit the *ipsec.conf* on those machines:
>>>>
>>>> Machine A:
>>>>
>>>> config setup
>>>>
>>>> protostack=netkey
>>>>
>>>> dumpdir=/var/run/pluto/
>>>>
>>>> nat_traversal=yes
>>>>
>>>> virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24
>>>>
>>>>
>>>>
>>>> #conn gw-to-gw
>>>>
>>>> # authby=secret
>>>>
>>>> # left=192.168.1.1
>>>>
>>>> # leftsubnet=10.1.1.0/24
>>>>
>>>> # right=192.168.1.2
>>>>
>>>> # rightsubnet=10.1.2.0/24
>>>>
>>>> # auto=start
>>>>
>>>> # type=tunnel
>>>>
>>>>
>>>>
>>>> conn cert
>>>>
>>>> authby=rsasig
>>>>
>>>> leftrsasigkey=%cert
>>>>
>>>> leftcert=gwonecert.crt
>>>>
>>>> left=192.168.1.1
>>>>
>>>> leftsubnet=10.1.1.0/24
>>>>
>>>> right=192.168.1.2
>>>>
>>>> rightsubnet=10.1.2.0/24
>>>>
>>>> auto=start
>>>>
>>>> type=tunnel
>>>>
>>>>
>>>> Machine B:
>>>>
>>>> config setup
>>>>
>>>> protostack=netkey
>>>>
>>>> dumpdir=/var/run/pluto/
>>>>
>>>> nat_traversal=yes
>>>>
>>>> virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24
>>>>
>>>>
>>>>
>>>> #conn gw-to-gw
>>>>
>>>> # authby=secret
>>>>
>>>> # left=192.168.1.1
>>>>
>>>> # leftsubnet=10.1.1.0/24
>>>>
>>>> # right=192.168.1.2
>>>>
>>>> # rightsubnet=10.1.2.0/24
>>>>
>>>> # auto=start
>>>>
>>>> # type=tunnel
>>>>
>>>>
>>>>
>>>> conn cert
>>>>
>>>> authby=rsasig
>>>>
>>>> leftrsasigkey=%cert
>>>>
>>>> rightrsasigkey=%cert
>>>>
>>>> leftcert=gwtwocert.crt
>>>>
>>>> rightcert=gwonecert.crt
>>>>
>>>> left=192.168.1.2
>>>>
>>>> leftsubnet=10.1.2.0/24
>>>>
>>>> right=192.168.1.1
>>>>
>>>> rightsubnet=10.1.1.0/24
>>>>
>>>> auto=start
>>>>
>>>> type=tunnel
>>>>
>>>>
>>>> I've restarted ipsec on both machines using *service ipsec restart* but
>>>> now, after doing *ipsec auto --up cert*, nothing happens. In the terminal I
>>>> have to hit Ctrl-C.
>>>>
>>>>
>>>> Once again, can someone tell me what I am doing wrong?
>>>>
>>>>
>>>> Many thanks,
>>>>
>>>>
>>>> Kent Davies
>>>>
>>>> _______________________________________________
>>>> Users at lists.openswan.org
>>>> https://lists.openswan.org/mailman/listinfo/users
>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>>
>>>>
>
>
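The mismatch this thread converges on (file names such as gwonecert.crt used where NSS builds expect the certificate nickname, in both `: RSA` secrets entries and `leftcert=`) can be checked mechanically. The following is an added example, not code from the thread or from Openswan: the function names are hypothetical, the sample inputs are constructed, and it assumes the nickname listing comes from `certutil -L -d /etc/ipsec.d` and that the local end of each conn is `left`.

```python
import re
import shlex

# Constructed sample inputs (not taken from a real host).
CERTUTIL_L = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

www.mysite.com - XPTO                                        u,u,u
"""
SECRETS = ': RSA gwonecert.crt "test"\n'
CONF = """\
conn cert
    leftcert=gwonecert.crt
"""

def nss_nicknames(listing):
    """Nicknames from `certutil -L -d <dir>` output (rows ending in trust flags)."""
    row = re.compile(r"^(\S.*?)\s{2,}[A-Za-z]*,[A-Za-z]*,[A-Za-z]*\s*$")
    return {m.group(1) for m in map(row.match, listing.splitlines()) if m}

def rsa_secret_names(secrets):
    """First token after ': RSA' on each uncommented ipsec.secrets line."""
    hits = (re.match(r"[^#]*?:\s*RSA\s+(\S.*)$", ln) for ln in secrets.splitlines())
    return [shlex.split(m.group(1))[0] for m in hits if m]

def leftcerts(conf):
    """Map conn name -> leftcert value, ignoring '#' comments."""
    out, conn = {}, None
    for line in conf.splitlines():
        s = line.split("#", 1)[0].strip()
        if s.startswith("conn "):
            conn = s.split(None, 1)[1]
        elif conn and s.startswith("leftcert="):
            out[conn] = s.split("=", 1)[1].strip().strip('"')
    return out

def lint(listing, secrets, conf):
    """Return findings for names that are not nicknames in the NSS database."""
    known = nss_nicknames(listing)
    findings = [f"ipsec.secrets: RSA entry {n!r} is not an NSS nickname"
                for n in rsa_secret_names(secrets) if n not in known]
    findings += [f"conn {c}: leftcert={v!r} is not an NSS nickname"
                 for c, v in leftcerts(conf).items() if v not in known]
    return findings

if __name__ == "__main__":
    print("\n".join(lint(CERTUTIL_L, SECRETS, CONF)) or "ok")
```

With the constructed inputs it reports both the secrets entry and the conn; replacing both names with the nickname pk12util printed clears the findings.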