I'd like to set up a 'roadwarrior' VPN from a win2k/SSH-Sentinel box to a Dachstein CD firewall running the ipsec package from Charles's distro.

Following guitarlynn's "Basic IPSec VPN HowTo" I have configured the basics for a PSK authentication. There is udp/500 traffic between the boxes but no success so far... In the auth.log on the firewall I see:

    "initial Main Mode message received on 150.101.241.70:500 but no connection has been authorized"

and on the client I see packets being sent from port 500 on the win2k box to port 500 on the firewall, with an eventual roadwarrior-side abort after multiple retries.

So starting from the basics, in network.conf I have:

    EXTERN_UDP_PORT0="0/0 500"
    EXTERN_PROTO0="50 0/0"
    EXTERN_PROTO1="51 0/0"

and the box has been freshly rebooted since configured.

In the ipsec barf there are a few hints of problems:

- "hostname --fqdn" and "hostname --ip-address" both fail with the busybox hostname. I guess everyone would see this? There is no domain name associated with this host.

- "/bin/sh: md5sum: command not found" -- but I guess this must not be a problem either?

- at boot there is a message: "ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work" but I guess this does not affect IKE authentication?

- and the following:

    Jul 19 17:42:39 puppet ipsec__plutorun: auto=start search: (/etc/ipsec.conf, line 27) unknown parameter name "disablearrivalcheck"
    Jul 19 17:42:39 puppet ipsec__plutorun: unable to determine what conns to start -- starting none

  This one puzzles me a bit as the "disablearrivalcheck" parameter comes straight from lynn's FAQ. Maybe I've stuffed it up somehow? "starting none" sounds bad but the roadwarrior connection is listed as "auto=add"... maybe ok?

- and finally: "Pluto[1202]: packet from 150.101.147.250:500: ignoring Vendor ID payload" which doesn't sound fatal?

Having spent a good while trawling through google, I'm still at a loss. Is it polite to post the ipsec barf (38kb) to this list? Or has someone the time to scan through it offlist please?

A final question (based on Lynn's FAQ) - should the PSK in the secrets file look something like:

    # Use this for a "preshared secret key". keep it all on one line:
    150.101.241.74 %any: PSK "mysecret"

Thanks and regards,
matt

-- 
ipsec.conf follows... only the barf to come :-)

config setup
    interfaces=%defaultroute
    klipsdebug=none                 # I will turn this on!
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    type=tunnel
    keyexchange=ike
    keyingtries=0
    keylife=8h
    disablearrivalcheck=no
    right=150.101.241.74            # local machine's external address
    rightsubnet=192.168.1.0/24      # the local subnet address
    rightnexthop=150.101.241.73     # local default gateway
    authby=secret
    pfs=yes

conn roadwarrior
    left=%any
    auto=add

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
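The post's two concrete questions are what the "conn %default" section contributes to "conn roadwarrior", and whether an unrecognized parameter name in that section explains the "%search" messages. The following Python is an added example written for this page, not code from the post, from FreeS/WAN or from LEAF. It parses an ipsec.conf in FreeS/WAN's section layout (a "config setup" or "conn <name>" header in column 0, indented "name=value" lines, "#" comments), merges "conn %default" under each named conn the way the documented semantics describe, models "plutoload=%search" as picking conns with "auto=add" and "plutostart=%search" as picking conns with "auto=start", and flags parameter names that a given build does not know. The set of accepted parameter names is an assumption chosen so that "disablearrivalcheck" is rejected, reproducing the reported log line; it is not the parameter list of any particular FreeS/WAN release. The sample config is the poster's own, relaid one parameter per line, and the ipsec.secrets line is the one from the post.

```python
"""Parse a FreeS/WAN-style ipsec.conf and answer two questions from the post:
which parameter names a build would reject, and which conns a %search would
load (auto=add) or start (auto=start) once %default has been merged in."""
import re

# Constructed sample: the poster's ipsec.conf, one parameter per line.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    type=tunnel
    keyexchange=ike
    keyingtries=0
    keylife=8h
    disablearrivalcheck=no
    right=150.101.241.74        # local machine's external address
    rightsubnet=192.168.1.0/24
    rightnexthop=150.101.241.73
    authby=secret
    pfs=yes

conn roadwarrior
    left=%any
    auto=add
"""

# ASSUMPTION: an illustrative whitelist of conn parameters, deliberately
# without "disablearrivalcheck" so the check mirrors the poster's log line.
KNOWN_CONN_PARAMS = {
    "type", "keyexchange", "keyingtries", "keylife", "left", "right",
    "leftsubnet", "rightsubnet", "leftnexthop", "rightnexthop",
    "leftid", "rightid", "authby", "pfs", "auto",
}


def parse_ipsec_conf(text):
    """Return (setup params, {conn name: {param: value}})."""
    setup, conns = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header
            words = line.split()
            if words == ["config", "setup"]:
                current = setup
            elif len(words) == 2 and words[0] == "conn":
                current = conns.setdefault(words[1], {})
            else:
                raise ValueError("bad section header: %r" % raw)
            continue
        if current is None or "=" not in line:
            raise ValueError("parameter outside a section: %r" % raw)
        name, value = line.strip().split("=", 1)
        current[name.strip()] = value.strip()
    return setup, conns


def effective_conn(conns, name):
    """Merge 'conn %default' under the named conn; the conn's own values win."""
    merged = dict(conns.get("%default", {}))
    merged.update(conns[name])
    return merged


def unknown_params(conns, known=KNOWN_CONN_PARAMS):
    """(conn, param) pairs the assumed build would reject, in file order."""
    return [(cname, p) for cname, params in conns.items()
            for p in params if p not in known]


def search_conns(conns, mode):
    """Conn names a %search would pick for mode 'add' or 'start'."""
    return sorted(c for c in conns if c != "%default"
                  and effective_conn(conns, c).get("auto") == mode)


def report(text, known=KNOWN_CONN_PARAMS):
    """Summarise what the parser sees, in one dict."""
    _setup, conns = parse_ipsec_conf(text)
    return {
        "unknown": unknown_params(conns, known),
        "load": search_conns(conns, "add"),
        "start": search_conns(conns, "start"),
        "conns": {c: effective_conn(conns, c) for c in conns if c != "%default"},
    }


# ipsec.secrets PSK line: "<id> [<id> ...]: PSK \"secret\"" on one line.
PSK_LINE = re.compile(r'^\s*(.*?)\s*:\s*PSK\s+"([^"]*)"\s*$')


def parse_psk_line(line):
    """Split a PSK line into (list of index ids, secret)."""
    m = PSK_LINE.match(line)
    if not m:
        raise ValueError("not a PSK line: %r" % line)
    return m.group(1).split(), m.group(2)


if __name__ == "__main__":
    r = report(SAMPLE_CONF)
    print("unknown parameters:", r["unknown"])
    print("would load:", r["load"], "would start:", r["start"])
    print("effective roadwarrior:", r["conns"]["roadwarrior"])
    print(parse_psk_line('150.101.241.74 %any: PSK "mysecret"'))
```

Run against the sample, the report lists ("%default", "disablearrivalcheck") as the only rejected parameter, "roadwarrior" as the only conn a load-time %search would pick, and nothing for a start-time %search, which is why a "starting none" outcome is consistent with a conn that is only "auto=add". The merged roadwarrior conn carries left=%any together with the right-side values and authby=secret inherited from %default, and the secrets line splits into the two index ids and the secret.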