I'd like to set up a 'roadwarrior' VPN from a win2k/SSH-Sentinel box to a
dachstein CD firewall running the ipsec package from Charles's distro.
Following guitarlynn's "Basic IPSec VPN HowTo" I have configured the
basics for a PSK authentication. There is udp/500 traffic between the
boxes but no success so far...
In the auth.log on the firewall I see:
"initial Main Mode message received on 150.101.241.70:500 but no
connection has been authorized"
and on the client I see packets being sent from port 500 on the win2k
box to port 500 on the firewall with an eventual roadwarrior-side abort
after multiple retries.
So starting from the basics, in network.conf I have:
EXTERN_UDP_PORT0="0/0 500"
EXTERN_PROTO0="50 0/0"
EXTERN_PROTO1="51 0/0"
and the box has been freshly rebooted since configured.
In the ipsec barf there are a few hints of problems:
- "hostname --fqdn" and "hostname --ip-address" both fail with the
busybox hostname. I guess everyone would see this? There is no domain
name associated with this host.
- "/bin/sh: md5sum: command not found" -- but I guess this must not be a
problem either?
- at boot there is a message: "ipsec_setup: WARNING: ipsec0 has route
filtering turned on, KLIPS may not work" but I guess this does not
affect IKE authentication?
- and the following:
Jul 19 17:42:39 puppet ipsec__plutorun: auto=start search:
(/etc/ipsec.conf, line 27) unknown parameter name "disablearrivalcheck"
Jul 19 17:42:39 puppet ipsec__plutorun: unable to determine what conns
to start -- starting none
This one puzzles me a bit as the "disablearrivalcheck" parameter comes
straight from Lynn's FAQ. Maybe I've stuffed it up somehow? "starting
none" sounds bad but the roadwarrior connection is listed as
"auto=add"... maybe ok?
- and finally:
"Pluto[1202]: packet from 150.101.147.250:500: ignoring Vendor ID
payload" which doesn't sound fatal?
Having spent a good while trawling through google, I'm still at a loss.
Is it polite to post the ipsec barf (38kb) to this list? Or has someone
the time to scan through it offlist please?
A final question (based on Lynn's FAQ) - should the PSK in the secrets
file look something like:
# Use this for a "preshared secret key". keep it all on one line:
150.101.241.74 %any: PSK "mysecret"
Thanks and regards,
matt
-- ipsec.config follows... only the barf to come :-)
config setup
    interfaces=%defaultroute
    klipsdebug=none
    # I will turn this on!
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    type=tunnel
    keyexchange=ike
    keyingtries=0
    keylife=8h
    disablearrivalcheck=no
    right=150.101.241.74          # local machine's external adr
    rightsubnet=192.168.1.0/24    # the local subnet address
    rightnexthop=150.101.241.73   # local default gateway
    authby=secret
    pfs=yes

conn roadwarrior
    left=%any
    auto=add
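An added example, not from the post or from the LEAF/FreeS/WAN project, showing how the ipsec.conf layout above is read: section headers in column 0, indented name=value parameters under them, "conn %default" merged into every conn. The KNOWN_PARAMS set is an assumption (a hand-picked subset), and the sample config is a constructed, re-indented copy of the poster's file; the point it demonstrates is that a single parameter the installed parser does not know, placed in "conn %default", invalidates every conn it feeds.

```python
# Constructed sample (not the post's verbatim file): the poster's ipsec.conf
# re-indented the way FreeS/WAN requires, parameters indented under headers.
SAMPLE_CONF = """\
config setup
    plutostart=%search
conn %default
    type=tunnel
    disablearrivalcheck=no    # the parameter _plutorun rejected in auth.log
    right=150.101.241.74      # local machine's external adr
    rightsubnet=192.168.1.0/24
    authby=secret
    pfs=yes
conn roadwarrior
    left=%any
    auto=add
"""
# Assumption: hand-picked subset; the real list is ipsec.conf(5) for your FreeS/WAN.
KNOWN_PARAMS = {"interfaces", "plutoload", "plutostart", "type", "keyexchange",
                "right", "rightsubnet", "rightnexthop", "left", "authby", "pfs",
                "auto", "keyingtries", "keylife", "uniqueids", "klipsdebug"}

def parse_ipsec_conf(text):
    """Parse ipsec.conf into {'config setup' | 'conn NAME': {param: value}}.
    Headers sit in column 0, parameters are indented name=value, '#' is a comment."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comment and trailing ws
        if not line.strip():
            continue
        if not line[0].isspace():                 # column 0: a section header
            kind, _, name = line.strip().partition(" ")
            if kind not in ("config", "conn") or not name.strip():
                raise ValueError(f"line {lineno}: bad section header {line!r}")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        key, sep, value = line.strip().partition("=")
        if current is None or not sep:            # unindented or header-less param
            raise ValueError(f"line {lineno}: expected indented name=value")
        sections[current][key.strip()] = value.strip()
    return sections

def effective_conn(sections, name):
    """Merge 'conn %default' underneath a named conn, the way FreeS/WAN does."""
    return {**sections.get("conn %default", {}), **sections[f"conn {name}"]}

def unknown_params(sections):
    """Unknown parameters per section; one in 'conn %default' taints every conn."""
    bad = {s: sorted(k for k in p if k not in KNOWN_PARAMS) for s, p in sections.items()}
    return {s: ks for s, ks in bad.items() if ks}
```

Running unknown_params(parse_ipsec_conf(SAMPLE_CONF)) reports "disablearrivalcheck" under "conn %default", which is the section every conn (roadwarrior included) inherits from.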
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html