Hi all,

I need a little help connecting strongswan to WinXP Prof SP2.
Two Linux boxes connected this way have been running stably for 2 years.
It seems something is wrong around authentication, but I can't find
what.
I'd like X.509 certificate-based auth, using the Marcus Mueller VPN
tool. I imported the certificates through mmc, and they seem to be
fine. I copied the rightca value from the issuer's details.
XP is up to date. There is no firewall between the two machines yet.
I've already searched the net and read a lot of relevant docs, but got
no further... :(

The Linux side gets this far:
002 "gd_rw_net" #15: initiating Main Mode
104 "gd_rw_net" #15: STATE_MAIN_I1: initiate
003 "gd_rw_net" #15: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
003 "gd_rw_net" #15: ignoring Vendor ID payload [FRAGMENTATION]
003 "gd_rw_net" #15: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
106 "gd_rw_net" #15: STATE_MAIN_I2: sent MI2, expecting MR2
002 "gd_rw_net" #15: we have a cert and are sending it
108 "gd_rw_net" #15: STATE_MAIN_I3: sent MI3, expecting MR3
010 "gd_rw_net" #15: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "gd_rw_net" #15: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "gd_rw_net" #15: ignoring Delete SA payload: ISAKMP SA not established
031 "gd_rw_net" #15: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message

The relevant part of the Linux box's ipsec.conf:

config setup
    interfaces="ipsec0=eth0, ipsec1=eth3"
    plutodebug=none
    nat_traversal=no
    strictcrlpolicy=no

conn %default
    keyexchange=ike
    auth=esp
    keyingtries=1
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold
    keylife=60m
    ikelifetime=60m
    rekey=yes
    rekeymargin=10m
    pfs=yes
    authby=rsasig
    compress=no

conn gd_rw_net
    type=tunnel
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=192.168.11.254
    leftsourceip=192.168.0.254
    leftsubnet=192.168.0.0/24
    leftcert=firewall_cert.pem
    right=192.168.11.1
    rightcert=gyorgyi-laptop_cert.pem
    auto=add

WinXP ipsec.conf:
conn gd_rw_net
    left=%any
    right=192.168.11.254
    rightsubnet=192.168.0.0/24
    rightca="C=XX, O=XXX, CN=XXXXC"
    pfs=yes
    network=lan
    auto=start


Any ideas?
Thanks in advance for the help.
Zoli
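As an added example, not part of Zoli's post and not strongSwan's own code, the script below does the two checks a reader would want to make first from what is quoted above: it parses the two ipsec.conf conn sections and verifies that the left/right parameters mirror each other across the peers, and it parses the pluto status lines to classify where Main Mode stalled. The log and config text embedded in it are constructed copies of the fragments in the post (wrapped lines joined); the diagnosis wording is the script's own, based on pluto's "first encrypted message" hint, since MI3 is the first encrypted Main Mode message and carries the initiator's ID, certificate and RSA signature.

```python
"""Cross-check two Pluto-style ipsec.conf conn sections and classify where an
IKEv1 Main Mode negotiation stalled from pluto status lines (added example)."""
import re

# Constructed sample: the pluto status output from the post, wrapped lines joined.
PLUTO_LOG = """\
002 "gd_rw_net" #15: initiating Main Mode
104 "gd_rw_net" #15: STATE_MAIN_I1: initiate
003 "gd_rw_net" #15: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
003 "gd_rw_net" #15: ignoring Vendor ID payload [FRAGMENTATION]
003 "gd_rw_net" #15: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
106 "gd_rw_net" #15: STATE_MAIN_I2: sent MI2, expecting MR2
002 "gd_rw_net" #15: we have a cert and are sending it
108 "gd_rw_net" #15: STATE_MAIN_I3: sent MI3, expecting MR3
010 "gd_rw_net" #15: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "gd_rw_net" #15: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "gd_rw_net" #15: ignoring Delete SA payload: ISAKMP SA not established
031 "gd_rw_net" #15: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
"""

# Constructed samples: the two conn sections quoted in the post.
LINUX_CONF = """\
conn gd_rw_net
    type=tunnel
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=192.168.11.254
    leftsourceip=192.168.0.254
    leftsubnet=192.168.0.0/24
    leftcert=firewall_cert.pem
    right=192.168.11.1
    rightcert=gyorgyi-laptop_cert.pem
    auto=add
"""
XP_CONF = """\
conn gd_rw_net
    left=%any
    right=192.168.11.254
    rightsubnet=192.168.0.0/24
    rightca="C=XX, O=XXX, CN=XXXXC"
    pfs=yes
    network=lan
    auto=start
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; headers ('conn X', 'config setup') are unindented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.split(None, 1)[-1].strip()  # 'conn gd_rw_net' -> 'gd_rw_net'
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


# Parameters that describe the same endpoint from the two peers' points of view:
# A's left* must equal B's right* and A's right* must equal B's left*.
MIRRORED = [("left", "right"), ("leftsubnet", "rightsubnet"),
            ("leftid", "rightid"), ("leftca", "rightca")]


def cross_check(conn_a, conn_b, wildcard="%any"):
    """List every mirrored parameter that is set on both sides but disagrees."""
    findings = []
    for left_key, right_key in MIRRORED:
        for key_a, key_b in ((left_key, right_key), (right_key, left_key)):
            val_a, val_b = conn_a.get(key_a), conn_b.get(key_b)
            if val_a is None or val_b is None or wildcard in (val_a, val_b):
                continue  # unset on one side, or a roaming wildcard: nothing to compare
            if val_a != val_b:
                findings.append(f"{key_a}={val_a} (A) != {key_b}={val_b} (B)")
    return findings


STATUS_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')


def diagnose(s):
    """Map the last state and retransmission count to the exchange that got no answer."""
    if s["last_state"] == "STATE_MAIN_I3" and s["retransmissions"]:
        # MI3 is the first encrypted Main Mode message (ID, certificate, signature).
        # A responder that rejects them commonly answers nothing, which is what
        # pluto's "possible authentication failure" hint refers to.
        return "stalled after MI3: responder did not accept our identity/certificate"
    if s["last_state"] in ("STATE_MAIN_I1", "STATE_MAIN_I2") and s["retransmissions"]:
        return f"stalled at {s['last_state']}: no IKE reply at all (reachability or proposal)"
    if s["last_state"] in ("STATE_MAIN_I4", "STATE_QUICK_I2"):
        return "Main Mode completed"
    return "undetermined"


def analyse_pluto_log(text):
    """Summarise the initiator's progress through Main Mode from pluto status lines."""
    s = {"conn": None, "last_state": None, "cert_sent": False,
         "retransmissions": 0, "auth_failure": False, "peer_vendor_ids": []}
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if not m:
            continue
        s["conn"], msg = m.group("conn"), m.group("msg")
        state = re.search(r"STATE_\w+", msg)
        if state:
            s["last_state"] = state.group(0)
        vid = re.search(r"Vendor ID payload \[(.+?)\]", msg)
        if vid:
            s["peer_vendor_ids"].append(vid.group(1))  # what the peer advertised
        s["cert_sent"] |= msg.startswith("we have a cert and are sending it")
        s["retransmissions"] += "retransmission;" in msg
        s["auth_failure"] |= "authentication failure" in msg
    s["diagnosis"] = diagnose(s)
    return s


if __name__ == "__main__":
    a = parse_ipsec_conf(LINUX_CONF)["gd_rw_net"]
    b = parse_ipsec_conf(XP_CONF)["gd_rw_net"]
    print("config mismatches:", cross_check(a, b) or "none")
    print(analyse_pluto_log(PLUTO_LOG))
```

Run against the quoted fragments, the mirrored parameters agree (the XP side's left=%any is treated as a wildcard), and the log summary reports a stall after MI3 with the certificate already sent, which points the investigation at how the XP responder validates the Linux side's certificate and ID rather than at reachability or proposals. Certificate file names are deliberately not mirrored, since each side names its own local files.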

_________________________________________________
linux list      -      linux@mlf.linux.rulez.org
http://mlf2.linux.rulez.org/mailman/listinfo/linux
