> There is not much to configure around the certs. Did you also feed the
> root cert to Windows, and did you import them into the proper folder?

Yes, through mmc. The machine's cert properly references the root cert in the certificate chain, and according to Windows the certs are fine. Among the IP security policies the FreeSwan policy name is visible, among the security methods IKE-3de-sha1 and IKE-3des-md5,... are listed, and under authenticated method the CA's subject is shown next to both filters.
I am attaching what I managed to get out of Windows as a log. It is a bit long. Maybe you can make something of it.

Zoli

Receive: (get) SA = 0x00000000 from 192.168.11.254.500
ISAKMP Header: (V1.0), len = 216
  I-COOKIE edf58db1173df605
  R-COOKIE 0000000000000000
  exchange: Oakley Main Mode
  flags: 0
  next payload: SA
  message ID: 00000000
Filter to match: Src 192.168.11.254 Dst 192.168.11.1
MM PolicyName: 4
MMPolicy dwFlags 2 SoftSAExpireTime 28800
MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
MMOffer[0] Encrypt: Háromszoros DES CBC Hash: SHA
MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
MMOffer[1] Encrypt: Háromszoros DES CBC Hash: MD5
MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
MMOffer[2] Encrypt: DES CBC Hash: SHA
MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
MMOffer[3] Encrypt: DES CBC Hash: MD5
Auth[0]:RSA Sig C=HU, O=VB_LIZING_RT, CN=VBL AuthFlags 0
Responding with new SA f1dc8
processing payload SA
Received Phase 1 Transform 0
  Life type in Seconds
  Life duration of 3600
  Encryption Alg Háromszoros DES CBC(5)
  Hash Alg SHA(2)
  Auth Method RSA-aláírás tanúsítványokkal(3)
  Oakley Group 5
Received Phase 1 Transform 1
  Life type in Seconds
  Life duration of 3600
  Encryption Alg Háromszoros DES CBC(5)
  Hash Alg SHA(2)
  Auth Method RSA-aláírás tanúsítványokkal(3)
  Oakley Group 2
Received Phase 1 Transform 2
  Life type in Seconds
  Life duration of 3600
  Encryption Alg Háromszoros DES CBC(5)
  Hash Alg MD5(1)
  Auth Method RSA-aláírás tanúsítványokkal(3)
  Oakley Group 5
Received Phase 1 Transform 3
  Life type in Seconds
  Life duration of 3600
  Encryption Alg Háromszoros DES CBC(5)
  Hash Alg MD5(1)
  Auth Method RSA-aláírás tanúsítványokkal(3)
  Oakley Group 2
Phase 1 SA accepted: transform=2
SA - Oakley proposal accepted
processing payload VENDOR ID
processing payload VENDOR ID
ClearFragList
constructing ISAKMP Header
constructing SA (ISAKMP)
Constructing Vendor MS NT5 ISAKMPOAKLEY
Constructing Vendor FRAGMENTATION
Constructing Vendor draft-ietf-ipsec-nat-t-ike-02

Sending: SA = 0x000F1DC8 to 192.168.11.254:Type 2.500
ISAKMP Header: (V1.0), len = 148
  I-COOKIE edf58db1173df605
  R-COOKIE bd3c890da7627966
  exchange: Oakley Main Mode
  flags: 0
  next payload: SA
  message ID: 00000000
Ports S:f401 D:f401

Receive: (get) SA = 0x000f1dc8 from 192.168.11.254.500
ISAKMP Header: (V1.0), len = 180
  I-COOKIE edf58db1173df605
  R-COOKIE bd3c890da7627966
  exchange: Oakley Main Mode
  flags: 0
  next payload: KE
  message ID: 00000000
processing payload KE
processing payload NONCE
ClearFragList
constructing ISAKMP Header
constructing KE
constructing NONCE (ISAKMP)
Constructing Cert Request
  C=HU, O=VB_LIZING_RT, CN=VBL

Sending: SA = 0x000F1DC8 to 192.168.11.254:Type 2.500
ISAKMP Header: (V1.0), len = 253
  I-COOKIE edf58db1173df605
  R-COOKIE bd3c890da7627966
  exchange: Oakley Main Mode
  flags: 0
  next payload: KE
  message ID: 00000000
Ports S:f401 D:f401

Receive: (get) SA = 0x000f1dc8 from 192.168.11.254.500
ISAKMP Header: (V1.0), len = 1412
  I-COOKIE edf58db1173df605
  R-COOKIE bd3c890da7627966
  exchange: Oakley Main Mode
  flags: 1 ( encrypted )
  next payload: ID
  message ID: 00000000
processing payload ID
processing payload CERT
processing payload CRP
processing payload SIG
Verifying CertStore
SubjectName: C=HU, O=VB_LIZING_RT, CN=firewall.vblizing.hu
Cert Serialnumber 01
Cert SHA Thumbprint 9b04b36a994b3554bcd20a761bbb27dc 6ec84b0d
failed to get chain -2146885628
isadb_set_status sa:000F1DC8 centry:00000000 status 35e9
Kulcscsere mód (f
Forrás IP-címe: 192.168.11.1
Forrás IP-címének maszkja: 255.255.255.255
Cél IP-címe: 192.168.11.254
Cél IP-címének maszkja: 255.255.255.255
Protokoll: 0
Forrás portja: 0
Cél portja: 0
IKE helyi cím 192.168.11.1
IKE peer cím 192.168.11.254
Tanúsítvánnyal hitelesített identitás.
Társgép-tulajdonos C=HU, O=VB_LIZING_RT, CN=firewall.vblizing.hu
Társgép SHA-ujjlenyomata 0000000000000000000000000000000000000000
Társgép tanúsítványát kiállító szolgáltató Legfels
Én
Az internetes kulcscsere hitelesít
0x0 0x0
ProcessFailure: sa:000F1DC8 centry:00000000 status:35e9
Not creating notify.

Receive: (get) SA = 0x000f1dc8 from 192.168.11.254.500
ISAKMP Header: (V1.0), len = 1412
  I-COOKIE edf58db1173df605
  R-COOKIE bd3c890da7627966
  exchange: Oakley Main Mode
  flags: 1 ( encrypted )
  next payload: ID
  message ID: 00000000
Dropping SA processing because SA status set. SA 000F1DC8 Centry 00000000 Status 35e9

Receive: (get) SA = 0x000f1dc8 from 192.168.11.254.500
ISAKMP Header: (V1.0), len = 1412
  I-COOKIE edf58db1173df605
  R-COOKIE bd3c890da7627966
  exchange: Oakley Main Mode
  flags: 1 ( encrypted )
  next payload: ID
  message ID: 00000000
Dropping SA processing because SA status set. SA 000F1DC8 Centry 00000000 Status 35e9
SA Dead. sa:000F1DC8 status:35f0
constructing ISAKMP Header
constructing HASH (null)
constructing DELETE. MM 000F1DC8
constructing HASH (Notify/Delete)

Sending: SA = 0x000F1DC8 to 192.168.11.254:Type 1.500
ISAKMP Header: (V1.0), len = 84
  I-COOKIE edf58db1173df605
  R-COOKIE bd3c890da7627966
  exchange: ISAKMP Informational Exchange
  flags: 1 ( encrypted )
  next payload: HASH
  message ID: 2e238fc5
Ports S:f401 D:f401
ClearFragList

_________________________________________________
linux list - linux@mlf.linux.rulez.org
http://mlf2.linux.rulez.org/mailman/listinfo/linux
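Added example, not part of the original message: a small triage script for a log like the one above. It pulls out each "failed to get chain" entry together with the certificate being verified, and decodes the signed-decimal error and the hex SA status into Windows error codes. The function name triage and the partial name tables are choices made for this example; the sample text is an excerpt of the posted log.

```python
import re

# Partial tables of Windows error names (from winerror.h); anything else is
# reported numerically rather than guessed.
HRESULT_NAMES = {
    0x80092004: "CRYPT_E_NOT_FOUND",
    0x80092010: "CRYPT_E_REVOKED",
    0x80092012: "CRYPT_E_NO_REVOCATION_CHECK",
    0x80092013: "CRYPT_E_REVOCATION_OFFLINE",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010A: "CERT_E_CHAINING",
}
IKE_STATUS_NAMES = {13801: "ERROR_IPSEC_IKE_AUTH_FAIL", 13806: "ERROR_IPSEC_IKE_NO_CERT"}

# The log may arrive line-wrapped or run together, so match across whitespace.
CHAIN_RE = re.compile(
    r"SubjectName:\s*(?P<subject>.+?)\s+Cert Serialnumber\s+(?P<serial>\S+)"
    r".{0,200}?failed to get chain\s+(?P<code>-?\d+)", re.S)
FAIL_RE = re.compile(
    r"ProcessFailure:\s*sa:(?P<sa>[0-9A-Fa-f]+)\s+centry:\S+\s+status:(?P<st>[0-9A-Fa-f]+)")

def triage(log_text):
    """Return decoded certificate-chain failures and failed SAs from an Oakley log."""
    chain = []
    for m in CHAIN_RE.finditer(log_text):
        hr = int(m["code"]) & 0xFFFFFFFF   # logged as signed 32-bit decimal
        chain.append({"subject": " ".join(m["subject"].split()),
                      "serial": m["serial"],
                      "hresult": f"0x{hr:08X}",
                      "name": HRESULT_NAMES.get(hr, "unknown")})
    sas = []
    for m in FAIL_RE.finditer(log_text):
        status = int(m["st"], 16)          # logged as bare hex
        sas.append({"sa": m["sa"].upper(), "status": status,
                    "name": IKE_STATUS_NAMES.get(status, "unknown")})
    return {"chain_failures": chain, "sa_failures": sas}

# Excerpt of the log from the message above, rewrapped for the example.
SAMPLE = """\
processing payload SIG
Verifying CertStore
SubjectName: C=HU, O=VB_LIZING_RT, CN=firewall.vblizing.hu
Cert Serialnumber 01
Cert SHA Thumbprint 9b04b36a994b3554bcd20a761bbb27dc 6ec84b0d
failed to get chain -2146885628
isadb_set_status sa:000F1DC8 centry:00000000 status 35e9
ProcessFailure: sa:000F1DC8 centry:00000000 status:35e9
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the posted log this gives 0x80092004, CRYPT_E_NOT_FOUND ("Cannot find object or property"), for the peer certificate CN=firewall.vblizing.hu, and status 0x35e9 = 13801, ERROR_IPSEC_IKE_AUTH_FAIL, for SA 000F1DC8.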