Re: [Users] IPSec WinXP interop
Strange that the subject Distinguished Name (DN) of your mailhost certificate seems to be identical to the DN of the CA. Could you enable debugging by setting

    klipsdebug=none
    plutodebug=all

in ipsec.conf and then, after you have tried to start up the connection, generate a barf:

    ipsec barf > barf.txt

and mail it to me. Also the output of ipsec auto --listall could be helpful.

Regards

Andreas

Antony Gelberg wrote:
> On Wed, Dec 31, 2003 at 04:04:39PM +0100, Reinhold Plew wrote:
> > Maybe you need this in your ipsec.conf to disable OE
>
> Thanks to you and Andreas, that worked great. I'm now getting this in my /var/log/auth.log:
>
> Jan 2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: Peer ID is ID_DER_ASN1_DN: 'C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'
> Jan 2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: no suitable connection for peer 'C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'
>
> Here's my current ipsec.conf (excluding the OE disable part):
>
> conn %default
>     keyingtries=0
>     disablearrivalcheck=no
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>
> conn mailhost-rw
>     type=transport
>     left=195.54.235.74
>     leftcert=mailhostCert.pem
>     leftprotoport=17/0
>     right=%any
>     rightprotoport=17/1701
>     auto=add
>     keyingtries=1
>     pfs=no
>
> I have tried generating a new CA, certificate, and key, but no joy. I must be very close now, but still no cigar.
>
> This might be useful as well:
>
> mailhost:/usr/local/sslca# ipsec auto --status
> 000 interface ipsec0/eth1 195.54.235.74
> 000
> 000 debug none
> 000
> 000 "mailhost-rw": 195.54.235.74[C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]:17/0...%any:17/1701
> 000 "mailhost-rw":   CAs: 'C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'...'%any'
> 000 "mailhost-rw":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
> 000 "mailhost-rw":   policy: RSASIG+ENCRYPT; interface: eth1; unrouted
> 000 "mailhost-rw":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
> 000 "mailhost-rw":   IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, flags=-strict
> 000 "mailhost-rw":   IKE algorithms found:  5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
> 000 "mailhost-rw":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
> 000 "mailhost-rw":   ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
> 000
> 000
>
> If there is any more log info that would be useful, please let me know what to post.
>
> A
>
> _______________________________________________
> FreeS/WAN Users mailing list
> users@lists.freeswan.org
> https://mj2.freeswan.org/cgi-bin/mj_wwwusr

-- 
=======================================================================
Andreas Steffen                      e-mail: [EMAIL PROTECTED]
strongSec GmbH                       home:   http://www.strongsec.com
Alter Zürichweg 20                   phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)      fax:    +41 1 730 80 65
======================================[strong internet security]=======
Re: [Users] IPSec WinXP interop
On Fri, Jan 02, 2004 at 12:47:58AM +, Antony Gelberg wrote:
> leftprotoport=17/0

Try with leftprotoport=17/1701. This depends on what version of Windows you're using.

> If there is any more log info that would be useful, please let me know
> what to post.

Key loading is working now? What does ipsec auto --listall say?

Valentin
Re: [Users] IPSec WinXP interop
On Wed, Dec 31, 2003 at 04:04:39PM +0100, Reinhold Plew wrote:
> Maybe you need this in your ipsec.conf to disable OE

Thanks to you and Andreas, that worked great. I'm now getting this in my /var/log/auth.log:

Jan 2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: Peer ID is ID_DER_ASN1_DN: 'C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'
Jan 2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: no suitable connection for peer 'C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'

Here's my current ipsec.conf (excluding the OE disable part):

conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn mailhost-rw
    type=transport
    left=195.54.235.74
    leftcert=mailhostCert.pem
    leftprotoport=17/0
    right=%any
    rightprotoport=17/1701
    auto=add
    keyingtries=1
    pfs=no

I have tried generating a new CA, certificate, and key, but no joy. I must be very close now, but still no cigar.

This might be useful as well:

mailhost:/usr/local/sslca# ipsec auto --status
000 interface ipsec0/eth1 195.54.235.74
000
000 debug none
000
000 "mailhost-rw": 195.54.235.74[C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]:17/0...%any:17/1701
000 "mailhost-rw":   CAs: 'C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'...'%any'
000 "mailhost-rw":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mailhost-rw":   policy: RSASIG+ENCRYPT; interface: eth1; unrouted
000 "mailhost-rw":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "mailhost-rw":   IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, flags=-strict
000 "mailhost-rw":   IKE algorithms found:  5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
000 "mailhost-rw":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "mailhost-rw":   ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000
000

If there is any more log info that would be useful, please let me know what to post.

A
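A small diagnostic for the situation in this message, added here as an example (it is not code from the thread or from FreeS/WAN): it pulls the pluto "Peer ID is ID_DER_ASN1_DN" lines out of auth.log and the conn's left ID and CA DNs out of ipsec auto --status, compares the DNs after normalising attribute case and spacing, and reports when the peer's certificate DN is identical to the CA DN or to the gateway's own left ID, which is the oddity Andreas points out in his reply. The log and status lines are constructed from the thread, with a placeholder e-mail RDN in place of the redacted one.

```python
import re

# Constructed sample input modelled on the thread's auth.log and
# "ipsec auto --status" output; the E= value is a placeholder.
DN = ("C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, "
      "CN=British WIZO, E=ca@example.invalid")
AUTH_LOG = [
    'Jan 2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: '
    f"Peer ID is ID_DER_ASN1_DN: '{DN}'",
    'Jan 2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: '
    f"no suitable connection for peer '{DN}'",
]
STATUS = [
    f'000 "mailhost-rw": 195.54.235.74[{DN}]:17/0...%any:17/1701',
    f"000 \"mailhost-rw\":   CAs: '{DN}'...'%any'",
]

PEER_RE = re.compile(r'"([^"]+)"\[\d+\] (\S+) #\d+: Peer ID is ID_DER_ASN1_DN: \'([^\']*)\'')
LEFT_RE = re.compile(r'^000 "([^"]+)": \S+\[([^\]]*)\]')       # left end: ADDR[DN]:proto/port
CA_RE = re.compile(r'^000 "([^"]+)": +CAs: \'([^\']*)\'')       # left CA DN (right CA follows)

def parse_dn(text):
    """'C=UK, O=Foo' -> [('C', 'UK'), ('O', 'Foo')]: attribute types compare
    case-insensitively and whitespace around the separators is not significant."""
    rdns = []
    for part in text.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def dn_equal(a, b):
    return parse_dn(a) == parse_dn(b)

def peer_ids(log_lines):
    """(conn, peer address, peer DN) for every 'Peer ID is ID_DER_ASN1_DN' line."""
    return [m.groups() for line in log_lines if (m := PEER_RE.search(line))]

def conn_ids(status_lines):
    """{conn: {'left_id': DN, 'ca': DN}} parsed from ipsec auto --status output."""
    out = {}
    for line in status_lines:
        if m := LEFT_RE.match(line):
            out.setdefault(m.group(1), {})["left_id"] = m.group(2)
        elif m := CA_RE.match(line):
            out.setdefault(m.group(1), {})["ca"] = m.group(2)
    return out

def diagnose(log_lines, status_lines):
    """Flag peers whose certificate DN collides with the CA DN or with our own ID."""
    findings = []
    conns = conn_ids(status_lines)
    for conn, peer, peer_dn in peer_ids(log_lines):
        ids = conns.get(conn, {})
        if "ca" in ids and dn_equal(peer_dn, ids["ca"]):
            findings.append(f"{conn}: peer {peer} presents the CA's own DN")
        if "left_id" in ids and dn_equal(peer_dn, ids["left_id"]):
            findings.append(f"{conn}: peer {peer} presents our own left ID DN")
    return findings
```

Running diagnose(AUTH_LOG, STATUS) on the constructed input yields both findings for mailhost-rw, since in this thread the peer DN, the CA DN and the left ID are all the same string.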
Re: [Users] IPSec WinXP interop
Antony Gelberg wrote:
> Right, I've upgraded to freeswan 2.01 from backports.org. This was because the 1.96 that I was using from Woody didn't recognise the leftprotoport and rightprotoport commands. I apt-got the source, grepped, and sure enough they weren't there. This leads me to believe that the
>
> But now I have a different problem. Upon reboot (recompiled the kernel with the 2.01 patch), I couldn't ssh in. Doh! I was just able to get onsite, and there was a problem with the routing table.
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Metric Ref    Use Iface
> localnet        *               255.255.255.240 0      0        0 eth1
> localnet        *               255.255.255.240 0      0        0 ipsec0
> 10.0.0.0        *               255.0.0.0       0      0        0 eth0
> default         195.54.235.73   128.0.0.0       0      0        0 ipsec0
> 128.0.0.0       195.54.235.73   128.0.0.0       0      0        0 ipsec0
> default         195.54.235.73   0.0.0.0         0      0        0 eth1
>
> What happens is that pings in or out cause the ipsec0 packet transmit count to increase, and that's about it. I had to /etc/init.d/stop ipsec to get connectivity back. I've googled a bit and don't see the answer. Best I could come up with was http://lists.virus.org/freeswan-0307/msg00363.html. This states that OE can cause freeswan to take over the default route. But I don't want OE, and I can't for the life of me work out how to switch it off. I think it has something to do with the default policies that 1.96 didn't have, but I also can't work out how to switch them off.

http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/policygroups.html#disable_oe

Disabling Opportunistic Encryption

To disable OE (eg. policy groups and packetdefault), cut and paste the following lines to /etc/ipsec.conf:

    conn block
        auto=ignore
    conn private
        auto=ignore
    conn private-or-clear
        auto=ignore
    conn clear-or-private
        auto=ignore
    conn clear
        auto=ignore
    conn packetdefault
        auto=ignore

Regards

Andreas

=======================================================================
Andreas Steffen                      e-mail: [EMAIL PROTECTED]
strongSec GmbH                       home:   http://www.strongsec.com
Alter Zürichweg 20                   phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)      fax:    +41 1 730 80 65
======================================[strong internet security]=======
Re: [Users] IPSec WinXP interop
Antony Gelberg wrote:
> Right, I've upgraded to freeswan 2.01 from backports.org. This was because the 1.96 that I was using from Woody didn't recognise the leftprotoport and rightprotoport commands. I apt-got the source, grepped, and sure enough they weren't there. This leads me to believe that the
>
> But now I have a different problem. Upon reboot (recompiled the kernel with the 2.01 patch), I couldn't ssh in. Doh! I was just able to get onsite, and there was a problem with the routing table.
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Metric Ref    Use Iface
> localnet        *               255.255.255.240 0      0        0 eth1
> localnet        *               255.255.255.240 0      0        0 ipsec0
> 10.0.0.0        *               255.0.0.0       0      0        0 eth0
> default         195.54.235.73   128.0.0.0       0      0        0 ipsec0
> 128.0.0.0       195.54.235.73   128.0.0.0       0      0        0 ipsec0
> default         195.54.235.73   0.0.0.0         0      0        0 eth1
>
> What happens is that pings in or out cause the ipsec0 packet transmit count to increase, and that's about it. I had to /etc/init.d/stop ipsec to get connectivity back. I've googled a bit and don't see the answer. Best I could come up with was http://lists.virus.org/freeswan-0307/msg00363.html. This states that OE can cause freeswan to take over the default route. But I don't want OE, and I can't for the life of me work out how to switch it off. I think it has something to do with the default policies that 1.96 didn't have, but I also can't work out how to switch them off.

Maybe you need this in your ipsec.conf to disable OE:

/-
    # auto=ignore means disable
    conn block
        auto=ignore
    conn clear
        auto=ignore
    conn private
        auto=ignore
    conn clear-or-private
        auto=ignore
    conn private-or-clear
        auto=ignore
    conn packetdefault
        auto=ignore
\--

> A
>
> _______________________________________________
> FreeS/WAN Users mailing list
> users@lists.freeswan.org
> https://mj2.freeswan.org/cgi-bin/mj_wwwusr

Reinhold
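The OE-disabling stanzas that Andreas quotes from the FreeS/WAN policy-groups documentation and that Reinhold posts above are easy to get subtly wrong (a missed conn, or a typo in its name, silently leaves that policy group active). The following checker is an added example, not code from the thread or from FreeS/WAN: it parses a FreeS/WAN-style ipsec.conf (section headers at column 0, indented key=value parameters, # comments), applies conn %default inheritance the way the config semantics describe, and lists any of the six policy-group conns that is not set to auto=ignore. SAMPLE_CONF is constructed from the poster's conn and the stanzas in the thread.

```python
OE_CONNS = ("block", "clear", "private", "clear-or-private",
            "private-or-clear", "packetdefault")

# Constructed ipsec.conf modelled on the thread: the poster's conn plus the
# OE-disabling stanzas Andreas and Reinhold quote.
SAMPLE_CONF = """\
conn %default
    keyingtries=0
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn mailhost-rw
    type=transport
    left=195.54.235.74
    leftprotoport=17/0
    right=%any
    rightprotoport=17/1701
    auto=add
    keyingtries=1
# auto=ignore means disable
conn block
    auto=ignore
conn clear
    auto=ignore
conn private
    auto=ignore
conn clear-or-private
    auto=ignore
conn private-or-clear
    auto=ignore
conn packetdefault
    auto=ignore
"""

def parse_ipsec_conf(text):
    """{'conn NAME' / 'config setup': {key: value}} from ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments and trailing space
        if not line.strip():
            continue
        if not raw[0].isspace():               # unindented: "conn NAME" / "config setup"
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is not None:              # indented: parameter of the open section
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def effective_conn(sections, name):
    """A conn inherits every parameter of 'conn %default' it does not set itself."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections.get(f"conn {name}", {}))
    return merged

def oe_findings(sections):
    """List the OE policy-group conns that are not explicitly disabled."""
    findings = []
    for name in OE_CONNS:
        auto = sections.get(f"conn {name}", {}).get("auto")
        if auto != "ignore":
            findings.append(f"conn {name}: auto={auto or '<unset>'} (expected ignore)")
    return findings
```

With SAMPLE_CONF as given, oe_findings returns an empty list; deleting any one of the six stanzas makes it name the conn that is still active.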