Thank you for the reply Florin. I guess what is confusing me is that the
first configuration file assumes that 2.2.2.2 is the left machine and
3.3.3.3 is the right machine. Well, on the machine with the 3.3.3.3 address,
should it also still be configured as the right machine on that machine? For
some reason, that is just not clear to me.

Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Florin
Sent: Monday, October 18, 2004 4:18 AM
To: [EMAIL PROTECTED]
Subject: Re: [Security Firewall] More VPN battles

Hi,

there is a problem with the certificates:

first you associate 3.3.3.3 with remote.machine.crt, then on the right side
you associate it with local.machine.crt. This cannot be right.


>"Jason Whitman" <[EMAIL PROTECTED]> writes:

> Here is the ipsec.conf for the left box set up as CA:
> 
> config setup
>         interfaces=%defaultroute
>         klipsdebug=none
>         plutodebug=none
>         plutoload=%search
>         plutostart=%search
>         uniqueids=yes
> 
> conn %default
>         pfs=yes
>         keyingtries=1
>         compress=yes
>         disablearrivalcheck=no
>         left=2.2.2.2
>         leftcert=local.machine.crt
>         leftrsasigkey=%cert
>         leftsubnet=192.168.0.0/24
>         leftnexthop=2.2.2.1
> 
> conn right.side-vpn
>         authby=rsasig
>         auto=start
>         right=3.3.3.3
>         rightcert=remote.machine.crt
>         rightrsasigkey=%cert
>         rightsubnet=192.168.1.0/24
>         rightnexthop=3.3.3.1
> 
> and for the right box:
> 
> config setup
>         interfaces=%defaultroute
>         klipsdebug=none
>         plutodebug=none
>         plutoload=%search
>         plutostart=%search
>         uniqueids=yes
> 
> conn %default
>         pfs=yes
>         keyingtries=1
>         compress=yes
>         disablearrivalcheck=no
>         left=3.3.3.3
>         leftcert=local.machine.crt
>         leftrsasigkey=%cert
>         leftsubnet=192.168.1.0/24
>         leftnexthop=3.3.3.1
> 
> conn right.side-vpn
>         authby=rsasig
>         auto=start
>         right=2.2.2.2
>         rightcert=remote.machine.crt
>         rightrsasigkey=%cert
>         rightsubnet=192.168.0.0/24
>         rightnexthop=2.2.2.1
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Whitman
> Sent: Friday, October 15, 2004 11:53 PM
> To: [EMAIL PROTECTED]
> Subject: [Security Firewall] More VPN battles
> 
> 
> This VPN setup has turned into a battle. I have followed the 
> directions (online docs) for setting up a MNF to MNF VPN. I have set 
> up both firewalls with the fw wan port 500 tcp+udp as directed in a 
> message on the mailing list. My logs for the left side are as follows:
> 
> Oct 15 23:04:13 pluto[11479]:   loaded host cert file '/etc/freeswan/ipsec.d/local.machine.crt' (1326 bytes)
> Oct 15 23:04:13 pluto[11479]:   loaded host cert file '/etc/freeswan/ipsec.d/remote.machine.crt' (1326 bytes)
> Oct 15 23:04:13 pluto[11479]: added connection description "right.fw-vpn"
> Oct 15 23:04:13 pluto[11479]: listening for IKE messages
> Oct 15 23:04:13 pluto[11479]: adding interface ipsec0/eth1 1.1.1.1
> Oct 15 23:04:13 pluto[11479]: loading secrets from "/etc/freeswan/ipsec.secrets"
> Oct 15 23:04:13 pluto[11479]:   loaded private key file '/etc/freeswan/ipsec.d/private/local.machine.key' (1675 bytes)
> Oct 15 23:04:13 pluto[11479]: "right.fw" #1: initiating Main Mode
> Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #1: ISAKMP SA established
> Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
> Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #2: sent QI2, IPsec SA established
> Oct 15 23:04:23 pluto[11479]: "right.fw-vpn" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
> Oct 15 23:04:23 pluto[11479]: "right.fw-vpn" #1: received Delete SA payload: deleting ISAKMP State #1
> Oct 15 23:04:23 pluto[11479]: ERROR: asynchronous network error report on eth1 for message to 2.2.2.2 port 500, complainant 2.2.2.2: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> Oct 15 23:04:26 pluto[11479]: "right.fw-vpn" #3: responding to Main Mode
> Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #3: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #3: sent MR3, ISAKMP SA established
> Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #4: responding to Quick Mode
> Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #4: IPsec SA established
> 
> My logs for the right side connection are as follows:
> 
> Oct 15 23:04:25 ipsec__plutorun: Starting Pluto subsystem...
> Oct 15 23:04:25 pluto[24938]: Starting Pluto (FreeS/WAN Version 1.98b)
> Oct 15 23:04:25 pluto[24938]: including X.509 patch (Version 0.9.15)
> Oct 15 23:04:25 pluto[24938]: Changing to directory '/etc/freeswan/ipsec.d/cacerts'
> Oct 15 23:04:25 pluto[24938]: loaded cacert file 'ca.crt' (1325 bytes)
> Oct 15 23:04:25 pluto[24938]: Changing to directory '/etc/freeswan/ipsec.d/crls'
> Oct 15 23:04:25 pluto[24938]: loaded crl file 'crl.crt' (697 bytes)
> Oct 15 23:04:25 pluto[24938]: loaded my default X.509 cert file '/etc/freeswan/x509cert.der' (1325 bytes)
> Oct 15 23:04:26 pluto[24938]: loaded host cert file '/etc/freeswan/ipsec.d/local.machine.crt' (1325 bytes)
> Oct 15 23:04:26 pluto[24938]: loaded host cert file '/etc/freeswan/ipsec.d/remote.machine.crt' (1325 bytes)
> Oct 15 23:04:26 pluto[24938]: added connection description "left.fw-vpn"
> Oct 15 23:04:26 pluto[24938]: listening for IKE messages
> Oct 15 23:04:26 pluto[24938]: adding interface ipsec0/eth1 2.2.2.2
> Oct 15 23:04:26 pluto[24938]: loading secrets from "/etc/freeswan/ipsec.secrets"
> Oct 15 23:04:26 pluto[24938]: loaded private key file '/etc/freeswan/ipsec.d/private/local.machine.key' (1674 bytes)
> Oct 15 23:04:26 pluto[24938]: "left.fw-vpn" #1: initiating Main Mode
> Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #1: ISAKMP SA established
> Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
> Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #2: sent QI2, IPsec SA established
> Oct 15 23:04:43 pluto[24938]: "left.fw-vpn" #1: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
> 
> I cannot ping hosts on either network. I am stumped on this one. Any 
> ideas would be appreciated.
> 
> Jason
> 
> 
> 
> 
> ____________________________________________________
> Want to buy your Pack or Services from MandrakeSoft? 
> Go to http://www.mandrakestore.com
> Join the Club : http://www.mandrakeclub.com 
> ____________________________________________________

-- 
Florin                          http://www.mandrakesoft.com
                                http://people.mandrakesoft.com/~florin/
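An added consistency check, not part of the thread and not FreeS/WAN's own tooling, that reads the two ipsec.conf excerpts Jason posted and reports any peer address that the two boxes bind to different certificate names, which is the mismatch Florin describes. The parser and the constructed excerpts are mine; only the addresses and cert file names come from the posted configs.

```python
import re

# Constructed excerpts of the two ipsec.conf files posted in the thread
# (only the keys the check needs are kept).
LEFT_BOX = """\
conn %default
        left=2.2.2.2
        leftcert=local.machine.crt
conn right.side-vpn
        right=3.3.3.3
        rightcert=remote.machine.crt
"""
RIGHT_BOX = """\
conn %default
        left=3.3.3.3
        leftcert=local.machine.crt
conn right.side-vpn
        right=2.2.2.2
        rightcert=remote.machine.crt
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:  # 'config setup' is collected too but dropped below
            current = sections.setdefault(f"{m.group(1)} {m.group(2)}", {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    default = sections.pop("conn %default", {})
    return {n[5:]: {**default, **kv} for n, kv in sections.items() if n.startswith("conn ")}

def cert_conflicts(*configs):
    """Peer addresses bound to more than one cert name across all given configs."""
    bound = {}
    for cfg in configs:
        for kv in parse_conns(cfg).values():
            for side in ("left", "right"):
                if side in kv and side + "cert" in kv:
                    bound.setdefault(kv[side], set()).add(kv[side + "cert"])
    return {addr: sorted(c) for addr, c in bound.items() if len(c) > 1}

if __name__ == "__main__":
    for addr, certs in cert_conflicts(LEFT_BOX, RIGHT_BOX).items():
        print(f"{addr} is bound to {certs}: the two boxes disagree")
```

Each file is consistent on its own; the conflict only appears when both sides are checked together, which is why it is easy to miss when editing one box at a time.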