Obviously you have a problem with the certificate generation ..

Maybe you can explain to us, in detail, what exactly you have done ...

> "Jason Whitman" <[EMAIL PROTECTED]> writes:

> Well, I set it up as you mentioned, did a clean install on both machines and
> carefully generated the certs, copied them with scp from 2.2.2.2 to 3.3.3.3,
> set them up with 2.2.2.2 as left on each box and 3.3.3.3 as right. I get the
> following in my logs:
> 
> Oct 19 21:15:09 left pluto[28039]: "remote.machine-vpn" #4: end certificate with identical subject and issuer not accepted
> Oct 19 21:15:09 left pluto[28039]: "remote.machine-vpn" #4: X.509 certificate rejected
> Oct 19 21:15:09 left pluto[28039]: "remote.machine-vpn" #4: sent MR3, ISAKMP SA established
> Oct 19 21:29:47 left pluto[28039]: packet from 3.3.3.3:500: Informational Exchange is for an unknown (expired?) SA
> 
> As I mentioned, I carefully created the certs in the right order and copied
> ca.crt, crl.crt, local.machine.crt, remote.machine.crt, remote.machine.key,
> x509cert.der to the remote machine and placed them in the correct
> directories. This is becoming frustrating. There are no odd entries in the
> log for the right machine.
> 
> Jason
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Florin
> Sent: Monday, October 18, 2004 3:34 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Security Firewall] More VPN battles
> 
> 
> "Jason Whitman" <[EMAIL PROTECTED]> writes:
> 
> > Thank you for the reply Florin. I guess what is confusing me is that the
> > first configuration file assumes that 2.2.2.2 is the left machine and
> > 3.3.3.3 is the right machine. Well on the machine with the 3.3.3.3 address
> > should it also still be configured as the right machine on that machine?
> > For some reason, that is just not clear to me.
> 
> If you have only two sides, left and right .. then it doesn't matter who
> is left or right. Simply imagine the network picture as if you were
> drawing it on paper. Then 2.2.2.2 is the left side ... on both sides,
> and 3.3.3.3 the right side, on both sides, for example, but it really
> doesn't matter. In any case, make sure the certificates are the same for
> 2.2.2.2 on both sides. It's the one you have copied, right?
> 
> If you have more than two VPN points, then it's more tricky ...
> 
> > Jason
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Florin
> > Sent: Monday, October 18, 2004 4:18 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Security Firewall] More VPN battles
> >
> > Hi,
> >
> > there is a problem with the certificates:
> >
> > first you associate 3.3.3.3 with remote.machine.crt, then on the right side
> > you associate it with local.machine.crt. This cannot be right.
> >
> >
> > > "Jason Whitman" <[EMAIL PROTECTED]> writes:
> >
> > > Here is the ipsec.conf for the left box set up as CA:
> > >
> > > config setup
> > >         interfaces=%defaultroute
> > >         klipsdebug=none
> > >         plutodebug=none
> > >         plutoload=%search
> > >         plutostart=%search
> > >         uniqueids=yes
> > >
> > > conn %default
> > >         pfs=yes
> > >         keyingtries=1
> > >         compress=yes
> > >         disablearrivalcheck=no
> > >         left=2.2.2.2
> > >         leftcert=local.machine.crt
> > >         leftrsasigkey=%cert
> > >         leftsubnet=192.168.0.0/24
> > >         leftnexthop=2.2.2.1
> > >
> > > conn right.side-vpn
> > >         authby=rsasig
> > >         auto=start
> > >         right=3.3.3.3
> > >         rightcert=remote.machine.crt
> > >         rightrsasigkey=%cert
> > >         rightsubnet=192.168.1.0/24
> > >         rightnexthop=3.3.3.1
> > >
> > > and for the right box:
> > >
> > > config setup
> > >         interfaces=%defaultroute
> > >         klipsdebug=none
> > >         plutodebug=none
> > >         plutoload=%search
> > >         plutostart=%search
> > >         uniqueids=yes
> > >
> > > conn %default
> > >         pfs=yes
> > >         keyingtries=1
> > >         compress=yes
> > >         disablearrivalcheck=no
> > >         left=3.3.3.3
> > >         leftcert=local.machine.crt
> > >         leftrsasigkey=%cert
> > >         leftsubnet=192.168.1.0/24
> > >         leftnexthop=3.3.3.1
> > >
> > > conn right.side-vpn
> > >         authby=rsasig
> > >         auto=start
> > >         right=2.2.2.2
> > >         rightcert=remote.machine.crt
> > >         rightrsasigkey=%cert
> > >         rightsubnet=192.168.0.0/24
> > >         rightnexthop=2.2.2.1
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of Jason
> > > Whitman
> > > Sent: Friday, October 15, 2004 11:53 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [Security Firewall] More VPN battles
> > >
> > >
> > > This VPN setup has turned into a battle. I have followed the
> > > directions (online docs) for setting up a MNF to MNF VPN. I have set
> > > up both firewalls with the fw wan port 500 tcp+udp as directed in a
> > > message on the mailing list. My logs for the left side are as follows:
> > >
> > > Oct 15 23:04:13 pluto[11479]:   loaded host cert file '/etc/freeswan/ipsec.d/local.machine.crt' (1326 bytes)
> > > Oct 15 23:04:13 pluto[11479]:   loaded host cert file '/etc/freeswan/ipsec.d/remote.machine.crt' (1326 bytes)
> > > Oct 15 23:04:13 pluto[11479]: added connection description "right.fw-vpn"
> > > Oct 15 23:04:13 pluto[11479]: listening for IKE messages
> > > Oct 15 23:04:13 pluto[11479]: adding interface ipsec0/eth1 1.1.1.1
> > > Oct 15 23:04:13 pluto[11479]: loading secrets from "/etc/freeswan/ipsec.secrets"
> > > Oct 15 23:04:13 pluto[11479]:   loaded private key file '/etc/freeswan/ipsec.d/private/local.machine.key' (1675 bytes)
> > > Oct 15 23:04:13 pluto[11479]: "right.fw" #1: initiating Main Mode
> > > Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> > > Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #1: ISAKMP SA established
> > > Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
> > > Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #2: sent QI2, IPsec SA established
> > > Oct 15 23:04:23 pluto[11479]: "right.fw-vpn" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
> > > Oct 15 23:04:23 pluto[11479]: "right.fw-vpn" #1: received Delete SA payload: deleting ISAKMP State #1
> > > Oct 15 23:04:23 pluto[11479]: ERROR: asynchronous network error report on eth1 for message to 2.2.2.2 port 500, complainant 2.2.2.2: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> > > Oct 15 23:04:26 pluto[11479]: "right.fw-vpn" #3: responding to Main Mode
> > > Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #3: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> > > Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #3: sent MR3, ISAKMP SA established
> > > Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #4: responding to Quick Mode
> > > Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #4: IPsec SA established
> > >
> > > My logs for the right side connection are as follows:
> > >
> > > Oct 15 23:04:25 ipsec__plutorun: Starting Pluto subsystem...
> > > Oct 15 23:04:25 pluto[24938]: Starting Pluto (FreeS/WAN Version 1.98b)
> > > Oct 15 23:04:25 pluto[24938]: including X.509 patch (Version 0.9.15)
> > > Oct 15 23:04:25 pluto[24938]: Changing to directory '/etc/freeswan/ipsec.d/cacerts'
> > > Oct 15 23:04:25 pluto[24938]: loaded cacert file 'ca.crt' (1325 bytes)
> > > Oct 15 23:04:25 pluto[24938]: Changing to directory '/etc/freeswan/ipsec.d/crls'
> > > Oct 15 23:04:25 pluto[24938]: loaded crl file 'crl.crt' (697 bytes)
> > > Oct 15 23:04:25 pluto[24938]: loaded my default X.509 cert file '/etc/freeswan/x509cert.der' (1325 bytes)
> > > Oct 15 23:04:26 pluto[24938]: loaded host cert file '/etc/freeswan/ipsec.d/local.machine.crt' (1325 bytes)
> > > Oct 15 23:04:26 pluto[24938]: loaded host cert file '/etc/freeswan/ipsec.d/remote.machine.crt' (1325 bytes)
> > > Oct 15 23:04:26 pluto[24938]: added connection description "left.fw-vpn"
> > > Oct 15 23:04:26 pluto[24938]: listening for IKE messages
> > > Oct 15 23:04:26 pluto[24938]: adding interface ipsec0/eth1 2.2.2.2
> > > Oct 15 23:04:26 pluto[24938]: loading secrets from "/etc/freeswan/ipsec.secrets"
> > > Oct 15 23:04:26 pluto[24938]: loaded private key file '/etc/freeswan/ipsec.d/private/local.machine.key' (1674 bytes)
> > > Oct 15 23:04:26 pluto[24938]: "left.fw-vpn" #1: initiating Main Mode
> > > Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> > > Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #1: ISAKMP SA established
> > > Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
> > > Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #2: sent QI2, IPsec SA established
> > > Oct 15 23:04:43 pluto[24938]: "left.fw-vpn" #1: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
> > >
> > > I cannot ping hosts on either network. I am stumped on this one. Any
> > > ideas would be appreciated.
> > >
> > > Jason
> > >
> > >
> > >
> > >
> > > ____________________________________________________
> > > Want to buy your Pack or Services from MandrakeSoft?
> > > Go to http://www.mandrakestore.com
> > > Join the Club : http://www.mandrakeclub.com
> > > ____________________________________________________

-- 
Florin                          http://www.mandrakesoft.com
                                http://people.mandrakesoft.com/~florin/
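Florin's point in the Oct 18 4:18 AM message, that 3.3.3.3 is bound to remote.machine.crt on one box and to local.machine.crt on the other, can be checked mechanically. The Python below is an added example, not code from the thread, FreeS/WAN or the MNF documentation: it parses trimmed copies of the two posted ipsec.conf fragments (the conn %default inheritance is honoured, so the general case with several conns works too) and reports every endpoint IP whose certificate file differs between the two boxes.

```python
"""Cross-check two ipsec.conf fragments for the mistake Florin points out:
each endpoint IP must be bound to the same certificate file on both boxes.
Added example, not FreeS/WAN or MNF code; configs are trimmed thread copies."""

LEFT_BOX = """
conn %default
        left=2.2.2.2
        leftcert=local.machine.crt
conn right.side-vpn
        right=3.3.3.3
        rightcert=remote.machine.crt
"""

RIGHT_BOX = """
conn %default
        left=3.3.3.3
        leftcert=local.machine.crt
conn right.side-vpn
        right=2.2.2.2
        rightcert=remote.machine.crt
"""

def parse_conf(text):
    """Return {section header: {key: value}} for a minimal ipsec.conf."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented: "conn foo" / "config setup"
            current = sections.setdefault(line.strip(), {})
        else:                                # indented: key=value inside the section
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def ip_to_cert(conf):
    """Apply conn %default to each conn and map every endpoint IP to its cert file."""
    sections = parse_conf(conf)
    defaults = sections.get("conn %default", {})
    mapping = {}
    for name, body in sections.items():
        if name.startswith("conn ") and name != "conn %default":
            merged = {**defaults, **body}    # conn-specific keys override %default
            for side in ("left", "right"):
                if side in merged and side + "cert" in merged:
                    mapping[merged[side]] = merged[side + "cert"]
    return mapping

def cert_mismatches(conf_a, conf_b):
    """IPs that the two boxes bind to different certificate files."""
    a, b = ip_to_cert(conf_a), ip_to_cert(conf_b)
    return {ip: (a[ip], b[ip]) for ip in a if ip in b and a[ip] != b[ip]}
```

With the thread's two configs both IPs are reported; once the right box names the same left/right pair and the same cert files as the left box, the result is empty.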
