Thank you for the reply and help Florin. That was indeed the problem as I now have the VPN established. I think the instructions are wrong as they state that the CA and the first key in "other keys" should have exactly the same common name. Thanks again for the help.
Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Florin
Sent: Wednesday, October 20, 2004 5:02 PM
To: [EMAIL PROTECTED]
Subject: Re: [Security Firewall] More VPN battles

"Jason Whitman" <[EMAIL PROTECTED]> writes:

> OK, I went to the CA section and created a cert with values in each of the
> fields. The common name I used was the name of the mnf.machine. After I
> filled in the information I applied it and then generated an auto-signed
> cert. I then went to the other keys section and made the first entry the mnf
> box. I used the same common name as the CA.

This is the common mistake one can do here. Do not use the same name as for the ca, otherwise you will overwrite the ca and therefore the certificates will not be good from that point on.

When you create a ca, the result will be ca.crt. This will be used to autosign the rest of the certificates. If you create a certificate with the same name (ca), you will again create a ca.crt that will replace the real certificate.

Use "ca" for the ca and your computer names for the certificates.

> I then added the remote machine and hit apply. I copied the ca.crt, crl.crt,
> local.machine.crt, remote.machine.crt, remote.machine.key to the proper
> directories on the remote machine using scp. Please let me know if that is
> enough information, or if you need something else. I did not enter any
> information into the CA section of the remote box, obviously however I did
> notice in the /etc/freeswan/ipsec.d/private dir there was a ca.key and
> server.key. It did not appear to be loading those so I ignored them.
>
> Jason
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Florin
> Sent: Wednesday, October 20, 2004 3:29 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Security Firewall] More VPN battles
>
> > Obviously you have a problem with the certificates generation ..
> > maybe you can explain to us, with details, what you have done exactly ...
> >
> > "Jason Whitman" <[EMAIL PROTECTED]> writes:
> >
> > > Well, I set it up as you mentioned, did a clean install on both
> > > machines and carefully generated the certs, copied them with scp from
> > > 2.2.2.2 to 3.3.3.3, set them up with 2.2.2.2 as left on each box and
> > > 3.3.3.3 as right. I get the following in my logs:
> > >
> > > Oct 19 21:15:09 left pluto[28039]: "remote.machine-vpn" #4: end certificate with identical subject and issuer not accepted
> > > Oct 19 21:15:09 left pluto[28039]: "remote.machine-vpn" #4: X.509 certificate rejected
> > > Oct 19 21:15:09 left pluto[28039]: "remote.machine-vpn" #4: sent MR3, ISAKMP SA established
> > > Oct 19 21:29:47 left pluto[28039]: packet from 3.3.3.3:500: Informational Exchange is for an unknown (expired?) SA
> > >
> > > As I mentioned, I carefully created the certs in the right order and
> > > copied ca.crt, crl.crt, local.machine.crt, remote.machine.crt,
> > > remote.machine.key, x509cert.der to the remote machine and placed them
> > > in the correct directories. This is becoming frustrating. There are no
> > > odd entries in the log for the right machine.
> > >
> > > Jason
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Florin
> > > Sent: Monday, October 18, 2004 3:34 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [Security Firewall] More VPN battles
> >
> > "Jason Whitman" <[EMAIL PROTECTED]> writes:
> >
> > > Thank you for the reply Florin. I guess what is confusing me is that
> > > the first configuration file assumes that 2.2.2.2 is the left machine
> > > and 3.3.3.3 is the right machine. Well on the machine with the 3.3.3.3
> > > address should it also still be configured as the right machine on that
> > > machine? For some reason, that is just not clear to me.
> >
> > If you have only two sides: left and right .. then it doesn't matter
> > who is left or right. Simply, imagine the network picture as if you
> > were drawing that on a paper. Then, 2.2.2.2 is the left side ... on
> > both sides and 3.3.3.3 the right side, on both sides, for example but
> > it really doesn't matter. In any way, make sure the certificates are
> > the same for 2.2.2.2 on both sides. It's the one you have copied, right ?
> >
> > If you have more than two VPN points, then it's more tricky ...
> >
> > > Jason
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Florin
> > > Sent: Monday, October 18, 2004 4:18 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [Security Firewall] More VPN battles
> > >
> > > Hi,
> > >
> > > there is a problem with the certificates:
> > >
> > > first you associate 3.3.3.3 with remote.machine.crt, then on the
> > > right side you associate it with local.machine.crt. This cannot be right.
> > >
> > > "Jason Whitman" <[EMAIL PROTECTED]> writes:
> > >
> > > > Here is the ipsec.conf for the left box set up as CA:
> > > >
> > > > config setup
> > > >     interfaces=%defaultroute
> > > >     klipsdebug=none
> > > >     plutodebug=none
> > > >     plutoload=%search
> > > >     plutostart=%search
> > > >     uniqueids=yes
> > > >
> > > > conn %default
> > > >     pfs=yes
> > > >     keyingtries=1
> > > >     compress=yes
> > > >     disablearrivalcheck=no
> > > >     left=2.2.2.2
> > > >     leftcert=local.machine.crt
> > > >     leftrsasigkey=%cert
> > > >     leftsubnet=192.168.0.0/24
> > > >     leftnexthop=2.2.2.1
> > > >
> > > > conn right.side-vpn
> > > >     authby=rsasig
> > > >     auto=start
> > > >     right=3.3.3.3
> > > >     rightcert=remote.machine.crt
> > > >     rightrsasigkey=%cert
> > > >     rightsubnet=192.168.1.0/24
> > > >     rightnexthop=3.3.3.1
> > > >
> > > > and for the right box:
> > > >
> > > > config setup
> > > >     interfaces=%defaultroute
> > > >     klipsdebug=none
> > > >     plutodebug=none
> > > >     plutoload=%search
> > > >     plutostart=%search
> > > >     uniqueids=yes
> > > >
> > > > conn %default
> > > >     pfs=yes
> > > >     keyingtries=1
> > > >     compress=yes
> > > >     disablearrivalcheck=no
> > > >     left=3.3.3.3
> > > >     leftcert=local.machine.crt
> > > >     leftrsasigkey=%cert
> > > >     leftsubnet=192.168.1.0/24
> > > >     leftnexthop=3.3.3.1
> > > >
> > > > conn right.side-vpn
> > > >     authby=rsasig
> > > >     auto=start
> > > >     right=2.2.2.2
> > > >     rightcert=remote.machine.crt
> > > >     rightrsasigkey=%cert
> > > >     rightsubnet=192.168.0.0/24
> > > >     rightnexthop=2.2.2.1
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jason Whitman
> > > > Sent: Friday, October 15, 2004 11:53 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [Security Firewall] More VPN battles
> > > >
> > > > This VPN setup has turned into a battle. I have followed the
> > > > directions (online docs) for setting up a MNF to MNF VPN. I have
> > > > set up both firewalls with the fw wan port 500 tcp+udp as directed
> > > > in a message on the mailing list. My logs for the left side are as follows:
> > > >
> > > > Oct 15 23:04:13 pluto[11479]: loaded host cert file '/etc/freeswan/ipsec.d/local.machine.crt' (1326 bytes)
> > > > Oct 15 23:04:13 pluto[11479]: loaded host cert file '/etc/freeswan/ipsec.d/remote.machine.crt' (1326 bytes)
> > > > Oct 15 23:04:13 pluto[11479]: added connection description "right.fw-vpn"
> > > > Oct 15 23:04:13 pluto[11479]: listening for IKE messages
> > > > Oct 15 23:04:13 pluto[11479]: adding interface ipsec0/eth1 1.1.1.1
> > > > Oct 15 23:04:13 pluto[11479]: loading secrets from "/etc/freeswan/ipsec.secrets"
> > > > Oct 15 23:04:13 pluto[11479]: loaded private key file '/etc/freeswan/ipsec.d/private/local.machine.key' (1675 bytes)
> > > > Oct 15 23:04:13 pluto[11479]: "right.fw" #1: initiating Main Mode
> > > > Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> > > > Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #1: ISAKMP SA established
> > > > Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
> > > > Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #2: sent QI2, IPsec SA established
> > > > Oct 15 23:04:23 pluto[11479]: "right.fw-vpn" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
> > > > Oct 15 23:04:23 pluto[11479]: "right.fw-vpn" #1: received Delete SA payload: deleting ISAKMP State #1
> > > > Oct 15 23:04:23 pluto[11479]: ERROR: asynchronous network error report on eth1 for message to 2.2.2.2 port 500, complainant 2.2.2.2: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> > > > Oct 15 23:04:26 pluto[11479]: "right.fw-vpn" #3: responding to Main Mode
> > > > Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #3: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> > > > Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #3: sent MR3, ISAKMP SA established
> > > > Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #4: responding to Quick Mode
> > > > Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #4: IPsec SA established
> > > >
> > > > My logs for the right side connection are as follows:
> > > >
> > > > Oct 15 23:04:25 ipsec__plutorun: Starting Pluto subsystem...
> > > > Oct 15 23:04:25 pluto[24938]: Starting Pluto (FreeS/WAN Version 1.98b)
> > > > Oct 15 23:04:25 pluto[24938]: including X.509 patch (Version 0.9.15)
> > > > Oct 15 23:04:25 pluto[24938]: Changing to directory '/etc/freeswan/ipsec.d/cacerts'
> > > > Oct 15 23:04:25 pluto[24938]: loaded cacert file 'ca.crt' (1325 bytes)
> > > > Oct 15 23:04:25 pluto[24938]: Changing to directory '/etc/freeswan/ipsec.d/crls'
> > > > Oct 15 23:04:25 pluto[24938]: loaded crl file 'crl.crt' (697 bytes)
> > > > Oct 15 23:04:25 pluto[24938]: loaded my default X.509 cert file '/etc/freeswan/x509cert.der' (1325 bytes)
> > > > Oct 15 23:04:26 pluto[24938]: loaded host cert file '/etc/freeswan/ipsec.d/local.machine.crt' (1325 bytes)
> > > > Oct 15 23:04:26 pluto[24938]: loaded host cert file '/etc/freeswan/ipsec.d/remote.machine.crt' (1325 bytes)
> > > > Oct 15 23:04:26 pluto[24938]: added connection description "left.fw-vpn"
> > > > Oct 15 23:04:26 pluto[24938]: listening for IKE messages
> > > > Oct 15 23:04:26 pluto[24938]: adding interface ipsec0/eth1 2.2.2.2
> > > > Oct 15 23:04:26 pluto[24938]: loading secrets from "/etc/freeswan/ipsec.secrets"
> > > > Oct 15 23:04:26 pluto[24938]: loaded private key file '/etc/freeswan/ipsec.d/private/local.machine.key' (1674 bytes)
> > > > Oct 15 23:04:26 pluto[24938]: "left.fw-vpn" #1: initiating Main Mode
> > > > Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> > > > Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #1: ISAKMP SA established
> > > > Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
> > > > Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #2: sent QI2, IPsec SA established
> > > > Oct 15 23:04:43 pluto[24938]: "left.fw-vpn" #1: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
> > > >
> > > > I cannot ping hosts on either network. I am stumped on this one.
> > > > Any ideas would be appreciated.
> > > >
> > > > Jason
> > > >
> > > > ____________________________________________________
> > > > Want to buy your Pack or Services from MandrakeSoft?
> > > > Go to http://www.mandrakestore.com Join the Club :
> > > > http://www.mandrakeclub.com
> > > > ____________________________________________________

--
Florin
http://www.mandrakesoft.com
http://people.mandrakesoft.com/~florin/
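Florin's diagnosis (a host key generated under the CA's own name overwrites ca.crt, so pluto later logs "end certificate with identical subject and issuer not accepted") can be caught before the files are copied around with scp. The script below is an added example, not from the thread or from MNF; it assumes the openssl command-line tool is available and uses the thread's file names (ca.crt, local.machine.crt and its matching .key) as placeholders.

```shell
#!/bin/sh
# Added example: pre-flight checks for a FreeS/WAN host certificate, mirroring
# what pluto will enforce when it loads /etc/freeswan/ipsec.d/*.crt.
# Requires the openssl CLI; file names are assumptions from the thread.

# Print a certificate's subject or issuer DN without the "subject=" / "issuer=" prefix.
cert_dn() {  # usage: cert_dn <cert> subject|issuer
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# Return 0 if the certificate is self-signed (subject DN == issuer DN).
# This is the condition pluto rejects for an end (host) certificate.
cert_is_self_signed() {
    [ "$(cert_dn "$1" subject)" = "$(cert_dn "$1" issuer)" ]
}

# Return 0 if the RSA private key belongs to the certificate (same modulus).
key_matches_cert() {  # usage: key_matches_cert <cert> <key>
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Check a host cert the way pluto will: not self-signed, chains to ca.crt,
# and matches the private key that ipsec.secrets will load for it.
check_host_cert() {  # usage: check_host_cert <ca.crt> <host.crt> <host.key>
    ca=$1; crt=$2; key=$3
    if cert_is_self_signed "$crt"; then
        echo "REJECT: $crt has identical subject and issuer (did it overwrite ca.crt?)"
        return 1
    fi
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "REJECT: $crt is not signed by $ca"
        return 1
    fi
    if ! key_matches_cert "$crt" "$key"; then
        echo "REJECT: $key does not match $crt"
        return 1
    fi
    echo "OK: $crt issued by '$(cert_dn "$ca" subject)' and matches $key"
}
```

Run it as `check_host_cert ca.crt local.machine.crt local.machine.key` on each box before starting ipsec; a self-signed host certificate is exactly the mistake the thread ends on.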
