"Jason B. Whitman" <[EMAIL PROTECTED]> writes:

> I just downloaded the English version of the .pdf and it says:
> 
> "It is mandatory for the first entry you add to be the VPN server one, that
> is your MandrakeSecurity system in our example. Now go ahead and enter the
> same values you did for the CA Key and click on the Next button."

There is indeed an error there, in the manual. You are right.
 
> That last sentence was the one that caused me to believe that the values
> should be the same. I can ping across the tunnel and do other stuff across
> the tunnel but am still getting this error message:
> 
> packet from 2.2.2.2:500: Informational Exchange is for an unknown (expired?)
> SA

So things are working, why bother with this warning?
More seriously, it may be caused by the time difference between the two
MNF boxes ...

my 2 cts,

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Florin
> Sent: Thursday, October 21, 2004 4:19 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Security Firewall] More VPN battles
> 
> 
> "Jason Whitman" <[EMAIL PROTECTED]> writes:
> 
> > Thank you for the reply and help Florin. That was indeed the problem as I
> > now have the VPN established. I think the instructions are wrong as they
> > state that the CA and the first key in "other keys" should have exactly the
> > same common name. Thanks again for the help.
> 
> I have checked the online help in other keys. It simply says that the
> first entry HAS TO BE the local server. I might be wrong but it doesn't
> say that it has to be the same as the ca.
> 
> > Jason
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> > Florin
> > Sent: Wednesday, October 20, 2004 5:02 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Security Firewall] More VPN battles
> >
> >
> > "Jason Whitman" <[EMAIL PROTECTED]> writes:
> >
> > > OK, I went to the CA section and created a cert with values in each of the
> > > fields. The common name I used was the name of the mnf.machine. After I
> > > filled in the information I applied it and then generated an auto-signed
> > > cert. I then went to the other keys section and made the first entry the mnf
> > > box. I used the same common name as the CA.
> >
> > This is a common mistake one can make here. Do not use the same name as
> > for the CA, otherwise you will overwrite the CA and therefore the
> > certificates will not be good from that point on.
> >
> > When you create a CA, the result will be ca.crt. This will be used to
> > autosign the rest of the certificates. If you create a certificate
> > with the same name (ca), you will again create a ca.crt that will replace
> > the real certificate.
> >
> > Use "ca" for the CA and your computer names for the certificates.
> >
> > > I then added the remote machine and hit apply. I copied the ca.crt, crl.crt,
> > > local.machine.crt, remote.machine.crt, remote.machine.key to the proper
> > > directories on the remote machine using scp. Please let me know if that is
> > > enough information, or if you need something else. I did not enter any
> > > information into the CA section of the remote box, obviously; however, I did
> > > notice in the /etc/freeswan/ipsec.d/private dir there was a ca.key and
> > > server.key. It did not appear to be loading those so I ignored them.
> > >
> > > Jason
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Florin
> > > Sent: Wednesday, October 20, 2004 3:29 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [Security Firewall] More VPN battles
> > >
> > >
> > > Obviously you have a problem with the certificate generation ...
> > >
> > > Maybe you can explain to us, with details, what you have done exactly ...
> > >
> > > > "Jason Whitman" <[EMAIL PROTECTED]> writes:
> > >
> > > > Well, I set it up as you mentioned, did a clean install on both
> > > > machines and carefully generated the certs, copied them with scp from
> > > > 2.2.2.2 to 3.3.3.3, set them up with 2.2.2.2 as left on each box and
> > > > 3.3.3.3 as right. I get the following in my logs:
> > > >
> > > > Oct 19 21:15:09 left pluto[28039]: "remote.machine-vpn" #4: end certificate with identical subject and issuer not accepted
> > > > Oct 19 21:15:09 left pluto[28039]: "remote.machine-vpn" #4: X.509 certificate rejected
> > > > Oct 19 21:15:09 left pluto[28039]: "remote.machine-vpn" #4: sent MR3, ISAKMP SA established
> > > > Oct 19 21:29:47 left pluto[28039]: packet from 3.3.3.3:500: Informational Exchange is for an unknown (expired?) SA
> > > >
> > > > As I mentioned, I carefully created the certs in the right order and
> > > > copied ca.crt, crl.crt, local.machine.crt, remote.machine.crt,
> > > > remote.machine.key, x509cert.der to the remote machine and placed them
> > > > in the correct directories. This is becoming frustrating. There are no
> > > > odd entries in the log for the right machine.
> > > >
> > > > Jason
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> > > > Florin
> > > > Sent: Monday, October 18, 2004 3:34 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: [Security Firewall] More VPN battles
> > > >
> > > >
> > > > "Jason Whitman" <[EMAIL PROTECTED]> writes:
> > > >
> > > > > Thank you for the reply Florin. I guess what is confusing me is that
> > > > > the first configuration file assumes that 2.2.2.2 is the left
> > > > > machine and 3.3.3.3 is the right machine. Well, on the machine with the
> > > > > 3.3.3.3 address, should it also still be configured as the right machine
> > > > > on that machine? For some reason, that is just not clear to me.
> > > >
> > > > If you have only two sides, left and right, then it doesn't matter
> > > > who is left or right. Simply imagine the network picture as if you
> > > > were drawing it on paper. Then 2.2.2.2 is the left side on
> > > > both sides and 3.3.3.3 the right side, on both sides, for example, but
> > > > it really doesn't matter. In any case, make sure the certificates are
> > > > the same for 2.2.2.2 on both sides. It's the one you have copied, right?
> > > >
> > > > If you have more than two VPN points, then it's more tricky ...
> > > >
> > > > > Jason
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > > Florin
> > > > > Sent: Monday, October 18, 2004 4:18 AM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: Re: [Security Firewall] More VPN battles
> > > > >
> > > > > Hi,
> > > > >
> > > > > There is a problem with the certificates:
> > > > >
> > > > > first you associate 3.3.3.3 with remote.machine.crt, then on the right
> > > > > side you associate it with local.machine.crt. This cannot be right.
> > > > >
> > > > >
> > > > > > "Jason Whitman" <[EMAIL PROTECTED]> writes:
> > > > >
> > > > > > Here is the ipsec.conf for the left box set up as CA:
> > > > > >
> > > > > > config setup
> > > > > >         interfaces=%defaultroute
> > > > > >         klipsdebug=none
> > > > > >         plutodebug=none
> > > > > >         plutoload=%search
> > > > > >         plutostart=%search
> > > > > >         uniqueids=yes
> > > > > >
> > > > > > conn %default
> > > > > >         pfs=yes
> > > > > >         keyingtries=1
> > > > > >         compress=yes
> > > > > >         disablearrivalcheck=no
> > > > > >         left=2.2.2.2
> > > > > >         leftcert=local.machine.crt
> > > > > >         leftrsasigkey=%cert
> > > > > >         leftsubnet=192.168.0.0/24
> > > > > >         leftnexthop=2.2.2.1
> > > > > >
> > > > > > conn right.side-vpn
> > > > > >         authby=rsasig
> > > > > >         auto=start
> > > > > >         right=3.3.3.3
> > > > > >         rightcert=remote.machine.crt
> > > > > >         rightrsasigkey=%cert
> > > > > >         rightsubnet=192.168.1.0/24
> > > > > >         rightnexthop=3.3.3.1
> > > > > >
> > > > > > and for the right box:
> > > > > >
> > > > > > config setup
> > > > > >         interfaces=%defaultroute
> > > > > >         klipsdebug=none
> > > > > >         plutodebug=none
> > > > > >         plutoload=%search
> > > > > >         plutostart=%search
> > > > > >         uniqueids=yes
> > > > > >
> > > > > > conn %default
> > > > > >         pfs=yes
> > > > > >         keyingtries=1
> > > > > >         compress=yes
> > > > > >         disablearrivalcheck=no
> > > > > >         left=3.3.3.3
> > > > > >         leftcert=local.machine.crt
> > > > > >         leftrsasigkey=%cert
> > > > > >         leftsubnet=192.168.1.0/24
> > > > > >         leftnexthop=3.3.3.1
> > > > > >
> > > > > > conn right.side-vpn
> > > > > >         authby=rsasig
> > > > > >         auto=start
> > > > > >         right=2.2.2.2
> > > > > >         rightcert=remote.machine.crt
> > > > > >         rightrsasigkey=%cert
> > > > > >         rightsubnet=192.168.0.0/24
> > > > > >         rightnexthop=2.2.2.1
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: [EMAIL PROTECTED]
> > > > > > [mailto:[EMAIL PROTECTED] Behalf Of
> > > > > > Jason Whitman
> > > > > > Sent: Friday, October 15, 2004 11:53 PM
> > > > > > To: [EMAIL PROTECTED]
> > > > > > Subject: [Security Firewall] More VPN battles
> > > > > >
> > > > > >
> > > > > > This VPN setup has turned into a battle. I have followed the
> > > > > > directions (online docs) for setting up a MNF to MNF VPN. I have
> > > > > > set up both firewalls with the fw wan port 500 tcp+udp as directed
> > > > > > in a message on the mailing list. My logs for the left side are as
> > > > > > follows:
> > > > > >
> > > > > > Oct 15 23:04:13 pluto[11479]:   loaded host cert file '/etc/freeswan/ipsec.d/local.machine.crt' (1326 bytes)
> > > > > > Oct 15 23:04:13 pluto[11479]:   loaded host cert file '/etc/freeswan/ipsec.d/remote.machine.crt' (1326 bytes)
> > > > > > Oct 15 23:04:13 pluto[11479]: added connection description "right.fw-vpn"
> > > > > > Oct 15 23:04:13 pluto[11479]: listening for IKE messages
> > > > > > Oct 15 23:04:13 pluto[11479]: adding interface ipsec0/eth1 1.1.1.1
> > > > > > Oct 15 23:04:13 pluto[11479]: loading secrets from "/etc/freeswan/ipsec.secrets"
> > > > > > Oct 15 23:04:13 pluto[11479]:   loaded private key file '/etc/freeswan/ipsec.d/private/local.machine.key' (1675 bytes)
> > > > > > Oct 15 23:04:13 pluto[11479]: "right.fw" #1: initiating Main Mode
> > > > > > Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> > > > > > Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #1: ISAKMP SA established
> > > > > > Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
> > > > > > Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #2: sent QI2, IPsec SA established
> > > > > > Oct 15 23:04:23 pluto[11479]: "right.fw-vpn" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
> > > > > > Oct 15 23:04:23 pluto[11479]: "right.fw-vpn" #1: received Delete SA payload: deleting ISAKMP State #1
> > > > > > Oct 15 23:04:23 pluto[11479]: ERROR: asynchronous network error report on eth1 for message to 2.2.2.2 port 500, complainant 2.2.2.2: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> > > > > > Oct 15 23:04:26 pluto[11479]: "right.fw-vpn" #3: responding to Main Mode
> > > > > > Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #3: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> > > > > > Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #3: sent MR3, ISAKMP SA established
> > > > > > Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #4: responding to Quick Mode
> > > > > > Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #4: IPsec SA established
> > > > > >
> > > > > > My logs for the right side connection are as follows:
> > > > > >
> > > > > > Oct 15 23:04:25 ipsec__plutorun: Starting Pluto subsystem...
> > > > > > Oct 15 23:04:25 pluto[24938]: Starting Pluto (FreeS/WAN Version 1.98b)
> > > > > > Oct 15 23:04:25 pluto[24938]: including X.509 patch (Version 0.9.15)
> > > > > > Oct 15 23:04:25 pluto[24938]: Changing to directory '/etc/freeswan/ipsec.d/cacerts'
> > > > > > Oct 15 23:04:25 pluto[24938]: loaded cacert file 'ca.crt' (1325 bytes)
> > > > > > Oct 15 23:04:25 pluto[24938]: Changing to directory '/etc/freeswan/ipsec.d/crls'
> > > > > > Oct 15 23:04:25 pluto[24938]: loaded crl file 'crl.crt' (697 bytes)
> > > > > > Oct 15 23:04:25 pluto[24938]: loaded my default X.509 cert file '/etc/freeswan/x509cert.der' (1325 bytes)
> > > > > > Oct 15 23:04:26 pluto[24938]: loaded host cert file '/etc/freeswan/ipsec.d/local.machine.crt' (1325 bytes)
> > > > > > Oct 15 23:04:26 pluto[24938]: loaded host cert file '/etc/freeswan/ipsec.d/remote.machine.crt' (1325 bytes)
> > > > > > Oct 15 23:04:26 pluto[24938]: added connection description "left.fw-vpn"
> > > > > > Oct 15 23:04:26 pluto[24938]: listening for IKE messages
> > > > > > Oct 15 23:04:26 pluto[24938]: adding interface ipsec0/eth1 2.2.2.2
> > > > > > Oct 15 23:04:26 pluto[24938]: loading secrets from "/etc/freeswan/ipsec.secrets"
> > > > > > Oct 15 23:04:26 pluto[24938]: loaded private key file '/etc/freeswan/ipsec.d/private/local.machine.key' (1674 bytes)
> > > > > > Oct 15 23:04:26 pluto[24938]: "left.fw-vpn" #1: initiating Main Mode
> > > > > > Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> > > > > > Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #1: ISAKMP SA established
> > > > > > Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
> > > > > > Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #2: sent QI2, IPsec SA established
> > > > > > Oct 15 23:04:43 pluto[24938]: "left.fw-vpn" #1: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
> > > > > >
> > > > > > I cannot ping hosts on either network. I am stumped on this one.
> > > > > > Any ideas would be appreciated.
> > > > > >
> > > > > > Jason
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > ____________________________________________________
> > > > > > Want to buy your Pack or Services from MandrakeSoft?
> > > > > > Go to http://www.mandrakestore.com Join the Club :
> > > > > > http://www.mandrakeclub.com
> > > > > > ____________________________________________________
> 
> my 2cts,

-- 
Florin                          http://www.mandrakesoft.com
                                http://people.mandrakesoft.com/~florin/
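The mistake Florin spotted in the two ipsec.conf files (the same public IP bound to a different certificate file on each gateway) is mechanical enough to catch by script before starting pluto. The following is an added example, not code from this thread, from MNF or from FreeS/WAN. It parses only the ipsec.conf subset the thread uses (column-0 section headers, indented key=value lines, `conn %default` inheritance) and embeds the two posted configs, trimmed to the keys it reads, as constructed sample input. The "fixed" right-box config is an assumption taken from Florin's reply: 2.2.2.2 stays "left" on both boxes, so the right gateway carries the same conn description as the left one.

```python
"""Cross-check two FreeS/WAN ipsec.conf files for a two-gateway tunnel.

Added example, not code from the thread, MNF or FreeS/WAN. It checks the
property Florin points out: on BOTH gateways a given public IP must be bound
to the same certificate file and the same subnet.
"""
from typing import Dict, List

# Constructed sample input: the two ipsec.conf files posted in the thread,
# trimmed to the keys this check reads (the `config setup` section is omitted).
LEFT_BOX = """\
conn %default
        left=2.2.2.2
        leftcert=local.machine.crt
        leftrsasigkey=%cert
        leftsubnet=192.168.0.0/24
        leftnexthop=2.2.2.1

conn right.side-vpn
        authby=rsasig
        auto=start
        right=3.3.3.3
        rightcert=remote.machine.crt
        rightrsasigkey=%cert
        rightsubnet=192.168.1.0/24
        rightnexthop=3.3.3.1
"""

RIGHT_BOX_AS_POSTED = """\
conn %default
        left=3.3.3.3
        leftcert=local.machine.crt
        leftrsasigkey=%cert
        leftsubnet=192.168.1.0/24
        leftnexthop=3.3.3.1

conn right.side-vpn
        authby=rsasig
        auto=start
        right=2.2.2.2
        rightcert=remote.machine.crt
        rightrsasigkey=%cert
        rightsubnet=192.168.0.0/24
        rightnexthop=2.2.2.1
"""

# Assumed fix, per Florin's reply: 2.2.2.2 is "left" on both boxes, so the
# right gateway simply carries the same conn description as the left one.
RIGHT_BOX_FIXED = LEFT_BOX


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {"conn NAME": {key: value}}. Headers start in column 0,
    settings are indented, '#' starts a comment."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                       # section header
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"setting before any section: {line!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"not key=value: {line!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def endpoints(sections: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map each public IP named by a conn to its certificate file and subnet,
    after merging in `conn %default` (explicit conn settings win)."""
    default = sections.get("conn %default", {})
    out: Dict[str, Dict[str, str]] = {}
    for name, body in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        merged = {**default, **body}
        for side in ("left", "right"):
            ip = merged.get(side)
            if ip is None:
                raise ValueError(f"{name}: no {side}= address")
            out[ip] = {"cert": merged.get(side + "cert", ""),
                       "subnet": merged.get(side + "subnet", "")}
    return out


def check_pair(conf_a: str, conf_b: str) -> List[str]:
    """List every way the two gateways disagree about a peer; empty means consistent."""
    ep_a, ep_b = endpoints(parse_ipsec_conf(conf_a)), endpoints(parse_ipsec_conf(conf_b))
    problems: List[str] = []
    if set(ep_a) != set(ep_b):
        problems.append(f"peer address sets differ: {sorted(ep_a)} vs {sorted(ep_b)}")
    for ip in sorted(set(ep_a) & set(ep_b)):
        for field in ("cert", "subnet"):
            if ep_a[ip][field] != ep_b[ip][field]:
                problems.append(f"{ip}: {field} is {ep_a[ip][field]!r} on box A "
                                f"but {ep_b[ip][field]!r} on box B")
    return problems


if __name__ == "__main__":
    for label, right in (("as posted", RIGHT_BOX_AS_POSTED), ("fixed", RIGHT_BOX_FIXED)):
        print(f"{label}: {check_pair(LEFT_BOX, right) or ['consistent']}")
```

Run against the posted pair it reports both peers (2.2.2.2 and 3.3.3.3) bound to a different certificate file on each box; against the fixed pair it reports nothing. The script only looks at the configuration, not at the certificates themselves. The other error in the thread, "end certificate with identical subject and issuer not accepted", is about the certificate files: a host certificate whose subject equals its issuer is self-signed, which is what happens when the CA's name is reused and ca.crt gets overwritten. That one is checked on each box with `openssl x509 -noout -subject -issuer -in /etc/freeswan/ipsec.d/local.machine.crt`: the subject and issuer must differ, and the issuer must match the subject printed for ca.crt.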
