At first glance I detect three errors in your ipsec.conf:

1) leftcert=freeswanCert.pem is missing
    The X.509 patch for freeswan-2.0x does not support
    the default cert /etc/x509cert.der anymore.

2) do not use rightid=%any, because this restricts the ID to an
   IP address. right=%any without a rightid parameter will define
   a general roadwarrior connection with arbitrary ID type.

3) you cannot initiate a roadwarrior connection with auto=start.
   Use auto=add instead. The W2k peer must be the initiator.

Regards

Andreas

Philip Tong wrote:
I can't seem to get connected to the Freeswan gateway from a Windows
2000 Professional mobile user. The user connects via a local ISP on a
dial-up line which dynamically assigns an IP every time the user
connects.

Any help or pointers would be greatly appreciated. Below is information
pertaining to my configuration.



Diagram
~~~~~~~

 __________________
/                  \
| Internal network |
| 10.0.0.0/8       |
\__________________/
         |
         |
         | eth0 : 10.0.0.1/8
 +----------------+
 | Linux box      |
 | Freeswan+x509  |
 +----------------+
         | eth1 : 202.10.10.54
         |
         |
         | 202.10.10.53
+-----------------+
| ADSL Router     |
| Lucent Cellpipe |
+-----------------+
         |
         |
     ____|____
    /         \
    |Internet |
    \_________/
         |
         |
         |
 +----------------+
 | Win2K using    |
 | dial-up        |
 | w/dynamic IP   |
 +----------------+





/etc/l2tpd/l2ptd.conf
~~~~~~~~~~~~~~~~~~~~~

[global]
port=1701
[lns default]
ip range = 10.0.0.2-10.2.255.255
local ip = 10.0.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = gw.yltrd
ppp debug = yes
pppoptfile = /etc/ppp/options
length bit = yes






/etc/ppp/options
~~~~~~~~~~~~~~~~

ipcp-accept-local
ipcp-accept-remote
ms-dns  10.10.10.1
ms-wins 10.10.10.1
auth
crtscts
idle 1800
nodefaultroute
debug
lock
proxyarp
connect-delay 15000
mtu 1430
mru 1430





/etc/ipsec.conf
~~~~~~~~~~~~~~~

version 2.0

config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=dns
    fragicmp=yes
    overridemtu=1430

conn %default
    keyingtries=0
    compress=yes
    authby=rsasig
    pfs=no
    disablearrivalcheck=yes

conn road
    left=202.10.10.54
    leftsubnet=10.0.0.0/8
    leftnexthop=202.10.10.53
    leftid="CN=gw.yltrd"
    leftrsasigkey=%cert
    leftprotoport=17/0
    right=%any
    rightid=%any
    rightrsasigkey=%cert
    rightprotoport=17/1701
    auto=start






ipsec auto --status
~~~~~~~~~~~~~~~~~~~

000 interface ipsec0/eth1 202.10.10.54
000
000 debug dns
000
000 "road"[1]: 10.0.0.0/8===202.10.10.54[CN=gw.yltrd]:17/0---202.10.10.53...61.6.103.62:17/1701
000 "road"[1]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "road"[1]:   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+DISABLEARRIVALCHECK; interface: eth1; unrouted
000 "road"[1]:   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "road": 10.0.0.0/8===202.10.10.54[CN=gw.yltrd]:17/0---202.10.10.53...%any:17/1701
000 "road":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "road":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+DISABLEARRIVALCHECK; interface: eth1; unrouted
000 "road":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000 #1: "road"[1] 61.6.103.62 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 16s
000





/var/log/secure
~~~~~~~~~~~~~~~

Aug  2 12:14:37 gw ipsec__plutorun: Starting Pluto subsystem...
Aug  2 12:14:37 gw pluto[5845]: Starting Pluto (FreeS/WAN Version 2.01 X.509-1.4.2 PLUTO_USES_KEYRR)
Aug  2 12:14:37 gw pluto[5845]: Changing to directory '/etc/ipsec.d/cacerts'
Aug  2 12:14:37 gw pluto[5845]:   loaded cacert file 'cacert.pem' (1367 bytes)
Aug  2 12:14:37 gw pluto[5845]: Changing to directory '/etc/ipsec.d/crls'
Aug  2 12:14:37 gw pluto[5845]:   loaded crl file 'crl.pem' (601 bytes)
Aug  2 12:14:38 gw pluto[5845]: added connection description "road"
Aug  2 12:14:38 gw pluto[5845]: listening for IKE messages
Aug  2 12:14:38 gw pluto[5845]: adding interface ipsec0/eth1 202.10.10.54
Aug  2 12:14:38 gw pluto[5845]: loading secrets from "/etc/ipsec.secrets"
Aug  2 12:14:38 gw pluto[5845]:   loaded private key file '/etc/ipsec.d/private/gw.yltrd.key' (1743 bytes)
Aug  2 12:14:38 gw pluto[5845]: "road": cannot route Road Warrior template
Aug  2 12:14:38 gw pluto[5845]: "road": cannot initiate connection without knowing peer IP address
Aug  2 12:15:28 gw pluto[5845]: packet from 61.6.103.62:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Aug  2 12:15:28 gw pluto[5845]: packet from 61.6.103.62:500: received Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
Aug  2 12:15:28 gw pluto[5845]: packet from 61.6.103.62:500: received Vendor ID Payload; ASCII hash: \020K
Aug  2 12:15:28 gw pluto[5845]: "road"[1] 61.6.103.62 #1: responding to Main Mode from unknown peer 61.6.103.62
Aug  2 12:15:28 gw pluto[5845]: "road"[1] 61.6.103.62 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Aug  2 12:15:29 gw pluto[5845]: "road"[1] 61.6.103.62 #1: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug  2 12:15:29 gw pluto[5845]: "road"[1] 61.6.103.62 #1: no suitable connection for peer 'CN=ussenterprise.pract'
Aug  2 12:15:29 gw pluto[5845]: "road"[1] 61.6.103.62 #1: sending notification INVALID_ID_INFORMATION to 61.6.103.62:500
Aug  2 12:15:30 gw pluto[5845]: "road"[1] 61.6.103.62 #1: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug  2 12:15:30 gw pluto[5845]: "road"[1] 61.6.103.62 #1: no suitable connection for peer 'CN=ussenterprise.pract'
Aug  2 12:15:30 gw pluto[5845]: "road"[1] 61.6.103.62 #1: sending notification INVALID_ID_INFORMATION to 61.6.103.62:500
Aug  2 12:15:32 gw pluto[5845]: "road"[1] 61.6.103.62 #1: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug  2 12:15:32 gw pluto[5845]: "road"[1] 61.6.103.62 #1: no suitable connection for peer 'CN=ussenterprise.pract'
Aug  2 12:15:32 gw pluto[5845]: "road"[1] 61.6.103.62 #1: sending notification INVALID_ID_INFORMATION to 61.6.103.62:500
Aug  2 12:16:38 gw pluto[5845]: "road"[1] 61.6.103.62 #1: max number of retransmissions (2) reached STATE_MAIN_R2
Aug  2 12:16:38 gw pluto[5845]: "road"[1] 61.6.103.62: deleting connection "road" instance with peer 61.6.103.62
--
=======================================================================
Andreas Steffen                   e-mail: [EMAIL PROTECTED]
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
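The three mistakes Andreas lists (no leftcert with leftrsasigkey=%cert, rightid=%any, and auto=start on a right=%any template) can be caught before pluto ever loads the file. The lint below is an added example written for this thread, not part of the original mail or of FreeS/WAN; the SAMPLE config is a constructed, reindented copy of the quoted "conn road", and the ipsec.conf layout it assumes (section headers in column 0, parameters indented) is the FreeS/WAN 2.x one.

```python
import re

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.
    Assumes FreeS/WAN 2.x layout: headers in column 0, parameters indented.
    'config setup' and 'version' lines are skipped on purpose."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():               # a section header
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns

def roadwarrior_problems(conns):
    """List (conn, message) for road-warrior templates (right=%any),
    after folding in 'conn %default' values as pluto does."""
    defaults = conns.get("%default", {})
    problems = []
    for name, params in conns.items():
        if name == "%default":
            continue
        p = {**defaults, **params}
        if p.get("right") != "%any":
            continue    # not a road-warrior template: checks do not apply
        if p.get("leftrsasigkey") == "%cert" and "leftcert" not in p:
            problems.append((name, "leftcert missing: the freeswan-2.0x X.509 "
                                   "patch no longer falls back to /etc/x509cert.der"))
        if p.get("rightid") == "%any":
            problems.append((name, "rightid=%any restricts the peer ID to an IP "
                                   "address; drop rightid to accept any ID type"))
        if p.get("auto") == "start":
            problems.append((name, "auto=start cannot initiate without a peer IP; "
                                   "use auto=add and let the W2k peer initiate"))
    return problems

# Constructed sample: the thread's "conn road" with the lines that matter.
SAMPLE = """\
version 2.0
config setup
    interfaces="ipsec0=eth1"
conn %default
    authby=rsasig
conn road
    left=202.10.10.54
    leftid="CN=gw.yltrd"
    leftrsasigkey=%cert
    right=%any
    rightid=%any
    rightrsasigkey=%cert
    auto=start
"""
```

Running `roadwarrior_problems(parse_ipsec_conf(SAMPLE))` reports exactly the three findings from the reply; applying the three fixes yields an empty list.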