Thank you for the response, Andreas. For the 'leftcert' entry, should I
be putting the CA's pem or the Gateway's pem? The pem files were
generated using the help file from Nate Carlson's homepage.
I have since changed the /etc/ipsec.conf to the following:
/etc/ipsec.conf
~~~~~~~~~~~~~~~
version 2.0

config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=dns
        uniqueids=yes
        fragicmp=yes
        overridemtu=1430

conn %default
        keyingtries=0
        compress=yes
        authby=rsasig
        pfs=yes
        disablearrivalcheck=yes

conn road
        left=202.10.10.54
        leftsubnet=10.0.0.0/8
        leftid="CN=gw.yltrd"
        leftrsasigkey=%cert
        leftcert=/etc/ipsec.d/cacerts/cacert.pem
        leftprotoport=17/1701
        right=%any
        rightsubnet=192.168.1.0/24
        rightrsasigkey=%cert
        rightprotoport=17/1701
        auto=add
/var/log/secure
~~~~~~~~~~~~~~~
Aug 4 16:21:57 gw ipsec__plutorun: Starting Pluto subsystem...
Aug 4 16:21:57 gw pluto[3181]: Starting Pluto (FreeS/WAN Version 2.01
X.509-1.4.2 PLUTO_USES_KEYRR)
Aug 4 16:21:57 gw pluto[3181]: Changing to directory
'/etc/ipsec.d/cacerts'
Aug 4 16:21:57 gw pluto[3181]: loaded cacert file 'cacert.pem' (1367
bytes)
Aug 4 16:21:57 gw pluto[3181]: Changing to directory
'/etc/ipsec.d/crls'
Aug 4 16:21:57 gw pluto[3181]: loaded crl file 'crl.pem' (601 bytes)
Aug 4 16:21:57 gw pluto[3181]: loaded host cert file
'/etc/ipsec.d/cacerts/cacert.pem' (1367 bytes)
Aug 4 16:21:57 gw pluto[3181]: added connection description "road"
Aug 4 16:21:57 gw pluto[3181]: listening for IKE messages
Aug 4 16:21:57 gw pluto[3181]: adding interface ipsec0/eth1
202.10.10.54
Aug 4 16:21:57 gw pluto[3181]: loading secrets from
"/etc/ipsec.secrets"
Aug 4 16:21:57 gw pluto[3181]: loaded private key file
'/etc/ipsec.d/private/gw.yltrd.key' (1743 bytes)
Aug 4 16:22:57 gw pluto[3181]: packet from 61.6.104.76:500: received
Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Aug 4 16:22:57 gw pluto[3181]: packet from 61.6.104.76:500: received
Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
Aug 4 16:22:57 gw pluto[3181]: packet from 61.6.104.76:500: received
Vendor ID Payload; ASCII hash: \020K
Aug 4 16:22:57 gw pluto[3181]: "road"[1] 61.6.104.76 #1: responding to
Main Mode from unknown peer 61.6.104.76
Aug 4 16:22:57 gw pluto[3181]: "road"[1] 61.6.104.76 #1: only
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute
OAKLEY_GROUP_DESCRIPTION
Aug 4 16:22:59 gw pluto[3181]: "road"[1] 61.6.104.76 #1: Peer ID is
ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 4 16:22:59 gw pluto[3181]: "road"[1] 61.6.104.76 #1: no suitable
connection for peer 'CN=ussenterprise.pract'
Aug 4 16:22:59 gw pluto[3181]: "road"[1] 61.6.104.76 #1: sending
notification INVALID_ID_INFORMATION to 61.6.104.76:500
Aug 4 16:23:00 gw pluto[3181]: "road"[1] 61.6.104.76 #1: Peer ID is
ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 4 16:23:00 gw pluto[3181]: "road"[1] 61.6.104.76 #1: no suitable
connection for peer 'CN=ussenterprise.pract'
Aug 4 16:23:00 gw pluto[3181]: "road"[1] 61.6.104.76 #1: sending
notification INVALID_ID_INFORMATION to 61.6.104.76:500
Aug 4 16:23:02 gw pluto[3181]: "road"[1] 61.6.104.76 #1: Peer ID is
ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 4 16:23:02 gw pluto[3181]: "road"[1] 61.6.104.76 #1: no suitable
connection for peer 'CN=ussenterprise.pract'
Aug 4 16:23:02 gw pluto[3181]: "road"[1] 61.6.104.76 #1: sending
notification INVALID_ID_INFORMATION to 61.6.104.76:500
Aug 4 16:24:08 gw pluto[3181]: "road"[1] 61.6.104.76 #1: max number of
retransmissions (2) reached STATE_MAIN_R2
Aug 4 16:24:08 gw pluto[3181]: "road"[1] 61.6.104.76: deleting
connection "road" instance with peer 61.6.104.76
Aug 4 16:24:55 gw pluto[3181]: packet from 61.6.103.101:500: received
Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Aug 4 16:24:55 gw pluto[3181]: packet from 61.6.103.101:500: received
Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
Aug 4 16:24:55 gw pluto[3181]: packet from 61.6.103.101:500: received
Vendor ID Payload; ASCII hash: \020K
Aug 4 16:24:55 gw pluto[3181]: "road"[2] 61.6.103.101 #2: responding to
Main Mode from unknown peer 61.6.103.101
Aug 4 16:24:55 gw pluto[3181]: "road"[2] 61.6.103.101 #2: only
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute
OAKLEY_GROUP_DESCRIPTION
Aug 4 16:24:58 gw pluto[3181]: "road"[2] 61.6.103.101 #2: Peer ID is
ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 4 16:24:58 gw pluto[3181]:
"road"[2] 61.6.103.101 #2: no suitable connection for peer
'CN=ussenterprise.pract'
Aug 4 16:24:58 gw pluto[3181]: "road"[2] 61.6.103.101 #2: sending
notification INVALID_ID_INFORMATION to 61.6.103.101:500
Aug 4 16:25:00 gw pluto[3181]: "road"[2] 61.6.103.101 #2: Peer ID is
ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 4 16:25:00 gw pluto[3181]:
"road"[2] 61.6.103.101 #2: no suitable connection for peer
'CN=ussenterprise.pract'
Aug 4 16:25:00 gw pluto[3181]: "road"[2] 61.6.103.101 #2: sending
notification INVALID_ID_INFORMATION to 61.6.103.101:500
Aug 4 16:25:04 gw pluto[3181]: "road"[2] 61.6.103.101 #2: Peer ID is
ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 4 16:25:04 gw pluto[3181]:
"road"[2] 61.6.103.101 #2: no suitable connection for peer
'CN=ussenterprise.pract'
Aug 4 16:25:04 gw pluto[3181]: "road"[2] 61.6.103.101 #2: sending
notification INVALID_ID_INFORMATION to 61.6.103.101:500
Aug 4 16:25:12 gw pluto[3181]: "road"[2] 61.6.103.101 #2: Peer ID is
ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 4 16:25:12 gw pluto[3181]:
"road"[2] 61.6.103.101 #2: no suitable connection for peer
'CN=ussenterprise.pract'
Aug 4 16:25:12 gw pluto[3181]: "road"[2] 61.6.103.101 #2: sending
notification INVALID_ID_INFORMATION to 61.6.103.101:500
Aug 4 16:25:20 gw pluto[3181]: "road"[2] 61.6.103.101 #2: encrypted
Informational Exchange message is invalid because it is for incomplete
ISAKMP SA
Aug 4 16:26:06 gw pluto[3181]: "road"[2] 61.6.103.101 #2: max number of
retransmissions (2) reached STATE_MAIN_R2
Aug 4 16:26:06 gw pluto[3181]: "road"[2] 61.6.103.101: deleting
connection "road" instance with peer 61.6.103.101
On Mon, 2003-08-04 at 14:10, Andreas Steffen wrote:
> At a first glance I detect three errors in your ipsec.conf:
>
> 1) leftcert=freeswanCert.pem is missing
> The X.509 patch for freeswan-2.0x does not support
> the default cert /etc/x509cert.der anymore.
>
> 2) do not use rightid=%any, because this restricts the ID to an
> IP address. right=%any without a rightid parameter will define
> a general roadwarrior connection with arbitrary ID type.
>
> 3) you cannot initiate a roadwarrior connection with auto=start.
> Use auto=add instead. The W2k peer must be the initiator.
>
> Regards
>
> Andreas
>
> Philip Tong wrote:
> > I can't seem to get connected to the Freeswan gateway from a Windows
> > 2000 Professional mobile user. The user connects via a local ISP on a
> > dial-up line which dynamically assigns an IP every time the user
> > connects.
> >
> > Any help or pointers would be greatly appreciated. Below is information
> > pertaining to my configuration.
> >
> > Diagram
> > ~~~~~~~
> >
> >                  __________________
> >                 /                  \
> >                 | Internal network |
> >                 |    10.0.0.0/8    |
> >                 \__________________/
> >                          |
> >                          |
> >                          | eth0 : 10.0.0.1/8
> >                  +----------------+
> >                  |   Linux box    |
> >                  | Freeswan+x509  |
> >                  +----------------+
> >                          | eth1 : 202.10.10.54
> >                          |
> >                          |
> >                          | 202.10.10.53
> >                  +-----------------+
> >                  |   ADSL Router   |
> >                  | Lucent Cellpipe |
> >                  +-----------------+
> >                          |
> >                          |
> >                      ____|____
> >                     /         \
> >                     |Internet |
> >                     \_________/
> >                          |
> >                          |
> >                          |
> >                  +----------------+
> >                  |  Win2K using   |
> >                  |    dial-up     |
> >                  |  w/dynamic IP  |
> >                  +----------------+
> >
> > /etc/l2tpd/l2ptd.conf
> > ~~~~~~~~~~~~~~~~~~~~~
> >
> > [global]
> > port=1701
> >
> > [lns default]
> > ip range = 10.0.0.2-10.2.255.255
> > local ip = 10.0.0.1
> > require chap = yes
> > refuse pap = yes
> > require authentication = yes
> > name = gw.yltrd
> > ppp debug = yes
> > pppoptfile = /etc/ppp/options
> > length bit = yes
> >
> > /etc/ppp/options
> > ~~~~~~~~~~~~~~~~
> >
> > ipcp-accept-local
> > ipcp-accept-remote
> > ms-dns 10.10.10.1
> > ms-wins 10.10.10.1
> > auth
> > crtscts
> > idle 1800
> > nodefaultroute
> > debug
> > lock
> > proxyarp
> > connect-delay 15000
> > mtu 1430
> > mru 1430
> >
> >
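As an added example (not part of this thread, nor FreeS/WAN's own code), a small Python lint for FreeS/WAN 2.x ipsec.conf files that encodes the three points Andreas lists above and, for the 'leftcert' question at the top, flags a leftcert that points into /etc/ipsec.d/cacerts: that directory holds the CA certificates, while leftcert names the gateway's own certificate. The sample config is constructed, modelled on the one posted in this message, and uses the indented parameter layout ipsec.conf requires.

```python
# Added example, not from this thread: lint a FreeS/WAN 2.x ipsec.conf for the
# roadwarrior mistakes discussed above.  Section headers start at column 0.
def parse_ipsec_conf(text):
    """Return {conn_name: params} with 'conn %default' merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip(): continue
        if line[0].isspace() and current is not None:  # indented parameter
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
        elif not line[0].isspace():  # 'conn road', 'config setup', 'version 2.0'
            kind, _, name = line.partition(" ")
            current = None if kind == "version" else (kind, name.strip())
            if current: sections.setdefault(current, {})
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **p} for (kind, name), p in sections.items()
            if kind == "conn" and name != "%default"}

def lint_conn(name, p):
    """Findings for one conn: Andreas's three points plus the CA-vs-host cert mix-up."""
    roadwarrior = p.get("right") == "%any"
    checks = [
        (p.get("leftrsasigkey") == "%cert" and "leftcert" not in p,
         "leftcert missing (the X.509 patch no longer uses /etc/x509cert.der)"),
        (p.get("leftcert", "").startswith("/etc/ipsec.d/cacerts/"),  # CA cert dir
         "leftcert is the CA certificate; it must be the gateway's own certificate"),
        (roadwarrior and p.get("rightid") == "%any",
         "rightid=%any restricts the peer ID to an IP address; drop rightid"),
        (roadwarrior and p.get("auto") == "start",
         "auto=start cannot initiate to right=%any; use auto=add"),
    ]
    return [f"{name}: {msg}" for cond, msg in checks if cond]

def lint(text):
    """All findings for a whole ipsec.conf, conn by conn."""
    return [f for name, p in parse_ipsec_conf(text).items() for f in lint_conn(name, p)]

# Constructed sample modelled on the config in this message (leftcert = CA cert).
SAMPLE = """\
conn %default
    authby=rsasig
conn road
    leftid="CN=gw.yltrd"
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/cacerts/cacert.pem
    right=%any
    rightrsasigkey=%cert
    auto=add
"""
```

Running `lint(SAMPLE)` reports only the leftcert finding; pointing leftcert at the gateway's own certificate under /etc/ipsec.d/certs clears it.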