-----Forwarded Message-----
From: Philip Tong <[EMAIL PROTECTED]>
To: Andreas Steffen <[EMAIL PROTECTED]>
Subject: Re: [Users] Problem w/ Win2K Client --> Freeswan 2.01+x509 patch+l2tpd+pppd
Date: 05 Aug 2003 14:17:49 +0800
/etc/ipsec.conf
~~~~~~~~~~~~~~~
version 2.0

config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=dns
    uniqueids=yes
    fragicmp=yes
    overridemtu=1430

conn %default
    keyingtries=0
    compress=yes
    authby=rsasig
    pfs=yes
    disablearrivalcheck=yes

conn road
    left=202.10.10.54
    leftsubnet=10.0.0.0/8
    leftid="CN=gw.yltrd"
    leftrsasigkey=%cert
    leftcert=gw.yltrd.pem
    leftprotoport=17/1701
    right=%any
    rightsubnet=192.168.1.0/24
    rightrsasigkey=%cert
    rightprotoport=17/1701
    auto=add
/var/log/secure
~~~~~~~~~~~~~~~
Aug 5 14:01:32 gw pluto[1462]: packet from 61.6.103.23:500: received
Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Aug 5 14:01:32 gw pluto[1462]: packet from 61.6.103.23:500: received
Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
Aug 5 14:01:32 gw pluto[1462]: packet from 61.6.103.23:500: received
Vendor ID Payload; ASCII hash: \020K
Aug 5 14:01:32 gw pluto[1462]: "road"[4] 61.6.103.23 #4: responding to
Main Mode from unknown peer 61.6.103.23
Aug 5 14:01:32 gw pluto[1462]: "road"[4] 61.6.103.23 #4: only
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute
OAKLEY_GROUP_DESCRIPTION
Aug 5 14:01:34 gw pluto[1462]: "road"[4] 61.6.103.23 #4: Peer ID is
ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 5 14:01:34 gw pluto[1462]: "road"[5] 61.6.103.23 #4: deleting
connection "road" instance with peer 61.6.103.23
Aug 5 14:01:34 gw pluto[1462]: "road"[5] 61.6.103.23 #4: sent MR3,
ISAKMP SA established
Aug 5 14:01:35 gw pluto[1462]: "road"[5] 61.6.103.23 #4: retransmitting
in response to duplicate packet; already STATE_MAIN_R3
Aug 5 14:01:36 gw pluto[1462]: "road"[5] 61.6.103.23 #4: cannot respond
to IPsec SA request because no connection is known for
202.10.10.54[CN=gw.yltrd]:17/1701...61.6.103.23[CN=ussenterprise.pract]:17/1701
Aug 5 14:01:36 gw pluto[1462]: "road"[5] 61.6.103.23 #4: no Phase1
state for Quick mode notification
Aug 5 14:01:38 gw pluto[1462]: "road"[5] 61.6.103.23 #4: Quick Mode I1
message is unacceptable because it uses a previously used Message ID
0xdab85fea (perhaps this is a duplicated packet)
Aug 5 14:01:38 gw pluto[1462]: "road"[5] 61.6.103.23 #4: sending
encrypted notification INVALID_MESSAGE_ID to 61.6.103.23:500
Aug 5 14:01:42 gw pluto[1462]: "road"[5] 61.6.103.23 #4: Quick Mode I1 message
is unacceptable because it uses a previously used Message ID 0xdab85fea
(perhaps this is a duplicated packet)
Aug 5 14:01:42 gw pluto[1462]: "road"[5] 61.6.103.23 #4: sending
encrypted notification INVALID_MESSAGE_ID to 61.6.103.23:500
Aug 5 14:01:55 gw pluto[1462]: "road"[5] 61.6.103.23 #4: received Delete SA
payload: deleting ISAKMP State #4
Aug 5 14:01:55 gw pluto[1462]: "road"[5] 61.6.103.23: deleting
connection "road" instance with peer 61.6.103.23
ipsec auto --status
~~~~~~~~~~~~~~~~~~~
000 interface ipsec0/eth1 202.10.10.54
000
000 debug dns
000
000 "road"[7]:
10.0.0.0/8===202.10.10.54[CN=gw.yltrd]:17/1701...61.6.103.222[CN=ussenterprise.pract]:17/1701===192.168.1.0/24
000 "road"[7]: CAs: 'C=my, ST=perak, L=ipoh, O=yltrd, CN=ca.yltrd'...'%any'
000 "road"[7]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "road"[7]: policy:
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth1;
unrouted
000 "road"[7]: newest ISAKMP SA: #5; newest IPsec SA: #0; eroute
owner: #0
000 "road":
10.0.0.0/8===202.10.10.54[CN=gw.yltrd]:17/1701...%any:17/1701===192.168.1.0/24
000 "road": CAs: 'C=my, ST=perak, L=ipoh, O=yltrd,
CN=ca.yltrd'...'%any'
000 "road": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "road": policy:
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth1;
unrouted
000 "road": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner:
#0
000
000 #5: "road"[7] 61.6.103.222 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 3325s; newest ISAKMP
000
> On Mon, 2003-08-04 at 17:49, Andreas Steffen wrote:
> > You must use the gateway certificate. Put it into
> > the directory /etc/ipsec.d/certs and define
> >
> > leftcert=gatewayCert.pem
> >
> > There seems to be some additional error in your
> > connection definition. What does
> >
> > ipsec auto --status
> >
> > show?
> >
> > Regards
> >
> > Andreas
> >
> > Philip Tong wrote:
> > > Thank you for the response Andreas, for the 'leftcert' entry, should I
> > > be putting the CA's pem or the Gateway's pem? The pem files were
> > > generated using help file from Nate Carlson's homepage.
> > >
> > > I have since changed the /etc/ipsec.conf to the following:-
> > >
> > > /etc/ipsec.conf
> > > ~~~~~~~~~~~~~~~
> > > version 2.0
> > >
> > > config setup
> > >     interfaces="ipsec0=eth1"
> > >     klipsdebug=none
> > >     plutodebug=dns
> > >     uniqueids=yes
> > >     fragicmp=yes
> > >     overridemtu=1430
> > >
> > > conn %default
> > >     keyingtries=0
> > >     compress=yes
> > >     authby=rsasig
> > >     pfs=yes
> > >     disablearrivalcheck=yes
> > >
> > > conn road
> > >     left=202.10.10.54
> > >     leftsubnet=10.0.0.0/8
> > >     leftid="CN=gw.yltrd"
> > >     leftrsasigkey=%cert
> > >     leftcert=/etc/ipsec.d/cacerts/cacert.pem
> > >     leftprotoport=17/1701
> > >     right=%any
> > >     rightsubnet=192.168.1.0/24
> > >     rightrsasigkey=%cert
> > >     rightprotoport=17/1701
> > >     auto=add
> > >
> > >
> > > /var/log/secure
> > > ~~~~~~~~~~~~~~~
> > > Aug 4 16:21:57 gw ipsec__plutorun: Starting Pluto subsystem...
> > > Aug 4 16:21:57 gw pluto[3181]: Starting Pluto (FreeS/WAN Version 2.01
> > > X.509-1.4.2 PLUTO_USES_KEYRR)
> > > Aug 4 16:21:57 gw pluto[3181]: Changing to directory
> > > '/etc/ipsec.d/cacerts'
> > > Aug 4 16:21:57 gw pluto[3181]: loaded cacert file 'cacert.pem' (1367
> > > bytes)
> > > Aug 4 16:21:57 gw pluto[3181]: Changing to directory
> > > '/etc/ipsec.d/crls'
> > > Aug 4 16:21:57 gw pluto[3181]: loaded crl file 'crl.pem' (601 bytes)
> > > Aug 4 16:21:57 gw pluto[3181]: loaded host cert file
> > > '/etc/ipsec.d/cacerts/cacert.pem' (1367 bytes)
> > > Aug 4 16:21:57 gw pluto[3181]: added connection description "road"
> > > Aug 4 16:21:57 gw pluto[3181]: listening for IKE messages
> > > Aug 4 16:21:57 gw pluto[3181]: adding interface ipsec0/eth1
> > > 202.10.10.54
> > > Aug 4 16:21:57 gw pluto[3181]: loading secrets from
> > > "/etc/ipsec.secrets"
> > > Aug 4 16:21:57 gw pluto[3181]: loaded private key file
> > > '/etc/ipsec.d/private/gw.yltrd.key' (1743 bytes)
> > > Aug 4 16:22:57 gw pluto[3181]: packet from 61.6.104.76:500: received
> > > Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
> > > Aug 4 16:22:57 gw pluto[3181]: packet from 61.6.104.76:500: received
> > > Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
> > > Aug 4 16:22:57 gw pluto[3181]: packet from 61.6.104.76:500: received
> > > Vendor ID Payload; ASCII hash: \020K
> > > Aug 4 16:22:57 gw pluto[3181]: "road"[1] 61.6.104.76 #1: responding to
> > > Main Mode from unknown peer 61.6.104.76
> > > Aug 4 16:22:57 gw pluto[3181]: "road"[1] 61.6.104.76 #1: only
> > > OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute
> > > OAKLEY_GROUP_DESCRIPTION
> > > Aug 4 16:22:59 gw pluto[3181]: "road"[1] 61.6.104.76 #1: Peer ID is
> > > ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
> > > Aug 4 16:22:59 gw pluto[3181]: "road"[1] 61.6.104.76 #1: no suitable
> > > connection for peer 'CN=ussenterprise.pract'
> > > Aug 4 16:22:59 gw pluto[3181]: "road"[1] 61.6.104.76 #1: sending
> > > notification INVALID_ID_INFORMATION to 61.6.104.76:500
> > > Aug 4 16:23:00 gw pluto[3181]: "road"[1] 61.6.104.76 #1: Peer ID is
> > > ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
> > > Aug 4 16:23:00 gw pluto[3181]: "road"[1] 61.6.104.76 #1: no suitable
> > > connection for peer 'CN=ussenterprise.pract'
> > > Aug 4 16:23:00 gw pluto[3181]: "road"[1] 61.6.104.76 #1: sending
> > > notification INVALID_ID_INFORMATION to 61.6.104.76:500
> > > Aug 4 16:23:02 gw pluto[3181]: "road"[1] 61.6.104.76 #1: Peer ID is
> > > ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
> > > Aug 4 16:23:02 gw pluto[3181]: "road"[1] 61.6.104.76 #1: no suitable
> > > connection for peer 'CN=ussenterprise.pract'
> > > Aug 4 16:23:02 gw pluto[3181]: "road"[1] 61.6.104.76 #1: sending
> > > notification INVALID_ID_INFORMATION to 61.6.104.76:500
> > > Aug 4 16:24:08 gw pluto[3181]: "road"[1] 61.6.104.76 #1: max number of
> > > retransmissions (2) reached STATE_MAIN_R2
> > > Aug 4 16:24:08 gw pluto[3181]: "road"[1] 61.6.104.76: deleting
> > > connection "road" instance with peer 61.6.104.76
> > > Aug 4 16:24:55 gw pluto[3181]: packet from 61.6.103.101:500: received
> > > Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
> > > Aug 4 16:24:55 gw pluto[3181]: packet from 61.6.103.101:500: received
> > > Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
> > > Aug 4 16:24:55 gw pluto[3181]: packet from 61.6.103.101:500: received
> > > Vendor ID Payload; ASCII hash: \020K
> > > Aug 4 16:24:55 gw pluto[3181]: "road"[2] 61.6.103.101 #2: responding to
> > > Main Mode from unknown peer 61.6.103.101
> > > Aug 4 16:24:55 gw pluto[3181]: "road"[2] 61.6.103.101 #2: only
> > > OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute
> > > OAKLEY_GROUP_DESCRIPTION
> > > Aug 4 16:24:58 gw pluto[3181]: "road"[2] 61.6.103.101 #2: Peer ID is
> > > ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
> > > Aug 4 16:24:58 gw pluto[3181]: "road"[2] 61.6.103.101 #2: no suitable
> > > connection for peer 'CN=ussenterprise.pract'
> > > Aug 4 16:24:58 gw pluto[3181]: "road"[2] 61.6.103.101 #2: sending
> > > notification INVALID_ID_INFORMATION to 61.6.103.101:500
> > > Aug 4 16:25:00 gw pluto[3181]: "road"[2] 61.6.103.101 #2: Peer ID is
> > > ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
> > > Aug 4 16:25:00 gw pluto[3181]: "road"[2] 61.6.103.101 #2: no suitable
> > > connection for peer 'CN=ussenterprise.pract'
> > > Aug 4 16:25:00 gw pluto[3181]: "road"[2] 61.6.103.101 #2: sending
> > > notification INVALID_ID_INFORMATION to 61.6.103.101:500
> > > Aug 4 16:25:04 gw pluto[3181]: "road"[2] 61.6.103.101 #2: Peer ID is
> > > ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
> > > Aug 4 16:25:04 gw pluto[3181]: "road"[2] 61.6.103.101 #2: no suitable
> > > connection for peer 'CN=ussenterprise.pract'
> > > Aug 4 16:25:04 gw pluto[3181]: "road"[2] 61.6.103.101 #2: sending
> > > notification INVALID_ID_INFORMATION to 61.6.103.101:500
> > > Aug 4 16:25:12 gw pluto[3181]: "road"[2] 61.6.103.101 #2: Peer ID is
> > > ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
> > > Aug 4 16:25:12 gw pluto[3181]: "road"[2] 61.6.103.101 #2: no suitable
> > > connection for peer 'CN=ussenterprise.pract'
> > > Aug 4 16:25:12 gw pluto[3181]: "road"[2] 61.6.103.101 #2: sending
> > > notification INVALID_ID_INFORMATION to 61.6.103.101:500
> > > Aug 4 16:25:20 gw pluto[3181]: "road"[2] 61.6.103.101 #2: encrypted
> > > Informational Exchange message is invalid because it is for incomplete
> > > ISAKMP SA
> > > Aug 4 16:26:06 gw pluto[3181]: "road"[2] 61.6.103.101 #2: max number of
> > > retransmissions (2) reached STATE_MAIN_R2
> > > Aug 4 16:26:06 gw pluto[3181]: "road"[2] 61.6.103.101: deleting
> > > connection "road" instance with peer 61.6.103.101
> > >
> > > On Mon, 2003-08-04 at 14:10, Andreas Steffen wrote:
> > >
> > >>At a first glance I detect three errors in your ipsec.conf:
> > >>
> > >>1) leftcert=freeswanCert.pem is missing
> > >> The X.509 patch for freeswan-2.0x does not support
> > >> the default cert /etc/x509cert.der anymore.
> > >>
> > >>2) do not use rightid=%any, because this restricts the ID to an
> > >> IP address. right=%any without an rightid parameter will define
> > >> a general roadwarrior connection with arbitrary ID type.
> > >>
> > >>3) you cannot initiate a roadwarrior connection with auto=start.
> > >> Use auto=add instead. The W2k peer must be the initiator.
> > >>
> > >>Regards
> > >>
> > >>Andreas
> > >>
> > >>Philip Tong wrote:
> > >>
> > >>>I can't seem to get connected to the Freeswan gateway from a Windows
> > >>>2000 Professional mobile user. The user connects via a local ISP on a
> > >>>dial up line which dynamically assigns an IP everytime the user
> > >>>connects.
> > >>>
> > >>>Any help or pointers would be greatly appreciated. Below are information
> > >>>pertaining to my configuration.
> > >>>
> > >>>
> > >>>
> > >>>Diagram
> > >>>~~~~~~~
> > >>>
> > >>>           __________________
> > >>>          /                  \
> > >>>          | Internal network |
> > >>>          |    10.0.0.0/8    |
> > >>>          \__________________/
> > >>>                   |
> > >>>                   |
> > >>>                   | eth0 : 10.0.0.1/8
> > >>>          +----------------+
> > >>>          |   Linux box    |
> > >>>          | Freeswan+x509  |
> > >>>          +----------------+
> > >>>                   | eth1 : 202.10.10.54
> > >>>                   |
> > >>>                   |
> > >>>                   | 202.10.10.53
> > >>>          +-----------------+
> > >>>          |   ADSL Router   |
> > >>>          | Lucent Cellpipe |
> > >>>          +-----------------+
> > >>>                   |
> > >>>                   |
> > >>>               ____|____
> > >>>              /         \
> > >>>              |Internet |
> > >>>              \_________/
> > >>>                   |
> > >>>                   |
> > >>>                   |
> > >>>          +----------------+
> > >>>          |  Win2K using   |
> > >>>          |    dial-up     |
> > >>>          | w/dynamic IP   |
> > >>>          +----------------+
> > >>>
> > >>>/etc/l2tpd/l2tpd.conf
> > >>>~~~~~~~~~~~~~~~~~~~~~
> > >>>
> > >>>[global]
> > >>>port=1701
> > >>>
> > >>>[lns default]
> > >>>ip range = 10.0.0.2-10.2.255.255
> > >>>local ip = 10.0.0.1
> > >>>require chap = yes
> > >>>refuse pap = yes
> > >>>require authentication = yes
> > >>>name = gw.yltrd
> > >>>ppp debug = yes
> > >>>pppoptfile = /etc/ppp/options
> > >>>length bit = yes
> > >>>
> > >>>/etc/ppp/options
> > >>>~~~~~~~~~~~~~~~~
> > >>>
> > >>>ipcp-accept-local
> > >>>ipcp-accept-remote
> > >>>ms-dns 10.10.10.1
> > >>>ms-wins 10.10.10.1
> > >>>auth
> > >>>crtscts
> > >>>idle 1800
> > >>>nodefaultroute
> > >>>debug
> > >>>lock
> > >>>proxyarp
> > >>>connect-delay 15000
> > >>>mtu 1430
> > >>>mru 1430
> > >>>
> > >>>
> > >
> > >
> > >
> >
_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
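The corrections Andreas gives in this thread (a gateway leftcert rather than the CA cert, no rightid=%any on a right=%any connection, auto=add instead of auto=start) can be checked mechanically before pluto is restarted. The following is an added example, not code from the thread or from FreeS/WAN: it assumes a small ipsec.conf parser written here, and the sample configuration it checks is constructed from the thread's "road" connection with those mistakes reintroduced.

```python
# Constructed ipsec.conf text modelled on the thread's "road" connection, with the
# mistakes Andreas lists reintroduced so the checker has something to flag.
SAMPLE_CONF = """\
conn %default
    authby=rsasig
conn road
    left=202.10.10.54
    leftid="CN=gw.yltrd"
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/cacerts/cacert.pem
    right=%any
    rightid=%any
    rightrsasigkey=%cert
    auto=start
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}; values from conn %default are inherited."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip(): continue
        if not line[0].isspace():                 # unindented: section header or 'version'
            parts = line.split(None, 1)
            current = None
            if parts[0] in ("config", "conn") and len(parts) == 2:
                current = sections.setdefault((parts[0], parts[1]), {})
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip().strip('"')
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **body}
            for (kind, name), body in sections.items()
            if kind == "conn" and name != "%default"}

def lint_roadwarrior(conn):
    """Flag the problems the thread discusses for a right=%any X.509 connection."""
    problems = []
    if conn.get("right") != "%any":
        return problems                           # only roadwarrior connections are checked
    if conn.get("leftrsasigkey") == "%cert" and "leftcert" not in conn:
        problems.append("leftcert missing: the X.509 patch needs the gateway cert")
    if "cacerts" in conn.get("leftcert", ""):
        problems.append("leftcert is the CA cert: point it at the gateway cert")
    if conn.get("rightid") == "%any":
        problems.append("rightid=%any limits the peer ID to an IP address: drop it")
    if conn.get("auto") == "start":
        problems.append("auto=start cannot initiate to right=%any: use auto=add")
    return problems
```

The cacerts check corresponds to the earlier log in the thread, where pluto reports loading '/etc/ipsec.d/cacerts/cacert.pem' as the host cert and then answers every Main Mode attempt with INVALID_ID_INFORMATION.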