Hi,

I am looking to configure my FC14 box as an IPSEC client to connect to
my office VPN.  I do not know what server the office VPN is using.  All
I know are the specs that they have given me. This is my first attempt at getting the IPSEC tunnel to work from Linux. I don't know if anyone else has managed successfully. I do know that Mac users have gotten it working with ipsecuritas.


I do have a working example of it running in Windows using TheGreenBow client.

I have been given the following files:
ericb.p12
ericb.pem
ericb.key
(and password for the key/p12 files)

I know the following settings (from looking at the functional TGB client
and someone who has gotten it to work with ipsecuritas on Mac):

Gateway IP
Network Addr/CIDR: 10.9.40.0/22
Phase 1:
   - Lifetime 1800
   - DH Group: 1024(2)
   - Encryption: AES 128
   - Authen: SHA-1
   - Exchange: Main

Phase 2:
   - PFS Group: 1024(2)
   - Encryption: AES 128
   - Authen: HMAC SHA-1

NAT-T: force
Can anyone please help me with getting this configuration to work?  I
have attempted to set up the tunnel with the client, but I must be doing something incorrectly. When I try to connect, I get the following error messages:

config loaded for site 'xx.xx.160.179'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
invalid message from gateway
tunnel disabled
detached from key daemon ...
I enabled debug messages, but that didn't seem to give me a whole lot more information:
/var/log/ike/iked.log:
11/07/01 00:01:52 ## : IKE Daemon, ver 2.1.7
11/07/01 00:01:52 ## : Copyright 2010 Shrew Soft Inc.
11/07/01 00:01:52 ## : This product linked OpenSSL 1.0.0d-fips 8 Feb 2011
11/07/01 00:01:52 K! : recv X_SPDDUMP message failure ( errno = 2 )
11/07/01 00:01:58 !! : '/home/eric/Documents/VPN/ericb.p12' load failed, requesting password
11/07/01 00:02:32 !! : unprocessed payload data
11/07/01 00:02:32 !! : unprocessed payload data
11/07/01 00:02:32 !! : unhandled phase1 payload 'unknown' ( 245 )
11/07/01 00:02:32 !! : unprocessed payload data


/var/log/ike/ike-decrypt.pcap is empty.


Just for completeness, here is the vpn profile file:
n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:1
n:client-dns-used:1
n:client-dns-auto:0
n:phase1-dhgroup:2
n:phase1-keylen:128
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:128
n:phase2-pfsgroup:2
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
s:network-host:xx.xx.160.179
s:client-auto-mode:dhcp
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:0.0.0.0
s:client-dns-suffix:
s:auth-method:mutual-rsa
s:ident-client-type:address
s:ident-server-type:any
s:auth-server-cert:/home/eric/Documents/VPN/ericb.p12
s:auth-client-cert:/home/eric/Documents/VPN/ericb.pem
s:auth-client-key:/home/eric/Documents/VPN/ericb.key
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
s:policy-level:auto


Thanks for any help that you can provide! It is possible that I have some settings that are inconsistent, but am not sure what I should be setting them to.

Thanks!

Eric

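As an added illustration (not part of Eric's post or the Shrew Soft client), the script below parses the `n:`/`s:` profile format shown above and compares the parsed values with the Phase 1, Phase 2 and NAT-T settings listed earlier in the message. The mapping from those spec items to profile keys is my reading of the format, and the assumption that a forced NAT-T mode is spelled with a `force` prefix is mine as well.

```python
# Profile lines copied from the post above (only the keys the check needs).
PROFILE = """\
n:phase1-dhgroup:2
n:phase1-keylen:128
n:phase1-life-secs:86400
n:phase2-keylen:128
n:phase2-pfsgroup:2
s:network-natt-mode:enable
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:aes
s:phase2-hmac:sha1
"""

# Settings the post lists, as profile key -> expected value (key mapping assumed).
EXPECTED = {
    "phase1-life-secs": 1800, "phase1-dhgroup": 2, "phase1-keylen": 128,
    "phase1-cipher": "aes", "phase1-hash": "sha1", "phase1-exchange": "main",
    "phase2-pfsgroup": 2, "phase2-keylen": 128,
    "phase2-transform": "aes", "phase2-hmac": "sha1",
}

def parse_profile(text):
    """Return {key: value}; 'n:' lines become ints, 's:' lines stay strings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, key, value = line.split(":", 2)   # value may be empty (dns-suffix)
        if kind == "n":
            settings[key] = int(value)
        elif kind == "s":
            settings[key] = value
        else:
            raise ValueError("unknown field type %r in %r" % (kind, line))
    return settings

def find_mismatches(settings, expected=EXPECTED):
    """Return [(key, profile_value, spec_value)] for every disagreement."""
    problems = [(k, settings.get(k), v) for k, v in expected.items()
                if settings.get(k) != v]
    # NAT-T: the post says "force"; the exact forced-mode token is assumed
    # to start with "force", so only the prefix is checked here.
    natt = settings.get("network-natt-mode", "")
    if not natt.startswith("force"):
        problems.append(("network-natt-mode", natt, "force*"))
    return problems
```

Running `find_mismatches(parse_profile(PROFILE))` reports the two keys whose profile values differ from the listed specs: the Phase 1 lifetime and the NAT-T mode.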

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
