Hi!
This is to follow up my mail from this morning and to report
that I found the solution to this problem. It was quite
sophisticated...
Executive summary: W2000 certificate management doesn't like
characters like "+" in the DSN!
Here's the story:
Andreas Haumer wrote:
>
> Hi!
>
> Thanks for the reply!
>
> George Pop wrote:
> >
[...]
>
> > thing would be to make two freeswans talk together using certificates and
> > after you are sure the config works make the connection from Win2k ..
>
> This is what I try to do now.
> I did setup lots of FreeS/WAN based IPsec tunnels in the
> past years, and they all work well. So I know how to work
> with IPsec, though only with PSK configurations so far.
>
I had no problem getting two FreeS/WAN VPN gateways
work together using my x509 certificates. It was a
matter of 3 minutes to set this up, because I already
had one side (including all the certificates) set up.
> With Linux & FreeS/WAN I have logfiles and tools like
> strace and tcpdump to debug in case something is not working.
> But on this damned W2K box I have nothing. This drives me crazy... :-(
>
Marcus Müller wrote me how to change the windows registry
in order to get useful log information out of it.
Thanks, Marcus! That did help a lot!
If someone is interested, here's how to get Windows to log
this information:
Add the following registry entry (on my system I didn't have this):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
Here, add a REG_DWORD entry named EnableLogging
and set its value to "1"
(ah, isn't that intuitive and user-friendly? I really
like Windows, it makes an administrator's life so full
of joy and fun. But I wonder how come Microsoft
calls a fully commented configuration file in /etc
complicated???)
Anyway, after a reboot (!) W2K creates a logfile called
%SystemRoot%\debug\Oakley.log
Here I found a first hint: Windows complained something with
the following messages:
[...]
error in CertStrToName = -2146885597
Failed to get issuer DN
[...]
I was then looking at my W2000 ipsec.conf file and
noticed the syntax of my root CA ID. As my company
is called "xS+S", I used the following DSN:
C=AT, S=Austria, L=Vienna, O=xS+S, CN=xS+S CA
In a wild guess, I changed my Root CA and all other certificates
to have names without special characters like "+", so I now
have a root CA DSN like
C=AT, S=Austria, L=Vienna, O=xss, CN=xss CA
and now it works!!!
The IPsec tunnel now goes up in the second I transmit the
first packet from the W2K computer to the network behind
my FreeS/WAN gateway.
But remember, with two FreeS/WAN gateways I didn't have a
single problem with my original certificates including
the "xS+S" DSN! Very strange.
Is there a RFC which specifies the legal characters in
a DSN or is this "feature" a "Microsoftism"?
Anyway, this seems to be the solution for a strange problem.
Thanks to all who responded to my request for help.
Special thanks goes to Marcus Müller, for his hint with
the registry, and of course for his W2K ipsec tool!
- andreas
--
Andreas Haumer         | mailto:andreas_at_xss.co.at
*x Software + Systeme  | http://www.xss.co.at/
Karmarschgasse 51/2/20 | Tel: +43-1-6060114-0
A-1100 Vienna, Austria | Fax: +43-1-6060114-71
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
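On the RFC question: RFC 2253 (string representation of distinguished names) makes ',' the separator between RDNs and '+' the separator between the attribute-value pairs of a multi-valued RDN, so an unescaped '+' inside a value such as "xS+S" is not a well-formed string DN, which is consistent with the CertStrToName failure above; a strict parser needs it written as xS\+S. The following Python is an added example, not code from the mail, from FreeS/WAN or from Windows: a minimal RFC 2253 parser that rejects the DN as originally written and accepts the escaped form, plus the escaping routine for values.

```python
# Added example (not from the mail, FreeS/WAN or Windows): a minimal RFC 2253
# string-DN parser. ',' separates RDNs, '+' separates the attribute-value pairs
# of a multi-valued RDN, '\' escapes either (quoted values, \XX hex not handled).
import re

SPECIAL = ',+"\\<>;='  # RFC 2253 section 2.4: escape these inside a value

def split_unescaped(s, seps):
    """Split s at unescaped chars from seps; escape sequences pass through."""
    pieces, cur = [], []
    for tok in re.findall(r'\\.|.', s, re.S):  # tok is an escape pair or a char
        if tok in seps:
            pieces.append(''.join(cur))
            cur = []
        else:
            cur.append(tok)
    pieces.append(''.join(cur))
    return pieces

def parse_dn(dn):
    """List of RDNs, each a list of (type, value); ValueError if malformed."""
    rdns = []
    for rdn_text in split_unescaped(dn, ','):
        rdn = []
        for ava in split_unescaped(rdn_text, '+'):
            parts = split_unescaped(ava, '=')
            if len(parts) != 2 or not parts[0].strip():
                raise ValueError(f"malformed attribute {ava!r} in {dn!r}")
            # the value is isolated now, so drop the escaping backslashes
            rdn.append((parts[0].strip(), re.sub(r'\\(.)', r'\1', parts[1])))
        rdns.append(rdn)
    return rdns

def is_valid_dn(dn):
    """True if dn parses as an RFC 2253 string DN, False otherwise."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False

def escape_value(value):
    """Backslash-escape the special chars (leading '#'/space and trailing space
    would need escaping as well; omitted here for brevity)."""
    return ''.join('\\' + c if c in SPECIAL else c for c in value)
```

With the DN from the mail, is_valid_dn returns False for the 'O=xS+S' form (the parser sees an attribute 'S' with no '='), while the same DN built with escape_value('xS+S') parses back to the value 'xS+S'.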
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:42 CEST