darlock_at_tinet.org wrote:
>
> Hi all,
>
> I have a Win2k road warrior using the VPN Tool and a freshly configured
> FreeS/WAN firewall (the best things to get into problems with, I know).
>
> I have created a CA and two certificates, added the certificate into
> the firewall, added the CA and the certificate into the Win2k box,
> applied the SP2, added the ipsectool from M$, and checked the config of
> Security Policies.
>
> All seems to be well configured, I have read 3 howtos and a few e-mail
> messages from this list (I think that I have done the homework :-) )
>
> Well, after disabling my firewall deny rules a few hours later :-) I
> can't get the road warrior to work. My FreeS/WAN config follows:
>
> --------------------------------
> conn %default
> #use RSA based authentication with certificates
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> #freeswan security gateway
> left=x.y.z.t
>
> leftid="/C=ES/ST=MyCity/O=MyCompany/OU=MyDept/CN=myhost.mydomain.com/Email=admin_at_mydomain.com"
> leftsubnet=192.168.1.0/24
> --------------------------------------------
>
> And my road warrior config follows:
> --------------------------------------------
> conn rw
> left=%any
> right=213.97.37.172
> rightca="C=ES, S=MyState, L=MyCity, O=My Company, OU=MyDept, E=admin_at_mydomain.com"
> network=ras
> auto=start
> rekey=1800S/30000K
> authmode=MD5
> pfs=yes
> --------------------------------------------
>
> When I start the ipsec.exe app, once connected to the internet, I get the
> following log on the firewall. What am I doing wrong? One strange thing is
> that the CA is different under FreeS/WAN and Win2k.... is that my problem?
>
leftid and rightca are not the same string. leftid is the subject
distinguished name (DN) whereas rightca should be the issuer DN
of the FreeS/WAN certificate. The issuer DN is identical to
the subject DN of the CA certificate!!!
Regards
Andreas
> --------------------------------------------
> Mar 14 16:33:52 r2d2 Pluto[20847]: packet from a.b.c.d:500: ignoring
> Vendor ID payload
> Mar 14 16:33:52 r2d2 Pluto[20847]: "rw" a.b.c.d #2: responding to Main
> Mode from unknown peer a.b.c.d
> Mar 14 16:33:53 r2d2 Pluto[20847]: "rw" a.b.c.d #2: encrypted
> Informational Exchange message is invalid because it is for incomplete
> ISAKMP SA
> Mar 14 16:35:03 r2d2 Pluto[20847]: "rw" a.b.c.d #2: max number of
> retransmissions (2) reached STATE_MAIN_R2
> Mar 14 16:35:03 r2d2 Pluto[20847]: "rw" a.b.c.d : deleting
> connection "rw" instance with peer a.b.c.d
> Mar 14 16:35:58 r2d2 Pluto[20847]: packet from a.b.c.d:500:
> Informational Exchange is for an unknown (expired?) SA
> --------------------------------------------
>
> Thanx.
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
-- 
======================================================================
Andreas Steffen                      e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur       home:   http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland)     phone:  +41 76 340 25 56
===============================================================[ZHW]==
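To make the DN point above concrete, here is an added Python example (written for this archive page; it is not FreeS/WAN, VPN Tool or Microsoft code, and not from anyone in the thread). It parses a DN in the OpenSSL slash notation FreeS/WAN uses and in the comma notation the Windows side uses, maps the attribute-type aliases (Windows "S" for OpenSSL "ST", Windows "E" for OpenSSL "Email") to one spelling, and compares the result. The leftid and rightca strings are the ones posted above; the CA subject DN is constructed for the example, since the thread never shows it, and the alias table is an assumption about how the two tools label the same attributes.

```python
"""
Normalise and compare X.509 distinguished names (DNs) as they appear in a
FreeS/WAN ipsec.conf (OpenSSL slash notation, "/C=ES/ST=.../CN=...") and
in the Windows 2000 VPN tool config (comma notation, "C=ES, S=..., E=...").

Added example for this thread; not FreeS/WAN, VPN Tool or Microsoft code.
The alias table is an assumption about how OpenSSL and the Windows
certificate tools label the same attribute types; extend it if needed.
"""
import re

# Windows shows "S" for stateOrProvinceName and "E" for emailAddress;
# OpenSSL prints "ST" and "Email"/"emailAddress". Map every spelling to one
# canonical name so the two notations can be compared.
ALIASES = {
    "S": "ST", "ST": "ST", "STATEORPROVINCENAME": "ST",
    "E": "EMAIL", "EMAIL": "EMAIL", "EMAILADDRESS": "EMAIL",
    "COUNTRYNAME": "C", "LOCALITYNAME": "L", "ORGANIZATIONNAME": "O",
    "ORGANIZATIONALUNITNAME": "OU", "COMMONNAME": "CN",
}


def parse_dn(dn):
    """Parse a DN in slash or comma notation into a list of (type, value).

    A separator preceded by a backslash is part of the value, not a split
    point. Attribute types are canonicalised; values keep their case and
    only have runs of whitespace collapsed, because the IKE daemon compares
    the literal strings, so "MyCity" and "mycity" are a mismatch.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        sep, body = "/", dn[1:]
    else:
        sep, body = ",", dn
    rdns = []
    for part in re.split(r"(?<!\\)" + re.escape(sep), body):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        value = " ".join(value.replace("\\" + sep, sep).split())
        rdns.append((ALIASES.get(attr, attr), value))
    return rdns


def dn_equal(a, b):
    """True if the two DN strings denote the same sequence of RDNs."""
    return parse_dn(a) == parse_dn(b)


def explain_mismatch(a, b):
    """List the RDN positions where two DNs differ (empty if they match)."""
    ra, rb = parse_dn(a), parse_dn(b)
    notes = []
    for i in range(max(len(ra), len(rb))):
        x = ra[i] if i < len(ra) else None
        y = rb[i] if i < len(rb) else None
        if x != y:
            notes.append("RDN %d: %r vs %r" % (i, x, y))
    return notes


# Strings from the thread: the gateway's own subject DN (leftid) and the
# rightca string the Windows side was given.
LEFTID = ("/C=ES/ST=MyCity/O=MyCompany/OU=MyDept/CN=myhost.mydomain.com"
          "/Email=admin_at_mydomain.com")
RIGHTCA = ("C=ES, S=MyState, L=MyCity, O=My Company, OU=MyDept, "
           "E=admin_at_mydomain.com")

# Constructed for this example (the thread never shows the CA's subject):
# what `openssl x509 -in cacert.pem -noout -subject` could print for the CA.
CA_SUBJECT = ("/C=ES/ST=MyState/L=MyCity/O=My Company/OU=MyDept"
              "/Email=admin_at_mydomain.com")


if __name__ == "__main__":
    # leftid is the gateway's subject DN; rightca is not meant to equal it.
    print("rightca == leftid (gateway subject)?", dn_equal(LEFTID, RIGHTCA))
    for line in explain_mismatch(LEFTID, RIGHTCA):
        print("   ", line)
    # rightca must equal the issuer DN of the gateway cert, i.e. the CA's
    # subject DN, which is the same DN written in the other notation.
    print("rightca == CA subject (issuer of gateway cert)?",
          dn_equal(CA_SUBJECT, RIGHTCA))
```

Run stand-alone it reports that rightca differs from leftid in four RDNs but matches the (constructed) CA subject, which is the comparison that matters. In practice the least error-prone way to fill in rightca is to print the CA certificate's subject with `openssl x509 -in cacert.pem -noout -subject` and copy it rather than retype it, since any difference in value case, spacing or RDN order is a mismatch.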
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:42 CEST