
Re: [Users] Difficult time - Sentinel

From: Andreas Steffen (andreas.steffen_at_zhwin.ch)
Date: Fri Mar 15 2002 - 13:52:54 CET


> Freeswan wrote:
>
> I have been trying for weeks to get a VPN connection from my WinXP box to my
> Linux box running Freeswan 1.96 with the x509 patches. Lately, I have been
> trying SSH's Sentinel and I think I'm a little closer, but I still need some
> help.
>
> This is my simple network:
>
> Remote:
> c600.bdunn.com (WinXP) (10.10.10.3) connects to Efficient 8561 Router
> (10.10.10.254 & 65.65.125.161) connects to Internet.
>
> Host:
> gateway.fielder.org (Linux) (192.168.132.3) connects to Cisco 1720 Router
> (192.168.132.1 & 66.137.141.190) connects to Internet.
>
> All ports are left open for these while I'm trying to get this to work.
> Obviously I'm natting using the Routers to do it.
>
> ipsec.conf from the Linux box:
> -----(snip)-----
> config setup
>     interfaces=%defaultroute
>     klipsdebug=none
>     plutodebug=none
>     plutoload=%search
>     plutostart=%search
>     uniqueids=yes
>
> conn %default
>     type=tunnel
>     keyexchange=ike
>     ikelifetime=240m
>     keylife=60m
>     pfs=yes
>     compress=no
>     authby=rsasig
>     auto=add
>     #
>     left=192.168.132.3
>     leftsubnet=192.168.132.0/24
>     #
>     right=%any
>     #
>
> conn remoteuser1
>     rightcert=c600.bdunn.com.pem
>     leftcert=gateway.fielder.org.pem
>
> -----(snip)-----
>
> Output from /var/log/secure:
> -----(snip)-----
> Mar 15 03:28:11 gateway Pluto[17802]: "remoteuser1" 65.65.125.161 #1: Peer ID
> is ID_FQDN: '@c600.bdunn.com'

The peer seems to possess a DNS subjectAltName. Try

        rightid=@c600.bdunn.com
        rightcert=c600.bdunn.com.pem

if c600.bdunn.com.pem possesses such a subjectAltName.

> Mar 15 03:28:11 gateway Pluto[17802]: "remoteuser1" 65.65.125.161 #1: Issuer
> CA certificate not found

This error message just means that no CA certificate is present. This is
not fatal if you load the cert directly using rightcert=c600.bdunn.com.pem.

> Mar 15 03:28:11 gateway Pluto[17802]: "remoteuser1" 65.65.125.161 #1: X.509
> certificate rejected

Not fatal, see above comment

> Mar 15 03:28:11 gateway Pluto[17802]: "remoteuser1" 65.65.125.161 #1: no
> suitable connection for peer '@c600.bdunn.com'

Just add the rightid=@c600.bdunn.com entry in ipsec.conf

> Mar 15 03:28:15 gateway Pluto[17802]: "remoteuser1" 65.65.125.161 #1: ignoring
> informational payload, type IPSEC_INITIAL_CONTACT
>
> -----(snip)-----
>
> ANY help you might provide will be GREATLY appreciated!!! I've also tried the
> vpn.ebootis.de Windows 2000 VPN tool following various directions with limited
> success. I really don't want to give up on this. Please help!

Regards

Andreas

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
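
Added example, not part of the original mail and not FreeS/WAN code: a small Python check that reproduces the diagnosis in the reply by collecting the peer IDs pluto rejected with "no suitable connection for peer" and reporting those that no conn declares as rightid. The function names are hypothetical, the sample config and log are constructed from the text quoted above (log lines rejoined onto one line each), and the script compares only explicit rightid values; it does not model pluto's own defaults or certificate handling.

```python
import re

# Constructed sample input, taken from the config and log quoted in the thread.
IPSEC_CONF = """\
conn %default
    authby=rsasig
    right=%any

conn remoteuser1
    rightcert=c600.bdunn.com.pem
    leftcert=gateway.fielder.org.pem
"""

SECURE_LOG = """\
Mar 15 03:28:11 gateway Pluto[17802]: "remoteuser1" 65.65.125.161 #1: Peer ID is ID_FQDN: '@c600.bdunn.com'
Mar 15 03:28:11 gateway Pluto[17802]: "remoteuser1" 65.65.125.161 #1: no suitable connection for peer '@c600.bdunn.com'
"""

def parse_conns(text):
    """Return {conn name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None              # a blank line ends the section
        elif line.startswith("#"):
            continue                    # comment line, section stays open
        elif line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None              # 'config setup' holds no conn keys
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def unmatched_peers(conf_text, log_text):
    """Peer IDs pluto rejected that no conn lists as an explicit rightid."""
    conns = parse_conns(conf_text)
    defaults = conns.pop("%default", {})
    # Each conn inherits from %default; its own keys take precedence.
    declared = {dict(defaults, **c).get("rightid") for c in conns.values()}
    rejected = re.findall(r"no suitable connection for peer '([^']+)'", log_text)
    return sorted({peer for peer in rejected if peer not in declared})

if __name__ == "__main__":
    for peer in unmatched_peers(IPSEC_CONF, SECURE_LOG):
        print(f"no conn declares rightid={peer}")
```

Appending the rightid=@c600.bdunn.com line from the reply to conn remoteuser1 in the sample config makes the report come back empty.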