
[Users] No acceptable response to our first IKE message

From: Jean-Robert WIAME (jrw_at_ngi.be)
Date: Fri Mar 29 2002 - 14:07:14 CET


Hi,
I'm currently trying to implement a VPN between a Windows 2000 Pro machine and a
Linux Debian 2.4 machine through a router.
Structure of the network:

|-----------------|
|pc1              |
|192.168.200.1    |
|windows 2000 pro |
|-----------------|
        |
        |
        |
|-----------------|
|router           | (no address translation)
|192.168.200.254  |
|linux debian     |
|10.1.110.17      |
|-----------------|
        |
        ---------------------------
        |                         |
|-----------------|      |-----------------|
|pc2              |      |pc3              |
|10.1.110.15      |      |10.1.110.16      |
|linux debian     |      |windows 2000 pro |
|-----------------|      |-----------------|

Until now, I was able to connect pc1 and pc3 through the router, and pc2 and pc3
on the same network.
But I can't create a secure connection between pc1 and pc2.
I use certificates.

Here is the configuration of pc1:
----------------------------------
conn pc3-pc1
        left=192.168.200.1
        leftca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
        right=10.1.110.16
        rightca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
        network=auto
        auto=start
        pfs=yes

conn pc1-pc2
        left=192.168.200.1
        leftca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
        right=10.1.110.15
        rightca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
        network=auto
        auto=start
        pfs=yes

Here is the configuration of pc3:
----------------------------------
conn pc2-pc1
        left=192.168.200.1
        leftca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
        right=10.1.110.16
        rightca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
        network=auto
        auto=start
        pfs=yes

conn pc1-pc2
        left=192.168.200.1
        leftca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
        right=10.1.110.15
        rightca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
        network=auto
        auto=start
        pfs=yes

Here is the configuration of pc2:
----------------------------------
[pc2:/root]# more /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        syslog=daemon.error
 
conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        right=10.1.110.15
        rightcert=pc2.int.ngi.be.cert.pem
        auto=add
        pfs=yes
 
 
conn pc1-pc2
        left=192.168.200.1
        leftid="C=BE, ST=BRUSSEL, L=BRUSSEL, O=NGI, OU=CTI, CN=CA, E=ca_at_ngi.be"
        leftnexthop=10.1.110.17
        leftsubnet=192.168.0.0/16
 
conn pc3-pc2
        left=10.1.110.16
        leftid="C=BE, ST=BRUSSEL, L=BRUSSEL, O=NGI, OU=CTI, CN=CA, E=ca_at_ngi.be"

I followed a tutorial found at:
http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509
for exporting the certificates.

With this configuration, when I launch the following command:

[pc2:/root]# more vpn/cert_initiate.sh
#!/bin/sh
ipsec setup restart
sleep 1
ipsec whack --listen
sleep 5
ipsec whack --name pc1-pc2 --initiate
ipsec look

I get the following result:

[pc2:vpn]# ./cert_initiate.sh
ipsec_setup: Stopping FreeS/WAN IPsec...
ipsec_setup: stop ordered, but IPsec does not appear to be running!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting FreeS/WAN IPsec 1.96...
002 listening for IKE messages
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loaded private key file '/etc/ipsec.d/private/pc2.key' (963 bytes)
002 "pc1-pc2" #1: initiating Main Mode
104 "pc1-pc2" #1: STATE_MAIN_I1: initiate
010 "pc1-pc2" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "pc1-pc2" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
031 "pc1-pc2" #1: max number of retransmissions (2) reached STATE_MAIN_I1.
No acceptable response to our first IKE message
pc2 Fri Mar 29 15:15:46 CET 2002
ipsec0->eth0 mtu=16260(1500)->1500
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         10.254.254.254  0.0.0.0         UG     40 0      0    eth0
10.0.0.0        0.0.0.0         255.0.0.0       U      40 0      0    eth0
10.0.0.0        0.0.0.0         255.0.0.0       U      40 0      0    ipsec0
192.168.0.0     10.1.110.17     255.255.0.0     UG     40 0      0    eth0

On the pc1 Windows box, "ping 10.1.110.15" gives "Negotiating IP Security."
I use the http://vpn.ebootis.de/ IPsec tools on the two Windows 2000 Pro boxes.
I can't find the reason for the connection failure.

I find the definition of the leftid in the pc2 ipsec configuration file strange.
I tried to put the same leftid that I set in the configuration files of the two
Windows machines (pc1 and pc3), but I only get an invalid ID error.

Thanks for any help or information.

--
Jean-Robert WIAME		email: jrw_at_ngi.be
BELGIUM
--
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
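An added example (my own code, not from the post or from FreeS/WAN) that parses the whack/pluto lines printed above and reports the IKEv1 Main Mode state at which the exchange stalled; the sample lines are copied from the pc2 run in the post, and the state-to-message mapping is standard Main Mode (message 1 SA proposal, 3 KE/nonce, 5 ID/signature).

```python
import re

# Pluto output as relayed by whack in pc2's cert_initiate.sh run above
# (the ipsec_setup and "ipsec look" lines do not match and are skipped).
PLUTO_OUTPUT = """\
002 "pc1-pc2" #1: initiating Main Mode
104 "pc1-pc2" #1: STATE_MAIN_I1: initiate
010 "pc1-pc2" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "pc1-pc2" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
031 "pc1-pc2" #1: max number of retransmissions (2) reached STATE_MAIN_I1.
"""

# Which Main Mode message the initiator is waiting for in each state, and so
# what an unanswered message at that point does and does not implicate.
# Identities and certificates only travel in messages 5 and 6, so a stall
# in I1 or I2 cannot yet be a certificate, CA or leftid/rightid problem.
STALL_MEANING = {
    "STATE_MAIN_I1": "message 1 (SA proposal) unanswered: peer unreachable, UDP/500 "
                     "blocked on the path, IKE not listening on that address, or no "
                     "connection on the peer that matches our address",
    "STATE_MAIN_I2": "message 3 (KE/nonce) unanswered: peer dropped the exchange "
                     "after accepting the SA proposal",
    "STATE_MAIN_I3": "message 5 (ID/signature) unanswered: ID, certificate or CA "
                     "mismatch on the peer",
}

# whack prefixes each relayed line: 3-digit code, quoted conn name, SA number.
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r"STATE_MAIN_[IR]\d")
RETRANS_RE = re.compile(r": retransmission;")  # skips the "max number of retransmissions" summary

def diagnose_main_mode(output):
    """Return (conn, last_state, retransmissions, diagnosis) for one pluto run."""
    conn = last_state = None
    retrans = 0
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = m.group("conn")
        state = STATE_RE.search(m.group("msg"))
        if state:
            last_state = state.group(0)
        if RETRANS_RE.search(m.group("msg")):
            retrans += 1
    if last_state is None:
        return conn, None, retrans, "no Main Mode state reported"
    reason = STALL_MEANING.get(last_state, "unexpected state; read the full pluto log")
    return conn, last_state, retrans, f"stalled in {last_state} after {retrans} retransmissions: {reason}"

if __name__ == "__main__":
    print(diagnose_main_mode(PLUTO_OUTPUT))
```

For the run in the post this reports a stall in STATE_MAIN_I1 after 2 retransmissions, meaning pc2's very first IKE packet to 192.168.200.1 (routed via 10.1.110.17) was never answered. That places the fault in reachability of UDP/500 or in the peer's willingness to respond to 10.1.110.15, before the leftid and certificate settings are ever examined.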



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:47 CEST