Jean-Robert WIAME wrote:
>
> Hi,
> I'm currently trying to implement a VPN between a Windows 2000 Pro and a
> Linux Debian 2.4 through a router.
> Structure of the network:
>
> |-----------------|
> |pc1              |
> |192.168.200.1    |
> |windows 2000 pro |
> |-----------------|
>          |
>          |
>          |
> |-----------------|
> |router           |  (no address translation)
> |192.168.200.254  |
> |linux debian     |
> |10.1.110.17      |
> |-----------------|
>          |
>          -----------------------
>          |                     |
> |-----------------|   |-----------------|
> |pc2              |   |pc3              |
> |10.1.110.15      |   |10.1.110.16      |
> |linux debian     |   |windows 2000 pro |
> |-----------------|   |-----------------|
>
> Until now, I was able to connect pc1 and pc3 through the router, and pc2 and pc3
> on the same network.
> But I can't create a secure connection between pc1 and pc2.
> I use certificates.
>
> Here is the configuration of pc1:
> -----------------------------------
> conn pc3-pc1
> left=192.168.200.1
> leftca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
> right=10.1.110.16
> rightca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
> network=auto
> auto=start
> pfs=yes
>
> conn pc1-pc2
> left=192.168.200.1
> leftca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
> right=10.1.110.15
> rightca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
> network=auto
> auto=start
> pfs=yes
>
> Here is the configuration of pc3:
> -------------------------------
> conn pc2-pc1
> left=192.168.200.1
> leftca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
> right=10.1.110.16
> rightca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
> network=auto
> auto=start
> pfs=yes
>
> conn pc1-pc2
> left=192.168.200.1
> leftca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
> right=10.1.110.15
> rightca="C=BE, S=BR, L=BR, O=IGN, OU=CTI, CN=CA, E=ca_at_ngi.be"
> network=auto
> auto=start
> pfs=yes
>
> Here is the configuration of pc2:
> -------------------------------
> [pc2:/root]# more /etc/ipsec.conf
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
> # basic configuration
> config setup
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=none
> plutoload=%search
> plutostart=%search
> uniqueids=yes
> syslog=daemon.error
>
> conn %default
> keyingtries=1
> compress=yes
> disablearrivalcheck=no
> authby=rsasig
> rightrsasigkey=%cert
> leftrsasigkey=%cert
> right=10.1.110.15
> rightcert=pc2.int.ngi.be.cert.pem
> auto=add
> pfs=yes
>
>
> conn pc1-pc2
> left=192.168.200.1
> leftid="C=BE, ST=BRUSSEL, L=BRUSSEL, O=NGI, OU=CTI, CN=CA,
> E=ca_at_ngi.be"
> leftnexthop=10.1.110.17
> leftsubnet=192.168.0.0/16
Windows 2000 Professional cannot have a subnet behind itself, since
it is not able to route it.
>
> conn pc3-pc2
> left=10.1.110.16
> leftid="C=BE, ST=BRUSSEL, L=BRUSSEL, O=NGI, OU=CTI, CN=CA,
> E=ca_at_ngi.be"
>
With uniqueids=yes the connections pc1-pc2 and pc3-pc2 cannot be
up simultaneously, since pc1 and pc2 seem to have the same ID
"C=BE, ST=BRUSSEL, L=BRUSSEL, O=NGI, OU=CTI, CN=CA, E=ca_at_ngi.be".
Please use different certificates for pc1 and pc3.
> I followed a tutorial found at:
> http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509
> for exporting the certificate.
>
> With this configuration, when I launch the following command:
>
> [pc2:/root]# more vpn/cert_initiate.sh
> #!/bin/sh
> ipsec setup restart
> sleep 1
> ipsec whack --listen
> sleep 5
> ipsec whack --name pc1-pc2 --initiate
> ipsec look
>
> I get the following result:
>
> [pc2:vpn]# ./cert_initiate.sh
> ipsec_setup: Stopping FreeS/WAN IPsec...
> ipsec_setup: stop ordered, but IPsec does not appear to be running!
> ipsec_setup: doing cleanup anyway...
> ipsec_setup: Starting FreeS/WAN IPsec 1.96...
> 002 listening for IKE messages
> 002 forgetting secrets
> 002 loading secrets from "/etc/ipsec.secrets"
> 002 loaded private key file '/etc/ipsec.d/private/pc2.key' (963 bytes)
> 002 "pc1-pc2" #1: initiating Main Mode
> 104 "pc1-pc2" #1: STATE_MAIN_I1: initiate
> 010 "pc1-pc2" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
> 010 "pc1-pc2" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
> 031 "pc1-pc2" #1: max number of retransmissions (2) reached STATE_MAIN_I1.
No answer from pc1. Have you applied Service Pack 2 with strong encryption
on Windows 2000, since FreeS/WAN does not support single DES? Activate the
oakley.log on W2k to see what is wrong.
> No acceptable response to our first IKE message
> pc2 Fri Mar 29 15:15:46 CET 2002
> ipsec0->eth0 mtu=16260(1500)->1500
> Destination     Gateway          Genmask          Flags MSS Window irtt Iface
> 0.0.0.0         10.254.254.254   0.0.0.0          UG     40 0      0    eth0
> 10.0.0.0        0.0.0.0          255.0.0.0        U      40 0      0    eth0
> 10.0.0.0        0.0.0.0          255.0.0.0        U      40 0      0    ipsec0
> 192.168.0.0     10.1.110.17      255.255.0.0      UG     40 0      0    eth0
>
> On the pc1 Windows box, "ping 10.1.110.15" gives "Negociating IP Security."
> I use the http://vpn.ebootis.de/ ipsec tools on the two Windows 2000 Pro boxes.
> I can't find the reason for the connection failure.
>
> I find the definition of the leftid in the pc2 ipsec configuration file
> strange. I tried to put the same leftid that I set in the configuration files
> of the two Windows boxes (pc1 and pc3), but I only get an invalid ID error.
>
> Thanks for any help or information.
>
> --
> Jean-Robert WIAME email: jrw_at_ngi.be
> BELGIUM
Regards
Andreas
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
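The ID collision Andreas points out (two conns whose left ends present the same X.509 DN while uniqueids=yes is set) is easy to miss by eye in a longer ipsec.conf. The script below is an added example, not part of this thread or of FreeS/WAN: it parses a FreeS/WAN-style ipsec.conf, applies the conn %default section the way Pluto does, and reports any identity that is presented by more than one peer address. The sample configuration is constructed here, modelled on the pc2 file quoted above; the function and variable names are the example's own.

```python
"""Find peer-ID collisions in a FreeS/WAN-style ipsec.conf (added example).

With uniqueids=yes, Pluto treats a new ISAKMP SA from an ID that is already
in use as a replacement for the old one, so two different peers presenting
the same ID cannot be up at the same time.  This script flags such IDs.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the pc2 configuration in the thread.
SAMPLE_CONF = """\
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
config setup
    interfaces=%defaultroute
    uniqueids=yes

conn %default
    authby=rsasig
    right=10.1.110.15
    auto=add

conn pc1-pc2
    left=192.168.200.1
    leftid="C=BE, ST=BRUSSEL, L=BRUSSEL, O=NGI, OU=CTI, CN=CA, E=ca_at_ngi.be"
    leftnexthop=10.1.110.17

conn pc3-pc2
    left=10.1.110.16
    leftid="C=BE, ST=BRUSSEL, L=BRUSSEL, O=NGI, OU=CTI, CN=CA, E=ca_at_ngi.be"
"""

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)$")


def parse_ipsec_conf(text):
    """Return {'setup': {...}, 'conns': {name: {...}}} for the given text.

    'config setup' or 'conn NAME' opens a section; every following key=value
    line belongs to it.  Indentation is not required, because configs pasted
    into mail usually lose their tabs.  Comments and blank lines are skipped,
    and surrounding double quotes are stripped from values (DNs are quoted).
    """
    setup, conns = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (values here contain no '#')
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            current = setup if kind == "config" else conns.setdefault(name, {})
            continue
        if current is None or "=" not in line:
            continue                            # setting outside any section
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        current[key.strip()] = value
    return {"setup": setup, "conns": conns}


def effective_conns(parsed):
    """Apply 'conn %default' underneath every other conn, as Pluto does."""
    defaults = parsed["conns"].get("%default", {})
    merged = {}
    for name, settings in parsed["conns"].items():
        if name != "%default":
            merged[name] = {**defaults, **settings}
    return merged


def end_identity(conn, side):
    """ID presented for one end: leftid/rightid if set, else the address."""
    return conn.get(side + "id") or conn.get(side)


def find_id_collisions(text):
    """Return (uniqueids_enabled, collisions).

    A collision is one ID presented from more than one address; the same ID
    reused with the same address (the local host in every conn) is normal.
    """
    parsed = parse_ipsec_conf(text)
    by_id = defaultdict(lambda: defaultdict(list))   # id -> addr -> [conn names]
    for name, conn in effective_conns(parsed).items():
        for side in ("left", "right"):
            ident, addr = end_identity(conn, side), conn.get(side)
            if ident and addr:
                by_id[ident][addr].append(name)
    collisions = [{"id": i, "endpoints": dict(a)} for i, a in by_id.items() if len(a) > 1]
    uniqueids = parsed["setup"].get("uniqueids", "no").lower() == "yes"
    return uniqueids, collisions


if __name__ == "__main__":
    enabled, found = find_id_collisions(SAMPLE_CONF)
    for c in found:
        print("ID %r is presented by %d different peers:" % (c["id"], len(c["endpoints"])))
        for addr, names in c["endpoints"].items():
            print("  %-16s %s" % (addr, ", ".join(names)))
    if found and enabled:
        print("uniqueids=yes: these conns cannot be up simultaneously; use distinct certificates.")
```

Run it against a real /etc/ipsec.conf by reading the file into `find_id_collisions` instead of `SAMPLE_CONF`; on the sample it reports the CA DN being presented from both 192.168.200.1 and 10.1.110.16, which is exactly the situation described in the reply above.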
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:47 CEST