
[Users] Securing WLAN connection from Windows XP clients to Linux server

From: Jörg Spilker (js_at_jetsys.de)
Date: Sun Mar 31 2002 - 09:33:32 CEST


Hello,

I've some problems with securing WLAN connections from some Windows XP
clients. There are some problems with the key exchange.

My system:

SuSE Linux 7.3. FreeS/WAN updated to 1.96 with X.509 patch 0.9.9. Internal
Network is 192.168.9.0 where .1 is the linux server. The WLAN clients get
their IP via DHCP from .200 to .254. The network is connected to the
Internet via ADSL.

I've created 3 certs. First the cert of my own little CA (placed in
/etc/ipsec.d/cacerts). With help of the CA, I created the Gateway cert for
the Linux machine (installed in /etc/x509cert.der). Finally I created the
client certificate and put the result into an *.p12 file. I installed this
cert with the Management console in the computer account on the XP client.

Here the details of the linux side of my configuration:

/etc/ipsec.conf (Linux)

# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces="ipsec0=eth0"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
 # How persistent to be in (re)keying negotiations (0 means very).
 keyingtries=0
 # RSA authentication with keys from certs.
 authby=rsasig
 leftrsasigkey=%cert
 rightrsasigkey=%cert

conn wlanuser
 left=192.168.9.1
 leftsubnet=192.168.9.0/24
 leftid="C=DE, O=JetSys, CN=daolin.dyndns.org"
 right=%any
 auto=add

That's what ipsec is reporting on startup:

Mar 31 08:36:44 daolin ipsec__plutorun: Starting Pluto subsystem...
Mar 31 08:36:44 daolin ipsec_setup: ...FreeS/WAN IPsec started
Mar 31 08:36:44 daolin Pluto[16181]: Starting Pluto (FreeS/WAN Version 1.96)
Mar 31 08:36:44 daolin Pluto[16181]: including X.509 patch (Version 0.9.9)
Mar 31 08:36:45 daolin Pluto[16181]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 31 08:36:45 daolin Pluto[16181]: loaded cacert file 'cacert.pem' (1724 bytes)
Mar 31 08:36:45 daolin Pluto[16181]: Changing to directory '/etc/ipsec.d/crls'
Mar 31 08:36:45 daolin Pluto[16181]: loaded crl file 'crl.pem' (719 bytes)
Mar 31 08:36:45 daolin Pluto[16181]: loaded my X.509 cert file '/etc/x509cert.der' (1126 bytes)
Mar 31 08:36:47 daolin Pluto[16181]: added connection description "wlanuser"
Mar 31 08:36:47 daolin Pluto[16181]: listening for IKE messages
Mar 31 08:36:47 daolin Pluto[16181]: adding interface ipsec0/eth0 192.168.9.1
Mar 31 08:36:47 daolin Pluto[16181]: loading secrets from "/etc/ipsec.secrets"
Mar 31 08:36:47 daolin Pluto[16181]: loaded private key file '/etc/ipsec.d/private/gatewayKey.pem' (963 bytes)
Mar 31 08:36:52 daolin kernel: ipsec0: no IPv6 routers present

OK, here is the ipsec.conf on Windows (activated by the tool ipsec.exe):

ipsec.conf (Windows)

conn Daolin
 left=%any
 right=192.168.9.1
 rightsubnet=192.168.9.0/255.255.255.0
 rightca="C=DE, O=JetSys, CN=daolin.dyndns.org"
 network=auto
 auto=start
 pfs=yes

And now a ping from the client to my gateway:

Connection try:

Mar 31 08:37:40 daolin Pluto[16181]: packet from 192.168.9.253:500: ignoring Vendor ID payload
Mar 31 08:37:40 daolin Pluto[16181]: "wlanuser" 192.168.9.253 #1: responding to Main Mode from unknown peer 192.168.9.253
Mar 31 08:37:41 daolin Pluto[16181]: "wlanuser" 192.168.9.253 #1: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA

What's wrong here? Did I mess up something with the certs?

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
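
The certificate setup the message describes (own CA in /etc/ipsec.d/cacerts, DER gateway cert in /etc/x509cert.der with its key in /etc/ipsec.d/private/gatewayKey.pem, client cert in a .p12), built with OpenSSL and followed by the consistency checks a practitioner runs before blaming Pluto. This is an added example, not code from the original post or from the FreeS/WAN project. The gateway DN is the post's leftid; the CA's own DN, the client CN, the .p12 passphrase and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build the CA, gateway and client
# certificates described in the message and check the things that commonly
# break an X.509 FreeS/WAN setup. Assumptions: CA DN, client CN, .p12
# passphrase and scratch directory; the gateway DN is the post's leftid.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_SUBJ="/C=DE/O=JetSys/CN=JetSys-CA"          # assumption: the CA's own DN
GW_SUBJ="/C=DE/O=JetSys/CN=daolin.dyndns.org"  # leftid from the post
CL_SUBJ="/C=DE/O=JetSys/CN=xpclient"           # assumption: client DN
P12_PASS="changeme"                            # assumption: choose a real one
LEFTID="C=DE, O=JetSys, CN=daolin.dyndns.org"  # as written in ipsec.conf

# Print a certificate subject in the "C=DE, O=JetSys, CN=..." form FreeS/WAN
# uses for leftid/rightid/rightca. OpenSSL's compat form is "/C=DE/O=../CN=..";
# attribute order is preserved, which is what the ID comparison relies on.
# Caveat: a DN attribute that itself contains '/' would be split incorrectly.
freeswan_dn() { # certfile [PEM|DER]
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -subject -nameopt compat |
        sed -e 's/^subject= *//' -e 's#^/##' -e 's#/#, #g'
}

# Issue a CA-signed cert for a CSR; the serial must be unique per CA.
sign_csr() { # csr outfile serial
    openssl x509 -req -in "$1" -CA "$WORKDIR/cacerts/cacert.pem" \
        -CAkey "$WORKDIR/private/cakey.pem" -set_serial "$3" -days 730 \
        -out "$2" 2>/dev/null
}

make_pki() {
    mkdir -p "$WORKDIR/cacerts" "$WORKDIR/private"
    # 1. Self-signed CA; the PEM is what goes into /etc/ipsec.d/cacerts/.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1825 -subj "$CA_SUBJ" \
        -keyout "$WORKDIR/private/cakey.pem" \
        -out "$WORKDIR/cacerts/cacert.pem" 2>/dev/null
    # 2. Gateway key and CSR; the cert is stored DER-encoded like /etc/x509cert.der.
    openssl req -new -newkey rsa:2048 -nodes -subj "$GW_SUBJ" \
        -keyout "$WORKDIR/private/gatewayKey.pem" \
        -out "$WORKDIR/gateway.csr" 2>/dev/null
    sign_csr "$WORKDIR/gateway.csr" "$WORKDIR/gateway.pem" 2
    openssl x509 -in "$WORKDIR/gateway.pem" -outform DER -out "$WORKDIR/x509cert.der"
    # 3. Client key and cert, bundled with the CA cert into the .p12 that the
    #    XP Management Console imports into the computer account.
    openssl req -new -newkey rsa:2048 -nodes -subj "$CL_SUBJ" \
        -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" 2>/dev/null
    sign_csr "$WORKDIR/client.csr" "$WORKDIR/client.pem" 3
    openssl pkcs12 -export -in "$WORKDIR/client.pem" -inkey "$WORKDIR/client.key" \
        -certfile "$WORKDIR/cacerts/cacert.pem" -out "$WORKDIR/client.p12" \
        -passout "pass:$P12_PASS"
}

# Returns 0 only if everything Pluto and the client must agree on is consistent.
check_pki() {
    # Both end-entity certs must chain to the single CA cert Pluto loads.
    openssl verify -CAfile "$WORKDIR/cacerts/cacert.pem" \
        "$WORKDIR/gateway.pem" "$WORKDIR/client.pem" >/dev/null
    # The DER gateway cert's subject must equal leftid exactly, same order.
    [ "$(freeswan_dn "$WORKDIR/x509cert.der" DER)" = "$LEFTID" ]
    # gatewayKey.pem must be the private half of the gateway cert's key.
    [ "$(openssl x509 -in "$WORKDIR/gateway.pem" -noout -modulus)" = \
      "$(openssl rsa -in "$WORKDIR/private/gatewayKey.pem" -noout -modulus)" ]
    # The .p12 must open with the passphrase and carry the client cert.
    openssl pkcs12 -in "$WORKDIR/client.p12" -passin "pass:$P12_PASS" \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject >/dev/null
}

make_pki
check_pki
echo "CA DN      (rightca on the client): $(freeswan_dn "$WORKDIR/cacerts/cacert.pem")"
echo "gateway DN (leftid / rightid):      $(freeswan_dn "$WORKDIR/x509cert.der" DER)"
echo "client DN  (rightid on the gateway): $(freeswan_dn "$WORKDIR/client.pem")"
```

The three DNs printed at the end are in the form the configuration files expect; note that in the FreeS/WAN X.509 patch (and in ipsec.exe's ipsec.conf) `leftca`/`rightca` names the issuing CA's DN, while a peer's own certificate subject is what `leftid`/`rightid` is matched against, so the CA line and the gateway line above belong to different keywords. On OpenSSL 3 the `pkcs12 -export` defaults (AES with PBKDF2) are not importable by Windows XP; add `-legacy` to that call when the client really is XP.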

This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:47 CEST