
Re: [Users] W2k does not talk

From: Harry Brueckner (harry.brueckner_at_orange-digital.de)
Date: Wed Apr 24 2002 - 12:45:48 CEST


Hello,

Andreas Haumer wrote:

>>I am trying to get W2k to connect to my FreeS/WAN gateway (freeswan
>>1.96, x509 0.9.9). I had a test environment working and got a W2k
>>notebook to connect to FreeS/WAN properly.
>>I am using Marcus Müller's tool and the very nice help page from Nate
>>Carlson.
>>
>>After setting up my real life environment, replacing the test
>>certificates and configuring another W2k machine I have no further idea
>>about what to do.
>>
>>The W2k machine does not even send a single data packet into the network
>>when it tries to start the VPN connection. The statistics about the
>>network interface and Ethereal do not show any outgoing data.
>>The former test notebook still works fine and even sends data with wrong
>>or no certificate at all (which fails during the authentication of course).
>>
>>Now the question is: What is wrong that the W2k client does not send any
>>packets?
>>
>>
> I had a similar problem when I tried to set up a VPN between
> W2K and Free/SWAN
>
> First: The "ipsec.exe" tool only installs the Windows IPsec policy,
> it does _not_ actually start the tunnel!
> The tunnel is activated the first time windows sees a packet sent
> to the internal network on the other side of the tunnel.
> Try to ping some host in your rightsubnet behind your FreeS/WAN
> gateway.
> This should activate your tunnel. (Though from your problem
> description it looks like you knew that already, didn't you?)

Yes, I knew that and when I run e.g. a "ping 192.168.100.1" I get the
message about negotiating IP security but even with "ping -n 1000
192.168.100.1" and a lot of these messages not even a single packet
leaves my ethernet card.

> Second: Windows is very picky about special characters in the DN.
> In our case, it was the "+" in "xS+S" which Windows didn't like,
> and the VPN configuration was ignored completely, resulting in the
> same symptoms you describe.

What exactly do you mean by that?

> I don't see this problem in your example
> configuration file, but it is something to be aware of. Maybe it
> also doesn't like the "-" in your "O=" field?

The "-" was in my test certificate already and working fine there. :-/

> You can also activate some Windows debugging feature to get
> more information out of this "operating system"
>
> You have to add the following key to your registry:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
>
> and add a REG_DWORD named "EnableLogging" with a value of
> "1" to this key.
>
> After a reboot windows writes some debugging information
> to a file called "Oakley.log" in your %SystemRoot%\debug folder.

I tried that too but the debug information there is kind of useless. It
shows a lot of debug stuff which might be useful if you could look at the
source code but since I don't have this it's kinda useless.
The only error message I get there is "No response from peer" and that
is not really astonishing since the peer never gets any data sent and
hence does not answer.

Maybe you have any other ideas?
I guess it might be that the client does not find my certificate but it
is in the right place and in my config I use the root ca data which I
can also see when I look at properties of the imported certificate.

Any kind of error message would be very helpful if the ipsec command
could not find any valid certificate. :-/

Harry
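The Oakley logging steps quoted above (registry key, EnableLogging DWORD, reboot, then %SystemRoot%\debug\Oakley.log), collected into one script as an added example; this is not from the thread or from FreeS/WAN, and it assumes an elevated PowerShell session on the Windows client. The string it searches for is the "No response from peer" message Harry reports.

```powershell
# Added example, not part of the original mail. Assumes an elevated session.
# Registry location and value name are the ones given in the thread.
$oakleyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley'

# Create the Oakley key if it does not exist yet, then set EnableLogging=1 (REG_DWORD).
if (-not (Test-Path $oakleyKey)) {
    New-Item -Path $oakleyKey -Force | Out-Null
}
New-ItemProperty -Path $oakleyKey -Name 'EnableLogging' -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back so a typo in the key path is caught before the reboot.
$current = (Get-ItemProperty -Path $oakleyKey -Name 'EnableLogging').EnableLogging
if ($current -ne 1) {
    throw "EnableLogging is '$current', expected 1 under $oakleyKey"
}
Write-Output "Oakley logging enabled; reboot before the log file is written."

# After the reboot the trace is written to %SystemRoot%\debug\Oakley.log.
$oakleyLog = Join-Path $env:SystemRoot 'debug\Oakley.log'
if (Test-Path $oakleyLog) {
    # Count timed-out negotiations: the symptom described in this thread
    # (the client never puts a packet on the wire, so the peer cannot answer).
    $timeouts = Select-String -Path $oakleyLog -Pattern 'No response from peer' -SimpleMatch
    Write-Output ("'No response from peer' occurrences: {0}" -f @($timeouts).Count)
    # Show the most recent lines so the context around the failure is visible.
    Get-Content -Path $oakleyLog -Tail 20
} else {
    Write-Warning "Log file not present yet: $oakleyLog (reboot first)"
}
```

Run it once before the reboot to set the key, and again afterwards to inspect the log.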

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:53 CEST