I have freeswan 1.97 connecting our two offices, but I have now patched
freeswan with the x509 certificate patch.
I am now trying to get w2k hosts to connect to the gateway, but there is no
authentication message in the logs.
I followed the setup at
http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509
Here is the config:

/etc/ipsec.conf
# Mobile to office VPN
conn mobile-office
        # Left security gateway, subnet behind it, next hop toward right.
        compress=yes
        disablearrivalcheck=no
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftcert=officegw.gleanerjm.com.pem
        left=%defaultroute
        leftsubnet=89.0.0.0/8
        leftnexthop=
        #leftnexthop=208.138.31.1
        # Right security gateway, subnet behind it, next hop toward left.
        right=%any
        #right=0.0.0.0
        auto=add
        pfs=yes

/etc/ipsec.secrets
: RSA {
        # RSA 1024 bits host.gleanerjm.com Wed Apr 24 17:17:10 2002
        ......
        }
: RSA host.gleanerjm.com.key "password!!!"

/var/log/message reports
------------------------
Apr 26 12:26:36 fw01 ipsec_setup: Stopping FreeS/WAN IPsec...
Apr 26 12:26:37 fw01 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Apr 26 12:26:37 fw01 ipsec_setup: ...FreeS/WAN IPsec stopped
Apr 26 12:26:38 fw01 ipsec_setup: Starting FreeS/WAN IPsec 1.97...
Apr 26 12:26:38 fw01 ipsec_setup: KLIPS debug `none'
Apr 26 12:26:38 fw01 ipsec_setup: KLIPS ipsec0 on eth1 208.138.31.25/255.255.255.0 broadcast 208.138.31.255
Apr 26 12:26:38 fw01 ipsec_setup: ...FreeS/WAN IPsec started
Apr 26 12:26:38 fw01 ipsec__plutorun: 003 "/etc/ipsec.secrets" line 20: error loading RSA private key file
Apr 26 12:26:38 fw01 ipsec__plutorun: 025 "sii-to-mobay": cannot route Road Warrior template
Apr 26 12:26:38 fw01 ipsec__plutorun: 025 "sii-to-mobay": could not route
Apr 26 12:26:38 fw01 ipsec__plutorun: ...could not route conn "sii-to-mobay"
Apr 26 12:26:38 fw01 ipsec__plutorun: 025 "kgnfw-to-mbyfw": cannot route Road Warrior template
Apr 26 12:26:38 fw01 ipsec__plutorun: 025 "kgnfw-to-mbyfw": could not route
Apr 26 12:26:38 fw01 ipsec__plutorun: ...could not route conn "kgnfw-to-mbyfw"
Apr 26 12:26:38 fw01 ipsec__plutorun: 025 "kgn-to-mobay-rsa": cannot route Road Warrior template
Apr 26 12:26:38 fw01 ipsec__plutorun: 025 "kgn-to-mobay-rsa": could not route
Apr 26 12:26:38 fw01 ipsec__plutorun: ...could not route conn "kgn-to-mobay-rsa"
Apr 26 12:26:38 fw01 ipsec__plutorun: 029 "sii-to-mobay": cannot initiate connection without knowing peer IP address
Apr 26 12:26:38 fw01 ipsec__plutorun: ...could not start conn "sii-to-mobay"
Apr 26 12:26:38 fw01 ipsec__plutorun: 029 "kgnfw-to-mbyfw": cannot initiate connection without knowing peer IP address
Apr 26 12:26:38 fw01 ipsec__plutorun: ...could not start conn "kgnfw-to-mbyfw"
Apr 26 12:26:38 fw01 ipsec__plutorun: 029 "kgn-to-mobay-rsa": cannot initiate connection without knowing peer IP address
Apr 26 12:26:38 fw01 ipsec__plutorun: ...could not start conn "kgn-to-mobay-rsa"
+------------------------------------------------------------+
|I deleted then added the connection and this was the message|
+------------------------------------------------------------+
Apr 26 12:38:31 fw01 Pluto[18937]: "mobile-kgn": deleting connection
Apr 26 12:38:34 fw01 Pluto[18937]: loaded host cert file '/etc/ipsec.d/fw01.gleanerjm.com.pem' (3826 bytes)
Apr 26 12:38:34 fw01 Pluto[18937]: added connection description "mobile-kgn"
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users