In your log I see the error msg
> Apr 26 12:26:38 fw01 ipsec__plutorun: 003 "/etc/ipsec.secrets" line 20:
> error loading RSA private key file
But the additional message detailing the reason of this failure is missing.
Have you put "host.gleanerjm.com.key" into /etc/ipsec.d/private and
encrypted it with 3DES?
Regards
Andreas
"Segree, Gareth" wrote:
>
> I have freeswan 1.97 connecting our two offices but now I've patched the
> freeswan with the x509 certificate patch.
> I am now trying to get w2k hosts to connect to the gateway but there is no
> authentication message in the logs.
> I followed the setup at
> http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509
>
> here is the config:
> /etc/ipsec.conf
> # Mobile to office VPN
> conn mobile-office
> # Left security gateway, subnet behind it, next hop toward right.
> compress=yes
> disablearrivalcheck=no
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> leftcert=officegw.gleanerjm.com.pem
> left=%defaultroute
> leftsubnet=89.0.0.0/8
> leftnexthop=
> #leftnexthop=208.138.31.1
> # Right security gateway, subnet behind it, next hop toward left.
> right=%any
> #right=0.0.0.0
> auto=add
> pfs=yes
> /etc/ipsec.secrets
> : RSA {
> # RSA 1024 bits host.gleanerjm.com Wed Apr 24 17:17:10 2002
> ......
> }
> : RSA host.gleanerjm.com.key "password!!!"
>
> /var/log/message reports
> ------------------------
> Apr 26 12:26:36 fw01 ipsec_setup: Stopping FreeS/WAN IPsec...
> Apr 26 12:26:37 fw01 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
> Apr 26 12:26:37 fw01 ipsec_setup: ...FreeS/WAN IPsec stopped
> Apr 26 12:26:38 fw01 ipsec_setup: Starting FreeS/WAN IPsec 1.97...
> Apr 26 12:26:38 fw01 ipsec_setup: KLIPS debug `none'
> Apr 26 12:26:38 fw01 ipsec_setup: KLIPS ipsec0 on eth1 208.138.31.25/255.255.255.0 broadcast 208.138.31.255
> Apr 26 12:26:38 fw01 ipsec_setup: ...FreeS/WAN IPsec started
> Apr 26 12:26:38 fw01 ipsec__plutorun: 003 "/etc/ipsec.secrets" line 20: error loading RSA private key file
> Apr 26 12:26:38 fw01 ipsec__plutorun: 025 "sii-to-mobay": cannot route Road Warrior template
> Apr 26 12:26:38 fw01 ipsec__plutorun: 025 "sii-to-mobay": could not route
> Apr 26 12:26:38 fw01 ipsec__plutorun: ...could not route conn "sii-to-mobay"
> Apr 26 12:26:38 fw01 ipsec__plutorun: 025 "kgnfw-to-mbyfw": cannot route Road Warrior template
> Apr 26 12:26:38 fw01 ipsec__plutorun: 025 "kgnfw-to-mbyfw": could not route
> Apr 26 12:26:38 fw01 ipsec__plutorun: ...could not route conn "kgnfw-to-mbyfw"
> Apr 26 12:26:38 fw01 ipsec__plutorun: 025 "kgn-to-mobay-rsa": cannot route Road Warrior template
> Apr 26 12:26:38 fw01 ipsec__plutorun: 025 "kgn-to-mobay-rsa": could not route
> Apr 26 12:26:38 fw01 ipsec__plutorun: ...could not route conn "kgn-to-mobay-rsa"
> Apr 26 12:26:38 fw01 ipsec__plutorun: 029 "sii-to-mobay": cannot initiate connection without knowing peer IP address
> Apr 26 12:26:38 fw01 ipsec__plutorun: ...could not start conn "sii-to-mobay"
> Apr 26 12:26:38 fw01 ipsec__plutorun: 029 "kgnfw-to-mbyfw": cannot initiate connection without knowing peer IP address
> Apr 26 12:26:38 fw01 ipsec__plutorun: ...could not start conn "kgnfw-to-mbyfw"
> Apr 26 12:26:38 fw01 ipsec__plutorun: 029 "kgn-to-mobay-rsa": cannot initiate connection without knowing peer IP address
> Apr 26 12:26:38 fw01 ipsec__plutorun: ...could not start conn "kgn-to-mobay-rsa"
>
> +------------------------------------------------------------+
> |I deleted then added the connection and this was the message|
> +------------------------------------------------------------+
>
> Apr 26 12:38:31 fw01 Pluto[18937]: "mobile-kgn": deleting connection
> Apr 26 12:38:34 fw01 Pluto[18937]: loaded host cert file '/etc/ipsec.d/fw01.gleanerjm.com.pem' (3826 bytes)
> Apr 26 12:38:34 fw01 Pluto[18937]: added connection description "mobile-kgn"
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen                   e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                    phone:  +41 76 340 25 56
Alter Zürichweg 20                home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:56 CEST