
Re: [Users] IPSec connection FreeS/WAN<->FreeS/WAN works, but NOT FS <-> WinXP

From: Ralf G. R. Bergs (rabe_at_RWTH-Aachen.DE)
Date: Tue May 14 2002 - 10:09:57 CEST


On Mon, 13 May 2002 22:25:03 +0200, Andreas Steffen wrote:

>If you type
>
> ipsec auto --status
>
>do you see the correct definition of connection lkt-hostA listed in the output?
>It could be that the connection does not get loaded correctly when Pluto starts up.

This clearly seems to be the problem, because it only shows me the connection
to the Linux host (that IS working.) The connection to the Win2000 host does
NOT appear.

Ok, I've now changed the connection back to how it once looked (but which
would also prevent us from establishing the IPSec connection,) and now the
connection gets loaded:

000 "hostA": aaa.bbb.118.0/24===aaa.bbb.28.10[C=DE, ST=Bavaria, O=University of Bavaria, OU=Institute of Common Confusion, CN=WWW.Uni.DE, E=him_at_Uni.DE]---aaa.bbb.28.9...ccc.dd.82.68[C=DE, O=University of Bavaria, OU=Institute of Common Confusion, CN=him_at_uni.DE]
000 "hostA": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "hostA": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; unrouted
000 "hostA": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "hostA": ESP algorithms wanted: 3/000-1/000, 3/000-2/000,
000 "hostA": ESP algorithms loaded: 3/168-1/128, 3/168-2/160,

Now we frequently see messages like this:

Pluto[24749]: ERROR: asynchronous network error report on eth0 for message to ccc.dd.82.68 port 500, complainant ddd.eee.5.1: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

Is this because the IPSec tunnel to the peer hasn't yet been created, or can
it be that we have a network (routing) problem of some kind? When I traceroute
the (non-encrypted) connection to the peer the "complainant" from the error
message above does NOT appear in the list of the hops. I don't see why it
could interfere with our IPSec experiments... :-(

-- 
Sign the EU petition against SPAM:          L I N U X       .~.
http://www.politik-digital.de/spam/        The  Choice      /V\
                                            of a  GNU      /( )\
                                           Generation      ^^-^^

_______________________________________________ Users mailing list Users_at_lists.freeswan.org http://lists.freeswan.org/mailman/listinfo/users
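Added example (not part of the original mail or of FreeS/WAN): a small parser for the two pieces of output quoted above, the `ipsec auto --status` records and the Pluto "asynchronous network error report" line. Pluto emits that report when the kernel hands it an ICMP error received in reply to an IKE datagram it sent; IKE itself runs over plain UDP port 500 before any tunnel exists, so the "complainant" is whichever router generated the ICMP message, and the report is about reachability of the peer's IKE port rather than about the tunnel. The status parser classifies a connection as not loaded, loaded with no ISAKMP SA (phase 1 never completed), ISAKMP SA up but no IPsec SA, or established, based on the `#0` SA numbers. The sample text is the quoted output, rejoined onto one line per record; the function and variable names are my own.

```python
import re

# Constructed sample input: the status records quoted in the mail, one per line.
STATUS_OUTPUT = """\
000 "hostA": aaa.bbb.118.0/24===aaa.bbb.28.10[C=DE, ST=Bavaria, O=University of Bavaria, OU=Institute of Common Confusion, CN=WWW.Uni.DE, E=him_at_Uni.DE]---aaa.bbb.28.9...ccc.dd.82.68[C=DE, O=University of Bavaria, OU=Institute of Common Confusion, CN=him_at_uni.DE]
000 "hostA": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "hostA": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; unrouted
000 "hostA": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "hostA": ESP algorithms wanted: 3/000-1/000, 3/000-2/000,
000 "hostA": ESP algorithms loaded: 3/168-1/128, 3/168-2/160,
"""

# Constructed sample input: the Pluto error line quoted in the mail.
PLUTO_ERROR = ('Pluto[24749]: ERROR: asynchronous network error report on eth0 '
               'for message to ccc.dd.82.68 port 500, complainant ddd.eee.5.1: '
               'No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]')

STATUS_LINE_RE = re.compile(r'^000 "(?P<conn>[^"]+)": (?P<body>.*)$')
POLICY_RE = re.compile(r'policy: (?P<policy>[^;]+); interface: (?P<iface>[^;]+); (?P<route>\w+)')
SA_RE = re.compile(r'newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+); eroute owner: #(\d+)')
ERROR_RE = re.compile(
    r'asynchronous network error report on (?P<iface>\S+) for message to (?P<peer>\S+) '
    r'port (?P<port>\d+), complainant (?P<complainant>\S+): (?P<text>.+?) '
    r'\[errno (?P<errno>\d+), origin ICMP type (?P<type>\d+) code (?P<code>\d+) '
    r'\((?P<auth>[^)]+)\)\]')

# RFC 792 / RFC 1812 destination-unreachable (type 3) codes seen in practice.
ICMP_UNREACH_CODES = {
    0: 'net unreachable', 1: 'host unreachable', 2: 'protocol unreachable',
    3: 'port unreachable', 9: 'net administratively prohibited',
    10: 'host administratively prohibited', 13: 'communication administratively prohibited',
}


def parse_status(text):
    """Collect per-connection fields from `ipsec auto --status` output."""
    conns = {}
    for line in text.splitlines():
        m = STATUS_LINE_RE.match(line)
        if not m:
            continue
        conn = conns.setdefault(m.group('conn'), {})
        body = m.group('body')
        pm = POLICY_RE.search(body)
        if pm:
            conn['policy'] = pm.group('policy').split('+')
            conn['interface'] = pm.group('iface')
            conn['routed'] = pm.group('route') != 'unrouted'
        sm = SA_RE.search(body)
        if sm:
            conn['isakmp_sa'] = int(sm.group(1))
            conn['ipsec_sa'] = int(sm.group(2))
            conn['eroute_owner'] = int(sm.group(3))
    return conns


def connection_state(conns, name):
    """Where in its lifecycle a named connection is; '#0' means no SA of that kind."""
    if name not in conns:
        return 'not loaded'
    conn = conns[name]
    if conn.get('isakmp_sa', 0) == 0:
        return 'loaded, no ISAKMP SA (phase 1 never completed)'
    if conn.get('ipsec_sa', 0) == 0:
        return 'ISAKMP SA up, no IPsec SA (phase 2 not established)'
    return 'tunnel established'


def parse_pluto_error(line):
    """Break a Pluto asynchronous network error report into its fields.

    Returns None for lines that are not such a report.  'icmp_meaning' names the
    destination-unreachable code when the origin is ICMP type 3.
    """
    m = ERROR_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ('port', 'errno', 'type', 'code'):
        fields[key] = int(fields[key])
    if fields['type'] == 3:
        fields['icmp_meaning'] = ICMP_UNREACH_CODES.get(fields['code'], 'unknown code')
    else:
        fields['icmp_meaning'] = 'not a destination-unreachable report'
    return fields


def describe_error(fields):
    """One-line reading of a parsed report, for a log review."""
    return ('IKE datagram to %s port %d on %s was answered by %s with ICMP %s '
            '(errno %d); the peer was never reached' % (
                fields['peer'], fields['port'], fields['iface'],
                fields['complainant'], fields['icmp_meaning'], fields['errno']))


if __name__ == '__main__':
    conns = parse_status(STATUS_OUTPUT)
    for name in ('hostA', 'lkt-hostA'):
        print('%s: %s' % (name, connection_state(conns, name)))
    print(describe_error(parse_pluto_error(PLUTO_ERROR)))
```

Run over the quoted output, this reports `hostA` as loaded with no ISAKMP SA and `lkt-hostA` as not loaded, which matches the observation in the mail; the error line parses to an ICMP type 3 code 1 (host unreachable) from the complainant for the UDP/500 packet, i.e. a reachability problem for the IKE exchange itself.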