I want to run a Linux gateway for Win2000 roadwarriors with
freeswan-1.97
x509patch-0.9.11-freeswan-1.97
I made a self-signed root certificate and a client certificate, imported it
on the win2000 machine and set up a policy. A ping triggers
"IP-Sicherheit wird verhandelt" ("IP security is being negotiated") on the client (10.66.53.100) and
triggers something on the gateway (10.66.53.130), but it's not working:
|May 26 01:07:38 muckel Pluto[3750]: loaded crl file 'crl.pem' (703 bytes)
|May 26 01:07:38 muckel Pluto[3750]: could not open my default X.509 cert file '/etc/x509cert.der'
|May 26 01:07:38 muckel Pluto[3750]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
|May 26 01:07:40 muckel Pluto[3750]: loaded host cert file '/etc/ipsec.d/muckelCert.pem' (1513 bytes)
|May 26 01:07:41 muckel Pluto[3750]: added connection description "rw"
|May 26 01:07:41 muckel Pluto[3750]: listening for IKE messages
|May 26 01:07:41 muckel Pluto[3750]: adding interface ipsec0/eth0 10.66.53.130
|May 26 01:07:41 muckel Pluto[3750]: loading secrets from "/etc/ipsec.secrets"
|May 26 01:07:41 muckel Pluto[3750]: loaded private key file '/etc/ipsec.d/private/cakey.pem' (1743 bytes)
|May 26 01:10:40 muckel Pluto[3750]: packet from 10.66.53.100:500: ignoring Vendor ID payload
|May 26 01:10:40 muckel Pluto[3750]: "rw" 10.66.53.100 #1: responding to Main Mode from unknown peer 10.66.53.100
|May 26 01:10:41 muckel Pluto[3750]: "rw" 10.66.53.100 #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Saarland, O=BLA, OU=Fasel, CN=i201405, E=holger_at_marzen.de'
|May 26 01:10:41 muckel Pluto[3750]: "rw" 10.66.53.100 #1: deleting connection "rw" instance with peer 10.66.53.100
|May 26 01:10:42 muckel Pluto[3750]: "rw" 10.66.53.100 #1: sent MR3, ISAKMP SA established
|May 26 01:10:42 muckel Pluto[3750]: "rw" 10.66.53.100 #1: ignoring informational payload, type AUTHENTICATION_FAILED
|May 26 01:10:42 muckel Pluto[3750]: "rw" 10.66.53.100 #1: received and ignored informational message
What does "AUTHENTICATION_FAILED" mean? Does the client send this to the
gateway to tell it that the gateway cannot authenticate to the client?
My ipsec.conf is:
-----------------
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        #keyingtries=0
        #disablearrivalcheck=no
        authby=rsasig
        rightrsasigkey=%cert
        left=10.66.53.130
        leftcert=muckelCert.pem
        # load connection definitions automatically
        auto=add
        #leftrsasigkey=%dns
        #rightrsasigkey=%dns

conn rw
        right=%any
-- 
PGP/GPG Key-ID: http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0xB5A1AFE1

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:06 CEST
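The log above shows Pluto loading '/etc/ipsec.d/private/cakey.pem' as its private key while the host certificate it presents is '/etc/ipsec.d/muckelCert.pem'. When the peer answers Main Mode with AUTHENTICATION_FAILED, the first thing to verify on the gateway is that the key named in ipsec.secrets really is the key the host certificate was issued for, and that the certificate chains to the CA the client trusts. The script below is an added example, not part of the original post or of FreeS/WAN; it builds a constructed toy CA and host certificate in a temporary directory (the file names muckelKey.pem, muckelCert.pem, cakey.pem and cacert.pem are assumptions that only mirror the layout in the post) and then runs both checks with plain openssl, once with the host key and once with the CA key.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the private key
# Pluto loads from ipsec.secrets belongs to the certificate named in leftcert=,
# and that the certificate is signed by the expected CA. Uses only openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed toy PKI (hypothetical names mirroring the post's layout):
# a self-signed CA and a host certificate signed by that CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/cakey.pem" \
    -out "$WORK/cacert.pem" -days 365 -subj "/C=DE/O=BLA/CN=Toy CA" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/muckelKey.pem" \
    -out "$WORK/muckel.csr" -subj "/C=DE/O=BLA/CN=muckel" 2>/dev/null
openssl x509 -req -in "$WORK/muckel.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -out "$WORK/muckelCert.pem" \
    -days 365 2>/dev/null

# key_matches_cert KEYFILE CERTFILE
# Returns 0 only when the RSA modulus in the private key equals the modulus
# of the public key inside the certificate, i.e. the two form a pair.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || true)
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null || true)
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# cert_signed_by_ca CACERTFILE CERTFILE
# Returns 0 when CERTFILE verifies against the CA certificate in CACERTFILE.
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demonstration: the host key pairs with muckelCert.pem, the CA key does not,
# even though both keys live under the same private/ directory.
for k in muckelKey.pem cakey.pem; do
    if key_matches_cert "$WORK/$k" "$WORK/muckelCert.pem"; then
        echo "$k: matches muckelCert.pem"
    else
        echo "$k: does NOT match muckelCert.pem"
    fi
done
if cert_signed_by_ca "$WORK/cacert.pem" "$WORK/muckelCert.pem"; then
    echo "muckelCert.pem: signed by cacert.pem"
fi
```

On a real gateway the same two comparisons apply to the files Pluto reports in its log: the `-modulus` of the key file listed in ipsec.secrets must equal the `-modulus` of the file named by leftcert=, and that certificate must verify against the CA certificate that was imported into the Windows client's trust store. A gateway that signs the IKE exchange with a key other than the one in the certificate it sends will be rejected by the peer even though the certificate itself is valid.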