FreeS/WAN should sign its MR3 message using its own
/etc/ipsec.d/private/muckelKey.pem
and not the CA's private key cakey.pem !!!
In any case, the CA's key is too valuable to lie around
on a border-line security gateway. Please put it either
on a floppy or keep it on a box behind the firewall.
Regards
Holger Marzen wrote:
>
> I want to run a Linux gateway for Win2000 roadwarriors with
> freeswan-1.97
> x509patch-0.9.11-freeswan-1.97
>
> I made a self-signed root certificate and a client certificate, imported it
> on the win2000 machine and set up a policy. A ping triggers
> "IP-Sicherheit wird verhandelt" on the client (10.66.53.100) and
> triggers something on the gateway (10.66.53.130), but it's not working:
>
> |May 26 01:07:38 muckel Pluto[3750]: loaded crl file 'crl.pem' (703 bytes)
> |May 26 01:07:38 muckel Pluto[3750]: could not open my default X.509 cert file '/etc/x509cert.der'
> |May 26 01:07:38 muckel Pluto[3750]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
> |May 26 01:07:40 muckel Pluto[3750]: loaded host cert file '/etc/ipsec.d/muckelCert.pem' (1513 bytes)
> |May 26 01:07:41 muckel Pluto[3750]: added connection description "rw"
> |May 26 01:07:41 muckel Pluto[3750]: listening for IKE messages
> |May 26 01:07:41 muckel Pluto[3750]: adding interface ipsec0/eth0 10.66.53.130
> |May 26 01:07:41 muckel Pluto[3750]: loading secrets from "/etc/ipsec.secrets"
> |May 26 01:07:41 muckel Pluto[3750]: loaded private key file '/etc/ipsec.d/private/cakey.pem' (1743 bytes)
> |May 26 01:10:40 muckel Pluto[3750]: packet from 10.66.53.100:500: ignoring Vendor ID payload
> |May 26 01:10:40 muckel Pluto[3750]: "rw" 10.66.53.100 #1: responding to Main Mode from unknown peer 10.66.53.100
> |May 26 01:10:41 muckel Pluto[3750]: "rw" 10.66.53.100 #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Saarland, O=BLA, OU=Fasel, CN=i201405, E=holger_at_marzen.de'
> |May 26 01:10:41 muckel Pluto[3750]: "rw" 10.66.53.100 #1: deleting connection "rw" instance with peer 10.66.53.100
> |May 26 01:10:42 muckel Pluto[3750]: "rw" 10.66.53.100 #1: sent MR3, ISAKMP SA established
> |May 26 01:10:42 muckel Pluto[3750]: "rw" 10.66.53.100 #1: ignoring informational payload, type AUTHENTICATION_FAILED
> |May 26 01:10:42 muckel Pluto[3750]: "rw" 10.66.53.100 #1: received and ignored informational message
>
> What does it mean: "AUTHENTICATION_FAILED"? Does the client send this to the
> gateway telling that the gateway cannot authenticate on the client?
>
> My ipsec.conf is:
> -----------------
> # basic configuration
> config setup
> 	# THIS SETTING MUST BE CORRECT or almost nothing will work;
> 	# %defaultroute is okay for most simple cases.
> 	interfaces=%defaultroute
> 	# Debug-logging controls: "none" for (almost) none, "all" for lots.
> 	klipsdebug=none
> 	plutodebug=none
> 	# Use auto= parameters in conn descriptions to control startup actions.
> 	plutoload=%search
> 	plutostart=%search
> 	# Close down old connection when new one using same ID shows up.
> 	uniqueids=yes
>
> # defaults for subsequent connection descriptions
> # (these defaults will soon go away)
> conn %default
> 	#keyingtries=0
> 	#disablearrivalcheck=no
> 	authby=rsasig
> 	rightrsasigkey=%cert
> 	left=10.66.53.130
> 	leftcert=muckelCert.pem
> 	# load connection definitions automatically
> 	auto=add
> 	#leftrsasigkey=%dns
> 	#rightrsasigkey=%dns
>
> conn rw
> 	right=%any
>
> --
> PGP/GPG Key-ID:
> http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0xB5A1AFE1
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
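The mismatch Andreas points out (Pluto loading cakey.pem while the connection uses muckelCert.pem) can be caught before the peer ever reports AUTHENTICATION_FAILED: an RSA private key and the certificate it belongs to share the same modulus, so comparing the two tells you whether ipsec.secrets names the host key or something else. The script below is an added example, not part of the thread and not FreeS/WAN code. It builds a throwaway CA and host certificate with openssl in a temporary directory (all names, subjects and the two constructed ipsec.secrets files are assumptions chosen to mirror the quoted log), then checks each ": RSA <file>" entry against the host certificate.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every RSA private key
# named in an ipsec.secrets-style file belongs to the host certificate
# given by leftcert=, rather than being the CA's signing key.
# All material below is constructed with openssl in a temp directory.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed CA (cakey.pem/cacert.pem) and host key+cert
# (muckelKey.pem/muckelCert.pem) signed by it; file names mirror the
# quoted log and ipsec.conf but are purely demo material.
openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/cakey.pem" -subj "/C=DE/O=BLA/CN=Demo CA" \
    -days 1 -out "$WORK/cacert.pem" 2>/dev/null
openssl genrsa -out "$WORK/muckelKey.pem" 2048 2>/dev/null
openssl req -new -key "$WORK/muckelKey.pem" -subj "/C=DE/O=BLA/CN=muckel" \
    -out "$WORK/muckel.csr" 2>/dev/null
openssl x509 -req -in "$WORK/muckel.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 1 \
    -out "$WORK/muckelCert.pem" 2>/dev/null

# Return 0 when the RSA key ($1) and certificate ($2) share a modulus.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || true)
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null || true)
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# Walk every ": RSA <keyfile>" line of an ipsec.secrets-style file ($1)
# and check the key against the host certificate ($2). Returns 0 only
# when all entries match, so a CA key loaded by mistake is flagged.
secrets_match_cert() {
    rc=0
    for keyfile in $(awk '$1 == ":" && $2 == "RSA" { print $3 }' "$1"); do
        if key_matches_cert "$keyfile" "$2"; then
            echo "ok:   $keyfile matches $2"
        else
            echo "WARN: $keyfile does not match $2 (CA key instead of host key?)"
            rc=1
        fi
    done
    return $rc
}

# Constructed secrets files: the mistaken one from the quoted log
# (pointing at the CA key) and the corrected one.
printf ': RSA %s\n' "$WORK/cakey.pem"     > "$WORK/secrets.wrong"
printf ': RSA %s\n' "$WORK/muckelKey.pem" > "$WORK/secrets.right"

echo "--- secrets naming cakey.pem ---"
secrets_match_cert "$WORK/secrets.wrong" "$WORK/muckelCert.pem" || true
echo "--- secrets naming muckelKey.pem ---"
secrets_match_cert "$WORK/secrets.right" "$WORK/muckelCert.pem"
```

On a real gateway the same two functions can be pointed at /etc/ipsec.secrets and the file named by leftcert= (relative names resolve under /etc/ipsec.d/), and a non-zero exit from secrets_match_cert is the signal that Pluto will sign MR3 with the wrong key.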
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:06 CEST