Note: This archive passes through spamassassin. Every mail marked with the subject "*****SPAM*****" has exceeded a certain threshold of spam-like behaviour.

Re: Re: [Users] Freeswan (x509) <-> SSH Sentinel Prob

From: killhead_at_pandora.be
Date: Wed May 29 2002 - 13:22:36 CEST


This is more difficult than I thought:

Here is the log of IKE:

SPD: Can not determine per-rule trusted CA root set for remote identity der_asn1_dn(any:0,[0..71]=C=BE, O=Cameleon Projects Int, CN=hermes.ignl.be). Using only globally trusted roots.
Phase-1 [initiator] between der_asn1_dn(udp:500,[0..70]=C=BE, O=Cameleon Projects Int, CN=calin.ignl.be) and ipv4(udp:500,[0..3]=213.224.16.200) failed; Authentication failed.

And here is the log of freeswan (secure.log):

May 29 13:16:50 hermes Pluto[29627]: packet from 192.168.0.1:500: ignoring Vendor ID payload
May 29 13:16:50 hermes Pluto[29627]: "roadwarrior" 192.168.0.1 #9: responding to Main Mode from unknown peer 192.168.0.1
May 29 13:16:50 hermes Pluto[29627]: "roadwarrior" 192.168.0.1 #9: ignoring informational payload, type IPSEC_INITIAL_CONTACT
May 29 13:16:50 hermes Pluto[29627]: "roadwarrior" 192.168.0.1 #9: Peer ID is ID_DER_ASN1_DN: 'C=BE, O=Cameleon Projects Int, CN=calin.ignl.be'
May 29 13:16:50 hermes Pluto[29627]: "roadwarrior" 192.168.0.1 #9: sent MR3, ISAKMP SA established
May 29 13:16:50 hermes Pluto[29627]: "roadwarrior" 192.168.0.1 #9: Informational Exchange message for an established ISAKMP SA must be encrypted

The message log doesn't produce any errors/info.

If you want, I'll give you a detailed mail about my ipsec config/setup.
Need to get this VPN to work :)

Greetz (and already thx for your time on this issue)
Tom

------------------------
 Jussi Torhonen <jt_at_ssh.com> wrote:
------------------------
        
>killhead_at_pandora.be wrote:
>
>> Seems to me the client cert is valid and is bound to the openssl CA
>> The common name on Issuer of host key is:
>> CN=hermes.ignl.be
>> The subject here is:
>> CN=calin.ignl.be
>>
>> The common name of the issuer of CA is:
>> CN=hermes.ignl.be
>> The subject here is:
>> CN=hermes.ignl.be
>>
>> Is that correct ?
>
>Yes, they look ok to me. Please check Trust Policy -> Trusted
>Certificates -> Remote Hosts. You should not find there any
>hermes.ignl.be or calin.ignl.be certificates. If one exists, please
>remove it and press Apply to update PM database.
>
>Restart FreeSWAN IPSec and check both /var/log/secure and
>/var/log/messages logfiles for possible error messages.
>
>Setup a VPN rule for SSH Sentinel, enable it (via tray icon or by
>setting it up to open on start-up), open IKE log windows for
>logging=Detailed and send one single ping packet to a remote host (or
>inner interface of the FreeSWAN SGW) as
>
> ping -n 1 ipaddr.of.remote.host
>
>Setup IKE logging=Off and start browsing the logfile. Also check
>FreeSWAN logs for the same timeframe. I'm sure you'll find the reason
>somewhere.
>
>Regards,
>Jussi
>
>--
>______________________________________________________________
>Jussi Törhönen, Kuopio R&D unit, e-mail jussi.torhonen_at_ssh.com
>SSH Communications Security Corp, http://www.ssh.com
>SSH Sentinel VPN Client, http://www.ipsec.com
>

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
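
To line up the two logs over the same timeframe, as the quoted reply suggests, the FreeS/WAN side can be summarised per negotiation. The following is an added example, not part of the original message or of FreeS/WAN: a small Python parser for the Pluto line format shown above, run on the secure.log lines quoted in this mail; the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the Pluto lines quoted in the message above (secure.log).
SAMPLE_LOG = """\
May 29 13:16:50 hermes Pluto[29627]: packet from 192.168.0.1:500: ignoring Vendor ID payload
May 29 13:16:50 hermes Pluto[29627]: "roadwarrior" 192.168.0.1 #9: responding to Main Mode from unknown peer 192.168.0.1
May 29 13:16:50 hermes Pluto[29627]: "roadwarrior" 192.168.0.1 #9: ignoring informational payload, type IPSEC_INITIAL_CONTACT
May 29 13:16:50 hermes Pluto[29627]: "roadwarrior" 192.168.0.1 #9: Peer ID is ID_DER_ASN1_DN: 'C=BE, O=Cameleon Projects Int, CN=calin.ignl.be'
May 29 13:16:50 hermes Pluto[29627]: "roadwarrior" 192.168.0.1 #9: sent MR3, ISAKMP SA established
May 29 13:16:50 hermes Pluto[29627]: "roadwarrior" 192.168.0.1 #9: Informational Exchange message for an established ISAKMP SA must be encrypted
"""

# '<timestamp> <host> Pluto[pid]: "<conn>" <peer> #<state>: <message>'
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) Pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Peer ID is (\w+): '([^']*)'")


def summarize(log_text):
    """Group Pluto lines by (connection, peer, state#) and summarise each one."""
    states = defaultdict(
        lambda: {"peer_id": None, "phase1_done": False, "after_sa": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "packet from ..." lines carry no state number
        s = states[(m["conn"], m["peer"], int(m["state"]))]
        msg = m["msg"]
        pid = PEER_ID_RE.search(msg)
        if pid:
            s["peer_id"] = (pid.group(1), pid.group(2))  # (ID type, DN)
        elif "ISAKMP SA established" in msg:
            s["phase1_done"] = True  # responder finished Main Mode
        elif s["phase1_done"]:
            s["after_sa"].append(msg)  # anything logged after Phase 1
    return dict(states)


if __name__ == "__main__":
    for (conn, peer, state), s in summarize(SAMPLE_LOG).items():
        print(f'{conn} {peer} #{state}: peer_id={s["peer_id"]} '
              f'phase1_done={s["phase1_done"]}')
        for msg in s["after_sa"]:
            print("  after SA:", msg)
```

On the lines in this mail, the summary shows that Pluto logged Phase 1 as established for state #9, which is the counterpart to the Phase-1 failure in the SSH Sentinel IKE log above.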



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:07 CEST