I think FreeS/WAN is signing with the wrong RSA private key:
> Jul 22 16:42:52 vpn1 pluto[14174]: | emitting length of ISAKMP Certificate Payload: 985
> Jul 22 16:42:52 vpn1 pluto[14174]: | hashing 408 bytes of SA
> Jul 22 16:42:52 vpn1 pluto[14174]: | signing hash with RSA Key *AQOjC/HQf
The keyid AQOjC/HQf looks like that of the original FreeS/WAN key that was
generated during installation. Your OpenSSL generated key should be of the
form AwEAA.... If you have loaded the FreeS/WAN certificate with
leftcert=... and not via the deprecated /etc/x509cert.der then the command
ipsec auto --listpubkeys
should show you the keyid of FreeS/WAN's public/private key pair.
With the new version 0.9.14 of the X.509 patch the command
ipsec auto --listcerts
will show you directly whether there is an RSA private key matched
to FreeS/WAN's certificate.
Regards
Andreas
Michele Ferritto wrote:
> Hello...
>
> My network (is for testing the freeswan)
>
> dexter---------------------------------vpn1=========michelef (Roadwarrior)
> 192.168.160.30                                      192.168.168.30
>
> interfaces on vpn1: eth0=192.168.168.224 (external) eth1=192.168.160.1
> (gw for dexter)
>
> I need to reach dexter through vpn1 (w/freeswan) with SSH Sentinel on
> michelef (Win98 SE)
> I've followed the instructions on the well-documented:
> http://www.ssh.com/products/sentinel/SSH_Sentinel_Config_Examples.pdf
>
> and on the installation instructions from freeswan.org,
>
> The system on which freeswan resides:
>
> RH 72
> kernel 2.4.9-34 from RH
> 0.9.13 X509 patch
> freeswan 1.98b
> Before creating the connection I do a "Diagnostics.." from the Sentinel policy
> editor and I obtain:
>
> "Cannot run the diagnostics. The remote end cannot find suitable IKE
> proposal (phase1)..."
>
> at the end of /var/log/secure I have:
>
> "rw"[2] 192.168.168.60 #2: Informational Exchange message for an
> established ISAKMP SA must be encrypted
>
> What's wrong???
>
> I know that's not the first time for the message above to appear on this
> list, but the other cases don't match my problem...
> At compile time I don't have any errors, and the roadwarrior seems to talk
> to the freeswan gateway and vice versa.....
> At the following URL are available the log and the barf output....
>
> http://www.rpmonline.it/various/
>
> Thanks in advance....
>
> -----------------------------------------------
> Michele Ferritto
> RPM s.p.a. Sistemi Informativi
> C.da Marignano 27
> 62018 Potenza Picena (MC) Italy
> +39 0733 675507
> http://www.rpmonline.it/
> ------------------------------------------------
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
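Added example, not part of the thread and not code from FreeS/WAN or the X.509 patch: a small Python script that reads the key ID out of the pluto log line quoted above, recovers the public exponent encoded at the front of it, and computes the ID pluto would print for a given (e, n) so you can compare it with your OpenSSL key. It assumes, as far as I know from libfreeswan, that the key ID is the first 9 base64 digits of the RFC 2537 RSA public key blob (exponent length, exponent, modulus); that assumption is marked in the code. PLUTO_LOG is the line from the log above; N_TEST is a constructed toy modulus, not a real key.

```python
import base64
import re

KEYID_DIGITS = 9  # pluto prints 9 base64 digits, e.g. AQOjC/HQf


def rfc2537_blob(e: int, n: int) -> bytes:
    """RFC 2537 RSA public key: exponent length, exponent, modulus (big-endian).

    A length byte of 0 means the next two bytes carry the length.
    """
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(e_bytes) < 256:
        length = bytes([len(e_bytes)])
    else:
        length = b"\x00" + len(e_bytes).to_bytes(2, "big")
    return length + e_bytes + n_bytes


def freeswan_keyid(e: int, n: int) -> str:
    """Assumption of this example: the ID pluto logs is the first 9 base64
    digits of the RFC 2537 blob. Because the exponent sits at the front,
    e=3 keys start with AQO... and e=65537 keys with AwEAA...."""
    return base64.b64encode(rfc2537_blob(e, n)).decode("ascii")[:KEYID_DIGITS]


def keyid_exponent(keyid: str) -> int:
    """Recover the public exponent from a logged key ID.

    Accepts the forms seen in logs and in --listpubkeys output:
    '*AQOjC/HQf', 'AQOjC/HQf' or '0sAQOjC/HQf'.
    """
    keyid = keyid.lstrip("*")
    if keyid.startswith("0s"):
        keyid = keyid[2:]
    # Eight digits decode cleanly to six bytes, enough for the length byte
    # plus a one- or three-byte exponent; nine digits would need odd padding.
    blob = base64.b64decode(keyid[:8])
    length = blob[0]
    if length == 0 or 1 + length > len(blob):
        raise ValueError("exponent too long to recover from the key ID")
    return int.from_bytes(blob[1:1 + length], "big")


def keyid_from_pluto_log(line: str):
    """Pull the key ID out of a 'signing hash with RSA Key *XXXX' debug line."""
    m = re.search(r"signing hash with RSA Key \*?(\S+)", line)
    return m.group(1) if m else None


def keyid_matches(logged: str, e: int, n: int) -> bool:
    """True if pluto is signing with the key whose public parts are (e, n)."""
    return logged.lstrip("*") == freeswan_keyid(e, n)


# Line from the log quoted in this thread.
PLUTO_LOG = "Jul 22 16:42:52 vpn1 pluto[14174]: | signing hash with RSA Key *AQOjC/HQf"

# Constructed toy modulus, far too short to be a real key; only its leading
# bytes influence the 9-digit ID, which is all this example needs.
N_TEST = 0xA30BF1D07F


if __name__ == "__main__":
    logged = keyid_from_pluto_log(PLUTO_LOG)
    print("logged key id", logged, "uses exponent", keyid_exponent(logged))
    print("e=3 id     ", freeswan_keyid(3, N_TEST))
    print("e=65537 id ", freeswan_keyid(65537, N_TEST))
    print("openssl key (e=65537) is the signing key:",
          keyid_matches(logged, 65537, N_TEST))
```

To compare with your own key, take n from `openssl rsa -in key.pem -noout -modulus` (hex after `Modulus=`) and e from `openssl rsa -in key.pem -noout -text`, and pass them to keyid_matches together with the ID from the pluto debug line; if the exponent recovered from the logged ID is 3 while your OpenSSL key uses 65537, pluto is not signing with the key that belongs to your certificate.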
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:25 CEST