
Re: [Users] Connection from w2k IKE could'nt find computer certificate

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Sat Jul 27 2002 - 00:14:41 CEST


It seems that special characters like e.g. '@' or "umlauts" in
the issuer distinguished name may cause these W2k problems.
Try to generate a CA certificate containing CN=gateway.spezifikum.de
instead of CN=gateway_at_spezifikum.de.

Regards

Andreas

Malte Müller wrote:
> Hello,
> I cannot establish a connection between w2k and freeS/WAN over a LAN. I
> don't know why "IKE could not find computer certificate".
> My config:
>
> Road Warrior config trial 1:
> rightca is what
> openssl x509 -in /var/sslca/demoCA/cacert.pem -noout -subject
> says:
> subject= /C=DE/ST=Nds/O=Spezifikum/CN=rootCA_at_spezifikum.de
> right is remote IP.
> #this is the ipsec.conf:
> conn spezifikum
>     left=%any
>     right=192.168.123.2
>     rightca="C=DE,S=Nds,L=Emden,O=Spezifikum,CN=gateway_at_spezifikum.de"
>     network=lan
>     auto=start
>     pfs=yes
>
> ---------------------------------------------
> I tried to write the same directly with ipsecpol:
>
> ipsecpol -w REG -p FreeSwan -r win-linux -t 192.168.123.2 -f
> 192.168.123.6/255.255.255.255=192.168.123.2/255.255.255.255 -n
> ESP[3DES,MD5]3600S/50000KPFS -a
> CERT:"C=DE,S=Nds,O=Spezifikum,CN=work_at_spezifikum.de" -lan -1p
>
> ipsecpol -w REG -p FreeSwan -r linux-win -t 192.168.123.6 -f
> 192.168.123.2/255.255.255.255=192.168.123.6/255.255.255.255 -n
> ESP[3DES,MD5]3600S/50000KPFS -a
> CERT:"C=DE,S=Nds,O=Spezifikum,CN=rootCA_at_spezifikum.de" -lan -1p
>
> ipsecpol -w REG -p FreeSwan -x
>
> ---------------------------------------------
> My Linux-Box conf.
> "roadwarrior" [readonly] 81L, 3346C
>
> rightid is what
> openssl x509 -in /var/sslca/demoCA/workCert.pem -noout -subject
> says:
> subject= /C=DE/ST=Nds/O=Spezifikum/CN=work_at_spezifikum.de
>
> /etc/ipsec.conf:
> conn work
>     left=192.168.123.2
>     right=%any
>     leftid="C=DE,O=Spezifikum,CN=gateway_at_spezifikum.de"
>     rightid="C=DE,ST=Nds,O=Spezifikum,CN=work_at_spezifikum.de"
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>     auto=add
>
> I start ipsec on the w2k client and try a ping:
> ping 192.168.123.2
> IP-Security is negotiated
> The linux-log says:
> Jul 2 05:41:56 malte Pluto[19169]: "work" 192.168.123.6 #4: encrypted
> Informational Exchange message is invalid
> because it is for incomplete ISAKMP SA
> At startup freeswan logs:
> malte Pluto[19169]: Starting Pluto (FreeS/WAN Version 1.95)
> malte Pluto[19169]: including X.509 patch (Version 0.9.8)
> malte Pluto[19169]: Changing to directory '/etc/ipsec.d/cacerts'
> malte Pluto[19169]: loaded cacert file 'workCert.pem' (1289 bytes)
> malte Pluto[19169]: loaded cacert file 'gatewayCert.pem' (1294 bytes)
> malte Pluto[19169]: loaded cacert file 'cacert.pem' (1432 bytes)
> malte Pluto[19169]: Changing to directory '/etc/ipsec.d/crls'
> malte Pluto[19169]: loaded crl file 'crl.pem' (625 bytes)
> malte Pluto[19169]: loaded my X.509 cert file '/etc/x509cert.der' (913
> bytes)
> malte Pluto[19169]: added connection description "work"
> malte Pluto[19169]: listening for IKE messages
> malte Pluto[19169]: adding interface ipsec0/eth1 192.168.123.2
> malte Pluto[19169]: loading secrets from "/etc/ipsec.secrets"
> malte Pluto[19169]: loaded private key file
> '/etc/ipsec.d/private/gatewayKey.pem' (963 bytes)
> malte Pluto[19169]: packet from 192.168.123.6:500: ignoring Vendor ID
> payload
> malte Pluto[19169]: "work" 192.168.123.6 #1: responding to Main Mode from
> unknown peer 192.168.123.6
>
> I cut off date and time.
> I tried many things and don't know what to do now.
> Please help, anyone.
>
> Thanks in advance,
>
> Malte

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
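As an added illustration of the advice above (this is example code, not part of the original thread or of FreeS/WAN), the following checker parses a distinguished name in either the slash form that openssl x509 -subject prints or the comma form used in ipsec.conf / ipsecpol, flags values containing '@', umlauts or other characters outside a plain ASCII set (the safe set and the S=/ST= alias are assumptions), and compares a configured DN against the one openssl prints so that a mismatch is caught before the W2k client is blamed.

```python
import re

# Characters assumed safe in a DN value for the W2k IKE client: plain ASCII
# letters, digits, dot, hyphen and space. '@' and umlauts fall outside it.
SAFE_VALUE_CHARS = re.compile(r"^[A-Za-z0-9 .\-]*$")

# Assumed alias: the Windows-style 'S=' is treated as openssl's 'ST='.
ATTR_ALIASES = {"S": "ST"}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse '/C=DE/ST=Nds/CN=x' (openssl) or 'C=DE,ST=Nds,CN=x' (ipsec.conf)
    into an ordered list of (attribute, value) pairs."""
    dn = dn.strip()
    if dn.startswith("subject="):          # tolerate pasted openssl output
        dn = dn[len("subject="):].strip()
    sep = "/" if dn.startswith("/") else ","
    pairs = []
    for part in dn.strip("/").split(sep):
        if not part.strip():
            continue
        attr, _, value = part.partition("=")
        attr = attr.strip().upper()
        pairs.append((ATTR_ALIASES.get(attr, attr), value.strip()))
    return pairs


def find_risky_chars(dn: str) -> list[str]:
    """Report every attribute whose value contains characters outside
    SAFE_VALUE_CHARS, e.g. '@' in CN=gateway@example.test or an umlaut."""
    problems = []
    for attr, value in parse_dn(dn):
        if not SAFE_VALUE_CHARS.match(value):
            bad = sorted({c for c in value if not SAFE_VALUE_CHARS.match(c)})
            problems.append(f"{attr}={value!r} contains {bad}")
    return problems


def dn_mismatch(configured: str, actual: str) -> list[str]:
    """Compare the DN written in a config (rightca/leftid/rightid) with the
    subject openssl prints for the certificate; empty list means they agree."""
    a, b = dict(parse_dn(configured)), dict(parse_dn(actual))
    return [
        f"{attr}: config={a.get(attr)!r} cert={b.get(attr)!r}"
        for attr in sorted(set(a) | set(b))
        if a.get(attr) != b.get(attr)
    ]


if __name__ == "__main__":
    # Constructed sample values, not the thread's real certificates.
    for dn in ("C=DE,ST=Nds,O=Spezifikum,CN=gateway@spezifikum.de",
               "C=DE,ST=Nds,O=Spezifikum,CN=gateway.spezifikum.de"):
        print(dn, "->", find_risky_chars(dn) or "ok")
```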

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
