[Users] Another Sentinel<->Freeswan Certificate Problem

From: Andreas.Mueller_at_varetis.de
Date: Thu Aug 01 2002 - 18:50:19 CEST


Hello,

Concerning a W2k+Sentinel to Suse 8.0+freeswan VPN: basically, I don't get certificates accepted on the Sentinel side, but it's a bit more complicated.

UDP 500, ESP (50) and AH (51) are all getting through the router.

First, I started with plain W2k to Freeswan with Marcus' tool, and could set up a working tunnel with openssl-created certificates. So I knew that the certificates were OK (I followed vpn.ebootis.de).
Then I came to the point that I need the "virtual IP address" feature of Sentinel.
So I removed the IPsec setup on the notebook and installed Sentinel, and tried to get it running with the previously created certificates from the plain W2k<->freeswan setup.

The diagnostic of Sentinel tells me that it is possible to establish a connection to my gateway.

Everything worked as described in the documents (e.g. "SSH Sentinel 1.3 and FreeS/WAN IPSec") found at www.ssh.com. I also did a pretty complete RTFM.
But IKE Phase 1 fails somewhere on the Sentinel side.

On the Freeswan side, I get:

Aug 1 17:57:25 lovelace Pluto[8272]: "andreasmueller" 212.144.145.70 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Aug 1 17:57:25 lovelace Pluto[8272]: "andreasmueller" 212.144.145.70 #1: Peer ID is ID_DER_ASN1_DN: 'O=varetis, OU=ti, CN=andreas.mueller_at_varetis.com'
Aug 1 17:57:25 lovelace Pluto[8272]: "andreasmueller" 212.144.145.70 #1: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
Aug 1 17:57:25 lovelace Pluto[8272]: "andreasmueller" 212.144.145.70 #1: sent MR3, ISAKMP SA established
Aug 1 17:57:26 lovelace Pluto[8272]: "andreasmueller" 212.144.145.70 #1: Informational Exchange message for an established ISAKMP SA must be encrypted

The 4th line looks like everything is OK for freeswan. The 5th line is possibly the outcome of the error on the freeswan side.

On the Sentinel side, I get in the detailed IKE log:

Decoded ID = der_asn1_dn(any:0,[0..134]=C=DE and so on (it's the cert of the root CA)
SPD: Can not determine per-rule trusted CA root set for remote identity der_asn1_dn...... (like above). Using only globally trusted roots.
Then a few cryptic lines, and finally:
IP;Signature check failed.
Phase-1 [initiator] between ...local der_asn1_dn... and ipv4 ... (external gateway address) failed; invalid signature

I tried
a) working with the certificates from the previously working plain W2k setup,
b) working with openssl-created certificates as described in chapter 6.2 of "SSH Sentinel 1.3 and FreeS/WAN IPSec",
c) working with the certificate created by Sentinel, as described in chapter 6.1 of the manual.
None worked.

The certificates are always imported from floppy as described.
I did import the root CA certificate.

Network:

internalNet-router-VPNGateway-Router-Internet-Roadwarrior

Finally, the ipsec.conf (it's still pretty close to the working plain W2k setup):

conn %default
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        authby=rsasig
        auth=esp
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        right=VPNGateway-external
        rightnexthop=border-router internal
        rightsubnet=internal
        rightcert=cacerts/cacert.pem
        left=%any
        auto=add

conn andreasmueller
        type=tunnel
        leftsubnet=private virtual address as entered manually in the
sentinel setup/32
        leftcert=clientcerts/andreasmuellerCert.pem
        keyingtries=1
 

Are there any hints?

Thanks

-- 
Andreas Mueller
varetis AG
E-mail: andreas.mueller_at_varetis.de
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
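Added example (editor's addition, not part of the message above and not code from FreeS/WAN or SSH Sentinel): before chasing the IKE exchange itself, it is worth confirming that the certificate material satisfies the three things an RSA-signature Phase 1 depends on: the client certificate chains to the CA the gateway trusts, the private key on the client matches the public key in that certificate, and the subject DN is the ID the gateway matches the connection on. The script below does this with the openssl CLI on a throwaway CA and two client certificates it generates itself. The DN values are borrowed from the Pluto log as sample data, "trusted"/"other"/"good"/"stray" are made-up file names, and check_identity is a helper written for this example; it assumes openssl is installed and a temp directory can be created.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeS/WAN / SSH
# Sentinel: a pre-flight check of certificate material before debugging
# an IKE "invalid signature" between two RSA-signature peers.
# Assumptions: the openssl CLI is installed; the CA and client
# certificates below are constructed throwaway ones, with the DN values
# borrowed from the post's Pluto log purely as sample data.

WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Subject the gateway expects for the road warrior, in RFC 2253 order
# (the way `openssl x509 -subject -nameopt RFC2253` prints it).
DN='CN=andreas.mueller_at_varetis.com,OU=ti,O=varetis'

# Constructed self-signed CA; $1 is the file prefix ($1.pem / $1.key).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1.key" -out "$1.pem" \
        -subj "/C=DE/O=varetis/OU=ti/CN=$1 CA" >/dev/null 2>&1
}

# Constructed client certificate signed by CA prefix $1, written to prefix $2.
make_client() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$2.key" -out "$2.csr" \
        -subj "/O=varetis/OU=ti/CN=andreas.mueller_at_varetis.com" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.pem" >/dev/null 2>&1
}

# The three things an RSA-signature IKE peer needs to line up:
#   1. the certificate chains to the CA the other side trusts,
#   2. the private key matches the public key in that certificate,
#   3. the subject DN is the ID the other side matches the connection on.
# Args: CA cert, client cert, client key, expected DN.
# Returns 0 when all pass, 1/2/3 for the first check that fails.
check_identity() {
    ca=$1; cert=$2; key=$3; want_dn=$4
    # grep for the verdict rather than relying on openssl's exit status,
    # which older releases did not set on verification failure
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $cert does not chain to $ca"
        return 1
    fi
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key $key does not match the public key in $cert"
        return 2
    fi
    have_dn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
              | sed 's/^subject= *//')
    if [ "$have_dn" != "$want_dn" ]; then
        echo "FAIL: subject is '$have_dn', peer expects '$want_dn'"
        return 3
    fi
    echo "OK: $cert chains to $ca, matches $key, subject '$have_dn'"
    return 0
}

make_ca trusted           # the CA the gateway actually trusts
make_ca other             # an unrelated CA, e.g. a leftover from an earlier setup
make_client trusted good  # certificate issued by the trusted CA
make_client other stray   # same DN, but issued by the other CA

# Demo run on the constructed material: the first passes, the second is
# rejected on the chain check even though its subject DN is identical.
check_identity trusted.pem good.pem good.key "$DN"
check_identity trusted.pem stray.pem stray.key "$DN" || true
```

Point it at the real files instead of the generated ones (the CA certificate the Sentinel side imported from floppy, the client certificate and key, and the DN Pluto reports as Peer ID) and run it on both ends; a certificate that passes all three checks against the CA one side trusts but fails the chain check against the CA the other side trusts is the usual shape of a one-sided "invalid signature". For reference, in the FreeS/WAN X.509 patch leftcert/rightcert name the end-entity certificate of that side (paths are relative to /etc/ipsec.d/certs) while CA certificates are loaded from /etc/ipsec.d/cacerts, which is worth checking against the rightcert= line in the posted conf.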


This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:35 CEST