Re: [Users] hi im new in the list

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Thu Aug 15 2002 - 19:36:16 CEST


You must add the line

rightid="C=es, ST=barcelona, L=bcn, O=Clara GateWay Win 2000,
          OU=nets, CN=bichyllo.isthar.net, E=alex_rtm_at_ya.com"

since otherwise the peer's IP address is taken as the ID
by default.

Regards

Andreas

Alejo Raúl Torres Molina wrote:
> Hi, I subscribed to the list today.
>
> I installed freeswan with the x509 patch as explained in
> http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509 by
> Nate Carlson and http://vpn.ebootis.de/ by Marcus. I have the connection for
> the examples in these docs. I want to connect win2000 with linux redhat 7.2
> and walk around the private subnet (VPN).
> My problem is that when I run ipsec.exe on the win side, the logs of ipsec on
> the linux side tell me this:
>
> 104 "roadwarrior-net" #6: STATE_MAIN_I1: initiate
> 003 "roadwarrior-net" #6: ignoring Vendor ID payload
> 106 "roadwarrior-net" #6: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "roadwarrior-net" #6: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "roadwarrior-net" #6: discarding duplicate packet; already STATE_MAIN_I3
> 003 "roadwarrior-net" #6: we require peer to have ID '212.170.12.173', but
> peer declares 'C=es, ST=barcelona, L=bcn, O=Clara GateWay Win 2000, OU=nets,
> CN=bichyllo.isthar.net, E=alex_rtm_at_ya.com'
> 218 "roadwarrior-net" #6: STATE_MAIN_I3: INVALID_ID_INFORMATION
> 003 "roadwarrior-net" #6: we require peer to have ID '212.170.12.173', but
> peer declares 'C=es, ST=barcelona, L=bcn, O=Clara GateWay Win 2000, OU=nets,
> CN=bichyllo.isthar.net, E=alex_rtm_at_ya.com'
> 218 "roadwarrior-net" #6: STATE_MAIN_I3: INVALID_ID_INFORMATION
> 003 "roadwarrior-net" #6: we require peer to have ID '212.170.12.173', but
> peer declares 'C=es, ST=barcelona, L=bcn, O=Clara GateWay Win 2000, OU=nets,
> CN=bichyllo.isthar.net, E=alex_rtm_at_ya.com'
> 218 "roadwarrior-net" #6: STATE_MAIN_I3: INVALID_ID_INFORMATION
> 003 "roadwarrior-net" #6: we require peer to have ID '212.170.12.173', but
> peer declares 'C=es, ST=barcelona, L=bcn, O=Clara GateWay Win 2000, OU=nets,
> CN=bichyllo.isthar.net, E=alex_rtm_at_ya.com'
> 218 "roadwarrior-net" #6: STATE_MAIN_I3: INVALID_ID_INFORMATION
> 010 "roadwarrior-net" #6: STATE_MAIN_I3: retransmission; will wait 20s for
> response
> 003 "roadwarrior-net" #6: we require peer to have ID '212.170.12.173', but
> peer declares 'C=es, ST=barcelona, L=bcn, O=Clara GateWay Win 2000, OU=nets,
> CN=bichyllo.isthar.net, E=alex_rtm_at_ya.com'
> 218 "roadwarrior-net" #6: STATE_MAIN_I3: INVALID_ID_INFORMATION
> 010 "roadwarrior-net" #6: STATE_MAIN_I3: retransmission; will wait 40s for
> response
> 003 "roadwarrior-net" #6: we require peer to have ID '212.170.12.173', but
> peer declares 'C=es, ST=barcelona, L=bcn, O=Clara GateWay Win 2000, OU=nets,
> CN=bichyllo.isthar.net, E=alex_rtm_at_ya.com'
> 218 "roadwarrior-net" #6: STATE_MAIN_I3: INVALID_ID_INFORMATION
> 003 "roadwarrior-net" #6: encrypted Informational Exchange message is
> invalid because it is for incomplete ISAKMP SA
> 031 "roadwarrior-net" #6: max number of retransmissions (2) reached
> STATE_MAIN_I3. Possible authentication failure: no acceptable response to
> our first encrypted messa
>
> On the Windows side the certificate is correct and the logs tell me the IKE
> association was established correctly.
>
> I ran ipsec whack --listall to view the keys:
>
>
> 000
> 000 List of Public Keys:
> 000
> 000 Aug 13 01:12:53 2002, 2048 RSA Key AwEAAcV7s, until Aug 10 00:21:47 2012
> ok
> 000 ID_DER_ASN1_DN 'C=es, ST=barcelona, L=bcn, O=Clara GateWay Win
> 2000, OU=nets, CN=bichyllo.isthar.net, E=alex_rtm_at_ya.com'
> 000
> 000 List of User/Host Certificates:
> 000
> 000 Aug 13 01:00:56 2002, count: 2
> 000 subject: 'C=es, ST=barcelona, L=bcn, O=Clara GateWay Win 2000,
> OU=nets, CN=bichyllo.isthar.net, E=alex_rtm_at_ya.com'
> 000 issuer: 'C=es, ST=barcelona, L=bcn, O=claranet CA, OU=network,
> CN=ROOT CA, E=alex_at_es.clara.net'
> 000 pubkey: 2048 RSA Key AwEAAcV7s, has private key
> 000 validity: not before Aug 13 00:21:47 2002 ok
> 000 not after Aug 10 00:21:47 2012 ok
> 000
> 000 List of CA Certificates:
> 000
> 000 Aug 13 01:00:54 2002, count: 1
> 000 subject: 'C=es, ST=barcelona, L=bcn, O=claranet CA, OU=network,
> CN=ROOT CA, E=alex_at_es.clara.net'
> 000 issuer: 'C=es, ST=barcelona, L=bcn, O=claranet CA, OU=network,
> CN=ROOT CA, E=alex_at_es.clara.net'
> 000 pubkey: 2048 RSA Key AwEAAbfyC
> 000 validity: not before Aug 12 23:58:01 2002 ok
> 000 not after Oct 27 23:58:01 2017 ok
> 000
> 000 List of CRLs:
> 000
> 000 Aug 13 01:00:54 2002, revoked certs: 0
> 000 issuer: 'C=es, ST=barcelona, L=bcn, O=claranet CA, OU=network,
> CN=ROOT CA, E=alex_at_es.clara.net'
> 000 updates: this Aug 13 00:01:59 2002
> 000 next Sep 12 00:01:59 2002 ok
>
>
> I think that I didn't write the correct rightid somewhere, but where?
>
> Here is the ipsec verify
>
> Checking your system to see if IPsec got installed and started correctly
> Version check and ipsec on-path [OK]
> Checking for KLIPS support in kernel [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [OK]
> Checking that pluto is running [OK]
> Checking if IPchains has port 500 hole (all) accepted
> [OK]
> Checking if IPchains has port 500 hole (default) accepted
> [OK]
> Checking if IPchains has port 500 hole (eth0) accepted
> [OK]
> Checking if IPchains has port 500 hole (ipsec0) accepted
> [OK]
> Checking if IPchains has port 500 hole (lo) accepted
> [OK]
> Checking if IPchains has port 500 hole (vmnet1) accepted
> [OK]
> Checking if IPchains has port 500 hole (vmnet8) accepted
> [OK]
> DNS checks.
> Looking for forward key for alex [FAILED]
> Does the machine have at least one non-private address [OK]
>
>
> Looking for forward key for alex: I don't know how I can repair it. How?
>
> Is this important to my vpn connection?
>
> Can you see anything strange in all the email?
>
> Any hints about this?
>
> Thanks again,
>
>
>
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users

-- 
======================================================================
Andreas Steffen                 e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                  phone:  +41 76 340 25 56
Alter Zürichweg 20              home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
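
The check behind the advice above, as an added example that is not part of the original thread or of FreeS/WAN: it unwraps quoted pluto log text, finds ID mismatches where the required ID is an IP address while the peer declares something else (such as a certificate DN), and emits the matching rightid line. The function names are hypothetical; the sample log lines are copied from the quoted message.

```python
import ipaddress
import re

# Pluto prefixes each message with a 3-digit code; mail-wrapped text has none.
_PREFIX = re.compile(r'^\d{3} ')
_MISMATCH = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: we require peer to have ID '
    r"'(?P<required>[^']*)', but peer declares '(?P<declared>[^']*)'"
)

def unwrap(log_text):
    """Strip '> ' quoting and rejoin messages that the mailer wrapped."""
    messages = []
    for raw in log_text.splitlines():
        line = re.sub(r'^>\s?', '', raw).strip()
        if not line:
            continue
        if _PREFIX.match(line) or not messages:
            messages.append(line)
        else:
            messages[-1] += ' ' + line
    return messages

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def suggest_rightid(log_text):
    """Map conn name -> rightid line where the expected ID defaulted to an IP."""
    fixes = {}
    for msg in unwrap(log_text):
        m = _MISMATCH.search(msg)
        if m and is_ip(m['required']) and not is_ip(m['declared']):
            fixes[m['conn']] = 'rightid="%s"' % m['declared']
    return fixes

# Sample input: log lines taken from the quoted message, still mail-wrapped.
SAMPLE = """\
> 003 "roadwarrior-net" #6: we require peer to have ID '212.170.12.173', but
> peer declares 'C=es, ST=barcelona, L=bcn, O=Clara GateWay Win 2000, OU=nets,
> CN=bichyllo.isthar.net, E=alex_rtm_at_ya.com'
> 218 "roadwarrior-net" #6: STATE_MAIN_I3: INVALID_ID_INFORMATION
"""

if __name__ == '__main__':
    for conn, line in suggest_rightid(SAMPLE).items():
        print('conn %s: add %s' % (conn, line))
```
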
