RE: [Users] Newbie: Following Nate Carlsons document...

From: Alistair Nelson (alistair.nelson_at_eb2b.com.au)
Date: Mon Aug 19 2002 - 09:04:26 CEST


Thanks for your reply, that was great. I had made the change you mentioned but had forgotten to save it!

I do have the X.509 patch, I installed an RPM which includes it with
1.98b.

Freeswan appears to be running now, however I still can't get the client
(on the same subnet for my first stage testing) to "Negotiate IP
Security" --- as ping keeps replying.

As mentioned before, I am currently trying to test with a client connecting to the Freeswan gateway on the same subnet.

When I try to ping the gateway from the client (using the vpn.ebootis.de ipsec tool), it just keeps responding with "Negotiating IP Security". Nate's document says this is normal a few times, however I am doing this on the same subnet (so it should be quick) and I can't get rid of the message.

Nate's document did not mention a private key requirement in /etc/ipsec.d... however the log (logs are shown below) shows FreeS/WAN is looking for it.

Thanks again for your help anyone.

Alistair.

------/var/log/secure when I ping the gateway from the client--------
Aug 19 16:56:47 localhost pluto[3870]: packet from 192.168.1.150:500:
ignoring Vendor ID payload
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior"[1] 192.168.1.150
#1: responding to Main Mode from unknown peer 192.168.1.150
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior"[1] 192.168.1.150
#1: Peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, L=Burwood, O=eB2Bcom,
CN=Alistair Nelson, E=alistair.nelson_at_eb2b.com.au'
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior"[1] 192.168.1.150
#1: multiple ipsec.secrets entries with distinct secrets match
endpoints: first secret used
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior"[1] 192.168.1.150
#1: multiple ipsec.secrets entries with distinct secrets match
endpoints: first secret used
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior-net"[1]
192.168.1.150 #1: deleting connection "roadwarrior" instance with peer
192.168.1.150
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior-net"[1]
192.168.1.150 #1: multiple ipsec.secrets entries with distinct secrets
match endpoints: first secret used
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior-net"[1]
192.168.1.150 #1: sent MR3, ISAKMP SA established

======/var/log/secure when I execute "service ipsec start"=======
Aug 19 16:53:43 localhost ipsec__plutorun: Starting Pluto subsystem...
Aug 19 16:53:43 localhost pluto[3870]: Starting Pluto (FreeS/WAN Version
1.98b)
Aug 19 16:53:43 localhost pluto[3870]: including X.509 patch (Version
0.9.14)
Aug 19 16:53:43 localhost pluto[3870]: Changing to directory
'/etc/ipsec.d/cacerts'
Aug 19 16:53:43 localhost pluto[3870]: loaded cacert file 'RootCA.der'
(1084 bytes)
Aug 19 16:53:43 localhost pluto[3870]: Changing to directory
'/etc/ipsec.d/crls'
Aug 19 16:53:43 localhost pluto[3870]: loaded crl file 'crl.pem' (654
bytes)
Aug 19 16:53:43 localhost pluto[3870]: could not open my default X.509
cert file '/etc/x509cert.der'
Aug 19 16:53:43 localhost pluto[3870]: OpenPGP certificate file
'/etc/pgpcert.pgp' not found
Aug 19 16:53:44 localhost pluto[3870]: could not open host cert file
'/etc/ipsec.d/vpn.key'
Aug 19 16:53:44 localhost pluto[3870]: added connection description
"roadwarrior"
Aug 19 16:53:44 localhost pluto[3870]: could not open host cert file
'/etc/ipsec.d/vpn.key'
Aug 19 16:53:44 localhost pluto[3870]: added connection description
"roadwarrior-net"
Aug 19 16:53:44 localhost pluto[3870]: listening for IKE messages
Aug 19 16:53:44 localhost pluto[3870]: adding interface ipsec0/eth0
192.168.1.16
Aug 19 16:53:44 localhost pluto[3870]: loading secrets from
"/etc/ipsec.secrets"
Aug 19 16:53:44 localhost pluto[3870]: loaded private key file
'/etc/ipsec.d/private/vpn.key' (1751 bytes)

------Gateway Freeswan-------------
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        keyingtries=0
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        leftsubnet=192.168.0.0/255.255.254.0
        also=roadwarrior

conn roadwarrior
        right=%any
        left=%defaultroute
        leftcert=vpn.key
        auto=add
        pfs=yes

======Windows 2000 Client==========
conn roadwarrior
        left=%any
        right=192.168.1.16
        rightca="HIDDEN"
        network=auto
        auto=start
        pfs=yes

conn roadwarrior-net
        left=%any
        right=192.168.1.16
        rightsubnet=192.168.0.0/255.255.254.0
        rightca="HIDDEN"
        network=auto
        auto=start
        pfs=yes
==============================
-----Original Message-----
From: Sam Sgro [mailto:sam_at_freeswan.org]
Sent: Monday, 19 August 2002 2:37 PM
To: Alistair Nelson
Cc: users_at_lists.freeswan.org
Subject: Re: [Users] Newbie: Following Nate Carlsons document...

On Mon, 19 Aug 2002, Alistair Nelson wrote:

> /var/log/messages is currently logging the following on my gateway:
>
> ....."ipsec_auto: fatal error in "roadwarrior": ID "%any" cannot have
> RSA key
>
> My gateway ipsec.conf is exactly as Nate's document describes, as far
> as I can tell.

1) Are you sure you are running FreeS/WAN with the X.509 patch?

2) You haven't posted your ipsec.conf. Does it have:
 
leftrsasigkey=%cert
rightrsasigkey=%cert

under the %default connection?

--
Sam Sgro
sam_at_freeswan.org


_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
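The two log excerpts and the gateway ipsec.conf above contain enough to diagnose the stall. The following is an added example (not code from the thread or from FreeS/WAN) that reads Pluto log lines and the conn section and reports the mismatches a reviewer would look for: a `leftcert=` value that Pluto could not open as a host certificate while a private key of the same name loaded from /etc/ipsec.d/private, ambiguous ipsec.secrets entries, and a Phase 1 (ISAKMP SA) that completed with no IPsec SA following it in the excerpt. The log and conf strings are copied from the thread; the diagnosis wording is the example's own.

```python
import re

# Pluto log lines copied from the gateway /var/log/secure excerpts above.
PLUTO_LOG = """\
Aug 19 16:53:44 localhost pluto[3870]: could not open host cert file '/etc/ipsec.d/vpn.key'
Aug 19 16:53:44 localhost pluto[3870]: added connection description "roadwarrior"
Aug 19 16:53:44 localhost pluto[3870]: loaded private key file '/etc/ipsec.d/private/vpn.key' (1751 bytes)
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior"[1] 192.168.1.150 #1: responding to Main Mode from unknown peer 192.168.1.150
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior"[1] 192.168.1.150 #1: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior-net"[1] 192.168.1.150 #1: sent MR3, ISAKMP SA established
"""

# The gateway conn section from the thread; leftcert names the key file.
IPSEC_CONF = """\
conn roadwarrior
        right=%any
        left=%defaultroute
        leftcert=vpn.key
        auto=add
"""

def conf_values(conf, key):
    """Return every value given for `key=` in ipsec.conf-style text."""
    return re.findall(r'^\s*%s=(\S+)' % re.escape(key), conf, re.M)

def diagnose(log, conf):
    """Cross-check Pluto's startup/negotiation messages against the conn."""
    findings = []
    cert_fail = re.findall(r"could not open host cert file '([^']+)'", log)
    key_ok = re.findall(r"loaded private key file '([^']+)'", log)
    for cert in conf_values(conf, 'leftcert'):
        bad = [p for p in cert_fail if p.endswith('/' + cert)]
        if bad:
            findings.append('leftcert=%s: pluto could not open %s as a host '
                            'certificate' % (cert, bad[0]))
        key = [p for p in key_ok if p.endswith('/' + cert)]
        if key:
            findings.append('a private key of that name loaded from %s; '
                            'leftcert is read as a cert file, not a key' % key[0])
    if 'multiple ipsec.secrets entries with distinct secrets' in log:
        findings.append('ambiguous ipsec.secrets: several entries match the '
                        'peer and pluto silently uses the first')
    if 'ISAKMP SA established' in log and 'IPsec SA established' not in log:
        findings.append('Phase 1 completed but no IPsec SA in this excerpt: '
                        'quick mode never finished, so the client keeps '
                        'showing "Negotiating IP Security"')
    return findings

if __name__ == '__main__':
    for line in diagnose(PLUTO_LOG, IPSEC_CONF):
        print('-', line)
```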



This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 13:19:45 CEST