From: Alistair Nelson (alistair.nelson_at_eb2b.com.au)
Date: Fri Aug 23 2002 - 03:40:28 CEST
Bump, anyone have any idea on this?
I've installed /etc/x509cert.der to satisfy that log error, however I still can't ping the gateway.
Thanks,
Al.
-----Original Message-----
From: Alistair Nelson [mailto:alistair.nelson_at_eb2b.com.au]
Sent: Monday, 19 August 2002 5:04 PM
To: 'Sam Sgro'
Cc: 'users_at_lists.freeswan.org'
Subject: RE: [Users] Newbie: Following Nate Carlsons document...
Thanks for your reply, that was great. I had made the change you mentioned but had forgotten to save it!
I do have the X.509 patch, I installed an RPM which includes it with
1.98b.
Freeswan appears to be running now, however I still can't get the client
(on the same subnet for my first stage testing) to "Negotiate IP
Security" --- as ping keeps replying.
As mentioned before, I am currently trying to test with a client
connecting to the Freeswan gateway on the same subnet.
When I try to ping the gateway from the client (using the vpn.ebootis.de
ipsec tool), it just keeps responding with "Negotiating IP Security".
Nate's document says this is normal a few times, however I am doing this
on the same subnet (so it should be quick) and I can't get rid of the
message.
Nate's document did not mention a private key requirement in
/etc/ipsec.d... however the log (logs are shown below) shows FreeS/WAN
is looking for it.
Thanks again for your help anyone.
Alistair.
------/var/log/secure when I ping the gateway from the client--------
Aug 19 16:56:47 localhost pluto[3870]: packet from 192.168.1.150:500: ignoring Vendor ID payload
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior"[1] 192.168.1.150 #1: responding to Main Mode from unknown peer 192.168.1.150
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior"[1] 192.168.1.150 #1: Peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, L=Burwood, O=eB2Bcom, CN=Alistair Nelson, E=alistair.nelson_at_eb2b.com.au'
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior"[1] 192.168.1.150 #1: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior"[1] 192.168.1.150 #1: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior-net"[1] 192.168.1.150 #1: deleting connection "roadwarrior" instance with peer 192.168.1.150
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior-net"[1] 192.168.1.150 #1: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior-net"[1] 192.168.1.150 #1: sent MR3, ISAKMP SA established
======/var/log/secure when I execute "service ipsec start"=======
Aug 19 16:53:43 localhost ipsec__plutorun: Starting Pluto subsystem...
Aug 19 16:53:43 localhost pluto[3870]: Starting Pluto (FreeS/WAN Version 1.98b)
Aug 19 16:53:43 localhost pluto[3870]: including X.509 patch (Version 0.9.14)
Aug 19 16:53:43 localhost pluto[3870]: Changing to directory '/etc/ipsec.d/cacerts'
Aug 19 16:53:43 localhost pluto[3870]: loaded cacert file 'RootCA.der' (1084 bytes)
Aug 19 16:53:43 localhost pluto[3870]: Changing to directory '/etc/ipsec.d/crls'
Aug 19 16:53:43 localhost pluto[3870]: loaded crl file 'crl.pem' (654 bytes)
Aug 19 16:53:43 localhost pluto[3870]: could not open my default X.509 cert file '/etc/x509cert.der'
Aug 19 16:53:43 localhost pluto[3870]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Aug 19 16:53:44 localhost pluto[3870]: could not open host cert file '/etc/ipsec.d/vpn.key'
Aug 19 16:53:44 localhost pluto[3870]: added connection description "roadwarrior"
Aug 19 16:53:44 localhost pluto[3870]: could not open host cert file '/etc/ipsec.d/vpn.key'
Aug 19 16:53:44 localhost pluto[3870]: added connection description "roadwarrior-net"
Aug 19 16:53:44 localhost pluto[3870]: listening for IKE messages
Aug 19 16:53:44 localhost pluto[3870]: adding interface ipsec0/eth0 192.168.1.16
Aug 19 16:53:44 localhost pluto[3870]: loading secrets from "/etc/ipsec.secrets"
Aug 19 16:53:44 localhost pluto[3870]: loaded private key file '/etc/ipsec.d/private/vpn.key' (1751 bytes)
------Gateway Freeswan-------------
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
    keyingtries=0
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=192.168.0.0/255.255.254.0
    also=roadwarrior

conn roadwarrior
    right=%any
    left=%defaultroute
    leftcert=vpn.key
    auto=add
    pfs=yes
======Windows 2000 Client==========
conn roadwarrior
    left=%any
    right=192.168.1.16
    rightca="HIDDEN"
    network=auto
    auto=start
    pfs=yes

conn roadwarrior-net
    left=%any
    right=192.168.1.16
    rightsubnet=192.168.0.0/255.255.254.0
    rightca="HIDDEN"
    network=auto
    auto=start
    pfs=yes
==============================
-----Original Message-----
From: Sam Sgro [mailto:sam_at_freeswan.org]
Sent: Monday, 19 August 2002 2:37 PM
To: Alistair Nelson
Cc: users_at_lists.freeswan.org
Subject: Re: [Users] Newbie: Following Nate Carlsons document...
-----BEGIN PGP SIGNED MESSAGE-----
On Mon, 19 Aug 2002, Alistair Nelson wrote:
> /var/log/messages is currently logging the following on my gateway:
>
> ....."ipsec_auto: fatal error in "roadwarrior": ID "%any" cannot have
> RSA key
>
> My gateway ipsec.conf is exactly as Nate's document describes, as far
> as I can tell.
1) Are you sure you are running FreeS/WAN with the x.509 patch?
2) You haven't posted your ipsec.conf. Does it have:
leftrsasigkey=%cert
rightrsasigkey=%cert
under the %default connection?
- --
Sam Sgro
sam_at_freeswan.org
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.
iQCVAwUBPWB19UOSC4btEQUtAQFECwP6A1777yu0V1ZJNXuWosGX5XoATiIEBIcQ
5sLZ16mmgiY9QGA32xb4L9ngZ1rahBD7ymJjQfcWkqqe12tME8uUaAfE1ifR7q91
r01jRjdYlFZokBTDRvNnd0rrcMUANeVPi/GVI6OxsKQuFONDcR/k+6b5P++xIAl4
GS88HrdW/WY=
=SaNj
-----END PGP SIGNATURE-----
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
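As an added example, not part of this thread and not FreeS/WAN's own tooling: a small Python checker that parses an ipsec.conf in the section/indent layout quoted above, resolves conn %default and also= inheritance, and reports the two problems the thread circles around. The first is Sam's checklist item 2: a %any peer on an RSA-signature connection must use rsasigkey=%cert, otherwise ipsec_auto refuses with 'ID "%any" cannot have RSA key'. The second is the gateway's leftcert=vpn.key: Pluto expects leftcert to name the host's X.509 certificate, and the startup log shows it failing to open '/etc/ipsec.d/vpn.key' as a host cert while the private key itself loads fine from '/etc/ipsec.d/private/vpn.key'. The .key/private naming check is this example's own heuristic, the log regexes are built from the Pluto messages quoted in the thread, and the sample configurations and log lines are constructed to mirror them.

```python
"""ipsec.conf / Pluto log sanity checker (added example, not FreeS/WAN code)."""
import re

# Patterns taken from the Pluto messages quoted in the thread.
CERT_MISSING_RE = re.compile(r"could not open host cert file '([^']*)'")
SECRETS_CLASH_RE = re.compile(r'"([^"]+)"\[\d+\] \S+ #\d+: multiple ipsec\.secrets entries')


def parse_ipsec_conf(text):
    """Return {(kind, name): {param: value}} for every 'config'/'conn' section.

    A section header is an unindented 'config <name>' or 'conn <name>' line;
    parameters are the indented key=value lines under it. '#' comments and
    blank lines are skipped; surrounding double quotes on values are dropped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            kind, _, name = line.strip().partition(' ')
            current = (kind, name.strip())
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition('=')
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def resolve_conn(sections, name, _seen=()):
    """Effective parameters of conn <name>: %default, then the also= chain,
    then the conn's own settings (a conn's own values win over also=)."""
    if name in _seen:
        raise ValueError(f'also= loop at {name}')
    own = dict(sections[('conn', name)])
    params = dict(sections.get(('conn', '%default'), {}))
    also = own.pop('also', None)
    if also:
        params.update(resolve_conn(sections, also, _seen + (name,)))
    params.update(own)
    return params


def check_conn(name, params):
    """Findings for one resolved conn; empty list when nothing is flagged."""
    findings = []
    if params.get('authby', 'rsasig') == 'rsasig':       # rsasig is FreeS/WAN's default
        for side in ('left', 'right'):
            if params.get(side) == '%any' and params.get(side + 'rsasigkey') != '%cert':
                findings.append(f'{name}: {side}=%any needs {side}rsasigkey=%cert '
                                f'(a literal RSA key cannot be bound to ID %any)')
    for side in ('left', 'right'):
        cert = params.get(side + 'cert')
        # Heuristic of this example: a cert parameter naming a key file is
        # almost certainly the private key, not the X.509 certificate.
        if cert and (cert.endswith('.key') or '/private/' in cert):
            findings.append(f'{name}: {side}cert={cert} looks like a private key, not a certificate')
    return findings


def check_log(lines):
    """Findings from Pluto log lines: certificates it could not open and
    ambiguous ipsec.secrets matches (the first matching secret silently wins)."""
    findings = set()
    for line in lines:
        m = CERT_MISSING_RE.search(line)
        if m:
            findings.add(f'pluto could not open certificate {m.group(1)!r}')
        m = SECRETS_CLASH_RE.search(line)
        if m:
            findings.add(f'{m.group(1)}: several ipsec.secrets entries match; first used')
    return sorted(findings)


def audit(conf_text, log_lines):
    """Config findings (in section order) followed by log findings."""
    sections = parse_ipsec_conf(conf_text)
    findings = []
    for kind, name in sections:
        if kind == 'conn' and name != '%default':
            findings += check_conn(name, resolve_conn(sections, name))
    return findings + check_log(log_lines)


# Constructed sample mirroring the gateway config in the thread.
SAMPLE_CONF = """
config setup
    interfaces=%defaultroute
conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn roadwarrior-net
    leftsubnet=192.168.0.0/255.255.254.0
    also=roadwarrior
conn roadwarrior
    right=%any
    left=%defaultroute
    leftcert=vpn.key
    auto=add
"""
# Constructed variant: %default lacks the %cert lines Sam asked about.
BROKEN_DEFAULT_CONF = """
conn %default
    authby=rsasig
conn roadwarrior
    right=%any
    left=%defaultroute
    leftcert=vpn.pem
"""
# Constructed log lines in the shape of the thread's /var/log/secure excerpt.
SAMPLE_LOG = [
    "Aug 19 16:53:44 localhost pluto[3870]: could not open host cert file '/etc/ipsec.d/vpn.key'",
    'Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior"[1] 192.168.1.150 #1: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used',
    'Aug 19 16:56:47 localhost pluto[3870]: "roadwarrior-net"[1] 192.168.1.150 #1: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used',
]

if __name__ == '__main__':
    for finding in audit(SAMPLE_CONF, SAMPLE_LOG):
        print(finding)
```

Run it as a script against a real /etc/ipsec.conf and a grep of pluto lines from /var/log/secure; a clean setup yields no output. The "multiple ipsec.secrets entries" warning is worth acting on too: when several entries match, Pluto picks the first, so the key actually used may not be the one the certificate was issued for.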
This archive was generated by hypermail 2.1.4 : Fri Aug 23 2002 - 23:19:49 CEST