Re: [Users] Help: Trying to get Win2K <==> Freeswan X.509

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Mon Aug 26 2002 - 07:30:22 CEST


Your FreeS/WAN configuration cannot work since you are
loading the private key instead of the host certificate:

> Aug 23 16:19:25 vpn pluto[5104]: loaded my default X.509 cert file
> '/etc/x509cert.der' (1128 bytes)
> Aug 23 16:19:26 vpn pluto[5104]: loaded host cert file
> '/etc/ipsec.d/vpn.key' (1751 bytes)
> Aug 23 16:19:26 vpn pluto[5104]: no passphrase available
> Aug 23 16:19:26 vpn pluto[5104]: added connection description
> "roadwarrior"
> Aug 23 16:19:26 vpn pluto[5104]: loaded host cert file
> '/etc/ipsec.d/vpn.key' (1751 bytes)
> Aug 23 16:19:26 vpn pluto[5104]: no passphrase available
> Aug 23 16:19:26 vpn pluto[5104]: added connection description
> "roadwarrior-net"

Instead of putting the host certificate into /etc/x509cert.der
better load it via leftcert=vpnCert.pem. /etc/x509cert.der will
not be available any more in version 1.0.0 of the X.509 patch.

There seem to be several anonymous private keys in /etc/ipsec.secrets:

> Aug 23 16:21:02 vpn pluto[5104]: "roadwarrior"[1] 192.168.1.150 #1:
> multiple ipsec.secrets entries with distinct secrets match endpoints:
> first secret used

FreeS/WAN does not know how to select the correct one. If you load
your host certificate via leftcert= then it will be able to find
the matching private key.

> Aug 23 16:25:13 vpn pluto[5104]: "roadwarrior-net"[1] 192.168.1.150 #2:
> ignoring informational payload, type AUTHENTICATION_FAILED

Win2k even tells you that you sent an invalid signature. Sometimes
I wonder what the log files are good for :-(

> 8-23: 16:22:55:13c Failed to verify signature

Regards

Andreas

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
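Worked configuration illustrating the fix Andreas describes, added here as an editorial example; it is not part of his post nor taken from the FreeS/WAN distribution. The "before" block is a reconstruction of what the quoted log implies (no leftcert=, so pluto falls back to /etc/x509cert.der, and more than one anonymous RSA key in ipsec.secrets). The "after" block uses the leftcert= keyword from the post; the leftrsasigkey=%cert / rightrsasigkey=%cert settings follow the X.509 patch conventions of that era, and the file names vpnCert.pem, vpnKey.pem, old.key and the directories /etc/ipsec.d/certs and /etc/ipsec.d/private are assumptions. Only the conn and secrets sections are shown; the config setup section is omitted.

```ini
# ---- BEFORE: the setup the log above reflects (reconstructed, assumed) ----

# /etc/ipsec.conf
conn roadwarrior
    left=%defaultroute
    leftrsasigkey=%cert
    # no leftcert= here, so pluto reads the host certificate from
    # the legacy location /etc/x509cert.der instead
    right=%any
    rightrsasigkey=%cert
    auto=add

# /etc/ipsec.secrets
# two anonymous RSA keys: pluto cannot tell which one belongs to the
# host certificate and just takes the first one, hence
# "multiple ipsec.secrets entries with distinct secrets match endpoints"
: RSA /etc/ipsec.d/vpn.key
: RSA /etc/ipsec.d/old.key

# ---- AFTER: host certificate loaded explicitly via leftcert= ----

# /etc/ipsec.conf
conn roadwarrior
    left=%defaultroute
    # PEM-encoded host certificate; a relative name is looked up in
    # /etc/ipsec.d/certs/ (assumed location)
    leftcert=vpnCert.pem
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    auto=add

# /etc/ipsec.secrets
# the private key belonging to vpnCert.pem; a relative name is looked up
# in /etc/ipsec.d/private/ (assumed location). Because the certificate is
# now loaded via leftcert=, pluto selects the key whose public half
# matches the certificate, so the ambiguity above disappears.
: RSA vpnKey.pem
```

Before restarting pluto, confirm that the file named in leftcert= really is a certificate and not a key: `openssl x509 -in /etc/ipsec.d/certs/vpnCert.pem -noout -subject` must print a subject, and the modulus shown by `openssl x509 -in vpnCert.pem -noout -modulus` must equal the one from `openssl rsa -in vpnKey.pem -noout -modulus`. After restarting, the log should show "loaded host cert file '.../vpnCert.pem'" rather than the .key file, and the "multiple ipsec.secrets entries" warning should be gone.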



This archive was generated by hypermail 2.1.4 : Mon Aug 26 2002 - 10:19:54 CEST