RE: [Users] Help: Trying to get Win2K <==> Freeswan X.509

From: Alistair Nelson (alistair.nelson_at_eb2b.com.au)
Date: Mon Aug 26 2002 - 08:03:51 CEST


Hi Andreas,

Thank you kindly! You were right, I was incorrectly specifying leftcert.

Now I can ping the gateway, but nothing else... I won't bother this
mailing list until I've investigated this further however.

Kind regards,

Alistair.

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen_at_strongsec.net]
Sent: Monday, 26 August 2002 3:30 PM
To: alistair.nelson_at_eb2b.com.au
Cc: users_at_lists.freeswan.org
Subject: Re: [Users] Help: Trying to get Win2K <==> Freeswan X.509

Your FreeS/WAN configuration cannot work since you are loading the
private key instead of the host certificate:

> Aug 23 16:19:25 vpn pluto[5104]: loaded my default X.509 cert file
> '/etc/x509cert.der' (1128 bytes)
> Aug 23 16:19:26 vpn pluto[5104]: loaded host cert file
> '/etc/ipsec.d/vpn.key' (1751 bytes)
> Aug 23 16:19:26 vpn pluto[5104]: no passphrase available
> Aug 23 16:19:26 vpn pluto[5104]: added connection description "roadwarrior"
> Aug 23 16:19:26 vpn pluto[5104]: loaded host cert file
> '/etc/ipsec.d/vpn.key' (1751 bytes)
> Aug 23 16:19:26 vpn pluto[5104]: no passphrase available
> Aug 23 16:19:26 vpn pluto[5104]: added connection description "roadwarrior-net"

Instead of putting the host certificate into /etc/x509cert.der better
load it via leftcert=vpnCert.pem. /etc/x509cert.der will not be
available any more in version 1.0.0 of the X.509 patch.

There seem to be several anonymous private keys in /etc/ipsec.secrets:

> Aug 23 16:21:02 vpn pluto[5104]: "roadwarrior"[1] 192.168.1.150 #1:
> multiple ipsec.secrets entries with distinct secrets match endpoints:
> first secret used

FreeS/WAN does not know how to select the correct one. If you load your
host certificate via leftcert= then it will be able to find the matching
private key.

> Aug 23 16:25:13 vpn pluto[5104]: "roadwarrior-net"[1] 192.168.1.150 #2:
> ignoring informational payload, type AUTHENTICATION_FAILED

Win2k even tells you that you sent an invalid signature. Sometimes I
wonder what the log files are good for :-(

> 8-23: 16:22:55:13c Failed to verify signature

Regards

Andreas

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
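A small lint for the two misconfigurations Andreas diagnoses above (leftcert= pointing at the private key, and several anonymous RSA entries in ipsec.secrets), written as an added POSIX shell example that is not part of this thread or of FreeS/WAN itself. It assumes PEM-encoded files and takes the certificate directory as an argument in place of /etc/ipsec.d/certs.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeS/WAN.
# Lints a FreeS/WAN X.509 setup for the two problems discussed above:
#   1. leftcert=/rightcert= pointing at a private key instead of a certificate
#   2. several anonymous ": RSA ..." private keys in ipsec.secrets, which
#      pluto cannot choose between ("first secret used")
# Assumptions: PEM files; a relative leftcert path resolves under the
# directory given as the second argument (stand-in for /etc/ipsec.d/certs).

# classify_pem FILE -> prints cert, key, missing or unknown (e.g. DER)
classify_pem() {
    [ -f "$1" ] || { echo missing; return; }
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo cert
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo key
    else
        echo unknown
    fi
}

# check_certs CONF CERTDIR -> prints one line per leftcert=/rightcert= value;
# returns 1 if any of them names a private key, 0 otherwise
check_certs() {
    conf=$1; certdir=$2; rc=0
    for path in $(sed -n -e 's/^[[:space:]]*leftcert=//p' \
                        -e 's/^[[:space:]]*rightcert=//p' "$conf" | tr -d '"'); do
        case $path in /*) file=$path ;; *) file=$certdir/$path ;; esac
        kind=$(classify_pem "$file")
        echo "$path: $kind"
        if [ "$kind" = key ]; then rc=1; fi
    done
    return $rc
}

# count_anonymous_keys SECRETS -> number of ": RSA ..." entries (no ID selector)
count_anonymous_keys() {
    grep -c '^:[[:space:]]*RSA[[:space:]]' "$1" || true
}
```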

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Mon Aug 26 2002 - 11:19:48 CEST