From: Michael (michael_at_insulin-pumpers.org)
Date: Thu Oct 03 2002 - 00:15:28 CEST
I'm having a bit of a problem with SSH Sentinel.
Following the guide in the SSH Sentinel PDF and Nadeem Hasan's docs,
I've created the signed certs for Sentinel. After importing and
running diagnostics (with no IP address assigned), the connection is
established just fine.
Here's the problem. The FreeS/WAN gateway has no automatic IP
assignment daemon; IP space must be manually assigned. When I change
the VPN IP assignment to manual, I can no longer make the connection
because the peer ID changes. How do I set the configuration so that I
can pre-assign the peer ID and still connect?
ipsec.config
<snip>
conn to-net
        leftsubnet=192.168.1.0/24
        also=to-me
conn to-me
        keyingtries=2
        right=%any
        auto=add
Below are the logs from both cases.
######## no IP in VPN -- SUCCESS, no IP address
"to-me"[1] 63.77.172.62 #8: responding to Main Mode from unknown peer 63.77.172.62
"to-me"[1] 63.77.172.62 #8: ignoring informational payload, type IPSEC_INITIAL_CONTACT
"to-me"[1] 63.77.172.62 #8: Peer ID is ID_DER_ASN1_DN: 'CN=maus_at_grtimp.com'
"to-me"[1] 63.77.172.62 #8: sent MR3, ISAKMP SA established
"to-me"[1] 63.77.172.62 #8: retransmitting in response to duplicate packet; already STATE_MAIN_R3
"to-net"[2] 63.77.172.62 #9: responding to Quick Mode
"to-net"[2] 63.77.172.62 #9: IPsec SA established
"to-me"[1] 63.77.172.62 #8: ignoring Delete SA payload
"to-me"[1] 63.77.172.62 #8: received and ignored informational message
"to-me"[1] 63.77.172.62 #8: ignoring Delete SA payload
"to-me"[1] 63.77.172.62 #8: received and ignored informational message
############ with IP address 192.168.1.111 -- FAILS
"to-net"[1] 63.77.172.62 #7: responding to Main Mode from unknown peer 63.77.172.62
"to-net"[1] 63.77.172.62 #7: ignoring informational payload, type IPSEC_INITIAL_CONTACT
"to-net"[1] 63.77.172.62 #7: Peer ID is ID_DER_ASN1_DN: 'CN=maus_at_grtimp.com'
"to-me"[1] 63.77.172.62 #7: deleting connection "to-net" instance with peer 63.77.172.62
"to-me"[1] 63.77.172.62 #7: sent MR3, ISAKMP SA established
"to-me"[1] 63.77.172.62 #7: retransmitting in response to duplicate packet; already STATE_MAIN_R3
"to-me"[1] 63.77.172.62 #7: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===63.77.172.2[C=US, ST=California, L=Los Altos, O=BizSystems, OU=Office, CN=ns2.bizsystems.net, E=sysadm_at_bizsystems.com]...63.77.172.62[CN=maus_at_grtimp.com]===192.168.1.111/32
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
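The last log line in the failing case spells out the tunnel Pluto was asked for and could not find a conn for: local client 192.168.1.0/24 behind the gateway 63.77.172.2, remote client 192.168.1.111/32 behind the road warrior at 63.77.172.62 whose certificate DN is CN=maus@grtimp.com (the archive renders "@" as "_at_"). The posted to-net conn names a leftsubnet but no rightsubnet, so an instance of it only covers traffic to the peer's own address, not to a client subnet the peer proposes. The following ipsec.conf fragment is an added illustration, not part of Michael's post or of the FreeS/WAN or SSH Sentinel documentation; it states both ends explicitly. Assumed, and not taken from the post: that 63.77.172.2 is the gateway's own address (it appears as such in the log), the certificate file name gateway.pem, and that the client keeps the manually assigned address 192.168.1.111.

```ini
# Added example, not from the original post.
# Assumptions: left=63.77.172.2 is the gateway's public address (it appears in
# the "no connection is known for" log line), the gateway certificate is
# /etc/ipsec.d/certs/gateway.pem, and "_at_" in the archive stands for "@".
conn rw-maus
        left=63.77.172.2
        leftsubnet=192.168.1.0/24
        leftcert=gateway.pem
        leftrsasigkey=%cert
        right=%any
        # full subject DN of the client certificate, as shown by "Peer ID is"
        rightid="CN=maus@grtimp.com"
        rightrsasigkey=%cert
        # the client's manually assigned VPN address, as proposed in Quick Mode
        rightsubnet=192.168.1.111/32
        authby=rsasig
        keyingtries=2
        auto=add
```

Because right=%any matches every source address, rightid is what keeps this conn from being offered to other road warriors; each manually addressed client therefore needs its own conn with its own rightid and rightsubnet pair, and the DN in rightid has to match the certificate's subject exactly, not just the CN. One general caveat: 192.168.1.111 lies inside leftsubnet, so hosts on the LAN will only reach the client if the gateway answers ARP for that address (proxy ARP) or the LAN otherwise routes it to the gateway.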
This archive was generated by hypermail 2.1.5 : Fri Oct 04 2002 - 05:20:19 CEST