From: Chris Stankaitis (chris.stankaitis_at_datawire.net)
Date: Wed Oct 23 2002 - 21:54:22 CEST
I am at a roadblock, so to speak, and could use some advice on getting
Roadwarrior up and running... here are all the specifics..
Scope: Linux RH7.2 box for FreeSWAN with an external and an internal IP.
Using ssh I have verified that you can access both the internal and external LAN
from the box. It will need to support 50+ (assuming everyone in the
company used it) Roadwarriors..
eth1 = external IP a.b.c.d
eth0 = internal IP 10.0.0.X
installed using Freeswan + x509 patch RPM's from freeswan.ca
netstat -rn
Kernel IP routing table
Destination  Gateway  Genmask          Flags MSS Window irtt Iface
a.b.c.d      0.0.0.0  255.255.255.224  U     40  0      0    eth1
a.b.c.d      0.0.0.0  255.255.255.224  U     40  0      0    ipsec0
10.0.0.0     0.0.0.0  255.255.255.0    U     40  0      0    eth0
127.0.0.0    0.0.0.0  255.0.0.0        U     40  0      0    lo
0.0.0.0      a.b.c.e  0.0.0.0          UG    40  0      0    eth1
[root_at_vpn etc]# ipsec look
ipsec0->eth1 mtu=16260(1500)->1500
Destination  Gateway  Genmask          Flags MSS Window irtt Iface
0.0.0.0      a.b.c.e  0.0.0.0          UG    40  0      0    eth1
a.b.c.d      0.0.0.0  255.255.255.224  U     40  0      0    eth1
a.b.c.d      0.0.0.0  255.255.255.224  U     40  0      0    ipsec0
--> ipsec.conf
config setup
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	uniqueids=yes

conn %default
	keyingtries=1
	compress=yes
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert

conn roadwarrior-net
	leftsubnet=10.0.0.0/0
	also=roadwarrior

conn roadwarrior
	right=%any
	left=%defaultroute
	leftcert=vpn.pem
	auto=add
	pfs=yes
I am using the following openssl commands to generate, sign and convert
the certs; it's in a shell script, so I am using $1 as a variable which I
can change to make a new cert for each user...
I also use the -nodes option... in general I have always made, and was
shown to make, certs that were not encrypted or in need of decryption, as
it saves the CPU load and such without the need for the extra decrypt
step... not sure if that is messing things up a lot..
# new 2048-bit key and certificate request for user $1; the key and the
# request must go to two different files, otherwise one overwrites the other
openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1-req.pem"
# sign the request with the local CA; validity is set here ('req -new'
# ignores -days unless -x509 is given)
openssl ca -policy policy_anything -days 3000 -out "$1-cert.pem" -infiles "$1-req.pem"
mv "$1-cert.pem" "$1.pem"
# bundle the user's cert, private key and the CA cert for import on Windows
openssl pkcs12 -export -in "$1.pem" -inkey "$1.key" -certfile demoCA/cacert.pem -out "$1.p12"
--> ipsec.secrets
: RSA test.key
: RSA vpn.key
vpn.key is the key for the server... test.key is one I make for the
laptop... no password in there since I didn't encrypt the cert. Here is
where I get confused as well... shouldn't the roadwarrior's private cert
only be on the roadwarrior, and the server have the public for auth?
If so, how do I reference that in the secrets file, and where does the
public go...
On to the Win box... I used the ipsec tools, imported the p12 cert and
root CA to the box, and made the following ipsec.conf on the laptop.
conn roadwarrior
	left=%any
	right=a.b.c.d
	rightca="C=CA,S=Ontario,L=Toronto,O=Datawire Communication Networks inc.,CN=CA,Email=root_at_datawire.net"
	network=auto
	auto=start
	pfs=yes

conn roadwarrior-net
	left=%any
	right=a.b.c.d
	rightsubnet=10.0.0.0/0
	rightca="C=CA,S=Ontario,L=Toronto,O=Datawire Communication Networks Inc.,CN=CA,Email=root_at_datawire.net"
	network=auto
	auto=start
	pfs=yes
When I do a c:\ipsec.exe it seems to start up OK... I try
ping -t a.b.c.d and it gives a continual "Negotiating IP Security" and
no ping returns..
I either get
Oct 23 14:43:13 vpn pluto[13226]: packet from a.b.c.d:284: initial Main Mode message received on a.b.c.d:500 but no connection has been authorized
Oct 23 14:43:17 vpn pluto[13226]: packet from a.b.c.d:284: ignoring Vendor ID payload
or yesterday I got this:
Oct 22 19:52:26 vpn pluto[13226]: "roadwarrior"[1] a.b.c.d #1: responding to Main Mode from unknown peer a.b.c.d
Oct 22 19:52:27 vpn pluto[13226]: "roadwarrior"[1] a.b.c.d #1: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Oct 22 19:53:36 vpn pluto[13226]: "roadwarrior"[1] a.b.c.d #1: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 22 19:53:36 vpn pluto[13226]: "roadwarrior"[1] a.b.c.d: deleting connection "roadwarrior" instance with peer a.b.c.d
Can anyone give me a hand and some advice as to where I am going wrong
and what I can fix??
-- Chris Stankaitis
_______________________________________________
Users mailing list Users_at_lists.freeswan.org http://lists.freeswan.org/mailman/listinfo/users
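As an added illustration, not part of Chris's post: the conn and secrets layout FreeSWAN's X.509 patch expects for this gateway/laptop pair, with the internal LAN written as the /24 the routing table shows and each side holding only its own private key. The CA organisation and e-mail are placeholders; the /etc/ipsec.d paths are the patch's defaults.

```conf
# --- gateway: /etc/ipsec.conf, conn sections (config setup and
# --- conn %default as in the post) ---
conn roadwarrior
	right=%any
	left=%defaultroute
	leftcert=vpn.pem            # gateway certificate, in /etc/ipsec.d/
	auto=add
	pfs=yes

conn roadwarrior-net
	# eth0 carries 10.0.0.0 with mask 255.255.255.0, so the LAN is a /24;
	# 10.0.0.0/0 does not describe that network (non-zero host bits for
	# a /0 mask)
	leftsubnet=10.0.0.0/24
	also=roadwarrior

# --- gateway: /etc/ipsec.secrets ---
# Only the gateway's own private key, kept in /etc/ipsec.d/private/.
# It must belong to the certificate named in leftcert. Roadwarrior
# private keys stay on the roadwarriors (inside their .p12 files).
: RSA vpn.key

# --- gateway: /etc/ipsec.d/cacerts/cacert.pem ---
# A copy of demoCA/cacert.pem. Peer certificates arrive in IKE and are
# checked against it, so no per-user certificate has to be installed
# on the gateway.

# --- laptop: ipsec.conf for ipsec.exe ---
conn roadwarrior-net
	left=%any
	right=a.b.c.d
	rightsubnet=10.0.0.0/24
	# must match the CA certificate's subject character for character
	# (the two conns in the post differ: "inc." vs "Inc."); read it with
	#   openssl x509 -noout -subject -in demoCA/cacert.pem
	rightca="C=CA,S=Ontario,L=Toronto,O=<CA organisation>,CN=CA,Email=<CA e-mail>"
	network=auto
	auto=start
	pfs=yes
```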
This archive was generated by hypermail 2.1.5 : Fri Oct 25 2002 - 05:20:31 CEST