[Users] Freeswan+X509

From: Rishi Sumbal (rsumbal_at_wdsystems.fr)
Date: Thu Dec 12 2002 - 15:45:36 CET


Hi,

Here's the deal:

Two Linux boxes (with Red Hat kernel 2.4.18-3) with freeswan-1.99 on the same private LAN, just for testing (10.0.0.0/16).
One is the gateway and the other is the client. The gateway has another LAN behind it (192.168.1.0/24) to test the VPN.

I) /etc/hosts

bobvpn 10.0.0.1
rishivpn 10.0.0.2

II) ipsec.conf on gateway :

config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior
        leftsubnet=192.168.1.0/24
        left=bobvpn
        right=rishivpn
        rightid="C=FR, ST=IDF, L=Paris, O=WDSystems, OU=Services, CN=10.0.0.1/Email=rsumbal_at_wdsystems.fr"
        leftcert=serveur.pem
        auto=start

III) ipsec.conf on client

config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior
        leftsubnet=192.168.1.0/24
        left=bobvpn
        leftcert=serveur.pem
        rightcert=client.pem
        right=rishivpn
        auto=start

IV) /var/log/message on gateway after launching "service ipsec start" then "ipsec auto --up roadwarrior"

Dec 12 15:15:36 loopback ipsec__plutorun: 104 "roadwarrior" #1: STATE_MAIN_I1: initiate
Dec 12 15:15:36 loopback ipsec__plutorun: 106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 12 15:15:36 loopback ipsec__plutorun: 108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 12 15:15:36 loopback ipsec__plutorun: 003 "roadwarrior" #1: Signature check (on C=FR, ST=IDF, L=Paris, O=WDSystems, OU=Services, CN=10.0.0.1, E=rsumbal_at_wdsystems.fr) failed (wrong key?); tried *0sAwEAAdt
Dec 12 15:15:36 loopback ipsec__plutorun: 217 "roadwarrior" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
Dec 12 15:15:36 loopback ipsec__plutorun: 010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
Dec 12 15:15:36 loopback ipsec__plutorun: 003 "roadwarrior" #1: Signature check (on C=FR, ST=IDF, L=Paris, O=WDSystems, OU=Services, CN=10.0.0.1, E=rsumbal_at_wdsystems.fr) failed (wrong key?); tried *0sAwEAAdt
Dec 12 15:15:36 loopback ipsec__plutorun: 217 "roadwarrior" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
Dec 12 15:15:36 loopback ipsec__plutorun: 010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
Dec 12 15:15:36 loopback ipsec__plutorun: 031 "roadwarrior" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

Any help would be greatly appreciated ...

Rishi
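
Added example, not part of the original post: FreeS/WAN describes a connection in terms of left/right rather than local/remote so that the same conn can be used on both ends, which makes listing the parameters that differ between the two peers a quick first triage step. The sketch below merges `conn %default` into `conn roadwarrior` for each side and reports the differences; the function names are hypothetical and the parser is simplified (it assumes no `also=` or `include` lines).

```python
# Constructed input: the conn sections from the post, abridged (no
# "config setup"; authby, compress, auto etc. omitted as identical).
GATEWAY = '''\
conn %default
        keyingtries=1
        leftrsasigkey=%cert
        rightrsasigkey=%cert
conn roadwarrior
        leftsubnet=192.168.1.0/24
        left=bobvpn
        right=rishivpn
        rightid="C=FR, ST=IDF, L=Paris, O=WDSystems, OU=Services, CN=10.0.0.1/Email=rsumbal_at_wdsystems.fr"
        leftcert=serveur.pem
'''
CLIENT = '''\
conn %default
        keyingtries=3
        leftrsasigkey=%cert
        rightrsasigkey=%cert
conn roadwarrior
        leftsubnet=192.168.1.0/24
        left=bobvpn
        leftcert=serveur.pem
        rightcert=client.pem
        right=rishivpn
'''

def effective_conn(text, name):
    """Return the parameters of conn `name` merged over conn %default."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # section header, e.g. "conn roadwarrior"
            current = sections.setdefault(line.split(None, 1)[1].strip(), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return {**sections.get("%default", {}), **sections[name]}

def conn_diff(a, b, name):
    """Map each differing parameter to its (a, b) values; None means unset."""
    ea, eb = effective_conn(a, name), effective_conn(b, name)
    return {k: (ea.get(k), eb.get(k))
            for k in sorted(set(ea) | set(eb)) if ea.get(k) != eb.get(k)}

if __name__ == "__main__":
    for key, (gw, cl) in conn_diff(GATEWAY, CLIENT, "roadwarrior").items():
        print(f"{key}: gateway={gw!r} client={cl!r}")
```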
