Re: [Users] [Fwd: FreeSWAN and Windows XP]

From: Patrick Topping (ptopping_at_pobox.com)
Date: Thu Dec 26 2002 - 20:49:15 CET


Thanks Andreas. I have added the authby=rsasig and now I am getting the
following error:

> Dec 26 19:47:34 sapphire pluto[14065]: "aeronet" #5: responding to Main Mode
> Dec 26 19:47:34 sapphire pluto[14065]: "aeronet" #5: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
> Dec 26 19:47:44 sapphire pluto[14065]: | handling event EVENT_RETRANSMIT for 192.168.255.250 "aeronet" #5
> Dec 26 19:48:04 sapphire pluto[14065]: | handling event EVENT_RETRANSMIT for 192.168.255.250 "aeronet" #5

At least it is something new...:-)

-Patrick

Andreas Steffen wrote:

> The entry
>
> authby=rsasig
>
> is missing in your FreeS/WAN ipsec.conf. Therefore authby=secret is
> assumed by default, leading to the error below.
>
> Regards
>
> Andreas
>
> Patrick Topping wrote:
>
>> With attachments this time......:-)
>>
>> I have read through and done step by step what is on Nate Carlson's
>> web page and I still cannot get the tunnel up. I have attached the
>> ipsec.conf files for both the FreeSWAN gateway and for my windows XP
>> client. The error that I am seeing on the gateway is as follows:
>>
>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: responding to Main Mode
>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: policy does not allow OAKLEY_RSA_SIG authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: policy does not allow OAKLEY_RSA_SIG authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: no acceptable Oakley Transform
>> Dec 26 17:14:28 sapphire pluto[12474]: "aeronet" #50: responding to Main Mode
>> Dec 26 17:14:28 sapphire pluto[12474]: "aeronet" #50: policy does not allow OAKLEY_RSA_SIG authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
>>
>> Thanks in advance for any help I can get.
>>
>> -Patrick
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>>
>> # More elaborate and more varied sample configurations can be found
>> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
>>
>>
>>
>> # basic configuration
>> config setup
>>     # THIS SETTING MUST BE CORRECT or almost nothing will work;
>>     # %defaultroute is okay for most simple cases.
>>     # interfaces=%defaultroute
>>     interfaces="ipsec0=eth0 ipsec1=eth1"
>>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>>     klipsdebug=all
>>     plutodebug=all
>>     # Use auto= parameters in conn descriptions to control startup actions.
>>     plutoload=%search
>>     plutostart=%search
>>     plutowait=no
>>     # Close down old connection when new one using same ID shows up.
>>     uniqueids=yes
>>
>> conn aerocast
>>     left=68.99.179.107
>>     leftnexthop=68.99.176.1
>>     leftsubnet=192.168.255.0/24
>>     right=64.157.41.125
>>     rightnexthop=64.157.40.6
>>     rightsubnet=10.10.0.0/16
>>     auto=start
>>     pfs=yes
>>     esp=3des-sha1-96
>>     keyexchange=ike
>>     auth=esp
>>     disablearrivalcheck=no
>>     keyingtries=0
>>     keylife=24h
>>
>> conn level3
>>     left=68.99.179.107
>>     leftnexthop=68.99.176.1
>>     leftsubnet=192.168.255.0/24
>>     right=64.157.41.177
>>     rightnexthop=64.157.40.6
>>     rightsubnet=172.16.0.0/24
>>     auto=start
>>     pfs=yes
>>     esp=3des-sha1-96
>>     keyexchange=ike
>>     auth=esp
>>     disablearrivalcheck=no
>>     keyingtries=0
>>     keylife=24h
>>
>> #conn roadwarrior-net
>> # leftsubnet=192.168.255.0/24
>> # also=roadwarrior
>>
>> #conn roadwarrior
>> # left=68.99.179.107
>> # leftcert=sapphire.pem
>> # right=%defaultroute
>> # rightcert=clk430.pem
>> # auto=add
>> # pfs=yes
>>
>> conn aeronet
>>     left=192.168.255.254
>>     leftsubnet=192.168.255.0/24
>>     leftcert=sapphire.pem
>>     right=192.168.255.250
>>     rightcert=clk430.pem
>>     auto=add
>>     pfs=yes
>>
>>
>> ------------------------------------------------------------------------
>>
>> #conn roadwarrior
>> # left=%any
>> # right=68.99.179.107
>> # rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>> # network=auto
>> # auto=start
>> # pfs=yes
>>
>> #conn roadwarrior-net
>> # left=%any
>> # right=68.99.179.107
>> # rightsubnet=192.168.255.0/24
>> # rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>> # network=auto
>> # auto=start
>> # pfs=yes
>>
>> conn roadwarrior-allnet
>>     left=%any
>>     right=192.168.255.254
>>     rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>     rightsubnet=*
>>     network=auto
>>     auto=start
>>     pfs=yes
>
>
> ======================================================================
> Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
> strongSec GmbH phone: +41 76 340 25 56
> Alter Zürichweg 20 home: http://www.strongsec.com
> CH-8952 Schlieren (Switzerland)
> ==========================================[strong internet security]==

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
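
The mismatch Andreas points out can be checked mechanically. The following is an added example, not part of the original thread or of FreeS/WAN: a small Python audit that flags conn sections which set leftcert/rightcert while their effective authby is not rsasig. The authby=secret default is taken from the reply above; the function names, the `aeronet-fixed` conn and the sample text are constructed for illustration.

```python
import re

CERT_KEYS = {"leftcert", "rightcert"}

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"(conn|config)\s+(\S+)$", line)
        if header:
            # Only 'conn' sections are connections; 'config setup' is skipped.
            is_conn = header.group(1) == "conn"
            current = conns.setdefault(header.group(2), {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def audit_authby(text):
    """Return [(conn, effective authby)] for cert conns not using rsasig."""
    conns = parse_conns(text)
    default = conns.pop("%default", {})   # 'conn %default' is inherited by all
    findings = []
    for name, params in conns.items():
        effective = {**default, **params}
        # Assumption taken from the reply above: no authby means authby=secret.
        authby = effective.get("authby", "secret")
        if CERT_KEYS & effective.keys() and authby != "rsasig":
            findings.append((name, authby))
    return findings

# Constructed sample: the posted 'aeronet' conn, plus a corrected copy.
SAMPLE = """\
conn aeronet
    leftcert=sapphire.pem
    rightcert=clk430.pem

conn aeronet-fixed
    leftcert=sapphire.pem
    rightcert=clk430.pem
    authby=rsasig
"""

if __name__ == "__main__":
    for name, authby in audit_authby(SAMPLE):
        print(f"{name}: certificates set but authby={authby}; RSA signature proposals will be refused")
```

Commented-out conns are ignored, and a conn that inherits authby=rsasig from `conn %default` is not flagged.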


