From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Thu Dec 26 2002 - 22:05:50 CET
Now Windows XP has a problem. You defined
>>> rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire,
>>> Email=ptopping_at_pobox.com"
in the Windows ipsec.conf but Microsoft wants
S=California
Regards
Andreas
Patrick Topping wrote:
> Thanks Andreas. I have added the authby=rsasig and now I am getting the
> following error:
>
>> Dec 26 19:47:34 sapphire pluto[14065]: "aeronet" #5: responding to
>> Main Mode
>> Dec 26 19:47:34 sapphire pluto[14065]: "aeronet" #5: encrypted
>> Informational Exchange message is invalid because it is for incomplete
>> ISAKMP SA
>> Dec 26 19:47:44 sapphire pluto[14065]: | handling event
>> EVENT_RETRANSMIT for 192.168.255.250 "aeronet" #5
>> Dec 26 19:48:04 sapphire pluto[14065]: | handling event
>> EVENT_RETRANSMIT for 192.168.255.250 "aeronet" #5
>
>
>
> At least it is some new...:-)
>
> -Patrick
>
>
>
> Andreas Steffen wrote:
>
>> The entry
>>
>> authby=rsasig
>>
>> is missing in your FreeS/WAN ipsec.conf. Therefore authby=secret is
>> assumed by default, leading to the error below.
>>
>> Regards
>>
>> Andreas
>>
>> Patrick Topping wrote:
>>
>>> With attachments this time......:-)
>>>
>>> I have read through and done step by step what is on Nate Carlson's
>>> web page and I still cannot get the tunnel up. I have attached the
>>> ipsec.conf files for both the FreeSWAN gateway and for my Windows XP
>>> client. The error that I am seeing on the gateway is as follows:
>>>
>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: responding to
>>> Main Mode
>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: policy does not
>>> allow OAKLEY_RSA_SIG authentication. Attribute
>>> OAKLEY_AUTHENTICATION_METHOD
>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: policy does not
>>> allow OAKLEY_RSA_SIG authentication. Attribute
>>> OAKLEY_AUTHENTICATION_METHOD
>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: OAKLEY_DES_CBC
>>> is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: OAKLEY_DES_CBC
>>> is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: no acceptable
>>> Oakley Transform
>>> Dec 26 17:14:28 sapphire pluto[12474]: "aeronet" #50: responding to
>>> Main Mode
>>> Dec 26 17:14:28 sapphire pluto[12474]: "aeronet" #50: policy does not
>>> allow OAKLEY_RSA_SIG authentication. Attribute
>>> OAKLEY_AUTHENTICATION_METHOD
>>>
>>> Thanks in advance for any help I can get.
>>>
>>> -Patrick
>>>
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>>>
>>> # More elaborate and more varied sample configurations can be found
>>> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
>>>
>>>
>>>
>>> # basic configuration
>>> config setup
>>>     # THIS SETTING MUST BE CORRECT or almost nothing will work;
>>>     # %defaultroute is okay for most simple cases.
>>>     # interfaces=%defaultroute
>>>     interfaces="ipsec0=eth0 ipsec1=eth1"
>>>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>>>     klipsdebug=all
>>>     plutodebug=all
>>>     # Use auto= parameters in conn descriptions to control startup actions.
>>>     plutoload=%search
>>>     plutostart=%search
>>>     plutowait=no
>>>     # Close down old connection when new one using same ID shows up.
>>>     uniqueids=yes
>>>
>>> conn aerocast
>>>     left=68.99.179.107
>>>     leftnexthop=68.99.176.1
>>>     leftsubnet=192.168.255.0/24
>>>     right=64.157.41.125
>>>     rightnexthop=64.157.40.6
>>>     rightsubnet=10.10.0.0/16
>>>     auto=start
>>>     pfs=yes
>>>     esp=3des-sha1-96
>>>     keyexchange=ike
>>>     auth=esp
>>>     disablearrivalcheck=no
>>>     keyingtries=0
>>>     keylife=24h
>>>
>>> conn level3
>>>     left=68.99.179.107
>>>     leftnexthop=68.99.176.1
>>>     leftsubnet=192.168.255.0/24
>>>     right=64.157.41.177
>>>     rightnexthop=64.157.40.6
>>>     rightsubnet=172.16.0.0/24
>>>     auto=start
>>>     pfs=yes
>>>     esp=3des-sha1-96
>>>     keyexchange=ike
>>>     auth=esp
>>>     disablearrivalcheck=no
>>>     keyingtries=0
>>>     keylife=24h
>>>
>>> #conn roadwarrior-net
>>> #    leftsubnet=192.168.255.0/24
>>> #    also=roadwarrior
>>>
>>> #conn roadwarrior
>>> #    left=68.99.179.107
>>> #    leftcert=sapphire.pem
>>> #    right=%defaultroute
>>> #    rightcert=clk430.pem
>>> #    auto=add
>>> #    pfs=yes
>>>
>>> conn aeronet
>>>     left=192.168.255.254
>>>     leftsubnet=192.168.255.0/24
>>>     leftcert=sapphire.pem
>>>     right=192.168.255.250
>>>     rightcert=clk430.pem
>>>     auto=add
>>>     pfs=yes
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> #conn roadwarrior
>>> #    left=%any
>>> #    right=68.99.179.107
>>> #    rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>> #    network=auto
>>> #    auto=start
>>> #    pfs=yes
>>>
>>> #conn roadwarrior-net
>>> #    left=%any
>>> #    right=68.99.179.107
>>> #    rightsubnet=192.168.255.0/24
>>> #    rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>> #    network=auto
>>> #    auto=start
>>> #    pfs=yes
>>>
>>> conn roadwarrior-allnet
>>>     left=%any
>>>     right=192.168.255.254
>>>     rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>>     rightsubnet=*
>>>     network=auto
>>>     auto=start
>>>     pfs=yes
>>
>>
>>
>> ======================================================================
>> Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
>> strongSec GmbH phone: +41 76 340 25 56
>> Alter Zürichweg 20 home: http://www.strongsec.com
>> CH-8952 Schlieren (Switzerland)
>> ==========================================[strong internet security]==
--
======================================================================
Andreas Steffen                   e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                    phone:  +41 76 340 25 56
Alter Zürichweg 20                home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
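
The two fixes given in this thread (a certificate conn on the FreeS/WAN side needs authby=rsasig, and the Windows-side rightca DN needs S= rather than ST=) can be checked mechanically. The Python sketch below is an added example, not part of the original messages or of FreeS/WAN; the sample configs are constructed from the ones quoted above, and all function names are hypothetical.

```python
import re

# Constructed samples modelled on the two configs quoted in the thread.
GATEWAY_CONF = """\
conn aerocast
    left=68.99.179.107
    auto=start

conn aeronet
    leftcert=sapphire.pem
    rightcert=clk430.pem
    auto=add
"""
WINDOWS_CONF = """\
conn roadwarrior-allnet
    right=192.168.255.254
    rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire"
"""
ST_RE = re.compile(r"(^|,\s*)ST=")  # state attribute at the start of a DN component

def parse_conns(text):
    """Return {conn name: {key: value}}; also= and %default are not resolved."""
    conns, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not raw[0].isspace():  # an unindented line starts a new section
            kind, _, name = stripped.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in stripped:
            key, _, value = stripped.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns

def cert_conns_without_rsasig(text):
    """Certificate conns with no authby=rsasig (authby=secret is then assumed)."""
    return sorted(n for n, o in parse_conns(text).items()
                  if ("leftcert" in o or "rightcert" in o)
                  and o.get("authby", "secret") != "rsasig")

def rightca_with_st(text):
    """Conns whose rightca DN spells the state attribute ST= instead of S=."""
    return sorted(n for n, o in parse_conns(text).items()
                  if ST_RE.search(o.get("rightca", "")))

def to_windows_dn(dn):
    """Rewrite ST= to S= in a DN string, leaving every other component alone."""
    return ST_RE.sub(r"\1S=", dn)
```
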