From: Sam Sgro (sam_at_freeswan.org)
Date: Mon Jan 13 2003 - 08:27:09 CET
-----BEGIN PGP SIGNED MESSAGE-----
On Sun, 12 Jan 2003, Alessandro wrote:
> Hi again, this morning I've done some test with my freeswan server and
> win2000 client putting leftnexthop=%direct, now the error reported is
> different, it says:
>
> - encrypted Informational Exchange message is invalid because it is for
> incomplete ISAKMP SA
>
> ..reading the old post I power on oakley in registry windows and I saw that
> the problem now is certificate windows client! What can I do?...any
> suggest?...below is my barf(update) and oakley output
First off, you've got a problem with your duplication of the "leftnexthop"
variable here:
> conn roadwarrior-net
> leftsubnet=10.23.5.0/24
> leftnexthop=%direct
> also=roadwarrior
>
> conn roadwarrior
> right=%any
> left=10.23.5.243
> leftnexthop=%direct
The "also"'d roadwarrior conn already contains a "leftnexthop" assignment;
thus, the error reported here:
> Jan 12 10:33:10 proxy ipsec__plutorun: ipsec_auto: fatal error in
> "roadwarrior-net": (/etc/ipsec.conf, line 70) duplicated parameter
> "leftnexthop"
You've got a problem with rp_filter:
> gen 12 10:33:09 proxy ipsec_setup: WARNING: eth0 has route filtering turned
> on, KLIPS may not work
> gen 12 10:33:09 proxy ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter
> = `1', should be 0)
> all/rp_filter:0
> default/rp_filter:1
> eth0/rp_filter:1
> eth1/rp_filter:1
> ipsec0/rp_filter:1
> lo/rp_filter:1
Do as the message says.
Lastly, I don't know what you are attempting to do with your
"leftsubnet=10.23.5.0/24" setting in your roadwarrior-net connection. What
point is there to protecting the subnet your roadwarrior actually lies on?
From your barf, perhaps you are aiming for that gateway to protect communications
to the 192.168.20.0/24 subnet behind it on eth1. In that case, you should be
setting the leftsubnet variable appropriately.
> 1-12: 11:16:26:6b8 IKE non è riuscito a trovare un certificato di computer
> valido
This is in Italian, but I presume it means something to the effect of "we
can't find a valid certificate for this computer" - you have a certificate
problem. One common cause of this is the "rightca" setting in win2k's
ipsec.conf; you may not have the proper certificate attributes listed.
You may get this message with errors in CA/certificate expiration times:
http://marc.theaimsgroup.com/?l=openssl-users&m=96865551926104&w=2
If you need more tips, read Nate Carlson's walkthrough:
http://www.natecarlson.com/linux/ipsec-x509.php
--
Sam Sgro
sam_at_freeswan.org
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.
iQCVAwUBPiJqT0OSC4btEQUtAQHv+gP9GHaYpxhEF9ezhke5rn2knrcsfoRxFkmx
5zHTsSdnq7SHc6ptDVchE1xz4Va78Z3ekXNbTNrMJm2RKGq1XFcuwy/oduWTkAwP
0WcCrzVMyB+GSQxZop5ceimNFIuVHizoKC025e45V/n4Uo3QrxFQtJRsUYuLMz3i
jhukXpfq2AI=
=knCq
-----END PGP SIGNATURE-----
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
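The two configuration problems Sam points out (a parameter duplicated through an "also=" section, and a leftsubnet that contains the gateway's own left address) and the rp_filter warning from barf can all be caught before running "ipsec auto". The following is an added example, not code from the thread or from FreeS/WAN itself: a small offline linter that expands "also=" the way the error message implies (a parameter ending up twice in one conn is fatal), flags a leftsubnet that contains left, and lists the interfaces whose rp_filter is still 1 in the barf output. The sample ipsec.conf and rp_filter lines are constructed to mirror the thread; the implicit "conn %default" merge of the real parser is left out.

```python
"""Offline lint for a FreeS/WAN-style ipsec.conf and the rp_filter lines of `ipsec barf`.

Added example for this thread; SAMPLE_CONF and SAMPLE_RPFILTER are constructed
to mirror the poster's config, they are not the poster's real files.
"""
import ipaddress

SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn roadwarrior-net
    leftsubnet=10.23.5.0/24
    leftnexthop=%direct
    also=roadwarrior

conn roadwarrior
    right=%any
    left=10.23.5.243
    leftnexthop=%direct
"""

# Same config with the duplicated leftnexthop removed from roadwarrior-net.
FIXED_DUP_CONF = SAMPLE_CONF.replace("    leftnexthop=%direct\n    also", "    also")

# And with leftsubnet naming the subnet behind the gateway (192.168.20.0/24 in the thread).
GOOD_CONF = FIXED_DUP_CONF.replace("leftsubnet=10.23.5.0/24", "leftsubnet=192.168.20.0/24")

SAMPLE_RPFILTER = """\
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
ipsec0/rp_filter:1
lo/rp_filter:1
"""


def parse_sections(text):
    """Map 'conn NAME' / 'config setup' to a list of (key, value, lineno)."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                 # an unindented line starts a section
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = []
            continue
        if current is None:
            raise ValueError(f"line {lineno}: parameter outside any section")
        key, _, value = line.strip().partition("=")
        sections[current].append((key.strip(), value.strip(), lineno))
    return sections


def expand_conn(sections, name, seen=frozenset()):
    """Flatten a conn by following also=. A parameter that ends up in the merged
    section twice is fatal, mirroring pluto's 'duplicated parameter' error."""
    if name in seen:
        raise ValueError(f"also= loop through {name}")
    seen = seen | {name}
    merged = {}                                   # key -> (value, lineno)
    for key, value, lineno in sections[name]:
        items = [(key, value, lineno)]
        if key == "also":                         # pull in the named conn's parameters
            other = f"conn {value}"
            if other not in sections:
                raise ValueError(f"line {lineno}: also={value} names an unknown conn")
            items = [(k, v, ln) for k, (v, ln) in expand_conn(sections, other, seen).items()]
        for k, v, ln in items:
            if k in merged:
                raise ValueError(f'line {ln}: duplicated parameter "{k}"')
            merged[k] = (v, ln)
    return merged


def lint(conf_text):
    """Return human-readable findings for every conn in conf_text."""
    sections = parse_sections(conf_text)
    findings = []
    for name in sections:
        if not name.startswith("conn "):
            continue
        try:
            params = expand_conn(sections, name)
        except ValueError as err:
            findings.append(f"{name}: {err}")
            continue
        left = params.get("left", ("", 0))[0]
        subnet = params.get("leftsubnet", ("", 0))[0]
        if left and subnet and not left.startswith("%"):  # skip %any / %defaultroute
            try:
                inside = ipaddress.ip_address(left) in ipaddress.ip_network(subnet, strict=False)
            except ValueError:
                inside = False
            if inside:
                findings.append(f"{name}: leftsubnet {subnet} contains left={left}; "
                                "name the subnet behind the gateway instead")
    return findings


def rp_filter_on(barf_text):
    """Interfaces whose rp_filter is non-zero in barf's 'IFACE/rp_filter:N' lines.
    The setup script wants 0 on the interfaces KLIPS uses, so each entry here is a
    sysctl (or /proc/sys/net/ipv4/conf/IFACE/rp_filter) still to be changed."""
    bad = []
    for line in barf_text.splitlines():
        head, sep, val = line.strip().partition(":")
        if sep and head.endswith("/rp_filter") and val.strip() != "0":
            bad.append(head[: -len("/rp_filter")])
    return bad


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF),
                        ("duplicate removed", FIXED_DUP_CONF),
                        ("leftsubnet fixed", GOOD_CONF)):
        print(f"{label}: {lint(conf) or ['no findings']}")
    print("rp_filter still on for:", rp_filter_on(SAMPLE_RPFILTER))
```

Run as-is, the first pass reports only the duplicated "leftnexthop" for roadwarrior-net (expansion stops at the fatal error, as pluto does); removing the duplicate exposes the leftsubnet-contains-left issue, and only the third config comes back clean. The rp_filter list is every interface in the barf excerpt except "all".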
This archive was generated by hypermail 2.1.5 : Tue Jan 14 2003 - 05:21:14 CET