
Re: IPSec WinXP interop



On Thu, Dec 25, 2003 at 04:18:39PM +0100, Valentin Vidic wrote:
> On Wed, Dec 24, 2003 at 12:49:31AM +0000, Antony Gelberg wrote:
> > My first post here - long time d-u subscriber.  I'm trying to set up a
> > VPN where WinXP roadwarriors can access a LAN that sits behind a Linux
> > router.  I want to use X.509 certificates rather than PSKs.
> 
>   I managed to set up a VPN dial-up connection from Windows Dial-up
> Networking to Debian running superfreeswan and l2tpd - so it is
> possible to do this (although not too easy). I used l2tpd 0.69-7jdl and
> freeswan 1.99.8.
> 
> > When I try to log in, I get "Error 792: The L2TP connection attempt
> > failed because security negotiation timed out."  I don't get any
> > "verifying username..." message.
> 
>   As usual this doesn't tell much. Error messages on the Linux side are
> a lot better. Also try monitoring the traffic with tcpdump on different
> interfaces (depending on the part of connection you managed to get
> working you should either monitor eth0, ipsec0 or ppp0). Try checking
> /var/log/auth.log for IPSec messages. A successful connection looks

Aha.  That's the logfile that I was looking for - what a help.
I've snipped some relevant stuff, and put comments inline.  If you have
any ideas I'd be interested:

Dec 26 00:09:44 mailhost ipsec__plutorun: Starting Pluto subsystem...
Dec 26 00:09:44 mailhost Pluto[4416]: Starting Pluto (FreeS/WAN Version
1.96)
Dec 26 00:09:44 mailhost Pluto[4416]:   including X.509 patch (Version
0.9.9)
Dec 26 00:09:44 mailhost Pluto[4416]: Changing to directory
'/etc/ipsec.d/cacerts'
Dec 26 00:09:44 mailhost Pluto[4416]:   loaded cacert file 'cacert.pem'
(1647 bytes)
Dec 26 00:09:44 mailhost Pluto[4416]: Changing to directory
'/etc/ipsec.d/crls'
Dec 26 00:09:44 mailhost Pluto[4416]:   loaded crl file 'crl.pem' (694
bytes)
Dec 26 00:09:44 mailhost Pluto[4416]:   loaded my X.509 cert file
'/etc/x509cert.der' (700 bytes)
Dec 26 00:09:44 mailhost Pluto[4416]: | from whack: got --esp=3des
Dec 26 00:09:44 mailhost Pluto[4416]:   loaded host cert file
'/etc/ipsec.d/mailhostCert.pem' (5049 bytes)
Dec 26 00:09:44 mailhost Pluto[4416]: added connection description
"mailhost-rw"
Dec 26 00:09:44 mailhost Pluto[4416]: listening for IKE messages
Dec 26 00:09:44 mailhost Pluto[4416]: adding interface ipsec0/eth1
195.54.235.74
Dec 26 00:09:44 mailhost Pluto[4416]: loading secrets from
"/etc/ipsec.secrets"
Dec 26 00:09:44 mailhost Pluto[4416]:   loaded private key file
'/etc/ipsec.d/private/mailhostKey.pem' (1751 bytes)
Dec 26 00:09:44 mailhost Pluto[4416]:   file coded in unknown format,
discarded
Dec 26 00:09:44 mailhost Pluto[4416]: "/etc/ipsec.secrets" line 1: error
loading RSA private key file

The above two lines don't look too good.  I assume that it means that
/etc/ipsec.secrets is ok, and that there is a problem with
/etc/ipsec.d/private/mailhostKey.pem?

mailhost:~# cat /etc/ipsec.secrets
: RSA /etc/ipsec.d/private/mailhostKey.pem "xxx"

Note that the xxx is really the "export password" that I gave when I
generated the key.

Dec 26 00:10:04 mailhost Pluto[4416]: packet from 82.68.107.174:500:
ignoring Vendor ID payload
Dec 26 00:10:04 mailhost Pluto[4416]: "mailhost-rw" 82.68.107.174 #1:
responding to Main Mode from unknown peer 82.68.107.174
Dec 26 00:10:05 mailhost Pluto[4416]: "mailhost-rw" 82.68.107.174 #1:
Peer ID is ID_DER_ASN1_DN: 'C=UK, ST=Some-State, L=London, O=British
WIZO, CN=British WIZO, E=administrator@britishwizo.org.uk'
Dec 26 00:10:05 mailhost Pluto[4416]: "mailhost-rw" 82.68.107.174 #1: no
suitable connection for peer 'C=UK, ST=Some-State, L=London, O=British
WIZO, CN=British WIZO, E=administrator@britishwizo.org.uk'

I guess that the "no suitable connection" is because of the above
problem?

A
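A pre-flight check for the situation in the log above, added here and not part of the original thread: it parses the `: RSA <file> "passphrase"` entries of ipsec.secrets and looks at the PEM label and headers of each referenced key file, so a "file coded in unknown format, discarded" complaint from Pluto can be narrowed down before touching the connection definition. The key contents and the second secrets entry are constructed samples, and the rule that Pluto of that era accepts only the traditional "RSA PRIVATE KEY" (PKCS#1) PEM form, optionally DEK-Info encrypted, is an assumption about the FreeS/WAN 1.96 X.509 patch, stated again in the comments.

```python
import re

# Constructed sample of /etc/ipsec.secrets, same line shape as in the thread.
SECRETS_SAMPLE = """\
: RSA /etc/ipsec.d/private/mailhostKey.pem "xxx"
: RSA /etc/ipsec.d/private/otherKey.pem
"""

# Constructed key files: only the PEM labels/headers matter, bodies are dummies.
KEY_FILES = {
    "/etc/ipsec.d/private/mailhostKey.pem":
        "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIBdummy\n-----END ENCRYPTED PRIVATE KEY-----\n",
    "/etc/ipsec.d/private/otherKey.pem":
        "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIICdummy\n-----END RSA PRIVATE KEY-----\n",
}

# '<selectors>: RSA <file> ["passphrase"]' is the RSA-file form of an ipsec.secrets entry.
SECRET_RE = re.compile(r'^[^:#]*:\s*RSA\s+(?P<path>\S+)(?:\s+"(?P<pw>[^"]*)")?\s*$')
LABEL_RE = re.compile(r'^-----BEGIN ([A-Z0-9 ]+)-----$', re.M)

def parse_secrets(text):
    """Return [(key_path, passphrase_or_None)] for every RSA-file entry."""
    out = []
    for line in text.splitlines():
        m = SECRET_RE.match(line)
        if m:
            out.append((m.group('path'), m.group('pw')))
    return out

def inspect_key(pem, passphrase):
    """Classify a key file as the old Pluto loader would see it. Assumption: it
    reads only the traditional 'RSA PRIVATE KEY' PEM (PKCS#1), optionally
    DEK-Info encrypted, and rejects PKCS#8 labels."""
    m = LABEL_RE.search(pem)
    if not m:
        return {'label': None, 'ok': False, 'why': 'no PEM header (DER or garbage?)'}
    label = m.group(1)
    if label != 'RSA PRIVATE KEY':
        # 'PRIVATE KEY' / 'ENCRYPTED PRIVATE KEY' is PKCS#8, the form openssl pkcs12
        # -nocerts emits; 'openssl rsa -in old.pem -out new.pem' rewrites it as PKCS#1.
        return {'label': label, 'ok': False, 'why': 'not PKCS#1; convert with openssl rsa'}
    encrypted = 'DEK-Info:' in pem
    if encrypted and not passphrase:
        return {'label': label, 'ok': False, 'why': 'encrypted key but no passphrase in ipsec.secrets'}
    return {'label': label, 'ok': True, 'why': 'encrypted' if encrypted else 'cleartext'}

def check_secrets(secrets_text, files):
    """Run inspect_key over every entry; files maps path -> PEM text."""
    return {p: inspect_key(files.get(p, ''), pw) for p, pw in parse_secrets(secrets_text)}
```

On a real host, replace KEY_FILES with the contents read from the paths parse_secrets returns.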
