
Re: [Users] IPSec WinXP interop



On Wed, Dec 31, 2003 at 04:04:39PM +0100, Reinhold Plew wrote:
> maybe you need this in your ipsec.conf to disable OE

Thanks to you and Andreas, that worked great.  I'm now getting this in
my /var/log/auth.log:
Jan  2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2:
Peer ID is ID_DER_ASN1_DN: 'C=UK, ST=UK, L=London, O=British WIZO,
OU=British WIZO, CN=British WIZO, E=administrator@britishwizo.org.uk'
Jan  2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2:
no suitable connection for peer 'C=UK, ST=UK, L=London, O=British WIZO,
OU=British WIZO, CN=British WIZO, E=administrator@britishwizo.org.uk'

Here's my current ipsec.conf (excluding the OE disable part):
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn mailhost-rw
        type=transport
        left=195.54.235.74
        leftcert=mailhostCert.pem
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        auto=add
        keyingtries=1
        pfs=no

I have tried generating a new CA, certificate, and key, but no joy.  I
must be very close now, but still no cigar.  This might be useful as
well:

mailhost:/usr/local/sslca# ipsec auto --status
000 interface ipsec0/eth1 195.54.235.74
000
000 debug none
000
000 "mailhost-rw": 195.54.235.74[C=UK, ST=UK, L=London, O=British WIZO,
OU=British WIZO, CN=British WIZO,
E=administrator@britishwizo.org.uk]:17/0...%any:17/1701
000 "mailhost-rw":   CAs: 'C=UK, ST=UK, L=London, O=British WIZO,
OU=British WIZO, CN=British WIZO,
E=administrator@britishwizo.org.uk'...'%any'
000 "mailhost-rw":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 1
000 "mailhost-rw":   policy: RSASIG+ENCRYPT; interface: eth1; unrouted
000 "mailhost-rw":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute
owner: #0
000 "mailhost-rw":   IKE algorithms wanted: 5_000-1-5, 5_000-2-5,
5_000-1-2, 5_000-2-2, flags=-strict
000 "mailhost-rw":   IKE algorithms found:  5_192-1_128-5,
5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
000 "mailhost-rw":   ESP algorithms wanted: 3_000-1, 3_000-2,
flags=-strict
000 "mailhost-rw":   ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000
000

If there is any more log info that would be useful, please let me know
what to post.

A
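An added diagnostic, not part of the original thread or of the FreeS/WAN project: it parses pluto's "Peer ID" and "no suitable connection for peer" lines together with the connection line of `ipsec auto --status`, and flags a rejected peer whose DN is identical to the responder's own certificate DN, which is what the output quoted above shows. The sample lines are the post's own, unwrapped to one line each; the log and status formats are assumed to be as shown there.

```python
import re

# Constructed sample: the two auth.log lines from the post, unwrapped to one
# line each as syslog writes them.
AUTH_LOG = (
    'Jan  2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: '
    "Peer ID is ID_DER_ASN1_DN: 'C=UK, ST=UK, L=London, O=British WIZO, "
    "OU=British WIZO, CN=British WIZO, E=administrator@britishwizo.org.uk'\n"
    'Jan  2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: '
    "no suitable connection for peer 'C=UK, ST=UK, L=London, O=British WIZO, "
    "OU=British WIZO, CN=British WIZO, E=administrator@britishwizo.org.uk'\n"
)
# Constructed sample: the connection line of `ipsec auto --status`, unwrapped.
STATUS = (
    '000 "mailhost-rw": 195.54.235.74[C=UK, ST=UK, L=London, O=British WIZO, '
    "OU=British WIZO, CN=British WIZO, E=administrator@britishwizo.org.uk]"
    ":17/0...%any:17/1701\n"
)
# Log line shape assumed from the post: pluto[pid]: "conn"[instance] ip #state: msg
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? '
                      r'(?P<ip>[\d.]+) #(?P<state>\d+): (?P<msg>.*)')
PEER_ID_RE = re.compile(r"Peer ID is (?P<kind>\S+): '(?P<dn>[^']*)'")
NO_CONN_RE = re.compile(r"no suitable connection for peer '(?P<dn>[^']*)'")
STATUS_RE = re.compile(r'^000 "(?P<conn>[^"]+)": [\d.]+\[(?P<dn>[^\]]*)\]', re.M)

def norm_dn(dn):
    """Canonical spacing so DNs that differ only in whitespace compare equal."""
    return ", ".join(p.strip() for p in dn.split(","))

def parse_pluto(log):
    """Return (conn, peer_ip, state, event, dn) for peer-ID and rejection lines."""
    events = []
    for line in log.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        if (p := PEER_ID_RE.match(m["msg"])):
            events.append((m["conn"], m["ip"], int(m["state"]), "peer_id", norm_dn(p["dn"])))
        elif (p := NO_CONN_RE.match(m["msg"])):
            events.append((m["conn"], m["ip"], int(m["state"]), "rejected", norm_dn(p["dn"])))
    return events

def left_ids(status):
    """Map connection name -> the responder's own (left) DN taken from --status."""
    return {m["conn"]: norm_dn(m["dn"]) for m in STATUS_RE.finditer(status)}

def diagnose(log, status):
    """For each rejected peer, report whether its DN equals our own left ID."""
    own = left_ids(status)
    return [{"conn": c, "peer": ip, "state": s, "dn": dn, "same_dn_as_left": own.get(c) == dn}
            for c, ip, s, ev, dn in parse_pluto(log) if ev == "rejected"]
```

A `same_dn_as_left` of True means the responder cannot tell the peer's certificate from its own by DN alone, which is worth checking before generating yet another CA and certificate set.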
