
Re: [Users] IPSec WinXP interop



Strange that the subject Distinguished Name (DN) of your mailhost
certificate seems to be identical to the DN of the CA.

Could you enable debugging by setting

   klipsdebug=none
   plutodebug=all

in ipsec.conf and then after you tried to start up the connection
generate a barf:

   ipsec barf > barf.txt

and mail it to me. Also the output of

   ipsec auto --listall

could be helpful.

Regards

Andreas

Antony Gelberg wrote:
On Wed, Dec 31, 2003 at 04:04:39PM +0100, Reinhold Plew wrote:

Maybe you need this in your ipsec.conf to disable OE


Thanks to you and Andreas, that worked great.  I'm now getting this in
my /var/log/auth.log:
Jan  2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2:
Peer ID is ID_DER_ASN1_DN: 'C=UK, ST=UK, L=London, O=British WIZO,
OU=British WIZO, CN=British WIZO, E=administrator@britishwizo.org.uk'
Jan  2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2:
no suitable connection for peer 'C=UK, ST=UK, L=London, O=British WIZO,
OU=British WIZO, CN=British WIZO, E=administrator@britishwizo.org.uk'

Here's my current ipsec.conf (excluding the OE disable part):
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn mailhost-rw
        type=transport
        left=195.54.235.74
        leftcert=mailhostCert.pem
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        auto=add
        keyingtries=1
        pfs=no

I have tried generating a new CA, certificate, and key, but no joy.  I
must be very close now, but still no cigar.  This might be useful as
well:

mailhost:/usr/local/sslca# ipsec auto --status
000 interface ipsec0/eth1 195.54.235.74
000
000 debug none
000
000 "mailhost-rw": 195.54.235.74[C=UK, ST=UK, L=London, O=British WIZO,
OU=British WIZO, CN=British WIZO,
E=administrator@britishwizo.org.uk]:17/0...%any:17/1701
000 "mailhost-rw":   CAs: 'C=UK, ST=UK, L=London, O=British WIZO,
OU=British WIZO, CN=British WIZO,
E=administrator@britishwizo.org.uk'...'%any'
000 "mailhost-rw":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 1
000 "mailhost-rw":   policy: RSASIG+ENCRYPT; interface: eth1; unrouted
000 "mailhost-rw":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute
owner: #0
000 "mailhost-rw":   IKE algorithms wanted: 5_000-1-5, 5_000-2-5,
5_000-1-2, 5_000-2-2, flags=-strict
000 "mailhost-rw":   IKE algorithms found:  5_192-1_128-5,
5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
000 "mailhost-rw":   ESP algorithms wanted: 3_000-1, 3_000-2,
flags=-strict
000 "mailhost-rw":   ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000
000

If there is any more log info that would be useful, please let me know
what to post.

A
_______________________________________________
FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr


--
=======================================================================
Andreas Steffen                   e-mail: andreas.steffen@strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
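Added example, not code from this thread or from FreeS/WAN: a small Python helper that pulls the peer DN out of pluto auth.log lines like the ones quoted above and compares it, RDN by RDN, with the connection's own left ID and CA DN as printed by `ipsec auto --status`. It flags the oddity Andreas points out, the peer DN being identical to the CA DN (and here also to the gateway's own ID). The embedded log lines and DN strings are constructed by re-joining the wrapped lines quoted in the thread.

```python
import re

# Constructed sample: the two wrapped auth.log lines from the thread, re-joined.
AUTH_LOG = [
    'Jan  2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: '
    "Peer ID is ID_DER_ASN1_DN: 'C=UK, ST=UK, L=London, O=British WIZO, "
    "OU=British WIZO, CN=British WIZO, E=administrator@britishwizo.org.uk'",
    'Jan  2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: '
    "no suitable connection for peer 'C=UK, ST=UK, L=London, O=British WIZO, "
    "OU=British WIZO, CN=British WIZO, E=administrator@britishwizo.org.uk'",
]
# DNs for the same connection as shown by "ipsec auto --status" (constructed from the thread).
LEFT_ID = ("C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, "
           "CN=British WIZO, E=administrator@britishwizo.org.uk")
CA_DN = LEFT_ID  # the status output lists the very same DN under "CAs:"

PEER_RE = re.compile(r"Peer ID is ID_DER_ASN1_DN: '([^']*)'")


def parse_dn(dn):
    """Split a printable DN into (attribute, value) pairs.
    Attribute names are upper-cased and values lower-cased so that
    cosmetic differences do not hide an identical identity.
    Escaped commas inside values are not handled (not needed here)."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip().lower()))
    return rdns


def same_dn(a, b):
    """True when both DNs carry the same RDNs in the same order."""
    return parse_dn(a) == parse_dn(b)


def peer_dns(lines):
    """Return every peer DN that pluto reported in the given log lines."""
    return [m.group(1) for line in lines for m in [PEER_RE.search(line)] if m]


def diagnose(lines, left_id, ca_dn):
    """Compare each reported peer DN with the gateway's own ID and CA DN.
    Returns a list of finding strings; an empty list means nothing odd."""
    findings = []
    for dn in peer_dns(lines):
        if same_dn(dn, ca_dn):
            findings.append("peer DN is identical to the CA DN")
        if same_dn(dn, left_id):
            findings.append("peer DN is identical to the gateway's own left ID")
    return findings
```

Run `diagnose(AUTH_LOG, LEFT_ID, CA_DN)` against the constructed sample to see both findings; point it at real auth.log lines and the DNs from your own status output to check a live setup.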
