Hi,
I have trouble configuring the Windows 2000 client to talk to the FreeS/WAN IPsec server via an ipfilter firewall.
I have no problems with the above setup excluding the ipfilter/ipnat rules.


I am using ipfilter version 3.4.30 on Solaris 9 and FreeS/WAN IPsec v1.98b on Linux 7.2, kernel 2.4.20.
The client is Windows 2000 and uses PSK for authentication.

This is a part of the log file; the error I get is "no suitable connection for peer '192.168.2.238'".

May 19 15:19:44 vpnserver ipsec__plutorun: Starting Pluto subsystem...
May 19 15:19:44 vpnserver pluto[9440]: Starting Pluto (FreeS/WAN Version 1.98b)
May 19 15:19:44 vpnserver pluto[9440]:   including X.509 patch (Version 0.9.14)
May 19 15:19:44 vpnserver pluto[9440]: Changing to directory '/etc/ipsec.d/cacerts'
May 19 15:19:44 vpnserver pluto[9440]:   loaded cacert file 'cacert.pem' (1578 bytes)
May 19 15:19:44 vpnserver pluto[9440]: Changing to directory '/etc/ipsec.d/crls'
May 19 15:19:44 vpnserver pluto[9440]:   loaded crl file 'crl.pem' (674 bytes)
May 19 15:19:44 vpnserver pluto[9440]:   could not open my default X.509 cert file '/etc/x509cert.der'
May 19 15:19:44 vpnserver pluto[9440]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
May 19 15:19:44 vpnserver pluto[9440]: added connection description "solarisPSK"
May 19 15:19:44 vpnserver pluto[9440]: added connection description "win2kPKS"
May 19 15:19:44 vpnserver pluto[9440]: added connection description "solarisPSK2"
May 19 15:19:44 vpnserver pluto[9440]: listening for IKE messages
May 19 15:19:44 vpnserver pluto[9440]: adding interface ipsec0/eth0 172.18.0.34
May 19 15:19:44 vpnserver pluto[9440]: loading secrets from "/etc/ipsec.secrets"
May 19 15:19:51 vpnserver pluto[9440]: packet from 172.18.0.254:500: ignoring Vendor ID payload
May 19 15:19:51 vpnserver pluto[9440]: "solarisPSK" #1: responding to Main Mode
May 19 15:19:51 vpnserver pluto[9440]: "solarisPSK" #1: Peer ID is ID_IPV4_ADDR: '192.168.2.238'
May 19 15:19:51 vpnserver pluto[9440]: "solarisPSK" #1: no suitable connection for peer '192.168.2.238'
<the last two messages keep repeating when I ping>


This is my current setup:

**********************
client ----------- IPFilter firewall ----------- FreeS/WAN VPN server -----------| 192.168.1.x series
<via dhcp>         int if         ext if         ext if         int if          | (vpn subnet)
192.168.2.238      192.168.2.254  172.18.0.254   172.18.0.34    192.168.1.34
***********************
 
 
I have clients which get IPs allocated from the DHCP server in the 192.168.2.x series.

The ipf.conf rules pass all traffic for the client.

The ipnat.conf rules specific to IPsec are:
        map hme0 192.168.2.0/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp
        rdr hme0 0.0.0.0/32 port 0 -> 192.168.2.238 port 0 esp


On the Linux FreeS/WAN server, the configuration is as follows:

The ipsec.conf looks like this, where 172.18.0.1 is the gateway for the 172.18.0.x series machines:

conn solarisPSK
        auto=add
        authby=secret
        keyexchange=ike
        keylife=1h
        left=172.18.0.254
        leftsubnet=192.168.2.0/24
        leftnexthop=172.18.0.1 
        right=172.18.0.34
        rightsubnet=192.168.1.0/24
        rightnexthop=172.18.0.1
        pfs=no
        keyingtries=0

conn clientPSK
        auto=add
        authby=secret
        keyexchange=ike
        keylife=1h
        left=192.168.2.238
        leftnexthop=172.18.0.254
        right=172.18.0.34
        rightsubnet=192.168.1.0/24
        rightnexthop=172.18.0.1
        pfs=no
        keyingtries=0

The ipsec.secrets file has the following entries:

# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
172.18.0.34 172.18.0.254: PSK "xyzxyz"
172.18.0.34 192.168.2.238: PSK "xyzxyz"

Please let me know what I have done wrong in the configuration.

Regards,
sathvanth
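The log above shows two facts side by side: the IKE packet arrives from 172.18.0.254 (the firewall's external address, after the ipnat map rule), while the ID payload the client sends names 192.168.2.238 (its real address). The following script is an added example, not part of the post and not FreeS/WAN's own code; it is a simplified model of how a Pluto Main Mode responder first picks a conn by the packet's source address and then checks the announced peer ID against that conn's expected ID (the end's address unless a leftid/rightid is set). It parses the conn definitions and log lines quoted in the post, which are embedded as constructed input, and reports which conn matched on which criterion. The two-stage lookup and the default-ID rule are reconstructed from Pluto's documented behaviour and are an approximation.

```python
"""Model of a Main Mode responder's conn lookup, reconstructed from the post's
log and config (added example; not Pluto's actual code)."""
import re

# Constructed input: the two conns quoted in the post (only the host-related keys).
IPSEC_CONF = """\
conn solarisPSK
        left=172.18.0.254
        leftsubnet=192.168.2.0/24
        leftnexthop=172.18.0.1
        right=172.18.0.34
        rightsubnet=192.168.1.0/24

conn clientPSK
        left=192.168.2.238
        leftnexthop=172.18.0.254
        right=172.18.0.34
        rightsubnet=192.168.1.0/24
"""

# Constructed input: the three Pluto log lines from the post that matter here.
PLUTO_LOG = [
    "pluto[9440]: packet from 172.18.0.254:500: ignoring Vendor ID payload",
    'pluto[9440]: "solarisPSK" #1: responding to Main Mode',
    "pluto[9440]: \"solarisPSK\" #1: Peer ID is ID_IPV4_ADDR: '192.168.2.238'",
]

MY_ADDR = "172.18.0.34"  # the VPN server's own IKE address (ipsec0/eth0 in the log)


def parse_conns(text):
    """Parse 'conn NAME' blocks with indented key=value lines into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def peer_of(conn, my_addr):
    """Return (peer_addr, expected_peer_id) for the end of the conn that is not us.

    Assumption (matches Pluto's default): without leftid/rightid, an end's ID is its address.
    """
    side = "right" if conn.get("left") == my_addr else "left"
    addr = conn.get(side)
    return addr, conn.get(side + "id", addr)


def parse_exchange(lines):
    """Extract the IKE source address and the announced peer ID from Pluto log lines."""
    src = peer_id = None
    for line in lines:
        m = re.search(r"packet from (\d+\.\d+\.\d+\.\d+):500", line)
        if m:
            src = m.group(1)
        m = re.search(r"Peer ID is ID_IPV4_ADDR: '([^']+)'", line)
        if m:
            peer_id = m.group(1)
    return src, peer_id


def find_suitable(conns, my_addr, src, peer_id):
    """Two-stage lookup: conns whose peer address is the packet source, then those
    whose expected peer ID equals the ID payload; a conn must satisfy both."""
    by_addr = [n for n, c in conns.items() if peer_of(c, my_addr)[0] == src]
    by_id = [n for n, c in conns.items() if peer_of(c, my_addr)[1] == peer_id]
    return {"by_address": by_addr, "by_id": by_id,
            "suitable": [n for n in by_addr if n in by_id]}


def diagnose(conf_text, log_lines, my_addr):
    """Return a one-line verdict explaining why a conn was or was not selected."""
    src, peer_id = parse_exchange(log_lines)
    r = find_suitable(parse_conns(conf_text), my_addr, src, peer_id)
    if r["suitable"]:
        return "suitable connection: " + ", ".join(r["suitable"])
    return (f"no suitable connection for peer '{peer_id}': packet came from {src} "
            f"(address match: {r['by_address'] or 'none'}), but the ID matches "
            f"{r['by_id'] or 'none'}; no single conn satisfies both")


if __name__ == "__main__":
    print(diagnose(IPSEC_CONF, PLUTO_LOG, MY_ADDR))
```

Run as-is, the verdict reproduces the log: solarisPSK is chosen by address (its peer is 172.18.0.254) but expects that address as the ID, while clientPSK expects the ID 192.168.2.238 but only from packets sourced at 192.168.2.238. The model also accepts leftid/rightid keys, so it can be used to check how a changed conn definition would pair with the same log lines before touching the server.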



