Here is the ipsec.conf for the left box set up as CA:

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        pfs=yes
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        left=2.2.2.2
        leftcert=local.machine.crt
        leftrsasigkey=%cert
        leftsubnet=192.168.0.0/24
        leftnexthop=2.2.2.1

conn right.side-vpn
        authby=rsasig
        auto=start
        right=3.3.3.3
        rightcert=remote.machine.crt
        rightrsasigkey=%cert
        rightsubnet=192.168.1.0/24
        rightnexthop=3.3.3.1

and for the right box:

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        pfs=yes
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        left=3.3.3.3
        leftcert=local.machine.crt
        leftrsasigkey=%cert
        leftsubnet=192.168.1.0/24
        leftnexthop=3.3.3.1

conn right.side-vpn
        authby=rsasig
        auto=start
        right=2.2.2.2
        rightcert=remote.machine.crt
        rightrsasigkey=%cert
        rightsubnet=192.168.0.0/24
        rightnexthop=2.2.2.1
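The two files above are supposed to be exact mirrors of each other (every `left*` on one box equals the corresponding `right*` on the other), and with FreeS/WAN's `conn %default` inheritance that is easy to get subtly wrong. The following checker is an added example, not code from the original post or from FreeS/WAN: it parses the `conn` sections quoted above, folds `%default` into the tunnel conn, and reports any parameter where the right box is not the left/right mirror of the left box. The `keyingtries` warning is an assumption about what a practitioner would want flagged, not something the post states.

```python
"""Mirror-check two FreeS/WAN ipsec.conf files for one site-to-site tunnel.

Added example, not code from the original post. It parses the conn sections
quoted above and checks that box B is the left/right mirror of box A.
"""

# Sample input: the conn sections from the post (the 'config setup' part
# carries no per-tunnel parameters and is omitted here).
LEFT_BOX_CONF = """\
conn %default
        pfs=yes
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        left=2.2.2.2
        leftcert=local.machine.crt
        leftrsasigkey=%cert
        leftsubnet=192.168.0.0/24
        leftnexthop=2.2.2.1

conn right.side-vpn
        authby=rsasig
        auto=start
        right=3.3.3.3
        rightcert=remote.machine.crt
        rightrsasigkey=%cert
        rightsubnet=192.168.1.0/24
        rightnexthop=3.3.3.1
"""

RIGHT_BOX_CONF = """\
conn %default
        pfs=yes
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        left=3.3.3.3
        leftcert=local.machine.crt
        leftrsasigkey=%cert
        leftsubnet=192.168.1.0/24
        leftnexthop=3.3.3.1

conn right.side-vpn
        authby=rsasig
        auto=start
        right=2.2.2.2
        rightcert=remote.machine.crt
        rightrsasigkey=%cert
        rightsubnet=192.168.0.0/24
        rightnexthop=2.2.2.1
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}} with 'conn %default' folded into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments and trailing blanks
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header: 'config setup' / 'conn NAME'
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"parameter outside any section: {line.strip()}")
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    default = sections.pop("conn %default", {})
    return {name: ({**default, **params} if name.startswith("conn ") else params)
            for name, params in sections.items()}


# left<suffix> on box A must equal right<suffix> on box B, and vice versa.
# leftcert/rightcert are per-box file names, so they are deliberately not mirrored.
MIRRORED = ("", "subnet", "nexthop", "rsasigkey", "id")
SHARED = ("authby", "pfs", "compress", "keyingtries")   # must be identical on both ends


def mirror_problems(conf_a, conf_b, conn):
    """List every parameter where box B is not the mirror image of box A."""
    a, b = conf_a[f"conn {conn}"], conf_b[f"conn {conn}"]
    problems = []
    for suffix in MIRRORED:
        for here, there in (("left", "right"), ("right", "left")):
            ka, kb = here + suffix, there + suffix
            if a.get(ka) != b.get(kb):
                problems.append(f"{ka}={a.get(ka)} on A but {kb}={b.get(kb)} on B")
    for key in SHARED:
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)} on A, {b.get(key)} on B")
    return problems


def config_warnings(conf, conn):
    """Settings that are valid but fragile for an always-on tunnel (assumed heuristics)."""
    c = conf[f"conn {conn}"]
    out = []
    if c.get("auto") == "start" and c.get("keyingtries", "").isdigit() and int(c["keyingtries"]) <= 1:
        out.append("keyingtries=1 with auto=start: if the peer is not up at the first "
                   "attempt, pluto gives up and the tunnel stays down until a restart")
    return out


if __name__ == "__main__":
    left, right = parse_ipsec_conf(LEFT_BOX_CONF), parse_ipsec_conf(RIGHT_BOX_CONF)
    print("mirror problems:", mirror_problems(left, right, "right.side-vpn") or "none")
    print("warnings:", config_warnings(left, "right.side-vpn"))
```

On the two excerpts as posted the mirror check comes back clean, so a mismatch would have to be looked for elsewhere (certificates, the log timeline); the warning about `keyingtries=1` is relevant because the logs quoted further down show one end's pluto starting several seconds after the other end began negotiating.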

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jason
Whitman
Sent: Friday, October 15, 2004 11:53 PM
To: [EMAIL PROTECTED]
Subject: [Security Firewall] More VPN battles


This VPN setup has turned into a battle. I have followed the directions
(online docs) for setting up a MNF to MNF VPN. I have set up both firewalls
with the fw wan port 500 tcp+udp as directed in a message on the mailing
list. My logs for the left side are as follows:

Oct 15 23:04:13 pluto[11479]:   loaded host cert file '/etc/freeswan/ipsec.
d/local.machine.crt' (1326 bytes)
Oct 15 23:04:13 pluto[11479]:   loaded host cert file '/etc/freeswan/ipsec.
d/remote.machine.crt' (1326 bytes)
Oct 15 23:04:13 pluto[11479]: added connection description "right.fw-vpn"
Oct 15 23:04:13 pluto[11479]: listening for IKE messages
Oct 15 23:04:13 pluto[11479]: adding interface ipsec0/eth1 1.1.1.1
Oct 15 23:04:13 pluto[11479]: loading secrets from
"/etc/freeswan/ipsec.secrets"
Oct 15 23:04:13 pluto[11479]:   loaded private key file
'/etc/freeswan/ipsec.d/private/local.machine.key' (1675 bytes)
Oct 15 23:04:13 pluto[11479]: "right.fw" #1: initiating Main Mode
Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #1: Peer ID is
ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #1: ISAKMP SA established
Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #2: initiating
Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #2: sent QI2, IPsec SA
established
Oct 15 23:04:23 pluto[11479]: "right.fw-vpn" #1: received Delete SA payload:
replace IPSEC State #2 in 10 seconds
Oct 15 23:04:23 pluto[11479]: "right.fw-vpn" #1: received Delete SA payload:
deleting ISAKMP State #1
Oct 15 23:04:23 pluto[11479]: ERROR: asynchronous network error report on
eth1 for message to 2.2.2.2 port 500, complainant 2.2.2.2: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Oct 15 23:04:26 pluto[11479]: "right.fw-vpn" #3: responding to Main Mode
Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #3: Peer ID is
ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #3: sent MR3, ISAKMP SA
established
Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #4: responding to Quick Mode
Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #4: IPsec SA established

My logs for the right side connection are as follows:

Oct 15 23:04:25 ipsec__plutorun: Starting Pluto subsystem...
Oct 15 23:04:25 pluto[24938]: Starting Pluto (FreeS/WAN Version 1.98b)
Oct 15 23:04:25 pluto[24938]: including X.509 patch (Version 0.9.15)
Oct 15 23:04:25 pluto[24938]: Changing to directory '/etc/freeswan/ipsec.d/cacerts'
Oct 15 23:04:25 pluto[24938]: loaded cacert file 'ca.crt' (1325 bytes)
Oct 15 23:04:25 pluto[24938]: Changing to directory '/etc/freeswan/ipsec.d/crls'
Oct 15 23:04:25 pluto[24938]: loaded crl file 'crl.crt' (697 bytes)
Oct 15 23:04:25 pluto[24938]: loaded my default X.509 cert file '/etc/freeswan/x509cert.der' (1325 bytes)
Oct 15 23:04:26 pluto[24938]: loaded host cert file '/etc/freeswan/ipsec.d/local.machine.crt' (1325 bytes)
Oct 15 23:04:26 pluto[24938]: loaded host cert file '/etc/freeswan/ipsec.d/remote.machine.crt' (1325 bytes)
Oct 15 23:04:26 pluto[24938]: added connection description "left.fw-vpn"
Oct 15 23:04:26 pluto[24938]: listening for IKE messages
Oct 15 23:04:26 pluto[24938]: adding interface ipsec0/eth1 2.2.2.2
Oct 15 23:04:26 pluto[24938]: loading secrets from
"/etc/freeswan/ipsec.secrets"
Oct 15 23:04:26 pluto[24938]: loaded private key file
'/etc/freeswan/ipsec.d/private/local.machine.key' (1674 bytes)
Oct 15 23:04:26 pluto[24938]: "left.fw-vpn" #1: initiating Main Mode
Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #1: Peer ID is ID_DER_ASN1_DN:
'C=US, ST=, L=, O=, OU=, CN=, E='
Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #1: ISAKMP SA established
Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #2: initiating Quick Mode
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #2: sent QI2, IPsec SA
established
Oct 15 23:04:43 pluto[24938]: "left.fw-vpn" #1: ignoring Delete SA payload:
IPSEC SA not found (maybe expired)

I cannot ping hosts on either network. I am stumped on this one. Any ideas
would be appreciated.

Jason
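The two logs above carry more diagnostic signal than "SA established" suggests: on the left side the IPsec SA comes up at 23:04:14 and is torn down by a Delete SA payload nine seconds later, immediately followed by an ICMP port-unreachable for UDP/500 from the peer (nothing was listening for IKE there at that instant; the right side's pluto only starts at 23:04:25); both peers present a certificate DN whose every field except C is empty; and the loaded certificate sizes are 1326 bytes on one box but 1325 on the other, although each box's remote.machine.crt should be a copy of the other box's local.machine.crt. The triage script below is an added example, not code from the original post or from FreeS/WAN: it parses pluto's syslog lines and reports those patterns. The sample lines are the ones quoted in the post, re-joined where the mail wrapped them; the year (taken from the mail date), the 60-second "early teardown" threshold and the wording of the findings are assumptions.

```python
"""Triage pluto (FreeS/WAN 1.98b) log excerpts from both ends of a tunnel.

Added example, not code from the original post. Sample lines are the ones
quoted in the post, re-joined where the mail client wrapped them.
"""
import re
from datetime import datetime

LEFT_LOG = """\
Oct 15 23:04:13 pluto[11479]:   loaded host cert file '/etc/freeswan/ipsec.d/local.machine.crt' (1326 bytes)
Oct 15 23:04:13 pluto[11479]:   loaded host cert file '/etc/freeswan/ipsec.d/remote.machine.crt' (1326 bytes)
Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #1: ISAKMP SA established
Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #2: sent QI2, IPsec SA established
Oct 15 23:04:23 pluto[11479]: "right.fw-vpn" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
Oct 15 23:04:23 pluto[11479]: "right.fw-vpn" #1: received Delete SA payload: deleting ISAKMP State #1
Oct 15 23:04:23 pluto[11479]: ERROR: asynchronous network error report on eth1 for message to 2.2.2.2 port 500, complainant 2.2.2.2: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #3: sent MR3, ISAKMP SA established
Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #4: IPsec SA established
"""

RIGHT_LOG = """\
Oct 15 23:04:25 pluto[24938]: Starting Pluto (FreeS/WAN Version 1.98b)
Oct 15 23:04:26 pluto[24938]: loaded host cert file '/etc/freeswan/ipsec.d/local.machine.crt' (1325 bytes)
Oct 15 23:04:26 pluto[24938]: loaded host cert file '/etc/freeswan/ipsec.d/remote.machine.crt' (1325 bytes)
Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #2: sent QI2, IPsec SA established
Oct 15 23:04:43 pluto[24938]: "left.fw-vpn" #1: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
"""

# syslog timestamp, pluto pid, optional '"conn" #state:' prefix, then the message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) pluto\[\d+\]:\s*"
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$')
CERT_RE = re.compile(r"loaded host cert file '(?P<path>[^']+)' \((?P<size>\d+) bytes\)")
DN_RE = re.compile(r"Peer ID is ID_DER_ASN1_DN: '(?P<dn>[^']*)'")
REFUSED_RE = re.compile(r"message to (?P<peer>\S+) port (?P<port>\d+),.*Connection refused")


def parse(text, year=2004):
    """Split syslog-style pluto lines into timestamp, conn, state number and message.
    syslog carries no year; 2004 is assumed from the date of the mail."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "conn": m["conn"], "state": m["state"], "msg": m["msg"]})
    return events


def triage(events, max_sa_age=60):
    """Return human-readable findings for one side's log (threshold is an assumption)."""
    findings, sa_up_at = [], None
    for ev in events:
        msg = ev["msg"]
        if "IPsec SA established" in msg:
            sa_up_at = ev["ts"]
        elif "received Delete SA payload" in msg and sa_up_at is not None:
            age = (ev["ts"] - sa_up_at).total_seconds()
            if age <= max_sa_age:
                findings.append(f"peer tore down the IPsec SA {age:.0f}s after it came up "
                                f"(state #{ev['state']}): not a lifetime expiry, look for a "
                                "restart or a policy reject on the far end")
            sa_up_at = None                      # report once per SA
        elif "ignoring Delete SA payload" in msg:
            findings.append("far end deleted an IPsec SA this end does not have: "
                            "the two ends disagree about SA state")
        elif (m := REFUSED_RE.search(msg)):
            findings.append(f"ICMP port unreachable from {m['peer']} for UDP/{m['port']}: "
                            "nothing was listening for IKE there at that moment")
        elif (m := DN_RE.search(msg)):
            empty = [rdn.split("=")[0] for rdn in m["dn"].split(", ") if rdn.endswith("=")]
            if empty:
                findings.append(f"peer certificate DN has empty {', '.join(empty)}: "
                                "an ID like this cannot be tied to one specific peer")
    return findings


def cert_sizes(events):
    """{file name: bytes} for every 'loaded host cert file' line."""
    sizes = {}
    for ev in events:
        m = CERT_RE.search(ev["msg"])
        if m:
            sizes[m["path"].rsplit("/", 1)[-1]] = int(m["size"])
    return sizes


def cross_check_certs(events_a, events_b):
    """Each box's remote.machine.crt is meant to be a copy of the other box's
    local.machine.crt (that is how the quoted ipsec.conf names them), so the
    sizes pluto reports on load should agree across the two boxes."""
    a, b = cert_sizes(events_a), cert_sizes(events_b)
    problems = []
    for here, there in (("remote.machine.crt", "local.machine.crt"),
                        ("local.machine.crt", "remote.machine.crt")):
        if here in a and there in b and a[here] != b[there]:
            problems.append(f"A:{here} is {a[here]} bytes but B:{there} is {b[there]} bytes; "
                            "a one-byte gap may be only a trailing newline, so compare hashes")
    return problems


if __name__ == "__main__":
    left, right = parse(LEFT_LOG), parse(RIGHT_LOG)
    for side, ev in (("left", left), ("right", right)):
        for f in triage(ev):
            print(f"{side}: {f}")
    for p in cross_check_certs(left, right):
        print("certs:", p)
```

Run against the quoted excerpts it produces three findings for the left side (empty DN fields, teardown 9 s after establishment, port unreachable for UDP/500), two for the right side (empty DN fields, a Delete for an SA it does not hold) and two certificate-size mismatches. None of these is a verdict on the root cause, but together they narrow the search to the far end's restart timing and to whether the certificate files on the two boxes are really the same pair.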



