Hi, there is a problem with the certificates:
first you associate 3.3.3.3 with remote.machine.crt, then on the right side you associate it with local.machine.crt. This cannot be right.

> "Jason Whitman" <[EMAIL PROTECTED]> writes:
> Here is the ipsec.conf for the left box set up as CA:
>
> config setup
>     interfaces=%defaultroute
>     klipsdebug=none
>     plutodebug=none
>     plutoload=%search
>     plutostart=%search
>     uniqueids=yes
>
> conn %default
>     pfs=yes
>     keyingtries=1
>     compress=yes
>     disablearrivalcheck=no
>     left=2.2.2.2
>     leftcert=local.machine.crt
>     leftrsasigkey=%cert
>     leftsubnet=192.168.0.0/24
>     leftnexthop=2.2.2.1
>
> conn right.side-vpn
>     authby=rsasig
>     auto=start
>     right=3.3.3.3
>     rightcert=remote.machine.crt
>     rightrsasigkey=%cert
>     rightsubnet=192.168.1.0/24
>     rightnexthop=3.3.3.1
>
> and for the right box:
>
> config setup
>     interfaces=%defaultroute
>     klipsdebug=none
>     plutodebug=none
>     plutoload=%search
>     plutostart=%search
>     uniqueids=yes
>
> conn %default
>     pfs=yes
>     keyingtries=1
>     compress=yes
>     disablearrivalcheck=no
>     left=3.3.3.3
>     leftcert=local.machine.crt
>     leftrsasigkey=%cert
>     leftsubnet=192.168.1.0/24
>     leftnexthop=3.3.3.1
>
> conn right.side-vpn
>     authby=rsasig
>     auto=start
>     right=2.2.2.2
>     rightcert=remote.machine.crt
>     rightrsasigkey=%cert
>     rightsubnet=192.168.0.0/24
>     rightnexthop=2.2.2.1
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jason Whitman
> Sent: Friday, October 15, 2004 11:53 PM
> To: [EMAIL PROTECTED]
> Subject: [Security Firewall] More VPN battles
>
>
> This VPN setup has turned into a battle. I have followed the directions
> (online docs) for setting up a MNF to MNF VPN. I have set up both firewalls
> with the fw wan port 500 tcp+udp as directed in a message on the mailing
> list. My logs for the left side are as follows:
>
> Oct 15 23:04:13 pluto[11479]: loaded host cert file '/etc/freeswan/ipsec.d/local.machine.crt' (1326 bytes)
> Oct 15 23:04:13 pluto[11479]: loaded host cert file '/etc/freeswan/ipsec.d/remote.machine.crt' (1326 bytes)
> Oct 15 23:04:13 pluto[11479]: added connection description "right.fw-vpn"
> Oct 15 23:04:13 pluto[11479]: listening for IKE messages
> Oct 15 23:04:13 pluto[11479]: adding interface ipsec0/eth1 1.1.1.1
> Oct 15 23:04:13 pluto[11479]: loading secrets from "/etc/freeswan/ipsec.secrets"
> Oct 15 23:04:13 pluto[11479]: loaded private key file '/etc/freeswan/ipsec.d/private/local.machine.key' (1675 bytes)
> Oct 15 23:04:13 pluto[11479]: "right.fw" #1: initiating Main Mode
> Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #1: ISAKMP SA established
> Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
> Oct 15 23:04:14 pluto[11479]: "right.fw-vpn" #2: sent QI2, IPsec SA established
> Oct 15 23:04:23 pluto[11479]: "right.fw-vpn" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
> Oct 15 23:04:23 pluto[11479]: "right.fw-vpn" #1: received Delete SA payload: deleting ISAKMP State #1
> Oct 15 23:04:23 pluto[11479]: ERROR: asynchronous network error report on eth1 for message to 2.2.2.2 port 500, complainant 2.2.2.2: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> Oct 15 23:04:26 pluto[11479]: "right.fw-vpn" #3: responding to Main Mode
> Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #3: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #3: sent MR3, ISAKMP SA established
> Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #4: responding to Quick Mode
> Oct 15 23:04:27 pluto[11479]: "right.fw-vpn" #4: IPsec SA established
>
> My logs for the right side connection are as follows:
>
> Oct 15 23:04:25 ipsec__plutorun: Starting Pluto subsystem...
> Oct 15 23:04:25 pluto[24938]: Starting Pluto (FreeS/WAN Version 1.98b)
> Oct 15 23:04:25 pluto[24938]: including X.509 patch (Version 0.9.15)
> Oct 15 23:04:25 pluto[24938]: Changing to directory '/etc/freeswan/ipsec.d/cacerts'
> Oct 15 23:04:25 pluto[24938]: loaded cacert file 'ca.crt' (1325 bytes)
> Oct 15 23:04:25 pluto[24938]: Changing to directory '/etc/freeswan/ipsec.d/crls'
> Oct 15 23:04:25 pluto[24938]: loaded crl file 'crl.crt' (697 bytes)
> Oct 15 23:04:25 pluto[24938]: loaded my default X.509 cert file '/etc/freeswan/x509cert.der' (1325 bytes)
> Oct 15 23:04:26 pluto[24938]: loaded host cert file '/etc/freeswan/ipsec.d/local.machine.crt' (1325 bytes)
> Oct 15 23:04:26 pluto[24938]: loaded host cert file '/etc/freeswan/ipsec.d/remote.machine.crt' (1325 bytes)
> Oct 15 23:04:26 pluto[24938]: added connection description "left.fw-vpn"
> Oct 15 23:04:26 pluto[24938]: listening for IKE messages
> Oct 15 23:04:26 pluto[24938]: adding interface ipsec0/eth1 2.2.2.2
> Oct 15 23:04:26 pluto[24938]: loading secrets from "/etc/freeswan/ipsec.secrets"
> Oct 15 23:04:26 pluto[24938]: loaded private key file '/etc/freeswan/ipsec.d/private/local.machine.key' (1674 bytes)
> Oct 15 23:04:26 pluto[24938]: "left.fw-vpn" #1: initiating Main Mode
> Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=, L=, O=, OU=, CN=, E='
> Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #1: ISAKMP SA established
> Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
> Oct 15 23:04:27 pluto[24938]: "left.fw-vpn" #2: sent QI2, IPsec SA established
> Oct 15 23:04:43 pluto[24938]: "left.fw-vpn" #1: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
>
> I cannot ping hosts on either network. I am stumped on this one. Any ideas
> would be appreciated.
>
> Jason
>
>
> ____________________________________________________
> Want to buy your Pack or Services from MandrakeSoft?
> Go to http://www.mandrakestore.com
> Join the Club : http://www.mandrakeclub.com
> ____________________________________________________

--
Florin
http://www.mandrakesoft.com
http://people.mandrakesoft.com/~florin/
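The check Florin applies by eye, written out as an added example (not code from this thread or from FreeS/WAN): parse each box's ipsec.conf, inherit `conn %default` the way pluto does, and report every peer address that the two configurations bind to differently named certificate files. The embedded configs are trimmed copies of the two quoted above; the host labels 'left box' and 'right box' are constructed.

```python
from collections import defaultdict
# Constructed from the two ipsec.conf files quoted in the thread; only the
# address and certificate keys are kept, nothing else affects this check.
LEFT_BOX = """conn %default
    left=2.2.2.2
    leftcert=local.machine.crt
conn right.side-vpn
    right=3.3.3.3
    rightcert=remote.machine.crt
"""
RIGHT_BOX = """conn %default
    left=3.3.3.3
    leftcert=local.machine.crt
conn right.side-vpn
    right=2.2.2.2
    rightcert=remote.machine.crt
"""

def parse_ipsec_conf(text):
    """{conn name: {key: value}}; a line at column 0 opens a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():                     # section header
            kind, _, name = line.partition(' ')
            current = sections.setdefault(name.strip(), {}) if kind == 'conn' else None
        elif current is not None and '=' in line:    # indented key=value
            key, _, val = line.strip().partition('=')
            current[key.strip()] = val.strip()
    return sections

def ip_to_cert(conf):
    """Yield (ip, cert file) per side of each conn, with %default inherited."""
    sections = parse_ipsec_conf(conf)
    default = sections.pop('%default', {})
    for params in sections.values():
        merged = {**default, **params}
        for side in ('left', 'right'):
            if side in merged and side + 'cert' in merged:
                yield merged[side], merged[side + 'cert']

def cert_conflicts(*configs):
    """{ip: {cert file: [host, ...]}} for IPs bound to differently named certs."""
    seen = defaultdict(lambda: defaultdict(list))
    for host, conf in configs:
        for ip, cert in ip_to_cert(conf):
            seen[ip][cert].append(host)
    return {ip: dict(certs) for ip, certs in seen.items() if len(certs) > 1}
```

The check compares file names only; to confirm whether two files really hold different certificates, compare their subjects (for example with `openssl x509 -noout -subject`), since the logs above show both peers presenting the same empty DN.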
