Hi
I'm trying to set up a roadwarrior scenario with X.509 certificates,
signed from a self-signed CA.
The VPN gateway is running 2.01, the client is running 1.99, both with
the X.509 patch.
Everything looks fine during startup, but if I connect to the gateway, I
get his IP as ID instead of his certificate (setting leftid/rightid on
client and gateway didn't help). Both FreeS/WANs don't show any errors
during startup, they both find their local certificates/keys, the
CA key and the CRL. Both are directly connected to the internet, no
NAT.
FreeS/WAN config on gateway:
version 2.0

config setup
    interfaces=%defaultroute
    uniqueids=yes
    strictcrlpolicy=yes

conn %default
    keyingtries=1
    disablearrivalcheck=no
    authby=rsasig
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
    pfs=yes
    compress=no
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior
    right=%any
    left=%defaultroute
    leftcert=mycert.pem
    #leftsubnet=0.0.0.0/0
    type=tunnel
    auto=add
And now the incoming connection from the "roadwarrior":
pluto[30138]: "roadwarrior"[1] $IP #1: responding to Main Mode from unknown peer $REMOTE_IP
pluto[30138]: "roadwarrior"[1] $IP #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, etc'
pluto[30138]: "packetdefault"[1] 0.0.0.0/0=== ...$REMOTE_IP===? #1: deleting connection "roadwarrior" instance with peer 217.9.51.61
pluto[30138]: "packetdefault"[1] 0.0.0.0/0=== ...$REMOTE_IP===? #1: sent MR3, ISAKMP SA established
pluto[30138]: "packetdefault"[1] 0.0.0.0/0=== ...$REMOTE_IP===? #1: Informational Exchange message for an established ISAKMP SA must be encrypted
And the client:
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn ipsec
    left=$GATEWAY_IP
    right=%defaultroute
    authby=rsasig
    rightrsasigkey=%cert
    leftrsasigkey=%cert
    leftcert=myhost.pem
    rightcert=roadwarriorcert.pem
    auto=add
    pfs=yes
And now the connection (ipsec auto --up ipsec):
pluto[14363]: "ipsec" #1: initiating Main Mode
pluto[14363]: "ipsec" #1: Peer ID is ID_IPV4_ADDR: '217.9.34.16'
Aug 2 12:45:20 piggeldi pluto[14363]: "ipsec" #1: we require peer to have ID 'C=DE etc.', but peer declares '$REMOTE_IP'
pluto[14363]: "ipsec" #1: sending notification INVALID_ID_INFORMATION to 217.9.34.16:500
pluto[14363]: "ipsec": terminating SAs using this connection
pluto[14363]: "ipsec" #1: deleting state (STATE_MAIN_I3)
Any idea what's going wrong here? How can I force the gateway to send
its X.509 identity?
And there's one interesting thing: If I connect to the gateway from the
private LAN behind it, I don't have any problems.
--
Fridtjof Busse
/* James M doesn't say fuck enough. */
2.4.3 linux/net/core/netfilter.c
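As an added check (not from the post or from FreeS/WAN itself), a small parser over pluto log lines of the shape quoted above. It pulls out the peer ID type, any mid-negotiation switch to a different conn, and the INVALID_ID_INFORMATION mismatch, which are the three things to compare on both ends when a certificate peer shows up with an IP-address ID. The sample lines are constructed from the post, placeholders included.

```python
import re

# Constructed sample: the gateway and client pluto lines quoted in the post.
GATEWAY_LOG = """\
pluto[30138]: "roadwarrior"[1] $IP #1: responding to Main Mode from unknown peer $REMOTE_IP
pluto[30138]: "roadwarrior"[1] $IP #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, etc'
pluto[30138]: "packetdefault"[1] 0.0.0.0/0=== ...$REMOTE_IP===? #1: deleting connection "roadwarrior" instance with peer 217.9.51.61
pluto[30138]: "packetdefault"[1] 0.0.0.0/0=== ...$REMOTE_IP===? #1: sent MR3, ISAKMP SA established
"""
CLIENT_LOG = """\
pluto[14363]: "ipsec" #1: initiating Main Mode
pluto[14363]: "ipsec" #1: Peer ID is ID_IPV4_ADDR: '217.9.34.16'
Aug 2 12:45:20 piggeldi pluto[14363]: "ipsec" #1: we require peer to have ID 'C=DE etc.', but peer declares '$REMOTE_IP'
pluto[14363]: "ipsec" #1: sending notification INVALID_ID_INFORMATION to 217.9.34.16:500
"""

# conn name, optional instance index, anything up to the state number, then the message
CONN_RE = re.compile(r'pluto\[\d+\]: "([^"]+)"(?:\[\d+\])?[^:]*#(\d+): (.*)$')
PEER_ID_RE = re.compile(r"Peer ID is (ID_\w+): '([^']*)'")
SWITCH_RE = re.compile(r'deleting connection "([^"]+)" instance')


def analyze(log: str) -> dict:
    """Summarise one pluto negotiation: who the peer claimed to be, and whether the
    conn in use changed or the peer's ID was rejected."""
    result = {"peer_id_type": None, "peer_id": None, "conn_switch": None,
              "id_mismatch": False, "findings": []}
    for line in log.splitlines():
        m = CONN_RE.search(line)          # search, so a syslog prefix is tolerated
        if not m:
            continue                      # e.g. '"ipsec": terminating SAs' has no state number
        conn, _state, msg = m.groups()
        if pid := PEER_ID_RE.search(msg):
            result["peer_id_type"], result["peer_id"] = pid.groups()
            if pid.group(1) != "ID_DER_ASN1_DN":
                result["findings"].append(
                    f"peer identified by {pid.group(1)}, not a certificate DN")
        elif sw := SWITCH_RE.search(msg):
            # the instance of conn sw.group(1) was dropped while 'conn' carried on
            result["conn_switch"] = (sw.group(1), conn)
            result["findings"].append(
                f"negotiation moved from conn {sw.group(1)!r} to {conn!r}")
        elif "we require peer to have ID" in msg or "INVALID_ID_INFORMATION" in msg:
            result["id_mismatch"] = True
    return result


if __name__ == "__main__":
    for side, log in (("gateway", GATEWAY_LOG), ("client", CLIENT_LOG)):
        print(side, analyze(log))
```

Run against both sides, the gateway side shows the client's DN accepted but the negotiation continuing under a different conn, and the client side shows an ID_IPV4_ADDR peer ID followed by the mismatch.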