I suspect that the gateway cannot load its certificate mycert.pem. This might be due to the changed default certificate path, which is /etc/ipsec.d/certs for freeswan-2.0x and was /etc/ipsec.d for freeswan-1.xx. There should be an error message in the log during Pluto startup.
Regards
Andreas
Fridtjof Busse wrote:
Hi
I'm trying to set up a roadwarrior scenario with X.509 certificates, signed from a self-signed CA.
The VPN-gateway is running 2.01, the client is running 1.99, both with the X.509-patch.
Everything looks fine during startup, but if I connect to the gateway, I get his IP as ID instead of his certificate (setting leftid/rightid on client and gateway didn't help). Both FreeS/WANs don't show any errors during startup; they both find their local certificates/keys, the CA key and the CRL. Both are directly connected to the internet, no NAT.
FreeS/WAN config on gateway:
version 2.0

config setup
        interfaces=%defaultroute
        uniqueids=yes
        strictcrlpolicy=yes

conn %default
        keyingtries=1
        disablearrivalcheck=no
        authby=rsasig
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior
        right=%any
        left=%defaultroute
        leftcert=mycert.pem
        #leftsubnet=0.0.0.0/0
        type=tunnel
        auto=add
And now the incoming connection from the "roadwarrior":
pluto[30138]: "roadwarrior"[1] $IP #1: responding to Main Mode from unknown peer $REMOTE_IP
pluto[30138]: "roadwarrior"[1] $IP #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, etc'
pluto[30138]: "packetdefault"[1] 0.0.0.0/0=== ...$REMOTE_IP===? #1: deleting connection "roadwarrior" instance with peer 217.9.51.61
pluto[30138]: "packetdefault"[1] 0.0.0.0/0=== ...$REMOTE_IP===? #1: sent MR3, ISAKMP SA established
pluto[30138]: "packetdefault"[1] 0.0.0.0/0=== ...$REMOTE_IP===? #1: Informational Exchange message for an established ISAKMP SA must be encrypted
And the client:

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn ipsec
        left=$GATEWAY_IP
        right=%defaultroute
        authby=rsasig
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        leftcert=myhost.pem
        rightcert=roadwarriorcert.pem
        auto=add
        pfs=yes
And now the connection (ipsec auto --up ipsec):
pluto[14363]: "ipsec" #1: initiating Main Mode
pluto[14363]: "ipsec" #1: Peer ID is ID_IPV4_ADDR: '217.9.34.16'
Aug 2 12:45:20 piggeldi pluto[14363]: "ipsec" #1: we require peer to have ID 'C=DE etc.', but peer declares '$REMOTE_IP'
pluto[14363]: "ipsec" #1: sending notification INVALID_ID_INFORMATION to 217.9.34.16:500
pluto[14363]: "ipsec": terminating SAs using this connection
pluto[14363]: "ipsec" #1: deleting state (STATE_MAIN_I3)
Any idea what's going wrong here? How can I force the gateway to send its X.509 identity?
And there's one interesting thing: If I connect to the gateway from the private LAN behind it, I don't have any problems.
-- 
=======================================================================
Andreas Steffen                     e-mail: [EMAIL PROTECTED]
strongSec GmbH                      home:   http://www.strongsec.com
Alter Zürichweg 20                  phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)     fax:    +41 1 730 80 65
==========================================[strong internet security]===
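A small diagnostic for the situation Andreas describes above, added here as an example and not part of the thread or of FreeS/WAN itself: it checks whether the leftcert= file sits in the directory the installed FreeS/WAN version reads (/etc/ipsec.d for 1.xx, /etc/ipsec.d/certs for 2.0x, as stated in the reply) and flags a certificate left in the old location, which is the likely reason Pluto falls back to ID_IPV4_ADDR. The function names, the optional openssl subject print and the ipsec.d root parameter (to allow testing outside /etc) are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): locate a FreeS/WAN certificate
# in the directory the installed version expects.

# Print the certificate directory for a FreeS/WAN version string.
# $1 = version (e.g. 1.99, 2.01); $2 = ipsec.d root (default /etc/ipsec.d)
cert_dir_for_version() {
    root=${2:-/etc/ipsec.d}
    case "$1" in
        1.*) printf '%s\n' "$root" ;;          # freeswan-1.xx layout
        2.*) printf '%s\n' "$root/certs" ;;    # freeswan-2.0x layout
        *)   printf 'unknown FreeS/WAN version: %s\n' "$1" >&2; return 2 ;;
    esac
}

# Check that leftcert=<name> resolves under the expected directory.
# Returns 0 if found, 1 if the file only exists in the pre-2.0 location
# (the misplacement the reply suspects), 3 if it is missing entirely.
# $1 = version; $2 = cert file name; $3 = ipsec.d root (optional)
check_leftcert() {
    want=$(cert_dir_for_version "$1" "$3") || return $?
    if [ -f "$want/$2" ]; then
        echo "OK: $want/$2"
        # If openssl is present, show the subject DN Pluto would send as its ID.
        if command -v openssl >/dev/null 2>&1; then
            openssl x509 -in "$want/$2" -noout -subject 2>/dev/null \
                || echo "warning: openssl could not parse $want/$2"
        fi
        return 0
    fi
    old=${3:-/etc/ipsec.d}
    if [ -f "$old/$2" ]; then
        echo "MISPLACED: $old/$2 exists but version $1 looks in $want"
        return 1
    fi
    echo "MISSING: $2 not found under $want"
    return 3
}
```

On the gateway from the thread one would run `check_leftcert 2.01 mycert.pem` and then confirm the subject DN printed matches the ID the client expects.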