You must use the gateway certificate. Put it into
the directory /etc/ipsec.d/certs and define

leftcert=gatewayCert.pem

There seems to be some additional error in your
connection definition. What does

ipsec auto --status

show?

Regards

Andreas

Philip Tong wrote:
Thank you for the response Andreas, for the 'leftcert' entry, should I
be putting the CA's pem or the Gateway's pem? The pem files were
generated using help file from Nate Carlson's homepage.

I have since changed the /etc/ipsec.conf to the following:-

/etc/ipsec.conf
~~~~~~~~~~~~~~~
version 2.0
config setup
interfaces="ipsec0=eth1"
klipsdebug=none
plutodebug=dns
uniqueids=yes
fragicmp=yes
overridemtu=1430
conn %default
keyingtries=0
compress=yes
authby=rsasig
pfs=yes
disablearrivalcheck=yes
conn road
left=202.10.10.54
leftsubnet=10.0.0.0/8
leftid="CN=gw.yltrd"
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/cacerts/cacert.pem
leftprotoport=17/1701
right=%any
rightsubnet=192.168.1.0/24
rightrsasigkey=%cert
rightprotoport=17/1701
auto=add



/var/log/secure
~~~~~~~~~~~~~~~
Aug 4 16:21:57 gw ipsec__plutorun: Starting Pluto subsystem...
Aug 4 16:21:57 gw pluto[3181]: Starting Pluto (FreeS/WAN Version 2.01 X.509-1.4.2 PLUTO_USES_KEYRR)
Aug 4 16:21:57 gw pluto[3181]: Changing to directory '/etc/ipsec.d/cacerts'
Aug 4 16:21:57 gw pluto[3181]: loaded cacert file 'cacert.pem' (1367 bytes)
Aug 4 16:21:57 gw pluto[3181]: Changing to directory '/etc/ipsec.d/crls'
Aug 4 16:21:57 gw pluto[3181]: loaded crl file 'crl.pem' (601 bytes)
Aug 4 16:21:57 gw pluto[3181]: loaded host cert file '/etc/ipsec.d/cacerts/cacert.pem' (1367 bytes)
Aug 4 16:21:57 gw pluto[3181]: added connection description "road"
Aug 4 16:21:57 gw pluto[3181]: listening for IKE messages
Aug 4 16:21:57 gw pluto[3181]: adding interface ipsec0/eth1 202.10.10.54
Aug 4 16:21:57 gw pluto[3181]: loading secrets from "/etc/ipsec.secrets"
Aug 4 16:21:57 gw pluto[3181]: loaded private key file '/etc/ipsec.d/private/gw.yltrd.key' (1743 bytes)
Aug 4 16:22:57 gw pluto[3181]: packet from 61.6.104.76:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Aug 4 16:22:57 gw pluto[3181]: packet from 61.6.104.76:500: received Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
Aug 4 16:22:57 gw pluto[3181]: packet from 61.6.104.76:500: received Vendor ID Payload; ASCII hash: \020K
Aug 4 16:22:57 gw pluto[3181]: "road"[1] 61.6.104.76 #1: responding to Main Mode from unknown peer 61.6.104.76
Aug 4 16:22:57 gw pluto[3181]: "road"[1] 61.6.104.76 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Aug 4 16:22:59 gw pluto[3181]: "road"[1] 61.6.104.76 #1: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 4 16:22:59 gw pluto[3181]: "road"[1] 61.6.104.76 #1: no suitable connection for peer 'CN=ussenterprise.pract'
Aug 4 16:22:59 gw pluto[3181]: "road"[1] 61.6.104.76 #1: sending notification INVALID_ID_INFORMATION to 61.6.104.76:500
Aug 4 16:23:00 gw pluto[3181]: "road"[1] 61.6.104.76 #1: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 4 16:23:00 gw pluto[3181]: "road"[1] 61.6.104.76 #1: no suitable connection for peer 'CN=ussenterprise.pract'
Aug 4 16:23:00 gw pluto[3181]: "road"[1] 61.6.104.76 #1: sending notification INVALID_ID_INFORMATION to 61.6.104.76:500
Aug 4 16:23:02 gw pluto[3181]: "road"[1] 61.6.104.76 #1: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 4 16:23:02 gw pluto[3181]: "road"[1] 61.6.104.76 #1: no suitable connection for peer 'CN=ussenterprise.pract'
Aug 4 16:23:02 gw pluto[3181]: "road"[1] 61.6.104.76 #1: sending notification INVALID_ID_INFORMATION to 61.6.104.76:500
Aug 4 16:24:08 gw pluto[3181]: "road"[1] 61.6.104.76 #1: max number of retransmissions (2) reached STATE_MAIN_R2
Aug 4 16:24:08 gw pluto[3181]: "road"[1] 61.6.104.76: deleting connection "road" instance with peer 61.6.104.76
Aug 4 16:24:55 gw pluto[3181]: packet from 61.6.103.101:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Aug 4 16:24:55 gw pluto[3181]: packet from 61.6.103.101:500: received Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
Aug 4 16:24:55 gw pluto[3181]: packet from 61.6.103.101:500: received Vendor ID Payload; ASCII hash: \020K
Aug 4 16:24:55 gw pluto[3181]: "road"[2] 61.6.103.101 #2: responding to Main Mode from unknown peer 61.6.103.101
Aug 4 16:24:55 gw pluto[3181]: "road"[2] 61.6.103.101 #2: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Aug 4 16:24:58 gw pluto[3181]: "road"[2] 61.6.103.101 #2: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 4 16:24:58 gw pluto[3181]: "road"[2] 61.6.103.101 #2: no suitable connection for peer 'CN=ussenterprise.pract'
Aug 4 16:24:58 gw pluto[3181]: "road"[2] 61.6.103.101 #2: sending notification INVALID_ID_INFORMATION to 61.6.103.101:500
Aug 4 16:25:00 gw pluto[3181]: "road"[2] 61.6.103.101 #2: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 4 16:25:00 gw pluto[3181]: "road"[2] 61.6.103.101 #2: no suitable connection for peer 'CN=ussenterprise.pract'
Aug 4 16:25:00 gw pluto[3181]: "road"[2] 61.6.103.101 #2: sending notification INVALID_ID_INFORMATION to 61.6.103.101:500
Aug 4 16:25:04 gw pluto[3181]: "road"[2] 61.6.103.101 #2: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 4 16:25:04 gw pluto[3181]: "road"[2] 61.6.103.101 #2: no suitable connection for peer 'CN=ussenterprise.pract'
Aug 4 16:25:04 gw pluto[3181]: "road"[2] 61.6.103.101 #2: sending notification INVALID_ID_INFORMATION to 61.6.103.101:500
Aug 4 16:25:12 gw pluto[3181]: "road"[2] 61.6.103.101 #2: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 4 16:25:12 gw pluto[3181]: "road"[2] 61.6.103.101 #2: no suitable connection for peer 'CN=ussenterprise.pract'
Aug 4 16:25:12 gw pluto[3181]: "road"[2] 61.6.103.101 #2: sending notification INVALID_ID_INFORMATION to 61.6.103.101:500
Aug 4 16:25:20 gw pluto[3181]: "road"[2] 61.6.103.101 #2: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Aug 4 16:26:06 gw pluto[3181]: "road"[2] 61.6.103.101 #2: max number of retransmissions (2) reached STATE_MAIN_R2
Aug 4 16:26:06 gw pluto[3181]: "road"[2] 61.6.103.101: deleting connection "road" instance with peer 61.6.103.101








On Mon, 2003-08-04 at 14:10, Andreas Steffen wrote:


At a first glance I detect three errors in your ipsec.conf:

1) leftcert=freeswanCert.pem is missing
    The X.509 patch for freeswan-2.0x does not support
    the default cert /etc/x509cert.der anymore.

2) do not use rightid=%any, because this restricts the ID to an
   IP address. right=%any without an rightid parameter will define
   a general roadwarrior connection with arbitrary ID type.

3) you cannot initiate a roadwarrior connection with auto=start.
   Use auto=add instead. The W2k peer must be the initiator.

Regards

Andreas

Philip Tong wrote:

I can't seem to get connected to the Freeswan gateway from a Windows
2000 Professional mobile user. The user connects via a local ISP on a
dial-up line which dynamically assigns an IP every time the user
connects.

Any help or pointers would be greatly appreciated. Below is the information
pertaining to my configuration.



Diagram
~~~~~~~

__________________
/                  \
| Internal network |
| 10.0.0.0/8       |
\__________________/
        |
        |
        | eth0 : 10.0.0.1/8
+----------------+
| Linux box      |
| Freeswan+x509  |
+----------------+
        | eth1 : 202.10.10.54
        |
        |
        | 202.10.10.53
+-----------------+
| ADSL Router     |
| Lucent Cellpipe |
+-----------------+
        |
        |
    ____|____
   /         \
   |Internet |
   \_________/
        |
        |
        |
+----------------+
| Win2K using    |
| dial-up        |
| w/dynamic IP   |
+----------------+





/etc/l2tpd/l2ptd.conf
~~~~~~~~~~~~~~~~~~~~~

[global]
port=1701

[lns default]
ip range = 10.0.0.2-10.2.255.255
local ip = 10.0.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = gw.yltrd
ppp debug = yes
pppoptfile = /etc/ppp/options
length bit = yes





/etc/ppp/options
~~~~~~~~~~~~~~~~

ipcp-accept-local
ipcp-accept-remote
ms-dns  10.10.10.1
ms-wins 10.10.10.1
auth
crtscts
idle 1800
nodefaultroute
debug
lock
proxyarp
connect-delay 15000
mtu 1430
mru 1430







--
=======================================================================
Andreas Steffen                   e-mail: [EMAIL PROTECTED]
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
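The advice in this thread comes down to one rule: the file named by leftcert= must be the gateway's own CA-issued certificate, not the CA certificate, and leftid= must spell the subject DN the way pluto does. The script below is an added example written for this page; it is not part of the thread, of FreeS/WAN or of the X.509 patch. It uses only the openssl command-line tool and assumes RSA keys (authby=rsasig). Given a candidate leftcert, the cacert, the private key and the intended leftid, it checks that the certificate is not self-signed, that it verifies against the CA, that the key belongs to it, and that the DN matches; with no arguments it builds a throw-away, constructed CA and gateway certificate in a temporary directory and runs the check first against the CA cert (the misconfiguration above) and then against the gateway cert. The file names ca.pem, gw.pem, gw.key and the CN demoCA are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the X.509 material a FreeS/WAN
# gateway loads through leftcert= before pointing ipsec.conf at it.  Assumes RSA
# keys (authby=rsasig) and the openssl command-line tool; file names are
# illustrative.  Usage: check_leftcert.sh CERT CACERT KEY LEFTID (no args: demo).

# Name options that reproduce pluto's spelling of a DN: RDNs in certificate
# order, "type=value" pairs separated by ", " (e.g. C=CH, O=strongSec, CN=gw).
# leftid= in ipsec.conf and the "Peer ID is ID_DER_ASN1_DN" log line use it.
DN_OPTS=sep_comma_plus_space,utf8

cert_subject() {
    openssl x509 -noout -subject -nameopt "$DN_OPTS" -in "$1" | sed 's/^subject= *//'
}

cert_issuer() {
    openssl x509 -noout -issuer -nameopt "$DN_OPTS" -in "$1" | sed 's/^issuer= *//'
}

# A root CA certificate is self-signed: subject equals issuer.  The file named
# by leftcert= must be the gateway's own, CA-issued certificate instead.
cert_is_self_signed() {
    [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]
}

# Does the certificate verify against the CA kept in /etc/ipsec.d/cacerts?
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does the key in /etc/ipsec.d/private belong to this certificate?
# For RSA, equal moduli means the same key pair.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# The leftid= line that matches the certificate's subject DN exactly.
leftid_line() {
    printf 'leftid="%s"\n' "$(cert_subject "$1")"
}

# check_leftcert CERT CACERT KEY LEFTID: one line per finding; the exit status
# is the number of failed checks (0 = ready for leftcert=CERT).
check_leftcert() {
    cert=$1; cacert=$2; key=$3; leftid=$4; failures=0
    if cert_is_self_signed "$cert"; then
        echo "FAIL: $cert is self-signed, i.e. a CA cert; leftcert needs the gateway's own cert"
        failures=$((failures + 1))
    else
        echo "ok:   $cert is an end-entity cert issued by '$(cert_issuer "$cert")'"
    fi
    if cert_chains_to_ca "$cert" "$cacert"; then
        echo "ok:   $cert verifies against $cacert"
    else
        echo "FAIL: $cert does not verify against $cacert"
        failures=$((failures + 1))
    fi
    if key_matches_cert "$cert" "$key"; then
        echo "ok:   $key matches $cert"
    else
        echo "FAIL: $key does not match $cert"
        failures=$((failures + 1))
    fi
    subject=$(cert_subject "$cert")
    if [ "$subject" = "$leftid" ]; then
        echo "ok:   leftid \"$leftid\" equals the certificate subject"
    else
        echo "FAIL: leftid \"$leftid\" differs from subject \"$subject\"; use $(leftid_line "$cert")"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# make_demo_pki DIR: constructed throw-away CA (CN=demoCA) and gateway
# certificate (CN=gw.yltrd) for the demo; not real credentials.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demoCA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=gw.yltrd" \
        -keyout "$1/gw.key" -out "$1/gw.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -in "$1/gw.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/gw.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) && make_demo_pki "$d" || return 1
    echo "--- leftcert pointed at the CA cert (the misconfiguration in the thread)"
    check_leftcert "$d/ca.pem" "$d/ca.pem" "$d/gw.key" "CN=gw.yltrd" || true
    echo "--- leftcert pointed at the gateway cert"
    check_leftcert "$d/gw.pem" "$d/ca.pem" "$d/gw.key" "CN=gw.yltrd" || true
    rm -rf "$d"
}

if [ "$#" -eq 4 ]; then check_leftcert "$@"; elif [ "$#" -eq 0 ]; then demo; fi
```

The DN comparison is deliberately literal: pluto matches the ID as a DN, so for a multi-RDN subject the order and spelling in leftid= must be the certificate's own (C=..., O=..., CN=...), which is why the script prints names with sep_comma_plus_space rather than the reversed RFC 2253 order. A gateway on which all four checks pass still needs leftcert= to name a file in /etc/ipsec.d/certs, as Andreas says above; the script only tells you which file that should be.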