
[Users] roadwarrior configuration using freeswan 1.99 and pgpnet 7.0.3 (with X.509)

From: toni <tonign(at)pie.xtec.es>
Date: Mon Feb 24 2003 - 03:59:27 EST


hi,

I'm trying to set up a freeswan gateway to allow roadwarrior users to connect to the corporate LAN. These clients will run Windows 2000 and XP mainly, and they will use pgpnet (is it possible pgpnet doesn't understand freeswan?) to keep certificates (X.509) and manage the connection.

If you could help me, please take a look. If pgpnet will never work, what alternatives could I use?

My scheme is a LAN with public IPs (two class C subnets: 213.xxx.162.0 and 193.xxx.88.0); one of these IPs (193.xxx.88.63, the freeswan gateway) is publicly accessible from anywhere on the internet.

The problem is that the logs on the freeswan gateway end each connection attempt (without establishing the connection) with:

[... from /var/log/secure ]

Feb 24 08:15:44 i2cat pluto[3342]: | ***parse ISAKMP Notification Payload:
Feb 24 08:15:44 i2cat pluto[3342]: |    next payload type: ISAKMP_NEXT_NONE
Feb 24 08:15:44 i2cat pluto[3342]: |    length: 12
Feb 24 08:15:44 i2cat pluto[3342]: |    DOI: ISAKMP_DOI_IPSEC
Feb 24 08:15:44 i2cat pluto[3342]: |    protocol ID: 1
Feb 24 08:15:44 i2cat pluto[3342]: |    SPI size: 0
Feb 24 08:15:44 i2cat pluto[3342]: |    Notify Message Type: UNSUPPORTED_EXCHANGE_TYPE
Feb 24 08:15:44 i2cat pluto[3342]: "road-xtecwarrior"[1] 213.xxx.162.44 #1: ignoring informational payload, type UNSUPPORTED_EXCHANGE_TYPE
Feb 24 08:15:44 i2cat pluto[3342]: | info:
Feb 24 08:15:44 i2cat pluto[3342]: "road-xtecwarrior"[1] 213.xxx.162.44 #1: received and ignored informational message
Feb 24 08:15:44 i2cat pluto[3342]: | next event EVENT_SHUNT_SCAN in 5 seconds

I've been waiting for a long time before asking.

First I've read and strictly followed these two guides:


http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/quickstart.html

A Guide to Installing a VPN based on FreeS/WAN by Tim Carr (Oct 2002)

But now I'm really confused; freeswan seems to be well configured. This is my freeswan configuration:

$ cat /etc/ipsec.conf
config setup

        interfaces="ipsec0=eth0"
        klipsdebug=all
        plutodebug=all
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        authby=rsasig
        disablearrivalcheck=no
        keyingtries=0

conn road-xtecwarrior
        right=%any
        rightcert=/etc/ipsec.d/client-cert.pem
        rightrsasigkey=%dnsondemand
        rightnexthop=213.xxx.162.1
        left=193.145.88.63
        leftid="ST=BCN, O=XTEC, CN=Certificat Freeswan"
        leftcert=/etc/ipsec.d/freeswan-cert.pem
        leftrsasigkey=%dnsondemand
        leftsubnet=193.xxx.88.64/31
        leftnexthop=213.xxx.162.1
        auto=add
        pfs=yes

$ ipsec auto --status

000 interface ipsec0/eth0 193.xxx.88.63
000
000 "road-xtecwarrior"[1]: 193.xxx.88.64/31===193.xxx.88.63[ST=BCN, O=XTEC, CN=Certificat Freeswan]---213.xxx.162.1...213.xxx.162.1---213.xxx.162.44[ST=BCN, O=XTEC, CN=Certificat Client]
000 "road-xtecwarrior"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "road-xtecwarrior"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; unrouted
000 "road-xtecwarrior"[1]: newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "road-xtecwarrior": 193.xxx.88.64/31===193.xxx.88.63[ST=BCN, O=XTEC, CN=Certificat Freeswan]---213.xxx.162.1...213.xxx.162.1---%any[ST=BCN, O=XTEC, CN=Certificat Client]
000 "road-xtecwarrior": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "road-xtecwarrior": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; unrouted
000 "road-xtecwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000 #1: "road-xtecwarrior"[1] 213.xxx.162.44 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 13s
000

Thanks in advance

--
toni
-- XTEC - xarxa telematica educativa de catalunya - education telematic network of catalonia


_______________________________________________
Users mailing list
Users@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
Received on Mon Feb 24 06:28:28 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:00:22 EDT
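The pluto log lines quoted in the post carry the diagnosis: a peer sending an UNSUPPORTED_EXCHANGE_TYPE notification during Phase 1, which pluto logs as "ignoring informational payload" because it will not act on an unauthenticated notify. The following is an added example (not code from the post or from FreeS/WAN) that parses such /var/log/secure lines per connection and peer and reports why the negotiation stalls; the sample input is the post's own log, unwrapped, with the addresses masked as posted.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the pluto lines quoted in the post above, unwrapped.
SAMPLE_LOG = """\
Feb 24 08:15:44 i2cat pluto[3342]: | ***parse ISAKMP Notification Payload:
Feb 24 08:15:44 i2cat pluto[3342]: |    DOI: ISAKMP_DOI_IPSEC
Feb 24 08:15:44 i2cat pluto[3342]: |    protocol ID: 1
Feb 24 08:15:44 i2cat pluto[3342]: |    SPI size: 0
Feb 24 08:15:44 i2cat pluto[3342]: |    Notify Message Type: UNSUPPORTED_EXCHANGE_TYPE
Feb 24 08:15:44 i2cat pluto[3342]: "road-xtecwarrior"[1] 213.xxx.162.44 #1: ignoring informational payload, type UNSUPPORTED_EXCHANGE_TYPE
Feb 24 08:15:44 i2cat pluto[3342]: "road-xtecwarrior"[1] 213.xxx.162.44 #1: received and ignored informational message
Feb 24 08:15:44 i2cat pluto[3342]: | next event EVENT_SHUNT_SCAN in 5 seconds
"""

# pluto line layout: syslog timestamp, host, pluto[pid], then the message; "| " marks plutodebug output.
PLUTO_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ pluto\[\d+\]: (?P<msg>.*)$")
# Connection-tagged messages: "conn"[instance] peer-ip #sa-number: text
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<text>.*)$')
IGNORED_RE = re.compile(r"^ignoring informational payload, type (?P<type>\S+)")

@dataclass
class PeerReport:
    conn: str
    peer: str
    ignored_notifies: list = field(default_factory=list)  # notify types pluto refused to act on

def parse_pluto_log(text):
    """Group 'ignoring informational payload' events by (connection, peer address)."""
    reports = {}
    for line in text.splitlines():
        m = PLUTO_RE.match(line)
        if not m or m["msg"].startswith("| "):
            continue                      # not a pluto line, or a debug dump line
        c = CONN_RE.match(m["msg"])
        if not c:
            continue                      # pluto message without a connection tag
        rep = reports.setdefault((c["conn"], c["peer"]), PeerReport(c["conn"], c["peer"]))
        i = IGNORED_RE.match(c["text"])
        if i:
            rep.ignored_notifies.append(i["type"])
    return list(reports.values())

def diagnose(reports):
    """One finding per peer that answered Phase 1 with UNSUPPORTED_EXCHANGE_TYPE."""
    findings = []
    for r in reports:
        if "UNSUPPORTED_EXCHANGE_TYPE" in r.ignored_notifies:
            findings.append(f"{r.conn} {r.peer}: peer reports it does not support the exchange type in use; "
                            "pluto ignores unauthenticated Phase 1 notifies, so the ISAKMP SA stays in its "
                            "MAIN_R state and retransmits until it times out")
    return findings
```

Run against a real /var/log/secure the same way; the check is about the peer's IKE exchange handling, so a clean certificate setup on the gateway will not change this output.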
