Re[2]: [Users] Please help - Win2k roadwarrior -> Freeswan gateway problems

From: stuart <stuart(at)camart.co.uk>
Date: Thu Mar 27 2003 - 08:36:14 EST

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Friday, March 21, 2003, 2:43:12 PM, you wrote:

Hello again,

Well, I have re-issued my certificates as 1024-bit certs and imported the new certificates as per Marcus Mueller's/Nate Carlson's instructions and got a message stating the import was successful. Now when I ping I still get a never-ending stream of 'Negotiating IP Security', but the error in oakley.log is:

 IKE failed to find valid machine certificate

However, the len parameter you pointed out below now reads something like 216 or 84 or 184 etc. (i.e. much smaller than 1860!), which is probably more sensible. If you have any idea what the problem is - obviously I have searched the list and can't see a reply to this problem.

thanks


stuart

AS> I think that your problem is IP packet fragmentation because
AS> Win2k sends its ID, certificate and signature in message
AS> MI3 but FreeS/WAN never seems to receive it. oakley.log shows
AS> the message to be extremely large:

AS> 3-21: 10:53:17:4c8 Sending: SA = 0x002382C8 to 217.154.55.26
AS>   3-21: 10:53:17:4c8 ISAKMP Header: (V1.0), len = 1860
AS>                                                   ^^^^
AS>   3-21: 10:53:17:4c8   I-COOKIE 12ac578c7cf18097
AS>   3-21: 10:53:17:4c8   R-COOKIE 725467a5262378ee
AS>   3-21: 10:53:17:4c8   exchange: Oakley Main Mode
AS>   3-21: 10:53:17:4c8   flags: 1 ( encrypted )
AS>   3-21: 10:53:17:4c8   next payload: ID
AS>   3-21: 10:53:17:4c8   message ID: 00000000
AS>   3-21: 10:53:18:1d4 Posting acquire: op=813C89A8 src=217.154.55.27.0 dst=217.154.55.26.0 proto = 0,
AS> SrcMask=255.255.255.255, DstMask=255.255.255.255, Tunnel 1, TunnelEndpt=217.154.55.26 Inbound
AS> TunnelEndpt=217.154.55.27
AS>   3-21: 10:53:18:1d4 Acquire thread waiting
AS>   3-21: 10:53:18:4c8 find(ipsec): 02db7461-8aa7-403e-ada8f6fe16f0a185
AS>   3-21: 10:53:18:4c8 Outstanding SA: 2382c8
AS>   3-21: 10:53:18:4c8 outstanding_kernel_req returned 1
AS>   3-21: 10:53:18:4c8 Main mode in progress. Acquire queued
AS>   3-21: 10:53:18:4c8 Queued Acquire Context 813c89a8 on SA 2382c8
AS>   3-21: 10:53:18:4c8 Handling Retransmit: sa 2382c8 handle b09b0 context 238b28 arg 238b28
AS>   3-21: 10:53:18:4c8 retransmit: sa = 002382C8 centry 00000000 , count = 0
AS>   3-21: 10:53:18:4c8
AS>   3-21: 10:53:18:4c8 Sending: SA = 0x002382C8 to 217.154.55.26
AS>   3-21: 10:53:18:4c8 ISAKMP Header: (V1.0), len = 1860
AS>   3-21: 10:53:18:4c8   I-COOKIE 12ac578c7cf18097
AS>   3-21: 10:53:18:4c8   R-COOKIE 725467a5262378ee
AS>   3-21: 10:53:18:4c8   exchange: Oakley Main Mode
AS>   3-21: 10:53:18:4c8   flags: 1 ( encrypted )
AS>   3-21: 10:53:18:4c8   next payload: ID
AS>   3-21: 10:53:18:4c8   message ID: 00000000
AS>   3-21: 10:53:20:4c8 Handling Retransmit: sa 2382c8 handle b09b0 context 238b28 arg 238b28
AS>   3-21: 10:53:20:4c8 retransmit: sa = 002382C8 centry 00000000 , count = 1

AS> Several more futile retransmissions follow.

AS> Workarounds:

AS> - Make the Win2k certificate smaller (1024-bit RSA key, short
AS>   Distinguished Names, discard most v3 extensions)

AS> or

AS> - Force the kernel to defragment IP packets before applying
AS>   firewall rules which by default discard IP fragments.

AS> Regards

AS> Andreas


AS> stuart wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----

stuart@camart.co.uk

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUAPoL+Uuuh6DeDjCODAQHGaQP+MAEIOzX9/xO9oRIZDtZp5D/omAwKBva0
zrfsYkf2GJIwJLuC+pYP+g4Mi5yIrPMa++iM6nfbZNibijnowkeEeHSiy6sAn5z+
g09Dy4duBZeb+28VCOQ6LtQA/9cTbtsiCgeV1c9j7BNESxBevA9LNjU+K7s9iFo1
Pm2tVVxgvF0=
=iOEk
-----END PGP SIGNATURE-----



Users mailing list
Users@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
Received on Thu Mar 27 21:04:31 2003
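The fragmentation diagnosis in Andreas's quoted reply can be checked without a Win2k box. The following is an added example, not code from the original thread or from FreeS/WAN: it parses the 28-byte ISAKMP header (RFC 2408, section 3.1) as it appears in the oakley.log excerpt above, then works out whether a UDP/500 datagram carrying an ISAKMP message of that length fits in a 1500-byte Ethernet MTU or must be split into IP fragments, which a firewall that discards fragments would then drop. The sample message is constructed here from the cookies, exchange type, flags and len = 1860 printed in the log; everything after the header is zero padding, since the real payloads are not on the page.

```python
"""Added example: ISAKMP header parsing and IP-fragmentation check.

Not part of the original mailing-list post. The sample header is
constructed from the values printed in the quoted oakley.log excerpt.
"""
import struct

ISAKMP_HEADER_LEN = 28   # RFC 2408 3.1: 8+8+1+1+1+1+4+4 bytes
IP_HEADER_LEN = 20       # IPv4 header without options
UDP_HEADER_LEN = 8
ETHERNET_MTU = 1500

# RFC 2408 exchange types and payload types used in IKEv1 Main Mode.
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 6: "CERT", 9: "SIG",
                 10: "NONCE", 11: "N", 13: "VID"}
FLAG_ENCRYPTED = 0x01

_HDR = "!8s8sBBBBII"   # i-cookie, r-cookie, next, version, exchange, flags, msgid, length


def build_isakmp_message(i_cookie, r_cookie, next_payload, exchange, flags,
                         message_id, total_length):
    """Return header + zero padding so the message has the stated length."""
    hdr = struct.pack(_HDR, i_cookie, r_cookie, next_payload, 0x10,
                      exchange, flags, message_id, total_length)
    return hdr + b"\x00" * (total_length - ISAKMP_HEADER_LEN)


def parse_isakmp_header(data):
    """Decode the fixed ISAKMP header into the fields oakley.log prints."""
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError("short ISAKMP header")
    ic, rc, nxt, ver, exch, flags, msgid, length = struct.unpack(_HDR, data[:ISAKMP_HEADER_LEN])
    return {
        "i_cookie": ic.hex(),
        "r_cookie": rc.hex(),
        "version": "%d.%d" % (ver >> 4, ver & 0x0F),
        "exchange": EXCHANGE_TYPES.get(exch, exch),
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "next_payload": PAYLOAD_TYPES.get(nxt, nxt),
        "message_id": msgid,
        "length": length,
    }


def ip_fragments_needed(isakmp_len, mtu=ETHERNET_MTU):
    """Number of IPv4 fragments a UDP datagram carrying isakmp_len bytes needs."""
    if IP_HEADER_LEN + UDP_HEADER_LEN + isakmp_len <= mtu:
        return 1
    # Fragment offsets are in 8-byte units, so each non-final fragment
    # carries a multiple of 8 payload bytes.
    per_fragment = (mtu - IP_HEADER_LEN) // 8 * 8
    total_payload = UDP_HEADER_LEN + isakmp_len
    return -(-total_payload // per_fragment)   # ceiling division


def would_be_dropped(isakmp_len, mtu=ETHERNET_MTU, firewall_drops_fragments=True):
    """True if a fragment-dropping firewall would discard this message."""
    return firewall_drops_fragments and ip_fragments_needed(isakmp_len, mtu) > 1


# Constructed sample: the MM3 header from the quoted oakley.log, len = 1860.
SAMPLE_MM3 = build_isakmp_message(
    bytes.fromhex("12ac578c7cf18097"), bytes.fromhex("725467a5262378ee"),
    next_payload=5, exchange=2, flags=FLAG_ENCRYPTED, message_id=0, total_length=1860)

if __name__ == "__main__":
    hdr = parse_isakmp_header(SAMPLE_MM3)
    for k, v in hdr.items():
        print("%-13s %s" % (k, v))
    for n in (1860, 216):   # the original and the post-shrink sizes from the thread
        print("len=%d -> %d fragment(s), dropped by fragment filter: %s"
              % (n, ip_fragments_needed(n), would_be_dropped(n)))
```

With len = 1860 the datagram is 1888 bytes on the wire and splits into two fragments; the second one carries no UDP header, so a stateless rule such as "accept UDP dport 500" never matches it, which is the drop Andreas describes. The re-issued 1024-bit certificate brings the message down to a few hundred bytes and a single packet, so the second workaround (defragment before filtering, which on a Linux 2.4 netfilter kernel happens as a side effect of loading connection tracking) is only needed if the certificate cannot be shrunk.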

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:01:11 EDT
