Dear Mr. Steffen,
Today I re-created a few certificates for my Linux FreeS/WAN server and
the XP Pro machine, and when I ran the ipsec auto --listcerts command which
you asked me to, I got the output below:
[root@localhost sslca]# ipsec auto --listcerts
000
000 List of User/Host Certificates:
000
000 Sep 22 13:21:26 2003, count: 2
000 subject: 'C=my, ST=selangor, L=KL, O=firestar, CN=servercert'
000 issuer: 'C=my, ST=sel, L=kl, O=firestar, CN=firestar'
000 pubkey: 2048 RSA Key AwEAAa//k
000 validity: not before Sep 22 10:24:43 2003 ok
000 not after Sep 19 10:24:43 2013 ok
000 Sep 22 13:21:26 2003, count: 2
000 subject: 'C=my, ST=sel, L=kl, O=firestar, CN=firestar'
000 issuer: 'C=my, ST=sel, L=kl, O=firestar, CN=firestar'
000 pubkey: 2048 RSA Key AwEAAchuH
000 validity: not before Sep 19 14:05:50 2003 ok
000 not after Sep 16 14:05:50 2013 ok
[root@localhost sslca]#
So this is a good sign, I think, because this tells me that there are 2
certificates, one for the Linux FreeS/WAN server and another one for the
Windows XP client machine. But I still can't establish a connection. I get a
message saying "Authentication Failed", and when I check the error log on the
Windows machine it says "failed to verify signature", and the Linux FreeS/WAN
log in /var/log/secure says as below:
Sep 22 13:48:29 localhost pluto[7125]: packet from 192.168.0.2:500: ignoring
Vendor ID payload
Sep 22 13:48:29 localhost pluto[7125]: "roadwarrior"[1] 192.168.0.2 #1:
responding to Main Mode from unknown peer 192.168.0.2
Sep 22 13:48:30 localhost pluto[7125]: "roadwarrior"[1] 192.168.0.2 #1: Peer
ID is ID_DER_ASN1_DN: 'C=my, ST=sel, L=kl, O=firestar, CN=firestar'
Sep 22 13:48:30 localhost pluto[7125]: "roadwarrior"[1] 192.168.0.2 #1: sent
MR3, ISAKMP SA established
Sep 22 13:48:30 localhost pluto[7125]: "roadwarrior"[1] 192.168.0.2 #1:
ignoring informational payload, type AUTHENTICATION_FAILED
Sep 22 13:48:30 localhost pluto[7125]: "roadwarrior"[1] 192.168.0.2 #1:
received and ignored informational message
[root@localhost cacerts]#
Please help me, I don't know why the authentication is failing. I can see a
Security Association (SA), but after that, in the authentication part, the
authentication failed. Can this be because the private key for either of my
certificates is not in /etc/ipsec.secrets? Any help will be helpful.
Please respond to me as soon as possible, because I did not edit anything in
my ipsec.secrets file. I did not add any private keys to it. But there is
something in it. Below is what I get from my ipsec.secrets:
[root@localhost cacerts]# more /etc/ipsec.secrets
: RSA {
# RSA 2192 bits localhost.localdomain Fri Sep 19 13:03:31 2003
# for signatures only, UNSAFE FOR ENCRYPTION
}
# do not change the indenting of that "}"
[root@localhost cacerts]#
any help will be helpful.
Thanks,
Sukhbinder Singh,
(sukhbinders@hotmail.com)
>From: Andreas Steffen <andreas.steffen@strongsec.net>
>To: Sukhbinder Singh
>CC: users@mj2.freeswan.org
>Subject: Re: [Users] IPSec
>Date: Thu, 18 Sep 2003 08:26:53 +0200
>
>It could be that FreeS/WAN's certificate does not match its private key.
>Does
>
> ipsec auto --listcerts
>
>show FreeS/WAN's cert with the comment
>
> ..., has private key ?
>
>Regards
>
>Andreas
>
>Sukhbinder Singh wrote:
>>Dear Dr. Steffen,
>>
>> I checked on the other side, which is an XP machine configured as a road
>>warrior, and the log file says "Failed to Verify Signature". So I am
>>suspecting the error could be because the certificate for the client machine
>>is not located at the proper place on my Linux box for the XP road warrior
>>to properly verify the identity of the signature. Can you please provide
>>me with some input on this? Any help will be greatly appreciated.
>>
>>thanks,
>>
>>sukhbinder singh,
>>(sukhbinders@hotmail.com)
>>
>>
>>>From: Andreas Steffen <andreas.steffen@strongsec.net>
>>>To: Sukhbinder Singh <sukhbinders@hotmail.com>
>>>CC: users@mj2.freeswan.org
>>>Subject: Re: [Users] IPSec
>>>Date: Wed, 17 Sep 2003 23:59:33 +0200
>>>
>>>The error message is coming from the peer. This means that you must
>>>have a look at the log on the other side.
>>>
>>>Regards
>>>
>>>Andreas
>>>
>>>Sukhbinder Singh wrote:
>>>
>>>>dear sir,
>>>>
>>>> i am receiving some errors while i am trying to negotiate a tunnel.
>>>>i am getting a message like below :-
>>>>
>>>>"Sep 17 16:22:11 localhost pluto[5145]: "roadwarrior"[2] 192.168.0.2 #1:
>>>>ignoring informational payload, type AUTHENTICATION_FAILED
>>>>Sep 17 16:22:11 localhost pluto[5145]: "roadwarrior"[2] 192.168.0.2 #1:
>>>>received and ignored informational message
>>>>[root@localhost root]# "
>>>>
>>>>The authentication seems to fail. How can I correct these errors? I
>>>>generated all the certs from the same CA and they should authenticate, but
>>>>I am receiving this message.
>>>>
>>>>any help will be appreciated.
>>>>
>>>>send me a reply at my email address :- sukhbinders@hotmail.com
>>>>
>>>>thanks,
>>>>
>>>>sukhbinder singh,
>>>>(sukhbinders@hotmail.com)
>
>=======================================================================
>Andreas Steffen e-mail: andreas.steffen@strongsec.com
>strongSec GmbH home: http://www.strongsec.com
>Alter Zürichweg 20 phone: +41 1 730 80 64
>CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
>==========================================[strong internet security]===
FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
Received on Mon Sep 22 02:08:23 2003
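
The check asked for in the quoted reply (does ipsec auto --listcerts show a certificate with the comment "has private key"?) can be scripted. This is an added example, not part of the thread or of FreeS/WAN; the function names are hypothetical, and the placement of the comment inside a certificate's entry is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the "has private key"
# comment appears inside the entry of the certificate it refers to.

# Read `ipsec auto --listcerts` output on stdin; print "yes|no <subject>" per cert.
check_listcerts() {
    awk '
        function emit() { if (subj != "") { v = key ? "yes" : "no"; print v, subj } }
        /subject:/ { emit(); subj = $0; sub(/^.*subject:[ \t]*/, "", subj); key = 0 }
        /has private key/ { key = 1 }
        END { emit() }
    '
}

# Succeeds only if at least one listed certificate has a private key.
any_private_key() {
    check_listcerts | grep -q '^yes '
}

# The listing posted in the message above.
sample_from_thread() {
    cat <<'EOF'
000
000 List of User/Host Certificates:
000
000 Sep 22 13:21:26 2003, count: 2
000 subject: 'C=my, ST=selangor, L=KL, O=firestar, CN=servercert'
000 issuer: 'C=my, ST=sel, L=kl, O=firestar, CN=firestar'
000 pubkey: 2048 RSA Key AwEAAa//k
000 validity: not before Sep 22 10:24:43 2003 ok
000 not after Sep 19 10:24:43 2013 ok
000 Sep 22 13:21:26 2003, count: 2
000 subject: 'C=my, ST=sel, L=kl, O=firestar, CN=firestar'
000 issuer: 'C=my, ST=sel, L=kl, O=firestar, CN=firestar'
000 pubkey: 2048 RSA Key AwEAAchuH
000 validity: not before Sep 19 14:05:50 2003 ok
000 not after Sep 16 14:05:50 2013 ok
EOF
}

# Constructed variant: the same listing with the comment added to the first entry.
sample_constructed() {
    sample_from_thread | sed '/RSA Key AwEAAa\/\/k/s/$/, has private key/'
}

sample_from_thread | check_listcerts
sample_from_thread | any_private_key || echo "no listed certificate has a private key"
```

On a live gateway the same functions take their input from `ipsec auto --listcerts | check_listcerts`.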