
[Users] How to configure multiple connections for a roadwarrior?

From: Frédéric BOITEUX <fboiteux(at)calistel.com>
Date: Wed Mar 31 2004 - 04:10:01 EST

        Hello,

  I'm using FreeS/WAN 2.01 (Debian package) with the X.509 certificates extension.

I have already used it successfully with a simple roadwarrior configuration like this:

rw X.X.X.X - internet - gateway <public IP> - private network <192.168.136.X>

The roadwarrior initiates the connection and can access the private network behind the FreeS/WAN gateway.

Now, the roadwarrior must also have access to the gateway itself: with one connection, it doesn't work because the gateway receives packets on the 'normal' eth0 interface and tries to send them back via ipsec0... So, following the FreeS/WAN documentation, I've configured 2 connections, one for rw host <-> network, another for rw host <-> gateway host, like this:

[ the Opportunistic Encryption is disabled ]


conn rw_fred
        also=rw_certx509_commun
        leftsubnet=192.168.136.192/28
        rightid=""
        leftupdown=/usr/local/bin/updown
        auto=add

conn rw_fred_gw
        also=rw_certx509_commun
        rightid=""
        leftupdown=/usr/local/bin/updown
        auto=add

# common definitions for connections with an X.509 certificate:
conn rw_certx509_commun
        left=
        leftnexthop=%defaultroute
        leftrsasigkey=%cert
        leftcert=cert-freeswan.pem
        right=%any
        rightrsasigkey=%cert

When I start FreeS/WAN on the gateway, all connections are added and seem fine, but if the roadwarrior tries to connect, it fails with the following messages:

104 "rw_fred" #1: STATE_MAIN_I1: initiate

 010 "rw_fred" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
 106 "rw_fred" #1: STATE_MAIN_I2: sent MI2, expecting MR2
 010 "rw_fred" #1: STATE_MAIN_I2: retransmission; will wait 20s for response
 108 "rw_fred" #1: STATE_MAIN_I3: sent MI3, expecting MR3
 010 "rw_fred" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
 003 "rw_fred" #1: discarding duplicate packet; already STATE_MAIN_I3
 010 "rw_fred" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
 031 "rw_fred" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
 000 "rw_fred" #1: starting keying attempt 2 of an unlimited number, but releasing whack

And on the gateway, I see :

pluto[5601]: "rw_fred_gw"[1] 62.147.74.98 #159: responding to Main Mode from unknown peer 62.147.74.98
pluto[5601]: "rw_fred_gw"[1] 62.147.74.98 #160: responding to Main Mode from unknown peer 62.147.74.98
pluto[5601]: "rw_fred_gw"[1] 62.147.74.98 #159: discarding duplicate packet; already STATE_MAIN_R2
pluto[5601]: "rw_fred_gw"[1] 62.147.74.98 #159: Peer ID is ID_DER_ASN1_DN: 'C=FR, ... [ the complete DN]'
pluto[5601]: "rw_fred_gw"[1] 62.147.74.98 #159: issuer crl not found
pluto[5601]: "rw_fred_gw"[1] 62.147.74.98 #159: issuer crl not found
pluto[5601]: "rw_fred_gw"[1] 62.147.74.98 #159: no suitable connection for peer 'C=FR, ...[ the complete DN]'

I don't think the missing CRLs block the connection; it seems it's because the roadwarrior tries to activate rw_fred (i.e. the host-to-subnet connection) whereas on the gateway it is rw_fred_gw (the host-to-host connection) which tries to handle it. In fact, it sometimes works, depending on which connection (rw_fred / rw_fred_gw) is loaded first when FreeS/WAN reads its ipsec.conf file!!

I wonder how to configure FreeS/WAN to handle these 2 connections without a mismatch? By having 2 different secrets (i.e. 2 different certificates)????

I would appreciate any hint.


        With regards,

                Frédéric Boiteux.

-- 
Frédéric Boiteux  -  Calistel
430, rue Aristide Berges  38330  Montbonnot
Telephone: 04 76 52 61 16   / Fax: 04 76 52 37 27
GPG key: 1024D/AC50E3E3 : 6D7E 1EB6 78FB 050E 768D  91C9 8574 39A5 AC50 E3E3
_______________________________________________
FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
Received on Wed Mar 31 04:26:44 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:37 EDT
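Added here as an illustration, not part of the post or of FreeS/WAN itself: a small Python check that expands also= in an ipsec.conf and reports conns that share the same host addresses, IDs and certificate. That is the situation the post describes: rw_fred and rw_fred_gw differ only in leftsubnet, which IKEv1 Main Mode never carries, so which conn Pluto picks for the incoming Main Mode depends on load order. The sample config, the 192.0.2.1 gateway address and the assumption that a conn's own keys override those of its also= section are constructed for this example.

```python
import re
# Constructed sample laid out like the poster's two conns (gateway address is a
# placeholder, not his real file; the empty rightid is as posted).
SAMPLE_CONF = """\
conn rw_fred
        also=rw_certx509_commun
        leftsubnet=192.168.136.192/28
        rightid=""
        auto=add
conn rw_fred_gw
        also=rw_certx509_commun
        rightid=""
        auto=add
conn rw_certx509_commun
        left=192.0.2.1
        leftcert=cert-freeswan.pem
        right=%any
"""
# What Pluto sees in Main Mode (hosts, IDs, cert); subnets come only in Quick Mode.
PHASE1_KEYS = ("left", "right", "leftid", "rightid", "leftcert")

def parse_ipsec_conf(text):
    # {conn name: {param: [values in order]}}; '#' comments are stripped
    conns, current = {}, None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(value.strip('"'))
    return conns

def resolve(conns, name):
    # effective parameters after expanding also= (assumed: own keys override)
    eff = {}
    for inc in conns[name].get("also", []):
        eff.update(resolve(conns, inc))
    eff.update((k, v[-1]) for k, v in conns[name].items() if k != "also")
    return eff

def phase1_collisions(conns):
    # groups of loaded conns that Pluto cannot tell apart until Quick Mode
    groups = {}
    for name in conns:
        eff = resolve(conns, name)
        if eff.get("auto", "ignore") != "ignore":  # auto defaults to ignore
            key = tuple(eff.get(k, "") for k in PHASE1_KEYS)
            groups.setdefault(key, []).append(name)
    return sorted(sorted(v) for v in groups.values() if len(v) > 1)
```

Running phase1_collisions(parse_ipsec_conf(SAMPLE_CONF)) reports the pair rw_fred / rw_fred_gw; the template rw_certx509_commun is skipped because it has no auto= and is therefore never loaded on its own.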

