freeswan problem between w2k and linux

Alexander Joelly
      01-18-2004, 06:27 AM
Hi,

I'm trying to set up a roadwarrior IPsec tunnel between W2K and my Debian 3.0 stable (kernel 2.4.24);
I set up my machines with this document: http://www.freeswan.ca/docs/WindowsI...%20Interop.pdf,
but I get the following output when I try to ping from my W2K box to the box behind my VPN server:

Jan 18 03:07:27 vpn ipsec__plutorun: Starting Pluto subsystem...
Jan 18 03:07:27 vpn Pluto[7767]: Starting Pluto (FreeS/WAN Version 1.96)
Jan 18 03:07:27 vpn Pluto[7767]: including X.509 patch (Version 0.9.9)
Jan 18 03:07:27 vpn Pluto[7767]: Changing to directory '/etc/ipsec.d/cacerts'
Jan 18 03:07:27 vpn Pluto[7767]: loaded cacert file 'cacert.pem' (1314 bytes)
Jan 18 03:07:27 vpn Pluto[7767]: Changing to directory '/etc/ipsec.d/crls'
Jan 18 03:07:27 vpn Pluto[7767]: loaded crl file 'crl.pem' (528 bytes)
Jan 18 03:07:27 vpn Pluto[7767]: loaded my X.509 cert file '/etc/x509cert.der' (930 bytes)
Jan 18 03:07:27 vpn Pluto[7767]: | from whack: got --esp=3des
Jan 18 03:07:27 vpn Pluto[7767]: loaded host cert file '/etc/ipsec.d/freeswan-cert.pem' (3692 bytes)
Jan 18 03:07:27 vpn Pluto[7767]: loaded host cert file '/etc/ipsec.d/w2k-cert.pem' (3699 bytes)
Jan 18 03:07:27 vpn Pluto[7767]: added connection description "w2ktofreeswan"
Jan 18 03:07:27 vpn Pluto[7767]: listening for IKE messages
Jan 18 03:07:27 vpn Pluto[7767]: adding interface ipsec0/eth0 192.168.200.114
Jan 18 03:07:27 vpn Pluto[7767]: loading secrets from "/etc/ipsec.secrets"
Jan 18 03:07:27 vpn Pluto[7767]: loaded private key file '/etc/ipsec.d/private/freeswan-priv.pem' (1679 bytes)
Jan 18 03:07:30 vpn Pluto[7767]: packet from 192.168.200.105:500: ignoring Vendor ID payload
Jan 18 03:07:30 vpn last message repeated 2 times
Jan 18 03:07:30 vpn Pluto[7767]: packet from 192.168.200.105:500: initial Main Mode message received on 192.168.200.114:500 but no connection has been authorized
Jan 18 03:07:31 vpn Pluto[7767]: packet from 192.168.200.105:500: ignoring Vendor ID payload
Jan 18 03:07:31 vpn last message repeated 2 times
Jan 18 03:07:31 vpn Pluto[7767]: packet from 192.168.200.105:500: initial Main Mode message received on 192.168.200.114:500 but no connection has been authorized
Jan 18 03:07:33 vpn Pluto[7767]: packet from 192.168.200.105:500: ignoring Vendor ID payload
Jan 18 03:07:33 vpn last message repeated 2 times
Jan 18 03:07:33 vpn Pluto[7767]: packet from 192.168.200.105:500: initial Main Mode message received on 192.168.200.114:500 but no connection has been authorized
Jan 18 03:07:37 vpn Pluto[7767]: packet from 192.168.200.105:500: ignoring Vendor ID payload
Jan 18 03:07:37 vpn last message repeated 2 times
Jan 18 03:07:37 vpn Pluto[7767]: packet from 192.168.200.105:500: initial Main Mode message received on 192.168.200.114:500 but no connection has been authorized
Jan 18 03:07:45 vpn Pluto[7767]: packet from 192.168.200.105:500: ignoring Vendor ID payload
Jan 18 03:07:45 vpn last message repeated 2 times
Jan 18 03:07:45 vpn Pluto[7767]: packet from 192.168.200.105:500: initial Main Mode message received on 192.168.200.114:500 but no connection has been authorized
Jan 18 03:08:01 vpn Pluto[7767]: packet from 192.168.200.105:500: ignoring Vendor ID payload
Jan 18 03:08:01 vpn last message repeated 2 times
Jan 18 03:08:01 vpn Pluto[7767]: packet from 192.168.200.105:500: initial Main Mode message received on 192.168.200.114:500 but no connection has been authorized
Jan 18 03:08:33 vpn Pluto[7767]: packet from 192.168.200.105:500: ignoring Delete SA payload
Jan 18 03:08:33 vpn Pluto[7767]: packet from 192.168.200.105:500: received and ignored informational message


Here are my config files:

# /etc/ipsec.conf
config setup
interfaces="ipsec0=eth0"
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes


conn w2ktofreeswan
auto=add
authby=rsasig
left=192.169.200.114
leftsubnet=10.1.1.0/24
leftcert=freeswan-cert.pem
right=%any
rightcert=w2k-cert.pem
pfs=yes
keyingtries=0

-----



# /etc/ipsec.secrets

192.168.200.114 0.0.0.0 : RSA freeswan-priv.pem "password"

-----

The W2K box has IP 192.168.200.105/26;
the VPN server has eth0: 192.168.200.114/26 and eth1: 10.1.1.1/24;
host_behind has eth0: 10.1.1.2/24.

I don't know what's wrong in my config;
the keys are created and, I think, in the right place:
/etc/ipsec.d/cacerts/cacert.pem
/etc/ipsec.d/crls/crl.pem
/etc/ipsec.d/private/freeswan-priv.pem
/etc/ipsec.d/private/w2k-priv.pem
/etc/ipsec.d/freeswan-cert.pem
/etc/ipsec.d/w2k-cert.pem
/etc/x509cert.der

The configuration of the W2K box is done as described in the manual above.



Thx,
Alex


Aaron Drew
      01-18-2004, 12:39 PM
First, I'm not sure what your problem is. I've set up FreeS/WAN<->WinXP
between my Linux box and laptop without any hassles, and the log below
doesn't say much except that your problem might have something to do with a
bad ISAKMP negotiation. (I'm no expert, but I believe this is where the two
end-points authenticate each other and decide on encryption protocols.)

Secondly, why are you doing this? In my case I was securing a wireless LAN
connection to my laptop. If you are doing anything similar, think again.
The Windows implementation of IPsec (at least the XP implementation, anyway)
immediately severs the connection if it receives a packet with the
incorrect sequence number in the IPsec header. This can happen if a packet
gets dropped, which I find happens every 10 minutes to 2 hours, depending
on distance to the access point and the amount of bandwidth I'm using.

Thirdly, have you looked at Nate Millers(?)'s tutorial on
Windows<->FreeS/WAN? It was very useful when I set mine up.


Bill
      01-19-2004, 05:25 PM
> conn w2ktofreeswan
> auto=add
> authby=rsasig
> left=192.169.200.114

^?
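The mismatch Bill is pointing at (left=192.169.200.114 in ipsec.conf while Pluto logs "adding interface ipsec0/eth0 192.168.200.114") is the usual reason for "initial Main Mode message received on ... but no connection has been authorized": Pluto selects a conn for an incoming IKE packet by the local address it arrived on, and a left= that equals no interface address can never be selected. The following script is an added example, not code from the thread or from FreeS/WAN: it parses an ipsec.conf and the Pluto log, reports every conn whose left= is not an address Pluto added an interface for, and flags the one-octet-off case as a probable typo. The sample config and log lines are copied from the post above; the function names and the typo heuristic are my own.

```python
"""Cross-check a FreeS/WAN ipsec.conf against Pluto's startup log (added example).

Pluto picks the 'conn' for an incoming IKE Main Mode packet by the local
address it arrived on (left=) and the peer address (right=). A left= that
matches no interface Pluto added means no conn can ever be selected, and
every initial Main Mode message is logged as "no connection has been
authorized". The sample config and log lines below are copied from the
thread; everything else is illustrative.
"""
import re

# Constructed sample input: the relevant lines from the original post.
SAMPLE_CONF = """\
config setup
interfaces="ipsec0=eth0"
plutoload=%search
plutostart=%search

conn w2ktofreeswan
auto=add
authby=rsasig
left=192.169.200.114
leftsubnet=10.1.1.0/24
leftcert=freeswan-cert.pem
right=%any
rightcert=w2k-cert.pem
pfs=yes
keyingtries=0
"""

SAMPLE_LOG = """\
Jan 18 03:07:27 vpn Pluto[7767]: added connection description "w2ktofreeswan"
Jan 18 03:07:27 vpn Pluto[7767]: adding interface ipsec0/eth0 192.168.200.114
Jan 18 03:07:30 vpn Pluto[7767]: packet from 192.168.200.105:500: initial Main Mode message received on 192.168.200.114:500 but no connection has been authorized
"""

IFACE_RE = re.compile(r'adding interface \S+ (\S+)')
REJECT_RE = re.compile(r'packet from (\S+):\d+: initial Main Mode message received on (\S+):\d+ but no connection has been authorized')


def parse_conf(text):
    """Return {conn_name: {key: value}} for each 'conn' section.

    Real ipsec.conf indents parameter lines; this parser accepts both the
    indented form and the flattened form posted in the thread.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('conn '):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif line.startswith('config '):
            current = None              # 'config setup' is not a conn
        elif current is not None and '=' in line:
            key, value = line.split('=', 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def parse_log(text):
    """Return (addresses Pluto listens on, [(peer, local) pairs it rejected])."""
    ifaces, rejected = set(), []
    for line in text.splitlines():
        m = IFACE_RE.search(line)
        if m:
            ifaces.add(m.group(1))
        m = REJECT_RE.search(line)
        if m:
            rejected.append((m.group(1), m.group(2)))
    return ifaces, rejected


def octets_differ(a, b):
    """Number of dotted-quad octets in which two IPv4 strings differ (4 if not comparable)."""
    ao, bo = a.split('.'), b.split('.')
    if len(ao) != 4 or len(bo) != 4:
        return 4
    return sum(x != y for x, y in zip(ao, bo))


def find_problems(conf_text, log_text):
    """Return human-readable findings; an empty list means config and log agree."""
    conns = parse_conf(conf_text)
    ifaces, rejected = parse_log(log_text)
    problems = []
    for name, c in conns.items():
        left = c.get('left')
        if left is None or left.startswith('%'):
            continue                    # %defaultroute is resolved at runtime; nothing to check here
        if left not in ifaces:
            msg = f"{name}: left={left} is not an address Pluto added an interface for"
            near = sorted(i for i in ifaces if octets_differ(i, left) == 1)
            if near:
                msg += f" (one octet away from {near[0]}: typo?)"
            problems.append(msg)
    for peer, local in rejected:
        if not any(c.get('left') == local for c in conns.values()):
            problems.append(f"peer {peer} rejected on {local}: no conn has left={local}")
    return problems


if __name__ == '__main__':
    for p in find_problems(SAMPLE_CONF, SAMPLE_LOG):
        print(p)
```

Against the posted config and log it reports the conn whose left= is one octet away from the interface address and the rejected peer; with left= corrected to 192.168.200.114 it reports nothing. To use it on a live box, feed it the contents of /etc/ipsec.conf and of whichever syslog file receives Pluto's messages. It only catches the address-selection failure; a conn that never loaded (auto=ignore, or not listed when plutoload is not %search) or a right= that excludes the peer produces the same Pluto message and needs a look at the conn itself.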

Alexander Joelly
      01-22-2004, 09:36 PM
Bill wrote:
>> conn w2ktofreeswan
>> auto=add
>> authby=rsasig
>> left=192.169.200.114

>
> ^?
>

Sorry, it's only a typing error in this mail;
I've solved the problem using new certificates, but I don't know how to set up my Windows 2000 client to use the connection with a dynamic IP; with a static IP it now runs perfectly.


Thx,
Alex