Freeswan X509 yet again

Petr Vejsada daemon na nospam.exe
Tuesday May 27 16:09:09 CEST 2003


Good day,

I have made some progress in my struggle with ipsec x windows. I got a 
complete ipsec linux<->linux setup with certificates working exactly the way I 
want it, but windows (road-warrior) -> linux still just will not. My head is 
full of all of it and it still refuses to work.

Super-freeswan-1.99.7

ipsec.conf:
config setup
                interfaces="ipsec0=eth0"
                klipsdebug=none
                plutodebug=none
                plutoload=%search
                plutostart=%search
                uniqueids=no
                strictcrlpolicy=yes
                plutowait=no

conn %default
                keyingtries=2
                authby=rsasig
                auto=ignore

conn notebooky-int
                left=212.24.142.174
                leftnexthop=212.24.142.173
                leftsubnet=192.168.0.0/16
                leftcert=mycerts/linux.pem
                leftrsasigkey=%cert
                right=%any
                rightca=%same
                rightrsasigkey=%cert
                pfs=yes
                auto=add

conn notebooky-pub
                left=212.24.142.174
                leftnexthop=212.24.142.173
                leftsubnet=212.24.147.224/28
                leftcert=mycerts/linux.pem
                leftrsasigkey=%cert
                right=%any
                rightca=%same
                rightrsasigkey=%cert
                pfs=yes
                auto=add


When I connect from linux, everything is OK:

May 27 15:50:16 linux pluto[22586]: "notebooky-int"[1] 62.177.75.199 #1: responding to Main Mode from unknown peer 62.177.75.199
May 27 15:50:19 linux pluto[22586]: "notebooky-int"[1] 62.177.75.199 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CZ, ST=Ceska republika, L=Praha, O=Svoboda a.s., OU=ipsec, CN=nbook-pedro'
May 27 15:50:19 linux pluto[22586]: "notebooky-int"[2] 62.177.75.199 #1: deleting connection "notebooky-int" instance with peer 62.177.75.199
May 27 15:50:19 linux pluto[22586]: "notebooky-int"[2] 62.177.75.199 #1: sent MR3, ISAKMP SA established
May 27 15:50:21 linux pluto[22586]: "notebooky-int"[2] 62.177.75.199 #2: responding to Quick Mode
May 27 15:50:21 linux pluto[22586]: "notebooky-pub"[1] 62.177.75.199 #3: responding to Quick Mode
May 27 15:50:21 linux pluto[22586]: "notebooky-int"[2] 62.177.75.199 #2: IPsec SA established
May 27 15:50:22 linux pluto[22586]: "notebooky-pub"[1] 62.177.75.199 #3: IPsec SA established

From windows, it is KO:

May 27 16:01:47 linux pluto[23075]: packet from 62.177.75.39:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
May 27 16:01:47 linux pluto[23075]: "notebooky-int"[1] 62.177.75.39 #1: responding to Main Mode from unknown peer 62.177.75.39
May 27 16:01:50 linux pluto[23075]: "notebooky-int"[1] 62.177.75.39 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CZ, ST=Ceska republika, L=Praha, O=Svoboda a.s., OU=ipsec, CN=nbook-vorlk'
May 27 16:01:50 linux pluto[23075]: "notebooky-int"[2] 62.177.75.39 #1: deleting connection "notebooky-int" instance with peer 62.177.75.39
May 27 16:01:51 linux pluto[23075]: "notebooky-int"[2] 62.177.75.39 #1: sent MR3, ISAKMP SA established
May 27 16:01:52 linux pluto[23075]: "notebooky-int"[2] 62.177.75.39 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
May 27 16:01:54 linux pluto[23075]: "notebooky-int"[2] 62.177.75.39 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
May 27 16:01:54 linux pluto[23075]: "notebooky-int"[2] 62.177.75.39 #1: cannot respond to IPsec SA request because no connection is known for 212.24.142.174[C=CZ, ST=Ceska republika, L=Praha, O=Svoboda a.s., OU=ipsec, CN=linux]:17/0...62.177.75.39[C=CZ, ST=Ceska republika, L=Praha, O=Svoboda a.s., OU=ipsec, CN=nbook-vorlk]:17/1701
May 27 16:01:54 linux pluto[23075]: "notebooky-int"[2] 62.177.75.39 #1: sending encrypted notification INVALID_ID_INFORMATION to 62.177.75.39:500


It actually starts with those strange duplicate packets (why? Could it be that 
M$ sends everything several times "just to be sure"?), but mainly "cannot 
respond to IPsec SA, no connection is known". What exactly does that mean? 
That pluto does not know which connection to use? It seems that it does know, 
otherwise it would not print notebooky-int, which is correct. And I do not 
understand Invalid_ID at all.

On the windows side, use of the ipsec gateway 212.24.142.174 is clicked in, 
which is OK, otherwise I probably would not see anything in the log at all, 
and the remote network 192.168.0.0/16, which is also correct and matches the 
definition in conn notebooky-int. As expected, Windows say nothing at all, 
just "Keep clicking, change the settings and try again (TM)".

And one more question, slightly off topic - can several leftsubnets be defined 
in one connection? IMHO not, something like 
leftsubnet=192.168.0.0/16,212.24.147.224/28?

Many thanks for any help.


-- 
Petr /daemon(zavinac)svoboda(tecka)cz/
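As an added diagnostic example (not the poster's code and not part of FreeS/WAN), here is a small Python parser for the pluto "no connection is known for" line quoted in the post: it splits the rejected Phase 2 selector pair into the gateway side and the peer side, and flags the case where the peer asks for UDP/1701 traffic, i.e. an L2TP transport SA rather than the 192.168.0.0/16 tunnel that conn notebooky-int defines. The optional "subnet===" prefix in the selector regex is an assumption about pluto's format that this post does not show.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the Phase 2 failure line from the post, re-joined onto one line.
SAMPLE_LOG = (
    'May 27 16:01:54 linux pluto[23075]: "notebooky-int"[2] 62.177.75.39 #1: cannot '
    'respond to IPsec SA request because no connection is known for '
    '212.24.142.174[C=CZ, ST=Ceska republika, L=Praha, O=Svoboda a.s., OU=ipsec, '
    'CN=linux]:17/0...62.177.75.39[C=CZ, ST=Ceska republika, L=Praha, O=Svoboda '
    'a.s., OU=ipsec, CN=nbook-vorlk]:17/1701'
)

UDP, L2TP_PORT = 17, 1701  # IP protocol 17 = UDP; UDP port 1701 = L2TP

# One side of the selector pair: [subnet===]host[ID]:proto/port
# The "subnet===" prefix is an assumption; the post only shows host selectors.
END_RE = re.compile(
    r'(?:(?P<subnet>[\d.]+/\d+)===)?(?P<addr>[\d.]+)\[(?P<ident>[^\]]*)\]'
    r':(?P<proto>\d+)/(?P<port>\d+)'
)
MSG_RE = re.compile(r'no connection is known for (?P<sel>.+)$')


@dataclass
class Endpoint:
    addr: str               # host address pluto printed for this side
    subnet: Optional[str]   # client subnet, if the selector carried one
    ident: str              # the X.509 DN pluto used as this side's ID
    proto: int              # IP protocol of the traffic selector (0 = any)
    port: int               # port of the traffic selector (0 = any)


def parse_endpoint(text: str) -> Endpoint:
    m = END_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f'unrecognised selector: {text!r}')
    return Endpoint(m['addr'], m['subnet'], m['ident'], int(m['proto']), int(m['port']))


def diagnose(line: str) -> Tuple[Optional[str], Optional[Endpoint], Optional[Endpoint]]:
    """Return (kind, our_side, peer_side): kind is 'l2tp' when the peer wants
    UDP/1701 (an L2TP/IPsec transport SA, not a subnet tunnel), 'other' for any
    other selector mismatch, None if the line is not a selector-mismatch message."""
    m = MSG_RE.search(line)
    if m is None:
        return None, None, None
    ours, peer = (parse_endpoint(p) for p in m['sel'].split('...', 1))
    if peer.proto == UDP and L2TP_PORT in (peer.port, ours.port):
        return 'l2tp', ours, peer
    return 'other', ours, peer
```

Run against the log above it reports 'l2tp', which matches the INVALID_ID_INFORMATION notification pluto sends right after: no conn on the gateway has a selector for UDP/1701, so the proposal is rejected.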



More information about the Linux mailing list