Freeswan X509 yet again
Petr Vejsada
daemon at nospam.exe
Tuesday May 27 16:09:09 CEST 2003
Good day,
I have made some progress in my struggle with IPsec vs. Windows. I have got IPsec
linux<->linux with certificates working completely, the way I want it, but
windows (road-warrior) -> linux still will not work. My head is full of all of it and
it still refuses to work.
Super-freeswan-1.99.7
ipsec.conf:
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=no
    strictcrlpolicy=yes
    plutowait=no

conn %default
    keyingtries=2
    authby=rsasig
    auto=ignore

conn notebooky-int
    left=212.24.142.174
    leftnexthop=212.24.142.173
    leftsubnet=192.168.0.0/16
    leftcert=mycerts/linux.pem
    leftrsasigkey=%cert
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    pfs=yes
    auto=add

conn notebooky-pub
    left=212.24.142.174
    leftnexthop=212.24.142.173
    leftsubnet=212.24.147.224/28
    leftcert=mycerts/linux.pem
    leftrsasigkey=%cert
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    pfs=yes
    auto=add
When I connect from Linux, everything is OK:
May 27 15:50:16 linux pluto[22586]: "notebooky-int"[1] 62.177.75.199 #1: responding to Main Mode from unknown peer 62.177.75.199
May 27 15:50:19 linux pluto[22586]: "notebooky-int"[1] 62.177.75.199 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CZ, ST=Ceska republika, L=Praha, O=Svoboda a.s., OU=ipsec, CN=nbook-pedro'
May 27 15:50:19 linux pluto[22586]: "notebooky-int"[2] 62.177.75.199 #1: deleting connection "notebooky-int" instance with peer 62.177.75.199
May 27 15:50:19 linux pluto[22586]: "notebooky-int"[2] 62.177.75.199 #1: sent MR3, ISAKMP SA established
May 27 15:50:21 linux pluto[22586]: "notebooky-int"[2] 62.177.75.199 #2: responding to Quick Mode
May 27 15:50:21 linux pluto[22586]: "notebooky-pub"[1] 62.177.75.199 #3: responding to Quick Mode
May 27 15:50:21 linux pluto[22586]: "notebooky-int"[2] 62.177.75.199 #2: IPsec SA established
May 27 15:50:22 linux pluto[22586]: "notebooky-pub"[1] 62.177.75.199 #3: IPsec SA established
When connecting from Windows, it fails:
May 27 16:01:47 linux pluto[23075]: packet from 62.177.75.39:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
May 27 16:01:47 linux pluto[23075]: "notebooky-int"[1] 62.177.75.39 #1: responding to Main Mode from unknown peer 62.177.75.39
May 27 16:01:50 linux pluto[23075]: "notebooky-int"[1] 62.177.75.39 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CZ, ST=Ceska republika, L=Praha, O=Svoboda a.s., OU=ipsec, CN=nbook-vorlk'
May 27 16:01:50 linux pluto[23075]: "notebooky-int"[2] 62.177.75.39 #1: deleting connection "notebooky-int" instance with peer 62.177.75.39
May 27 16:01:51 linux pluto[23075]: "notebooky-int"[2] 62.177.75.39 #1: sent MR3, ISAKMP SA established
May 27 16:01:52 linux pluto[23075]: "notebooky-int"[2] 62.177.75.39 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
May 27 16:01:54 linux pluto[23075]: "notebooky-int"[2] 62.177.75.39 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
May 27 16:01:54 linux pluto[23075]: "notebooky-int"[2] 62.177.75.39 #1: cannot respond to IPsec SA request because no connection is known for 212.24.142.174[C=CZ, ST=Ceska republika, L=Praha, O=Svoboda a.s., OU=ipsec, CN=linux]:17/0...62.177.75.39[C=CZ, ST=Ceska republika, L=Praha, O=Svoboda a.s., OU=ipsec, CN=nbook-vorlk]:17/1701
May 27 16:01:54 linux pluto[23075]: "notebooky-int"[2] 62.177.75.39 #1: sending encrypted notification INVALID_ID_INFORMATION to 62.177.75.39:500
It actually starts with those strange duplicate packets (why? Does M$ send
everything several times "just to be sure"?), but above all "cannot respond to
IPsec SA, no connection is known". What exactly does that mean? That pluto does
not know which connection to use? It seems to know, otherwise it would not print
notebooky-int, which is correct. And the Invalid_ID I do not understand at all.
On the Windows side, use of the IPsec gateway 212.24.142.174 is clicked in, which
is OK, otherwise I probably would not see anything in the log at all, and the
remote network 192.168.0.0/16, which is also correct and matches the definition
in conn notebooky-int. Windows, as expected, says nothing at all, just "Keep
clicking, change the settings and try again (TM)".
And one more question, slightly off topic: can several leftsubnets be defined in
one connection? IMHO not, something like leftsubnet=192.168.0.0/16,212.24.147.224/28?
Thank you very much for any help.
--
Petr /daemon(at)svoboda(dot)cz/
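The `:17/0...:17/1701` suffix in the failing Windows-side line is a protocol/port selector: IP protocol 17 is UDP and port 1701 is L2TP, and neither end carries a `===subnet` part, so the peer is asking for a host-to-host (transport-mode) Phase 2 SA, which is what the built-in Windows L2TP/IPsec client proposes. The ipsec.conf above only defines tunnel-mode conns with leftsubnet, so pluto finds no connection whose selectors match and answers with INVALID_ID_INFORMATION. The following Python helper is an added example, not part of the original post and not FreeS/WAN code: it parses that pluto line into its two ends and returns this diagnosis. The regex for pluto's `host[id]:proto/port` end format, the `===` client-subnet convention and the port-to-service table are assumptions made here; the sample line is the post's own log line re-joined onto one line.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the failing Windows-side pluto line from the post, re-joined onto one line.
SAMPLE_LINE = (
    'May 27 16:01:54 linux pluto[23075]: "notebooky-int"[2] 62.177.75.39 #1: cannot '
    'respond to IPsec SA request because no connection is known for '
    '212.24.142.174[C=CZ, ST=Ceska republika, L=Praha, O=Svoboda a.s., OU=ipsec, '
    'CN=linux]:17/0...62.177.75.39[C=CZ, ST=Ceska republika, L=Praha, O=Svoboda '
    'a.s., OU=ipsec, CN=nbook-vorlk]:17/1701'
)

IP_PROTOCOLS = {0: "any", 1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}
WELL_KNOWN_PORTS = {500: "IKE/ISAKMP", 1701: "L2TP", 4500: "IKE NAT-T"}  # assumed lookup table


@dataclass
class Endpoint:
    host: str
    dn: dict               # X.509 subject DN parsed from the [...] part
    client: Optional[str]  # subnet behind the host (tunnel mode); None when the selector is the host itself
    proto: int
    port: int


# One pluto end as printed in FreeS/WAN-style messages: host[id]:proto/port, with an optional
# "===subnet" client part joined on either side. The exact format is an assumption made here.
END_RE = re.compile(
    r'(?:(?P<pre_client>[0-9./]+)===)?'
    r'(?P<host>[0-9.]+)\[(?P<ident>[^\]]*)\]'
    r'(?::(?P<proto>\d+)/(?P<port>\d+))?'
    r'(?:===(?P<post_client>[0-9./]+))?'
)
CONN_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\]')
NOCONN_RE = re.compile(r'no connection is known for (?P<local>.+?)\.\.\.(?P<remote>.+)$')


def parse_dn(ident: str) -> dict:
    """Split 'C=CZ, ST=..., CN=linux' (comma-space separated, as pluto prints it) into RDNs."""
    return dict(part.split("=", 1) for part in ident.split(", ") if "=" in part)


def parse_end(text: str) -> Optional[Endpoint]:
    m = END_RE.fullmatch(text.strip())
    if not m:
        return None
    return Endpoint(
        host=m.group("host"),
        dn=parse_dn(m.group("ident")),
        client=m.group("pre_client") or m.group("post_client"),
        proto=int(m.group("proto") or 0),
        port=int(m.group("port") or 0),
    )


def diagnose(line: str) -> Optional[dict]:
    """Explain a 'cannot respond to IPsec SA request because no connection is known for' line.
    Returns None for any other pluto line."""
    m = NOCONN_RE.search(line)
    if not m:
        return None
    local, remote = parse_end(m.group("local")), parse_end(m.group("remote"))
    if local is None or remote is None:
        return None
    conn = CONN_RE.search(line)
    host_to_host = local.client is None and remote.client is None
    service = WELL_KNOWN_PORTS.get(remote.port) or WELL_KNOWN_PORTS.get(local.port)
    result = {
        "conn": conn.group("conn") if conn else None,  # conn instance that Phase 1 matched on the peer's ID
        "local_cn": local.dn.get("CN"),
        "remote_cn": remote.dn.get("CN"),
        "protocol": IP_PROTOCOLS.get(remote.proto, str(remote.proto)),
        "local_port": local.port,
        "remote_port": remote.port,
        "host_to_host": host_to_host,
        "service": service,
    }
    if host_to_host and remote.proto == 17 and 1701 in (local.port, remote.port):
        result["verdict"] = (
            "Phase 2 proposal is host-to-host UDP/1701 (L2TP over IPsec, transport mode); "
            "a conn that only defines leftsubnet/rightsubnet tunnel selectors cannot match it, "
            "so pluto rejects Quick Mode with INVALID_ID_INFORMATION."
        )
    elif host_to_host:
        result["verdict"] = "Phase 2 proposal is host-to-host; no conn has matching selectors."
    else:
        result["verdict"] = "Phase 2 proposal names a client subnet; compare it with leftsubnet/rightsubnet."
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LINE).items():
        print(f"{key}: {value}")
```

Run it as a script, or pass it any pluto line; it returns None for lines it does not recognise. Whether this particular pluto build accepts a transport-mode conn with per-protocol/port selectors (the parameter names in FreeS/WAN's successors Openswan, strongSwan and Libreswan are leftprotoport=17/1701 and rightprotoport=17/%any, and their availability in Super FreeS/WAN 1.99.7 is an assumption here) should be checked against that version's ipsec.conf(5); the `:17/1701` in the log at least shows this pluto already understands port selectors.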