Hello,

during this week I have set up a FreeSWAN gateway and tested the configuration successfully with another gateway and a Win2k client. After this I copied the certificate and the configuration I used with Win2k to an XP box (ipsecmd installed, no SP2, ipsec-tool from vpn.ebootis.de). "ipsec -debug" looked good and a ping to an Apache behind the FreeSWAN gateway told me "ip security negotiated".

But in /var/log/messages I find the following line:

"encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA"

I saw this message before, when I used the wrong CA in the Win2k ipsec.conf. But this time the CA must be right, because I was able to connect to the Apache with the Win2k client over the VPN (tcpdump and the browser proved that).

Do any of you know whether it is necessary to make any change to the config files when the client is an XP box? I haven't found a note on that in the documentation.

Thanks for any hint.

Bye,
Stefan
--
*****************************************
in-put GbR - Das Linux-Systemhaus
Stefan-Michael Günther
Moltkestraße 49
D-76133 Karlsruhe
Tel./Fax : +49 (0)721 / 83044 - 98/93
http://www.in-put.de
*****************************************
Hi,

it's always a good idea to solve your own problems. Here's the small list of things I made wrong and which obviously made the difference between Win2k and Win XP as a FreeSWAN client:

1. The validity period of the client certificate should lie within the validity period of the CA certificate.
2. Don't use strange characters like '&' in the DN.
3. The DN of the CA must be different from the DN of the gateway.

Hope this prevents someone from wasting hours like I did.

Bye,
Stefan
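A small checker for the three pitfalls listed above, as an added example that is not part of the original posts and not FreeSWAN code. It assumes the CA, gateway and client certificates have each been dumped with `openssl x509 -noout -subject -issuer -dates -nameopt RFC2253 -in cert.pem`, and parses that text rather than the certificates themselves, so it runs without OpenSSL; the dumps embedded below are constructed samples. Beyond the post, it also reports an end-entity certificate whose issuer DN differs from the CA subject, and it treats every character outside a conservative allow-list (not just '&') as suspect, which is an assumption, not something the post claims.

```python
"""Check a FreeSWAN CA / gateway / client certificate trio for the pitfalls
reported on the list: validity nesting, odd DN characters, CA DN == gateway DN.

Input is the text printed by
  openssl x509 -noout -subject -issuer -dates -nameopt RFC2253 -in cert.pem
(assumed format; OpenSSL 1.0 prints "subject= ..." with a space, which is
also accepted).
"""
import re
from datetime import datetime

# Assumption: characters a DN can safely contain for this setup. The post
# only reports '&' as harmful; this allow-list is deliberately conservative.
SAFE_DN_CHARS = re.compile(r"[^A-Za-z0-9 ,=./@'_-]")


def _parse_openssl_date(value):
    """'Jan  1 00:00:00 2004 GMT' -> datetime (strptime tolerates the double space)."""
    return datetime.strptime(value.replace(" GMT", ""), "%b %d %H:%M:%S %Y")


def parse_x509_text(text):
    """Turn the subject/issuer/notBefore/notAfter lines into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return {
        "subject": fields["subject"],
        "issuer": fields["issuer"],
        "not_before": _parse_openssl_date(fields["notBefore"]),
        "not_after": _parse_openssl_date(fields["notAfter"]),
    }


def check_pki(ca, gateway, client):
    """Return a list of human-readable findings; empty means no pitfall hit."""
    findings = []
    for name, cert in (("gateway", gateway), ("client", client)):
        # Pitfall 1: end-entity validity must lie inside the CA validity window.
        if cert["not_before"] < ca["not_before"] or cert["not_after"] > ca["not_after"]:
            findings.append(
                f"{name}: validity {cert['not_before']:%Y-%m-%d}..{cert['not_after']:%Y-%m-%d}"
                f" is not within CA validity {ca['not_before']:%Y-%m-%d}..{ca['not_after']:%Y-%m-%d}"
            )
        # Extra (not from the post): the issuer must be the CA we think it is.
        if cert["issuer"] != ca["subject"]:
            findings.append(f"{name}: issuer DN does not match the CA subject DN")
        # Pitfall 2: unusual characters such as '&' in the DN.
        odd = sorted(set(SAFE_DN_CHARS.findall(cert["subject"])))
        if odd:
            findings.append(f"{name}: DN contains unusual characters {odd}")
    # Pitfall 3: the gateway certificate must not reuse the CA's DN.
    if gateway["subject"] == ca["subject"]:
        findings.append("gateway: subject DN is identical to the CA DN")
    return findings


# Constructed sample dumps (not real certificates).
CA_TXT = """subject=CN=in-put CA,O=in-put GbR,C=DE
issuer=CN=in-put CA,O=in-put GbR,C=DE
notBefore=Jan  1 00:00:00 2004 GMT
notAfter=Dec 31 23:59:59 2008 GMT
"""
BAD_GATEWAY_TXT = """subject=CN=in-put CA,O=in-put GbR,C=DE
issuer=CN=in-put CA,O=in-put GbR,C=DE
notBefore=Feb  1 00:00:00 2004 GMT
notAfter=Jan 31 23:59:59 2006 GMT
"""
BAD_CLIENT_TXT = """subject=CN=xpclient,O=R&D,C=DE
issuer=CN=in-put CA,O=in-put GbR,C=DE
notBefore=Feb  1 00:00:00 2004 GMT
notAfter=Jun 30 23:59:59 2009 GMT
"""
GOOD_GATEWAY_TXT = """subject=CN=gateway,O=in-put GbR,C=DE
issuer=CN=in-put CA,O=in-put GbR,C=DE
notBefore=Feb  1 00:00:00 2004 GMT
notAfter=Jan 31 23:59:59 2006 GMT
"""
GOOD_CLIENT_TXT = """subject=CN=xpclient,O=in-put GbR,C=DE
issuer=CN=in-put CA,O=in-put GbR,C=DE
notBefore=Jun  1 00:00:00 2004 GMT
notAfter=May 31 23:59:59 2006 GMT
"""


def demo():
    """Run both sample sets; returns (findings_for_bad_set, findings_for_good_set)."""
    ca = parse_x509_text(CA_TXT)
    bad = check_pki(ca, parse_x509_text(BAD_GATEWAY_TXT), parse_x509_text(BAD_CLIENT_TXT))
    good = check_pki(ca, parse_x509_text(GOOD_GATEWAY_TXT), parse_x509_text(GOOD_CLIENT_TXT))
    return bad, good


if __name__ == "__main__":
    bad, good = demo()
    print("bad set:", *bad, sep="\n  ")
    print("good set:", good or "no findings")
```

On a real installation, dump each PEM with the openssl command from the lead-in and feed the three outputs to `parse_x509_text` and `check_pki`; the "good" sample shows what a clean trio looks like.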
Hello,

my comments / questions are inside. I have the same problems with SuSE 9.1 / FreeSWAN 2.04 and Win XP Prof clients (SP1).

Stefan-Michael Günther (in-put GbR) wrote:

> Hi,
> it's always a good idea to solve your own problems.
> Here's the small list of things I made wrong and which obviously made the difference between Win2k and Win XP as a FreeSWAN client:
> 1. The validity period of the client certificate should lie within the validity period of the CA certificate.

This is obvious :-), otherwise it wouldn't be a valid certificate!

> 2. Don't use strange characters like '&' in the DN.

Can anybody confirm this? My DN contains a '&'; who would have thought this might be a problem?

> 3. The DN of the CA must be different from the DN of the gateway.

OK, I learned this before, too.

> Hope this prevents someone from wasting hours like I did.

I wasted them already ... but I think I have a clue now.

> Bye,
> Stefan