Hello, briefkasten@ibait wrote:
Hello list!
I am trying to set up a VPN between a gateway running SuSE 8.1 with FreeS/WAN 1.98b and my WinXP laptop. For the installation I followed Danny Heyn's HowTo: http://www.shinewelt.de/linux/freeswan.php
So far Marcus's guide at http://vpn.ebootis.de/ has always helped me.
Unfortunately no VPN connection is established. Did I do something wrong in my configuration, or is there a flaw in my reasoning somewhere?
Yes, it looks as if the two ipsec.conf entries are not identical: "Informational Exchange is for an unknown (expired?) SA". Working through your configs to hunt for the error is far too tedious for me right now, though. Please do that yourself.
Can anyone make something of the error messages?
Yes. "policy does not allow OAKLEY_PRESHARED_KEY": you cannot use certificates on one machine and tell the other one to set up the connection with a preshared secret.
(Log files and screen output at the end.) Googling has unfortunately not made me any wiser so far....
Many thanks in advance
Regards
Ralf
I hope I was able to help you. Regards, Marc
"Test setup"
For test purposes I am trying to dial in to our internal network via the gateway. Instead of the Internet there is only a crossover cable between the gateway and the XP machine; eth0/ipsec0 will get a "no-ip" address once everything works.
          Theo (Gateway)                           Roadwarrior
          ---------                                ---------
    eth1 |         | eth0/ipsec0                  |         |
Company  |         |                              |         |
network -|         |-----------X------------------|         |
192.168.100.0      | ..50.2                ..50.77|         |
  192.168.100.2    |                              |         |
          ---------                                ---------
          SuSE 8.1                                 WinXP prof.
          FreeS/WAN 1.98b
ipsec is started by hand with
ipsec setup start
(unfortunately it could not be compiled into the kernel)
after that, the messages in /var/log/messages are
Jun 24 08:29:26 THEO ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
Jun 24 08:29:27 THEO ipsec_setup: Using /lib/modules/2.4.19-4GB/kernel/net/ipv4/ipsec.o
Jun 24 08:29:27 THEO kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.98b
Jun 24 08:29:28 THEO ipsec_setup: KLIPS debug `none'
Jun 24 08:29:29 THEO ipsec_setup: KLIPS ipsec0 on eth0 192.168.50.2/255.255.255.0 broadcast 192.168.50.255
Jun 24 08:29:29 THEO ipsec__plutorun: Starting Pluto subsystem...
Jun 24 08:29:29 THEO ipsec_setup: ...FreeS/WAN IPsec started
Jun 24 08:29:29 THEO ipsec_setup: ^M^[[128C^[[10D^[[1;32mdone^[[m^O
Jun 24 08:29:29 THEO pluto[1140]: Starting Pluto (FreeS/WAN Version 1.98b)
Jun 24 08:29:29 THEO pluto[1140]: including X.509 patch (Version 0.9.14)
Jun 24 08:29:29 THEO pluto[1140]: Changing to directory '/etc/ipsec.d/cacerts'
Jun 24 08:29:29 THEO pluto[1140]: loaded cacert file 'cacert.pem' (1411 bytes)
Jun 24 08:29:29 THEO pluto[1140]: loaded cacert file 'RootCA.der' (1099 bytes)
Jun 24 08:29:29 THEO pluto[1140]: Changing to directory '/etc/ipsec.d/crls'
Jun 24 08:29:29 THEO pluto[1140]: loaded crl file 'crl.pem' (662 bytes)
Jun 24 08:29:29 THEO pluto[1140]: loaded my default X.509 cert file '/etc/x509cert.der' (1142 bytes)
Jun 24 08:29:30 THEO pluto[1140]: loaded host cert file '/etc/ipsec.d/gatecert.pem' (4851 bytes)
Jun 24 08:29:30 THEO pluto[1140]: loaded host cert file '/etc/ipsec.d/roadwarriorcert.pem' (4850 bytes)
Jun 24 08:29:30 THEO pluto[1140]: added connection description "roadwarrior"
Jun 24 08:29:30 THEO pluto[1140]: listening for IKE messages
Jun 24 08:29:30 THEO pluto[1140]: adding interface ipsec0/eth0 192.168.50.2
Jun 24 08:29:30 THEO pluto[1140]: loading secrets from "/etc/ipsec.secrets"
Jun 24 08:29:30 THEO pluto[1140]: loaded private key file '/etc/ipsec.d/private/gatekey.key' (1742 bytes)
Jun 24 08:29:36 THEO /etc/hotplug/net.agent[1057]: No HW description found ... exiting
Jun 24 08:29:36 THEO /etc/hotplug/net.agent[1074]: No HW description found ... exiting
Jun 24 08:29:36 THEO /etc/hotplug/net.agent[1091]: No HW description found ... exiting
Jun 24 08:29:36 THEO /etc/hotplug/net.agent[1041]: No HW description found ... exiting
Jun 24 08:30:18 THEO syslogd 1.4.1: restart.
On the XP machine the tunnel is started with ipsec
Message:
IPSec Version 2.20 (c) 2001-2003 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Setting up IPSec ...
Deactivating old policy...
Removing old policy...
Connection roadwarrior:
    MyTunnel     : 192.168.50.77
    MyNet        : 192.168.50.77/255.255.255.255
    PartnerTunnel: 192.168.50.2
    PartnerNet   : 192.168.100.0/255.255.255.0
    CA (ID)      : C=DE, ST=DD, L=BUERO, OU=WIN_CA, CN=ralf,...
    PFS          : y
    Auto         : start
    Auth.Mode    : MD5
    Rekeying     : 3600S/50000K
Activating policy...
then a ping to 192.168.100.4
IP-Sicherheit wird verhandelt. IP-Sicherheit....
That should be OK for the first two or three ping packets, but it keeps negotiating...
Output in /var/log/messages:
Jun 24 08:30:47 THEO pluto[1140]: packet from 192.168.50.77:500: ignoring Vendor ID payload
Jun 24 08:30:47 THEO pluto[1140]: "roadwarrior" #1: responding to Main Mode
Jun 24 08:30:47 THEO pluto[1140]: "roadwarrior" #1: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Jun 24 08:31:57 THEO pluto[1140]: "roadwarrior" #1: max number of retransmissions (2) reached STATE_MAIN_R2
Jun 24 08:32:17 THEO pluto[1140]: packet from 192.168.50.77:500: Informational Exchange is for an unknown (expired?) SA
Jun 24 08:34:16 THEO pluto[1140]: packet from 192.168.50.77:500: ignoring Vendor ID payload
Jun 24 08:34:16 THEO pluto[1140]: "roadwarrior" #2: responding to Main Mode
Jun 24 08:34:16 THEO pluto[1140]: "roadwarrior" #2: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Jun 24 08:35:26 THEO pluto[1140]: "roadwarrior" #2: max number of retransmissions (2) reached STATE_MAIN_R2
Jun 24 08:36:02 THEO pluto[1140]: packet from 192.168.50.77:500: Informational Exchange is for an unknown (expired?) SA
Jun 24 08:39:16 THEO pluto[1140]: packet from 192.168.50.77:500: ignoring Vendor ID payload
Jun 24 08:39:16 THEO pluto[1140]: "roadwarrior" #3: responding to Main Mode
Jun 24 08:39:16 THEO pluto[1140]: "roadwarrior" #3: encrypted Informational Exchange message is invalid because it is for incomplete
If you try to create a VPN network connection with WinXP's built-in tools instead, /var/log/messages shows:
Jun 24 08:44:29 THEO pluto[1140]: "roadwarrior" #4: responding to Main Mode
Jun 24 08:44:29 THEO pluto[1140]: "roadwarrior" #4: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 24 08:44:29 THEO pluto[1140]: "roadwarrior" #4: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 24 08:44:29 THEO pluto[1140]: "roadwarrior" #4: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 24 08:44:29 THEO pluto[1140]: "roadwarrior" #4: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 24 08:44:29 THEO pluto[1140]: "roadwarrior" #4: no acceptable Oakley Transform
Jun 24 08:44:30 THEO pluto[1140]: packet from 192.168.50.77:500: ignoring Vendor ID payload
Jun 24 08:44:30 THEO pluto[1140]: "roadwarrior" #5: responding to Main Mode
Jun 24 08:44:30 THEO pluto[1140]: "roadwarrior" #5: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 24 08:44:30 THEO pluto[1140]: "roadwarrior" #5: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 24 08:44:30 THEO pluto[1140]: "roadwarrior" #5: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 24 08:44:30 THEO pluto[1140]: "roadwarrior" #5: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 24 08:44:30 THEO pluto[1140]: "roadwarrior" #5: no acceptable Oakley Transform
Jun 24 08:44:32 THEO pluto[1140]: packet from 192.168.50.77:500: ignoring Vendor ID payload
Jun 24 08:44:32 THEO pluto[1140]: "roadwarrior" #6: responding to Main Mode
Jun 24 08:44:32 THEO pluto[1140]: "roadwarrior" #6: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 24 08:44:32 THEO pluto[1140]: "roadwarrior" #6: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 24 08:44:32 THEO pluto[1140]: "roadwarrior" #6: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 24 08:44:32 THEO pluto[1140]: "roadwarrior" #6: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 24 08:44:32 THEO pluto[1140]: "roadwarrior" #6: no acceptable Oakley Transform
Jun 24 08:44:36 THEO pluto[1140]: packet from 192.168.50.77:500: ignoring Vendor ID payload
Jun 24 08:44:36 THEO pluto[1140]: "roadwarrior" #7: responding to Main Mode
Jun 24 08:44:36 THEO pluto[1140]: "roadwarrior" #7: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 24 08:44:36 THEO pluto[1140]: "roadwarrior" #7: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 24 08:44:36 THEO pluto[1140]: "roadwarrior" #7: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 24 08:44:36 THEO pluto[1140]: "roadwarrior" #7: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 24 08:44:36 THEO pluto[1140]: "roadwarrior" #7: no acceptable Oakley Transform
Jun 24 08:44:44 THEO pluto[1140]: packet from 192.168.50.77:500: ignoring Vendor ID payload
Jun 24 08:44:44 THEO pluto[1140]: "roadwarrior" #8: responding to Main Mode
Jun 24 08:44:44 THEO pluto[1140]: "roadwarrior" #8: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 24 08:44:44 THEO pluto[1140]: "roadwarrior" #8: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 24 08:44:44 THEO pluto[1140]: "roadwarrior" #8: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 24 08:44:44 THEO pluto[1140]: "roadwarrior" #8: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 24 08:44:44 THEO pluto[1140]: "roadwarrior" #8: no acceptable Oakley Transform
Jun 24 08:44:45 THEO pluto[1140]: packet from 192.168.50.77:500: ignoring Delete SA payload
Jun 24 08:44:45 THEO pluto[1140]: packet from 192.168.50.77:500: received and ignored informational message
My ipsec.conf on Theo:
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior
        right=192.168.50.77
        rightsubnet=192.168.0.0/16
        rightnexthop=
        rightcert=roadwarriorcert.pem
        rightid="C=DE, ST=DD, L=BUERO, O=IBAIT, OU=WIN_CA, CN=ralf, E=test@ibait.de"
        left=192.168.50.2
        leftnexthop=192.168.50.1
        leftsubnet=192.168.100.0/255.255.255.0
        leftid="C=DE, ST=DD, L=BUERO, O=IBAIT, OU=GATE_CA, CN=ralf, E=test@ibait.de"
        leftcert=gatecert.pem
        auto=add

#conn maxx
#        right=0.0.0.0
#        rightsubnet=
#        rightnexthop=
#        rightcert=maxxcert.pem
#        rightid="C=DE, ST=SA, L=MEI, O=musicnet.org, OU=MAXX_CA, CN=ralf, E=max@muster.com"
#        left=192.168.50.2
#        leftnexthop=192.168.50.1
#        leftsubnet=192.168.100.0/255.255.255.0
#        leftid="C=DE, ST=DD, L=BUERO, O=IBAIT, OU=GATE_CA, CN=ralf, E=test@ibait.de"
#        leftcert=gatecert.pem
#        auto=add
ipsec.secrets on Theo:
: RSA /etc/ipsec.d/private/gatekey.key "geheim"
My ipsec.conf on Roadwarrior:
conn roadwarrior
        left=192.168.50.77
        right=192.168.50.2
        rightsubnet=192.168.100.0/255.255.255.0
        rightca="C=DE, ST=DD, L=BUERO, O=IBAIT, OU=WIN_CA, CN=ralf, Email=test@ibait.de"
        network=lan
        auto=start
        pfs=yes
--
FH Furtwangen: http://www.computernetworking.de
Linux and network consulting: http://www.teamberatung.org
Marc Mc Guinness: http://www.mcguinness.de
PGP Public Key Block: http://mcguinness.psychology4u.de/public.txt
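As an added example (not part of Marc's or Ralf's mail), the following Python script groups pluto messages by ISAKMP SA number and maps the texts quoted in the thread to the mismatch Marc names, so a /var/log/messages excerpt can be triaged without reading every line. The diagnosis codes and the sample log lines are constructed after the thread's output; the wording of each diagnosis follows Marc's answer.

```python
import re

# Constructed sample lines, modelled on the /var/log/messages output quoted in the thread.
SAMPLE_LOG = """\
Jun 24 08:30:47 THEO pluto[1140]: "roadwarrior" #1: responding to Main Mode
Jun 24 08:30:47 THEO pluto[1140]: "roadwarrior" #1: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Jun 24 08:31:57 THEO pluto[1140]: "roadwarrior" #1: max number of retransmissions (2) reached STATE_MAIN_R2
Jun 24 08:32:17 THEO pluto[1140]: packet from 192.168.50.77:500: Informational Exchange is for an unknown (expired?) SA
Jun 24 08:44:29 THEO pluto[1140]: "roadwarrior" #4: responding to Main Mode
Jun 24 08:44:29 THEO pluto[1140]: "roadwarrior" #4: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 24 08:44:29 THEO pluto[1140]: "roadwarrior" #4: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 24 08:44:29 THEO pluto[1140]: "roadwarrior" #4: no acceptable Oakley Transform
"""

# Per-SA pluto messages look like:  pluto[PID]: "conn" #N: text
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

# code -> (fragment pluto prints, what it tells the operator); constructed mapping
DIAGNOSES = {
    "psk_vs_cert": ("policy does not allow OAKLEY_PRESHARED_KEY",
        "peer authenticates with a preshared key, this side requires authby=rsasig (certificates)"),
    "des_unsupported": ("OAKLEY_DES_CBC is not supported",
        "peer proposes single DES, which this FreeS/WAN rejects; use 3DES on the peer"),
    "no_transform": ("no acceptable Oakley Transform",
        "no Phase 1 proposal matched at all: auth method and cipher must agree on both sides"),
    "incomplete_sa": ("incomplete ISAKMP SA",
        "peer sent a notification before Main Mode finished, i.e. it rejected our reply"),
    "retransmit": ("max number of retransmissions",
        "peer stopped answering in STATE_MAIN_R2; Main Mode never completed"),
}

def triage(log_text):
    """Return {sa_number: [diagnosis code, ...]} for every ISAKMP SA in the log."""
    findings = {}
    for line in log_text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue  # 'packet from ...' lines carry no SA number; skip them
        codes = findings.setdefault(int(m.group("sa")), [])
        for code, (fragment, _) in DIAGNOSES.items():
            if fragment in m.group("msg") and code not in codes:
                codes.append(code)
    return findings

if __name__ == "__main__":
    for sa, codes in sorted(triage(SAMPLE_LOG).items()):
        print('ISAKMP SA #%d:' % sa)
        for code in codes:
            print("  -", DIAGNOSES[code][1])
```

Feed it the real file with `triage(open("/var/log/messages").read())`; SAs that only show "responding to Main Mode" come back with an empty list and need no action.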