Help with IPsec VPN between Win2k and Linux FreeS/WAN

Setting up the local network, connecting to other computers and services.
loiola
Posts: 9
Registered: 18.08.2003 18:51:43

Help with IPsec VPN between Win2k and Linux FreeS/WAN

Post by loiola » 07.09.2003 17:17:28

hello,

I have been trying to set up a local IPsec connection between a Windows 2000 machine and a Linux machine (Debian 3, kernel 2.4.22), but so far I have not succeeded.

On the Linux side I used the Debian packages freeswan/unstable (version 2.01) and freeswan-modules/unstable (2.01).

On the Win2k side I used the ipsec tools by Marcus Mueller (described in c't 10/03, http://vpn.ebootis.de/).

I have already googled quite a bit and tried several things, but by now I don't know where to start.

When I ping the Linux machine from the Win2k machine to initiate a VPN connection, the Win2k machine only ever says "IP-Sicherheit wird verhandelt" (IP security is being negotiated), and on the Linux side auth.log shows the error "no suitable connection for peer 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'", see the very bottom of the barf.

I am posting parts of an ipsec barf (if I have cut out anything important, I can post it afterwards). Maybe someone can tell me where the problem might lie (are the certificates wrong, is something not installed correctly, are the connection configurations wrong)...

Grateful for any hint.

regards

-------------------- barf (not complete)
voyager
Sun Sep 7 16:45:56 CEST 2003
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 2.01
See `ipsec --copyright' for copyright information.
X.509-1.4.2 distributed by Andreas Steffen <andreas.steffen@strongsec.com>
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.22 (root@voyager) (gcc version 2.95.4 20011002 (Debian prerelease)) #1 SMP Fri Sep 5 18:52:36 CEST 2003
+ _________________________ ipsec_verify
+ ipsec verify
Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path [OK]
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) ipsec showhostkey: no pubkey line found -- key information old?
[FAILED]
Checking that pluto is running [OK]
DNS checks.
Looking for TXT in forward map: voyager [MISSING]
Does the machine have at least one non-private address [OK]
+ _________________________ proc/net/ipsec_eroute
+ sort -n +3 /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 eth0
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth0 10.0.0.2
000
000 debug none
000
000 "p2p": 10.0.0.2[C=AT, L=Vienna, O=Chris, OU=Gateway, CN=Gateway]...10.0.0.1
000 "p2p": CAs: 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=Chris'...'%any'
000 "p2p": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "p2p": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; unrouted
000 "p2p": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "p2p": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, flags=-strict
000 "p2p": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
000 "p2p": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "p2p": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:07:95:05:F4:A1
inet addr:10.0.0.2 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:347 errors:0 dropped:0 overruns:0 frame:0
TX packets:260 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:178620 (174.4 KiB) TX bytes:46521 (45.4 KiB)
Interrupt:11 Base address:0xd000

ipsec0 Link encap:Ethernet HWaddr 00:07:95:05:F4:A1
inet addr:10.0.0.2 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
voyager
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.0.0.2 127.0.0.1
+ _________________________ uptime
+ uptime
16:45:57 up 8 min, 1 user, load average: 0.06, 0.14, 0.08
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
version 2
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.



# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
# plutoload=%search
# plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes



# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
keyingtries=1
disablearrivalcheck=no
authby=rsasig
rightrsasigkey=%cert
auto=add
left=%defaultroute
leftcert=GatewayCert.pem

conn p2p
right=10.0.0.1

# disable OE
conn block
auto=ignore

conn private
auto=ignore

conn private-or-clear
auto=ignore

conn clear-or-private
auto=ignore

conn clear
auto=ignore

conn packetdefault
auto=ignore
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
: RSA {
# -- not filled in because ipsec.secrets existed at build time --
}
# do not change the indenting of that "[sums to 7d9d...]"
: RSA GatewayKey.pem "[sums to b7a7...]"


+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/freeswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#

++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/freeswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/freeswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#

0.0.0.0/0
+ _________________________ ipsec/ls-dir
+ ls -l /usr/lib/ipsec
total 1156
-rwxr-xr-x 1 root root 15001 Jul 21 20:46 _confread
-rwxr-xr-x 1 root root 4024 Jul 21 20:46 _copyright
-rwxr-xr-x 1 root root 2380 Jul 21 20:46 _include
-rwxr-xr-x 1 root root 1476 Jul 21 20:46 _keycensor
-rwxr-xr-x 1 root root 8248 Jul 21 20:46 _pluto_adns
-rwxr-xr-x 1 root root 3586 Jul 21 20:46 _plutoload
-rwxr-xr-x 1 root root 5208 Jul 21 20:46 _plutorun
-rwxr-xr-x 1 root root 9494 Jul 21 20:46 _realsetup
-rwxr-xr-x 1 root root 1976 Jul 21 20:46 _secretcensor
-rwxr-xr-x 1 root root 7551 Jul 21 20:46 _startklips
-rwxr-xr-x 1 root root 5015 Jul 21 20:46 _updown
-rwxr-xr-x 1 root root 7572 Jul 21 20:46 _updown_x509
-rwxr-xr-x 1 root root 14556 Jul 21 20:46 auto
-rwxr-xr-x 1 root root 8466 Jul 21 20:46 barf
-rwxr-xr-x 1 root root 816 Jul 21 20:46 calcgoo
-rwxr-xr-x 1 root root 75 Jul 21 20:46 distro.txt
-rwxr-xr-x 1 root root 64920 Jul 21 20:46 eroute
-rwxr-xr-x 1 root root 15776 Jul 21 20:46 ikeping
-rwxr-xr-x 1 root root 1942 Jul 21 20:46 ipsec_pr.template
-rwxr-xr-x 1 root root 45208 Jul 21 20:46 klipsdebug
-rwxr-xr-x 1 root root 2450 Jul 21 20:46 look
-rwxr-xr-x 1 root root 7128 Jul 21 20:46 mailkey
-rwxr-xr-x 1 root root 16190 Jul 21 20:46 manual
-rwxr-xr-x 1 root root 2010 Jul 21 20:46 mkx509cert
-rwxr-xr-x 1 root root 1874 Jul 21 20:46 newhostkey
-rwxr-xr-x 1 root root 39436 Jul 21 20:46 pf_key
-rwxr-xr-x 1 root root 548184 Jul 21 20:46 pluto
-rwxr-xr-x 1 root root 5880 Jul 21 20:46 ranbits
-rwxr-xr-x 1 root root 15960 Jul 21 20:46 rsasigkey
-rwxr-xr-x 1 root root 17322 Jul 21 20:46 send-pr
lrwxrwxrwx 1 root root 17 Sep 5 11:53 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Jul 21 20:46 showdefaults
-rwxr-xr-x 1 root root 4311 Jul 21 20:46 showhostkey
-rwxr-xr-x 1 root root 97688 Jul 21 20:46 spi
-rwxr-xr-x 1 root root 56248 Jul 21 20:46 spigrp
-rwxr-xr-x 1 root root 8620 Jul 21 20:46 tncfg
-rwxr-xr-x 1 root root 8438 Jul 21 20:46 verify
-rwxr-xr-x 1 root root 36088 Jul 21 20:46 whack
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 1516 23 0 0 0 0 0 0 1516 23 0 0 0 0 0 0
eth0: 178620 347 0 0 0 0 0 0 46521 260 0 0 0 0 0 0
ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 0000000A 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0000000A 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 00000000 0100000A 0003 0 0 0 00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
0
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:0
ipsec0/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux voyager 2.4.22 #1 SMP Fri Sep 5 18:52:36 CEST 2003 i686 GNU/Linux
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 2.01
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
+ _________________________ ipchains/list
+ ipchains -L -v -n
ipchains: Incompatible with this kernel
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
ipchains: cannot open file `/proc/net/ip_masquerade'
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
+ _________________________ proc/modules
+ cat /proc/modules
iptable_mangle 2164 0 (autoclean) (unused)
iptable_nat 16792 0 (autoclean) (unused)
ip_conntrack 19176 1 (autoclean) [iptable_nat]
iptable_filter 1704 0 (autoclean) (unused)
ip_tables 11672 5 [iptable_mangle iptable_nat iptable_filter]
ipsec 268000 2
parport_pc 14116 1 (autoclean)
lp 7044 0 (autoclean)
parport 23040 1 (autoclean) [parport_pc lp]
ide-scsi 9136 0
i810_audio 24456 0
ac97_codec 12108 0 [i810_audio]
soundcore 3492 2 [i810_audio]
keybdev 1728 0 (unused)
usbkbd 2940 0 (unused)
input 3232 0 [keybdev usbkbd]
usb-ohci 18600 0 (unused)
usbcore 58528 0 [usbkbd usb-ohci]
+ _________________________ proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 527302656 203546624 323756032 0 9277440 122859520
Swap: 526376960 0 526376960
MemTotal: 514944 kB
MemFree: 316168 kB
MemShared: 0 kB
Buffers: 9060 kB
Cached: 119980 kB
SwapCached: 0 kB
Active: 57168 kB
Inactive: 125036 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 514944 kB
LowFree: 316168 kB
SwapTotal: 514040 kB
SwapFree: 514040 kB
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Sep 7 16:45 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Sep 7 16:45 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Sep 7 16:45 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 Sep 7 16:45 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Sep 7 16:45 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 Sep 7 16:45 /proc/net/ipsec_version -> ipsec/version
+ _________________________ klog
+ sed -n '166161,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ cat
Sep 7 16:41:53 voyager ipsec_setup: Starting FreeS/WAN IPsec 2.01...
Sep 7 16:41:53 voyager ipsec_setup: Using /lib/modules/2.4.22/kernel/net/ipsec/ipsec.o
Sep 7 16:41:53 voyager kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 2.01
Sep 7 16:41:53 voyager kernel: klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=15)
Sep 7 16:41:53 voyager kernel: klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
Sep 7 16:41:53 voyager ipsec_setup: KLIPS debug `none'
Sep 7 16:41:53 voyager ipsec_setup: KLIPS ipsec0 on eth0 10.0.0.2/255.255.255.0 broadcast 10.0.0.255
Sep 7 16:41:53 voyager ipsec_setup: ...FreeS/WAN IPsec started
Sep 7 16:41:54 voyager ipsec__plutorun: 003 "/etc/ipsec.secrets" line 10: Modulus keyword not found where expected in RSA key
+ _________________________ plog
+ sed -n '3072,$p' /var/log/auth.log
+ egrep -i pluto
+ cat
Sep 7 16:41:53 voyager ipsec__plutorun: Starting Pluto subsystem...
Sep 7 16:41:53 voyager pluto[823]: Starting Pluto (FreeS/WAN Version 2.01 X.509-1.4.2 PLUTO_USES_KEYRR)
Sep 7 16:41:53 voyager pluto[823]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 7 16:41:53 voyager pluto[823]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Sep 7 16:41:53 voyager pluto[823]: ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
Sep 7 16:41:53 voyager pluto[823]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Sep 7 16:41:53 voyager pluto[823]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 7 16:41:53 voyager pluto[823]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 7 16:41:53 voyager pluto[823]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Sep 7 16:41:53 voyager pluto[823]: ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Sep 7 16:41:53 voyager pluto[823]: Changing to directory '/etc/ipsec.d/cacerts'
Sep 7 16:41:53 voyager pluto[823]: loaded cacert file 'cacert.pem' (1176 bytes)
Sep 7 16:41:53 voyager pluto[823]: Changing to directory '/etc/ipsec.d/crls'
Sep 7 16:41:53 voyager pluto[823]: loaded crl file 'crl.pem' (601 bytes)
Sep 7 16:41:54 voyager pluto[823]: | from whack: got --esp=3des
Sep 7 16:41:54 voyager pluto[823]: | from whack: got --ike=3des
Sep 7 16:41:54 voyager pluto[823]: loaded host cert file '/etc/ipsec.d/certs/GatewayCert.pem' (997 bytes)
Sep 7 16:41:54 voyager pluto[823]: added connection description "p2p"
Sep 7 16:41:54 voyager pluto[823]: listening for IKE messages
Sep 7 16:41:54 voyager pluto[823]: adding interface ipsec0/eth0 10.0.0.2
Sep 7 16:41:54 voyager pluto[823]: loading secrets from "/etc/ipsec.secrets"
Sep 7 16:41:54 voyager pluto[823]: "/etc/ipsec.secrets" line 10: Modulus keyword not found where expected in RSA key
Sep 7 16:41:54 voyager pluto[823]: loaded private key file '/etc/ipsec.d/private/GatewayKey.pem' (963 bytes)
Sep 7 16:43:02 voyager pluto[823]: packet from 10.0.0.1:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Sep 7 16:43:02 voyager pluto[823]: "p2p" #1: responding to Main Mode
Sep 7 16:43:03 voyager pluto[823]: "p2p" #1: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'
Sep 7 16:43:03 voyager pluto[823]: "p2p" #1: no suitable connection for peer 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'
Sep 7 16:43:04 voyager pluto[823]: "p2p" #1: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'
Sep 7 16:43:04 voyager pluto[823]: "p2p" #1: no suitable connection for peer 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'
Sep 7 16:43:06 voyager pluto[823]: "p2p" #1: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'
Sep 7 16:43:06 voyager pluto[823]: "p2p" #1: no suitable connection for peer 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'
Sep 7 16:43:10 voyager pluto[823]: "p2p" #1: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'
Sep 7 16:43:10 voyager pluto[823]: "p2p" #1: no suitable connection for peer 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'
Sep 7 16:43:18 voyager pluto[823]: "p2p" #1: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'
Sep 7 16:43:18 voyager pluto[823]: "p2p" #1: no suitable connection for peer 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'
Sep 7 16:43:34 voyager pluto[823]: "p2p" #1: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'
Sep 7 16:43:34 voyager pluto[823]: "p2p" #1: no suitable connection for peer 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'
Sep 7 16:44:06 voyager pluto[823]: "p2p" #1: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Sep 7 16:44:12 voyager pluto[823]: "p2p" #1: max number of retransmissions (2) reached STATE_MAIN_R2
+ _________________________ date
+ date
Sun Sep 7 16:45:57 CEST 2003

loiola
Posts: 9
Registered: 18.08.2003 18:51:43

Re: Help with IPsec VPN between Win2k and Linux FreeS/WAN

Post by loiola » 09.09.2003 11:25:14

In case it interests anyone who has a similar problem: the error was that on the Linux side you have to specify the "rightid" option for the connection to the Win2k machine. It is possible that there are other solutions, but with this option it works.

ipsec.conf now looks as follows (the part that specifies the connection to the Windows client)

conn win2k_2_linux
right=%any
rightid="C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000"
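As an added example that is not part of either post and not FreeS/WAN's own code: the matching rule behind the "no suitable connection for peer" lines in the first post, and the rightid fix in the second, worked through in Python. pluto compares the identity the peer sends in Main Mode against each conn's rightid, and rightid defaults to the value of right=, so the posted conn p2p (right=10.0.0.1, no rightid) only accepts a peer identifying itself as 10.0.0.1, while the Win2k client identifies itself by its certificate's subject DN (ID_DER_ASN1_DN). The script below reads a cut-down ipsec.conf (the minimal parser, handling only conn sections with key=value lines and %default inheritance, is my own assumption, as is the simplified comparison that ignores certificate validation and ID types other than the DN), extracts the peer DN from the posted pluto lines, and reports which conns would accept it; the helper that turns openssl x509 -noout -subject output into the string to put in rightid= is also an addition. The log lines and config text are constructed from the thread.

```python
"""Why pluto says "no suitable connection for peer" and what rightid= fixes.

Added example, not code from the forum post or from FreeS/WAN. Assumptions:
the ipsec.conf reader is deliberately minimal (conn sections, key=value
lines, 'conn %default' inheritance); the OpenSSL subject parser accepts the
legacy '/C=AT/L=Vienna/...' and the newer 'C = AT, L = Vienna, ...' forms;
pluto's real matching (ID types, certificate chain, CRL) is reduced to a
string comparison of DNs. Log lines and config are constructed from the thread.
"""
import re

PEER_ID_RE = re.compile(r"Peer ID is ID_DER_ASN1_DN: '([^']*)'")


def normalize_dn(dn):
    """Canonical 'C=AT, L=Vienna, ...' form: attribute types upper-cased,
    one space after each comma, no surrounding quotes or stray blanks."""
    parts = []
    for rdn in dn.strip().strip('"').split(","):
        rdn = rdn.strip()
        if "=" in rdn:
            attr, val = rdn.split("=", 1)
            rdn = "%s=%s" % (attr.strip().upper(), val.strip())
        parts.append(rdn)
    return ", ".join(parts)


def rightid_from_openssl_subject(subject):
    """Turn 'openssl x509 -noout -subject' output into the string for
    rightid=. Attribute values containing '/' are not handled (assumption)."""
    if subject.startswith("subject"):
        subject = subject.split("=", 1)[1]
    rdns = [r for r in subject.strip().split("/") if r]
    return normalize_dn(", ".join(rdns))


def peer_dns_from_log(lines):
    """Distinct peer DNs pluto reported, in order of first appearance."""
    seen = []
    for line in lines:
        m = PEER_ID_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def parse_ipsec_conf(text):
    """{conn_name: {key: value}} with 'conn %default' folded into each conn.
    'config setup' and anything outside a conn section is ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif line.startswith("config ") or current is None:
            current = None
        elif "=" in line:
            key, val = line.split("=", 1)
            sections[current][key.strip()] = val.strip().strip('"')
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}


def effective_rightid(conn):
    """pluto's rule: rightid defaults to the value of right=, so a conn
    without rightid= only matches a peer that identifies by that address."""
    return conn.get("rightid") or conn.get("right", "")


def conns_accepting(conf, peer_dn):
    """Names of conns (not auto=ignore) whose rightid equals the peer's DN."""
    want = normalize_dn(peer_dn)
    return [name for name, conn in conf.items()
            if conn.get("auto", "add") != "ignore"
            and normalize_dn(effective_rightid(conn)) == want]


def diagnose(conf_text, log_lines):
    """Map each peer DN seen in the log to the conns that would accept it."""
    conf = parse_ipsec_conf(conf_text)
    return {dn: conns_accepting(conf, dn) for dn in peer_dns_from_log(log_lines)}


# Constructed from the thread: the pluto lines from auth.log and the conn
# definitions before and after the fix.
PLUTO_LOG = [
    'Sep 7 16:43:02 voyager pluto[823]: "p2p" #1: responding to Main Mode',
    'Sep 7 16:43:03 voyager pluto[823]: "p2p" #1: Peer ID is ID_DER_ASN1_DN: '
    "'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'",
    'Sep 7 16:43:03 voyager pluto[823]: "p2p" #1: no suitable connection for '
    "peer 'C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000'",
]

POSTED_CONF = """\
conn %default
    authby=rsasig
    rightrsasigkey=%cert
    auto=add
    left=%defaultroute
    leftcert=GatewayCert.pem

conn p2p
    right=10.0.0.1

conn block
    auto=ignore
"""

FIXED_CONF = POSTED_CONF + """
conn win2k_2_linux
    right=%any
    rightid="C=AT, L=Vienna, O=Chris, OU=Chris, CN=win2000"
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        for dn, conns in diagnose(text, PLUTO_LOG).items():
            print("%s config: peer %r -> %s"
                  % (label, dn, ", ".join(conns) or "no suitable connection"))
```

Run as a script, the posted config yields no accepting conn for the Win2k DN and the fixed one yields win2k_2_linux. To get the exact string for rightid= from a client certificate, pass the output of `openssl x509 -in client.pem -noout -subject` to rightid_from_openssl_subject; the value must be the complete subject DN in the same attribute order pluto logs it, which is why copying the DN out of the "Peer ID is" line, as the second post effectively did, is the safest route.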
