hi,
I can't get a freeswan 2.02 ipsec x509 connection at work
can somebody help me?
*************************************************************************************
global situation
*************************************************************************************
The linux gateway (chivas) is a single machine 192.168.1.250 with a local net
192.168.1.0/24, a dynamic IP via a DSL connection and a dynamic DNS name at xxxxxx.dnsalias.org.
There is also a shorewall firewall on the system.
The xp roadwarrior machine has a dial-up dynamic IP via modem.
All the x509 certificates are generated on the linux side and
a p12 export to the xp system was successful.
*************************************************************************************
shorewall on the linux side
*************************************************************************************
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
net ppp0 - dhcp,noping
loc eth0 - filterping
vpn ipsec0 -
#
_____________________________________________________________________________________
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
loc net ACCEPT
fw net ACCEPT
net all DROP info
vpn loc ACCEPT -
loc vpn ACCEPT -
all all REJECT info
_____________________________________________________________________________________
# Shorewall 1.4 - /etc/shorewall/tunnels
#
#
ipsec net 0.0.0.0/0
_____________________________________________________________________________________
# Shorewall 1.3 /etc/shorewall/zones
#
net Net Internet
loc Local Local networks
vpn VPN Remote subnet
_____________________________________________________________________________________
# Shorewall version 1.3 - Rules File
#
# /etc/shorewall/rules
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc fw tcp 22
ACCEPT loc fw tcp www
ACCEPT loc fw udp 10000,20000
ACCEPT loc fw tcp 10000,20000
ACCEPT loc $FW tcp 110 -
ACCEPT loc $FW tcp 25 -
ACCEPT $FW loc tcp - 110
ACCEPT all all udp - 500
ACCEPT loc $FW tcp 53 -
ACCEPT loc $FW udp 53 -
ACCEPT loc $FW icmp - -
ACCEPT $FW loc icmp - -
ACCEPT $FW loc udp 137:139 -
ACCEPT $FW loc tcp 137,139,445 -
ACCEPT $FW loc udp 1024: 137
ACCEPT loc $FW udp 137:139 -
ACCEPT loc $FW tcp 137,139,445 -
ACCEPT loc $FW udp 1024: 137
ACCEPT net vpn all - -
ACCEPT vpn net all - -
*************************************************************************************
ipsec on the linux side
*************************************************************************************
my ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
# More elaborate and more varied sample configurations can be found
# in doc/examples.

# basic configuration
config setup
        interfaces="ipsec0=ppp0"
        klipsdebug=none
        plutodebug=none

conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior
        compress=no
        left=xxxxxx.dnsalias.org
        leftsubnet=192.168.1.0/24       # spelled "lefsubnet" in the original post
        leftcert=chivas.hectordenis.net.pem
        pfs=yes
        right=%any
        auto=add
*************************************************************************************
ipsec on the XP side
*************************************************************************************
my ipsec.conf:

conn Chivas
        right=xxxxxx.dnsalias.org
        rightsubnet=192.168.1.0/24
        rightca="C=BE, ST=Hainaut, L=Braine-le-Comte, O=N Consulting, CN=chivas, E=noel.nachtegael@skynet.be"
        left=%any
        network=auto
        authmode=MD5
        auto=start
        pfs=yes
_____________________________________________________________________________________
C:\IPSEC>ipsec -delete
IPSec Version 2.2.0 (c) 2001-2003 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Removing old policies...
Error converting policy: 0x2

C:\IPSEC>ipsec
IPSec Version 2.2.0 (c) 2001-2003 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Setting up IPSec ...
Deactivating old policy...
Removing old policy...
Connection Chivas:
 MyTunnel     : 194.78.26.163
 MyNet        : 194.78.26.163/255.255.255.255
 PartnerTunnel: xxxxxx.dnsalias.org
 PartnerNet   : 192.168.1.0/255.255.255.0
 CA (ID)      : C=BE, ST=Hainaut, L=Braine-le-Comte, O=N Consultin...
 PFS          : y
 Auto         : start
 Auth.Mode    : MD5
 Rekeying     : 3600S/50000K
Activating policy...

C:\IPSEC>ping 192.168.1.250 -t
Pinging 192.168.1.250 with 32 bytes of data:
Negotiating IP Security.
Negotiating IP Security.
........
Negotiating IP Security.
Negotiating IP Security.
Ping statistics for 192.168.1.250:
 Packets: Sent = 24, Received = 0, Lost = 24 (100% loss),
C:\IPSEC>
*************************************************************************************
result on the linux side
*************************************************************************************
[root@chivas root]# cat /var/log/secure
Oct 26 16:40:03 chivas pluto[25037]: shutting down
Oct 26 16:40:03 chivas pluto[25037]: forgetting secrets
Oct 26 16:40:03 chivas pluto[25037]: shutting down interface ipsec0/ppp0 80.200.17.182
Oct 26 16:40:06 chivas ipsec__plutorun: Starting Pluto subsystem...
Oct 26 16:40:06 chivas pluto[25438]: Starting Pluto (FreeS/WAN Version 2.02 X.509-1.4.6 PLUTO_USES_KEYRR)
Oct 26 16:40:06 chivas pluto[25438]: Changing to directory '/etc/ipsec.d/cacerts'
Oct 26 16:40:06 chivas pluto[25438]: loaded cacert file 'cacert.pem' (1619 bytes)
Oct 26 16:40:06 chivas pluto[25438]: Changing to directory '/etc/ipsec.d/crls'
Oct 26 16:40:06 chivas pluto[25438]: loaded crl file 'crl.pem' (686 bytes)
Oct 26 16:40:07 chivas pluto[25438]: listening for IKE messages
Oct 26 16:40:07 chivas pluto[25438]: adding interface ipsec0/ppp0 80.200.17.182
Oct 26 16:40:07 chivas pluto[25438]: loading secrets from "/etc/ipsec.secrets"
Oct 26 16:40:07 chivas pluto[25438]: loaded private key file '/etc/ipsec.d/private/chivas.hectordenis.net.key' (1751 bytes)
Oct 26 16:41:29 chivas pluto[25438]: packet from 194.78.26.163:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Oct 26 16:41:29 chivas pluto[25438]: packet from 194.78.26.163:500: initial Main Mode message received on 80.200.17.182:500 but no connection has been authorized
Oct 26 16:41:30 chivas pluto[25438]: packet from 194.78.26.163:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Oct 26 16:41:30 chivas pluto[25438]: packet from 194.78.26.163:500: initial Main Mode message received on 80.200.17.182:500 but no connection has been authorized
Oct 26 16:41:32 chivas pluto[25438]: packet from 194.78.26.163:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Oct 26 16:41:32 chivas pluto[25438]: packet from 194.78.26.163:500: initial Main Mode message received on 80.200.17.182:500 but no connection has been authorized
Oct 26 16:41:37 chivas pluto[25438]: packet from 194.78.26.163:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Oct 26 16:41:37 chivas pluto[25438]: packet from 194.78.26.163:500: initial Main Mode message received on 80.200.17.182:500 but no connection has been authorized
Oct 26 16:41:45 chivas pluto[25438]: packet from 194.78.26.163:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Oct 26 16:41:45 chivas pluto[25438]: packet from 194.78.26.163:500: initial Main Mode message received on 80.200.17.182:500 but no connection has been authorized
On Sun, 2003-10-26 at 09:00, Noël Nachtegael wrote:
> hi,
>
> I can't get a freeswan 2.02 ipsec x509 connection at work
> can somebody help me?
>

My recommendation is to isolate the problem to either FreesWan or Shorewall by doing a "shorewall clear" then trying to establish the tunnel. If it works in that case, then you probably have a Shorewall configuration problem. If it doesn't work, then you have a FreesWan/IPSEC configuration problem.

Once you have the tunnel working then start Shorewall. If the tunnel stops working then you also have a Shorewall configuration problem.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Sun, 2003-10-26 at 09:00, Noël Nachtegael wrote:
> hi,
>
> I can't get a freeswan 2.02 ipsec x509 connection at work
> can somebody help me?
>
> _____________________________________________________________________________________
> # Shorewall 1.4 - /etc/shorewall/tunnels
> #
> #
> ipsec net 0.0.0.0/0
>

You might try:

ipsec net 0.0.0.0/0 vpn

Usually that change won't correct an initial failure to create a tunnel but it is sometimes required if the tunnel fails due to rekeying failures after being up for a while.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Sam Sgro
2003-Oct-26 11:13 UTC
[Shorewall-users] Re: [Users] linux-xp x509 ipsec connection
On Sunday 26 October 2003 12:00, Noël Nachtegael wrote:
> conn roadwarrior
> compress=no
> left=xxxxxx.dnsalias.org

Given that this refers to you, I have no idea why you're using dynDNS. The preferred way to refer to your own IP address is to use:

interfaces=%defaultroute

... which will dynamically assign an ipsecN interface to the physical interface used for your default gateway - I'd expect it to use ippp0 in your case. Then, you can refer to your side in your connections via:

left=%defaultroute

... which will automatically use the IP address assigned to that interface. No need to use a dynDNS record.

Why is this important? Because of this message:

Oct 26 16:41:45 chivas pluto[25438]: packet from 194.78.26.163:500: initial Main Mode message received on 80.200.17.182:500 but no connection has been authorized

I'll bet that 80.200.17.182 is your new IP address, but the connection (as described by ipsec auto --status) uses the older one, derived from the resolution of your dynDNS record when the connection was "auto=add"'ed. Since the connection you've defined refers to the old address, the incoming connection attempt gets ignored (because it's incoming on the *new* address).

That name resolution only occurs once, btw - at the time the connection is added - so even if your dynDNS record gets updated 20 seconds after FreeS/WAN starts, Pluto will still persist in using the old IP address when matching connections.

--
Sam Sgro
sam@freeswan.org
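A worked model of the mismatch Sam describes, added here as an illustration; it is not FreeS/WAN or Pluto code and was not part of the thread. The old-lease address 80.200.9.17 and the DNS answer it came from are assumed values, the log excerpt is constructed from the pluto lines quoted in the post, and treating `%defaultroute` as "whatever ppp0 currently holds" is a simplification of what Pluto actually does. The point it makes: a conn whose `left` is a hostname is pinned to one address at add time, so every Main Mode attempt arriving on the gateway's new address finds no conn and is logged as "no connection has been authorized".

```python
"""Model of a Pluto conn bound to a stale address, plus a log check for the symptom.

Added example, not FreeS/WAN code. The old lease 80.200.9.17 is hypothetical;
the log excerpt is constructed from the lines posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed: what xxxxxx.dnsalias.org answered when `ipsec auto --add` ran (old DSL
# lease) versus what ppp0 holds now ("adding interface ipsec0/ppp0 80.200.17.182").
DNS_AT_ADD_TIME = {"xxxxxx.dnsalias.org": "80.200.9.17"}   # hypothetical old lease
CURRENT_PPP0_ADDR = "80.200.17.182"


@dataclass(frozen=True)
class Conn:
    name: str
    left: str                  # as written in ipsec.conf
    bound_left: Optional[str]  # address fixed at add time; None = read from the interface at match time


def add_conn(name: str, left: str, dns: dict) -> Conn:
    """auto=add: a hostname is resolved exactly once, now; %defaultroute stays unbound."""
    if left == "%defaultroute":
        return Conn(name, left, None)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", left):
        return Conn(name, left, left)
    return Conn(name, left, dns[left])  # one-shot lookup, never repeated


def match_conn(conns: List[Conn], local_addr: str) -> Optional[Conn]:
    """Find the conn whose left endpoint is the address the IKE packet arrived on."""
    for c in conns:
        effective_left = c.bound_left if c.bound_left is not None else local_addr
        if effective_left == local_addr:
            return c
    return None


UNAUTHORIZED = re.compile(
    r"packet from (?P<peer>[\d.]+):\d+: initial Main Mode message received on "
    r"(?P<local>[\d.]+):\d+ but no connection has been authorized"
)


def diagnose(log_lines: List[str], conns: List[Conn]) -> List[dict]:
    """For each unauthorised Main Mode attempt that no loaded conn matches, report the
    address it arrived on next to the addresses the conns are actually bound to."""
    findings = []
    for line in log_lines:
        m = UNAUTHORIZED.search(line)
        if m and match_conn(conns, m["local"]) is None:
            findings.append({
                "peer": m["peer"],
                "arrived_on": m["local"],
                "conns_bound_to": sorted({c.bound_left for c in conns if c.bound_left}),
            })
    return findings


# Constructed excerpt, shortened from the pluto log quoted in the thread.
SAMPLE_LOG = [
    "Oct 26 16:40:07 chivas pluto[25438]: adding interface ipsec0/ppp0 80.200.17.182",
    "Oct 26 16:41:29 chivas pluto[25438]: packet from 194.78.26.163:500: received Vendor ID Payload; ASCII hash: ...",
    "Oct 26 16:41:29 chivas pluto[25438]: packet from 194.78.26.163:500: initial Main Mode message received on 80.200.17.182:500 but no connection has been authorized",
    "Oct 26 16:41:30 chivas pluto[25438]: packet from 194.78.26.163:500: initial Main Mode message received on 80.200.17.182:500 but no connection has been authorized",
]


def run_both_configs():
    """The conn as posted (left=hostname) versus Sam's suggestion (left=%defaultroute)."""
    stale = [add_conn("roadwarrior", "xxxxxx.dnsalias.org", DNS_AT_ADD_TIME)]
    fixed = [add_conn("roadwarrior", "%defaultroute", DNS_AT_ADD_TIME)]
    return diagnose(SAMPLE_LOG, stale), diagnose(SAMPLE_LOG, fixed)


if __name__ == "__main__":
    stale_findings, fixed_findings = run_both_configs()
    for f in stale_findings:
        print(f"peer {f['peer']} hit {f['arrived_on']} but conns are bound to {f['conns_bound_to']}")
    print("with %defaultroute:", fixed_findings)
```

Run as-is it reports one finding per unauthorised attempt for the hostname-bound conn and none for the `%defaultroute` conn. The same `diagnose()` regex can be pointed at a real /var/log/secure to confirm which local address the road warrior is actually hitting before touching the firewall.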
I managed to get a similar setup running but with Freeswan 2.01. I have a Linux gateway attached to a cable modem with freeswan masquerading a subnet behind it and then a Windows XP roadwarrior connecting via dialup. Here is my howto if it helps you: http://cmisip.home.insightbb.com/freeswan.htm

On Sun, 2003-10-26 at 12:00, Noël Nachtegael wrote:
> hi,
>
> I can't get a freeswan 2.02 ipsec x509 connection at work
> can somebody help me?
> [...]

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm