VPN problems (FreeS/WAN - Win2k Sp4)

Sauzer

Hi everyone.

I'm trying to set up a VPN between a Debian Linux machine (Kernel 2.4.25) with FreeS/WAN 2.05 and a Windows 2000 Sp4 client.

To do all the work I followed this guide (pdf, doc).

To cut a long story short, after duly applying the X.509 patch to FreeS/WAN, and the IPSEC Policy Configuration Tool and the High Encryption Pack (128-bit) patch to Windows, I went on to create the certificates on the Linux server and exported them to Win2k. I then configured ipsec.conf accordingly and created the negotiation rules on the Windows client.

We ran a test on the local network, connecting the server and the client directly, and everything went fine.

Unfortunately, the final use differs considerably from the test one. In fact, to connect, the client uses an ADSL modem where it is not really clear which one the gateway is.

The result of the failed connection is contained in the log below:

Mar 11 17:01:13 localhost ipsec__plutorun: Starting Pluto subsystem...
Mar 11 17:01:13 localhost pluto[1105]: Starting Pluto (FreeS/WAN Version 2.05 X.509-1.5.3 PLUTO_USES_KEYRR)
Mar 11 17:01:13 localhost pluto[1105]: Using KLIPS IPsec interface code
Mar 11 17:01:13 localhost pluto[1105]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 11 17:01:13 localhost pluto[1105]: loaded CA cert file 'cacert.pem' (1403 bytes)
Mar 11 17:01:13 localhost pluto[1105]: Could not change to directory '/etc/ipsec.d/aacerts'
Mar 11 17:01:13 localhost pluto[1105]: Changing to directory '/etc/ipsec.d/ocspcerts'
Mar 11 17:01:13 localhost pluto[1105]: Changing to directory '/etc/ipsec.d/crls'
Mar 11 17:01:13 localhost pluto[1105]: loaded crl file 'crl.pem' (617 bytes)
Mar 11 17:01:13 localhost pluto[1105]: loaded host cert file '/etc/ipsec.d/certs/freeswan-cert.pem' (4657 bytes)
Mar 11 17:01:13 localhost pluto[1105]: loaded host cert file '/etc/ipsec.d/certs/client-cert.pem' (4634 bytes)
Mar 11 17:01:13 localhost pluto[1105]: added connection description "freeswan2windows"
Mar 11 17:01:13 localhost pluto[1105]: listening for IKE messages
Mar 11 17:01:13 localhost pluto[1105]: adding interface ipsec0/eth1 xxx.xxx.xxx.xxx
Mar 11 17:01:13 localhost pluto[1105]: loading secrets from "/etc/ipsec.secrets"
Mar 11 17:01:13 localhost pluto[1105]: loaded private key file '/etc/ipsec.d/private/freeswan-priv.pem' (2736 bytes)
Mar 11 17:02:09 localhost pluto[1105]: packet from yyy.yyy.yyy.yyy:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Mar 11 17:02:09 localhost pluto[1105]: "freeswan2windows" #1: responding to Main Mode
Mar 11 17:02:10 localhost pluto[1105]: "freeswan2windows" #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
Mar 11 17:02:10 localhost pluto[1105]: "freeswan2windows" #1: malformed payload in packet
Mar 11 17:02:10 localhost pluto[1105]: "freeswan2windows" #1: sending encrypted notification PAYLOAD_MALFORMED to yyy.yyy.yyy.yyy:500
Mar 11 17:03:19 localhost pluto[1105]: "freeswan2windows" #1: max number of retransmissions (2) reached STATE_MAIN_R2
Mar 11 17:03:51 localhost pluto[1105]: packet from yyy.yyy.yyy.yyy:500: Informational Exchange is for an unknown (expired?) SA
Mar 11 17:18:34 localhost pluto[1105]: packet from yyy.yyy.yyy.yyy:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Mar 11 17:18:34 localhost pluto[1105]: "freeswan2windows" #2: responding to Main Mode
Mar 11 17:18:34 localhost pluto[1105]: "freeswan2windows" #2: next payload type of ISAKMP Hash Payload has an unknown value: 151
Mar 11 17:18:34 localhost pluto[1105]: "freeswan2windows" #2: malformed payload in packet
Mar 11 17:18:34 localhost pluto[1105]: "freeswan2windows" #2: sending encrypted notification PAYLOAD_MALFORMED to yyy.yyy.yyy.yyy:500
Mar 11 17:19:44 localhost pluto[1105]: "freeswan2windows" #2: max number of retransmissions (2) reached STATE_MAIN_R2
Mar 11 17:20:12 localhost pluto[1105]: packet from yyy.yyy.yyy.yyy:500: Informational Exchange is for an unknown (expired?) SA
Mar 11 17:39:41 localhost pluto[1105]: shutting down
Mar 11 17:39:41 localhost pluto[1105]: forgetting secrets
Mar 11 17:39:41 localhost pluto[1105]: "freeswan2windows": deleting connection
Mar 11 17:39:41 localhost pluto[1105]: shutting down interface ipsec0/eth1 xxx.xxx.xxx.xxx


Thanx... :)
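
The two parse errors in the log above ("byte 2 ... must be zero" and "next payload type ... has an unknown value: 151") refer to the 4-byte generic payload header defined in RFC 2408: next payload, reserved, length. As an added example, not part of the original post and not Pluto's code, this Python walker applies those header checks to constructed byte strings; the function name, the message wording and the sample bytes are assumptions.

```python
import struct

# ISAKMP payload types from RFC 2408 section 3.1 (0 means "no next payload").
KNOWN = {0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
         6: "CERT", 7: "CR", 8: "Hash", 9: "SIG", 10: "Nonce", 11: "N",
         12: "D", 13: "VID"}

def walk_payloads(first_type, body):
    """Walk a payload chain; return (names parsed, error string or None)."""
    seen, ptype, off = [], first_type, 0
    while ptype != 0:
        if ptype not in KNOWN:
            return seen, f"unknown first payload type: {ptype}"
        name = KNOWN[ptype]
        if len(body) - off < 4:
            return seen, f"ISAKMP {name} Payload is truncated"
        # Generic header: next payload (1 byte), reserved (1 byte),
        # total payload length including this header (2 bytes, big-endian).
        nxt, reserved, length = struct.unpack_from("!BBH", body, off)
        if reserved != 0:
            return seen, f"byte 2 of ISAKMP {name} Payload must be zero, but is not"
        if nxt not in KNOWN:
            return seen, (f"next payload type of ISAKMP {name} Payload "
                          f"has an unknown value: {nxt}")
        if length < 4 or off + length > len(body):
            return seen, f"ISAKMP {name} Payload has an invalid length: {length}"
        seen.append(name)
        ptype, off = nxt, off + length
    return seen, None

# Constructed sample bodies (not captured traffic).
# A well-formed chain: an ID payload followed by a 20-byte Hash payload.
ID_THEN_HASH = (struct.pack("!BBH", 8, 0, 12) + bytes(8) +
                struct.pack("!BBH", 0, 0, 24) + bytes(20))
# Reserved byte is non-zero, as in the error logged for state #1.
BAD_RESERVED = struct.pack("!BBH", 5, 0x7C, 24) + bytes(20)
# Next-payload byte is 151, as in the error logged for state #2.
BAD_NEXT = struct.pack("!BBH", 151, 0, 24) + bytes(20)

if __name__ == "__main__":
    for first, body in ((5, ID_THEN_HASH), (8, BAD_RESERVED), (8, BAD_NEXT)):
        print(walk_payloads(first, body))
```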
 
