On Thu, Dec 25, 2003 at 04:18:39PM +0100, Valentin Vidic wrote:
> On Wed, Dec 24, 2003 at 12:49:31AM +0000, Antony Gelberg wrote:
> > My first post here - long time d-u subscriber. I'm trying to set up a
> > VPN where WinXP roadwarriors can access a LAN that sits behind a Linux
> > router. I want to use X.509 certificates rather than PSKs.
>
> I managed to set up a VPN dial-up connection from Windows Dial-up
> Networking to Debian running superfreeswan and l2tpd - so it is
> possible to do this (although not too easy). I used l2tpd 0.69-7jdl and
> freeswan 1.99.8.
>
> > When I try to log in, I get "Error 792: The L2TP connection attempt
> > failed because security negotiation timed out." I don't get any
> > "verifying username..." message.
>
> As usual this doesn't tell much. Error messages on the Linux side are
> a lot better. Also try monitoring the traffic with tcpdump on different
> interfaces (depending on the part of connection you managed to get
> working you should either monitor eth0, ipsec0 or ppp0). Try checking
> /var/log/auth.log for IPSec messages. A successful connection looks
Aha. That's the logfile that I was looking for - what a help. I've
snipped some relevant stuff, and put comments inline. If you have any
ideas I'd be interested:

Dec 26 00:09:44 mailhost ipsec__plutorun: Starting Pluto subsystem...
Dec 26 00:09:44 mailhost Pluto[4416]: Starting Pluto (FreeS/WAN Version 1.96)
Dec 26 00:09:44 mailhost Pluto[4416]: including X.509 patch (Version 0.9.9)
Dec 26 00:09:44 mailhost Pluto[4416]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 26 00:09:44 mailhost Pluto[4416]: loaded cacert file 'cacert.pem' (1647 bytes)
Dec 26 00:09:44 mailhost Pluto[4416]: Changing to directory '/etc/ipsec.d/crls'
Dec 26 00:09:44 mailhost Pluto[4416]: loaded crl file 'crl.pem' (694 bytes)
Dec 26 00:09:44 mailhost Pluto[4416]: loaded my X.509 cert file '/etc/x509cert.der' (700 bytes)
Dec 26 00:09:44 mailhost Pluto[4416]: | from whack: got --esp=3des
Dec 26 00:09:44 mailhost Pluto[4416]: loaded host cert file '/etc/ipsec.d/mailhostCert.pem' (5049 bytes)
Dec 26 00:09:44 mailhost Pluto[4416]: added connection description "mailhost-rw"
Dec 26 00:09:44 mailhost Pluto[4416]: listening for IKE messages
Dec 26 00:09:44 mailhost Pluto[4416]: adding interface ipsec0/eth1 195.54.235.74
Dec 26 00:09:44 mailhost Pluto[4416]: loading secrets from "/etc/ipsec.secrets"
Dec 26 00:09:44 mailhost Pluto[4416]: loaded private key file '/etc/ipsec.d/private/mailhostKey.pem' (1751 bytes)
Dec 26 00:09:44 mailhost Pluto[4416]: file coded in unknown format, discarded
Dec 26 00:09:44 mailhost Pluto[4416]: "/etc/ipsec.secrets" line 1: error loading RSA private key file

The above two lines don't look too good. I assume that it means that
/etc/ipsec.secrets is ok, and that there is a problem with
/etc/ipsec.d/private/mailhostKey.pem?

mailhost:~# cat /etc/ipsec.secrets
: RSA /etc/ipsec.d/private/mailhostKey.pem "xxx"

Note that the xxx is really the "export password" that I gave when I
generated the key.
Dec 26 00:10:04 mailhost Pluto[4416]: packet from 82.68.107.174:500: ignoring Vendor ID payload
Dec 26 00:10:04 mailhost Pluto[4416]: "mailhost-rw" 82.68.107.174 #1: responding to Main Mode from unknown peer 82.68.107.174
Dec 26 00:10:05 mailhost Pluto[4416]: "mailhost-rw" 82.68.107.174 #1: Peer ID is ID_DER_ASN1_DN: 'C=UK, ST=Some-State, L=London, O=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'
Dec 26 00:10:05 mailhost Pluto[4416]: "mailhost-rw" 82.68.107.174 #1: no suitable connection for peer 'C=UK, ST=Some-State, L=London, O=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'

I guess that the "no suitable connection" is because of the above
problem?

A
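The two log lines "file coded in unknown format, discarded" and "error loading RSA private key file" say that Pluto read the key file but could not parse its encoding, so the first thing to pin down is what encoding the file actually has and whether the `: RSA <file> "passphrase"` line in ipsec.secrets is consistent with it. The script below is an added diagnostic, not part of this thread or of FreeS/WAN: it parses an ipsec.secrets RSA line, classifies a PEM private key by its armour and `Proc-Type`/`DEK-Info` headers (traditional PKCS#1 "RSA PRIVATE KEY", optionally passphrase-encrypted, versus PKCS#8 "PRIVATE KEY" / "ENCRYPTED PRIVATE KEY"), and flags a passphrase/encryption mismatch. The assumption that a FreeS/WAN X.509 patch of that era expects the traditional PKCS#1 form is the author's of this example, and all file contents here are constructed header-only stand-ins, not real key material.

```python
"""Classify a PEM private key and cross-check it against an ipsec.secrets RSA line.

Added example, not code from the thread or from FreeS/WAN. Assumption (not
confirmed by the thread): the X.509 patch expects a traditional PKCS#1
"-----BEGIN RSA PRIVATE KEY-----" PEM, so anything else is a likely cause of
"file coded in unknown format, discarded".
"""
import re

# Constructed sample of the ipsec.secrets line quoted in the thread (passphrase redacted there too).
SAMPLE_SECRETS = ': RSA /etc/ipsec.d/private/mailhostKey.pem "xxx"\n'

# Constructed PEM fragments: armour and headers only, no real key material.
PEM_PKCS1_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIB...\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PEM_PKCS1_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n"
    "MIIB...\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PEM_PKCS8_ENCRYPTED = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "MIIE...\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)
PEM_PKCS8_PLAIN = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIE...\n"
    "-----END PRIVATE KEY-----\n"
)

# ': RSA <path> "passphrase"' with the quoted passphrase optional.
SECRET_RE = re.compile(r'^\s*:\s*RSA\s+(\S+)(?:\s+"([^"]*)")?\s*$')


def parse_rsa_secret(line):
    """Return (path, passphrase_or_None) for an RSA line of ipsec.secrets, else None."""
    m = SECRET_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2)


def classify_pem(text):
    """Describe a private-key blob's encoding from its PEM armour and headers."""
    text = text.replace("\r\n", "\n")
    first = next((l for l in text.splitlines() if l.startswith("-----BEGIN")), None)
    if first is None:
        # No armour at all: raw DER, or not a key file.
        return "not-pem"
    if first == "-----BEGIN RSA PRIVATE KEY-----":
        if re.search(r"^Proc-Type: 4,ENCRYPTED$", text, re.M):
            m = re.search(r"^DEK-Info: ([A-Z0-9-]+),", text, re.M)
            return "pkcs1-encrypted:" + (m.group(1) if m else "unknown")
        return "pkcs1-plain"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "pkcs8-encrypted"
    if first == "-----BEGIN PRIVATE KEY-----":
        return "pkcs8-plain"
    return "pem-other:" + first


def check(secret_line, pem_text):
    """Report the key encoding and whether the ipsec.secrets passphrase matches it."""
    parsed = parse_rsa_secret(secret_line)
    if parsed is None:
        return "secrets-line-unparsed"
    path, passphrase = parsed
    kind = classify_pem(pem_text)
    encrypted = "encrypted" in kind
    if encrypted and passphrase is None:
        return f"{kind}: key is encrypted but no passphrase given for {path}"
    if not encrypted and passphrase is not None:
        return f"{kind}: passphrase given but key {path} is not encrypted"
    return f"{kind}: consistent"


def check_files(secrets_path):
    """Same check against real files: read ipsec.secrets and each referenced key."""
    results = []
    with open(secrets_path) as f:
        for line in f:
            parsed = parse_rsa_secret(line)
            if parsed is None:
                continue
            with open(parsed[0]) as k:
                results.append(check(line, k.read()))
    return results


if __name__ == "__main__":
    for name, pem in [("pkcs1 plain", PEM_PKCS1_PLAIN), ("pkcs1 encrypted", PEM_PKCS1_ENCRYPTED),
                      ("pkcs8 encrypted", PEM_PKCS8_ENCRYPTED), ("pkcs8 plain", PEM_PKCS8_PLAIN)]:
        print(f"{name:16} -> {check(SAMPLE_SECRETS, pem)}")
```

Run it as `python3 keycheck.py` to see the constructed cases, or call `check_files("/etc/ipsec.secrets")` on a host to check the real files; a result other than a PKCS#1 encoding, or a passphrase that does not match the key's encryption state, is where to look before touching the connection definition.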