On Wed, Dec 31, 2003 at 04:04:39PM +0100, Reinhold Plew wrote:
> maybe you need this in your ipsec.conf to disable OE

Thanks to you and Andreas, that worked great. I'm now getting this in my
/var/log/auth.log:

Jan 2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: Peer ID is ID_DER_ASN1_DN: 'C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'
Jan 2 00:30:35 mailhost pluto[7154]: "mailhost-rw"[2] 82.68.107.174 #2: no suitable connection for peer 'C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'

Here's my current ipsec.conf (excluding the OE disable part):

conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn mailhost-rw
    type=transport
    left=195.54.235.74
    leftcert=mailhostCert.pem
    leftprotoport=17/0
    right=%any
    rightprotoport=17/1701
    auto=add
    keyingtries=1
    pfs=no

I have tried generating a new CA, certificate, and key, but no joy. I must
be very close now, but still no cigar.

This might be useful as well:

mailhost:/usr/local/sslca# ipsec auto --status
000 interface ipsec0/eth1 195.54.235.74
000
000 debug none
000
000 "mailhost-rw": 195.54.235.74[C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]:17/0...%any:17/1701
000 "mailhost-rw": CAs: 'C=UK, ST=UK, L=London, O=British WIZO, OU=British WIZO, CN=British WIZO, [EMAIL PROTECTED]'...'%any'
000 "mailhost-rw": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mailhost-rw": policy: RSASIG+ENCRYPT; interface: eth1; unrouted
000 "mailhost-rw": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "mailhost-rw": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, flags=-strict
000 "mailhost-rw": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
000 "mailhost-rw": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "mailhost-rw": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000
000

If there is any more log info that would be useful, please let me know what
to post. A