[strongSwan] IPSec connection between Windows XP and Debian

Andreas Steffen andreas.steffen at strongswan.org
Tue Sep 7 13:22:24 CEST 2010


Hello Rafal,

Both sides try to send the first IKE packet. Using Wireshark
or tcpdump, do you see any IKE packets (UDP port 500) leaving
or entering the hosts?

Regards

Andreas

On 07.09.2010 00:03, Rafał Jeleśniański wrote:
> Hello,
> I try to establish an IPSec connection with StrongSwan (4.4.1) between these
> two machines.
> Testing environment:
> Virtualbox 3.2.8
> 1st Machine (172.16.100.11) - Debian Testing (kernel: 2.6.32-5-686)
> 2nd Machine (172.16.100.7) - Windows XP Pro SP3
> Type of connection: bridged
> I use this example: 
> http://www.strongswan.org/uml/testresults43/ikev1/host2host-cert/
> -----------------------
> Steps that I do on Debian:
> 1. apt-get update
> 2. apt-get install build-essential
> 3. apt-get install libgmp3-dev
> 4. apt-get install libssl-dev
> 5. wget http://download.strongswan.org...
> 6. tar ... ; cd strongswan...
> 7. ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl
> 8. make
> 9. make install
> 10. Making a CA with this tutorial:
> http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
> 11. I generate separate keys and certs for both machines
> 12. I convert caKey to pem format (openssl x509 -inform der -in 
> caCert.der -out caCert.pem)
> 13. I convert the cert for the Windows machine:
> openssl pkcs12 -export -inkey /etc/ipsec.d/winxp1pcKey.pem -in 
> /etc/ipsec.d/winxp1pcCert.pem -name "winxp1pc" -certfile 
> /etc/ipsec.d/cacerts/caCert.pem -caname "Rafal CA" -out winxp1pcCert.p12
> 14. I edit the appropriate files and make changes (I based them on the moon files -
> ipsec.conf, ipsec.secrets, strongswan.conf)
> 15. ipsec restart
> Steps that I do on Windows:
> 1. Import certs from the pkcs12 file. I move the RootCA cert to the appropriate folder
> 2. I create a new IP security policy
> almost like in this tutorial: http://www.freebsddiary.org/ipsec-wireless-xp.php
> 3. Source address - My IP Address; Destination address - 172.16.100.11;
> Tunnel end-point: 172.16.100.11;
> 4. Authentication Method: certificate, that I imported
> ...
> 5. Assign my new IP security policy
> I try to establish the connection but it doesn't work.
> When I execute ipsec up host-host on Debian I receive these messages:
> 002 "host-host" #2: initiating Main Mode
> 104 "host-host" #2 STATE_MAIN_I1: initiate
> 010 "host-host" #2 STATE_MAIN_I1: retransmission; will wait 20s for response
> 010 "host-host" #2 STATE_MAIN_I1: retransmission; will wait 40s for response
> 031 "host-host" #2 max number of retransmissions (2) reached 
> STATE_MAIN_I1. No response (or no acceptable response) to our first IKE 
> message.
> 
> On the Windows machine, when I try to ping 172.16.100.11, I only receive the message:
> negotiating IP security
> 
> I don't have experience in configuring strongswan.
> If somebody can explain how (step by step) to configure a host to host ipsec
> connection between linux with strongswan and windows xp I would be very thankful.
> 
> If you need any extra information - just tell me ;)
> 
> P.S. Sorry for my horrible English ;)
> Regards
> Rafal from POLAND.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
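
Added example (not part of the original message and not strongSwan code): a small Python check for the question asked above, whether first IKE packets on UDP port 500 leave or enter a host and whether any reply comes back. It reads the fixed ISAKMP header (RFC 2408) from UDP payloads that are assumed to have been exported from a tcpdump or Wireshark capture as (src, dst, dst_port, payload) tuples; the function names, status strings and sample capture are constructed for illustration.

```python
import struct
from collections import namedtuple

IKE_PORT = 500
ZERO_COOKIE = bytes(8)
HEADER = struct.Struct("!8s8sBBBBII")  # fixed 28-byte ISAKMP header (RFC 2408, 3.1)
IkeHeader = namedtuple("IkeHeader", "icookie rcookie version exchange length")

def parse_isakmp_header(payload):
    """Decode the fixed ISAKMP header at the start of a UDP/500 payload."""
    if len(payload) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, _next, version, exchange, _flags, _msgid, length = \
        HEADER.unpack_from(payload)
    return IkeHeader(icookie, rcookie, version, exchange, length)

def diagnose(packets, local_ip):
    """Classify a capture of (src, dst, dst_port, udp_payload) tuples."""
    sent_first = recv_first = got_reply = False
    for src, dst, dport, payload in packets:
        if dport != IKE_PORT:
            continue
        try:
            hdr = parse_isakmp_header(payload)
        except ValueError:
            continue  # not IKE, or cut short by the capture snap length
        opening = hdr.rcookie == ZERO_COOKIE  # responder cookie still unset
        if opening and src == local_ip:
            sent_first = True
        elif opening and dst == local_ip:
            recv_first = True
        elif dst == local_ip:
            got_reply = True
    if got_reply:
        return "peer-replied"
    if sent_first and recv_first:
        return "both-initiate-no-reply"
    if sent_first:
        return "outbound-only"
    return "inbound-only" if recv_first else "no-ike-traffic"

def first_message(icookie):
    """Constructed sample: header of a Main Mode opening message, payloads omitted."""
    return HEADER.pack(icookie, ZERO_COOKIE, 1, 0x10, 2, 0, 0, HEADER.size)

# Constructed capture using the two addresses from the post.
DEBIAN, WINXP = "172.16.100.11", "172.16.100.7"
SAMPLE = [(DEBIAN, WINXP, 500, first_message(b"DEBIAN01"))] * 3 \
       + [(WINXP, DEBIAN, 500, first_message(b"WINXP001"))]
```

For the constructed capture, diagnose(SAMPLE, DEBIAN) returns "both-initiate-no-reply": each host sends an opening message with an empty responder cookie and neither answers the other.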