[strongSwan] IPSec connection between Windows XP and Debian

Rafał Jeleśniański rafal.jelesnianski at wp.pl
Tue Sep 7 19:02:18 CEST 2010


Hello Andreas,
I captured packets on both machines.
Details from Wireshark (Windows XP Machine):
http://nerio.pccentre.pl/inne/packets.zip
Details from Tcpdump (Debian):
http://img696.imageshack.us/img696/4490/tcpdumpdebian.png
Thanks and regards,
Rafał from POLAND

On 2010-09-07 13:22, Andreas Steffen wrote:
> Hi Rafal,
>
> both sides try to send the first IKE packet. Using Wireshark
> or tcpdump, do you see any IKE packets (UDP port 500) leaving
> or entering the hosts?
>
> Regards
>
> Andreas
>
> On 07.09.2010 00:03, Rafał Jeleśniański wrote:
>>    Hello,
>> I try to establish an IPSec connection with StrongSwan (4.4.1) between these
>> two machines.
>> Testing environment:
>> Virtualbox 3.2.8
>> 1st Machine (172.16.100.11) - Debian Testing (kernel: 2.6.32-5-686)
>> 2nd Machine (172.16.100.7) - Windows XP Pro SP3
>> Type of connection: bridged
>> I use this example:
>> http://www.strongswan.org/uml/testresults43/ikev1/host2host-cert/
>> -----------------------
>> Steps that I do on Debian:
>> 1. apt-get update
>> 2. apt-get install build-essential
>> 3. apt-get install libgmp3-dev
>> 4. apt-get install libssl-dev
>> 5. wget http://download.strongswan.org...
>> 6. tar ... ; cd strongswan...
>> 7. ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl
>> 8. make
>> 9. make install
>> 10. Making a CA with this tutorial:
>> http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>> 11. I generate separate keys and certs for both machines
>> 12. I convert caKey to PEM format (openssl x509 -inform der -in
>> caCert.der -out caCert.pem)
>> 13. I convert the cert for the Windows machine:
>> openssl pkcs12 -export -inkey /etc/ipsec.d/winxp1pcKey.pem -in
>> /etc/ipsec.d/winxp1pcCert.pem -name "winxp1pc" -certfile
>> /etc/ipsec.d/cacerts/caCert.pem -caname "Rafal CA" -out winxp1pcCert.p12
>> 14. I edit the appropriate files and make changes (I based them on the moon files -
>> ipsec.conf, ipsec.secrets, strongswan.conf)
>> 15. ipsec restart
>> Steps that I do on Windows:
>> 1. Import certs from the pkcs12 file. I move the RootCA cert to the appropriate folder
>> 2. I create a new IP security policy
>> almost like in this tutorial: http://www.freebsddiary.org/ipsec-wireless-xp.php
>> 3. Source address - My IP Address; Destination address - 172.16.100.11;
>> Tunnel end-point: 172.16.100.11;
>> 4. Authentication Method: the certificate that I imported
>> ...
>> 5. Assign my new IP security policy
>> I try to establish the connection but it doesn't work.
>> When I execute ipsec up host-host on Debian I receive these messages:
>> 002 "host-host" #2: initiating Main Mode
>> 104 "host-host" #2 STATE_MAIN_I1: initiate
>> 010 "host-host" #2 STATE_MAIN_I1: retransmission; will wait 20s for response
>> 010 "host-host" #2 STATE_MAIN_I1: retransmission; will wait 40s for response
>> 031 "host-host" #2 max number of retransmissions (2) reached
>> STATE_MAIN_I1. No response (or no acceptable response) to our first IKE
>> message.
>>
>> On the Windows machine, when I try to ping 172.16.100.11 I only receive the message:
>> negotiating IP security
>>
>> I don't have experience in configuring strongSwan.
>> If somebody can explain how (step by step) to configure a host-to-host IPsec
>> connection between Linux with strongSwan and Windows XP, I would be very thankful.
>>
>> If you need any extra information - just tell me ;)
>>
>> P.S. Sorry for my horrible English ;)
>> Regards
>> Rafal from POLAND.
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
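The check Andreas asks for above (do IKE packets on UDP port 500 leave or enter each host, and is each side only sending the first packet) can be run over a capture by decoding the ISAKMP header. The following Python code is an added example, not part of the thread or of strongSwan; `parse_isakmp`, `diagnose` and `first_message` are hypothetical names, and the sample packets are constructed, header-only messages that reuse the two addresses from the post.

```python
import struct

# ISAKMP header, RFC 2408 section 3.1: cookies, next payload, version,
# exchange type, flags, message ID, total length (28 bytes, network order).
HDR = struct.Struct("!8s8sBBBBII")
MAIN_MODE = 2            # "Identity Protection" exchange used by IKEv1 Main Mode
NO_COOKIE = bytes(8)     # responder cookie is all zero in the first message

def parse_isakmp(payload):
    """Decode the fixed ISAKMP header from a UDP/500 payload."""
    if len(payload) < HDR.size:
        raise ValueError("payload shorter than an ISAKMP header")
    icookie, rcookie, _np, version, exch, _flags, _msgid, length = HDR.unpack_from(payload)
    if length != len(payload):
        raise ValueError("ISAKMP length field does not match the datagram")
    return {"icookie": icookie, "rcookie": rcookie, "version": version,
            "exchange": exch, "first_message": rcookie == NO_COOKIE}

def diagnose(packets):
    """packets: (src_ip, dst_ip, udp_payload) tuples captured on UDP port 500."""
    initiators, responders = set(), set()
    for src, _dst, payload in packets:
        try:
            hdr = parse_isakmp(payload)
        except ValueError:
            continue                      # not IKE, or truncated by the snap length
        if hdr["exchange"] != MAIN_MODE:
            continue
        (initiators if hdr["first_message"] else responders).add(src)
    if responders:
        return "negotiating: %s answered" % ", ".join(sorted(responders))
    if len(initiators) > 1:
        return "both peers initiate, neither answers"
    if initiators:
        return "only %s initiates, no reply seen" % next(iter(initiators))
    return "no IKE Main Mode traffic captured"

def first_message(cookie):
    """Constructed Main Mode message 1: header only, payloads omitted, v1.0."""
    return HDR.pack(cookie, NO_COOKIE, 0, 0x10, MAIN_MODE, 0, 0, HDR.size)

# Constructed capture (assumption, not data from the thread): each host
# retransmits its own first message and never answers the other one.
SAMPLE = [
    ("172.16.100.11", "172.16.100.7", first_message(b"\x11" * 8)),
    ("172.16.100.7", "172.16.100.11", first_message(b"\x77" * 8)),
    ("172.16.100.11", "172.16.100.7", first_message(b"\x11" * 8)),
]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A capture taken with a short snap length fails the length check and is skipped, so capture full datagrams before relying on the verdict.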