[strongSwan] Error 13801 in windows

Andreas Steffen andreas.steffen at strongswan.org
Wed Jun 8 15:42:53 CEST 2011


Could you run tcpdump or wireshark on the strongSwan host and
check if any ESP packets are arriving from the Windows client?
You should also be able to see the inbound decrypted ICMP requests.
In the outbound direction only ESP packets are visible but
they are probably missing.

Regards

Andreas

On 06/08/2011 02:15 PM, Kamil Jońca wrote:
> Andreas Steffen
> <andreas.steffen at strongswan.org> writes:
> 
>> Czesc Kamil,
>>
>> strongSwan uses ',' and '/' as reserved characters to separate
>> Relative Distinguished Names in an X.509 Distinguished Name.
>> Therefore CN=host/bambus at KJONCA will be incorrectly encoded.
>> Could you generate another certificate not containing a '/'
>> character?
> 
> I have generated one, and Win says that it is connected, but I cannot ping
> the "other peer"
> 
> 
> --8<---------------cut here---------------start------------->8---
> 2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] received cert request for unknown ca with keyid 07:15:28:6d:70:73:aa:b2:8a:7c:0f:86:ce:38:93:00:38:05:8a:b1
> 2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] received end entity cert "C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca"
> 2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] looking for peer configs matching 192.168.200.200[%any]...80.50.55.206[C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca]
> 2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] selected peer config 'bambus'
> 2011-06-08T13:55:47+02:00 alfa charon: 15[CFG]   using certificate "C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca"
> 2011-06-08T13:55:47+02:00 alfa charon: 15[CFG]   using trusted ca certificate "C=PL, ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, CN=openswan--kjonca.kjonca"
> 2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] checking certificate status of "C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca"
> 2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] certificate status is not available
> 2011-06-08T13:55:47+02:00 alfa charon: 15[CFG]   reached self-signed root ca with a path length of 0
> 2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] authentication of 'C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca' with RSA signature successful
> 2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] peer supports MOBIKE
> 2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] authentication of 'C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=alfa.kjonca' (myself) with RSA signature successful
> 2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] IKE_SA bambus[16] established between 192.168.200.200[C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=alfa.kjonca]...80.50.55.206[C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca]
> 2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] scheduling reauthentication in 9941s
> 2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] maximum IKE_SA lifetime 10481s
> 2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] sending end entity cert "C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=alfa.kjonca"
> 2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] peer requested virtual IP %any6
> 2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] reassigning offline lease to 'C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca'
> 2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] assigning virtual IP 192.168.200.211 to peer 'C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca'
> 2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] CHILD_SA bambus{3} established with SPIs c1dbbfcc_i ca8b9d08_o and TS 192.168.200.0/24 === 192.168.200.211/32
> 2011-06-08T13:55:47+02:00 alfa charon: 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
> 2011-06-08T13:55:47+02:00 alfa charon: 15[NET] sending packet: from 192.168.200.200[4500] to 80.50.55.206[4500]
> 2011-06-08T13:55:47+02:00 alfa charon: 08[KNL] NAT mappings of ESP CHILD_SA with SPI c1dbbfcc and reqid {3} changed, queuing update job
> 2011-06-08T13:55:47+02:00 alfa charon: 08[KNL] NAT mappings of ESP CHILD_SA with SPI c1dbbfcc and reqid {3} changed, queuing update job
> 2011-06-08T13:55:48+02:00 alfa charon: 08[KNL] NAT mappings of ESP CHILD_SA with SPI c1dbbfcc and reqid {3} changed, queuing update job
> --8<---------------cut here---------------end--------------->8---
> KJ
> 
> 
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
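
Added example (not part of the original message, and not strongSwan code): a small script that pulls the values needed for the packet capture suggested above out of the charon log quoted in this thread. The names `summarize`, `capture_filter` and `SAMPLE_LOG` are hypothetical, and the sample lines are copied from the quoted log.

```python
import re
from collections import Counter

# Constructed sample: four kinds of charon lines taken from the log quoted in this thread.
SAMPLE_LOG = """\
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] CHILD_SA bambus{3} established with SPIs c1dbbfcc_i ca8b9d08_o and TS 192.168.200.0/24 === 192.168.200.211/32
2011-06-08T13:55:47+02:00 alfa charon: 15[NET] sending packet: from 192.168.200.200[4500] to 80.50.55.206[4500]
2011-06-08T13:55:47+02:00 alfa charon: 08[KNL] NAT mappings of ESP CHILD_SA with SPI c1dbbfcc and reqid {3} changed, queuing update job
2011-06-08T13:55:47+02:00 alfa charon: 08[KNL] NAT mappings of ESP CHILD_SA with SPI c1dbbfcc and reqid {3} changed, queuing update job
2011-06-08T13:55:48+02:00 alfa charon: 08[KNL] NAT mappings of ESP CHILD_SA with SPI c1dbbfcc and reqid {3} changed, queuing update job
"""

CHILD_RE = re.compile(
    r"CHILD_SA ([^\s{]+)\{\d+\} established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
NET_RE = re.compile(r"sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
NAT_RE = re.compile(r"NAT mappings of ESP CHILD_SA with SPI ([0-9a-f]+) .* changed")


def summarize(log):
    """Return (CHILD_SAs by name, last peer (ip, port), NAT-change count per SPI)."""
    sas, peer, nat_changes = {}, None, Counter()
    for line in log.splitlines():
        if m := CHILD_RE.search(line):
            # spi_in is the SPI carried by packets arriving from the peer
            sas[m.group(1)] = {"spi_in": m.group(2), "spi_out": m.group(3)}
        elif m := NET_RE.search(line):
            peer = (m.group(3), int(m.group(4)))
        elif m := NAT_RE.search(line):
            nat_changes[m.group(1)] += 1
    return sas, peer, nat_changes


def capture_filter(peer):
    """Build a tcpdump/pcap filter expression for the peer's ESP traffic."""
    host, port = peer
    # IKE on port 4500 means NAT traversal is in use: ESP then travels inside
    # UDP/4500, so a filter on IP protocol 50 ("esp") alone would show nothing.
    proto = "udp port 4500" if port == 4500 else "esp"
    return f"host {host} and {proto}"


if __name__ == "__main__":
    sas, peer, nat_changes = summarize(SAMPLE_LOG)
    for name, spis in sas.items():
        print(f"{name}: inbound SPI 0x{spis['spi_in']}, outbound SPI 0x{spis['spi_out']}, "
              f"NAT mapping changes logged: {nat_changes[spis['spi_in']]}")
    print("tcpdump -ni <interface> '" + capture_filter(peer) + "'")
```

The inbound SPI is the value to look for in packets arriving from the Windows client; `<interface>` is a placeholder for the capture interface on the strongSwan host.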