Who is logged in? How can I delete a tunnel?

You can see which road warriors are logged in, and the syntax for removing their connection, with the following simple shell script.


Why do I get 'error in X.509 certificate' in /var/log/messages?

If you get something in your messages log that looks like:

Dec 7 18:20:46 ipcop pluto[3084]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 7 18:20:46 ipcop pluto[3084]: loaded cacert file 'cakey.pem' (1679 bytes)
Dec 7 18:20:46 ipcop pluto[3084]: error in X.509 certificate
Dec 7 18:20:46 ipcop pluto[3084]: loaded cacert file 'cacert.pem'

you can safely ignore it. Openswan tries to load every file found in /etc/ipsec.d/cacerts as an X.509 certificate, but the file 'cakey.pem' is not a certificate, so loading it (correctly) fails.

Why do I get the warning 'crl update is overdue' in my logfile?

When you generate your host certificates, IPCop does the following for you (in vpnmain.cgi):

system('/usr/bin/openssl', 'ca', '-gencrl','-out', "${swroot}/crls/cacrl.pem");

This creates an empty Certificate Revocation List (CRL). IPCop does not pass the -crldays parameter, so openssl uses its default of 30 days and Openswan will expect the file to be updated within that time. To see the current status of all certificates type:

ipsec auto --listall
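The check behind that warning, as an added example (not IPCop's or Openswan's own code): it parses the validity window that openssl reports for a CRL, tells you whether nextUpdate has already passed, and prints the vpnmain.cgi command with the -crldays parameter added. Run it from any host with Python and openssl against a copy of cacrl.pem; the /var/ipcop path for ${swroot} and the 365-day value are assumptions, and the sample openssl output is constructed.

```python
"""Check whether an IPCop/Openswan CRL is past its nextUpdate ('crl update is overdue')."""
import subprocess
import sys
from datetime import datetime, timezone

OPENSSL_DATE = "%b %d %H:%M:%S %Y"  # e.g. "Jan  6 18:20:46 2005" once "GMT" is stripped

# Constructed sample of what `openssl crl -noout -lastupdate -nextupdate` prints for a
# CRL generated without -crldays: nextUpdate is exactly 30 days after lastUpdate.
SAMPLE_OUTPUT = """lastUpdate=Dec  7 18:20:46 2004 GMT
nextUpdate=Jan  6 18:20:46 2005 GMT
"""

def parse_crl_dates(text):
    """Parse the lastUpdate=/nextUpdate= lines into naive UTC datetimes."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            clean = " ".join(value.replace("GMT", "").split())  # collapse openssl's day padding
            dates[key] = datetime.strptime(clean, OPENSSL_DATE)
    return dates

def read_crl_dates(path):
    """Run openssl on a PEM CRL file and parse its validity window."""
    proc = subprocess.run(["openssl", "crl", "-in", path, "-noout", "-lastupdate", "-nextupdate"],
                          check=True, capture_output=True, text=True)
    return parse_crl_dates(proc.stdout)

def crl_window_days(dates):
    """Length of the CRL validity window; 30 means openssl's -crldays default was used."""
    return (dates["nextUpdate"] - dates["lastUpdate"]).days

def crl_status(dates, now):
    """Return (days_left, overdue); `now` is a naive UTC datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return (dates["nextUpdate"] - now).days, now >= dates["nextUpdate"]

def regen_command(swroot="/var/ipcop", crldays=365):
    """The vpnmain.cgi invocation plus the -crldays IPCop omits (swroot path is an assumption)."""
    return ["/usr/bin/openssl", "ca", "-gencrl", "-crldays", str(crldays),
            "-out", f"{swroot}/crls/cacrl.pem"]

if __name__ == "__main__":
    dates = read_crl_dates(sys.argv[1] if len(sys.argv) > 1 else "cacrl.pem")
    days_left, overdue = crl_status(dates, datetime.now(timezone.utc).replace(tzinfo=None))
    print(f"CRL window {crl_window_days(dates)} days; {days_left} days left; overdue={overdue}")
    if overdue:
        print("Regenerate on the IPCop box with:", " ".join(regen_command()))
```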

It doesn't work, how do I switch on more logging?

You can do a number of things:

- Increase OpenSWAN logging on IPCop

- Increase Firewall logging

- Increase L2TPD debugging

- Switch on logging on Windows

- Use trace tools

- IPSec commands

Increase OpenSWAN logging on IPCop

Edit the /var/ipcop/ipsec.conf file and change:





Win2k client uses 100% cpu when using X509 Certificates

If your Windows 2000 clients connect to another IPSec machine using X.509 certificates and you find that, as soon as the IPSec Policy Agent service starts, the CPU jumps to 100% and the Windows machine becomes unusable, you have probably hit this bug. The solution is to uninstall third-party VPN clients or apply a hotfix.

My Win2k/XP Client hangs when connecting with X509

Have you started the 'IPSec Policy Agent'? This service passes the X.509 certificates to the IPSec connection. Before starting it (if it is not already running), check that you don't have any third-party VPN clients installed. (See the next question.)

Do I have to authorise via ppp's chap/pap secrets?

No, you can get ppp to talk to a RADIUS server. A RADIUS server can use local passwords, Samba, LDAP and many others. Instructions on getting IPCop to use this are in the Wiki.

What's this 17/1701 rubbish?

This tells ipsec, via the ipsec.conf file, that the connection uses protocol 17 (UDP) and port 1701 (L2TP). Older versions of Windows strangely use 17/0; this was probably a bug, as they all now use 17/1701. Therefore, if you are having problems building the ipsec tunnel before it even connects to the L2TPD daemon, check that you have the lines:



in your ipsec.conf file.

I connect to my ISP using PPP will this solution work?

No. The problem is that this solution removes the ip-up/ip-down scripts used by IPCop to rebuild the RED interface with the ISP PPP connection. This is a lot of code and I can't test any of it. Feel free to investigate. It is probably possible to run the ip-up/ip-down for ISP PPP related stuff and drop out of these scripts before they do anything if the PPP connection is an L2TP roadwarrior connection.

How about an Addon and/or GUI?

I'm currently not developing either but other people are. Once someone releases something I'll let you know. You can try out the Beta Addon for Addon Server, but this still does not have a GUI.

