My CA cert and CRL are in place, as is the cert for the remote host and
my client host. This error is on the client host. I am able
to connect with my Windows client's L2TP/IPsec connection and should
just be able to get an IPsec-only connection using openswan,
correct? I was following the guide at
http://www.natecarlson.com/linux/ipsec-x509.php#clientopenswan
From what I've seen of this error message, this seems like a certificate error.

ERROR MSG:
[root@creepingdeath]# ipsec auto --up roadwarrior
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
003 "roadwarrior" #1: ignoring unknown Vendor ID payload [4f457a7d4646466667725f65]
003 "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]
003 "roadwarrior" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "roadwarrior" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "roadwarrior" #1: received and ignored informational message
003 "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "roadwarrior" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "roadwarrior" #1: received and ignored informational message
003 "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "roadwarrior" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "roadwarrior" #1: received and ignored informational message

IPSEC.CONF
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    klipsdebug=all
    plutodebug=all

conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=192.168.8.0/255.255.255.0
    also=roadwarrior

conn roadwarrior
    left=remotehost.dyndns.org
    leftcert=remotehost.pem
    right=%defaultroute
    rightcert=clienthost.pem
    auto=add
    pfs=yes

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

IPSEC.SECRETS
: RSA clienthost.key "mysecret"
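As an added example (not code from the poster, from openswan, or from the linked guide), the following Python linter reads an openswan-style ipsec.conf, resolves `also=` chains against `conn %default`, and reports structural mistakes that a peer's INVALID_KEY_INFORMATION notify will never explain: unknown keywords, values that still contain an `=` (typical of a mail-mangled line such as the posted `left=subnet=...`), `also=` targets that do not exist, and cert-authenticated conns (`authby=rsasig` with `%cert`) that lack a `leftcert`/`rightcert`. The keyword list is a hand-written partial set and is an assumption of this example; the embedded sample config is a constructed copy of the posted one, deliberately keeping the `left=subnet=` line as it appeared in the mail. It checks configuration structure only, not whether the certificates actually verify against the CA and CRL.

```python
"""Minimal ipsec.conf structure linter (added example, not openswan code)."""
import re

# Partial set of openswan conn keywords; an assumption for this example.
KNOWN_CONN_KEYS = {
    "left", "leftsubnet", "leftcert", "leftrsasigkey", "leftid", "leftnexthop",
    "right", "rightsubnet", "rightcert", "rightrsasigkey", "rightid", "rightnexthop",
    "auto", "pfs", "authby", "keyingtries", "compress", "also", "type", "ike",
    "esp", "keyexchange", "dpddelay", "dpdtimeout", "dpdaction",
}

# Constructed sample: the posted config, including its mangled left=subnet= line.
SAMPLE = """\
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes

conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    left=subnet=192.168.8.0/255.255.255.0
    also=roadwarrior

conn roadwarrior
    left=remotehost.dyndns.org
    leftcert=remotehost.pem
    right=%defaultroute
    rightcert=clienthost.pem
    auto=add
    pfs=yes

conn block
    auto=ignore

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
"""


def parse_ipsec_conf(text):
    """Return (setup, conns): setup is the 'config setup' dict, conns maps
    conn name -> {key: value}. Comments, 'version' and 'include' are skipped;
    indentation is not required so mail-flattened configs still parse."""
    setup, conns = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("version", "include")):
            continue
        header = re.match(r"^(config|conn)\s+(\S+)$", line)
        if header:
            kind, name = header.groups()
            current = setup if kind == "config" else conns.setdefault(name, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return setup, conns


def resolve(conns, name, seen=()):
    """Effective settings of conn 'name': %default, then the also= target
    (recursively), then the conn's own keys. Raises KeyError for a missing
    also= target and ValueError for an also= loop."""
    if name in seen:
        raise ValueError("also= loop at " + name)
    own = dict(conns[name])
    base = own.pop("also", None)
    merged = dict(conns.get("%default", {}))
    if base is not None:
        if base not in conns:
            raise KeyError(base)
        merged.update(resolve(conns, base, seen + (name,)))
    merged.update(own)
    return merged


def lint(text):
    """Return a list of human-readable findings for the config text."""
    _setup, conns = parse_ipsec_conf(text)
    findings = []
    for name, kv in conns.items():
        for key, value in kv.items():
            if key not in KNOWN_CONN_KEYS:
                findings.append(f"{name}: unknown keyword '{key}'")
            elif "=" in value:
                findings.append(
                    f"{name}: value of '{key}' contains '=' ({value!r}); mangled line?")
        if name == "%default":
            continue
        try:
            eff = resolve(conns, name)
        except KeyError as e:
            findings.append(f"{name}: also= refers to missing conn {e.args[0]}")
            continue
        if eff.get("auto", "ignore") == "ignore":
            continue  # never loaded, so cert requirements do not apply
        if eff.get("authby") == "rsasig":
            for side in ("left", "right"):
                if eff.get(side + "rsasigkey") == "%cert" and side + "cert" not in eff:
                    findings.append(f"{name}: {side}rsasigkey=%cert but no {side}cert")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run against the sample it reports only the mangled `left=` value in `roadwarrior-net`; the `roadwarrior` conn itself resolves cleanly with both certs present, which is consistent with the posted problem being on the certificate side rather than in the conn layout.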