<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; "><DIV><SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><DIV>Hello all, </DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I'm lloking for a VPN solution as:</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Client (MacosX or linux) <===VPN thought internet ===> FW <===> VPNServer <===> LAN </DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>my Client have a fixed address (for now)</DIV><D
IV>my firewall is configured with iptables thought fwbuilder</DIV><DIV>yhe firewall internal ip is 10.91.130.2/24 and is the default route.</DIV><DIV>the VPNServer is at 10.91.130.61/24</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I've tried several times to make it works but i'm still unsuccessfull. I'm sure I've made big mistake as I'm no VPN expert.</DIV><DIV>Can someone help me to make it work?</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>thanks in advance.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>here is my ipsec.conf and included files:</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>config setup</DIV><DIV> nat_traversal=yes</DIV><DIV> plutowait=yes</DIV><DIV> nhelpers=0</DIV><DIV> dumpdir=/tmp</DIV><DIV>include /etc/ipsec.d/examples/no_oe.conf</DIV><DIV>
include /etc/ipsec.d/eos.conf</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>eos.conf:</DIV><DIV>conn L2TP-PSK</DIV><DIV> #</DIV><DIV> type=transport</DIV><DIV> authby=secret</DIV><DIV> pfs=no</DIV><DIV> keyingtries=3</DIV><DIV> left=%defaultroute</DIV><DIV> leftprotoport=17/%any</DIV><DIV> right=IPFIXE</DIV><DIV> rightprotoport=17/%any</DIV><DIV> auto=add</DIV><DIV> leftsubnet=10.91.130.0/24</DIV><DIV> leftnexthop=%defaultroute</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV>here are the logs:<BR class="Apple-interchange-newline"></SPAN> </DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: packet from IPFIXE:500: received Vendor ID payload [RFC 3947] method set to=110 </DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: packet from IPFIXE:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
meth=109, but already using method 110</DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: packet from IPFIXE:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110</DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: packet from IPFIXE:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110</DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: responding to Main Mode</DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1</DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R1: sent MR1, expecting MI2</DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: ignoring Vendor ID payload [KAME/racoon]</DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: NAT-Traversal: Result using 3: i am NATed</DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from state STATE_MAIN_R1 to state STAT
E_MAIN_R2</DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R2: sent MR2, expecting MI3</DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: Main mode peer ID is ID_IPV4_ADDR: 'IPFIXE'</DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: I did not send a certificate because I do not have one.</DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3</DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: | NAT-T: new mapping IPFIXE:500/4500)</DIV><DIV>Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: responding to Quick Mode {msgid:99321c1d}</DIV><DIV>Apr 18 18:04:17 Zpro pluto
[11600]: "L2TP-PSK" #2: ASSERTION FAILED at kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: interface lo/lo 127.0.0.1</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: interface lo/lo 127.0.0.1</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: interface eth0/eth0 10.91.130.61</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: interface eth0/eth0 10.91.130.61</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: %myid = (none)</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: debug none</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: </DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192</DIV><DIV>Apr 18 18:04:
17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizem
in=160, keysizemax=160</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: </DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE dh group: id=2, name=OAKLEY_GROUP
_MODP1024, bits=1024</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: </DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,
0} attrs={0,0,0} </DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: </DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: "L2TP-PSK": 10.91.130.0/24===10.91.130.61:17/%any---10.91.130.2...IPFIXE:17/49199; unrouted; eroute owner: #0</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: "L2TP-PSK": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: "L2TP-PSK": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: "L2TP-PSK": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,24; interface: eth0; </DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: "L2TP-PSK": newest ISAKMP SA: #1; newest IPsec SA: #0; </DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: "L2TP-PSK": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L
2TP-PSK" #2: </DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: #2: "L2TP-PSK":4500 STATE_QUICK_R0 (expecting QI1); EVENT_SO_DISCARD in 0s; nodpd</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: #1: "L2TP-PSK":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3599s; newest ISAKMP; nodpd</DIV><DIV>Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: </DIV><DIV>Apr 18 18:04:17 Zpro ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 217: 11600 Aborted (core dumped) /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --nhelpers 0</DIV><DIV>Apr 18 18:04:17 Zpro ipsec__plutorun: !pluto failure!: exited with error status 134 (signal 6)</DIV><DIV>Apr 18 18:04:17 Zpro ipsec__plutorun: restarting IPsec after pause...</DIV><BR>
!DSPAM:4626438450701748911108!
</BODY></HTML>