<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Jacco -</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">I made some progress based on your suggestion, but I'm not completely there.</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Here's the new ipsec.conf</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"># basic configuration<BR>config setup<BR> # plutodebug / klipsdebug = "all", "none" or a combination from below:<BR> # "raw crypt parsing emitting control klips pfkey natt x509 private"<BR> # eg:<BR> # plutodebug="control parsing"<BR> #<BR> # Only enable klipsdebug=all if you are a developer<BR> #<BR> # NAT-TRAVERSAL support, see README.NAT-Traversal<BR> nat_traversal=yes<BR>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.23.0/24<BR> interfaces=%defaultroute<BR> klipsdebug=none<BR> plutodebug=all</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"># Add connections here<BR>conn DIR130-JON<BR> # Left security gateway, subnet behind it, nexthop toward right.<BR> #left=66.27.a.b<BR> <STRONG>left=192.168.23.23</STRONG><BR> leftsubnet=192.168.23.0/24<BR> #leftnexthop=24.25.c.d<BR> <STRONG>leftnexthop=66.27.a.b</STRONG><BR> # Right security gateway, subnet behind it, nexthop toward left.<BR> right=66.27.f.g<BR> rightsubnet=192.168.99.0/24<BR>
#rightnexthop=66.27.e.1<BR> keyexchange=ike<BR> ikelifetime=480m<BR> keylife=3600s<BR> pfs=yes<BR> compress=no<BR> authby=secret<BR> keyingtries=0<BR> auto=start</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Here's "ipsec auto --status"</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} <BR>000 <BR>000 "DIR130-JON": 192.168.23.0/24===192.168.23.23---66.27.82.147...66.27.113.46===192.168.99.0/24; prospective erouted; eroute owner: #0<BR>000 "DIR130-JON": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<BR>000 "DIR130-JON": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<BR>000 "DIR130-JON": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; <BR>000 "DIR130-JON": newest ISAKMP SA: #0; newest IPsec SA: #0; <BR>000 <BR>000 #1: "DIR130-JON":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; lastdpd=-1s(seq in:0 out:0)<BR>000 #1: pending Phase 2 for "DIR130-JON" replacing #0<BR>000<BR></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">You can see that it made it through Phase 1, but it's choking on Phase 2.</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Here's auth.log output:</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> started looking for secret for 192.168.23.23->66.27.f.g of kind PPK_PSK<BR>Apr 7 10:57:19 localhost pluto[23888]: | actually looking for secret for 192.168.23.23->66.27.f.g of kind PPK_PSK<BR>Apr 7 10:57:19 localhost pluto[23888]: | 1: compared PSK 66.27.f.g to 192.168.23.23 / 66.27.f.g -> 2<BR>Apr 7 10:57:19 localhost pluto[23888]: | 2: compared PSK 66.27.a.b to 192.168.23.23 / 66.27.f.g -> 2<BR>Apr 7 10:57:19 localhost pluto[23888]: | concluding with best_match=0 best=(nil) (lineno=-1)<BR>Apr 7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: Can't authenticate: no preshared key found for `192.168.23.23' and `66.27.f.g'. Attribute OAKLEY_AUTHENTICATION_METHOD<BR>Apr 7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: no acceptable Oakley Transform<BR>Apr 7 10:57:19 localhost pluto[23888]: | complete state
transition with (null)<BR>Apr 7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: sending notification NO_PROPOSAL_CHOSEN to 66.27.113.46:500<BR>Apr 7 10:57:19 localhost pluto[23888]: | **emit ISAKMP Message:<BR>Apr 7 10:57:19 localhost pluto[23888]: | initiator cookie:<BR>Apr 7 10:57:19 localhost pluto[23888]: | 0c c5 00 e5 e4 aa 6c ff<BR>Apr 7 10:57:19 localhost pluto[23888]: | responder cookie:<BR>Apr 7 10:57:19 localhost pluto[23888]: | 00 00 00 00 00 00 00 00<BR>Apr 7 10:57:19 localhost pluto[23888]: | next payload type: ISAKMP_NEXT_N<BR>Apr 7 10:57:19 localhost pluto[23888]: | ISAKMP version: ISAKMP Version 1.0<BR>Apr 7 10:57:19 localhost pluto[23888]: | exchange type: ISAKMP_XCHG_INFO<BR>Apr 7 10:57:19 localhost pluto[23888]: | flags:
none<BR>Apr 7 10:57:19 localhost pluto[23888]: | message ID: 00 00 00 00<BR>Apr 7 10:57:19 localhost pluto[23888]: | ***emit ISAKMP Notification Payload:<BR>Apr 7 10:57:19 localhost pluto[23888]: | next payload type: ISAKMP_NEXT_NONE<BR>Apr 7 10:57:19 localhost pluto[23888]: | DOI: ISAKMP_DOI_IPSEC<BR>Apr 7 10:57:19 localhost pluto[23888]: | protocol ID: 1<BR>Apr 7 10:57:19 localhost pluto[23888]: | SPI size: 0<BR>Apr 7 10:57:19 localhost pluto[23888]: | Notify Message Type: NO_PROPOSAL_CHOSEN<BR>Apr 7 10:57:19 localhost pluto[23888]: | emitting length of ISAKMP Notification Payload: 12<BR>Apr 7 10:57:19 localhost pluto[23888]: | emitting length of ISAKMP Message: 40<BR>Apr 7 10:57:19 localhost pluto[23888]: | sending 40 bytes for notification packet through eth0:500 to
66.27.f.g:500:<BR>Apr 7 10:57:19 localhost pluto[23888]: | 0c c5 00 e5 e4 aa 6c ff 00 00 00 00 00 00 00 00<BR>Apr 7 10:57:19 localhost pluto[23888]: | 0b 10 05 00 00 00 00 00 00 00 00 28 00 00 00 0c<BR>Apr 7 10:57:19 localhost pluto[23888]: | 00 00 00 01 01 00 00 0e<BR>Apr 7 10:57:19 localhost pluto[23888]: | state transition function for STATE_MAIN_I1 failed: NO_PROPOSAL_CHOSEN<BR>Apr 7 10:57:19 localhost pluto[23888]: | next event EVENT_PENDING_PHASE2 in 103 seconds<BR></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Not sure what's happening here... something about the authentication. Any ideas?</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">thx</DIV>
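<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">The "compared PSK ... -> 2" / "best_match=0" lines above are pluto walking the ID lists in ipsec.secrets against the pair (my_id, his_id) it now uses, which is 192.168.23.23 / 66.27.f.g since left= was changed. The following is an added illustration of that selection logic, not Openswan code or anything from this thread; the bit values (default=1, him=2, me=4), the acceptance rule for PSKs and the sample secrets file are assumptions constructed to reproduce the logged result.</DIV>

```python
"""Model of pluto-style preshared-key selection from ipsec.secrets (added example,
not Openswan source).  Assumed match bits: default=1, remote ID=2, local ID=4."""
import re

MATCH_DEFAULT, MATCH_HIM, MATCH_ME = 1, 2, 4

# 'id id ... : PSK "key"'; an empty ID list before the colon is a default entry.
SECRET_RE = re.compile(r'^\s*(?P<ids>[^:]*):\s*PSK\s+"(?P<key>[^"]*)"\s*$')


def parse_secrets(text: str) -> list[tuple[list[str], str]]:
    """Return (id_list, key) for every PSK line, ignoring comments and other kinds."""
    entries = []
    for line in text.splitlines():
        m = SECRET_RE.match(line.split("#", 1)[0])
        if m:
            entries.append((m.group("ids").split(), m.group("key")))
    return entries


def compare(ids: list[str], my_id: str, his_id: str) -> int:
    """Bitmask of which peer(s) an entry's ID list names (the '-> N' in the log)."""
    if not ids:
        return MATCH_DEFAULT
    match = 0
    for ident in ids:
        if ident == my_id:
            match |= MATCH_ME
        if ident == his_id:
            match |= MATCH_HIM
    return match


def lookup_psk(text: str, my_id: str, his_id: str):
    """Pick the most specific entry covering both peers; an entry naming only the
    remote side (match 2) is not acceptable for a PSK, so best_match stays 0."""
    best, best_match = None, 0
    for ids, key in parse_secrets(text):
        match = compare(ids, my_id, his_id)
        if match in (MATCH_ME | MATCH_HIM, MATCH_DEFAULT) and match > best_match:
            best, best_match = key, match
    return best


# Constructed secrets file: the entry is keyed on the old left= address, so with
# my_id now 192.168.23.23 only the remote ID matches (-> 2) and no key is found.
OLD_SECRETS = '66.27.f.g 66.27.a.b : PSK "constructed-example-key"'
print(compare(["66.27.f.g", "66.27.a.b"], "192.168.23.23", "66.27.f.g"))  # 2
print(lookup_psk(OLD_SECRETS, "192.168.23.23", "66.27.f.g"))  # None
```

Re-keying the entry on 192.168.23.23 (or adding a default `: PSK` line) makes the same lookup succeed, which is what the "no preshared key found for `192.168.23.23' and `66.27.f.g'" message is reporting.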
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">----- Original Message ----<BR>From: Jacco de Leeuw <jacco2@dds.nl><BR>To: users@openswan.org<BR>Sent: Monday, April 7, 2008 10:47:22 AM<BR>Subject: Re: [Openswan Users] L2TP response unencrypted<BR><BR>Peter Laczko wrote:<BR><BR>> At the bottom of the message I pasted the log. It shows the starting of<BR>> openswan, a connection attempt, and eventually the time-out and<BR>> disconnection from the client side.<BR><BR>Does the problem also occur with Openswan 2.4.12?<BR><BR>> What is an 'ipsec barf'?<BR><BR>man ipsec_barf<BR><BR>In short, it dumps everything except for the key material to a text file<BR>for further inspection. E.g. run 'ipsec barf > output.txt'<BR><BR>Jacco<BR>-- <BR>Jacco de Leeuw mailto:<A href="mailto:jacco2@dds.nl"
ymailto="mailto:jacco2@dds.nl">jacco2@dds.nl</A><BR>Zaandam, The Netherlands <A href="http://www.jacco2.dds.nl/" target=_blank>http://www.jacco2.dds.nl</A><BR></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><BR></DIV></div><br>
</body></html>