<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16640" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=828155423-22052008><FONT face=Arial
size=2>HELP!!!!!</FONT></SPAN></DIV>
<DIV><SPAN class=828155423-22052008></SPAN> </DIV>
<DIV><SPAN class=828155423-22052008><FONT face=Arial size=2>The client is on a
public IP, not natted (I removed the nat configuration for
testing)</FONT></SPAN></DIV>
<DIV><SPAN class=828155423-22052008><FONT face=Arial size=2>The server is on a
public IP, but also has associated with it lots of internal machines/private
subnet.</FONT></SPAN></DIV>
<DIV><SPAN class=828155423-22052008><FONT face=Arial size=2>laptopd is the
direct connect configuration, and I have laptopn which is the natted one, just
so I can tinker/test with this.</FONT></SPAN></DIV>
<DIV><SPAN class=828155423-22052008><FONT face=Arial size=2>AS WELL I have 5-6
working VPN connections with a client Cisco box with no problems at
all.</FONT></SPAN></DIV>
<DIV><SPAN class=828155423-22052008><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=828155423-22052008><FONT face=Arial size=2>The configuration file
is as follows:</FONT></SPAN></DIV>
<DIV><SPAN class=828155423-22052008><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><PRE>
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        #klipsdebug=all
        #plutodebug=all
        nat_traversal=yes
        virtual_private="%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!192.168.124.0/24"

conn laptopd
        auth=esp
        authby=secret
        pfs=no
        left=%defaultroute
        leftprotoport=17/1701
        leftupdown=/usr/lib/ipsec/_updownnoroute
        right=%any
        rightprotoport=17/%any
        rightupdown=/usr/lib/ipsec/_updownnoroute
        auto=add
</PRE></DIV>
<DIV><SPAN class=828155423-22052008><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=828155423-22052008><FONT face=Arial size=2>SOMEHOW we end up in
a funky rekeying situation, and I have not been able to capture packets/logs yet
from the Windows end, but I may try that soon. The problem is that the machines are
quite a distance apart right now, so it is hard to debug/work on this too
much.</FONT></SPAN></DIV>
<DIV><SPAN class=828155423-22052008><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=828155423-22052008><FONT face=Arial size=2>My Openswan logs
show the following, and I just noticed that the first #1 main mode got modp2048,
while #3 main mode got modp1024, interesting. </FONT></SPAN></DIV>
<DIV><SPAN class=828155423-22052008><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=828155423-22052008><FONT face=Arial size=2>May 21 09:47:36
firewall pluto[15606]: packet from 74.210.20.96:500: ignoring Vendor ID payload
[MS NT5 ISAKMPOAKLEY 00000004]<BR>May 21 09:47:36 firewall pluto[15606]: packet
from 74.210.20.96:500: ignoring Vendor ID payload [FRAGMENTATION]<BR>May 21
09:47:36 firewall pluto[15606]: packet from 74.210.20.96:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106<BR>May 21 09:47:36
firewall pluto[15606]: packet from 74.210.20.96:500: ignoring Vendor ID payload
[Vid-Initial-Contact]<BR>May 21 09:47:36 firewall pluto[15606]: "laptopn"[1]
74.210.20.96 #1: responding to Main Mode from unknown peer 74.210.20.96<BR>May
21 09:47:36 firewall pluto[15606]: "laptopn"[1] 74.210.20.96 #1: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1<BR>May 21 09:47:36 firewall
pluto[15606]: "laptopn"[1] 74.210.20.96 #1: STATE_MAIN_R1: sent MR1, expecting
MI2<BR>May 21 09:47:37 firewall pluto[15606]: "laptopn"[1] 74.210.20.96 #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected<BR>May 21 09:47:37 firewall pluto[15606]: "laptopn"[1] 74.210.20.96 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<BR>May 21 09:47:37
firewall pluto[15606]: "laptopn"[1] 74.210.20.96 #1: STATE_MAIN_R2: sent MR2,
expecting MI3<BR>May 21 09:47:37 firewall pluto[15606]: "laptopn"[1]
74.210.20.96 #1: Main mode peer ID is ID_IPV4_ADDR: '74.210.20.96'<BR>May 21
09:47:37 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #1: deleting
connection "laptopn" instance with peer 74.210.20.96 {isakmp=#0/ipsec=#0}<BR>May
21 09:47:37 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #1: I did not send
a certificate because I do not have one.<BR>May 21 09:47:37 firewall
pluto[15606]: "laptopd"[1] 74.210.20.96 #1: transition from state STATE_MAIN_R2
to state STATE_MAIN_R3<BR>May 21 09:47:37 firewall pluto[15606]: "laptopd"[1]
74.210.20.96 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp20<BR>May 21 09:47:37 firewall pluto[15606]: "laptopd"[1] 74.210.20.96
#2: responding to Quick Mode {msgid:87418ca6}<BR>May 21 09:47:37 firewall
pluto[15606]: "laptopd"[1] 74.210.20.96 #2: transition from state STATE_QUICK_R0
to state STATE_QUICK_R1<BR>May 21 09:47:37 firewall pluto[15606]: "laptopd"[1]
74.210.20.96 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting
QI2<BR>May 21 09:47:38 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<BR>May 21 09:47:38
firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #2: STATE_QUICK_R2: IPsec SA
established {ESP=>0x222e4dfb <0x97a8cc19 xfrm=3DES_0-HMAC_MD5 NATD=none
DPD=none}<BR>May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96
#3: initiating Main Mode to replace #1<BR>May 21 10:43:07 firewall pluto[15606]:
"laptopd"[1] 74.210.20.96 #3: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000004]<BR>May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96
#3: ignoring Vendor ID payload [FRAGMENTATION]<BR>May 21 10:43:07 firewall
pluto[15606]: "laptopd"[1] 74.210.20.96 #3: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106<BR>May 21 10:43:07 firewall
pluto[15606]: "laptopd"[1] 74.210.20.96 #3: enabling possible NAT-traversal with
method RFC 3947 (NAT-Traversal)<BR>May 21 10:43:07 firewall pluto[15606]:
"laptopd"[1] 74.210.20.96 #3: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2<BR>May 21 10:43:07 firewall pluto[15606]: "laptopd"[1]
74.210.20.96 #3: STATE_MAIN_I2: sent MI2, expecting MR2<BR>May 21 10:43:07
firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: I did not send a
certificate because I do not have one.<BR>May 21 10:43:07 firewall pluto[15606]:
"laptopd"[1] 74.210.20.96 #3: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected<BR>May 21 10:43:07 firewall
pluto[15606]: "laptopd"[1] 74.210.20.96 #3: transition from state STATE_MAIN_I2
to state STATE_MAIN_I3<BR>May 21 10:43:07 firewall pluto[15606]: "laptopd"[1]
74.210.20.96 #3: STATE_MAIN_I3: sent MI3, expecting MR3<BR>May 21 10:43:07
firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: Main mode peer ID is
ID_IPV4_ADDR: '74.210.20.96'<BR>May 21 10:43:07 firewall pluto[15606]:
"laptopd"[1] 74.210.20.96 #3: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4<BR>May 21 10:43:07 firewall pluto[15606]: "laptopd"[1]
74.210.20.96 #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}<BR>May 21 10:43:08
firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #4: initiating Quick Mode
PSK+ENCRYPT+TUNNEL to replace #2 {using isakmp#3}<BR>May 21 10:43:08 firewall
pluto[15606]: "laptopd"[1] 74.210.20.96 #3: ignoring informational payload, type
INVALID_ID_INFORMATION<BR>May 21 10:43:08 firewall pluto[15606]: "laptopd"[1]
74.210.20.96 #3: received and ignored informational message<BR>May 21 10:44:18
firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #4: max number of
retransmissions (2) reached STATE_QUICK_I1<BR>May 21 10:44:18 firewall
pluto[15606]: "laptopd"[1] 74.210.20.96 #4: starting keying attempt 2 of an
unlimited number<BR>May 21 10:44:18 firewall pluto[15606]: "laptopd"[1]
74.210.20.96 #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #4 {using
isakmp#3}<BR>May 21 10:44:18 firewall pluto[15606]: "laptopd"[1] 74.210.20.96
#3: ignoring informational payload, type INVALID_ID_INFORMATION<BR>May 21
10:44:18 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: received and
ignored informational message<BR>May 21 10:45:28 firewall pluto[15606]:
"laptopd"[1] 74.210.20.96 #5: max number of retransmissions (2) reached
STATE_QUICK_I1<BR>May 21 10:45:28 firewall pluto[15606]: "laptopd"[1]
74.210.20.96 #5: starting keying attempt 3 of an unlimited number<BR>May 21
10:45:28 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #6: initiating Quick
Mode PSK+ENCRYPT+TUNNEL to replace #5 {using isakmp#3}<BR>May 21 10:45:28
firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: ignoring informational
payload, type INVALID_ID_INFORMATION<BR>May 21 10:45:28 firewall pluto[15606]:
"laptopd"[1] 74.210.20.96 #3: received and ignored informational message<BR>May
21 10:46:14 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #7: responding to
Quick Mode {msgid:38485bd0}<BR>May 21 10:46:14 firewall pluto[15606]:
"laptopd"[1] 74.210.20.96 #7: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1<BR>May 21 10:46:14 firewall pluto[15606]: "laptopd"[1]
74.210.20.96 #7: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting
QI2<BR>May 21 10:46:14 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #7:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<BR>May 21 10:46:14
firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #7: STATE_QUICK_R2: IPsec SA
established {ESP=>0x30e532c3 <0x144d7c04 xfrm=3DES_0-HMAC_MD5 NATD=none
DPD=none}<BR>May 21 10:46:14 firewall pluto[15606]: "laptopd"[1] 74.210.20.96
#1: received Delete SA(0x222e4dfb) payload: deleting IPSEC State #2<BR>May 21
10:46:14 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #1: received and
ignored informational message<BR>May 21 10:46:38 firewall pluto[15606]:
"laptopd"[1] 74.210.20.96 #6: max number of retransmissions (2) reached
STATE_QUICK_I1<BR>May 21 10:46:38 firewall pluto[15606]: "laptopd"[1]
74.210.20.96 #6: starting keying attempt 4 of an unlimited
number<BR></FONT></SPAN></DIV></BODY></HTML>
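As an added example (not part of the original message and not Openswan's own tooling), a small Python checker that walks pluto log lines like the ones quoted above and flags the two things the post points at: the replacement ISAKMP SA (#3) landing on a different DH group than the SA it replaced (#1), and initiator Quick Mode attempts that exhaust their retransmissions while the peer keeps answering the parent ISAKMP SA with INVALID_ID_INFORMATION. The embedded sample lines are constructed from the post's log (not a verbatim copy); the function and regex names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto lines quoted in the post (not a verbatim copy).
SAMPLE_LOG = """\
May 21 09:47:37 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: initiating Main Mode to replace #1
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May 21 10:43:08 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #2 {using isakmp#3}
May 21 10:43:08 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: ignoring informational payload, type INVALID_ID_INFORMATION
May 21 10:44:18 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #4: max number of retransmissions (2) reached STATE_QUICK_I1
May 21 10:46:14 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #7: STATE_QUICK_R2: IPsec SA established {ESP=>0x30e532c3 <0x144d7c04 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
"""

# One pluto line: ... pluto[pid]: "conn"[instance] peer #state: message
LINE_RE = re.compile(r'pluto\[\d+\]: "[^"]+"\[\d+\] \S+ #(?P<st>\d+): (?P<msg>.*)$')
GROUP_RE = re.compile(r"ISAKMP SA established .*group=(?P<grp>modp\d+)")
REPLACE_RE = re.compile(r"initiating Main Mode to replace #(?P<old>\d+)")
QM_RE = re.compile(r"initiating Quick Mode .*\{using isakmp#(?P<ike>\d+)\}")


def analyse_rekeys(log_text):
    """Report the two symptoms visible in the post: a replacement ISAKMP SA that
    negotiated a different DH group than the SA it replaces, and initiator Quick
    Modes that exhausted retransmissions while the peer answered the parent ISAKMP
    SA with INVALID_ID_INFORMATION."""
    dh_group, replaces, qm_parent = {}, {}, {}   # keyed by pluto state number
    invalid_id = defaultdict(int)                # ISAKMP state# -> notify count
    group_changes, failed_qm = [], []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:                                 # lines without a state number
            continue
        st, msg = int(m["st"]), m["msg"]
        if g := GROUP_RE.search(msg):
            dh_group[st] = g["grp"]
            old = replaces.get(st)
            if old in dh_group and dh_group[old] != g["grp"]:
                group_changes.append((old, dh_group[old], st, g["grp"]))
        elif r := REPLACE_RE.search(msg):
            replaces[st] = int(r["old"])
        elif q := QM_RE.search(msg):
            qm_parent[st] = int(q["ike"])
        elif "INVALID_ID_INFORMATION" in msg:
            invalid_id[st] += 1
        elif "max number of retransmissions" in msg and st in qm_parent:
            # (quick mode state#, parent ISAKMP state#, INVALID_ID notifies seen on it)
            failed_qm.append((st, qm_parent[st], invalid_id[qm_parent[st]]))
    return {"group_changes": group_changes, "failed_quick_modes": failed_qm}
```

Run it over a full /var/log/secure or auth.log from the responder; a non-empty `failed_quick_modes` list whose third element keeps climbing is the rekey loop the post describes.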