<div>I'm trying to set up Openswan with certificates and xl2tpd. Both server and client are behind a NAT device.</div><div>I followed Jacco's procedure at <a href="http://www.jacco2.dds.nl/networking/openswan-l2tp.html#serverNATed">http://www.jacco2.dds.nl/networking/openswan-l2tp.html#serverNATed</a></div>
<div><br></div><div>The server is Gentoo with 2.6.36 kernel, Openswan 2.4.15, xl2tpd 1.2.7</div><div>The client is MacOS 10.6 native (therefore rightprotoport=17/0).</div><div><br></div><div>So far, my PSK setup works like a charm, but L2TP-X509 doesn't.</div>
<div><br></div><div>I tried several variants regarding subnet and nexthop, but with no luck. The certificates seem to be okay, although I admit not to be an expert on this topic. ;-)</div><div>I usually disable the PSK stuff for testing to keep things clean. L2TP-PSK doesn't seem to work anyway as soon as L2TP-X509's config is in place. Once more: no idea why.</div>
<div><br></div><div>I appreciate any suggestions. Thanks a lot!</div><div><br></div><div>Here's my config:</div><div><br></div><div><br></div><pre>
                 NAT-        Internet       NAT-
Client --------- device =================== device -------------+-------- ... 192.168.178.0/24
192.168.178.27   /    \                     /    \              |
                /      \                   /    192.168.178.1   Openswan
       192.168.189.1/24  234.234.234.234  123.123.123.123       Server
                                                                192.168.178.253
</pre>
<div><br></div><div><br></div><div><br></div><div>/etc/ipsec/ipsec.conf</div><div><br></div><div>version 2.0</div><div>config setup</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>plutodebug="control natt"</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>nat_traversal=yes</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.178.0/24">10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.178.0/24</a></div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>nhelpers=0</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>interfaces=%defaultroute</div><div><br></div><div>#include ipsec-l2tp-psk.conf</div>
<div>include ipsec-l2tp-x509.conf</div><div>include /etc/ipsec/ipsec.d/examples/no_oe.conf</div><div><br></div><div><br></div><div><br></div><div>/etc/ipsec/ipsec-l2tp-psk.conf</div><div><br></div><div>conn L2TP-PSK</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>auto=add</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>authby=secret</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>pfs=no</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>keyingtries=3</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>rekey=no</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>left=%defaultroute</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>leftprotoport=17/1701</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>leftsubnet=<a href="http://192.168.178.0/24">192.168.178.0/24</a></div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>leftnexthop=%defaultroute</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>leftcert=vpn.host.linksrum.cert.pem</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>right=%any</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>rightprotoport=17/0</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>rightsubnet=vhost:%no,%priv</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>#rightsubnet=<a href="http://192.168.189.0/24">192.168.189.0/24</a></div>
<div><br></div><div><br></div><div><br></div><div>/etc/ipsec/ipsec-l2tp-psk.conf</div><div><br></div><div>conn L2TP-X509</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>auto=add</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>authby=rsasig</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>pfs=no</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>keyingtries=3</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>rekey=no</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>left=%defaultroute</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>#left=192.168.178.253</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>leftprotoport=17/1701</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>leftsubnet=<a href="http://192.168.178.0/24">192.168.178.0/24</a></div><div><span class="Apple-tab-span" style="white-space:pre">        </span>leftnexthop=%defaultroute</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>#leftnexthop=192.168.178.1</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>leftrsasigkey=%cert</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>leftcert=vpn.host.linksrum.cert.pem</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>right=%any</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>rightprotoport=17/0</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>rightsubnet=vhost:%no,%priv</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>#rightsubnet=<a href="http://192.168.189.0/24">192.168.189.0/24</a></div><div><span class="Apple-tab-span" style="white-space:pre">        </span>rightrsasigkey=%cert</div>
<div><br></div><div><br></div><div><br></div><div>/etc/ipsec/ipsec.secrets</div><div><br></div><div>#192.168.178.253 %any: PSK "mypresharedkey"</div><div>#C=DE,ST=Hamburg,L=Hamburg,O=linksrum,CN=vpn.host.linksrum,E=<a href="mailto:linksrum@gmail.com">linksrum@gmail.com</a> %any: PSK "mypresharedkey"</div>
<div>C=DE,ST=Hamburg,L=Hamburg,O=linksrum,CN=vpn.host.linksrum,E=<a href="mailto:linksrum@gmail.com">linksrum@gmail.com</a> %any: RSA vpn.host.linksrum.key.rsa "mysecret"</div><div>192.168.178.253 %any: RSA vpn.host.linksrum.key.rsa "mysecret"</div>
<div>: RSA vpn.host.linksrum.key.rsa "mysecret"</div><div><br></div><div><br></div><div><br></div><div>excerpt from /var/log/secure (connection attempt only):</div><div><br></div><div>2011-03-01T13:54:24.328347+01:00 linksrum pluto[22198]: | *received 300 bytes from 85.183.y.z:65463 on eth0 (port=500)</div>
<div>2011-03-01T13:54:24.328360+01:00 linksrum pluto[22198]: | processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)</div><div>2011-03-01T13:54:24.328372+01:00 linksrum pluto[22198]: packet from 85.183.y.z:65463: received Vendor ID payload [RFC 3947] method set to=109 </div>
<div>2011-03-01T13:54:24.328384+01:00 linksrum pluto[22198]: packet from 85.183.y.z:65463: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 </div><div>2011-03-01T13:54:24.328397+01:00 linksrum pluto[22198]: packet from 85.183.y.z:65463: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]</div>
<div>2011-03-01T13:54:24.328409+01:00 linksrum pluto[22198]: packet from 85.183.y.z:65463: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]</div><div>2011-03-01T13:54:24.328421+01:00 linksrum pluto[22198]: packet from 85.183.y.z:65463: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]</div>
<div>2011-03-01T13:54:24.328434+01:00 linksrum pluto[22198]: packet from 85.183.y.z:65463: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]</div><div>2011-03-01T13:54:24.328448+01:00 linksrum pluto[22198]: packet from 85.183.y.z:65463: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]</div>
<div>2011-03-01T13:54:24.328461+01:00 linksrum pluto[22198]: packet from 85.183.y.z:65463: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110</div><div>2011-03-01T13:54:24.328474+01:00 linksrum pluto[22198]: packet from 85.183.y.z:65463: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110</div>
<div>2011-03-01T13:54:24.328488+01:00 linksrum pluto[22198]: packet from 85.183.y.z:65463: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110</div><div>2011-03-01T13:54:24.328500+01:00 linksrum pluto[22198]: packet from 85.183.y.z:65463: received Vendor ID payload [Dead Peer Detection]</div>
<div>2011-03-01T13:54:24.328512+01:00 linksrum pluto[22198]: | nat-t detected, sending nat-t VID</div><div>2011-03-01T13:54:24.328523+01:00 linksrum pluto[22198]: | creating state object #2 at 0x8109878</div><div>2011-03-01T13:54:24.328534+01:00 linksrum pluto[22198]: | processing connection L2TP-X509[2] 85.183.y.z</div>
<div>2011-03-01T13:54:24.328546+01:00 linksrum pluto[22198]: | ICOOKIE: 1c d8 b4 97 4d cd 67 b0</div><div>2011-03-01T13:54:24.328556+01:00 linksrum pluto[22198]: | RCOOKIE: 3d e6 35 47 f9 f8 81 b1</div><div>2011-03-01T13:54:24.328566+01:00 linksrum pluto[22198]: | peer: 55 b7 07 0c</div>
<div>2011-03-01T13:54:24.328578+01:00 linksrum pluto[22198]: | state hash entry 1</div><div>2011-03-01T13:54:24.328589+01:00 linksrum pluto[22198]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2</div><div>
2011-03-01T13:54:24.328601+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: responding to Main Mode from unknown peer 85.183.y.z</div><div>2011-03-01T13:54:24.328612+01:00 linksrum pluto[22198]: | complete state transition with STF_OK</div>
<div>2011-03-01T13:54:24.328623+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1</div><div>2011-03-01T13:54:24.328635+01:00 linksrum pluto[22198]: | sending reply packet to 85.183.y.z:65463 (from port=500)</div>
<div>2011-03-01T13:54:24.328647+01:00 linksrum pluto[22198]: | sending 136 bytes for STATE_MAIN_R0 through eth0:500 to 85.183.y.z:65463:</div><div>2011-03-01T13:54:24.328659+01:00 linksrum pluto[22198]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2</div>
<div>2011-03-01T13:54:24.328671+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: STATE_MAIN_R1: sent MR1, expecting MI2</div><div>2011-03-01T13:54:24.328682+01:00 linksrum pluto[22198]: | modecfg pull: noquirk policy:push not-client</div>
<div>2011-03-01T13:54:24.328693+01:00 linksrum pluto[22198]: | phase 1 is done, looking for phase 1 to unpend</div><div>2011-03-01T13:54:24.328704+01:00 linksrum pluto[22198]: | next event EVENT_NAT_T_KEEPALIVE in 1 seconds</div>
<div>2011-03-01T13:54:24.402130+01:00 linksrum pluto[22198]: | </div><div>2011-03-01T13:54:24.402162+01:00 linksrum pluto[22198]: | *received 228 bytes from 85.183.y.z:65463 on eth0 (port=500)</div><div>2011-03-01T13:54:24.402183+01:00 linksrum pluto[22198]: | processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)</div>
<div>2011-03-01T13:54:24.402202+01:00 linksrum pluto[22198]: | ICOOKIE: 1c d8 b4 97 4d cd 67 b0</div><div>2011-03-01T13:54:24.402218+01:00 linksrum pluto[22198]: | RCOOKIE: 3d e6 35 47 f9 f8 81 b1</div><div>2011-03-01T13:54:24.402235+01:00 linksrum pluto[22198]: | peer: 55 b7 07 0c</div>
<div>2011-03-01T13:54:24.402250+01:00 linksrum pluto[22198]: | state hash entry 1</div><div>2011-03-01T13:54:24.402277+01:00 linksrum pluto[22198]: | peer and cookies match on #2, provided msgid 00000000 vs 00000000</div>
<div>2011-03-01T13:54:24.402287+01:00 linksrum pluto[22198]: | state object #2 found, in STATE_MAIN_R1</div><div>2011-03-01T13:54:24.402299+01:00 linksrum pluto[22198]: | processing connection L2TP-X509[2] 85.183.y.z</div>
<div>2011-03-01T13:54:24.402311+01:00 linksrum pluto[22198]: | _natd_hash: hasher=0x80ed480(20)</div><div>2011-03-01T13:54:24.402321+01:00 linksrum pluto[22198]: | _natd_hash: icookie=</div><div>2011-03-01T13:54:24.402331+01:00 linksrum pluto[22198]: | 1c d8 b4 97 4d cd 67 b0</div>
<div>2011-03-01T13:54:24.402342+01:00 linksrum pluto[22198]: | _natd_hash: rcookie=</div><div>2011-03-01T13:54:24.402353+01:00 linksrum pluto[22198]: | 3d e6 35 47 f9 f8 81 b1</div><div>2011-03-01T13:54:24.402364+01:00 linksrum pluto[22198]: | _natd_hash: ip= c0 a8 b2 fd</div>
<div>2011-03-01T13:54:24.402375+01:00 linksrum pluto[22198]: | _natd_hash: port=500</div><div>2011-03-01T13:54:24.402385+01:00 linksrum pluto[22198]: | _natd_hash: hash= ea 93 45 f6 66 8c 39 bf 7e 34 7d 7a 56 5f d9 f7</div>
<div>2011-03-01T13:54:24.402396+01:00 linksrum pluto[22198]: | da f7 4c c7</div><div>2011-03-01T13:54:24.402407+01:00 linksrum pluto[22198]: | _natd_hash: hasher=0x80ed480(20)</div><div>2011-03-01T13:54:24.402417+01:00 linksrum pluto[22198]: | _natd_hash: icookie=</div>
<div>2011-03-01T13:54:24.402428+01:00 linksrum pluto[22198]: | 1c d8 b4 97 4d cd 67 b0</div><div>2011-03-01T13:54:24.402441+01:00 linksrum pluto[22198]: | _natd_hash: rcookie=</div><div>2011-03-01T13:54:24.402453+01:00 linksrum pluto[22198]: | 3d e6 35 47 f9 f8 81 b1</div>
<div>2011-03-01T13:54:24.402463+01:00 linksrum pluto[22198]: | _natd_hash: ip= 55 b7 07 0c</div><div>2011-03-01T13:54:24.402473+01:00 linksrum pluto[22198]: | _natd_hash: port=65463</div><div>2011-03-01T13:54:24.402485+01:00 linksrum pluto[22198]: | _natd_hash: hash= 7c 10 bf 69 20 9e c6 61 6c 82 74 c7 ca af b1 50</div>
<div>2011-03-01T13:54:24.402496+01:00 linksrum pluto[22198]: | f8 a8 45 b5</div><div>2011-03-01T13:54:24.402507+01:00 linksrum pluto[22198]: | NAT_TRAVERSAL hash=0 (me:0) (him:0)</div><div>2011-03-01T13:54:24.402518+01:00 linksrum pluto[22198]: | expected NAT-D(me): ea 93 45 f6 66 8c 39 bf 7e 34 7d 7a 56 5f d9 f7</div>
<div>2011-03-01T13:54:24.402539+01:00 linksrum pluto[22198]: | da f7 4c c7</div><div>2011-03-01T13:54:24.402550+01:00 linksrum pluto[22198]: | expected NAT-D(him):</div><div>2011-03-01T13:54:24.402561+01:00 linksrum pluto[22198]: | 7c 10 bf 69 20 9e c6 61 6c 82 74 c7 ca af b1 50</div>
<div>2011-03-01T13:54:24.402664+01:00 linksrum pluto[22198]: | f8 a8 45 b5</div><div>2011-03-01T13:54:24.402677+01:00 linksrum pluto[22198]: | received NAT-D: 37 34 62 03 92 0d 39 5a e1 50 05 22 c7 04 ef 33</div><div>
2011-03-01T13:54:24.402688+01:00 linksrum pluto[22198]: | d1 23 5b 81</div><div>2011-03-01T13:54:24.402698+01:00 linksrum pluto[22198]: | NAT_TRAVERSAL hash=1 (me:0) (him:0)</div><div>2011-03-01T13:54:24.402709+01:00 linksrum pluto[22198]: | expected NAT-D(me): ea 93 45 f6 66 8c 39 bf 7e 34 7d 7a 56 5f d9 f7</div>
<div>2011-03-01T13:54:24.402719+01:00 linksrum pluto[22198]: | da f7 4c c7</div><div>2011-03-01T13:54:24.402729+01:00 linksrum pluto[22198]: | expected NAT-D(him):</div><div>2011-03-01T13:54:24.402739+01:00 linksrum pluto[22198]: | 7c 10 bf 69 20 9e c6 61 6c 82 74 c7 ca af b1 50</div>
<div>2011-03-01T13:54:24.402750+01:00 linksrum pluto[22198]: | f8 a8 45 b5</div><div>2011-03-01T13:54:24.402760+01:00 linksrum pluto[22198]: | received NAT-D: 3e 7d c7 ad 1e 06 6c 36 b5 b3 dc f6 79 ec 86 9f</div><div>
2011-03-01T13:54:24.402770+01:00 linksrum pluto[22198]: | b8 25 37 41</div><div>2011-03-01T13:54:24.405717+01:00 linksrum pluto[22198]: | NAT_TRAVERSAL hash=2 (me:0) (him:0)</div><div>2011-03-01T13:54:24.405737+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed</div>
<div>2011-03-01T13:54:24.405751+01:00 linksrum pluto[22198]: | helper -1 doing build_kenonce op id: 0</div><div>2011-03-01T13:54:24.405761+01:00 linksrum pluto[22198]: | processing connection L2TP-X509[2] 85.183.y.z</div>
<div>2011-03-01T13:54:24.405777+01:00 linksrum pluto[22198]: | _natd_hash: hasher=0x80ed480(20)</div><div>2011-03-01T13:54:24.405787+01:00 linksrum pluto[22198]: | _natd_hash: icookie=</div><div>2011-03-01T13:54:24.405798+01:00 linksrum pluto[22198]: | 1c d8 b4 97 4d cd 67 b0</div>
<div>2011-03-01T13:54:24.405807+01:00 linksrum pluto[22198]: | _natd_hash: rcookie=</div><div>2011-03-01T13:54:24.405817+01:00 linksrum pluto[22198]: | 3d e6 35 47 f9 f8 81 b1</div><div>2011-03-01T13:54:24.405827+01:00 linksrum pluto[22198]: | _natd_hash: ip= 55 b7 07 0c</div>
<div>2011-03-01T13:54:24.405843+01:00 linksrum pluto[22198]: | _natd_hash: port=65463</div><div>2011-03-01T13:54:24.405853+01:00 linksrum pluto[22198]: | _natd_hash: hash= 7c 10 bf 69 20 9e c6 61 6c 82 74 c7 ca af b1 50</div>
<div>2011-03-01T13:54:24.406018+01:00 linksrum pluto[22198]: | f8 a8 45 b5</div><div>2011-03-01T13:54:24.406056+01:00 linksrum pluto[22198]: | _natd_hash: hasher=0x80ed480(20)</div><div>2011-03-01T13:54:24.406084+01:00 linksrum pluto[22198]: | _natd_hash: icookie=</div>
<div>2011-03-01T13:54:24.406115+01:00 linksrum pluto[22198]: | 1c d8 b4 97 4d cd 67 b0</div><div>2011-03-01T13:54:24.406194+01:00 linksrum pluto[22198]: | _natd_hash: rcookie=</div><div>2011-03-01T13:54:24.406210+01:00 linksrum pluto[22198]: | 3d e6 35 47 f9 f8 81 b1</div>
<div>2011-03-01T13:54:24.406221+01:00 linksrum pluto[22198]: | _natd_hash: ip= c0 a8 b2 fd</div><div>2011-03-01T13:54:24.406231+01:00 linksrum pluto[22198]: | _natd_hash: port=500</div><div>2011-03-01T13:54:24.406241+01:00 linksrum pluto[22198]: | _natd_hash: hash= ea 93 45 f6 66 8c 39 bf 7e 34 7d 7a 56 5f d9 f7</div>
<div>2011-03-01T13:54:24.406253+01:00 linksrum pluto[22198]: | da f7 4c c7</div><div>2011-03-01T13:54:24.406267+01:00 linksrum pluto[22198]: | started looking for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum, CN=vpn.host.linksrum, E=linksrum@gmail.com->C=DE, ST=Hamburg, L=Hamburg, O=linksrum, CN=vpn.host.macbookpro, E=<a href="mailto:linksrum@gmail.com">linksrum@gmail.com</a> of kind PPK_PSK</div>
<div>2011-03-01T13:54:24.406279+01:00 linksrum pluto[22198]: | instantiating him to 0.0.0.0</div><div>2011-03-01T13:54:24.406291+01:00 linksrum pluto[22198]: | actually looking for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum, CN=vpn.host.linksrum, E=linksrum@gmail.com->0.0.0.0 of kind PPK_PSK</div>
<div>2011-03-01T13:54:24.406302+01:00 linksrum pluto[22198]: | concluding with best_match=0 best=(nil) (lineno=-1)</div><div>2011-03-01T13:54:24.408602+01:00 linksrum pluto[22198]: | complete state transition with STF_OK</div>
<div>2011-03-01T13:54:24.408619+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2</div><div>2011-03-01T13:54:24.408631+01:00 linksrum pluto[22198]: | sending reply packet to 85.183.y.z:65463 (from port=500)</div>
<div>2011-03-01T13:54:24.408643+01:00 linksrum pluto[22198]: | sending 228 bytes for STATE_MAIN_R1 through eth0:500 to 85.183.y.z:65463:</div><div>2011-03-01T13:54:24.408656+01:00 linksrum pluto[22198]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2</div>
<div>2011-03-01T13:54:24.408667+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: STATE_MAIN_R2: sent MR2, expecting MI3</div><div>2011-03-01T13:54:24.408678+01:00 linksrum pluto[22198]: | modecfg pull: noquirk policy:push not-client</div>
<div>2011-03-01T13:54:24.408690+01:00 linksrum pluto[22198]: | phase 1 is done, looking for phase 1 to unpend</div><div>2011-03-01T13:54:24.408700+01:00 linksrum pluto[22198]: | complete state transition with STF_INLINE</div>
<div>2011-03-01T13:54:24.408710+01:00 linksrum pluto[22198]: | next event EVENT_NAT_T_KEEPALIVE in 1 seconds</div><div>2011-03-01T13:54:24.622351+01:00 linksrum pluto[22198]: | </div><div>2011-03-01T13:54:24.622369+01:00 linksrum pluto[22198]: | *received 1076 bytes from 85.183.y.z:36695 on eth0 (port=4500)</div>
<div>2011-03-01T13:54:24.622382+01:00 linksrum pluto[22198]: | processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)</div><div>2011-03-01T13:54:24.622393+01:00 linksrum pluto[22198]: | ICOOKIE: 1c d8 b4 97 4d cd 67 b0</div>
<div>2011-03-01T13:54:24.622404+01:00 linksrum pluto[22198]: | RCOOKIE: 3d e6 35 47 f9 f8 81 b1</div><div>2011-03-01T13:54:24.622414+01:00 linksrum pluto[22198]: | peer: 55 b7 07 0c</div><div>2011-03-01T13:54:24.622424+01:00 linksrum pluto[22198]: | state hash entry 1</div>
<div>2011-03-01T13:54:24.622434+01:00 linksrum pluto[22198]: | peer and cookies match on #2, provided msgid 00000000 vs 00000000</div><div>2011-03-01T13:54:24.622444+01:00 linksrum pluto[22198]: | state object #2 found, in STATE_MAIN_R2</div>
<div>2011-03-01T13:54:24.622454+01:00 linksrum pluto[22198]: | processing connection L2TP-X509[2] 85.183.y.z</div><div>2011-03-01T13:54:24.622577+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Hamburg, L=Hamburg, O=linksrum, CN=vpn.host.macbookpro, E=<a href="mailto:linksrum@gmail.com">linksrum@gmail.com</a>'</div>
<div>2011-03-01T13:54:24.623438+01:00 linksrum pluto[22198]: | reached self-signed root ca</div><div>2011-03-01T13:54:24.623466+01:00 linksrum pluto[22198]: | requested CA: '%any'</div><div>2011-03-01T13:54:24.623536+01:00 linksrum pluto[22198]: | started looking for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum, CN=vpn.host.linksrum, E=linksrum@gmail.com->C=DE, ST=Hamburg, L=Hamburg, O=linksrum, CN=vpn.host.macbookpro, E=<a href="mailto:linksrum@gmail.com">linksrum@gmail.com</a> of kind PPK_RSA</div>
<div>2011-03-01T13:54:24.623568+01:00 linksrum pluto[22198]: | searching for certificate PPK_RSA:AwEAAcT0a vs PPK_RSA:AwEAAcT0a</div><div>2011-03-01T13:54:24.623618+01:00 linksrum pluto[22198]: | started looking for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum, CN=vpn.host.linksrum, E=linksrum@gmail.com->(none) of kind PPK_RSA</div>
<div>2011-03-01T13:54:24.623677+01:00 linksrum pluto[22198]: | searching for certificate PPK_RSA:AwEAAcT0a vs PPK_RSA:AwEAAcT0a</div><div>2011-03-01T13:54:24.623719+01:00 linksrum pluto[22198]: | offered CA: 'C=DE, ST=Hamburg, O=linksrum, CN=vpn.ca.linksrum, E=<a href="mailto:linksrum@gmail.com">linksrum@gmail.com</a>'</div>
<div>2011-03-01T13:54:24.623772+01:00 linksrum pluto[22198]: | required CA is '%any'</div><div>2011-03-01T13:54:24.623823+01:00 linksrum pluto[22198]: | key issuer CA is 'C=DE, ST=Hamburg, O=linksrum, CN=vpn.ca.linksrum, E=<a href="mailto:linksrum@gmail.com">linksrum@gmail.com</a>'</div>
<div>2011-03-01T13:54:24.624095+01:00 linksrum pluto[22198]: | an RSA Sig check passed with *AwEAAcU+c [preloaded key]</div><div>2011-03-01T13:54:24.624112+01:00 linksrum pluto[22198]: | thinking about whether to send my certificate:</div>
<div>2011-03-01T13:54:24.624125+01:00 linksrum pluto[22198]: | I have RSA key: OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE </div><div>2011-03-01T13:54:24.624136+01:00 linksrum pluto[22198]: | sendcert: CERT_ALWAYSSEND and I did not get a certificate request </div>
<div>2011-03-01T13:54:24.624146+01:00 linksrum pluto[22198]: | so send cert.</div><div>2011-03-01T13:54:24.624158+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: I am sending my cert</div><div>2011-03-01T13:54:24.624172+01:00 linksrum pluto[22198]: | started looking for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum, CN=vpn.host.linksrum, E=linksrum@gmail.com->C=DE, ST=Hamburg, L=Hamburg, O=linksrum, CN=vpn.host.macbookpro, E=<a href="mailto:linksrum@gmail.com">linksrum@gmail.com</a> of kind PPK_RSA</div>
<div>2011-03-01T13:54:24.624199+01:00 linksrum pluto[22198]: | searching for certificate PPK_RSA:AwEAAcT0a vs PPK_RSA:AwEAAcT0a</div><div>2011-03-01T13:54:24.624231+01:00 linksrum pluto[22198]: | signing hash with RSA Key *AwEAAcT0a</div>
<div>2011-03-01T13:54:24.627041+01:00 linksrum pluto[22198]: | complete state transition with STF_OK</div><div>2011-03-01T13:54:24.627059+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3</div>
<div>2011-03-01T13:54:24.627072+01:00 linksrum pluto[22198]: | sending reply packet to 85.183.y.z:65463 (from port=500)</div><div>2011-03-01T13:54:24.627084+01:00 linksrum pluto[22198]: | processing connection L2TP-X509[2] 85.183.y.z</div>
<div>2011-03-01T13:54:24.627095+01:00 linksrum pluto[22198]: | processing connection L2TP-X509[2] 85.183.y.z</div><div>2011-03-01T13:54:24.627106+01:00 linksrum pluto[22198]: | NAT-T: updating local port to 4500</div><div>
2011-03-01T13:54:24.627117+01:00 linksrum pluto[22198]: | NAT-T connection has wrong interface definition <a href="http://192.168.178.253:4500">192.168.178.253:4500</a> vs <a href="http://192.168.178.253:500">192.168.178.253:500</a></div>
<div>2011-03-01T13:54:24.627128+01:00 linksrum pluto[22198]: | NAT-T: using interface eth0:4500</div><div>2011-03-01T13:54:24.627140+01:00 linksrum pluto[22198]: | sending 1060 bytes for STATE_MAIN_R2 through eth0:4500 to 85.183.y.z:36695:</div>
<div>2011-03-01T13:54:24.627151+01:00 linksrum pluto[22198]: | inserting event EVENT_SA_EXPIRE, timeout in 3600 seconds for #2</div><div>2011-03-01T13:54:24.627164+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}</div>
<div>2011-03-01T13:54:24.627176+01:00 linksrum pluto[22198]: | modecfg pull: noquirk policy:push not-client</div><div>2011-03-01T13:54:24.627194+01:00 linksrum pluto[22198]: | phase 1 is done, looking for phase 1 to unpend</div>
<div>2011-03-01T13:54:24.627205+01:00 linksrum pluto[22198]: | next event EVENT_NAT_T_KEEPALIVE in 1 seconds</div><div>2011-03-01T13:54:24.689821+01:00 linksrum pluto[22198]: | </div><div>2011-03-01T13:54:24.689841+01:00 linksrum pluto[22198]: | *received 68 bytes from 85.183.y.z:36695 on eth0 (port=4500)</div>
<div>2011-03-01T13:54:24.689854+01:00 linksrum pluto[22198]: | processing packet with exchange type=ISAKMP_XCHG_INFO (5)</div><div>2011-03-01T13:54:24.689864+01:00 linksrum pluto[22198]: | ICOOKIE: 1c d8 b4 97 4d cd 67 b0</div>
<div>2011-03-01T13:54:24.689979+01:00 linksrum pluto[22198]: | RCOOKIE: 3d e6 35 47 f9 f8 81 b1</div><div>2011-03-01T13:54:24.689996+01:00 linksrum pluto[22198]: | peer: 55 b7 07 0c</div><div>2011-03-01T13:54:24.690008+01:00 linksrum pluto[22198]: | state hash entry 1</div>
<div>2011-03-01T13:54:24.690019+01:00 linksrum pluto[22198]: | peer and cookies match on #2, provided msgid 00000000 vs 00000000/00000000</div><div>2011-03-01T13:54:24.690123+01:00 linksrum pluto[22198]: | p15 state object #2 found, in STATE_MAIN_R3</div>
<div>2011-03-01T13:54:24.690139+01:00 linksrum pluto[22198]: | processing connection L2TP-X509[2] 85.183.y.z</div><div>2011-03-01T13:54:24.690225+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: next payload type of ISAKMP Hash Payload has an unknown value: 83</div>
<div>2011-03-01T13:54:24.690242+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: malformed payload in packet</div><div>2011-03-01T13:54:24.690367+01:00 linksrum pluto[22198]: | payload malformed after IV</div>
<div>2011-03-01T13:54:24.690384+01:00 linksrum pluto[22198]: | ba 6f 9f 65 bb 4e e1 9b</div><div>2011-03-01T13:54:24.690400+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: sending notification PAYLOAD_MALFORMED to 85.183.y.z:36695</div>
<div>2011-03-01T13:54:24.690505+01:00 linksrum pluto[22198]: | sending 40 bytes for notification packet through eth0:4500 to 85.183.y.z:36695:</div><div>2011-03-01T13:54:24.690522+01:00 linksrum pluto[22198]: | next event EVENT_NAT_T_KEEPALIVE in 1 seconds</div>
<div>2011-03-01T13:54:25.691630+01:00 linksrum pluto[22198]: | </div><div>2011-03-01T13:54:25.691657+01:00 linksrum pluto[22198]: | *time to handle event</div><div>2011-03-01T13:54:25.691672+01:00 linksrum pluto[22198]: | handling event EVENT_NAT_T_KEEPALIVE</div>
<div>2011-03-01T13:54:25.691683+01:00 linksrum pluto[22198]: | event after this is EVENT_PENDING_PHASE2 in 55 seconds</div><div>2011-03-01T13:54:25.691693+01:00 linksrum pluto[22198]: | processing connection L2TP-X509[2] 85.183.y.z</div>
<div>2011-03-01T13:54:25.691704+01:00 linksrum pluto[22198]: | processing connection L2TP-X509[2] 85.183.y.z</div><div>2011-03-01T13:54:25.691852+01:00 linksrum pluto[22198]: | processing connection L2TP-X509[2] 85.183.y.z</div>
<div>2011-03-01T13:54:25.691870+01:00 linksrum pluto[22198]: | ka_event: send NAT-KA to 85.183.y.z:36695 (state=#2)</div><div>2011-03-01T13:54:25.691884+01:00 linksrum pluto[22198]: | sending 1 bytes for NAT-T Keep Alive through eth0:4500 to 85.183.y.z:36695:</div>
<div>2011-03-01T13:54:25.691920+01:00 linksrum pluto[22198]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds</div><div>2011-03-01T13:54:25.691956+01:00 linksrum pluto[22198]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds</div>
<div><br></div>
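<div>The "_natd_hash" / "expected NAT-D" / "received NAT-D" lines in the log above are pluto doing RFC 3947 NAT detection. The following is an added example, not code from the post or from Openswan: it recomputes those NAT-D hashes from the cookies, address bytes and ports the log prints and reproduces the "both are NATed" verdict. It assumes the hash layout of RFC 3947 section 3.2 (CKY-I | CKY-R | IP | Port, network byte order) with SHA-1, which is what prf=oakley_sha and the 20-byte hasher in the log imply; the peer's address is kept as the raw bytes pluto printed.</div>

```python
"""Recompute the IKEv1 NAT-D payloads that pluto logged in the post above.

Added example, not code from the post or from Openswan.  All constants are
copied from the quoted debug log (constructed test data for this example).
"""
import hashlib
import struct

ICOOKIE = bytes.fromhex("1cd8b4974dcd67b0")          # "ICOOKIE:" line
RCOOKIE = bytes.fromhex("3de63547f9f881b1")          # "RCOOKIE:" line
ME_IP, ME_PORT = bytes.fromhex("c0a8b2fd"), 500      # 192.168.178.253:500 as seen locally
HIM_IP, HIM_PORT = bytes.fromhex("55b7070c"), 65463  # peer address/port as seen on the wire
EXPECTED_ME = bytes.fromhex("ea9345f6668c39bf7e347d7a565fd9f7daf74cc7")
EXPECTED_HIM = bytes.fromhex("7c10bf69209ec6616c8274c7caafb150f8a845b5")
RECEIVED_NATD = [  # the two NAT-D payloads the Mac sent, in order
    bytes.fromhex("37346203920d395ae1500522c704ef33d1235b81"),
    bytes.fromhex("3e7dc7ad1e066c36b5b3dcf679ec869fb8253741"),
]


def natd_hash(icookie, rcookie, ip, port):
    """RFC 3947 section 3.2: HASH = HASH(CKY-I | CKY-R | IP | Port), all in
    network byte order, using the negotiated hash.  This SA negotiated
    prf=oakley_sha and the log shows a 20-byte hasher, so SHA-1 (assumption)."""
    return hashlib.sha1(icookie + rcookie + ip + struct.pack("!H", port)).digest()


def nat_status(expected_me, expected_him, received):
    """Mirror pluto's verdict: an endpoint is behind NAT when none of the
    received NAT-D hashes equals the hash of the address/port actually seen,
    because a NAT rewrote the address or port the peer hashed."""
    me_nated = expected_me not in received
    him_nated = expected_him not in received
    if me_nated and him_nated:
        return "both are NATed"
    if me_nated:
        return "i am NATed"
    if him_nated:
        return "peer is NATed"
    return "no NAT detected"


def recompute_matches_log():
    """True when this re-implementation reproduces both 'expected NAT-D'
    values pluto printed, i.e. when input layout and algorithm agree."""
    return (natd_hash(ICOOKIE, RCOOKIE, ME_IP, ME_PORT) == EXPECTED_ME
            and natd_hash(ICOOKIE, RCOOKIE, HIM_IP, HIM_PORT) == EXPECTED_HIM)


if __name__ == "__main__":
    print("recomputed hashes match log:", recompute_matches_log())
    print("NAT-Traversal result:", nat_status(EXPECTED_ME, EXPECTED_HIM, RECEIVED_NATD))
```

<div>Neither received hash matches either expected hash, so pluto concludes both sides are NATed and, as the log shows next, moves the exchange to UDP port 4500. A NAT-D mismatch is therefore expected here and is not the failure; the failure comes later, in the informational exchange.</div>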
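<div>With plutodebug="control natt" the log is long, and the useful facts (state transitions, NAT-T verdict, peer ID, the ISAKMP SA parameters, the first error and the notification sent back) are scattered through it. The following is an added example, not code from the post or from Openswan, that pulls those facts out of a pluto log. SAMPLE_LOG is a constructed excerpt: a handful of lines copied from the /var/log/secure extract above. The regular expressions follow the message formats visible in that log; the list of error markers and the verdict wording are my own assumptions.</div>

```python
"""Summarise an Openswan pluto debug log into the IKEv1 negotiation timeline.

Added example, not code from the post.  SAMPLE_LOG is a constructed excerpt
of the log quoted in the post, so the functions run offline against the same
negotiation the post describes.
"""
import re

SAMPLE_LOG = """\
2011-03-01T13:54:24.328601+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: responding to Main Mode from unknown peer 85.183.y.z
2011-03-01T13:54:24.328623+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2011-03-01T13:54:24.405737+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
2011-03-01T13:54:24.408619+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2011-03-01T13:54:24.622577+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Hamburg, L=Hamburg, O=linksrum, CN=vpn.host.macbookpro, E=linksrum@gmail.com'
2011-03-01T13:54:24.627059+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
2011-03-01T13:54:24.627164+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
2011-03-01T13:54:24.689854+01:00 linksrum pluto[22198]: | processing packet with exchange type=ISAKMP_XCHG_INFO (5)
2011-03-01T13:54:24.690225+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: next payload type of ISAKMP Hash Payload has an unknown value: 83
2011-03-01T13:54:24.690242+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: malformed payload in packet
2011-03-01T13:54:24.690400+01:00 linksrum pluto[22198]: "L2TP-X509"[2] 85.183.y.z #2: sending notification PAYLOAD_MALFORMED to 85.183.y.z:36695
"""

# Message formats as they appear in the quoted log.
LINE_RE = re.compile(r'^(?P<ts>\S+) \S+ pluto\[\d+\]: (?P<msg>.*)$')
SA_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<sa>\d+): (?P<text>.*)$')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
ESTABLISHED_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')
NAT_RE = re.compile(r'NAT-Traversal: Result using (?P<method>\S+) \((?P<peer>[^)]*)\): (?P<verdict>.*)$')
NOTIFY_RE = re.compile(r'sending notification (?P<notify>\S+) to')
# Substrings treated as errors (assumption; extend for your own pluto version).
ERROR_MARKERS = ("malformed payload", "unknown value", "no suitable connection", "failed")


def summarize(log_text):
    """Walk the log once and collect the per-SA negotiation timeline."""
    summary = {"conn": None, "sa": None, "transitions": [], "peer_id": None,
               "nat": None, "established": None, "errors": [], "notifications": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sa = SA_RE.match(m["msg"])
        if not sa:
            continue  # "| ..." debug lines carry no SA tag; skipped here
        text = sa["text"]
        summary["conn"], summary["sa"] = sa["conn"], int(sa["sa"])
        t = TRANSITION_RE.search(text)
        if t:
            summary["transitions"].append(t.groups())
        e = ESTABLISHED_RE.search(text)
        if e:  # "{auth=... cipher=... prf=... group=...}" -> dict
            summary["established"] = dict(kv.split("=", 1) for kv in e["params"].split())
        n = NAT_RE.search(text)
        if n:
            summary["nat"] = n["verdict"]
        if text.startswith("Main mode peer ID is"):
            summary["peer_id"] = text.split("'", 2)[1]
        if any(marker in text for marker in ERROR_MARKERS):
            summary["errors"].append((m["ts"], text))
        nt = NOTIFY_RE.search(text)
        if nt:
            summary["notifications"].append(nt["notify"])
    return summary


def phase1_verdict(summary):
    """One-line verdict: did phase 1 complete, and what went wrong afterwards?"""
    if summary["established"] is None:
        return "phase 1 did not complete"
    if summary["errors"]:
        return "phase 1 established, then: " + summary["errors"][0][1]
    return "phase 1 established, no errors"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for frm, to in s["transitions"]:
        print(f"  {frm} -> {to}")
    print("peer ID:", s["peer_id"])
    print("NAT-T:", s["nat"])
    print("ISAKMP SA:", s["established"])
    print("verdict:", phase1_verdict(s))
```

<div>Run against the excerpt, the summary shows what the raw log makes hard to see at a glance: Main Mode completes (R0 through R3), the peer's certificate DN is accepted and the ISAKMP SA is established with RSA signatures, and the first error is the informational exchange that follows, which pluto rejects as malformed and answers with PAYLOAD_MALFORMED. That narrows the question to what happens after phase 1 rather than to the certificates or the NAT-T detection.</div>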