<div>It's me again.</div><div><br></div><div>I couldn't get around the nss DH error (see other email)</div><div><br></div><div>So, I downloaded openswan 2.6.26 no-nss rpm provided in the downloads (thanks!), and I'm just going straight RSA. I'm thinking I may even have to give that up, but I think my problem is not RSA related.</div>
<div><br></div><div>For now I'm trying to get a single connection with *no* need to connect to private IP ranges behind client server. I basically just want all the client's IP traffic to come down the tunnel to the server which will then NAT it out to the rest of the world. Can't get easier than that, no? (sigh)</div>
<div><br></div><div>here's my config:</div><div><br></div><div><div>version<span class="Apple-tab-span" style="white-space:pre">        </span>2.0<span class="Apple-tab-span" style="white-space:pre">        </span># conforms to second version of ipsec.conf specification</div>
<div><br></div><div>config setup</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>protostack=netkey</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>nat_traversal=yes</div><div>
<span class="Apple-tab-span" style="white-space:pre">        </span>virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12</a></div><div><span class="Apple-tab-span" style="white-space:pre">        </span>oe=off</div>
<div><br></div></div><div><div>conn mobileaegisclient</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>authby=rsasig</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>left=173.255.254.20</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>leftcert=01_crt.pem</div><div> leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="Apple-tab-span" style="white-space:pre">        </span>right=%any</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>auto=add</div></div><div><br></div><div>This should catch any and all connections, not even worry about cert checking, although certs are there</div><div>
<br>
</div><div><br></div><pre>Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: received Vendor ID payload [RFC 3947] method set to=109
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: received Vendor ID payload [Dead Peer Detection]
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: received Vendor ID payload [Cisco-Unity]
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: responding to Main Mode from unknown peer 74.137.71.67
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 26 01:20:26 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Kentucky, O=MA, OU=Admin, CN=Richard.Pickett@CSRTechnologies.com'
<b>Jul 26 01:20:26 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: no suitable connection for peer 'C=US, ST=Kentucky, O=MA, OU=Admin, CN=Richard.Pickett@CSRTechnologies.com'</b>
Jul 26 01:20:26 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: sending encrypted notification INVALID_ID_INFORMATION to 74.137.71.67:53540
Jul 26 01:20:35 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: byte 2 of ISAKMP Hash Payload must be zero, but is not
Jul 26 01:20:35 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: malformed payload in packet
Jul 26 01:20:35 vhost5 pluto[6709]: | payload malformed after IV
Jul 26 01:20:35 vhost5 pluto[6709]: | 7e 25 dd fa d1 93 98 4b 05 bf b1 15 30 2a 36 0e
Jul 26 01:20:35 vhost5 pluto[6709]: | 8b 95 e1 a9
Jul 26 01:20:35 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: sending notification PAYLOAD_MALFORMED to 74.137.71.67:53540
Jul 26 01:20:47 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #1: max number of retransmissions (2) reached STATE_MAIN_R2
</pre><div><br></div><div>I can get that bold line (no suitable connection for peer) to alternate between that and this:</div>
<div><br></div><pre><b>Jul 26 01:55:43 vhost5 pluto[14632]: packet from 74.137.71.67:46099: initial Main Mode message received on 173.255.254.20:500 but no connection has been authorized with policy=RSASIG</b></pre><div><br></div><div>by changing the right*= settings, but no matter what I do, I can't get it to connect at all.</div><div><br></div><div>One thing to note - even though the certs are created with an L=BG, you only see it in the CA when openswan talks about it, but when it mentions the certs (as you can see in the log), it's not displayed. Don't know if that's related or not, but it's something I've noticed.</div>
<div><br></div><div>Searching the Internet for either of those phrases turns up other people who had problems, but none of them who tell the answer.</div><div><br></div><div>Surely the answer isn't that I have to ditch NSS, RSA, and go to something lame like xauth...</div>
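<div>Added triage aid, not part of the original mail: the Python below parses pluto log lines like the ones quoted above and reports how far the responder got (states reached, NAT-T result, the peer ID it parsed) and which rejection ended the attempt, which separates the two alternating errors by phase: the policy=RSASIG line is logged on the initial message before any peer ID exists, while "no suitable connection for peer" is logged only after the certificate DN was parsed. The regexes and failure labels are my own; the sample lines are the poster's.</div>

```python
import re

# Pluto (openswan IKEv1) log line, e.g.
#   Jul 26 01:20:26 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: <message>
# The quoted conn / peer / SA-number prefix is absent on the early "packet from" lines.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): )?(?P<msg>.*)$')

# Responder-side rejections, labelled (my own names) by when pluto gave up: on the
# first packet before any peer ID is known, or after the peer's ID was parsed.
FAILURES = [
    (re.compile(r"no connection has been authorized with policy=\w+"), "no-conn-for-policy"),
    (re.compile(r"no suitable connection for peer '[^']+'"), "no-conn-for-peer-id"),
    (re.compile(r"malformed payload in packet"), "malformed-payload"),
]

def triage(lines):
    """Summarise one responder-side Main Mode attempt from pluto log lines."""
    out = {"states": [], "peer_id": None, "nat_t": None, "notifications": [], "failures": []}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a pluto line
        msg = m.group("msg")
        if st := re.search(r"transition from state \S+ to state (\S+)", msg):
            out["states"].append(st.group(1))
        if idm := re.search(r"Main mode peer ID is (\S+): '([^']+)'", msg):
            out["peer_id"] = (idm.group(1), idm.group(2))  # (ID type, ID value)
        if nat := re.search(r"NAT-Traversal: Result using .*: (.*)$", msg):
            out["nat_t"] = nat.group(1)
        if n := re.search(r"sending (?:encrypted )?notification (\S+)", msg):
            out["notifications"].append(n.group(1))
        out["failures"] += [label for pat, label in FAILURES if pat.search(msg)]
    return out

# Sample input: lines quoted in the post above (the poster's output, not invented here), one per attempt.
ATTEMPT_1 = """\
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 26 01:20:26 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Kentucky, O=MA, OU=Admin, CN=Richard.Pickett@CSRTechnologies.com'
Jul 26 01:20:26 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: no suitable connection for peer 'C=US, ST=Kentucky, O=MA, OU=Admin, CN=Richard.Pickett@CSRTechnologies.com'
Jul 26 01:20:26 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: sending encrypted notification INVALID_ID_INFORMATION to 74.137.71.67:53540
Jul 26 01:20:35 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: malformed payload in packet
Jul 26 01:20:35 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2: sending notification PAYLOAD_MALFORMED to 74.137.71.67:53540
""".splitlines()
ATTEMPT_2 = ["Jul 26 01:55:43 vhost5 pluto[14632]: packet from 74.137.71.67:46099: initial Main Mode message received on 173.255.254.20:500 but no connection has been authorized with policy=RSASIG"]
```

<div>Running triage() over ATTEMPT_1 shows phase 1 reached STATE_MAIN_R2 and parsed the DN before failing, while ATTEMPT_2 never got past the first packet.</div>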