<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.E-MailFormatvorlage17
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.E-MailFormatvorlage18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="DE" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hey, <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I’m an experienced administrator but new to openswan and iPhone VPN connectivity.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I am running…<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Gentoo Base System release 2.0.3<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Linux <system> 2.6.39-hardened-r8 #2 SMP Wed Sep 21 17:35:56 CEST 2011 i686 Intel(R) Xeon(R) CPU E5620 @ 2.40GHz GenuineIntel GNU/Linux<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Linux Openswan 2.6.35 (klips)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">xl2tpd-1.2.4<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">iPhone 4.2.1 (8C148)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I have been able to VPN from the iPhone to the Gentoo server using l2tp and PSK, but not with signed identity certificates (this is mandated by my company to set up).
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The ipsec.log shows the connection starting, the iPhone sends its cert, the cert is authenticated, and then the iPhone (appears) to start sending XAUTH authentication requests which are simply never responded to.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Openswan was installed via emerge, however when I manually open the /usr/portage/distfiles/openswan-2.6.35.tar.gz (which SHOULD be the install file used by emerge…I think) it looks like the XAUTH was enabled…<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">(from Makefile.inc)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">USE_XAUTH?=true<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">USE_XAUTHPAM?=false<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I did not change these settings. These were what I found in the default downloaded file.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">!!!Question 1: Is there a way to actually confirm XAUTH is activated in openswan beside examining the Makefile,inc?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">!!!Question 2: How can I trace the failure of he XAUTH password requests. The ipsec.log (even when ipsec.conf is set to plutodebug="all") doesn’t really seem to show much info about where these requests are disappearing
to.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">!!!Question 3: Any other suggestions to make this work :-)?
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">LOGS and CONFIGS:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">(ipsec.log)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">MARK START IPHONE VPN CONNECT ATTEMPT<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">MARK START IPHONE VPN CONNECT ATTEMPT<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">MARK START IPHONE VPN CONNECT ATTEMPT<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">|<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| *received 644 bytes from 89.XXX.XXX.89:500 on ppp0 (port=500)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">packet from 89.XXX.XXX.89:500: received Vendor ID payload [RFC 3947] method set to=109<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">packet from 89.XXX.XXX.89:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">packet from 89.XXX.XXX.89:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">packet from 89.XXX.XXX.89:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">packet from 89.XXX.XXX.89:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">packet from 89.XXX.XXX.89:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">packet from 89.XXX.XXX.89:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">packet from 89.XXX.XXX.89:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">packet from 89.XXX.XXX.89:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">packet from 89.XXX.XXX.89:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">packet from 89.XXX.XXX.89:500: received Vendor ID payload [XAUTH]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">packet from 89.XXX.XXX.89:500: received Vendor ID payload [Cisco-Unity]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">packet from 89.XXX.XXX.89:500: received Vendor ID payload [Dead Peer Detection]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| creating state object #2 at 0x13c688b8<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| processing connection td-L2TP[2] 89.XXX.XXX.89<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| ICOOKIE: 34 ce 98 50 65 42 94 85<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| RCOOKIE: 5c b0 70 eb c1 e1 50 b3<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| state hash entry 18<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| inserting state object #2 on chain 18<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: responding to Main Mode from unknown peer 89.XXX.XXX.89<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| complete state transition with STF_OK<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| sending reply packet to 89.XXX.XXX.89:500 (from port 500)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| sending 152 bytes for STATE_MAIN_R0 through ppp0:500 to 89.XXX.XXX.89:500 (using #2)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: STATE_MAIN_R1: sent MR1, expecting MI2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| modecfg pull: quirk-poll policy:push not-client<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| phase 1 is done, looking for phase 2 to unpend<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| * processed 0 messages from cryptographic helpers<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| next event EVENT_RETRANSMIT in 10 seconds for #2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| next event EVENT_RETRANSMIT in 10 seconds for #2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| helper 0 has finished work (cnt now 1)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| helper 0 replies to id: q#3<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| processing connection td-L2TP[2] 89.XXX.XXX.89<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| started looking for secret for (none)->C=DE, ST=Niedersachsen, O=team Datentechnik, CN=89.166.154.251, E=rightmire@team-datentechnik.de of kind PPK_PSK<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| actually looking for secret for (none)->C=DE, ST=Niedersachsen, O=team Datentechnik, CN=89.166.154.251, E=rightmire@team-datentechnik.de of kind PPK_PSK<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| 1: compared key %any to (none) / C=DE, ST=Niedersachsen, O=team Datentechnik, CN=89.166.154.251, E=rightmire@team-datentechnik.de -> 2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| 2: compared key %any to (none) / C=DE, ST=Niedersachsen, O=team Datentechnik, CN=89.166.154.251, E=rightmire@team-datentechnik.de -> 2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| line 1: match=2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| best_match 0>2 best=0x13c635a8 (line=1)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| concluding with best_match=2 best=0x13c635a8 (lineno=1)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| parent1 type: 7 group: 5 len: 2668<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| asking helper 0 to do compute dh+iv op on seq: 4 (len=2668, pcw_work=1)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| crypto helper write of request: cnt=2668<wlen=2668.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| complete state transition with STF_OK<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| sending reply packet to 89.XXX.XXX.89:500 (from port 500)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| sending 292 bytes for STATE_MAIN_R1 through ppp0:500 to 89.XXX.XXX.89:500 (using #2)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: STATE_MAIN_R2: sent MR2, expecting MI3<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| modecfg pull: quirk-poll policy:push not-client<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| phase 1 is done, looking for phase 2 to unpend<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| * processed 1 messages from cryptographic helpers<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| next event EVENT_RETRANSMIT in 10 seconds for #2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| next event EVENT_RETRANSMIT in 10 seconds for #2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">! helper 0 read 2664+4/2668 bytesfd: 7<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">! helper 0 doing compute dh+iv op id: 4<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| *received 1804 bytes from 89.XXX.XXX.89:4500 on ppp0 (port=4500)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| ICOOKIE: 34 ce 98 50 65 42 94 85<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| RCOOKIE: 5c b0 70 eb c1 e1 50 b3<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| state hash entry 18<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| v1 peer and cookies match on #2, provided msgid 00000000 vs 00000000<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| v1 state object #2 found, in STATE_MAIN_R2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| processing connection td-L2TP[2] 89.XXX.XXX.89<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Niedersachsen, O=team Datentechnik, CN=89.166.154.251, E=rightmire@team-datentechnik.de'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: no crl from issuer "C=DE, ST=Niedersachsen, L=Georgsmarienh\303\274tte, O=team Datentechnik, CN=teamDatentechnik, E=rightmire@team-datentechnik.de" found (strict=no)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| reached self-signed root ca<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| requested CA: '%any'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| started looking for secret for (none)->C=DE, ST=Niedersachsen, O=team Datentechnik, CN=89.166.154.251, E=rightmire@team-datentechnik.de of kind PPK_RSA<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| searching for certificate PPK_XAUTH:N/A vs PPK_RSA:AwEAAQsJs<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| searching for certificate PPK_RSA:AwEAAbBkW vs PPK_RSA:AwEAAQsJs<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| searching for certificate PPK_RSA:AwEAAQsJs vs PPK_RSA:AwEAAQsJs<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| started looking for secret for (none)->(none) of kind PPK_RSA<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| searching for certificate PPK_XAUTH:N/A vs PPK_RSA:AwEAAQsJs<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| searching for certificate PPK_RSA:AwEAAbBkW vs PPK_RSA:AwEAAQsJs<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| searching for certificate PPK_RSA:AwEAAQsJs vs PPK_RSA:AwEAAQsJs<o:p></o:p></span></p>
<p class="MsoNormal">| offered CA: 'C=DE, ST=Niedersachsen, L=Georgsmarienh\303\274tte, O=team Datentechnik, CN=teamDatentechnik, E=rightmire@team-datentechnik.de'<o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">| required CA is '%any'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| key issuer CA is 'C=DE, ST=Niedersachsen, L=Georgsmarienh\303\274tte, O=team Datentechnik, CN=teamDatentechnik, E=rightmire@team-datentechnik.de'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| an RSA Sig check passed with *AwEAAbBkW [preloaded key]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| thinking about whether to send my certificate:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| I have RSA key: OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| sendcert: CERT_ALWAYSSEND and I did not get a certificate request<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| so send cert.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: I am sending my cert<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| started looking for secret for (none)->C=DE, ST=Niedersachsen, O=team Datentechnik, CN=89.166.154.251, E=rightmire@team-datentechnik.de of kind PPK_RSA<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| searching for certificate PPK_XAUTH:N/A vs PPK_RSA:AwEAAQsJs<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| searching for certificate PPK_RSA:AwEAAbBkW vs PPK_RSA:AwEAAQsJs<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| searching for certificate PPK_RSA:AwEAAQsJs vs PPK_RSA:AwEAAQsJs<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| signing hash with RSA Key *AwEAAQsJs<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| complete state transition with STF_OK<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| processing connection td-L2TP[2] 89.XXX.XXX.89<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| processing connection td-L2TP[2] 89.XXX.XXX.89<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: new NAT mapping for #2, was 89.XXX.XXX.89:500, now 89.XXX.XXX.89:4500<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| sending reply packet to 89.XXX.XXX.89:4500 (from port 4500)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| sending 1644 bytes for STATE_MAIN_R2 through ppp0:4500 to 89.XXX.XXX.89:4500 (using #2)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| inserting event EVENT_SA_EXPIRE, timeout in 3600 seconds for #2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1536}<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: XAUTH: Sending XAUTH Login/Password Request<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: XAUTH: Sending Username/Password request (XAUTH_R0)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| sending 76 bytes for XAUTH: req through ppp0:4500 to 89.XXX.XXX.89:4500 (using #2)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| inserting event EVENT_RETRANSMIT, timeout in 30 seconds for #2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| * processed 0 messages from cryptographic helpers<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| next event EVENT_RETRANSMIT in 13 seconds for #1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| next event EVENT_RETRANSMIT in 13 seconds for #1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| *received 1804 bytes from 89.XXX.XXX.89:4500 on ppp0 (port=4500)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| ICOOKIE: 34 ce 98 50 65 42 94 85<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| RCOOKIE: 5c b0 70 eb c1 e1 50 b3<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| state hash entry 18<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| v1 peer and cookies match on #2, provided msgid 00000000 vs 00000000<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| v1 state object #2 found, in STATE_XAUTH_R0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| processing connection td-L2TP[2] 89.XXX.XXX.89<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: discarding duplicate packet; already STATE_XAUTH_R0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| * processed 0 messages from cryptographic helpers<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| next event EVENT_RETRANSMIT in 3 seconds for #1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| next event EVENT_RETRANSMIT in 3 seconds for #1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">(the above block repeated three times)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| next event EVENT_RETRANSMIT in 0 seconds for #1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| *time to handle event<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| handling event EVENT_RETRANSMIT<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| event after this is EVENT_NAT_T_KEEPALIVE in 5 seconds<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| processing connection td-L2TP[2] 89.XXX.XXX.89<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| handling event EVENT_RETRANSMIT for 89.XXX.XXX.89 "td-L2TP" #1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| sending 76 bytes for EVENT_RETRANSMIT through ppp0:4500 to 89.XXX.XXX.89:4500 (using #1)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| next event EVENT_NAT_T_KEEPALIVE in 5 seconds<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">|<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| next event EVENT_NAT_T_KEEPALIVE in 0 seconds<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| *time to handle event<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| handling event EVENT_NAT_T_KEEPALIVE<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| event after this is EVENT_PENDING_DDNS in 0 seconds<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| processing connection td-L2TP[2] 89.XXX.XXX.89<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| processing connection td-L2TP[2] 89.XXX.XXX.89<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| handling event EVENT_PENDING_DDNS<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| event after this is EVENT_SHUNT_SCAN in 0 seconds<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| handling event EVENT_SHUNT_SCAN<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| event after this is EVENT_PENDING_PHASE2 in 0 seconds<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| scanning for shunt eroutes<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| handling event EVENT_PENDING_PHASE2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| event after this is EVENT_RETRANSMIT in 12 seconds<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| pending review: connection "td-L2TP" was not up, skipped<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| pending review: connection "td-L2TP" was not up, skipped<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| next event EVENT_RETRANSMIT in 12 seconds for #2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">|<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| *received 1804 bytes from 89.XXX.XXX.89:4500 on ppp0 (port=4500)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| ICOOKIE: 34 ce 98 50 65 42 94 85<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| RCOOKIE: 5c b0 70 eb c1 e1 50 b3<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| state hash entry 18<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| v1 peer and cookies match on #2, provided msgid 00000000 vs 00000000<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| v1 state object #2 found, in STATE_XAUTH_R0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| processing connection td-L2TP[2] 89.XXX.XXX.89<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">"td-L2TP"[2] 89.XXX.XXX.89 #2: discarding duplicate packet; already STATE_XAUTH_R0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| * processed 0 messages from cryptographic helpers<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| next event EVENT_RETRANSMIT in 9 seconds for #2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">| next event EVENT_RETRANSMIT in 9 seconds for #2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">MARK STOP IPHONE VPN CONNECT ATTEMPT<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">MARK STOP IPHONE VPN CONNECT ATTEMPT<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">MARK STOP IPHONE VPN CONNECT ATTEMPT<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">(ipsec.conf)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">version 2.0 # conforms to second version of ipsec.conf specification<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">config setup<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> plutodebug="control"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> dumpdir=/var/run/pluto/<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> nat_traversal=yes<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:192.168.2.0/24<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> oe=off<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> protostack=klips<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> plutostderrlog=/var/log/ipsec.log<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> interfaces="ipsec0=ppp0"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">conn block<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> auto=ignore<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">conn private<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> auto=ignore<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">conn private-or-clear<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> auto=ignore<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">conn clear-or-private<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> auto=ignore<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">conn clear<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> auto=ignore<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">conn packetdefault<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> auto=ignore<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">conn td-L2TP<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> authby=rsasig<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> pfs=no<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> auto=add<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> rekey=no<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> type=transport<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> left=%ppp0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> leftcert=/etc/ipsec.d/certs/teamfirewall.crt<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> leftid=%myid<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> leftxauthserver=yes<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> leftxauthusername=mrightmi<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> dpdaction=clear<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> right=%any<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> rightsubnet=vhost:%priv,%no<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">(ipsec.secrets)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">%any %any : PSK "xxxxxxxx"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">%any %any : RSA /etc/ipsec.d/private/teamfirewall.key "xxxxxx"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">%any %any : RSA /etc/ipsec.d/private/iphone.key "xxxxxxxxxx"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">@mrightmi : XAUTH "xxxxxxxxxx"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">(/etc/ipsec.d/htpasswd AND /etc/ipsec.d/passwd…I have seen posts saying to use both…???)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">(both files created with command “htpasswd –c –m /etc/ipsec.d/<filename> mrightmi”)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">mrightmi:$aprxxxxxxxxxxxxxxxxxxxxxxxxxxxxxbv/:*<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
</body>
</html>