<div>Hello,<br></div><div><br></div><div>I use Openswan Version 2.6.39dr3 (KLIPS/mast stack, kernel 3.2.36).</div><div><br></div><div><div>Configs from <a href="http://git.openswan.org/cgi-bin/cgit/openswan/tree/programs/examples">http://git.openswan.org/cgi-bin/cgit/openswan/tree/programs/examples</a></div>
<div><br></div></div><div>But when the first client is connected with a certificate (authby=rsasig), the second can not connect with a password (authby=secret). And vice versa.</div><div><br></div><div>Log from Server TEST:</div>
<div>+++ Client 1 (cert) connected</div><div>Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received Vendor ID payload [RFC 3947] method set to=115 <br>Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115<br>
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115<br>Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115<br>
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115<br>Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115<br>
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115<br>Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115<br>
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115<br>Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115<br>
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received Vendor ID payload [Dead Peer Detection]<br>Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114: responding to Main Mode from unknown peer 213.77.XX.XX<br>
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114: STATE_MAIN_R1: sent MR1, expecting MI2<br>
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed<br>Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114: STATE_MAIN_R2: sent MR2, expecting MI3<br>Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<br>
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114: Main mode peer ID is ID_DER_ASN1_DN: 'C=XX, E=ca@test.lan'<br>Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114: no crl from issuer "O=TEST, CN=Test VPN CA, E=ca@test.lan" found (strict=no)<br>
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used<br>Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114: switched from "L2TP-CERT-NAT" to "L2TP-CERT-NAT"<br>
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114: deleting connection "L2TP-CERT-NAT" instance with peer 213.77.XX.XX {isakmp=#0/ipsec=#0}<br>Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114: I am sending my cert<br>
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114: new NAT mapping for #114, was 213.77.XX.XX:500, now 213.77.XX.XX:4500<br>
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}<br>Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114: Dead Peer Detection (RFC 3706): enabled<br>
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114: the peer proposed: 80.77.XX.YY/32:17/1701 -> <a href="http://172.16.237.185/32:17/0">172.16.237.185/32:17/0</a><br>Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114: NAT-Traversal: received 2 NAT-OA. using first, ignoring others<br>
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115: responding to Quick Mode proposal {msgid:a5978880}<br>Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115: us: 80.77.XX.YY<80.77.XX.YY>[@TEST.test.lan]:17/1701<br>
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115: them: 213.77.XX.XX[C=XX, E=ca@test.lan]:17/63668===<a href="http://172.16.237.185/32">172.16.237.185/32</a><br>Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115: Dead Peer Detection (RFC 3706): enabled<br>
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x063692b9 <0x77b7c96c xfrm=AES_256-HMAC_SHA1 NATOA=172.16.237.185 NATD=213.77.XX.XX:4500 DPD=enabled}</div>
<div><br></div><div>+++ Client 2 (PSK) try connect<br>Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [RFC 3947] method set to=115 <br>Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115<br>
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115<br>Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115<br>
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115<br>Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115<br>
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115<br>Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115<br>
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115<br>Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115<br>
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: ignoring Vendor ID payload [FRAGMENTATION 80000000]<br>Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [Dead Peer Detection]<br>
Jan 14 13:49:15 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #116: responding to Main Mode from unknown peer 213.77.XX.XX<br>Jan 14 13:49:15 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #116: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD<br>
Jan 14 13:49:16 TEST last message repeated 5 times<br>Jan 14 13:49:16 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #116: no acceptable Oakley Transform<br>Jan 14 13:49:16 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #116: sending notification NO_PROPOSAL_CHOSEN to 213.77.XX.XX:1<br>
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [RFC 3947] method set to=115 <br>Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115<br>
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115<br>Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115<br>
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115<br>Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115<br>
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115<br>Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115<br>
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115<br>Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115<br>
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: ignoring Vendor ID payload [FRAGMENTATION 80000000]<br>Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [Dead Peer Detection]<br>
Jan 14 13:49:18 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #117: responding to Main Mode from unknown peer 213.77.XX.XX<br>Jan 14 13:49:19 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #117: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD<br>
Jan 14 13:49:19 TEST last message repeated 5 times<br>Jan 14 13:49:19 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #117: no acceptable Oakley Transform<br>Jan 14 13:49:19 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #117: sending notification NO_PROPOSAL_CHOSEN to 213.77.XX.XX:1<br>
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [RFC 3947] method set to=115 <br>Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115<br>
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115<br>Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115<br>
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115<br>Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115<br>
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115<br>Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115<br>
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115<br>Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115<br>
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: ignoring Vendor ID payload [FRAGMENTATION 80000000]<br>Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [Dead Peer Detection]<br>
Jan 14 13:49:21 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #118: responding to Main Mode from unknown peer 213.77.XX.XX<br>Jan 14 13:49:22 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #118: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD<br>
Jan 14 13:49:22 TEST last message repeated 5 times<br>Jan 14 13:49:22 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #118: no acceptable Oakley Transform<br>Jan 14 13:49:22 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #118: sending notification NO_PROPOSAL_CHOSEN to 213.77.XX.XX:1<br>
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [RFC 3947] method set to=115 <br>Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115<br>
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115<br>Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115<br>
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115<br>Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115<br>
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115<br>Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115<br>
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115<br>Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115<br>
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: ignoring Vendor ID payload [FRAGMENTATION 80000000]<br>Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received Vendor ID payload [Dead Peer Detection]<br>
Jan 14 13:49:24 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #119: responding to Main Mode from unknown peer 213.77.XX.XX<br>Jan 14 13:49:25 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #119: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD<br>
Jan 14 13:49:25 TEST last message repeated 5 times<br>Jan 14 13:49:25 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #119: no acceptable Oakley Transform<br>Jan 14 13:49:25 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #119: sending notification NO_PROPOSAL_CHOSEN to 213.77.XX.XX:1<br>
</div><div><br></div><div><br></div><div>Best regards</div><div><br></div><div>Pavel</div><div><br></div><div><br></div>