<div dir="ltr">Hello and once again, thanks for your reply.<div><br></div><div><br></div><div>I then exported the certificates to the PKCS#12 format and imported them into my NSS database. I've done that on both machines.</div>
<div><br></div><div><br></div><div>I've edited both my secrets and conf files to reflect the nickname that the NSS database shows, but I'm still getting problems.</div><div><br></div><div>Using the log I've managed to solve some problems, but now I'm stuck.</div>
<div><br></div><div><br></div><div>Here is my /var/log/secure on the machine after service ipsec start:<br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine ipsec__plutorun: Starting Pluto subsystem...</font></div>
<div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: nss directory plutomain: /etc/ipsec.d</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: NSS Initialized</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: Non-fips mode set in /proc/sys/crypto/fips_enabled</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:10894</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: Non-fips mode set in /proc/sys/crypto/fips_enabled</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: LEAK_DETECTIVE support [disabled]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: OCF support for IKE [disabled]</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: SAref support [disabled]: Protocol not available</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: SAbind support [disabled]: Protocol not available</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: NSS support [enabled]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: HAVE_STATSD notification support not compiled in</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: Setting NAT-Traversal port-4500 floating to on</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: port floating activation criteria nat_t=1/port_float=1</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: NAT-Traversal support [enabled]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: starting up 1 cryptographic helpers</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: started helper (thread) pid=-1217217680 (fd:10)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: Using Linux 2.6 IPsec interface code on 2.6.32-358.23.2.el6.i686 (experimental code)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm already exists</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm already exists</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm already exists</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm already exists</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm already exists</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: Changed path to directory '/etc/ipsec.d/cacerts'</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: loaded CA cert file 'cacert.crt' (843 bytes)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: Could not change to directory '/etc/ipsec.d/aacerts': /var/run/pluto</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: Could not change to directory '/etc/ipsec.d/ocspcerts': /var/run/pluto</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: Changing to directory '/etc/ipsec.d/crls'</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: loaded crl file 'crl.pem' (516 bytes)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: | selinux support is enabled. </font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: loading certificate from <a href="http://www.gwone.pt">www.gwone.pt</a> - ONE </font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: added connection description "cert"</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: listening for IKE messages</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth3/eth3 <a href="http://172.16.1.1:500">172.16.1.1:500</a></font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth3/eth3 <a href="http://172.16.1.1:4500">172.16.1.1:4500</a></font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth2/eth2 <a href="http://192.168.1.1:500">192.168.1.1:500</a></font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth2/eth2 <a href="http://192.168.1.1:4500">192.168.1.1:4500</a></font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth1/eth1 <a href="http://10.1.1.254:500">10.1.1.254:500</a></font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth1/eth1 <a href="http://10.1.1.254:4500">10.1.1.254:4500</a></font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: adding interface lo/lo <a href="http://127.0.0.1:500">127.0.0.1:500</a></font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: adding interface lo/lo <a href="http://127.0.0.1:4500">127.0.0.1:4500</a></font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: adding interface lo/lo ::1:500</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: loading secrets from "/etc/ipsec.secrets"</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: loaded private key for keyid: PPK_RSA:AwEAAd7/L</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: "cert" #1: initiating Main Mode</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:48 mainmachine pluto[10894]: ERROR: asynchronous network error report on eth2 (sport=500) for message to 192.168.1.2 port 500, complainant <a href="http://192.168.1.2">192.168.1.2</a>: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: packet from <a href="http://192.168.1.2:500">192.168.1.2:500</a>: received Vendor ID payload [Openswan (this version) 2.6.32 ]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: packet from <a href="http://192.168.1.2:500">192.168.1.2:500</a>: received Vendor ID payload [Dead Peer Detection]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: packet from <a href="http://192.168.1.2:500">192.168.1.2:500</a>: received Vendor ID payload [RFC 3947] method set to=109 </font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: packet from <a href="http://192.168.1.2:500">192.168.1.2:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: packet from <a href="http://192.168.1.2:500">192.168.1.2:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: packet from <a href="http://192.168.1.2:500">192.168.1.2:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: packet from <a href="http://192.168.1.2:500">192.168.1.2:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: responding to Main Mode</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: STATE_MAIN_R1: sent MR1, expecting MI2</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: STATE_MAIN_R2: sent MR2, expecting MI3</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: sending encrypted notification INVALID_KEY_INFORMATION to <a href="http://192.168.1.2:500">192.168.1.2:500</a></font></div>
</div></blockquote><div><br></div><div>And after ipsec auto --up cert</div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: received Vendor ID payload [Openswan (this version) 2.6.32 ]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: received Vendor ID payload [Dead Peer Detection]</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: received Vendor ID payload [RFC 3947] method set to=109 </font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: enabling possible NAT-traversal with method 4</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: STATE_MAIN_I2: sent MI2, expecting MR2</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: I am sending my cert</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: I am sending a certificate request</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: STATE_MAIN_I3: sent MI3, expecting MR3</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: received Vendor ID payload [CAN-IKEv2]</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: sending encrypted notification INVALID_KEY_INFORMATION to <a href="http://192.168.1.2:500">192.168.1.2:500</a></font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: received 1 malformed payload notifies</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: sending encrypted notification INVALID_KEY_INFORMATION to <a href="http://192.168.1.2:500">192.168.1.2:500</a></font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: sending encrypted notification INVALID_KEY_INFORMATION to <a href="http://192.168.1.2:500">192.168.1.2:500</a></font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: packet from <a href="http://192.168.1.2:500">192.168.1.2:500</a>: received Vendor ID payload [Openswan (this version) 2.6.32 ]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: packet from <a href="http://192.168.1.2:500">192.168.1.2:500</a>: received Vendor ID payload [Dead Peer Detection]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: packet from <a href="http://192.168.1.2:500">192.168.1.2:500</a>: received Vendor ID payload [RFC 3947] method set to=109 </font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: packet from <a href="http://192.168.1.2:500">192.168.1.2:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: packet from <a href="http://192.168.1.2:500">192.168.1.2:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: packet from <a href="http://192.168.1.2:500">192.168.1.2:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: packet from <a href="http://192.168.1.2:500">192.168.1.2:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: responding to Main Mode</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: STATE_MAIN_R1: sent MR1, expecting MI2</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: STATE_MAIN_R2: sent MR2, expecting MI3</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: sending encrypted notification INVALID_KEY_INFORMATION to <a href="http://192.168.1.2:500">192.168.1.2:500</a></font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: sending encrypted notification INVALID_KEY_INFORMATION to <a href="http://192.168.1.2:500">192.168.1.2:500</a></font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: sending encrypted notification INVALID_KEY_INFORMATION to <a href="http://192.168.1.2:500">192.168.1.2:500</a></font></div>
</div></blockquote><div><br></div><div><br></div><div>Likewise, on machine B I got this:</div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine ipsec__plutorun: Starting Pluto subsystem...</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: nss directory plutomain: /etc/ipsec.d</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: NSS Initialized</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: Non-fips mode set in /proc/sys/crypto/fips_enabled</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:4985</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: Non-fips mode set in /proc/sys/crypto/fips_enabled</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: LEAK_DETECTIVE support [disabled]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: OCF support for IKE [disabled]</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: SAref support [disabled]: Protocol not available</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: SAbind support [disabled]: Protocol not available</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: NSS support [enabled]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: HAVE_STATSD notification support not compiled in</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: Setting NAT-Traversal port-4500 floating to on</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: port floating activation criteria nat_t=1/port_float=1</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: NAT-Traversal support [enabled]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: starting up 1 cryptographic helpers</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: started helper (thread) pid=-1220584592 (fd:10)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: Using Linux 2.6 IPsec interface code on 2.6.32-358.23.2.el6.i686 (experimental code)</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm already exists</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm already exists</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm already exists</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm already exists</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm already exists</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: Changed path to directory '/etc/ipsec.d/cacerts'</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: loaded CA cert file 'cacert.crt' (843 bytes)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: Could not change to directory '/etc/ipsec.d/aacerts': /var/run/pluto</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: Could not change to directory '/etc/ipsec.d/ocspcerts': /var/run/pluto</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: Changing to directory '/etc/ipsec.d/crls'</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: loaded crl file 'crl.pem' (516 bytes)</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: | selinux support is enabled. </font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: loading certificate from <a href="http://www.gwtwo.pt">www.gwtwo.pt</a> - ONE </font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: loading certificate from <a href="http://www.gwone.pt">www.gwone.pt</a> - ONE </font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: added connection description "cert"</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: listening for IKE messages</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth6/eth6 <a href="http://192.168.1.2:500">192.168.1.2:500</a></font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth6/eth6 <a href="http://192.168.1.2:4500">192.168.1.2:4500</a></font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth5/eth5 <a href="http://10.1.2.254:500">10.1.2.254:500</a></font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth5/eth5 <a href="http://10.1.2.254:4500">10.1.2.254:4500</a></font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: adding interface lo/lo <a href="http://127.0.0.1:500">127.0.0.1:500</a></font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: adding interface lo/lo <a href="http://127.0.0.1:4500">127.0.0.1:4500</a></font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: adding interface lo/lo ::1:500</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: loading secrets from "/etc/ipsec.secrets"</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: loaded private key for keyid: PPK_RSA:AwEAAd7/L</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: loaded private key for keyid: PPK_RSA:AwEAAcFsb</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: initiating Main Mode</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received Vendor ID payload [Openswan (this version) 2.6.32 ]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received Vendor ID payload [Dead Peer Detection]</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received Vendor ID payload [RFC 3947] method set to=109 </font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: enabling possible NAT-traversal with method 4</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: STATE_MAIN_I2: sent MI2, expecting MR2</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: I am sending my cert</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: I am sending a certificate request</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: STATE_MAIN_I3: sent MI3, expecting MR3</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000</font></div></div><div>
<div><font face="courier new, monospace" size="1">Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received and ignored informational message</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: packet from <a href="http://192.168.1.1:500">192.168.1.1:500</a>: received Vendor ID payload [Openswan (this version) 2.6.32 ]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: packet from <a href="http://192.168.1.1:500">192.168.1.1:500</a>: received Vendor ID payload [Dead Peer Detection]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: packet from <a href="http://192.168.1.1:500">192.168.1.1:500</a>: received Vendor ID payload [RFC 3947] method set to=109 </font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: packet from <a href="http://192.168.1.1:500">192.168.1.1:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: packet from <a href="http://192.168.1.1:500">192.168.1.1:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: packet from <a href="http://192.168.1.1:500">192.168.1.1:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: packet from <a href="http://192.168.1.1:500">192.168.1.1:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: responding to Main Mode</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R1: sent MR1, expecting MI2</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R2: sent MR2, expecting MI3</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.1'</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: I am sending my cert</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: next payload type of ISAKMP Hash Payload has an unknown value: 251</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: malformed payload in packet</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: | payload malformed after IV</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: | d3 87 42 1b 2b 62 84 1e 13 0b 12 57 2d b3 4a 6c</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: sending notification PAYLOAD_MALFORMED to <a href="http://192.168.1.1:500">192.168.1.1:500</a></font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:23 mainmachine pluto[4985]: "cert" #1: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000</font></div></div><div>
<div><font face="courier new, monospace" size="1">Nov 18 12:06:23 mainmachine pluto[4985]: "cert" #1: received and ignored informational message</font></div></div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:43 mainmachine pluto[4985]: "cert" #1: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000</font></div>
</div><div><div><font face="courier new, monospace" size="1">Nov 18 12:06:43 mainmachine pluto[4985]: "cert" #1: received and ignored informational message</font></div></div></blockquote><div><br></div><div>and after ipsec auto --up cert</div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #1: starting keying attempt 2 of an unlimited number</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: initiating Main Mode to replace #1</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received Vendor ID payload [Openswan (this version) 2.6.32 ]</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received Vendor ID payload [Dead Peer Detection]</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received Vendor ID payload [RFC 3947] method set to=109 </font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: enabling possible NAT-traversal with method 4</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: STATE_MAIN_I2: sent MI2, expecting MR2</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</font></div></div><div><div>
<font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: I am sending my cert</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: I am sending a certificate request</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: STATE_MAIN_I3: sent MI3, expecting MR3</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000</font></div></div><div>
<div><font size="1" face="courier new, monospace">Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received and ignored informational message</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:33 mainmachine pluto[4985]: "cert" #3: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:33 mainmachine pluto[4985]: "cert" #3: received and ignored informational message</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:53 mainmachine pluto[4985]: "cert" #3: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:07:53 mainmachine pluto[4985]: "cert" #3: received and ignored informational message</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #3: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #3: starting keying attempt 3 of an unlimited number</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: initiating Main Mode to replace #3</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received Vendor ID payload [Openswan (this version) 2.6.32 ]</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received Vendor ID payload [Dead Peer Detection]</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received Vendor ID payload [RFC 3947] method set to=109 </font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: enabling possible NAT-traversal with method 4</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: STATE_MAIN_I2: sent MI2, expecting MR2</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</font></div></div><div><div>
<font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: I am sending my cert</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: I am sending a certificate request</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: STATE_MAIN_I3: sent MI3, expecting MR3</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000</font></div></div><div>
<div><font size="1" face="courier new, monospace">Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received and ignored informational message</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:43 mainmachine pluto[4985]: "cert" #4: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:08:43 mainmachine pluto[4985]: "cert" #4: received and ignored informational message</font></div></div><div><div><font size="1" face="courier new, monospace">Nov 18 12:09:03 mainmachine pluto[4985]: "cert" #4: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000</font></div>
</div><div><div><font size="1" face="courier new, monospace">Nov 18 12:09:03 mainmachine pluto[4985]: "cert" #4: received and ignored informational message</font></div></div></blockquote><div><br></div><div><br>
</div><div><br></div><div>On both machines, the only iptables rules that exist are these:</div><div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><div><font face="courier new, monospace" size="1">iptables -A INPUT -p icmp -j ACCEPT</font></div>
</div><div><div><font face="courier new, monospace" size="1">iptables -A FORWARD -p icmp -j ACCEPT</font></div></div><div><div><font face="courier new, monospace" size="1">iptables -A INPUT -p esp -j ACCEPT</font></div></div>
<div><div><font face="courier new, monospace" size="1">iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT</font></div></div><div><div><font face="courier new, monospace" size="1">iptables -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT</font></div>
</div><div><div><font face="courier new, monospace" size="1">iptables -A FORWARD -s <a href="http://10.1.1.0/24">10.1.1.0/24</a> -d <a href="http://10.1.2.0/24">10.1.2.0/24</a> -j ACCEPT</font></div></div><div><div><font face="courier new, monospace" size="1">iptables -A FORWARD -s <a href="http://10.1.2.0/24">10.1.2.0/24</a> -d <a href="http://10.1.1.0/24">10.1.1.0/24</a> -j ACCEPT</font></div>
</div></blockquote><div><br></div><div>Any idea of what I'm doing wrong?</div><div><br></div><div>Thanks,</div><div><br></div><div>Kent Davies</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br>
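Added example, not code from this thread and not part of Openswan: a small Python triage script for the kind of pluto lines shown above. It groups /var/log/secure lines by ISAKMP state number (#1, #2, ...) and reports, per negotiation, the role, the last Main Mode state reached, whether the ISAKMP SA was established and with which auth method, and the informational notifications the peer sent. The embedded sample log is a constructed, condensed copy modelled on the lines quoted above, not captured from a live system, and the one-line diagnoses are this example's reading of those messages rather than anything the thread states.

```python
"""Triage Openswan pluto Main Mode lines from /var/log/secure (added example,
not from the thread or from Openswan): group lines by ISAKMP state number
(#1, #2, ...) and summarise how far each negotiation got and what stopped it."""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
ESTABLISHED_RE = re.compile(r'ISAKMP SA established \{([^}]*)\}')
NOTIFY_RX_RE = re.compile(r'ignoring informational payload, type (\S+)')

# Constructed sample: condensed copy modelled on the lines quoted in the
# message above, not captured from a live system.
SAMPLE_LOG = """\
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: initiating Main Mode
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: responding to Main Mode
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: malformed payload in packet
Nov 18 12:06:19 mainmachine pluto[4985]: | payload malformed after IV
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: sending notification PAYLOAD_MALFORMED to 192.168.1.1:500
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""


@dataclass
class SaSummary:
    sa: int
    conn: str
    role: str = 'unknown'                # initiator or responder
    states: list = field(default_factory=list)
    established: bool = False
    params: dict = field(default_factory=dict)   # auth/cipher/prf/group
    notifications_received: list = field(default_factory=list)
    malformed: bool = False              # peer's encrypted message did not parse
    retransmit_exhausted: bool = False   # we gave up waiting for the peer

    @property
    def last_state(self):
        return self.states[-1] if self.states else ''


def parse_line(line):
    """Fields of a per-SA pluto line ('"conn" #N: ...'), or None for others."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['sa'] = int(rec['sa'])
    return rec


def triage(log_text):
    """Fold the log into one SaSummary per ISAKMP state number."""
    sas = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:      # startup chatter, '| ...' debug lines, hex dumps
            continue
        s = sas.setdefault(rec['sa'], SaSummary(rec['sa'], rec['conn']))
        msg = rec['msg']
        if msg.startswith('initiating Main Mode'):
            s.role = 'initiator'
        elif msg.startswith('responding to Main Mode'):
            s.role = 'responder'
        if t := TRANSITION_RE.search(msg):
            if not s.states:
                s.states.append(t.group(1))
            s.states.append(t.group(2))
        if e := ESTABLISHED_RE.search(msg):
            s.established = True
            s.params = dict(kv.split('=', 1) for kv in e.group(1).split())
        if n := NOTIFY_RX_RE.search(msg):
            s.notifications_received.append(n.group(1))
        s.malformed |= 'malformed payload' in msg
        s.retransmit_exhausted |= 'max number of retransmissions' in msg
    return sas


def diagnose(s):
    """One-line reading of a negotiation (this example's interpretation)."""
    if s.established and s.malformed:
        return ('phase 1 established with auth=%s, but the next encrypted message '
                'did not parse after the IV, which typically means the two ends '
                'are not decrypting with the same keys' % s.params.get('auth', '?'))
    if s.role == 'initiator' and s.last_state == 'STATE_MAIN_I3' and s.retransmit_exhausted:
        seen = ', '.join(sorted(set(s.notifications_received))) or 'nothing'
        return ('MI3 (our identity, cert and signature) never got an MR3; peer sent %s: '
                'the responder-side log says why our credential was rejected' % seen)
    if s.established:
        return 'ISAKMP SA established'
    return 'incomplete, last state %s' % (s.last_state or 'none')
```

Run it over a real file with `triage(open('/var/log/secure').read())` and print `diagnose(s)` for each entry. On the sample it reports #1 (initiator) stuck in STATE_MAIN_I3 with INVALID_KEY_INFORMATION from the peer and retransmissions exhausted, and #2 (responder) establishing an RSA_SIG ISAKMP SA and then rejecting the next message as malformed after the IV. Both negotiations reach the encrypted part of the exchange, so IKE packets are clearly passing the iptables rules quoted above; what the two gateways disagree on is the credential each side presents, and the responder side's log is where that rejection is recorded.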
</div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Nov 18, 2013 at 10:43 AM, Bart Smink <span dir="ltr"><<a href="mailto:bartsmink@gmail.com" target="_blank">bartsmink@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">You could check the logs, and as you're on Centos they're in /var/log/secure . There you find the error that Openswan gives when you try to start the connection.<br>
</div><div class="gmail_extra"><div><div class="h5"><br>
<br><div class="gmail_quote">2013/11/18 Ana <span dir="ltr"><<a href="mailto:kentdavies@gmail.com" target="_blank">kentdavies@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hello.<div><br></div><div>Thanks for your answer.</div><div><br></div><div>All you said is new to me. </div><div><br></div><div>I've started by converting all my certs to the pkcs#12 format like this:</div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><div><font face="courier new, monospace" size="1">openssl pkcs12 -export -clcerts -in cacert.crt -inkey cakey.key -out ca.p12</font></div></div></blockquote>
<div><br></div><div>And then, I've imported them to ipsec.d like this:</div><div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><div><font face="courier new, monospace" size="1">[root@mainmachine ipsec.d]# pk12util -i /etc/pki/tls/ca.p12 -d /etc/ipsec.d/</font></div>
</div><div><div><font face="courier new, monospace" size="1">Enter Password or Pin for "NSS Certificate DB":</font></div></div><div><div><font face="courier new, monospace" size="1">Enter password for PKCS12 file: </font></div>
</div><div><div><font face="courier new, monospace" size="1">pk12util: no nickname for cert in PKCS12 file.</font></div></div><div><div><font face="courier new, monospace" size="1">pk12util: using nickname: <a href="http://www.mysite.com" target="_blank">www.mysite.com</a> - XPTO</font></div>
</div><div><div><font face="courier new, monospace" size="1">pk12util: PKCS12 IMPORT SUCCESSFUL</font></div></div></blockquote><div><br></div><div>And now I'm completely lost :(</div><div><br></div><div>Sorry, but what should I do next? I can't seem to find a proper tutorial explaining this steps.</div>
<div><br></div><div>Thanks,</div><div><br></div><div>Kent Davies</div><div><br></div><div><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Nov 18, 2013 at 4:47 AM, Leto <span dir="ltr"><<a href="mailto:letoams@gmail.com" target="_blank">letoams@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>if using the centos builds, those use nss, so you cannot put private key and certs in /etc/ipsec.d/</div>
<div><br></div><div>you need to use ipsec initnss and then ipsec import on the certs in pkcs#12 format. see README.NSS</div><div><br>sent from a tiny device </div><div><div><div><br>On 2013-11-17, at 6:00, Ana <<a href="mailto:kentdavies@gmail.com" target="_blank">kentdavies@gmail.com</a>> wrote:<br>
<br></div></div></div><blockquote type="cite"><div><div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div><div><p class="MsoNormal"><span lang="EN-US">Hi
everybody. Hello again.</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">Following my last cry for help, here am I again with some IPsec problems.</span></p><p class="MsoNormal">
<span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">After managing to get IPsec running using secrets, I'm now trying (without success) to accomplish the same but now using X.509 certificates.</span></p>
<p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal">Just for remembering, I’m running
two virtual machines with CentOS that simulates the network depicted in the
bellow picture.</p></div></div><p class="MsoNormal"><span lang="EN-US"><image.png><br></span></p><div><div><div><div><p class="MsoNormal"><span lang="EN-US"><span style="margin-left:101px;margin-top:878px;width:595px;min-height:329px"></span></span></p>
<p class="MsoNormal"><span lang="EN-US"><span style="margin-left:101px;margin-top:878px;width:595px;min-height:329px"></span></span></p><p class="MsoNormal"><br></p>
<p class="MsoNormal"><span lang="EN-US">I want to
create an IPsec tunnel between machine A and machine B. The keys should be negotiated
using IKE and the tunnel should enable total connectivity between the two
machines. My goal is to achieve this using X.509 certificates.</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">My machine A will act as a gateway and as a Certificate Authority.</span></p>
<p class="MsoNormal"><br></p><p class="MsoNormal">The first step, was to create my CA and two certificates. One for machine A and one for machine B. So, on machine A I've run this commands:</p><p class="MsoNormal"> 1) Create the CA:</p>
</div></div></div></div></div></div><div><div><div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">openssl genrsa -des3 -out cakey.key 1024</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">openssl req -new -key cakey.key -out cacsr.csr</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal">
<font face="courier new, monospace" size="1">openssl x509 -req -days 365 -in cacsr.csr -out cacert.crt -signkey cakey.key </font></p></div></div></blockquote><div class="gmail_quote"><div dir="ltr"><p class="MsoNormal"><br>
</p><p class="MsoNormal">2) For each machine, create a certificate signed using the CA created above:</p><p class="MsoNormal"><br></p></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_quote">
<div><p class="MsoNormal"><font face="courier new, monospace" size="1">openssl genrsa -des3 -out gwonekey.key 1024</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">openssl req -new -key </font><span style="font-family:'courier new',monospace;font-size:x-small">gwonekey</span><font face="courier new, monospace" size="1">.key -out gwonecsr.csr</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">openssl ca -in </font><span style="font-family:'courier new',monospace;font-size:x-small">gwonecsr</span><font face="courier new, monospace" size="1">.csr -cert cacert.crt -keyfile cakey.key -out </font><span style="font-family:'courier new',monospace;font-size:x-small">gwonecert</span><font face="courier new, monospace" size="1">.crt</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1"><br></font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">openssl genrsa -des3 -out gwtwokey.key 1024</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">openssl req -new -key </font><span style="font-family:'courier new',monospace;font-size:x-small">gwtwokey</span><font face="courier new, monospace" size="1">.key -out </font><span style="font-family:'courier new',monospace;font-size:x-small">gwtwocsr</span><font face="courier new, monospace" size="1">.csr</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">openssl ca -in </font><span style="font-family:'courier new',monospace;font-size:x-small">gwtwocsr</span><font face="courier new, monospace" size="1">.csr -cert cacert.crt -keyfile cakey.key -out gwtwocert.crt</font></p>
</div></div></blockquote><div class="gmail_quote"><div dir="ltr"><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">3) I've also created a Certification Revocation list:</span></p>
</div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_quote"><div><p class="MsoNormal"><span lang="EN-US"><font face="courier new, monospace" size="1">echo 01 > /etc/pki/CA/crlnumber</font></span></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><span lang="EN-US"><font face="courier new, monospace" size="1">openssl ca -gencrl -keyfile cakey.key -cert cacert.crt -out crl.pem</font></span></p></div></div>
</blockquote><div class="gmail_quote"><div dir="ltr"><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">On machine A I've done this:</span></p></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">mkdir /etc/ipsec.d/private</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">mkdir /etc/ipsec.d/certs</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">mkdir /etc/ipsec.d/cacerts</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">mkdir /etc/ipsec.d/crls</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">cp gwonekey.key /etc/ipsec.d/private</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">cp gwonecert.crt /etc/ipsec.d/certs</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">cp cacert.crt /etc/ipsec.d/cacerts</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">cp crl.pem /etc/ipsec.d/crls</font></p>
</div></div></blockquote><div class="gmail_quote"><div dir="ltr"><p class="MsoNormal"><font face="courier new, monospace" size="1"><span lang="EN-US"></span></font></p><p class="MsoNormal"><br></p><p class="MsoNormal">And on Machine B after copying the files:</p>
</div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">mkdir /etc/ipsec.d/private</font></p></div></div>
<div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">mkdir /etc/ipsec.d/certs</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">mkdir /etc/ipsec.d/cacerts</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">mkdir /etc/ipsec.d/crls</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">cp gwtwokey.key /etc/ipsec.d/private</font></p>
<p class="MsoNormal"><span style="font-family:'courier new',monospace;font-size:x-small">cp gwonecert.crt /etc/ipsec.d/certs</span><font face="courier new, monospace" size="1"><br></font></p></div></div><div class="gmail_quote">
<div><p class="MsoNormal"><font face="courier new, monospace" size="1">cp gwtwocert.crt /etc/ipsec.d/certs</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">cp cacert.crt /etc/ipsec.d/cacerts</font></p>
</div></div></blockquote><div class="gmail_quote"><div dir="ltr"><p class="MsoNormal"><span lang="EN-US"></span></p><p class="MsoNormal"><br></p><p class="MsoNormal"><span lang="EN-US">I've then edited the <b>ipsec.secrets</b> file on both machines:</span></p>
<p class="MsoNormal"><span lang="EN-US">Machine A:</span></p></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">%any %any : PSK "test"</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">: RSA gwonecert.crt "test"</font></p></div></div></blockquote><div class="gmail_quote"><div dir="ltr">
<p class="MsoNormal">
<font face="courier new, monospace" size="1"><span lang="EN-US"></span></font></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">Machine B:</span></p></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">%any %any : PSK "test"</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">: RSA gwonecert.crt "test"</font></p>
<p class="MsoNormal"><span style="font-family:'courier new',monospace;font-size:x-small">: RSA gwtwocert.crt "test"</span><font face="courier new, monospace" size="1"><br></font></p></div></div></blockquote>
<div class="gmail_quote"><div dir="ltr"><p class="MsoNormal"><font size="1"><span lang="EN-US"></span></font></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">The last step was to edit the <b>ipsec.conf</b> on those machines:</span></p>
<p class="MsoNormal"><span lang="EN-US">Machine A:</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">config setup</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> protostack=netkey</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> dumpdir=/var/run/pluto/</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> nat_traversal=yes</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> </span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">#conn gw-to-gw</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"># authby=secret</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"># left=192.168.1.1</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"># leftsubnet=10.1.1.0/24</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"># right=192.168.1.2</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"># rightsubnet=10.1.2.0/24</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"># auto=start</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"># type=tunnel</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> </span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">conn cert</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> authby=rsasig</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> leftrsasigkey=%cert</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> leftcert=gwonecert.crt</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> left=192.168.1.1</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> leftsubnet=10.1.1.0/24</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> right=192.168.1.2</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> rightsubnet=10.1.2.0/24</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> auto=start</span></p><p class="MsoNormal"><span lang="EN-US">
</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> type=tunnel</span></p><p class="MsoNormal"><span lang="EN-US"><br>
</span></p><p class="MsoNormal">Machine B:<br></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">config setup</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> protostack=netkey</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> dumpdir=/var/run/pluto/</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> nat_traversal=yes</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> virtual_private=%v4:<a href="http://0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24" target="_blank">0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24</a></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> </span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">#conn gw-to-gw</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"># authby=secret</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"># left=192.168.1.1</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"># leftsubnet=10.1.1.0/24</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"># right=192.168.1.2</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"># rightsubnet=10.1.2.0/24</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"># auto=start</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"># type=tunnel</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> </span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">conn cert</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> authby=rsasig</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> leftrsasigkey=%cert</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> rightrsasigkey=%cert</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> leftcert=gwtwocert.crt</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> rightcert=gwonecert.crt</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> left=192.168.1.2</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> leftsubnet=10.1.2.0/24</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> right=192.168.1.1</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> rightsubnet=10.1.1.0/24</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> auto=start</span></p><p class="MsoNormal"><span lang="EN-US">
</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> type=tunnel</span></p><p class="MsoNormal"><span lang="EN-US"><br>
</span></p><p class="MsoNormal"><span lang="EN-US">I've restarted ipsec on both machines using <b>service ipsec restart</b>, but now, after running <b>ipsec auto --up cert</b>, nothing happens. In the terminal I have to hit Ctrl-C.</span></p>
<p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">Once again, can someone tell me what I am doing wrong?</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal">
<span lang="EN-US">Many thanks,</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">Kent Davies</span></p></div>
</div><br></div></div></div></div></div>
</div></blockquote><div><div><blockquote type="cite"><div><span>_______________________________________________</span><br><span><a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a></span><br>
<span><a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a></span><br><span>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a></span><br>
<span>Building and Integrating Virtual Private Networks with Openswan:</span><br><span><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></span><br>
</div></blockquote></div></div></div></blockquote></div><br></div></div>
<br></blockquote></div><br><br clear="all"><br></div></div><div class="im">-- <br><span style="font-family:Calibri,sans-serif;font-size:14px;border-collapse:collapse">**** DISCLAIMER ****<br><br>"This e-mail and any attachment thereto may contain information which is confidential and/or protected by intellectual property rights and are intended for the sole use of the recipient(s) named above. <br>
Any use of the information contained herein (including, but not limited to, total or partial reproduction, communication or distribution in any form) by other persons than the designated recipient(s) is prohibited. <br>If you have received this e-mail in error, please notify the sender either by telephone or by e-mail and delete the material from any computer".<br>
<br>Thank you for your cooperation.</span>
</div></div>
</blockquote></div><br></div>
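<p>The two-gateway certificate setup walked through in the quoted message (certs and keys under /etc/ipsec.d, an <b>: RSA</b> entry in ipsec.secrets, and a <b>conn</b> with authby=rsasig on each side) is the kind of configuration that fails silently when the two machines' files disagree. What follows is an added example, not code from this thread or from Openswan: a Python checker that parses both gateways' ipsec.conf and ipsec.secrets and reports the mismatches a practitioner would look for before reaching for the Pluto debug log. The sample file contents are constructed for the example, the conn name "cert" and the expectation that a certificate-authenticated conn sets both leftrsasigkey and rightrsasigkey to %cert are assumptions of the example, and the rule that an RSA secret naming a .crt file is suspect is the example's own heuristic.</p>

```python
"""Consistency checks for a pair of Openswan gateway configurations.

Added example (not from the thread or from Openswan). It parses ipsec.conf
and ipsec.secrets for two gateways and reports what would stop a
certificate-authenticated conn from coming up. All file contents below are
constructed samples, not real configurations.
"""
import re


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {section: {key: value}}.

    Section headers ('config setup', 'conn NAME') start in column 0,
    settings are indented key=value lines, and '#' starts a comment.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header
            kind, _, name = line.strip().partition(" ")
            current = name.strip() if kind == "conn" else kind
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def parse_secrets(text):
    """Return the file names given in ': RSA <file> "passphrase"' lines."""
    files = []
    for raw in text.splitlines():
        m = re.match(r".*:\s*RSA\s+(\S+)", raw.split("#", 1)[0].strip())
        if m and m.group(1) != "{":  # '{' introduces an inline raw key block
            files.append(m.group(1))
    return files


def check_gateway(host, conf, rsa_files, conn):
    """Checks that apply to one gateway on its own."""
    c = conf.get(conn)
    if c is None:
        return [f"{host}: conn {conn} is not defined"]
    findings = []
    if c.get("authby") == "rsasig":
        # Assumption of this example: with certificate authentication both
        # sides of the conn take their RSA key from a certificate.
        for side in ("left", "right"):
            if c.get(f"{side}rsasigkey") != "%cert":
                findings.append(f"{host}: conn {conn} lacks {side}rsasigkey=%cert")
        if "leftcert" not in c:
            findings.append(f"{host}: conn {conn} lacks leftcert")
    if not rsa_files:
        findings.append(f"{host}: ipsec.secrets has no ': RSA <keyfile>' entry")
    for f in rsa_files:
        # Heuristic: the RSA entry must name the private key belonging to
        # leftcert; a .crt/.cer file is a certificate and holds no private key.
        if f.lower().endswith((".crt", ".cer")):
            findings.append(f"{host}: ipsec.secrets RSA entry {f} names a certificate, not a private key")
    return findings


def check_pair(conf_a, sec_a, conf_b, sec_b, conn):
    """Per-host checks plus the left/right mirror between the two gateways."""
    findings = check_gateway("A", conf_a, sec_a, conn) + check_gateway("B", conf_b, sec_b, conn)
    a, b = conf_a.get(conn, {}), conf_b.get(conn, {})
    # Each gateway describes the same tunnel from its own side, so what A
    # calls left must be what B calls right, and vice versa.
    for lk, rk in (("left", "right"), ("leftsubnet", "rightsubnet"), ("leftcert", "rightcert")):
        for ka, kb in ((lk, rk), (rk, lk)):
            if ka in a and kb in b and a[ka] != b[kb]:
                findings.append(f"A.{ka}={a[ka]} but B.{kb}={b[kb]}")
    return findings


# Constructed sample files. Gateway A is given two deliberate gaps
# (no rightrsasigkey, RSA secret pointing at a certificate) so the checker
# has something to report; gateway B is complete.
CONF_A = """\
config setup
 protostack=netkey
#conn gw-to-gw
# authby=secret
conn cert
 authby=rsasig
 leftrsasigkey=%cert
 leftcert=gwonecert.crt
 left=192.168.1.1
 leftsubnet=10.1.1.0/24
 right=192.168.1.2
 rightsubnet=10.1.2.0/24
"""
SECRETS_A = '%any %any : PSK "test"\n: RSA gwonecert.crt "test"\n'
CONF_B = """\
conn cert
 authby=rsasig
 leftrsasigkey=%cert
 rightrsasigkey=%cert
 leftcert=gwtwocert.crt
 rightcert=gwonecert.crt
 left=192.168.1.2
 leftsubnet=10.1.2.0/24
 right=192.168.1.1
 rightsubnet=10.1.1.0/24
"""
SECRETS_B = ': RSA gwtwokey.key "test"\n'


def run_example():
    """Run the checker over the constructed sample pair."""
    return check_pair(parse_ipsec_conf(CONF_A), parse_secrets(SECRETS_A),
                      parse_ipsec_conf(CONF_B), parse_secrets(SECRETS_B), "cert")


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

<p>On real hosts, read the two files from each gateway and pass them to check_pair; anything it reports is worth fixing before restarting ipsec, because Pluto will otherwise sit in the IKE exchange without a usable key or peer identity, which is how a hanging <b>ipsec auto --up</b> usually presents.</p>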