[Openswan Users] WinXP Behind Nat to Openswan Server Behind NAT

Meron Lavie lavie at netvision.net.il
Thu Aug 3 02:42:08 EDT 2006


I am trying to set up a typical Road Warrior connection, where both the
OpenSwan server and the XP clients are both NAT-ed. Authentication is via
PSK. OpenSwan sits on my gateway/firewall, which is connected to the
Internet by an ADSL PPPoE modem. The open Internet address is
111.111.111.111. This is PPP'd to the ADSL modem, which presents itself as
10.0.0.138 to the external interface on the gateway. The external interface
on the gateway/firewall is 10.0.0.1. Its internal interface to the LAN is
192.168.254/

OpenSwan 2.4.5 is installed on an FC5 with the latest kernel on that
gateway/firewall, which NATs to 192.168.1.0/24. I made a test of connecting
a WinXP/SP2 client from within the LAN and it worked fine. However, external
access from behind a NAT'ed Road Warrior fails. I should emphasize that the
XP/SP2 Road Warrior clients have the registry fix to allow NAT-ed use.

My "ipsec verify" returns everything OK.

Yet it doesn't work.

Any help would be greatly appreciated.

Lavie


Following is my ipsec.secrets:
==========================
10.0.0.1 %any: PSK "password"
192.168.1.254 %any: PSK "password"
111.111.111.111 %any: PSK "password"
10.0.0.138 %any: PSK "password"
==========================

Following is my ipsec.conf:
==========================
# /etc/ipsec.conf - Openswan IPsec configuration file
# Manual:     ipsec.conf.5
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        plutodebug="control parsing"
        nat_traversal=yes
 
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192
.168.1.1/24
        
conn L2TP-PSK-INTERNAL
        authby=secret 
        pfs=no
        rekey=no
        keyingtries=3
        left=192.168.1.254
        leftprotoport=17/%any
        right=%any
        rightprotoport=17/%any
        auto=add
        
conn L2TP-PSK-EXTERNAL
        authby=secret 
        pfs=no
        rekey=no
        keyingtries=3
        left=10.0.0.1
        leftnexthop=10.0.0.138
        leftid=10.0.0.1
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
        #rightid=@LAVIED610.chdomain.careerharmony.com
        auto=add
        
#include /etc/ipsec.d/*.conf
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
==========================

Following is /var/log/secure
==========================
Aug  3 07:35:33 lavie010 pluto[30617]: |  
Aug  3 07:35:33 lavie010 pluto[30617]: | *time to handle event
Aug  3 07:35:33 lavie010 pluto[30617]: | handling event EVENT_PENDING_PHASE2
Aug  3 07:35:33 lavie010 pluto[30617]: | event after this is
EVENT_REINIT_SECRET in 3360 seconds
Aug  3 07:35:33 lavie010 pluto[30617]: | inserting event
EVENT_PENDING_PHASE2, timeout in 120 seconds
Aug  3 07:35:33 lavie010 pluto[30617]: | pending review: connection
"L2TP-PSK-INTERNAL" was not up, skipped
Aug  3 07:35:33 lavie010 pluto[30617]: | pending review: connection
"L2TP-PSK-EXTERNAL" was not up, skipped
Aug  3 07:35:33 lavie010 pluto[30617]: | next event EVENT_PENDING_PHASE2 in
120 seconds
Aug  3 07:35:36 lavie010 pluto[30617]: |  
Aug  3 07:35:36 lavie010 pluto[30617]: | *received 312 bytes from
72.72.115.187:500 on eth0 (port=500)
Aug  3 07:35:36 lavie010 pluto[30617]: | **parse ISAKMP Message:
Aug  3 07:35:36 lavie010 pluto[30617]: |    initiator cookie:
Aug  3 07:35:36 lavie010 pluto[30617]: |   0c 2b 55 a7  6e e5 b6 c4
Aug  3 07:35:36 lavie010 pluto[30617]: |    responder cookie:
Aug  3 07:35:36 lavie010 pluto[30617]: |   00 00 00 00  00 00 00 00
Aug  3 07:35:36 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_SA
Aug  3 07:35:36 lavie010 pluto[30617]: |    ISAKMP version: ISAKMP Version
1.0
Aug  3 07:35:36 lavie010 pluto[30617]: |    exchange type:
ISAKMP_XCHG_IDPROT
Aug  3 07:35:36 lavie010 pluto[30617]: |    flags: none
Aug  3 07:35:36 lavie010 pluto[30617]: |    message ID:  00 00 00 00
Aug  3 07:35:36 lavie010 pluto[30617]: |    length: 312
Aug  3 07:35:36 lavie010 pluto[30617]: |  processing packet with exchange
type=ISAKMP_XCHG_IDPROT (2)
Aug  3 07:35:36 lavie010 pluto[30617]: | ***parse ISAKMP Security
Association Payload:
Aug  3 07:35:36 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_VID
Aug  3 07:35:36 lavie010 pluto[30617]: |    length: 200
Aug  3 07:35:36 lavie010 pluto[30617]: |    DOI: ISAKMP_DOI_IPSEC
Aug  3 07:35:36 lavie010 pluto[30617]: | ***parse ISAKMP Vendor ID Payload:
Aug  3 07:35:36 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_VID
Aug  3 07:35:36 lavie010 pluto[30617]: |    length: 24
Aug  3 07:35:36 lavie010 pluto[30617]: | ***parse ISAKMP Vendor ID Payload:
Aug  3 07:35:36 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_VID
Aug  3 07:35:36 lavie010 pluto[30617]: |    length: 20
Aug  3 07:35:36 lavie010 pluto[30617]: | ***parse ISAKMP Vendor ID Payload:
Aug  3 07:35:36 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_VID
Aug  3 07:35:36 lavie010 pluto[30617]: |    length: 20
Aug  3 07:35:36 lavie010 pluto[30617]: | ***parse ISAKMP Vendor ID Payload:
Aug  3 07:35:36 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_NONE
Aug  3 07:35:36 lavie010 pluto[30617]: |    length: 20
Aug  3 07:35:36 lavie010 pluto[30617]: packet from 72.72.115.187:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug  3 07:35:36 lavie010 pluto[30617]: packet from 72.72.115.187:500:
ignoring Vendor ID payload [FRAGMENTATION]
Aug  3 07:35:36 lavie010 pluto[30617]: packet from 72.72.115.187:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106 
Aug  3 07:35:36 lavie010 pluto[30617]: packet from 72.72.115.187:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Aug  3 07:35:36 lavie010 pluto[30617]: | instantiated "L2TP-PSK-EXTERNAL"
for 72.72.115.187
Aug  3 07:35:36 lavie010 pluto[30617]: | creating state object #1 at
0x89ff3f8
Aug  3 07:35:36 lavie010 pluto[30617]: | processing connection
L2TP-PSK-EXTERNAL[1] 72.72.115.187
Aug  3 07:35:36 lavie010 pluto[30617]: | ICOOKIE:  0c 2b 55 a7  6e e5 b6 c4
Aug  3 07:35:36 lavie010 pluto[30617]: | RCOOKIE:  e5 94 45 5f  b5 ac 1d f3
Aug  3 07:35:36 lavie010 pluto[30617]: | peer:  48 48 73 bb
Aug  3 07:35:36 lavie010 pluto[30617]: | state hash entry 14
Aug  3 07:35:36 lavie010 pluto[30617]: | inserting event EVENT_SO_DISCARD,
timeout in 0 seconds for #1
Aug  3 07:35:36 lavie010 pluto[30617]: "L2TP-PSK-EXTERNAL"[1] 72.72.115.187
#1: responding to Main Mode from unknown peer 72.72.115.187
Aug  3 07:35:36 lavie010 pluto[30617]: | ****parse IPsec DOI SIT:
Aug  3 07:35:36 lavie010 pluto[30617]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
Aug  3 07:35:36 lavie010 pluto[30617]: | ****parse ISAKMP Proposal Payload:
Aug  3 07:35:36 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_NONE
Aug  3 07:35:36 lavie010 pluto[30617]: |    length: 188
Aug  3 07:35:36 lavie010 pluto[30617]: |    proposal number: 1
Aug  3 07:35:36 lavie010 pluto[30617]: |    protocol ID: PROTO_ISAKMP
Aug  3 07:35:36 lavie010 pluto[30617]: |    SPI size: 0
Aug  3 07:35:36 lavie010 pluto[30617]: |    number of transforms: 5
Aug  3 07:35:36 lavie010 pluto[30617]: | *****parse ISAKMP Transform Payload
(ISAKMP):
Aug  3 07:35:36 lavie010 pluto[30617]: |    next payload type: ISAKMP_NEXT_T
Aug  3 07:35:36 lavie010 pluto[30617]: |    length: 36
Aug  3 07:35:36 lavie010 pluto[30617]: |    transform number: 1
Aug  3 07:35:36 lavie010 pluto[30617]: |    transform ID: KEY_IKE
Aug  3 07:35:36 lavie010 pluto[30617]: | ******parse ISAKMP Oakley
attribute:
Aug  3 07:35:36 lavie010 pluto[30617]: |    af+type:
OAKLEY_ENCRYPTION_ALGORITHM
Aug  3 07:35:36 lavie010 pluto[30617]: |    length/value: 5
Aug  3 07:35:36 lavie010 pluto[30617]: |    [5 is OAKLEY_3DES_CBC]
Aug  3 07:35:36 lavie010 pluto[30617]: | ******parse ISAKMP Oakley
attribute:
Aug  3 07:35:36 lavie010 pluto[30617]: |    af+type: OAKLEY_HASH_ALGORITHM
Aug  3 07:35:36 lavie010 pluto[30617]: |    length/value: 2
Aug  3 07:35:36 lavie010 pluto[30617]: |    [2 is OAKLEY_SHA1]
Aug  3 07:35:36 lavie010 pluto[30617]: | ******parse ISAKMP Oakley
attribute:
Aug  3 07:35:36 lavie010 pluto[30617]: |    af+type:
OAKLEY_GROUP_DESCRIPTION
Aug  3 07:35:36 lavie010 pluto[30617]: |    length/value: 14
Aug  3 07:35:36 lavie010 pluto[30617]: |    [14 is OAKLEY_GROUP_MODP2048]
Aug  3 07:35:37 lavie010 pluto[30617]: | ******parse ISAKMP Oakley
attribute:
Aug  3 07:35:37 lavie010 pluto[30617]: |    af+type:
OAKLEY_AUTHENTICATION_METHOD
Aug  3 07:35:37 lavie010 pluto[30617]: |    length/value: 1
Aug  3 07:35:37 lavie010 pluto[30617]: |    [1 is OAKLEY_PRESHARED_KEY]
Aug  3 07:35:37 lavie010 pluto[30617]: | started looking for secret for
10.0.0.1->72.72.115.187 of kind PPK_PSK
Aug  3 07:35:37 lavie010 pluto[30617]: | instantiating him to 0.0.0.0
Aug  3 07:35:37 lavie010 pluto[30617]: | actually looking for secret for
10.0.0.1->0.0.0.0 of kind PPK_PSK
Aug  3 07:35:37 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:37 lavie010 pluto[30617]: | 2: compared PSK 10.0.0.138 to
10.0.0.1 / 72.72.115.187 -> 2
Aug  3 07:35:37 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:37 lavie010 pluto[30617]: | 2: compared PSK 192.117.103.195 to
10.0.0.1 / 72.72.115.187 -> 2
Aug  3 07:35:37 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:37 lavie010 pluto[30617]: | 2: compared PSK 192.168.1.254 to
10.0.0.1 / 72.72.115.187 -> 2
Aug  3 07:35:37 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:37 lavie010 pluto[30617]: | 2: compared PSK 10.0.0.1 to
10.0.0.1 / 72.72.115.187 -> 6
Aug  3 07:35:37 lavie010 pluto[30617]: | best_match 0>6 best=0x89fdf38
(line=16)
Aug  3 07:35:37 lavie010 pluto[30617]: | concluding with best_match=6
best=0x89fdf38 (lineno=16)
Aug  3 07:35:37 lavie010 pluto[30617]: | ******parse ISAKMP Oakley
attribute:
Aug  3 07:35:37 lavie010 pluto[30617]: |    af+type: OAKLEY_LIFE_TYPE
Aug  3 07:35:37 lavie010 pluto[30617]: |    length/value: 1
Aug  3 07:35:37 lavie010 pluto[30617]: |    [1 is OAKLEY_LIFE_SECONDS]
Aug  3 07:35:37 lavie010 pluto[30617]: | ******parse ISAKMP Oakley
attribute:
Aug  3 07:35:37 lavie010 pluto[30617]: |    af+type: OAKLEY_LIFE_DURATION
(variable length)
Aug  3 07:35:37 lavie010 pluto[30617]: |    length/value: 4
Aug  3 07:35:37 lavie010 pluto[30617]: |    long duration: 28800
Aug  3 07:35:37 lavie010 pluto[30617]: | Oakley Transform 1 accepted
Aug  3 07:35:37 lavie010 pluto[30617]: | complete state transition with
STF_OK
Aug  3 07:35:37 lavie010 pluto[30617]: "L2TP-PSK-EXTERNAL"[1] 72.72.115.187
#1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  3 07:35:37 lavie010 pluto[30617]: | sending reply packet to
72.72.115.187:500 (from port=500)
Aug  3 07:35:37 lavie010 pluto[30617]: | sending 140 bytes for STATE_MAIN_R0
through eth0:500 to 72.72.115.187:500:
Aug  3 07:35:37 lavie010 pluto[30617]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #1
Aug  3 07:35:37 lavie010 pluto[30617]: "L2TP-PSK-EXTERNAL"[1] 72.72.115.187
#1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug  3 07:35:37 lavie010 pluto[30617]: | modecfg pull: noquirk policy:push
not-client
Aug  3 07:35:37 lavie010 pluto[30617]: | phase 1 is done, looking for phase
1 to unpend
Aug  3 07:35:37 lavie010 pluto[30617]: | next event EVENT_RETRANSMIT in 10
seconds for #1
Aug  3 07:35:37 lavie010 pluto[30617]: |  
Aug  3 07:35:37 lavie010 pluto[30617]: | *received 312 bytes from
72.72.115.187:500 on eth0 (port=500)
Aug  3 07:35:37 lavie010 pluto[30617]: | **parse ISAKMP Message:
Aug  3 07:35:37 lavie010 pluto[30617]: |    initiator cookie:
Aug  3 07:35:37 lavie010 pluto[30617]: |   0c 2b 55 a7  6e e5 b6 c4
Aug  3 07:35:37 lavie010 pluto[30617]: |    responder cookie:
Aug  3 07:35:37 lavie010 pluto[30617]: |   00 00 00 00  00 00 00 00
Aug  3 07:35:37 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_SA
Aug  3 07:35:37 lavie010 pluto[30617]: |    ISAKMP version: ISAKMP Version
1.0
Aug  3 07:35:37 lavie010 pluto[30617]: |    exchange type:
ISAKMP_XCHG_IDPROT
Aug  3 07:35:37 lavie010 pluto[30617]: |    flags: none
Aug  3 07:35:37 lavie010 pluto[30617]: |    message ID:  00 00 00 00
Aug  3 07:35:37 lavie010 pluto[30617]: |    length: 312
Aug  3 07:35:37 lavie010 pluto[30617]: |  processing packet with exchange
type=ISAKMP_XCHG_IDPROT (2)
Aug  3 07:35:37 lavie010 pluto[30617]: | ***parse ISAKMP Security
Association Payload:
Aug  3 07:35:37 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_VID
Aug  3 07:35:37 lavie010 pluto[30617]: |    length: 200
Aug  3 07:35:37 lavie010 pluto[30617]: |    DOI: ISAKMP_DOI_IPSEC
Aug  3 07:35:37 lavie010 pluto[30617]: | ***parse ISAKMP Vendor ID Payload:
Aug  3 07:35:37 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_VID
Aug  3 07:35:37 lavie010 pluto[30617]: |    length: 24
Aug  3 07:35:37 lavie010 pluto[30617]: | ***parse ISAKMP Vendor ID Payload:
Aug  3 07:35:37 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_VID
Aug  3 07:35:37 lavie010 pluto[30617]: |    length: 20
Aug  3 07:35:37 lavie010 pluto[30617]: | ***parse ISAKMP Vendor ID Payload:
Aug  3 07:35:37 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_VID
Aug  3 07:35:37 lavie010 pluto[30617]: |    length: 20
Aug  3 07:35:37 lavie010 pluto[30617]: | ***parse ISAKMP Vendor ID Payload:
Aug  3 07:35:37 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_NONE
Aug  3 07:35:37 lavie010 pluto[30617]: |    length: 20
Aug  3 07:35:37 lavie010 pluto[30617]: packet from 72.72.115.187:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug  3 07:35:37 lavie010 pluto[30617]: packet from 72.72.115.187:500:
ignoring Vendor ID payload [FRAGMENTATION]
Aug  3 07:35:37 lavie010 pluto[30617]: packet from 72.72.115.187:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106 
Aug  3 07:35:37 lavie010 pluto[30617]: packet from 72.72.115.187:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Aug  3 07:35:37 lavie010 pluto[30617]: | creating state object #2 at
0x89ffa50
Aug  3 07:35:37 lavie010 pluto[30617]: | processing connection
L2TP-PSK-EXTERNAL[1] 72.72.115.187
Aug  3 07:35:37 lavie010 pluto[30617]: | ICOOKIE:  0c 2b 55 a7  6e e5 b6 c4
Aug  3 07:35:37 lavie010 pluto[30617]: | RCOOKIE:  a0 73 4e 9e  05 b3 6d 3e
Aug  3 07:35:37 lavie010 pluto[30617]: | peer:  48 48 73 bb
Aug  3 07:35:37 lavie010 pluto[30617]: | state hash entry 10
Aug  3 07:35:37 lavie010 pluto[30617]: | inserting event EVENT_SO_DISCARD,
timeout in 0 seconds for #2
Aug  3 07:35:37 lavie010 pluto[30617]: "L2TP-PSK-EXTERNAL"[1] 72.72.115.187
#2: responding to Main Mode from unknown peer 72.72.115.187
Aug  3 07:35:37 lavie010 pluto[30617]: | ****parse IPsec DOI SIT:
Aug  3 07:35:37 lavie010 pluto[30617]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
Aug  3 07:35:37 lavie010 pluto[30617]: | ****parse ISAKMP Proposal Payload:
Aug  3 07:35:37 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_NONE
Aug  3 07:35:37 lavie010 pluto[30617]: |    length: 188
Aug  3 07:35:38 lavie010 pluto[30617]: |    proposal number: 1
Aug  3 07:35:38 lavie010 pluto[30617]: |    protocol ID: PROTO_ISAKMP
Aug  3 07:35:38 lavie010 pluto[30617]: |    SPI size: 0
Aug  3 07:35:38 lavie010 pluto[30617]: |    number of transforms: 5
Aug  3 07:35:38 lavie010 pluto[30617]: | *****parse ISAKMP Transform Payload
(ISAKMP):
Aug  3 07:35:38 lavie010 pluto[30617]: |    next payload type: ISAKMP_NEXT_T
Aug  3 07:35:38 lavie010 pluto[30617]: |    length: 36
Aug  3 07:35:38 lavie010 pluto[30617]: |    transform number: 1
Aug  3 07:35:38 lavie010 pluto[30617]: |    transform ID: KEY_IKE
Aug  3 07:35:38 lavie010 pluto[30617]: | ******parse ISAKMP Oakley
attribute:
Aug  3 07:35:38 lavie010 pluto[30617]: |    af+type:
OAKLEY_ENCRYPTION_ALGORITHM
Aug  3 07:35:38 lavie010 pluto[30617]: |    length/value: 5
Aug  3 07:35:38 lavie010 pluto[30617]: |    [5 is OAKLEY_3DES_CBC]
Aug  3 07:35:38 lavie010 pluto[30617]: | ******parse ISAKMP Oakley
attribute:
Aug  3 07:35:38 lavie010 pluto[30617]: |    af+type: OAKLEY_HASH_ALGORITHM
Aug  3 07:35:38 lavie010 pluto[30617]: |    length/value: 2
Aug  3 07:35:38 lavie010 pluto[30617]: |    [2 is OAKLEY_SHA1]
Aug  3 07:35:38 lavie010 pluto[30617]: | ******parse ISAKMP Oakley
attribute:
Aug  3 07:35:38 lavie010 pluto[30617]: |    af+type:
OAKLEY_GROUP_DESCRIPTION
Aug  3 07:35:38 lavie010 pluto[30617]: |    length/value: 14
Aug  3 07:35:38 lavie010 pluto[30617]: |    [14 is OAKLEY_GROUP_MODP2048]
Aug  3 07:35:38 lavie010 pluto[30617]: | ******parse ISAKMP Oakley
attribute:
Aug  3 07:35:38 lavie010 pluto[30617]: |    af+type:
OAKLEY_AUTHENTICATION_METHOD
Aug  3 07:35:38 lavie010 pluto[30617]: |    length/value: 1
Aug  3 07:35:38 lavie010 pluto[30617]: |    [1 is OAKLEY_PRESHARED_KEY]
Aug  3 07:35:38 lavie010 pluto[30617]: | started looking for secret for
10.0.0.1->72.72.115.187 of kind PPK_PSK
Aug  3 07:35:38 lavie010 pluto[30617]: | instantiating him to 0.0.0.0
Aug  3 07:35:38 lavie010 pluto[30617]: | actually looking for secret for
10.0.0.1->0.0.0.0 of kind PPK_PSK
Aug  3 07:35:38 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:38 lavie010 pluto[30617]: | 2: compared PSK 10.0.0.138 to
10.0.0.1 / 72.72.115.187 -> 2
Aug  3 07:35:38 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:38 lavie010 pluto[30617]: | 2: compared PSK 192.117.103.195 to
10.0.0.1 / 72.72.115.187 -> 2
Aug  3 07:35:38 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:38 lavie010 pluto[30617]: | 2: compared PSK 192.168.1.254 to
10.0.0.1 / 72.72.115.187 -> 2
Aug  3 07:35:38 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:38 lavie010 pluto[30617]: | 2: compared PSK 10.0.0.1 to
10.0.0.1 / 72.72.115.187 -> 6
Aug  3 07:35:38 lavie010 pluto[30617]: | best_match 0>6 best=0x89fdf38
(line=16)
Aug  3 07:35:38 lavie010 pluto[30617]: | concluding with best_match=6
best=0x89fdf38 (lineno=16)
Aug  3 07:35:38 lavie010 pluto[30617]: | ******parse ISAKMP Oakley
attribute:
Aug  3 07:35:38 lavie010 pluto[30617]: |    af+type: OAKLEY_LIFE_TYPE
Aug  3 07:35:38 lavie010 pluto[30617]: |    length/value: 1
Aug  3 07:35:38 lavie010 pluto[30617]: |    [1 is OAKLEY_LIFE_SECONDS]
Aug  3 07:35:38 lavie010 pluto[30617]: | ******parse ISAKMP Oakley
attribute:
Aug  3 07:35:38 lavie010 pluto[30617]: |    af+type: OAKLEY_LIFE_DURATION
(variable length)
Aug  3 07:35:38 lavie010 pluto[30617]: |    length/value: 4
Aug  3 07:35:38 lavie010 pluto[30617]: |    long duration: 28800
Aug  3 07:35:38 lavie010 pluto[30617]: | Oakley Transform 1 accepted
Aug  3 07:35:38 lavie010 pluto[30617]: | complete state transition with
STF_OK
Aug  3 07:35:38 lavie010 pluto[30617]: "L2TP-PSK-EXTERNAL"[1] 72.72.115.187
#2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  3 07:35:38 lavie010 pluto[30617]: | sending reply packet to
72.72.115.187:500 (from port=500)
Aug  3 07:35:38 lavie010 pluto[30617]: | sending 140 bytes for STATE_MAIN_R0
through eth0:500 to 72.72.115.187:500:
Aug  3 07:35:38 lavie010 pluto[30617]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #2
Aug  3 07:35:38 lavie010 pluto[30617]: "L2TP-PSK-EXTERNAL"[1] 72.72.115.187
#2: STATE_MAIN_R1: sent MR1, expecting MI2
Aug  3 07:35:38 lavie010 pluto[30617]: | modecfg pull: noquirk policy:push
not-client
Aug  3 07:35:38 lavie010 pluto[30617]: | phase 1 is done, looking for phase
1 to unpend
Aug  3 07:35:38 lavie010 pluto[30617]: | next event EVENT_RETRANSMIT in 9
seconds for #1
Aug  3 07:35:38 lavie010 pluto[30617]: |  
Aug  3 07:35:38 lavie010 pluto[30617]: | *received 360 bytes from
72.72.115.187:500 on eth0 (port=500)
Aug  3 07:35:38 lavie010 pluto[30617]: | **parse ISAKMP Message:
Aug  3 07:35:38 lavie010 pluto[30617]: |    initiator cookie:
Aug  3 07:35:38 lavie010 pluto[30617]: |   0c 2b 55 a7  6e e5 b6 c4
Aug  3 07:35:38 lavie010 pluto[30617]: |    responder cookie:
Aug  3 07:35:38 lavie010 pluto[30617]: |   e5 94 45 5f  b5 ac 1d f3
Aug  3 07:35:38 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_KE
Aug  3 07:35:38 lavie010 pluto[30617]: |    ISAKMP version: ISAKMP Version
1.0
Aug  3 07:35:38 lavie010 pluto[30617]: |    exchange type:
ISAKMP_XCHG_IDPROT
Aug  3 07:35:38 lavie010 pluto[30617]: |    flags: none
Aug  3 07:35:38 lavie010 pluto[30617]: |    message ID:  00 00 00 00
Aug  3 07:35:38 lavie010 pluto[30617]: |    length: 360
Aug  3 07:35:38 lavie010 pluto[30617]: |  processing packet with exchange
type=ISAKMP_XCHG_IDPROT (2)
Aug  3 07:35:38 lavie010 pluto[30617]: | ICOOKIE:  0c 2b 55 a7  6e e5 b6 c4
Aug  3 07:35:38 lavie010 pluto[30617]: | RCOOKIE:  e5 94 45 5f  b5 ac 1d f3
Aug  3 07:35:38 lavie010 pluto[30617]: | peer:  48 48 73 bb
Aug  3 07:35:38 lavie010 pluto[30617]: | state hash entry 14
Aug  3 07:35:38 lavie010 pluto[30617]: | peer and cookies match on #1,
provided msgid 00000000 vs 00000000
Aug  3 07:35:38 lavie010 pluto[30617]: | state object #1 found, in
STATE_MAIN_R1
Aug  3 07:35:38 lavie010 pluto[30617]: | processing connection
L2TP-PSK-EXTERNAL[1] 72.72.115.187
Aug  3 07:35:38 lavie010 pluto[30617]: | ***parse ISAKMP Key Exchange
Payload:
Aug  3 07:35:38 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_NONCE
Aug  3 07:35:38 lavie010 pluto[30617]: |    length: 260
Aug  3 07:35:38 lavie010 pluto[30617]: | ***parse ISAKMP Nonce Payload:
Aug  3 07:35:38 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_NAT-D
Aug  3 07:35:39 lavie010 pluto[30617]: |    length: 24
Aug  3 07:35:39 lavie010 pluto[30617]: | ***parse ISAKMP NAT-D Payload:
Aug  3 07:35:39 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_NAT-D
Aug  3 07:35:39 lavie010 pluto[30617]: |    length: 24
Aug  3 07:35:39 lavie010 pluto[30617]: | ***parse ISAKMP NAT-D Payload:
Aug  3 07:35:39 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_NONE
Aug  3 07:35:39 lavie010 pluto[30617]: |    length: 24
Aug  3 07:35:39 lavie010 pluto[30617]: "L2TP-PSK-EXTERNAL"[1] 72.72.115.187
#1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are
NATed
Aug  3 07:35:39 lavie010 pluto[30617]: | inserting event
EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Aug  3 07:35:39 lavie010 pluto[30617]: | 0: w->pcw_dead: 0 w->pcw_work: 0
cnt: 1
Aug  3 07:35:39 lavie010 pluto[30617]: | asking helper 0 to do build_kenonce
op on seq: 1
Aug  3 07:35:39 lavie010 pluto[30617]: | inserting event
EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
Aug  3 07:35:39 lavie010 pluto[30623]: ! helper -1 doing build_kenonce op
id: 1
Aug  3 07:35:39 lavie010 pluto[30617]: | complete state transition with
STF_SUSPEND
Aug  3 07:35:39 lavie010 pluto[30617]: | next event EVENT_RETRANSMIT in 9
seconds for #2
Aug  3 07:35:39 lavie010 pluto[30617]: |  
Aug  3 07:35:39 lavie010 pluto[30617]: | *received 360 bytes from
72.72.115.187:500 on eth0 (port=500)
Aug  3 07:35:39 lavie010 pluto[30617]: | **parse ISAKMP Message:
Aug  3 07:35:39 lavie010 pluto[30617]: |    initiator cookie:
Aug  3 07:35:39 lavie010 pluto[30617]: |   0c 2b 55 a7  6e e5 b6 c4
Aug  3 07:35:39 lavie010 pluto[30617]: |    responder cookie:
Aug  3 07:35:39 lavie010 pluto[30617]: |   e5 94 45 5f  b5 ac 1d f3
Aug  3 07:35:39 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_KE
Aug  3 07:35:39 lavie010 pluto[30617]: |    ISAKMP version: ISAKMP Version
1.0
Aug  3 07:35:39 lavie010 pluto[30617]: |    exchange type:
ISAKMP_XCHG_IDPROT
Aug  3 07:35:39 lavie010 pluto[30617]: |    flags: none
Aug  3 07:35:39 lavie010 pluto[30617]: |    message ID:  00 00 00 00
Aug  3 07:35:39 lavie010 pluto[30617]: |    length: 360
Aug  3 07:35:39 lavie010 pluto[30617]: |  processing packet with exchange
type=ISAKMP_XCHG_IDPROT (2)
Aug  3 07:35:39 lavie010 pluto[30617]: | ICOOKIE:  0c 2b 55 a7  6e e5 b6 c4
Aug  3 07:35:39 lavie010 pluto[30617]: | RCOOKIE:  e5 94 45 5f  b5 ac 1d f3
Aug  3 07:35:39 lavie010 pluto[30617]: | peer:  48 48 73 bb
Aug  3 07:35:39 lavie010 pluto[30617]: | state hash entry 14
Aug  3 07:35:39 lavie010 pluto[30617]: | peer and cookies match on #1,
provided msgid 00000000 vs 00000000
Aug  3 07:35:39 lavie010 pluto[30617]: | state object #1 found, in
STATE_MAIN_R1
Aug  3 07:35:39 lavie010 pluto[30617]: | processing connection
L2TP-PSK-EXTERNAL[1] 72.72.115.187
Aug  3 07:35:39 lavie010 pluto[30617]: "L2TP-PSK-EXTERNAL"[1] 72.72.115.187
#1: discarding packet received during asynchronous work (DNS or crypto) in
STATE_MAIN_R1
Aug  3 07:35:39 lavie010 pluto[30617]: | next event EVENT_RETRANSMIT in 9
seconds for #2
Aug  3 07:35:39 lavie010 pluto[30617]: | processing connection
L2TP-PSK-EXTERNAL[1] 72.72.115.187
Aug  3 07:35:39 lavie010 pluto[30617]: | started looking for secret for
10.0.0.1->72.72.115.187 of kind PPK_PSK
Aug  3 07:35:39 lavie010 pluto[30617]: | instantiating him to 0.0.0.0
Aug  3 07:35:39 lavie010 pluto[30617]: | actually looking for secret for
10.0.0.1->0.0.0.0 of kind PPK_PSK
Aug  3 07:35:39 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:39 lavie010 pluto[30617]: | 2: compared PSK 10.0.0.138 to
10.0.0.1 / 72.72.115.187 -> 2
Aug  3 07:35:39 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:39 lavie010 pluto[30617]: | 2: compared PSK 192.117.103.195 to
10.0.0.1 / 72.72.115.187 -> 2
Aug  3 07:35:39 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:39 lavie010 pluto[30617]: | 2: compared PSK 192.168.1.254 to
10.0.0.1 / 72.72.115.187 -> 2
Aug  3 07:35:39 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:39 lavie010 pluto[30617]: | 2: compared PSK 10.0.0.1 to
10.0.0.1 / 72.72.115.187 -> 6
Aug  3 07:35:39 lavie010 pluto[30617]: | best_match 0>6 best=0x89fdf38
(line=16)
Aug  3 07:35:39 lavie010 pluto[30617]: | concluding with best_match=6
best=0x89fdf38 (lineno=16)
Aug  3 07:35:39 lavie010 pluto[30617]: | complete state transition with
STF_OK
Aug  3 07:35:39 lavie010 pluto[30617]: "L2TP-PSK-EXTERNAL"[1] 72.72.115.187
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  3 07:35:39 lavie010 pluto[30617]: | sending reply packet to
72.72.115.187:500 (from port=500)
Aug  3 07:35:39 lavie010 pluto[30617]: | sending 356 bytes for STATE_MAIN_R1
through eth0:500 to 72.72.115.187:500:
Aug  3 07:35:39 lavie010 pluto[30617]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #1
Aug  3 07:35:39 lavie010 pluto[30617]: "L2TP-PSK-EXTERNAL"[1] 72.72.115.187
#1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug  3 07:35:39 lavie010 pluto[30617]: | modecfg pull: noquirk policy:push
not-client
Aug  3 07:35:39 lavie010 pluto[30617]: | phase 1 is done, looking for phase
1 to unpend
Aug  3 07:35:39 lavie010 pluto[30617]: | next event EVENT_RETRANSMIT in 9
seconds for #2
Aug  3 07:35:40 lavie010 pluto[30617]: |  
Aug  3 07:35:40 lavie010 pluto[30617]: | *received 100 bytes from
72.72.115.187:50576 on eth0 (port=4500)
Aug  3 07:35:40 lavie010 pluto[30617]: | **parse ISAKMP Message:
Aug  3 07:35:40 lavie010 pluto[30617]: |    initiator cookie:
Aug  3 07:35:40 lavie010 pluto[30617]: |   0c 2b 55 a7  6e e5 b6 c4
Aug  3 07:35:40 lavie010 pluto[30617]: |    responder cookie:
Aug  3 07:35:40 lavie010 pluto[30617]: |   e5 94 45 5f  b5 ac 1d f3
Aug  3 07:35:40 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_ID
Aug  3 07:35:40 lavie010 pluto[30617]: |    ISAKMP version: ISAKMP Version
1.0
Aug  3 07:35:40 lavie010 pluto[30617]: |    exchange type:
ISAKMP_XCHG_IDPROT
Aug  3 07:35:40 lavie010 pluto[30617]: |    flags: ISAKMP_FLAG_ENCRYPTION
Aug  3 07:35:40 lavie010 pluto[30617]: |    message ID:  00 00 00 00
Aug  3 07:35:40 lavie010 pluto[30617]: |    length: 100
Aug  3 07:35:40 lavie010 pluto[30617]: |  processing packet with exchange
type=ISAKMP_XCHG_IDPROT (2)
Aug  3 07:35:40 lavie010 pluto[30617]: | ICOOKIE:  0c 2b 55 a7  6e e5 b6 c4
Aug  3 07:35:40 lavie010 pluto[30617]: | RCOOKIE:  e5 94 45 5f  b5 ac 1d f3
Aug  3 07:35:40 lavie010 pluto[30617]: | peer:  48 48 73 bb
Aug  3 07:35:40 lavie010 pluto[30617]: | state hash entry 14
Aug  3 07:35:40 lavie010 pluto[30617]: | peer and cookies match on #1,
provided msgid 00000000 vs 00000000
Aug  3 07:35:40 lavie010 pluto[30617]: | state object #1 found, in
STATE_MAIN_R2
Aug  3 07:35:40 lavie010 pluto[30617]: | processing connection
L2TP-PSK-EXTERNAL[1] 72.72.115.187
Aug  3 07:35:40 lavie010 pluto[30617]: | ***parse ISAKMP Identification
Payload:
Aug  3 07:35:40 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_HASH
Aug  3 07:35:40 lavie010 pluto[30617]: |    length: 44
Aug  3 07:35:40 lavie010 pluto[30617]: |    ID type: ID_FQDN
Aug  3 07:35:40 lavie010 pluto[30617]: |    DOI specific A: 0
Aug  3 07:35:40 lavie010 pluto[30617]: |    DOI specific B: 0
Aug  3 07:35:40 lavie010 pluto[30617]: | ***parse ISAKMP Hash Payload:
Aug  3 07:35:40 lavie010 pluto[30617]: |    next payload type:
ISAKMP_NEXT_NONE
Aug  3 07:35:40 lavie010 pluto[30617]: |    length: 24
Aug  3 07:35:40 lavie010 pluto[30617]: | removing 4 bytes of padding
Aug  3 07:35:40 lavie010 pluto[30617]: "L2TP-PSK-EXTERNAL"[1] 72.72.115.187
#1: Main mode peer ID is ID_FQDN: '@LAVIED610.chdomain.careerharmony.com'
Aug  3 07:35:40 lavie010 pluto[30617]: | started looking for secret for
10.0.0.1->72.72.115.187 of kind PPK_PSK
Aug  3 07:35:40 lavie010 pluto[30617]: | instantiating him to 0.0.0.0
Aug  3 07:35:40 lavie010 pluto[30617]: | actually looking for secret for
10.0.0.1->0.0.0.0 of kind PPK_PSK
Aug  3 07:35:40 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:40 lavie010 pluto[30617]: | 2: compared PSK 10.0.0.138 to
10.0.0.1 / 72.72.115.187 -> 2
Aug  3 07:35:40 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:40 lavie010 pluto[30617]: | 2: compared PSK 192.117.103.195 to
10.0.0.1 / 72.72.115.187 -> 2
Aug  3 07:35:40 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:40 lavie010 pluto[30617]: | 2: compared PSK 192.168.1.254 to
10.0.0.1 / 72.72.115.187 -> 2
Aug  3 07:35:40 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ 72.72.115.187 -> 2
Aug  3 07:35:40 lavie010 pluto[30617]: | 2: compared PSK 10.0.0.1 to
10.0.0.1 / 72.72.115.187 -> 6
Aug  3 07:35:40 lavie010 pluto[30617]: | best_match 0>6 best=0x89fdf38
(line=16)
Aug  3 07:35:40 lavie010 pluto[30617]: | concluding with best_match=6
best=0x89fdf38 (lineno=16)
Aug  3 07:35:40 lavie010 pluto[30617]: | started looking for secret for
10.0.0.1->(none) of kind PPK_PSK
Aug  3 07:35:40 lavie010 pluto[30617]: | replace him to 0.0.0.0
Aug  3 07:35:40 lavie010 pluto[30617]: | actually looking for secret for
10.0.0.1->0.0.0.0 of kind PPK_PSK
Aug  3 07:35:40 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ (none) -> 2
Aug  3 07:35:40 lavie010 pluto[30617]: | 2: compared PSK 10.0.0.138 to
10.0.0.1 / (none) -> 2
Aug  3 07:35:40 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ (none) -> 2
Aug  3 07:35:40 lavie010 pluto[30617]: | 2: compared PSK 192.117.103.195 to
10.0.0.1 / (none) -> 2
Aug  3 07:35:40 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ (none) -> 2
Aug  3 07:35:40 lavie010 pluto[30617]: | 2: compared PSK 192.168.1.254 to
10.0.0.1 / (none) -> 2
Aug  3 07:35:40 lavie010 pluto[30617]: | 1: compared PSK 0.0.0.0 to 10.0.0.1
/ (none) -> 2
Aug  3 07:35:40 lavie010 pluto[30617]: | 2: compared PSK 10.0.0.1 to
10.0.0.1 / (none) -> 6
Aug  3 07:35:40 lavie010 pluto[30617]: | best_match 0>6 best=0x89fdf38
(line=16)
Aug  3 07:35:40 lavie010 pluto[30617]: | concluding with best_match=6
best=0x89fdf38 (lineno=16)
Aug  3 07:35:40 lavie010 pluto[30617]: | offered CA: '%none'
Aug  3 07:35:40 lavie010 pluto[30617]: | switched from "L2TP-PSK-EXTERNAL"
to "L2TP-PSK-EXTERNAL"
Aug  3 07:35:40 lavie010 pluto[30617]: | instantiated "L2TP-PSK-EXTERNAL"
for 72.72.115.187
Aug  3 07:35:40 lavie010 pluto[30617]: | processing connection
L2TP-PSK-EXTERNAL[2] 72.72.115.187
Aug  3 07:35:40 lavie010 pluto[30617]: | thinking about whether to send my
certificate:
Aug  3 07:35:40 lavie010 pluto[30617]: |   I have RSA key:
OAKLEY_PRESHARED_KEY cert.type: CERT_NONE 
Aug  3 07:35:40 lavie010 pluto[30617]: |   sendcert: CERT_ALWAYSSEND and I
did not get a certificate request 
Aug  3 07:35:40 lavie010 pluto[30617]: |   so do not send cert.
Aug  3 07:35:40 lavie010 pluto[30617]: "L2TP-PSK-EXTERNAL"[2] 72.72.115.187
#1: I did not send a certificate because I do not have one.
Aug  3 07:35:40 lavie010 pluto[30617]: | complete state transition with
STF_OK
Aug  3 07:35:40 lavie010 pluto[30617]: "L2TP-PSK-EXTERNAL"[2] 72.72.115.187
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
==========================




More information about the Users mailing list