[Openswan Users] Changed certificates and it stopped working (Was: L2TP/IPsec doesn't work)

Turbo Fredriksson turbo at bayour.com
Fri Nov 3 15:10:25 EST 2006


Replacing the kernel (with the module from OpenSwan 2.4) worked flawlessly!!
I managed to do the connections twice, but then I decided to 'clean up'.

When I created the CA, its name ended up as just 'CA'... Naturally I
wanted to have the company name there. So I removed all certificates
and the whole CA and started all over.

I made new certs for the workfw machine and myself, copied the new
certs around and restarted pluto and the l2tp daemon. Removed my old
cert on the Win2k machine and imported the new...


Now when I try to connect, I get (as usual!) this:

----- s n i p -----
workfw:/etc/ipsec.d# tail -n0 -f /var/log/{auth.,sys}log | tee /tmp/ipsec.out2
==> /var/log/auth.log <==

==> /var/log/syslog <==

==> /var/log/auth.log <==
Nov  3 21:02:22 workfw pluto[2978]: packet from <HOMEFW_IP>:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Nov  3 21:02:22 workfw pluto[2978]: packet from <HOMEFW_IP>:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov  3 21:02:22 workfw pluto[2978]: packet from <HOMEFW_IP>:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov  3 21:02:22 workfw pluto[2978]: "roadwarrior"[2] <HOMEFW_IP> #3: responding to Main Mode from unknown peer <HOMEFW_IP>
Nov  3 21:02:22 workfw pluto[2978]: "roadwarrior"[2] <HOMEFW_IP> #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov  3 21:02:22 workfw pluto[2978]: "roadwarrior"[2] <HOMEFW_IP> #3: STATE_MAIN_R1: sent MR1, expecting MI2
Nov  3 21:02:23 workfw pluto[2978]: "roadwarrior"[2] <HOMEFW_IP> #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Nov  3 21:02:23 workfw pluto[2978]: "roadwarrior"[2] <HOMEFW_IP> #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov  3 21:02:23 workfw pluto[2978]: "roadwarrior"[2] <HOMEFW_IP> #3: STATE_MAIN_R2: sent MR2, expecting MI3
Nov  3 21:02:24 workfw pluto[2978]: "roadwarrior"[2] <HOMEFW_IP> #3: Main mode peer ID is ID_DER_ASN1_DN: '<DN_OF_MY_PRIVATE_CERT>'
Nov  3 21:02:24 workfw pluto[2978]: "roadwarrior"[2] <HOMEFW_IP> #3: switched from "roadwarrior" to "roadwarrior"
Nov  3 21:02:24 workfw pluto[2978]: "roadwarrior"[3] <HOMEFW_IP> #3: I am sending my cert
Nov  3 21:02:24 workfw pluto[2978]: "roadwarrior"[3] <HOMEFW_IP> #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov  3 21:02:24 workfw pluto[2978]: | NAT-T: new mapping <HOMEFW_IP>:500/4500)
Nov  3 21:02:24 workfw pluto[2978]: "roadwarrior"[3] <HOMEFW_IP> #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov  3 21:02:24 workfw pluto[2978]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #4: responding to Quick Mode {msgid:c70f5efa}
Nov  3 21:02:24 workfw pluto[2978]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov  3 21:02:24 workfw pluto[2978]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov  3 21:02:24 workfw pluto[2978]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov  3 21:02:24 workfw pluto[2978]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #4: STATE_QUICK_R2: IPsec SA established {ESP=>0x9a1ce7d2 <0xe0727fee xfrm=3DES_0-HMAC_MD5 NATD=<HOMEFW_IP>:4500 DPD=none}

==> /var/log/syslog <==
Nov  3 21:02:24 workfw kernel: klips:pfkey_msg_parse: ext type 27(X-NAT-T-sport) unknown, ignoring.
Nov  3 21:02:24 workfw kernel: klips:pfkey_msg_parse: ext type 28(X-NAT-T-dport) unknown, ignoring.
Nov  3 21:02:24 workfw kernel: klips:pfkey_msg_parse: ext type 29(X-NAT-T-OA) unknown, ignoring.
Nov  3 21:02:24 workfw kernel: klips:pfkey_msg_parse: ext type 30(<NULL>) unknown, ignoring.
Nov  3 21:02:24 workfw kernel: klips:pfkey_msg_parse: ext type 27(X-NAT-T-sport) unknown, ignoring.
Nov  3 21:02:24 workfw kernel: klips:pfkey_msg_parse: ext type 28(X-NAT-T-dport) unknown, ignoring.
Nov  3 21:02:24 workfw kernel: klips:pfkey_msg_parse: ext type 29(X-NAT-T-OA) unknown, ignoring.
Nov  3 21:02:24 workfw kernel: klips:pfkey_msg_parse: ext type 30(<NULL>) unknown, ignoring.

==> /var/log/auth.log <==
Nov  3 21:02:37 workfw pluto[2978]: "roadwarrior"[2] <HOMEFW_IP> #2: max number of retransmissions (2) reached STATE_MAIN_R2
Nov  3 21:02:37 workfw pluto[2978]: "roadwarrior"[2] <HOMEFW_IP>: deleting connection "roadwarrior" instance with peer <HOMEFW_IP> {isakmp=#0/ipsec=#0}
Nov  3 21:02:59 workfw pluto[2978]: "roadwarrior"[3] <HOMEFW_IP> #3: received Delete SA(0x9a1ce7d2) payload: deleting IPSEC State #4
Nov  3 21:02:59 workfw pluto[2978]: "roadwarrior"[3] <HOMEFW_IP> #3: deleting connection "roadwarrior-l2tp" instance with peer <HOMEFW_IP> {isakmp=#0/ipsec=#0}
Nov  3 21:02:59 workfw pluto[2978]: "roadwarrior"[3] <HOMEFW_IP> #3: received and ignored informational message
Nov  3 21:02:59 workfw pluto[2978]: "roadwarrior"[3] <HOMEFW_IP> #3: received Delete SA payload: deleting ISAKMP State #3
Nov  3 21:02:59 workfw pluto[2978]: "roadwarrior"[3] <HOMEFW_IP>: deleting connection "roadwarrior" instance with peer <HOMEFW_IP> {isakmp=#0/ipsec=#0}
Nov  3 21:02:59 workfw pluto[2978]: packet from <HOMEFW_IP>:4500: received and ignored informational message
----- s n i p -----

I get 'Error 678: There was no answer.' on the Win2k machine...



DANG! Why can't I just leave things alone!?! And naturally I knew what
I was doing, so I didn't save any copies of the old CA or certs. :(
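The post above replaces a CA and reissues every certificate under it. An added example follows, not from the thread and not Openswan's own tooling: it rebuilds the situation with the openssl command-line tool (a first CA named just "CA", then a replacement CA carrying an organisation name), issues an end-entity certificate under each, and checks which CA a given certificate actually chains to, plus prints the subject DN that pluto logs as the peer ID. CA names, subjects and file locations are made up for the demonstration; the check does not diagnose the failure in the log above, it only shows how to confirm that every certificate in play was issued by the CA each side now trusts.

```shell
#!/bin/sh
# Added example, not part of the thread. Requires the openssl CLI.
# All CA names, subjects and paths below are constructed for illustration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR NAME: self-signed CA (cert + key) under DIR with O=NAME.
# The default openssl.cnf v3_ca section gives it basicConstraints CA:TRUE.
make_ca() {
    dir=$1; name=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=SE/O=$name/CN=$name root" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_cert CADIR CN OUT: end-entity cert for CN signed by CADIR's CA,
# written as OUT.key / OUT.crt (OUT.csr is the intermediate request).
issue_cert() {
    cadir=$1; cn=$2; out=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=SE/O=Example/CN=$cn" \
        -keyout "$out.key" -out "$out.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$out.csr" \
        -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" -CAcreateserial \
        -out "$out.crt" 2>/dev/null
}

# chains_to CAFILE CERT: succeed only if CERT verifies against CAFILE.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_dn CERT: subject DN in RFC 2253 form (the identity pluto logs
# as ID_DER_ASN1_DN and the value to use as leftid/rightid).
cert_dn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# report CAFILE CERT: one human-readable line per check.
report() {
    if chains_to "$1" "$2"; then
        echo "OK   $(basename "$2") chains to $(basename "$(dirname "$1")")  DN: $(cert_dn "$2")"
    else
        echo "FAIL $(basename "$2") does NOT chain to $(basename "$(dirname "$1")")"
    fi
}

# Scenario: the original CA named only "CA", then the replacement CA.
make_ca "$WORK/oldca" "CA"
make_ca "$WORK/newca" "Bayour"
issue_cert "$WORK/oldca" "workfw" "$WORK/workfw-old"
issue_cert "$WORK/newca" "workfw" "$WORK/workfw-new"

# A certificate issued under the old CA is rejected by the new CA cert,
# even though the subject DN (and so the pluto peer ID) is identical.
report "$WORK/newca/ca.crt" "$WORK/workfw-new.crt"
report "$WORK/newca/ca.crt" "$WORK/workfw-old.crt"
report "$WORK/oldca/ca.crt" "$WORK/workfw-old.crt"
```

Run the same `openssl verify -CAfile` check with the CA file that actually sits in the responder's ipsec.d/cacerts directory against every certificate you copied around, and compare the printed DN with the peer ID line in the pluto log; a certificate whose DN matches but whose chain fails is indistinguishable from the correct one until a signature is checked.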

