[Openswan Users] Apologies for double posting, attached is the log

Kailesh Mussai kmussa at cs.mcgill.ca
Wed Apr 22 16:44:06 EDT 2009


Hello all,

This is an IPsec/L2TP setup.

The same setup works for older Mac OS X for both public IP and for NAT,
also works with Windows XP and Linux.  I am having issues with the newest
Mac OS X 10.5.  I attached the logs and if I disable nat_traversal, then
I am able to connect.

I cannot tell if it's a Mac OS X bug or if it is my setup missing
something.

Any help on this would be much appreciated. 

Openswan version:
Linux Openswan U2.4.12/K2.6.18-6-686 (netkey)

xl2tpd version:  xl2tpd-1.2.4

My ipsec.conf:
############################################################################################
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.11.0/24
        nhelpers=0
        plutodebug=none
        plutostderrlog=/var/log/pluto.log

conn roadwarrior-l2tp
        leftprotoport=17/1701
        rightprotoport=17/%any
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        authby=secret
        pfs=no
        keyingtries=3
        rekey=no
        left=132.206.54.11
        right=%any
        rightsubnet=vhost:%priv,%no
        auto=add
############################################################################################

Regards,
Kailesh 
-------------- next part --------------
packet from 132.206.51.33:500: received Vendor ID payload [RFC 3947] method set to=109 
packet from 132.206.51.33:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 
packet from 132.206.51.33:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
packet from 132.206.51.33:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
packet from 132.206.51.33:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
packet from 132.206.51.33:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
packet from 132.206.51.33:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
packet from 132.206.51.33:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
packet from 132.206.51.33:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
packet from 132.206.51.33:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
packet from 132.206.51.33:500: received Vendor ID payload [Dead Peer Detection]
"roadwarrior-l2tp-updatedwin"[4] 132.206.51.33 #5: responding to Main Mode from unknown peer 132.206.51.33
"roadwarrior-l2tp-updatedwin"[4] 132.206.51.33 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"roadwarrior-l2tp-updatedwin"[4] 132.206.51.33 #5: STATE_MAIN_R1: sent MR1, expecting MI2
"roadwarrior-l2tp-updatedwin"[4] 132.206.51.33 #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
"roadwarrior-l2tp-updatedwin"[4] 132.206.51.33 #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"roadwarrior-l2tp-updatedwin"[4] 132.206.51.33 #5: STATE_MAIN_R2: sent MR2, expecting MI3
"roadwarrior-l2tp-updatedwin"[4] 132.206.51.33 #5: Main mode peer ID is ID_IPV4_ADDR: '132.206.51.33'
"roadwarrior-l2tp-updatedwin"[4] 132.206.51.33 #5: I did not send a certificate because I do not have one.
"roadwarrior-l2tp-updatedwin"[4] 132.206.51.33 #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"roadwarrior-l2tp-updatedwin"[4] 132.206.51.33 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"roadwarrior-l2tp-updatedwin"[4] 132.206.51.33 #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
"roadwarrior-l2tp-updatedwin"[4] 132.206.51.33 #5: received and ignored informational message
"roadwarrior-l2tp"[1] 132.206.51.33 #6: ENCAPSULATION_MODE_UDP_TRANSPORT must only be used if NAT-Traversal is detected
"roadwarrior-l2tp"[1] 132.206.51.33 #6: sending encrypted notification BAD_PROPOSAL_SYNTAX to 132.206.51.33:4500
"roadwarrior-l2tp"[1] 132.206.51.33: deleting connection "roadwarrior-l2tp" instance with peer 132.206.51.33 {isakmp=#0/ipsec=#0}

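Added example, not part of the original post and not Openswan code: a Python sketch that pairs, per peer, the two lines visible in the attached log, namely the NAT-T detection result and the later rejection of a UDP-encapsulated proposal. The sample lines are copied from the log above; the function and field names are hypothetical.

```python
import re

# Constructed sample: three lines copied from the log attached to this post.
SAMPLE_LOG = '''\
"roadwarrior-l2tp-updatedwin"[4] 132.206.51.33 #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
"roadwarrior-l2tp"[1] 132.206.51.33 #6: ENCAPSULATION_MODE_UDP_TRANSPORT must only be used if NAT-Traversal is detected
"roadwarrior-l2tp"[1] 132.206.51.33 #6: sending encrypted notification BAD_PROPOSAL_SYNTAX to 132.206.51.33:4500
'''

# Layout of a per-state pluto line: "conn"[instance] peer-ip #state: message
LINE_RE = re.compile(
    r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
NAT_RESULT_RE = re.compile(
    r'^NAT-Traversal: Result using (?P<method>.+?): (?P<result>.+)$')
UDP_ENCAP_REJECT = ("ENCAPSULATION_MODE_UDP_TRANSPORT must only be used "
                    "if NAT-Traversal is detected")


def find_encap_mismatches(log_text):
    """Return one finding per rejected UDP-encapsulated proposal, paired with
    the most recent NAT-T detection result logged for the same peer."""
    nat_result = {}  # peer IP -> (method, result, conn that logged it)
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "packet from ..." lines have no conn/state prefix
        peer, msg = m["peer"], m["msg"].strip()
        nat = NAT_RESULT_RE.match(msg)
        if nat:
            nat_result[peer] = (nat["method"], nat["result"], m["conn"])
        elif msg == UDP_ENCAP_REJECT:
            method, result, nat_conn = nat_result.get(peer, (None, None, None))
            findings.append({
                "peer": peer,
                "nat_conn": nat_conn,        # conn that logged the NAT-T result
                "reject_conn": m["conn"],    # conn that rejected the proposal
                "state": int(m["state"]),
                "nat_method": method,
                "nat_result": result,
            })
    return findings


if __name__ == "__main__":
    for finding in find_encap_mismatches(SAMPLE_LOG):
        print(finding)
```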
