[Openswan Users] openswan + certificates + xl2tpd + no suitable connection error
Francis GASCHET
fg at numlog.fr
Wed Dec 8 09:43:33 EST 2010
Hi Adam,
Are you sure that rightid=%fromcert is OK?
I would put: rightid="C=PL, ST=cos, O=name1, OU=it, CN=mycert,
E=myname at wp.pl".
But maybe I'm wrong and it should work...
Best regards,
--
Francis GASCHET / NUMLOG
http://www.numlog.fr
Tel.: +33 (0) 130 791 616
Fax.: +33 (0) 130 819 286
On 12/08/2010 01:08 PM, Adam Sienkiewicz wrote:
> Hi all;
>
> For a few days I have been trying to get openswan + l2tpd working with
> certificates.
> First I installed openswan + l2tpd as I did before and tested the
> connection with PSK - it works great.
> Next I modified the config file ipsec.conf like below:
>
> config setup
> interfaces=%defaultroute
>
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,!%v4:192.168.0.0/16
> nat_traversal=yes
> protostack=netkey
> plutodebug=private
> OE=off
> #conn l2tp
> # rightsubnet=vhost:%priv
> # also=l2tp-X.509
>
> conn l2tp-X.509
> #
> # Configuration for one user with any type of IPsec/L2TP client
> # including the updated Windows 2000/XP (MS KB Q818043), but
> # excluding the non-updated Windows 2000/XP.
> #
> #
> # Use a certificate. Disable Perfect Forward Secrecy.
> #
> #auth=esp
> authby=rsasig
> pfs=no
> auto=add
> # we cannot rekey for %any, let client rekey
> rekey=no
> # Set ikelifetime and keylife to same defaults windows has
> ikelifetime=8h
> keylife=1h
> # l2tp-over-ipsec is transport mode
> # See http://bugs.xelerance.com/view.php?id=466
> type=transport
> #
> left=83.230.105.135
> leftnexthop=83.230.105.129
> leftid=%fromcert
>
> leftca=/etc/ipsec.d/cacert/cacert.pem
> leftrsasigkey=%cert
> leftcert=/etc/ipsec.d/certs/vpntest.pem
> leftprotoport=17/1701
> #
> # The remote user.
> #
> right=%any
> rightca=%same
> rightid=%fromcert
> rightrsasigkey=%cert
> # Using the magic port of "0" means "any one single port". This is
> # a work around required for Apple OSX clients that use a randomly
> # high port, but propose "0" instead of their port. If that does
> # not work, try 17/%any
> rightprotoport=17/0
> rightsubnet=vhost:%priv,%no
>
> I didn't change my xl2tpd config file.
> Because I used an openvpn VPN server, I want to use the same certificates
> for openswan. So I copied the earlier generated certificates (via the
> easy-rsa tool from openswan):
> cacert.pem to /etc/ipsec.d/cacert, vpntest.pem to /etc/ipsec.d/certs,
> and the key file I put into /etc/ipsec.d/private. I don't use a passphrase
> for the vpntest key. I also put a line into ipsec.secrets:
>
> : RSA /etc/ipsec.d/private/vpntest.key *
>
> Next I added the connection
> ipsec setup start
>
> and in /var/log/secure I got
>
> Dec 7 13:28:58 slack13 pluto[26544]: Starting Pluto (Openswan Version
> 2.6.31; Vendor ID OE}GnD\177ZAYe[) pid:26544
> Dec 7 13:28:58 slack13 pluto[26544]: LEAK_DETECTIVE support [enabled]
> Dec 7 13:28:58 slack13 pluto[26544]: SAref support [disabled]:
> Protocol not available
> Dec 7 13:28:58 slack13 pluto[26544]: SAbind support [disabled]:
> Protocol not available
> Dec 7 13:28:58 slack13 pluto[26544]: NSS support [disabled]
> Dec 7 13:28:58 slack13 pluto[26544]: HAVE_STATSD notification support
> not compiled in
> Dec 7 13:28:58 slack13 pluto[26544]: Setting NAT-Traversal port-4500
> floating to on
> Dec 7 13:28:58 slack13 pluto[26544]: port floating activation
> criteria nat_t=1/port_float=1
> Dec 7 13:28:58 slack13 pluto[26544]: NAT-Traversal support [enabled]
> Dec 7 13:28:58 slack13 pluto[26544]: 1 bad entries in virtual_private
> - none loaded
> Dec 7 13:28:58 slack13 pluto[26544]: using /dev/urandom as source of
> random entropy
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc():
> Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc():
> Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
> Dec 7 13:28:58 slack13 pluto[26544]: starting up 1 cryptographic helpers
> Dec 7 13:28:58 slack13 pluto[26544]: started helper pid=26548 (fd:7)
> Dec 7 13:28:58 slack13 pluto[26544]: Using Linux 2.6 IPsec interface
> code on 2.6.33.4 (experimental code)
> Dec 7 13:28:58 slack13 pluto[26548]: using /dev/urandom as source of
> random entropy
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc():
> Activating aes_ccm_8: Ok (ret=0)
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm
> already exists
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc():
> Activating aes_ccm_12: FAILED (ret=-17)
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm
> already exists
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc():
> Activating aes_ccm_16: FAILED (ret=-17)
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm
> already exists
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc():
> Activating aes_gcm_8: FAILED (ret=-17)
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm
> already exists
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc():
> Activating aes_gcm_12: FAILED (ret=-17)
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm
> already exists
> Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc():
> Activating aes_gcm_16: FAILED (ret=-17)
> Dec 7 13:28:58 slack13 pluto[26544]: Changed path to directory
> '/etc/ipsec.d/cacerts'
> Dec 7 13:28:58 slack13 pluto[26544]: loaded CA cert file
> 'cacert.pem' (1334 bytes)
> Dec 7 13:28:58 slack13 pluto[26544]: Changed path to directory
> '/etc/ipsec.d/aacerts'
> Dec 7 13:28:58 slack13 pluto[26544]: Changed path to directory
> '/etc/ipsec.d/ocspcerts'
> Dec 7 13:28:58 slack13 pluto[26544]: Changing to directory
> '/etc/ipsec.d/crls'
> Dec 7 13:28:58 slack13 pluto[26544]: loaded crl file 'crl.crl' (528
> bytes)
> Dec 7 13:28:58 slack13 pluto[26544]: loading certificate from
> /etc/ipsec.d/certs/vpntest.pem
> Dec 7 13:28:58 slack13 pluto[26544]: loaded host cert file
> '/etc/ipsec.d/certs/vpntest.pem' (3802 bytes)
> Dec 7 13:28:58 slack13 pluto[26544]: no subjectAltName matches ID
> '%fromcert', replaced by subject DN
> Dec 7 13:28:58 slack13 pluto[26544]: | keyid: *AwEAAZ+GM
> Dec 7 13:28:58 slack13 pluto[26544]: | Modulus:
> 9f863338df000812eb92b66a4f91b55e174f23e0ae53889b9626245e2a8e4fccc561af89af8dada925614c3b781bc01b9edb28e1dcde07aac17cbbd71a6b4350a28573afd195131d84f5f425fb0065a52431dfdbe1a74f6224bf379976c9be1af56c8067c78ef851f0c482d34299b418aa9d33f898e5d57803b2967ab3824eeb
> Dec 7 13:28:58 slack13 pluto[26544]: | PublicExponent: 10001
> Dec 7 13:28:58 slack13 pluto[26544]: added connection description
> "l2tp-X.509"
> Dec 7 13:28:58 slack13 pluto[26544]: listening for IKE messages
> Dec 7 13:28:58 slack13 pluto[26544]: | invalid listen= option
> ignored: empty string
> Dec 7 13:28:58 slack13 pluto[26544]: NAT-Traversal: Trying new style
> NAT-T
> Dec 7 13:28:58 slack13 pluto[26544]: NAT-Traversal: ESPINUDP(1) setup
> failed for new style NAT-T family IPv4 (errno=19)
> Dec 7 13:28:58 slack13 pluto[26544]: NAT-Traversal: Trying old style
> NAT-T
> Dec 7 13:28:58 slack13 pluto[26544]: adding interface bond0/bond0
> 192.168.1.19:500
> Dec 7 13:28:58 slack13 pluto[26544]: adding interface bond0/bond0
> 192.168.1.19:4500
> Dec 7 13:28:58 slack13 pluto[26544]: adding interface eth3/eth3
> MYIPADDRESS:500
> Dec 7 13:28:58 slack13 pluto[26544]: adding interface eth3/eth3
> MYIPADDRESS:4500
> Dec 7 13:28:58 slack13 pluto[26544]: adding interface lo/lo
> 127.0.0.1:500
> Dec 7 13:28:58 slack13 pluto[26544]: adding interface lo/lo
> 127.0.0.1:4500
> Dec 7 13:28:58 slack13 pluto[26544]: adding interface lo/lo ::1:500
> Dec 7 13:28:58 slack13 pluto[26544]: loading secrets from
> "/etc/ipsec.secrets"
> Dec 7 13:28:58 slack13 pluto[26544]: loaded private key file
> '/etc/ipsec.d/private/vpntest.key' (887 bytes)
> Dec 7 13:28:58 slack13 pluto[26544]: | 30 82 02 5b 02 01 00 02 81
> 81 00 9f 86 33 38 df
> Dec 7 13:28:58 slack13 pluto[26544]: | 00 08 12 eb 92 b6 6a 4f 91
> b5 5e 17 4f 23 e0 ae
> Dec 7 13:28:58 slack13 pluto[26544]: | 53 88 9b 96 26 24 5e 2a 8e
> 4f cc c5 61 af 89 af
> Dec 7 13:28:58 slack13 pluto[26544]: | 8d ad a9 25 61 4c 3b 78 1b
> c0 1b 9e db 28 e1 dc
> Dec 7 13:28:58 slack13 pluto[26544]: | de 07 aa c1 7c bb d7 1a 6b
> 43 50 a2 85 73 af d1
> Dec 7 13:28:58 slack13 pluto[26544]: | 95 13 1d 84 f5 f4 25 fb 00
> 65 a5 24 31 df db e1
> Dec 7 13:28:58 slack13 pluto[26544]: | a7 4f 62 24 bf 37 99 76 c9
> be 1a f5 6c 80 67 c7
> Dec 7 13:28:58 slack13 pluto[26544]: | 8e f8 51 f0 c4 82 d3 42 99
> b4 18 aa 9d 33 f8 98
> Dec 7 13:28:58 slack13 pluto[26544]: | e5 d5 78 03 b2 96 7a b3 82
> 4e eb 02 03 01 00 01
> Dec 7 13:28:58 slack13 pluto[26544]: | 02 81 80 3b 4d fc c4 eb c2
> 6b 3d fd 6d f1 7a dc
> Dec 7 13:28:58 slack13 pluto[26544]: | 51 e3 07 33 cb 2c 1f 5f 2f
> 96 dd a0 98 55 74 dc
> Dec 7 13:28:58 slack13 pluto[26544]: | 85 43 8d 70 e3 bc 0a 87 c5
> 38 06 65 eb 22 18 09
> Dec 7 13:28:58 slack13 pluto[26544]: | b2 e7 5c 5d 56 44 80 93 47
> c7 b9 e7 6c a3 b8 78
> Dec 7 13:28:58 slack13 pluto[26544]: | 0d e0 5c 07 81 06 6b c0 60
> 4b ad 0b 57 cf 4a 5f
> Dec 7 13:28:58 slack13 pluto[26544]: | 13 1a 9b a0 60 29 f1 2d 76
> a0 ae e2 39 7c eb bd
> Dec 7 13:28:58 slack13 pluto[26544]: | 15 0f 42 c7 fe 88 94 7c d1
> cc 6d f6 7d 89 1a db
> Dec 7 13:28:58 slack13 pluto[26544]: | d1 d3 37 30 95 14 10 0e 9a
> fa fe 5c d7 19 ef 45
> Dec 7 13:28:58 slack13 pluto[26544]: | 21 da 81 02 41 00 cf 60 88
> e1 bc 73 43 96 04 de
> Dec 7 13:28:58 slack13 pluto[26544]: | 33 79 f2 87 fd 9a 71 e4 f6
> f3 96 39 27 fc 6d 02
> Dec 7 13:28:58 slack13 pluto[26544]: | 13 6f 25 6a 60 67 11 ff 56
> cf 6b c3 9b 65 81 a8
> Dec 7 13:28:58 slack13 pluto[26544]: | ed 96 8e 00 2e 48 3f ae a5
> f6 44 44 e3 a9 fb ae
> Dec 7 13:28:58 slack13 pluto[26544]: | 64 cb 81 35 b5 b1 02 41 00
> c4 ed 60 5a 43 3c d5
> Dec 7 13:28:58 slack13 pluto[26544]: | bc 4c a3 d9 b2 d1 24 f5 f2
> 1e bc ef 73 2a 5a f7
> Dec 7 13:28:58 slack13 pluto[26544]: | 4c ce 4d fb a2 e0 ef 9b 51
> b7 48 2b b4 f7 3c 88
> Dec 7 13:28:58 slack13 pluto[26544]: | d8 bb d0 fc 3f 22 29 a6 ab
> 9a 2b 7d 85 8f 4f c4
> Dec 7 13:28:58 slack13 pluto[26544]: | f2 0d 56 b5 d7 62 df 89 5b
> 02 40 4f a9 1e 8b d0
> Dec 7 13:28:58 slack13 pluto[26544]: | 4f 5a bc 0b 1c ac 1b 81 2d
> fa 1e 54 f8 06 61 25
> Dec 7 13:28:58 slack13 pluto[26544]: | e8 c8 d2 6f b1 67 73 bf a4
> b0 69 87 81 55 80 92
> Dec 7 13:28:58 slack13 pluto[26544]: | 3d ee b8 bc 68 fe f3 61 92
> f2 34 70 ba 0f 28 9d
> Dec 7 13:28:58 slack13 pluto[26544]: | aa f4 e5 7c 37 ce a2 59 fd
> 1e d1 02 40 39 13 a0
> Dec 7 13:28:58 slack13 pluto[26544]: | 10 a9 5a 51 8c b1 1d f0 74
> 1e a0 3a d4 c1 49 fb
> Dec 7 13:28:58 slack13 pluto[26544]: | 91 02 9e b8 fc be f2 e5 53
> 51 24 c1 7c ce c5 91
> Dec 7 13:28:58 slack13 pluto[26544]: | 3d 73 47 4d 56 9c 21 37 6b
> 49 08 8f 71 3f 4f 09
> Dec 7 13:28:58 slack13 pluto[26544]: | a3 93 65 08 6d 2b a6 8d 2f
> ef 4d 60 ef 02 40 7e
> Dec 7 13:28:58 slack13 pluto[26544]: | a8 84 d9 d7 76 93 96 50 1a
> 50 40 6d ba db ec 66
> Dec 7 13:28:58 slack13 pluto[26544]: | 37 2c 7d 77 f9 88 9e 2f e8
> 43 26 64 96 92 35 4b
> Dec 7 13:28:58 slack13 pluto[26544]: | 84 59 e1 6a 44 e1 0d 8e fb
> 70 bb ca 27 7c 96 75
> Dec 7 13:28:58 slack13 pluto[26544]: | a6 15 db 9e 79 d1 01 73 0c
> ff a0 ca cd c1 c8
> Dec 7 13:28:58 slack13 pluto[26544]: | 00
> Dec 7 13:28:58 slack13 pluto[26544]: | 00 9f 86 33 38 df 00 08 12
> eb 92 b6 6a 4f 91 b5
> Dec 7 13:28:58 slack13 pluto[26544]: | 5e 17 4f 23 e0 ae 53 88 9b
> 96 26 24 5e 2a 8e 4f
> Dec 7 13:28:58 slack13 pluto[26544]: | cc c5 61 af 89 af 8d ad a9
> 25 61 4c 3b 78 1b c0
> Dec 7 13:28:58 slack13 pluto[26544]: | 1b 9e db 28 e1 dc de 07 aa
> c1 7c bb d7 1a 6b 43
> Dec 7 13:28:58 slack13 pluto[26544]: | 50 a2 85 73 af d1 95 13 1d
> 84 f5 f4 25 fb 00 65
> Dec 7 13:28:58 slack13 pluto[26544]: | a5 24 31 df db e1 a7 4f 62
> 24 bf 37 99 76 c9 be
> Dec 7 13:28:58 slack13 pluto[26544]: | 1a f5 6c 80 67 c7 8e f8 51
> f0 c4 82 d3 42 99 b4
> Dec 7 13:28:58 slack13 pluto[26544]: | 18 aa 9d 33 f8 98 e5 d5 78
> 03 b2 96 7a b3 82 4e
> Dec 7 13:28:58 slack13 pluto[26544]: | eb
> Dec 7 13:28:58 slack13 pluto[26544]: | 01 00 01
> Dec 7 13:28:58 slack13 pluto[26544]: | 3b 4d fc c4 eb c2 6b 3d fd
> 6d f1 7a dc 51 e3 07
> Dec 7 13:28:58 slack13 pluto[26544]: | 33 cb 2c 1f 5f 2f 96 dd a0
> 98 55 74 dc 85 43 8d
> Dec 7 13:28:58 slack13 pluto[26544]: | 70 e3 bc 0a 87 c5 38 06 65
> eb 22 18 09 b2 e7 5c
> Dec 7 13:28:58 slack13 pluto[26544]: | 5d 56 44 80 93 47 c7 b9 e7
> 6c a3 b8 78 0d e0 5c
> Dec 7 13:28:58 slack13 pluto[26544]: | 07 81 06 6b c0 60 4b ad 0b
> 57 cf 4a 5f 13 1a 9b
> Dec 7 13:28:58 slack13 pluto[26544]: | a0 60 29 f1 2d 76 a0 ae e2
> 39 7c eb bd 15 0f 42
> Dec 7 13:28:58 slack13 pluto[26544]: | c7 fe 88 94 7c d1 cc 6d f6
> 7d 89 1a db d1 d3 37
> Dec 7 13:28:58 slack13 pluto[26544]: | 30 95 14 10 0e 9a fa fe 5c
> d7 19 ef 45 21 da 81
> Dec 7 13:28:58 slack13 pluto[26544]: | 00 cf 60 88 e1 bc 73 43 96
> 04 de 33 79 f2 87 fd
> Dec 7 13:28:58 slack13 pluto[26544]: | 9a 71 e4 f6 f3 96 39 27 fc
> 6d 02 13 6f 25 6a 60
> Dec 7 13:28:58 slack13 pluto[26544]: | 67 11 ff 56 cf 6b c3 9b 65
> 81 a8 ed 96 8e 00 2e
> Dec 7 13:28:58 slack13 pluto[26544]: | 48 3f ae a5 f6 44 44 e3 a9
> fb ae 64 cb 81 35 b5
> Dec 7 13:28:58 slack13 pluto[26544]: | b1
> Dec 7 13:28:58 slack13 pluto[26544]: | 00 c4 ed 60 5a 43 3c d5 bc
> 4c a3 d9 b2 d1 24 f5
> Dec 7 13:28:58 slack13 pluto[26544]: | f2 1e bc ef 73 2a 5a f7 4c
> ce 4d fb a2 e0 ef 9b
> Dec 7 13:28:58 slack13 pluto[26544]: | 51 b7 48 2b b4 f7 3c 88 d8
> bb d0 fc 3f 22 29 a6
> Dec 7 13:28:58 slack13 pluto[26544]: | ab 9a 2b 7d 85 8f 4f c4 f2
> 0d 56 b5 d7 62 df 89
> Dec 7 13:28:58 slack13 pluto[26544]: | 5b
> Dec 7 13:28:58 slack13 pluto[26544]: | 4f a9 1e 8b d0 4f 5a bc 0b
> 1c ac 1b 81 2d fa 1e
> Dec 7 13:28:58 slack13 pluto[26544]: | 54 f8 06 61 25 e8 c8 d2 6f
> b1 67 73 bf a4 b0 69
> Dec 7 13:28:58 slack13 pluto[26544]: | 87 81 55 80 92 3d ee b8 bc
> 68 fe f3 61 92 f2 34
> Dec 7 13:28:58 slack13 pluto[26544]: | 70 ba 0f 28 9d aa f4 e5 7c
> 37 ce a2 59 fd 1e d1
> Dec 7 13:28:58 slack13 pluto[26544]: | 39 13 a0 10 a9 5a 51 8c b1
> 1d f0 74 1e a0 3a d4
> Dec 7 13:28:58 slack13 pluto[26544]: | c1 49 fb 91 02 9e b8 fc be
> f2 e5 53 51 24 c1 7c
> Dec 7 13:28:58 slack13 pluto[26544]: | ce c5 91 3d 73 47 4d 56 9c
> 21 37 6b 49 08 8f 71
> Dec 7 13:28:58 slack13 pluto[26544]: | 3f 4f 09 a3 93 65 08 6d 2b
> a6 8d 2f ef 4d 60 ef
> Dec 7 13:28:58 slack13 pluto[26544]: | 7e a8 84 d9 d7 76 93 96 50
> 1a 50 40 6d ba db ec
> Dec 7 13:28:58 slack13 pluto[26544]: | 66 37 2c 7d 77 f9 88 9e 2f
> e8 43 26 64 96 92 35
> Dec 7 13:28:58 slack13 pluto[26544]: | 4b 84 59 e1 6a 44 e1 0d 8e
> fb 70 bb ca 27 7c 96
> Dec 7 13:28:58 slack13 pluto[26544]: | 75 a6 15 db 9e 79 d1 01 73
> 0c ff a0 ca cd c1 c8
> Dec 7 13:28:58 slack13 pluto[26544]: | keyid: *AwEAAZ+GM
> Dec 7 13:28:58 slack13 pluto[26544]: | Modulus:
> 9f863338df000812eb92b66a4f91b55e174f23e0ae53889b9626245e2a8e4fccc561af89af8dada925614c3b781bc01b9edb28e1dcde07aac17cbbd71a6b4350a28573afd195131d84f5f425fb0065a52431dfdbe1a74f6224bf379976c9be1af56c8067c78ef851f0c482d34299b418aa9d33f898e5d57803b2967ab3824eeb
> Dec 7 13:28:58 slack13 pluto[26544]: | PublicExponent: 10001
> Dec 7 13:28:58 slack13 pluto[26544]: | PrivateExponent:
> 3b4dfcc4ebc26b3dfd6df17adc51e30733cb2c1f5f2f96dda0985574dc85438d70e3bc0a87c5380665eb221809b2e75c5d5644809347c7b9e76ca3b8780de05c0781066bc0604bad0b57cf4a5f131a9ba06029f12d76a0aee2397cebbd150f42c7fe88947cd1cc6df67d891adbd1d337309514100e9afafe5cd719ef4521da81
> Dec 7 13:28:58 slack13 pluto[26544]: | Prime1:
> cf6088e1bc73439604de3379f287fd9a71e4f6f3963927fc6d02136f256a606711ff56cf6bc39b6581a8ed968e002e483faea5f64444e3a9fbae64cb8135b5b1
> Dec 7 13:28:58 slack13 pluto[26544]: | Prime2:
> c4ed605a433cd5bc4ca3d9b2d124f5f21ebcef732a5af74cce4dfba2e0ef9b51b7482bb4f73c88d8bbd0fc3f2229a6ab9a2b7d858f4fc4f20d56b5d762df895b
> Dec 7 13:28:58 slack13 pluto[26544]: | Exponent1:
> 4fa91e8bd04f5abc0b1cac1b812dfa1e54f8066125e8c8d26fb16773bfa4b06987815580923deeb8bc68fef36192f23470ba0f289daaf4e57c37cea259fd1ed1
> Dec 7 13:28:58 slack13 pluto[26544]: | Exponent2:
> 3913a010a95a518cb11df0741ea03ad4c149fb91029eb8fcbef2e5535124c17ccec5913d73474d569c21376b49088f713f4f09a39365086d2ba68d2fef4d60ef
> Dec 7 13:28:58 slack13 pluto[26544]: | Coefficient:
> 7ea884d9d7769396501a50406dbadbec66372c7d77f9889e2fe84326649692354b8459e16a44e10d8efb70bbca277c9675a615db9e79d101730cffa0cacdc1c8
> Dec 7 13:28:58 slack13 pluto[26544]: loaded private key for keyid:
> PPK_RSA:AwEAAZ+GM
>
>
> On the windows side I imported my certificate (from p12 format) and also
> ca.crt and placed them in the right place.
> After configuring the vpn connection on the windows side
> I tried to connect but with no luck. On the windows side I get error "792
> the l2tp connection attempt failed because security negotiation timed out"
>
> on the linux side in /var/log/secure I get:
>
> packet from 131.207.242.5:59780: ignoring
> Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> Dec 7 13:34:14 slack13 pluto[26544]: packet from 131.207.xx.xx:59780:
> ignoring Vendor ID payload [FRAGMENTATION]
> Dec 7 13:34:14 slack13 pluto[26544]: packet from 131.207.xx.xx:59780:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method
> set to=106
> Dec 7 13:34:14 slack13 pluto[26544]: packet from 131.207.xx.xx:59780:
> ignoring Vendor ID payload [Vid-Initial-Contact]
> Dec 7 13:34:14 slack13 pluto[26544]: | processing connection
> l2tp-X.509[1] 131.207.xx.xx
> Dec 7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207xx.xx #1:
> responding to Main Mode from unknown peer 131.207.xx.xx
> Dec 7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207xx.xx #1:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Dec 7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx
> #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Dec 7 13:34:14 slack13 pluto[26544]: | processing connection
> l2tp-X.509[1] 131.207.xx.xx
> Dec 7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx
> #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer
> is NATed
> Dec 7 13:34:14 slack13 pluto[26544]: | processing connection
> l2tp-X.509[1] 131.207.xx.xx
> Dec 7 13:34:14 slack13 pluto[26544]: | no Preshared Key Found
> Dec 7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx
> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Dec 7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx
> #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Dec 7 13:34:14 slack13 pluto[26544]: | processing connection
> l2tp-X.509[1] 131.207.xx.xx
> Dec 7 13:34:15 slack13 pluto[26544]: | processing connection
> l2tp-X.509[1] 131.207.xx.xx
> Dec 7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx
> #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=PL, ST=cos, O=name1,
> OU=it, CN=mycert, E=myname at wp.pl'
> Dec 7 13:34:15 slack13 pluto[26544]: | keyid: *AwEAAc+Lo
> Dec 7 13:34:15 slack13 pluto[26544]: | Modulus:
> cf8ba0b57f057ceb460129baf02daeffe104dcc31313cfccd3687c99525e7a69cf879def286ead78d2e8c06790c3bd4016fca82ed2ec14703ebdbb067e86a7b5c09cb07caa4f49f63a5f03ce2efffff10ba765017f28d20edcb0366490006d2943e4787b278c02e2f0eb1890ab60e62c246a6efd728875bde653e11f1d85f64b
> Dec 7 13:34:15 slack13 pluto[26544]: | PublicExponent: 10001
> Dec 7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx
> #1: no suitable connection for peer 'C=PL, ST=cos, O=name1, OU=it,
> CN=mycert, E=myname at wp.pl'
> Dec 7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx
> #1: sending encrypted notification INVALID_ID_INFORMATION to
> 131.207.xx.xx:59780
> Dec 7 13:34:15 slack13 pluto[26544]: | processing connection
> l2tp-X.509[1] 131.207.xx.xx
> Dec 7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.242.5
> #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=PL, ST=cos, O=name1,
> OU=it, CN=mycert, E=myname at wp.pl'
> Dec 7 13:34:15 slack13 pluto[26544]: | keyid: *AwEAAc+Lo
> Dec 7 13:34:15 slack13 pluto[26544]: | Modulus:
> cf8ba0b57f057ceb460129baf02daeffe104dcc31313cfccd3687c99525e7a69cf879def286ead78d2e8c06790c3bd4016fca82ed2ec14703ebdbb067e86a7b5c09cb07caa4f49f63a5f03ce2efffff10ba765017f28d20edcb0366490006d2943e4787b278c02e2f0eb1890ab60e62c246a6efd728875bde653e11f1d85f64b
> Dec 7 13:34:15 slack13 pluto[26544]: | PublicExponent: 10001
>
>
> I tried to generate a new certificate, but with no luck. I don't know
> what is set wrong, but with PSK the connection works well.
>
> So please help me, I hope that somebody uses openswan+xl2tpd with certs
>
> Regards
>
> Adam
> ------------------------------------------------------------------------
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
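The thread turns on whether the peer's certificate DN, which pluto logs as `ID_DER_ASN1_DN`, matches the `rightid=` of some connection; when nothing matches, pluto reports "no suitable connection for peer" and sends INVALID_ID_INFORMATION, which is what Adam sees. The script below is an added example written for this page; it is not Openswan code and not part of either message. It models that lookup in a simplified way so that a configured `rightid` can be checked against the DN copied from the log before the tunnel is tried again. Assumptions, labelled in the code as well: RDNs are compared in order and values case-sensitively; a configured value of `*` is treated as a wildcard for that attribute, modelled after (not copied from) Openswan's `match_dn()`; `E=` and `emailAddress=` are taken as the same attribute. The log line is constructed from the one in the post with the obfuscated address written out, and the connection names other than `l2tp-X.509` are hypothetical.

```python
import re

# Added example (not Openswan code): a simplified model of how a responder
# compares the peer's certificate DN (logged as ID_DER_ASN1_DN) with the
# rightid= of each connection. Assumptions, labelled here: RDNs are compared
# in order, values case-sensitively; '*' as a value is a wildcard (modelled
# after Openswan's match_dn(), not copied from it); 'E' and 'emailAddress'
# name the same attribute.

# Attribute-type spellings that name the same thing; pluto prints 'E='.
_ALIASES = {"EMAILADDRESS": "E", "EMAIL": "E"}

# Constructed from the log line in the post above; the obfuscated address
# is written out with '@'.
PEER_LOG_LINE = ('Dec  7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1: '
                 "Main mode peer ID is ID_DER_ASN1_DN: 'C=PL, ST=cos, O=name1, OU=it, "
                 "CN=mycert, E=myname@wp.pl'")

# Candidate rightid= values. "l2tp-X.509" is the connection name from the post;
# the other two names are hypothetical.
CONNECTIONS = [
    ("l2tp-X.509", "C=PL, ST=cos, O=name1, OU=it, CN=mycert, E=myname@wp.pl"),
    ("l2tp-anyuser", "C=PL, ST=cos, O=name1, OU=it, CN=*, E=*"),
    ("l2tp-wrongorder", "CN=mycert, OU=it, O=name1, ST=cos, C=PL, E=myname@wp.pl"),
]


def peer_dn_from_log(line):
    """Pull the quoted DN out of a pluto 'Main mode peer ID is ID_DER_ASN1_DN' line."""
    m = re.search(r"peer ID is ID_DER_ASN1_DN: '([^']*)'", line)
    if m is None:
        raise ValueError("no ID_DER_ASN1_DN in line")
    return m.group(1)


def parse_dn(dn):
    """Split a DN string into an ordered list of (TYPE, value) pairs.

    A comma inside a value may be escaped as '\\,' (OpenSSL style).
    """
    rdns = []
    for part in re.split(r"(?<!\\),\s*", dn.strip()):
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        typ, val = part.split("=", 1)
        typ = typ.strip().upper()
        rdns.append((_ALIASES.get(typ, typ), val.strip().replace("\\,", ",")))
    return rdns


def match_dn(peer_dn, configured_id):
    """Return (matched, wildcard_count).

    Matches only if both DNs have the same number of RDNs, in the same
    order, with equal attribute types; a configured value of '*' accepts
    any peer value and is counted so callers can prefer tighter matches.
    """
    a, b = parse_dn(peer_dn), parse_dn(configured_id)
    if len(a) != len(b):
        return False, 0
    wildcards = 0
    for (ta, va), (tb, vb) in zip(a, b):
        if ta != tb:
            return False, 0
        if vb == "*":
            wildcards += 1
        elif va != vb:
            return False, 0
    return True, wildcards


def select_connection(peer_dn, connections):
    """Pick the matching connection with the fewest wildcards; None if no
    connection matches, i.e. the 'no suitable connection for peer' case."""
    best = None
    for name, rightid in connections:
        ok, wild = match_dn(peer_dn, rightid)
        if ok and (best is None or wild < best[1]):
            best = (name, wild)
    return best[0] if best else None


if __name__ == "__main__":
    peer = peer_dn_from_log(PEER_LOG_LINE)
    print("peer DN:", peer)
    for name, rightid in CONNECTIONS:
        print("%-16s %s" % (name, match_dn(peer, rightid)))
    print("selected:", select_connection(peer, CONNECTIONS))
```

The practical point the model makes visible: the safest `rightid` is the DN copied exactly as pluto logs it (the form Francis suggests), because a different RDN order, a missing RDN, or a different letter case in a value all produce the "no suitable connection" outcome, while whitespace after the commas and the `E=`/`emailAddress=` spelling do not matter here. Whether Openswan 2.6.31 accepts `rightid=%fromcert` on a `right=%any` connection is the open question of the thread and is not modelled.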