[Openswan Users] openswan + certificates

Adam Sienkiewicz adamsienkiewicz78 at gmail.com
Tue Dec 7 07:45:50 EST 2010


Hi all;

For a few days I have been trying to get openswan + l2tpd working with certificates.
First I installed openswan + l2tpd as I did before and I tested the
connection with PSK - it works great.
Next I modified the config file ipsec.conf like below:

config setup
    interfaces=%defaultroute
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,!%v4:192.168.0.0/16
    nat_traversal=yes
    protostack=netkey
    plutodebug=private
    OE=off
#conn l2tp
#    rightsubnet=vhost:%priv
#    also=l2tp-X.509

conn l2tp-X.509
    #
    # Configuration for one user with any type of IPsec/L2TP client
    # including the updated Windows 2000/XP (MS KB Q818043), but
    # excluding the non-updated Windows 2000/XP.
    #
    #
    # Use a certificate. Disable Perfect Forward Secrecy.
    #
    #auth=esp
    authby=rsasig
    pfs=no
    auto=add
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    # l2tp-over-ipsec is transport mode
    # See http://bugs.xelerance.com/view.php?id=466
    type=transport
    #
    left=83.230.105.135
    leftnexthop=83.230.105.129
    leftid=%fromcert

    leftca=/etc/ipsec.d/cacert/cacert.pem
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/vpntest.pem
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    rightca=%same
    rightid=%fromcert
    rightrsasigkey=%cert
    # Using the magic port of "0" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port, but propose "0" instead of their port. If that does
    # not work, try 17/%any
    rightprotoport=17/0
    rightsubnet=vhost:%priv,%no

I didn't change my xl2tpd config file.
Because I use an openvpn VPN server I want to use the same certificates for
openswan. So I copied the earlier generated certificates (via the easy-rsa tool from
openswan):
cacert.pem to /etc/ipsec.d/cacert, vpntest.pem to /etc/ipsec.d/certs and the key
file I put into /etc/ipsec.d/private. I don't use a passphrase for the vpntest key. I
also put a line into ipsec.secrets:

: RSA /etc/ipsec.d/private/vpntest.key *

Next I added the connection:
ipsec setup start

and in /var/log/secure I got:

Dec  7 13:28:58 slack13 pluto[26544]: Starting Pluto (Openswan Version
2.6.31; Vendor ID OE}GnD\177ZAYe[) pid:26544
Dec  7 13:28:58 slack13 pluto[26544]: LEAK_DETECTIVE support [enabled]
Dec  7 13:28:58 slack13 pluto[26544]: SAref support [disabled]: Protocol not
available
Dec  7 13:28:58 slack13 pluto[26544]: SAbind support [disabled]: Protocol
not available
Dec  7 13:28:58 slack13 pluto[26544]: NSS support [disabled]
Dec  7 13:28:58 slack13 pluto[26544]: HAVE_STATSD notification support not
compiled in
Dec  7 13:28:58 slack13 pluto[26544]: Setting NAT-Traversal port-4500
floating to on
Dec  7 13:28:58 slack13 pluto[26544]:    port floating activation criteria
nat_t=1/port_float=1
Dec  7 13:28:58 slack13 pluto[26544]:    NAT-Traversal support  [enabled]
Dec  7 13:28:58 slack13 pluto[26544]: 1 bad entries in virtual_private -
none loaded
Dec  7 13:28:58 slack13 pluto[26544]: using /dev/urandom as source of random
entropy
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC: Ok (ret=0)
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating
OAKLEY_SERPENT_CBC: Ok (ret=0)
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating
OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_512: Ok (ret=0)
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_256: Ok (ret=0)
Dec  7 13:28:58 slack13 pluto[26544]: starting up 1 cryptographic helpers
Dec  7 13:28:58 slack13 pluto[26544]: started helper pid=26548 (fd:7)
Dec  7 13:28:58 slack13 pluto[26544]: Using Linux 2.6 IPsec interface code
on 2.6.33.4 (experimental code)
Dec  7 13:28:58 slack13 pluto[26548]: using /dev/urandom as source of random
entropy
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating
aes_ccm_8: Ok (ret=0)
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm
already exists
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating
aes_ccm_12: FAILED (ret=-17)
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm
already exists
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating
aes_ccm_16: FAILED (ret=-17)
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm
already exists
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating
aes_gcm_8: FAILED (ret=-17)
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm
already exists
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating
aes_gcm_12: FAILED (ret=-17)
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm
already exists
Dec  7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating
aes_gcm_16: FAILED (ret=-17)
Dec  7 13:28:58 slack13 pluto[26544]: Changed path to directory
'/etc/ipsec.d/cacerts'
Dec  7 13:28:58 slack13 pluto[26544]:   loaded CA cert file 'cacert.pem'
(1334 bytes)
Dec  7 13:28:58 slack13 pluto[26544]: Changed path to directory
'/etc/ipsec.d/aacerts'
Dec  7 13:28:58 slack13 pluto[26544]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Dec  7 13:28:58 slack13 pluto[26544]: Changing to directory
'/etc/ipsec.d/crls'
Dec  7 13:28:58 slack13 pluto[26544]:   loaded crl file 'crl.crl' (528
bytes)
Dec  7 13:28:58 slack13 pluto[26544]: loading certificate from
/etc/ipsec.d/certs/vpntest.pem
Dec  7 13:28:58 slack13 pluto[26544]:   loaded host cert file
'/etc/ipsec.d/certs/vpntest.pem' (3802 bytes)
Dec  7 13:28:58 slack13 pluto[26544]:   no subjectAltName matches ID
'%fromcert', replaced by subject DN
Dec  7 13:28:58 slack13 pluto[26544]: |  keyid: *AwEAAZ+GM
Dec  7 13:28:58 slack13 pluto[26544]: |  Modulus:
9f863338df000812eb92b66a4f91b55e174f23e0ae53889b9626245e2a8e4fccc561af89af8dada925614c3b781bc01b9edb28e1dcde07aac17cbbd71a6b4350a28573afd195131d84f5f425fb0065a52431dfdbe1a74f6224bf379976c9be1af56c8067c78ef851f0c482d34299b418aa9d33f898e5d57803b2967ab3824eeb
Dec  7 13:28:58 slack13 pluto[26544]: |  PublicExponent: 10001
Dec  7 13:28:58 slack13 pluto[26544]: added connection description
"l2tp-X.509"
Dec  7 13:28:58 slack13 pluto[26544]: listening for IKE messages
Dec  7 13:28:58 slack13 pluto[26544]: | invalid listen= option ignored:
empty string
Dec  7 13:28:58 slack13 pluto[26544]: NAT-Traversal: Trying new style NAT-T
Dec  7 13:28:58 slack13 pluto[26544]: NAT-Traversal: ESPINUDP(1) setup
failed for new style NAT-T family IPv4 (errno=19)
Dec  7 13:28:58 slack13 pluto[26544]: NAT-Traversal: Trying old style NAT-T
Dec  7 13:28:58 slack13 pluto[26544]: adding interface bond0/bond0
192.168.1.19:500
Dec  7 13:28:58 slack13 pluto[26544]: adding interface bond0/bond0
192.168.1.19:4500
Dec  7 13:28:58 slack13 pluto[26544]: adding interface eth3/eth3
MYIPADDRESS:500
Dec  7 13:28:58 slack13 pluto[26544]: adding interface eth3/eth3
MYIPADDRESS:4500
Dec  7 13:28:58 slack13 pluto[26544]: adding interface lo/lo 127.0.0.1:500
Dec  7 13:28:58 slack13 pluto[26544]: adding interface lo/lo 127.0.0.1:4500
Dec  7 13:28:58 slack13 pluto[26544]: adding interface lo/lo ::1:500
Dec  7 13:28:58 slack13 pluto[26544]: loading secrets from
"/etc/ipsec.secrets"
Dec  7 13:28:58 slack13 pluto[26544]:   loaded private key file
'/etc/ipsec.d/private/vpntest.key' (887 bytes)
Dec  7 13:28:58 slack13 pluto[26544]: loaded private key for keyid:
PPK_RSA:AwEAAZ+GM


On the Windows side I imported my certificate (from p12 format) and also ca.crt
and placed them in the right place.
After configuring the VPN connection on the Windows side
I tried to connect but with no luck. On the Windows side I get the error "792 the
l2tp connection attempt failed because security negotiation timed out"

On the Linux side in /var/log/secure I get:

acket from 131.207.242.5:59780: ignoring Vendor ID payload [MS NT5
ISAKMPOAKLEY 00000004]
Dec  7 13:34:14 slack13 pluto[26544]: packet from 131.207.xx.xx:59780:
ignoring Vendor ID payload [FRAGMENTATION]
Dec  7 13:34:14 slack13 pluto[26544]: packet from 131.207.xx.xx:59780:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Dec  7 13:34:14 slack13 pluto[26544]: packet from 131.207.xx.xx:59780:
ignoring Vendor ID payload [Vid-Initial-Contact]
Dec  7 13:34:14 slack13 pluto[26544]: | processing connection l2tp-X.509[1]
131.207.xx.xx
Dec  7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207xx.xx #1:
responding to Main Mode from unknown peer 131.207.xx.xx
Dec  7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207xx.xx #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec  7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Dec  7 13:34:14 slack13 pluto[26544]: | processing connection l2tp-X.509[1]
131.207.xx.xx
Dec  7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Dec  7 13:34:14 slack13 pluto[26544]: | processing connection l2tp-X.509[1]
131.207.xx.xx
Dec  7 13:34:14 slack13 pluto[26544]: | no Preshared Key Found
Dec  7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec  7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Dec  7 13:34:14 slack13 pluto[26544]: | processing connection l2tp-X.509[1]
131.207.xx.xx
Dec  7 13:34:15 slack13 pluto[26544]: | processing connection l2tp-X.509[1]
131.207.xx.xx
Dec  7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1: Main
mode peer ID is ID_DER_ASN1_DN: 'C=PL, ST=cos, O=name1, OU=it, CN=mycert, E=
myname at wp.pl'
Dec  7 13:34:15 slack13 pluto[26544]: |  keyid: *AwEAAc+Lo
Dec  7 13:34:15 slack13 pluto[26544]: |  Modulus:
cf8ba0b57f057ceb460129baf02daeffe104dcc31313cfccd3687c99525e7a69cf879def286ead78d2e8c06790c3bd4016fca82ed2ec14703ebdbb067e86a7b5c09cb07caa4f49f63a5f03ce2efffff10ba765017f28d20edcb0366490006d2943e4787b278c02e2f0eb1890ab60e62c246a6efd728875bde653e11f1d85f64b
Dec  7 13:34:15 slack13 pluto[26544]: |  PublicExponent: 10001
Dec  7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1: no
suitable connection for peer 'C=PL, ST=cos, O=name1, OU=it, CN=mycert, E=
myname at wp.pl'
Dec  7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1:
sending encrypted notification INVALID_ID_INFORMATION to 131.207.xx.xx:59780
Dec  7 13:34:15 slack13 pluto[26544]: | processing connection l2tp-X.509[1]
131.207.xx.xx
Dec  7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.242.5 #1: Main
mode peer ID is ID_DER_ASN1_DN: 'C=PL, ST=cos, O=name1, OU=it, CN=mycert, E=
myname at wp.pl'
Dec  7 13:34:15 slack13 pluto[26544]: |  keyid: *AwEAAc+Lo
Dec  7 13:34:15 slack13 pluto[26544]: |  Modulus:
cf8ba0b57f057ceb460129baf02daeffe104dcc31313cfccd3687c99525e7a69cf879def286ead78d2e8c06790c3bd4016fca82ed2ec14703ebdbb067e86a7b5c09cb07caa4f49f63a5f03ce2efffff10ba765017f28d20edcb0366490006d2943e4787b278c02e2f0eb1890ab60e62c246a6efd728875bde653e11f1d85f64b
Dec  7 13:34:15 slack13 pluto[26544]: |  PublicExponent: 10001


I tried to generate a new certificate, but with no luck. I don't know what is
set wrong, but with PSK the connection works well.

So please help me; I hope that somebody uses openswan+xl2tpd with certs.

Regards

Adam