[Openswan Users] openswan + certificates
Adam Sienkiewicz
adamsienkiewicz78 at gmail.com
Tue Dec 7 07:45:50 EST 2010
Hi all;
For a few days I've been trying to get openswan + l2tpd working with certificates.
First I installed openswan + l2tpd as I had done before, and I tested the
connection with PSK - it works great.
Next I modified the ipsec.conf config file like below:
config setup
    interfaces=%defaultroute
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,!%v4:192.168.0.0/16
    nat_traversal=yes
    protostack=netkey
    plutodebug=private
    OE=off

#conn l2tp
#    rightsubnet=vhost:%priv
#    also=l2tp-X.509

conn l2tp-X.509
    #
    # Configuration for one user with any type of IPsec/L2TP client
    # including the updated Windows 2000/XP (MS KB Q818043), but
    # excluding the non-updated Windows 2000/XP.
    #
    # Use a certificate. Disable Perfect Forward Secrecy.
    #
    #auth=esp
    authby=rsasig
    pfs=no
    auto=add
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    # l2tp-over-ipsec is transport mode
    # See http://bugs.xelerance.com/view.php?id=466
    type=transport
    #
    left=83.230.105.135
    leftnexthop=83.230.105.129
    leftid=%fromcert
    leftca=/etc/ipsec.d/cacert/cacert.pem
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/vpntest.pem
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    rightca=%same
    rightid=%fromcert
    rightrsasigkey=%cert
    # Using the magic port of "0" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port, but propose "0" instead of their port. If that does
    # not work, try 17/%any
    rightprotoport=17/0
    rightsubnet=vhost:%priv,%no
I didn't change my xl2tpd config file.
Because I use an openvpn VPN server, I want to use the same certificates with
openswan. So I copied the earlier generated certificates (via the easy-rsa tool from
openswan): cacert.pem to /etc/ipsec.d/cacert, vpntest.pem to /etc/ipsec.d/certs, and
the key file I put into /etc/ipsec.d/private. I don't use a passphrase for the vpntest
key. I also put a line into ipsec.secrets:

: RSA /etc/ipsec.d/private/vpntest.key *
Next I started the connection:

ipsec setup start

and in /var/log/secure I got:
Dec 7 13:28:58 slack13 pluto[26544]: Starting Pluto (Openswan Version 2.6.31; Vendor ID OE}GnD\177ZAYe[) pid:26544
Dec 7 13:28:58 slack13 pluto[26544]: LEAK_DETECTIVE support [enabled]
Dec 7 13:28:58 slack13 pluto[26544]: SAref support [disabled]: Protocol not available
Dec 7 13:28:58 slack13 pluto[26544]: SAbind support [disabled]: Protocol not available
Dec 7 13:28:58 slack13 pluto[26544]: NSS support [disabled]
Dec 7 13:28:58 slack13 pluto[26544]: HAVE_STATSD notification support not compiled in
Dec 7 13:28:58 slack13 pluto[26544]: Setting NAT-Traversal port-4500 floating to on
Dec 7 13:28:58 slack13 pluto[26544]: port floating activation criteria nat_t=1/port_float=1
Dec 7 13:28:58 slack13 pluto[26544]: NAT-Traversal support [enabled]
Dec 7 13:28:58 slack13 pluto[26544]: 1 bad entries in virtual_private - none loaded
Dec 7 13:28:58 slack13 pluto[26544]: using /dev/urandom as source of random entropy
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Dec 7 13:28:58 slack13 pluto[26544]: starting up 1 cryptographic helpers
Dec 7 13:28:58 slack13 pluto[26544]: started helper pid=26548 (fd:7)
Dec 7 13:28:58 slack13 pluto[26544]: Using Linux 2.6 IPsec interface code on 2.6.33.4 (experimental code)
Dec 7 13:28:58 slack13 pluto[26548]: using /dev/urandom as source of random entropy
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm already exists
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm already exists
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm already exists
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm already exists
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_add(): ERROR: Algorithm already exists
Dec 7 13:28:58 slack13 pluto[26544]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Dec 7 13:28:58 slack13 pluto[26544]: Changed path to directory '/etc/ipsec.d/cacerts'
Dec 7 13:28:58 slack13 pluto[26544]: loaded CA cert file 'cacert.pem' (1334 bytes)
Dec 7 13:28:58 slack13 pluto[26544]: Changed path to directory '/etc/ipsec.d/aacerts'
Dec 7 13:28:58 slack13 pluto[26544]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Dec 7 13:28:58 slack13 pluto[26544]: Changing to directory '/etc/ipsec.d/crls'
Dec 7 13:28:58 slack13 pluto[26544]: loaded crl file 'crl.crl' (528 bytes)
Dec 7 13:28:58 slack13 pluto[26544]: loading certificate from /etc/ipsec.d/certs/vpntest.pem
Dec 7 13:28:58 slack13 pluto[26544]: loaded host cert file '/etc/ipsec.d/certs/vpntest.pem' (3802 bytes)
Dec 7 13:28:58 slack13 pluto[26544]: no subjectAltName matches ID '%fromcert', replaced by subject DN
Dec 7 13:28:58 slack13 pluto[26544]: | keyid: *AwEAAZ+GM
Dec 7 13:28:58 slack13 pluto[26544]: | Modulus: 9f863338df000812eb92b66a4f91b55e174f23e0ae53889b9626245e2a8e4fccc561af89af8dada925614c3b781bc01b9edb28e1dcde07aac17cbbd71a6b4350a28573afd195131d84f5f425fb0065a52431dfdbe1a74f6224bf379976c9be1af56c8067c78ef851f0c482d34299b418aa9d33f898e5d57803b2967ab3824eeb
Dec 7 13:28:58 slack13 pluto[26544]: | PublicExponent: 10001
Dec 7 13:28:58 slack13 pluto[26544]: added connection description "l2tp-X.509"
Dec 7 13:28:58 slack13 pluto[26544]: listening for IKE messages
Dec 7 13:28:58 slack13 pluto[26544]: | invalid listen= option ignored: empty string
Dec 7 13:28:58 slack13 pluto[26544]: NAT-Traversal: Trying new style NAT-T
Dec 7 13:28:58 slack13 pluto[26544]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Dec 7 13:28:58 slack13 pluto[26544]: NAT-Traversal: Trying old style NAT-T
Dec 7 13:28:58 slack13 pluto[26544]: adding interface bond0/bond0 192.168.1.19:500
Dec 7 13:28:58 slack13 pluto[26544]: adding interface bond0/bond0 192.168.1.19:4500
Dec 7 13:28:58 slack13 pluto[26544]: adding interface eth3/eth3 MYIPADDRESS:500
Dec 7 13:28:58 slack13 pluto[26544]: adding interface eth3/eth3 MYIPADDRESS:4500
Dec 7 13:28:58 slack13 pluto[26544]: adding interface lo/lo 127.0.0.1:500
Dec 7 13:28:58 slack13 pluto[26544]: adding interface lo/lo 127.0.0.1:4500
Dec 7 13:28:58 slack13 pluto[26544]: adding interface lo/lo ::1:500
Dec 7 13:28:58 slack13 pluto[26544]: loading secrets from "/etc/ipsec.secrets"
Dec 7 13:28:58 slack13 pluto[26544]: loaded private key file '/etc/ipsec.d/private/vpntest.key' (887 bytes)
Dec 7 13:28:58 slack13 pluto[26544]: | 30 82 02 5b 02 01 00 02 81 81 00
9f 86 33 38 df
Dec 7 13:28:58 slack13 pluto[26544]: | 00 08 12 eb 92 b6 6a 4f 91 b5 5e
17 4f 23 e0 ae
Dec 7 13:28:58 slack13 pluto[26544]: | 53 88 9b 96 26 24 5e 2a 8e 4f cc
c5 61 af 89 af
Dec 7 13:28:58 slack13 pluto[26544]: | 8d ad a9 25 61 4c 3b 78 1b c0 1b
9e db 28 e1 dc
Dec 7 13:28:58 slack13 pluto[26544]: | de 07 aa c1 7c bb d7 1a 6b 43 50
a2 85 73 af d1
Dec 7 13:28:58 slack13 pluto[26544]: | 95 13 1d 84 f5 f4 25 fb 00 65 a5
24 31 df db e1
Dec 7 13:28:58 slack13 pluto[26544]: | a7 4f 62 24 bf 37 99 76 c9 be 1a
f5 6c 80 67 c7
Dec 7 13:28:58 slack13 pluto[26544]: | 8e f8 51 f0 c4 82 d3 42 99 b4 18
aa 9d 33 f8 98
Dec 7 13:28:58 slack13 pluto[26544]: | e5 d5 78 03 b2 96 7a b3 82 4e eb
02 03 01 00 01
Dec 7 13:28:58 slack13 pluto[26544]: | 02 81 80 3b 4d fc c4 eb c2 6b 3d
fd 6d f1 7a dc
Dec 7 13:28:58 slack13 pluto[26544]: | 51 e3 07 33 cb 2c 1f 5f 2f 96 dd
a0 98 55 74 dc
Dec 7 13:28:58 slack13 pluto[26544]: | 85 43 8d 70 e3 bc 0a 87 c5 38 06
65 eb 22 18 09
Dec 7 13:28:58 slack13 pluto[26544]: | b2 e7 5c 5d 56 44 80 93 47 c7 b9
e7 6c a3 b8 78
Dec 7 13:28:58 slack13 pluto[26544]: | 0d e0 5c 07 81 06 6b c0 60 4b ad
0b 57 cf 4a 5f
Dec 7 13:28:58 slack13 pluto[26544]: | 13 1a 9b a0 60 29 f1 2d 76 a0 ae
e2 39 7c eb bd
Dec 7 13:28:58 slack13 pluto[26544]: | 15 0f 42 c7 fe 88 94 7c d1 cc 6d
f6 7d 89 1a db
Dec 7 13:28:58 slack13 pluto[26544]: | d1 d3 37 30 95 14 10 0e 9a fa fe
5c d7 19 ef 45
Dec 7 13:28:58 slack13 pluto[26544]: | 21 da 81 02 41 00 cf 60 88 e1 bc
73 43 96 04 de
Dec 7 13:28:58 slack13 pluto[26544]: | 33 79 f2 87 fd 9a 71 e4 f6 f3 96
39 27 fc 6d 02
Dec 7 13:28:58 slack13 pluto[26544]: | 13 6f 25 6a 60 67 11 ff 56 cf 6b
c3 9b 65 81 a8
Dec 7 13:28:58 slack13 pluto[26544]: | ed 96 8e 00 2e 48 3f ae a5 f6 44
44 e3 a9 fb ae
Dec 7 13:28:58 slack13 pluto[26544]: | 64 cb 81 35 b5 b1 02 41 00 c4 ed
60 5a 43 3c d5
Dec 7 13:28:58 slack13 pluto[26544]: | bc 4c a3 d9 b2 d1 24 f5 f2 1e bc
ef 73 2a 5a f7
Dec 7 13:28:58 slack13 pluto[26544]: | 4c ce 4d fb a2 e0 ef 9b 51 b7 48
2b b4 f7 3c 88
Dec 7 13:28:58 slack13 pluto[26544]: | d8 bb d0 fc 3f 22 29 a6 ab 9a 2b
7d 85 8f 4f c4
Dec 7 13:28:58 slack13 pluto[26544]: | f2 0d 56 b5 d7 62 df 89 5b 02 40
4f a9 1e 8b d0
Dec 7 13:28:58 slack13 pluto[26544]: | 4f 5a bc 0b 1c ac 1b 81 2d fa 1e
54 f8 06 61 25
Dec 7 13:28:58 slack13 pluto[26544]: | e8 c8 d2 6f b1 67 73 bf a4 b0 69
87 81 55 80 92
Dec 7 13:28:58 slack13 pluto[26544]: | 3d ee b8 bc 68 fe f3 61 92 f2 34
70 ba 0f 28 9d
Dec 7 13:28:58 slack13 pluto[26544]: | aa f4 e5 7c 37 ce a2 59 fd 1e d1
02 40 39 13 a0
Dec 7 13:28:58 slack13 pluto[26544]: | 10 a9 5a 51 8c b1 1d f0 74 1e a0
3a d4 c1 49 fb
Dec 7 13:28:58 slack13 pluto[26544]: | 91 02 9e b8 fc be f2 e5 53 51 24
c1 7c ce c5 91
Dec 7 13:28:58 slack13 pluto[26544]: | 3d 73 47 4d 56 9c 21 37 6b 49 08
8f 71 3f 4f 09
Dec 7 13:28:58 slack13 pluto[26544]: | a3 93 65 08 6d 2b a6 8d 2f ef 4d
60 ef 02 40 7e
Dec 7 13:28:58 slack13 pluto[26544]: | a8 84 d9 d7 76 93 96 50 1a 50 40
6d ba db ec 66
Dec 7 13:28:58 slack13 pluto[26544]: | 37 2c 7d 77 f9 88 9e 2f e8 43 26
64 96 92 35 4b
Dec 7 13:28:58 slack13 pluto[26544]: | 84 59 e1 6a 44 e1 0d 8e fb 70 bb
ca 27 7c 96 75
Dec 7 13:28:58 slack13 pluto[26544]: | a6 15 db 9e 79 d1 01 73 0c ff a0
ca cd c1 c8
Dec 7 13:28:58 slack13 pluto[26544]: | 00
Dec 7 13:28:58 slack13 pluto[26544]: | 00 9f 86 33 38 df 00 08 12 eb 92
b6 6a 4f 91 b5
Dec 7 13:28:58 slack13 pluto[26544]: | 5e 17 4f 23 e0 ae 53 88 9b 96 26
24 5e 2a 8e 4f
Dec 7 13:28:58 slack13 pluto[26544]: | cc c5 61 af 89 af 8d ad a9 25 61
4c 3b 78 1b c0
Dec 7 13:28:58 slack13 pluto[26544]: | 1b 9e db 28 e1 dc de 07 aa c1 7c
bb d7 1a 6b 43
Dec 7 13:28:58 slack13 pluto[26544]: | 50 a2 85 73 af d1 95 13 1d 84 f5
f4 25 fb 00 65
Dec 7 13:28:58 slack13 pluto[26544]: | a5 24 31 df db e1 a7 4f 62 24 bf
37 99 76 c9 be
Dec 7 13:28:58 slack13 pluto[26544]: | 1a f5 6c 80 67 c7 8e f8 51 f0 c4
82 d3 42 99 b4
Dec 7 13:28:58 slack13 pluto[26544]: | 18 aa 9d 33 f8 98 e5 d5 78 03 b2
96 7a b3 82 4e
Dec 7 13:28:58 slack13 pluto[26544]: | eb
Dec 7 13:28:58 slack13 pluto[26544]: | 01 00 01
Dec 7 13:28:58 slack13 pluto[26544]: | 3b 4d fc c4 eb c2 6b 3d fd 6d f1
7a dc 51 e3 07
Dec 7 13:28:58 slack13 pluto[26544]: | 33 cb 2c 1f 5f 2f 96 dd a0 98 55
74 dc 85 43 8d
Dec 7 13:28:58 slack13 pluto[26544]: | 70 e3 bc 0a 87 c5 38 06 65 eb 22
18 09 b2 e7 5c
Dec 7 13:28:58 slack13 pluto[26544]: | 5d 56 44 80 93 47 c7 b9 e7 6c a3
b8 78 0d e0 5c
Dec 7 13:28:58 slack13 pluto[26544]: | 07 81 06 6b c0 60 4b ad 0b 57 cf
4a 5f 13 1a 9b
Dec 7 13:28:58 slack13 pluto[26544]: | a0 60 29 f1 2d 76 a0 ae e2 39 7c
eb bd 15 0f 42
Dec 7 13:28:58 slack13 pluto[26544]: | c7 fe 88 94 7c d1 cc 6d f6 7d 89
1a db d1 d3 37
Dec 7 13:28:58 slack13 pluto[26544]: | 30 95 14 10 0e 9a fa fe 5c d7 19
ef 45 21 da 81
Dec 7 13:28:58 slack13 pluto[26544]: | 00 cf 60 88 e1 bc 73 43 96 04 de
33 79 f2 87 fd
Dec 7 13:28:58 slack13 pluto[26544]: | 9a 71 e4 f6 f3 96 39 27 fc 6d 02
13 6f 25 6a 60
Dec 7 13:28:58 slack13 pluto[26544]: | 67 11 ff 56 cf 6b c3 9b 65 81 a8
ed 96 8e 00 2e
Dec 7 13:28:58 slack13 pluto[26544]: | 48 3f ae a5 f6 44 44 e3 a9 fb ae
64 cb 81 35 b5
Dec 7 13:28:58 slack13 pluto[26544]: | b1
Dec 7 13:28:58 slack13 pluto[26544]: | 00 c4 ed 60 5a 43 3c d5 bc 4c a3
d9 b2 d1 24 f5
Dec 7 13:28:58 slack13 pluto[26544]: | f2 1e bc ef 73 2a 5a f7 4c ce 4d
fb a2 e0 ef 9b
Dec 7 13:28:58 slack13 pluto[26544]: | 51 b7 48 2b b4 f7 3c 88 d8 bb d0
fc 3f 22 29 a6
Dec 7 13:28:58 slack13 pluto[26544]: | ab 9a 2b 7d 85 8f 4f c4 f2 0d 56
b5 d7 62 df 89
Dec 7 13:28:58 slack13 pluto[26544]: | 5b
Dec 7 13:28:58 slack13 pluto[26544]: | 4f a9 1e 8b d0 4f 5a bc 0b 1c ac
1b 81 2d fa 1e
Dec 7 13:28:58 slack13 pluto[26544]: | 54 f8 06 61 25 e8 c8 d2 6f b1 67
73 bf a4 b0 69
Dec 7 13:28:58 slack13 pluto[26544]: | 87 81 55 80 92 3d ee b8 bc 68 fe
f3 61 92 f2 34
Dec 7 13:28:58 slack13 pluto[26544]: | 70 ba 0f 28 9d aa f4 e5 7c 37 ce
a2 59 fd 1e d1
Dec 7 13:28:58 slack13 pluto[26544]: | 39 13 a0 10 a9 5a 51 8c b1 1d f0
74 1e a0 3a d4
Dec 7 13:28:58 slack13 pluto[26544]: | c1 49 fb 91 02 9e b8 fc be f2 e5
53 51 24 c1 7c
Dec 7 13:28:58 slack13 pluto[26544]: | ce c5 91 3d 73 47 4d 56 9c 21 37
6b 49 08 8f 71
Dec 7 13:28:58 slack13 pluto[26544]: | 3f 4f 09 a3 93 65 08 6d 2b a6 8d
2f ef 4d 60 ef
Dec 7 13:28:58 slack13 pluto[26544]: | 7e a8 84 d9 d7 76 93 96 50 1a 50
40 6d ba db ec
Dec 7 13:28:58 slack13 pluto[26544]: | 66 37 2c 7d 77 f9 88 9e 2f e8 43
26 64 96 92 35
Dec 7 13:28:58 slack13 pluto[26544]: | 4b 84 59 e1 6a 44 e1 0d 8e fb 70
bb ca 27 7c 96
Dec 7 13:28:58 slack13 pluto[26544]: | 75 a6 15 db 9e 79 d1 01 73 0c ff
a0 ca cd c1 c8
Dec 7 13:28:58 slack13 pluto[26544]: | keyid: *AwEAAZ+GM
Dec 7 13:28:58 slack13 pluto[26544]: | Modulus: 9f863338df000812eb92b66a4f91b55e174f23e0ae53889b9626245e2a8e4fccc561af89af8dada925614c3b781bc01b9edb28e1dcde07aac17cbbd71a6b4350a28573afd195131d84f5f425fb0065a52431dfdbe1a74f6224bf379976c9be1af56c8067c78ef851f0c482d34299b418aa9d33f898e5d57803b2967ab3824eeb
Dec 7 13:28:58 slack13 pluto[26544]: | PublicExponent: 10001
Dec 7 13:28:58 slack13 pluto[26544]: | PrivateExponent: 3b4dfcc4ebc26b3dfd6df17adc51e30733cb2c1f5f2f96dda0985574dc85438d70e3bc0a87c5380665eb221809b2e75c5d5644809347c7b9e76ca3b8780de05c0781066bc0604bad0b57cf4a5f131a9ba06029f12d76a0aee2397cebbd150f42c7fe88947cd1cc6df67d891adbd1d337309514100e9afafe5cd719ef4521da81
Dec 7 13:28:58 slack13 pluto[26544]: | Prime1: cf6088e1bc73439604de3379f287fd9a71e4f6f3963927fc6d02136f256a606711ff56cf6bc39b6581a8ed968e002e483faea5f64444e3a9fbae64cb8135b5b1
Dec 7 13:28:58 slack13 pluto[26544]: | Prime2: c4ed605a433cd5bc4ca3d9b2d124f5f21ebcef732a5af74cce4dfba2e0ef9b51b7482bb4f73c88d8bbd0fc3f2229a6ab9a2b7d858f4fc4f20d56b5d762df895b
Dec 7 13:28:58 slack13 pluto[26544]: | Exponent1: 4fa91e8bd04f5abc0b1cac1b812dfa1e54f8066125e8c8d26fb16773bfa4b06987815580923deeb8bc68fef36192f23470ba0f289daaf4e57c37cea259fd1ed1
Dec 7 13:28:58 slack13 pluto[26544]: | Exponent2: 3913a010a95a518cb11df0741ea03ad4c149fb91029eb8fcbef2e5535124c17ccec5913d73474d569c21376b49088f713f4f09a39365086d2ba68d2fef4d60ef
Dec 7 13:28:58 slack13 pluto[26544]: | Coefficient: 7ea884d9d7769396501a50406dbadbec66372c7d77f9889e2fe84326649692354b8459e16a44e10d8efb70bbca277c9675a615db9e79d101730cffa0cacdc1c8
Dec 7 13:28:58 slack13 pluto[26544]: loaded private key for keyid: PPK_RSA:AwEAAZ+GM
On the windows side I imported my certificate (from p12 format) and also ca.crt
and placed them in the right place.
After configuring the vpn connection on the windows side
I tried to connect, but with no luck. On the windows side I get error "792 the
l2tp connection attempt failed because security negotiation timed out";
on the linux side in /var/log/secure I get:
packet from 131.207.242.5:59780: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Dec 7 13:34:14 slack13 pluto[26544]: packet from 131.207.xx.xx:59780: ignoring Vendor ID payload [FRAGMENTATION]
Dec 7 13:34:14 slack13 pluto[26544]: packet from 131.207.xx.xx:59780: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Dec 7 13:34:14 slack13 pluto[26544]: packet from 131.207.xx.xx:59780: ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 7 13:34:14 slack13 pluto[26544]: | processing connection l2tp-X.509[1] 131.207.xx.xx
Dec 7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1: responding to Main Mode from unknown peer 131.207.xx.xx
Dec 7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 7 13:34:14 slack13 pluto[26544]: | processing connection l2tp-X.509[1] 131.207.xx.xx
Dec 7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Dec 7 13:34:14 slack13 pluto[26544]: | processing connection l2tp-X.509[1] 131.207.xx.xx
Dec 7 13:34:14 slack13 pluto[26544]: | no Preshared Key Found
Dec 7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 7 13:34:14 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 7 13:34:14 slack13 pluto[26544]: | processing connection l2tp-X.509[1] 131.207.xx.xx
Dec 7 13:34:15 slack13 pluto[26544]: | processing connection l2tp-X.509[1] 131.207.xx.xx
Dec 7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=PL, ST=cos, O=name1, OU=it, CN=mycert, E=myname@wp.pl'
Dec 7 13:34:15 slack13 pluto[26544]: | keyid: *AwEAAc+Lo
Dec 7 13:34:15 slack13 pluto[26544]: | Modulus: cf8ba0b57f057ceb460129baf02daeffe104dcc31313cfccd3687c99525e7a69cf879def286ead78d2e8c06790c3bd4016fca82ed2ec14703ebdbb067e86a7b5c09cb07caa4f49f63a5f03ce2efffff10ba765017f28d20edcb0366490006d2943e4787b278c02e2f0eb1890ab60e62c246a6efd728875bde653e11f1d85f64b
Dec 7 13:34:15 slack13 pluto[26544]: | PublicExponent: 10001
Dec 7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1: no suitable connection for peer 'C=PL, ST=cos, O=name1, OU=it, CN=mycert, E=myname@wp.pl'
Dec 7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.xx.xx #1: sending encrypted notification INVALID_ID_INFORMATION to 131.207.xx.xx:59780
Dec 7 13:34:15 slack13 pluto[26544]: | processing connection l2tp-X.509[1] 131.207.xx.xx
Dec 7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 131.207.242.5 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=PL, ST=cos, O=name1, OU=it, CN=mycert, E=myname@wp.pl'
Dec 7 13:34:15 slack13 pluto[26544]: | keyid: *AwEAAc+Lo
Dec 7 13:34:15 slack13 pluto[26544]: | Modulus: cf8ba0b57f057ceb460129baf02daeffe104dcc31313cfccd3687c99525e7a69cf879def286ead78d2e8c06790c3bd4016fca82ed2ec14703ebdbb067e86a7b5c09cb07caa4f49f63a5f03ce2efffff10ba765017f28d20edcb0366490006d2943e4787b278c02e2f0eb1890ab60e62c246a6efd728875bde653e11f1d85f64b
Dec 7 13:34:15 slack13 pluto[26544]: | PublicExponent: 10001
I tried to generate a new certificate, but with no luck. I don't know what is
set wrong, but with PSK the connection works well.
So please help me; I hope that somebody uses openswan+xl2tpd with certs.
Regards
Adam
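Two things in the log above deserve a note before anyone copies this setup. First, the config has plutodebug=private, and pluto accordingly printed the RSA private key it loaded from /etc/ipsec.d/private/vpntest.key: the DER byte dump of the key file plus PrivateExponent, Prime1, Prime2, Exponent1, Exponent2 and Coefficient. Anyone reading the archive can reconstruct that key, so it has to be treated as compromised and the vpntest certificate reissued; debug logs produced with that option must be redacted before they are shared. Second, the actual rejection is visible: the Windows client authenticated with a certificate whose subject DN pluto printed as 'C=PL, ST=cos, O=name1, OU=it, CN=mycert, E=myname@wp.pl', and pluto answered "no suitable connection for peer" followed by an INVALID_ID_INFORMATION notification, meaning no conn's right-side identity/CA constraints accepted that DN; the IKE exchange itself got as far as MI3. The Python script below is an added example, not part of the original post or of Openswan: it scans a pluto log for leaked private-key material, produces a redacted copy safe to paste into a mailing list, and extracts the rejected peer DN and the notification from the failed exchange. The sample log lines are constructed to mirror this post (single-line, as pluto writes them; key hex shortened to placeholders; the client address replaced by 192.0.2.10).

```python
"""Added example (not from the original post or from Openswan): triage a pluto log.
Detect RSA private-key material printed under plutodebug=private, produce a redacted
copy, and pull out the peer DN that pluto rejected with "no suitable connection"."""
import re
from typing import Dict, List, Tuple

# Component names pluto prints for an RSA key.  Only PRIVATE_FIELDS are secret;
# Modulus and PublicExponent are in the certificate anyway and may stay in a log.
PUBLIC_FIELDS = ("Modulus", "PublicExponent")
PRIVATE_FIELDS = ("PrivateExponent", "Prime1", "Prime2", "Exponent1", "Exponent2", "Coefficient")
FIELD_RE = re.compile(r"\| (" + "|".join(PUBLIC_FIELDS + PRIVATE_FIELDS) + r"):\s*([0-9a-fA-F]*)\s*$")
# A debug line made only of hex byte pairs, e.g. "| 30 82 02 5b 02 01 00".
HEX_DUMP_RE = re.compile(r"\| (?:[0-9a-fA-F]{2} ?)+$")
# In the post's log the DER dump of the key file sits between these two messages.
KEY_LOAD_START = "loaded private key file"
KEY_LOAD_END = "loaded private key for keyid"
PEER_ID_RE = re.compile(r"Main mode peer ID is (\w+): '([^']+)'")
REJECT_RE = re.compile(r"no suitable connection for peer '([^']+)'")
NOTIFY_RE = re.compile(r"sending encrypted notification (\w+) to (\S+)")


def scan_private_key_leak(lines: List[str]) -> Dict[str, str]:
    """Return {component: hex} for each secret RSA component printed in the log."""
    leaked: Dict[str, str] = {}
    for line in lines:
        m = FIELD_RE.search(line)
        if m and m.group(1) in PRIVATE_FIELDS:
            leaked[m.group(1)] = m.group(2)
    return leaked


def redact(lines: List[str]) -> List[str]:
    """Copy of the log with the secret components and the key-file DER dump blanked.
    keyid, Modulus and PublicExponent stay: they identify the key without exposing it."""
    out: List[str] = []
    in_key_dump = False
    for line in lines:
        if KEY_LOAD_START in line:
            in_key_dump = True
        elif KEY_LOAD_END in line:
            in_key_dump = False
        m = FIELD_RE.search(line)
        h = HEX_DUMP_RE.search(line)
        if m and m.group(1) in PRIVATE_FIELDS:
            line = line[: m.end(1)] + ": <REDACTED>"
        elif in_key_dump and h:
            line = line[: h.start()] + "| <REDACTED>"
        out.append(line)
    return out


def rejected_peers(lines: List[str]) -> List[Tuple[str, str]]:
    """(ID type, DN) for every peer pluto rejected with 'no suitable connection'."""
    id_type, rejected = "?", []
    for line in lines:
        m = PEER_ID_RE.search(line)
        if m:
            id_type = m.group(1)
        m = REJECT_RE.search(line)
        if m:
            rejected.append((id_type, m.group(1)))
    return rejected


def notifications(lines: List[str]) -> List[str]:
    """Names of the encrypted notifications pluto sent, e.g. INVALID_ID_INFORMATION."""
    return [m.group(1) for m in map(NOTIFY_RE.search, lines) if m]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split pluto's printed DN ('C=PL, ST=cos, ...') into ordered (attr, value) pairs.
    Order is significant in a DN, so a rightid/rightca DN in ipsec.conf has to list
    the same attributes in the same order to match."""
    pairs = []
    for part in dn.split(", "):
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.append((attr.strip(), value.strip()))
    return pairs


# Constructed sample mirroring the post's log in one-line form (as pluto writes it);
# key hex shortened to placeholders, client address replaced by 192.0.2.10.
SAMPLE_LOG = """\
Dec  7 13:28:58 slack13 pluto[26544]: loaded private key file '/etc/ipsec.d/private/vpntest.key' (887 bytes)
Dec  7 13:28:58 slack13 pluto[26544]: | 30 82 02 5b 02 01 00 02 81 81 00 9f 86 33 38 df
Dec  7 13:28:58 slack13 pluto[26544]: | 00 08 12 eb 92 b6 6a 4f 91 b5 5e 17 4f 23 e0 ae
Dec  7 13:28:58 slack13 pluto[26544]: | keyid: *AwEAAZ+GM
Dec  7 13:28:58 slack13 pluto[26544]: | Modulus: 9f863338df000812
Dec  7 13:28:58 slack13 pluto[26544]: | PublicExponent: 10001
Dec  7 13:28:58 slack13 pluto[26544]: | PrivateExponent: 3b4dfcc4ebc26b3d
Dec  7 13:28:58 slack13 pluto[26544]: | Prime1: cf6088e1bc734396
Dec  7 13:28:58 slack13 pluto[26544]: | Prime2: c4ed605a433cd5bc
Dec  7 13:28:58 slack13 pluto[26544]: loaded private key for keyid: PPK_RSA:AwEAAZ+GM
Dec  7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 192.0.2.10 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=PL, ST=cos, O=name1, OU=it, CN=mycert, E=myname@wp.pl'
Dec  7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 192.0.2.10 #1: no suitable connection for peer 'C=PL, ST=cos, O=name1, OU=it, CN=mycert, E=myname@wp.pl'
Dec  7 13:34:15 slack13 pluto[26544]: "l2tp-X.509"[1] 192.0.2.10 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.0.2.10:59780
"""

if __name__ == "__main__":
    import sys
    lines = (open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG).splitlines()
    print("leaked RSA components:", sorted(scan_private_key_leak(lines)) or "none")
    print("notifications sent:", notifications(lines))
    for id_type, dn in rejected_peers(lines):
        print("rejected peer", id_type, parse_dn(dn))
    print("\n".join(redact(lines)))
```

Run it against a real /var/log/secure with the file path as the only argument; with no argument it runs over the constructed sample. The redaction deliberately keeps keyid, Modulus and PublicExponent, which is what a reader on the list needs to confirm the loaded key matches the certificate, while the DER dump and the six CRT components are the parts that let anyone rebuild the key.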
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20101207/69869b59/attachment-0001.html