[Openswan Users] Openswan with NAT-T and X.509 authentication

Oliver Schade linksrum at googlemail.com
Tue Mar 1 08:45:16 EST 2011


Hello!

I'm trying to set up Openswan with certificates and xl2tpd. Both server and
client are behind a NAT device.
I followed Jacco's procedure at
http://www.jacco2.dds.nl/networking/openswan-l2tp.html#serverNATed

The server is Gentoo with 2.6.36 kernel, Openswan 2.4.15, xl2tpd 1.2.7
The client is MacOS 10.6 native (therefore rightprotoport=17/0).

So far, my PSK setup works like a charm, but L2TP-X509 doesn't.

I tried several variants regarding subnet and nexthop, but with no luck. The
certificates seem to be okay, although I admit I'm not an expert on this
topic. ;-)
I usually disable the PSK stuff for testing to keep things clean. L2TP-PSK
doesn't seem to work anyway, as soon as L2TP-X509's config is in place. Once
more: no idea why.

I appreciate any suggestions. Thanks a lot!

Here's my config:


                   NAT-        Internet        NAT-
Client  --------- device  =================== device -------------+--------
... 192.168.178.0/24
192.168.178.27   /     \                      /     \             |
                /       \                    /   192.168.178.1  Openswan
    192.168.189.1/24  234.234.234.234   123.123.123.123         Server

 192.168.178.253



/etc/ipsec/ipsec.conf

version 2.0
config setup
plutodebug="control natt"
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.178.0/24
nhelpers=0
interfaces=%defaultroute

#include ipsec-l2tp-psk.conf
include ipsec-l2tp-x509.conf
include /etc/ipsec/ipsec.d/examples/no_oe.conf



/etc/ipsec/ipsec-l2tp-psk.conf

conn L2TP-PSK
auto=add
authby=secret
pfs=no
keyingtries=3
rekey=no
left=%defaultroute
leftprotoport=17/1701
leftsubnet=192.168.178.0/24
leftnexthop=%defaultroute
leftcert=vpn.host.linksrum.cert.pem
right=%any
rightprotoport=17/0
rightsubnet=vhost:%no,%priv
#rightsubnet=192.168.189.0/24



/etc/ipsec/ipsec-l2tp-x509.conf

conn L2TP-X509
auto=add
authby=rsasig
pfs=no
keyingtries=3
rekey=no
left=%defaultroute
#left=192.168.178.253
leftprotoport=17/1701
leftsubnet=192.168.178.0/24
leftnexthop=%defaultroute
#leftnexthop=192.168.178.1
leftrsasigkey=%cert
leftcert=vpn.host.linksrum.cert.pem
right=%any
rightprotoport=17/0
rightsubnet=vhost:%no,%priv
#rightsubnet=192.168.189.0/24
rightrsasigkey=%cert



/etc/ipsec/ipsec.secrets

#192.168.178.253 %any: PSK "mypresharedkey"
#C=DE,ST=Hamburg,L=Hamburg,O=linksrum,CN=vpn.host.linksrum,E=linksrum at gmail.com %any: PSK "mypresharedkey"
C=DE,ST=Hamburg,L=Hamburg,O=linksrum,CN=vpn.host.linksrum,E=linksrum at gmail.com %any: RSA vpn.host.linksrum.key.rsa "mysecret"
192.168.178.253 %any: RSA vpn.host.linksrum.key.rsa "mysecret"
: RSA vpn.host.linksrum.key.rsa "mysecret"



excerpt from /var/log/secure (connection attempt only):

2011-03-01T13:54:24.328347+01:00 linksrum pluto[22198]: | *received 300
bytes from 85.183.y.z:65463 on eth0 (port=500)
2011-03-01T13:54:24.328360+01:00 linksrum pluto[22198]: |  processing packet
with exchange type=ISAKMP_XCHG_IDPROT (2)
2011-03-01T13:54:24.328372+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: received Vendor ID payload [RFC 3947] method set to=109
2011-03-01T13:54:24.328384+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
method set to=110
2011-03-01T13:54:24.328397+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: ignoring unknown Vendor ID payload
[8f8d83826d246b6fc7a8a6a428c11de8]
2011-03-01T13:54:24.328409+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: ignoring unknown Vendor ID payload
[439b59f8ba676c4c7737ae22eab8f582]
2011-03-01T13:54:24.328421+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: ignoring unknown Vendor ID payload
[4d1e0e136deafa34c4f3ea9f02ec7285]
2011-03-01T13:54:24.328434+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: ignoring unknown Vendor ID payload
[80d0bb3def54565ee84645d4c85ce3ee]
2011-03-01T13:54:24.328448+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: ignoring unknown Vendor ID payload
[9909b64eed937c6573de52ace952fa6b]
2011-03-01T13:54:24.328461+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
meth=108, but already using method 110
2011-03-01T13:54:24.328474+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
meth=107, but already using method 110
2011-03-01T13:54:24.328488+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
2011-03-01T13:54:24.328500+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: received Vendor ID payload [Dead Peer Detection]
2011-03-01T13:54:24.328512+01:00 linksrum pluto[22198]: | nat-t detected,
sending nat-t VID
2011-03-01T13:54:24.328523+01:00 linksrum pluto[22198]: | creating state
object #2 at 0x8109878
2011-03-01T13:54:24.328534+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:24.328546+01:00 linksrum pluto[22198]: | ICOOKIE:  1c d8 b4
97  4d cd 67 b0
2011-03-01T13:54:24.328556+01:00 linksrum pluto[22198]: | RCOOKIE:  3d e6 35
47  f9 f8 81 b1
2011-03-01T13:54:24.328566+01:00 linksrum pluto[22198]: | peer:  55 b7 07 0c
2011-03-01T13:54:24.328578+01:00 linksrum pluto[22198]: | state hash entry 1
2011-03-01T13:54:24.328589+01:00 linksrum pluto[22198]: | inserting event
EVENT_SO_DISCARD, timeout in 0 seconds for #2
2011-03-01T13:54:24.328601+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: responding to Main Mode from unknown peer 85.183.y.z
2011-03-01T13:54:24.328612+01:00 linksrum pluto[22198]: | complete state
transition with STF_OK
2011-03-01T13:54:24.328623+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2011-03-01T13:54:24.328635+01:00 linksrum pluto[22198]: | sending reply
packet to 85.183.y.z:65463 (from port=500)
2011-03-01T13:54:24.328647+01:00 linksrum pluto[22198]: | sending 136 bytes
for STATE_MAIN_R0 through eth0:500 to 85.183.y.z:65463:
2011-03-01T13:54:24.328659+01:00 linksrum pluto[22198]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #2
2011-03-01T13:54:24.328671+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: STATE_MAIN_R1: sent MR1, expecting MI2
2011-03-01T13:54:24.328682+01:00 linksrum pluto[22198]: | modecfg pull:
noquirk policy:push not-client
2011-03-01T13:54:24.328693+01:00 linksrum pluto[22198]: | phase 1 is done,
looking for phase 1 to unpend
2011-03-01T13:54:24.328704+01:00 linksrum pluto[22198]: | next event
EVENT_NAT_T_KEEPALIVE in 1 seconds
2011-03-01T13:54:24.402130+01:00 linksrum pluto[22198]: |
2011-03-01T13:54:24.402162+01:00 linksrum pluto[22198]: | *received 228
bytes from 85.183.y.z:65463 on eth0 (port=500)
2011-03-01T13:54:24.402183+01:00 linksrum pluto[22198]: |  processing packet
with exchange type=ISAKMP_XCHG_IDPROT (2)
2011-03-01T13:54:24.402202+01:00 linksrum pluto[22198]: | ICOOKIE:  1c d8 b4
97  4d cd 67 b0
2011-03-01T13:54:24.402218+01:00 linksrum pluto[22198]: | RCOOKIE:  3d e6 35
47  f9 f8 81 b1
2011-03-01T13:54:24.402235+01:00 linksrum pluto[22198]: | peer:  55 b7 07 0c
2011-03-01T13:54:24.402250+01:00 linksrum pluto[22198]: | state hash entry 1
2011-03-01T13:54:24.402277+01:00 linksrum pluto[22198]: | peer and cookies
match on #2, provided msgid 00000000 vs 00000000
2011-03-01T13:54:24.402287+01:00 linksrum pluto[22198]: | state object #2
found, in STATE_MAIN_R1
2011-03-01T13:54:24.402299+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:24.402311+01:00 linksrum pluto[22198]: | _natd_hash:
hasher=0x80ed480(20)
2011-03-01T13:54:24.402321+01:00 linksrum pluto[22198]: | _natd_hash:
icookie=
2011-03-01T13:54:24.402331+01:00 linksrum pluto[22198]: |   1c d8 b4 97  4d
cd 67 b0
2011-03-01T13:54:24.402342+01:00 linksrum pluto[22198]: | _natd_hash:
rcookie=
2011-03-01T13:54:24.402353+01:00 linksrum pluto[22198]: |   3d e6 35 47  f9
f8 81 b1
2011-03-01T13:54:24.402364+01:00 linksrum pluto[22198]: | _natd_hash: ip=
 c0 a8 b2 fd
2011-03-01T13:54:24.402375+01:00 linksrum pluto[22198]: | _natd_hash:
port=500
2011-03-01T13:54:24.402385+01:00 linksrum pluto[22198]: | _natd_hash: hash=
 ea 93 45 f6  66 8c 39 bf  7e 34 7d 7a  56 5f d9 f7
2011-03-01T13:54:24.402396+01:00 linksrum pluto[22198]: |   da f7 4c c7
2011-03-01T13:54:24.402407+01:00 linksrum pluto[22198]: | _natd_hash:
hasher=0x80ed480(20)
2011-03-01T13:54:24.402417+01:00 linksrum pluto[22198]: | _natd_hash:
icookie=
2011-03-01T13:54:24.402428+01:00 linksrum pluto[22198]: |   1c d8 b4 97  4d
cd 67 b0
2011-03-01T13:54:24.402441+01:00 linksrum pluto[22198]: | _natd_hash:
rcookie=
2011-03-01T13:54:24.402453+01:00 linksrum pluto[22198]: |   3d e6 35 47  f9
f8 81 b1
2011-03-01T13:54:24.402463+01:00 linksrum pluto[22198]: | _natd_hash: ip=
 55 b7 07 0c
2011-03-01T13:54:24.402473+01:00 linksrum pluto[22198]: | _natd_hash:
port=65463
2011-03-01T13:54:24.402485+01:00 linksrum pluto[22198]: | _natd_hash: hash=
 7c 10 bf 69  20 9e c6 61  6c 82 74 c7  ca af b1 50
2011-03-01T13:54:24.402496+01:00 linksrum pluto[22198]: |   f8 a8 45 b5
2011-03-01T13:54:24.402507+01:00 linksrum pluto[22198]: | NAT_TRAVERSAL
hash=0 (me:0) (him:0)
2011-03-01T13:54:24.402518+01:00 linksrum pluto[22198]: | expected
NAT-D(me):  ea 93 45 f6  66 8c 39 bf  7e 34 7d 7a  56 5f d9 f7
2011-03-01T13:54:24.402539+01:00 linksrum pluto[22198]: |   da f7 4c c7
2011-03-01T13:54:24.402550+01:00 linksrum pluto[22198]: | expected
NAT-D(him):
2011-03-01T13:54:24.402561+01:00 linksrum pluto[22198]: |   7c 10 bf 69  20
9e c6 61  6c 82 74 c7  ca af b1 50
2011-03-01T13:54:24.402664+01:00 linksrum pluto[22198]: |   f8 a8 45 b5
2011-03-01T13:54:24.402677+01:00 linksrum pluto[22198]: | received NAT-D:
 37 34 62 03  92 0d 39 5a  e1 50 05 22  c7 04 ef 33
2011-03-01T13:54:24.402688+01:00 linksrum pluto[22198]: |   d1 23 5b 81
2011-03-01T13:54:24.402698+01:00 linksrum pluto[22198]: | NAT_TRAVERSAL
hash=1 (me:0) (him:0)
2011-03-01T13:54:24.402709+01:00 linksrum pluto[22198]: | expected
NAT-D(me):  ea 93 45 f6  66 8c 39 bf  7e 34 7d 7a  56 5f d9 f7
2011-03-01T13:54:24.402719+01:00 linksrum pluto[22198]: |   da f7 4c c7
2011-03-01T13:54:24.402729+01:00 linksrum pluto[22198]: | expected
NAT-D(him):
2011-03-01T13:54:24.402739+01:00 linksrum pluto[22198]: |   7c 10 bf 69  20
9e c6 61  6c 82 74 c7  ca af b1 50
2011-03-01T13:54:24.402750+01:00 linksrum pluto[22198]: |   f8 a8 45 b5
2011-03-01T13:54:24.402760+01:00 linksrum pluto[22198]: | received NAT-D:
 3e 7d c7 ad  1e 06 6c 36  b5 b3 dc f6  79 ec 86 9f
2011-03-01T13:54:24.402770+01:00 linksrum pluto[22198]: |   b8 25 37 41
2011-03-01T13:54:24.405717+01:00 linksrum pluto[22198]: | NAT_TRAVERSAL
hash=2 (me:0) (him:0)
2011-03-01T13:54:24.405737+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS
X): both are NATed
2011-03-01T13:54:24.405751+01:00 linksrum pluto[22198]: | helper -1 doing
build_kenonce op id: 0
2011-03-01T13:54:24.405761+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:24.405777+01:00 linksrum pluto[22198]: | _natd_hash:
hasher=0x80ed480(20)
2011-03-01T13:54:24.405787+01:00 linksrum pluto[22198]: | _natd_hash:
icookie=
2011-03-01T13:54:24.405798+01:00 linksrum pluto[22198]: |   1c d8 b4 97  4d
cd 67 b0
2011-03-01T13:54:24.405807+01:00 linksrum pluto[22198]: | _natd_hash:
rcookie=
2011-03-01T13:54:24.405817+01:00 linksrum pluto[22198]: |   3d e6 35 47  f9
f8 81 b1
2011-03-01T13:54:24.405827+01:00 linksrum pluto[22198]: | _natd_hash: ip=
 55 b7 07 0c
2011-03-01T13:54:24.405843+01:00 linksrum pluto[22198]: | _natd_hash:
port=65463
2011-03-01T13:54:24.405853+01:00 linksrum pluto[22198]: | _natd_hash: hash=
 7c 10 bf 69  20 9e c6 61  6c 82 74 c7  ca af b1 50
2011-03-01T13:54:24.406018+01:00 linksrum pluto[22198]: |   f8 a8 45 b5
2011-03-01T13:54:24.406056+01:00 linksrum pluto[22198]: | _natd_hash:
hasher=0x80ed480(20)
2011-03-01T13:54:24.406084+01:00 linksrum pluto[22198]: | _natd_hash:
icookie=
2011-03-01T13:54:24.406115+01:00 linksrum pluto[22198]: |   1c d8 b4 97  4d
cd 67 b0
2011-03-01T13:54:24.406194+01:00 linksrum pluto[22198]: | _natd_hash:
rcookie=
2011-03-01T13:54:24.406210+01:00 linksrum pluto[22198]: |   3d e6 35 47  f9
f8 81 b1
2011-03-01T13:54:24.406221+01:00 linksrum pluto[22198]: | _natd_hash: ip=
 c0 a8 b2 fd
2011-03-01T13:54:24.406231+01:00 linksrum pluto[22198]: | _natd_hash:
port=500
2011-03-01T13:54:24.406241+01:00 linksrum pluto[22198]: | _natd_hash: hash=
 ea 93 45 f6  66 8c 39 bf  7e 34 7d 7a  56 5f d9 f7
2011-03-01T13:54:24.406253+01:00 linksrum pluto[22198]: |   da f7 4c c7
2011-03-01T13:54:24.406267+01:00 linksrum pluto[22198]: | started looking
for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum,
CN=vpn.host.linksrum, E=linksrum at gmail.com->C=DE, ST=Hamburg, L=Hamburg,
O=linksrum, CN=vpn.host.macbookpro, E=linksrum at gmail.com of kind PPK_PSK
2011-03-01T13:54:24.406279+01:00 linksrum pluto[22198]: | instantiating him
to 0.0.0.0
2011-03-01T13:54:24.406291+01:00 linksrum pluto[22198]: | actually looking
for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum,
CN=vpn.host.linksrum, E=linksrum at gmail.com->0.0.0.0 of kind PPK_PSK
2011-03-01T13:54:24.406302+01:00 linksrum pluto[22198]: | concluding with
best_match=0 best=(nil) (lineno=-1)
2011-03-01T13:54:24.408602+01:00 linksrum pluto[22198]: | complete state
transition with STF_OK
2011-03-01T13:54:24.408619+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2011-03-01T13:54:24.408631+01:00 linksrum pluto[22198]: | sending reply
packet to 85.183.y.z:65463 (from port=500)
2011-03-01T13:54:24.408643+01:00 linksrum pluto[22198]: | sending 228 bytes
for STATE_MAIN_R1 through eth0:500 to 85.183.y.z:65463:
2011-03-01T13:54:24.408656+01:00 linksrum pluto[22198]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #2
2011-03-01T13:54:24.408667+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: STATE_MAIN_R2: sent MR2, expecting MI3
2011-03-01T13:54:24.408678+01:00 linksrum pluto[22198]: | modecfg pull:
noquirk policy:push not-client
2011-03-01T13:54:24.408690+01:00 linksrum pluto[22198]: | phase 1 is done,
looking for phase 1 to unpend
2011-03-01T13:54:24.408700+01:00 linksrum pluto[22198]: | complete state
transition with STF_INLINE
2011-03-01T13:54:24.408710+01:00 linksrum pluto[22198]: | next event
EVENT_NAT_T_KEEPALIVE in 1 seconds
2011-03-01T13:54:24.622351+01:00 linksrum pluto[22198]: |
2011-03-01T13:54:24.622369+01:00 linksrum pluto[22198]: | *received 1076
bytes from 85.183.y.z:36695 on eth0 (port=4500)
2011-03-01T13:54:24.622382+01:00 linksrum pluto[22198]: |  processing packet
with exchange type=ISAKMP_XCHG_IDPROT (2)
2011-03-01T13:54:24.622393+01:00 linksrum pluto[22198]: | ICOOKIE:  1c d8 b4
97  4d cd 67 b0
2011-03-01T13:54:24.622404+01:00 linksrum pluto[22198]: | RCOOKIE:  3d e6 35
47  f9 f8 81 b1
2011-03-01T13:54:24.622414+01:00 linksrum pluto[22198]: | peer:  55 b7 07 0c
2011-03-01T13:54:24.622424+01:00 linksrum pluto[22198]: | state hash entry 1
2011-03-01T13:54:24.622434+01:00 linksrum pluto[22198]: | peer and cookies
match on #2, provided msgid 00000000 vs 00000000
2011-03-01T13:54:24.622444+01:00 linksrum pluto[22198]: | state object #2
found, in STATE_MAIN_R2
2011-03-01T13:54:24.622454+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:24.622577+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Hamburg,
L=Hamburg, O=linksrum, CN=vpn.host.macbookpro, E=linksrum at gmail.com'
2011-03-01T13:54:24.623438+01:00 linksrum pluto[22198]: | reached
self-signed root ca
2011-03-01T13:54:24.623466+01:00 linksrum pluto[22198]: | requested CA:
'%any'
2011-03-01T13:54:24.623536+01:00 linksrum pluto[22198]: | started looking
for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum,
CN=vpn.host.linksrum, E=linksrum at gmail.com->C=DE, ST=Hamburg, L=Hamburg,
O=linksrum, CN=vpn.host.macbookpro, E=linksrum at gmail.com of kind PPK_RSA
2011-03-01T13:54:24.623568+01:00 linksrum pluto[22198]: | searching for
certificate PPK_RSA:AwEAAcT0a vs PPK_RSA:AwEAAcT0a
2011-03-01T13:54:24.623618+01:00 linksrum pluto[22198]: | started looking
for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum,
CN=vpn.host.linksrum, E=linksrum at gmail.com->(none) of kind PPK_RSA
2011-03-01T13:54:24.623677+01:00 linksrum pluto[22198]: | searching for
certificate PPK_RSA:AwEAAcT0a vs PPK_RSA:AwEAAcT0a
2011-03-01T13:54:24.623719+01:00 linksrum pluto[22198]: | offered CA: 'C=DE,
ST=Hamburg, O=linksrum, CN=vpn.ca.linksrum, E=linksrum at gmail.com'
2011-03-01T13:54:24.623772+01:00 linksrum pluto[22198]: | required CA is
'%any'
2011-03-01T13:54:24.623823+01:00 linksrum pluto[22198]: | key issuer CA is
'C=DE, ST=Hamburg, O=linksrum, CN=vpn.ca.linksrum, E=linksrum at gmail.com'
2011-03-01T13:54:24.624095+01:00 linksrum pluto[22198]: | an RSA Sig check
passed with *AwEAAcU+c [preloaded key]
2011-03-01T13:54:24.624112+01:00 linksrum pluto[22198]: | thinking about
whether to send my certificate:
2011-03-01T13:54:24.624125+01:00 linksrum pluto[22198]: |   I have RSA key:
OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE
2011-03-01T13:54:24.624136+01:00 linksrum pluto[22198]: |   sendcert:
CERT_ALWAYSSEND and I did not get a certificate request
2011-03-01T13:54:24.624146+01:00 linksrum pluto[22198]: |   so send cert.
2011-03-01T13:54:24.624158+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: I am sending my cert
2011-03-01T13:54:24.624172+01:00 linksrum pluto[22198]: | started looking
for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum,
CN=vpn.host.linksrum, E=linksrum at gmail.com->C=DE, ST=Hamburg, L=Hamburg,
O=linksrum, CN=vpn.host.macbookpro, E=linksrum at gmail.com of kind PPK_RSA
2011-03-01T13:54:24.624199+01:00 linksrum pluto[22198]: | searching for
certificate PPK_RSA:AwEAAcT0a vs PPK_RSA:AwEAAcT0a
2011-03-01T13:54:24.624231+01:00 linksrum pluto[22198]: | signing hash with
RSA Key *AwEAAcT0a
2011-03-01T13:54:24.627041+01:00 linksrum pluto[22198]: | complete state
transition with STF_OK
2011-03-01T13:54:24.627059+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
2011-03-01T13:54:24.627072+01:00 linksrum pluto[22198]: | sending reply
packet to 85.183.y.z:65463 (from port=500)
2011-03-01T13:54:24.627084+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:24.627095+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:24.627106+01:00 linksrum pluto[22198]: | NAT-T: updating
local port to 4500
2011-03-01T13:54:24.627117+01:00 linksrum pluto[22198]: | NAT-T connection
has wrong interface definition 192.168.178.253:4500 vs 192.168.178.253:500
2011-03-01T13:54:24.627128+01:00 linksrum pluto[22198]: | NAT-T: using
interface eth0:4500
2011-03-01T13:54:24.627140+01:00 linksrum pluto[22198]: | sending 1060 bytes
for STATE_MAIN_R2 through eth0:4500 to 85.183.y.z:36695:
2011-03-01T13:54:24.627151+01:00 linksrum pluto[22198]: | inserting event
EVENT_SA_EXPIRE, timeout in 3600 seconds for #2
2011-03-01T13:54:24.627164+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
2011-03-01T13:54:24.627176+01:00 linksrum pluto[22198]: | modecfg pull:
noquirk policy:push not-client
2011-03-01T13:54:24.627194+01:00 linksrum pluto[22198]: | phase 1 is done,
looking for phase 1 to unpend
2011-03-01T13:54:24.627205+01:00 linksrum pluto[22198]: | next event
EVENT_NAT_T_KEEPALIVE in 1 seconds
2011-03-01T13:54:24.689821+01:00 linksrum pluto[22198]: |
2011-03-01T13:54:24.689841+01:00 linksrum pluto[22198]: | *received 68 bytes
from 85.183.y.z:36695 on eth0 (port=4500)
2011-03-01T13:54:24.689854+01:00 linksrum pluto[22198]: |  processing packet
with exchange type=ISAKMP_XCHG_INFO (5)
2011-03-01T13:54:24.689864+01:00 linksrum pluto[22198]: | ICOOKIE:  1c d8 b4
97  4d cd 67 b0
2011-03-01T13:54:24.689979+01:00 linksrum pluto[22198]: | RCOOKIE:  3d e6 35
47  f9 f8 81 b1
2011-03-01T13:54:24.689996+01:00 linksrum pluto[22198]: | peer:  55 b7 07 0c
2011-03-01T13:54:24.690008+01:00 linksrum pluto[22198]: | state hash entry 1
2011-03-01T13:54:24.690019+01:00 linksrum pluto[22198]: | peer and cookies
match on #2, provided msgid 00000000 vs 00000000/00000000
2011-03-01T13:54:24.690123+01:00 linksrum pluto[22198]: | p15 state object
#2 found, in STATE_MAIN_R3
2011-03-01T13:54:24.690139+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:24.690225+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: next payload type of ISAKMP Hash Payload has an unknown
value: 83
2011-03-01T13:54:24.690242+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: malformed payload in packet
2011-03-01T13:54:24.690367+01:00 linksrum pluto[22198]: | payload malformed
after IV
2011-03-01T13:54:24.690384+01:00 linksrum pluto[22198]: |   ba 6f 9f 65  bb
4e e1 9b
2011-03-01T13:54:24.690400+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: sending notification PAYLOAD_MALFORMED to 85.183.y.z:36695
2011-03-01T13:54:24.690505+01:00 linksrum pluto[22198]: | sending 40 bytes
for notification packet through eth0:4500 to 85.183.y.z:36695:
2011-03-01T13:54:24.690522+01:00 linksrum pluto[22198]: | next event
EVENT_NAT_T_KEEPALIVE in 1 seconds
2011-03-01T13:54:25.691630+01:00 linksrum pluto[22198]: |
2011-03-01T13:54:25.691657+01:00 linksrum pluto[22198]: | *time to handle
event
2011-03-01T13:54:25.691672+01:00 linksrum pluto[22198]: | handling event
EVENT_NAT_T_KEEPALIVE
2011-03-01T13:54:25.691683+01:00 linksrum pluto[22198]: | event after this
is EVENT_PENDING_PHASE2 in 55 seconds
2011-03-01T13:54:25.691693+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:25.691704+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:25.691852+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:25.691870+01:00 linksrum pluto[22198]: | ka_event: send
NAT-KA to 85.183.y.z:36695 (state=#2)
2011-03-01T13:54:25.691884+01:00 linksrum pluto[22198]: | sending 1 bytes
for NAT-T Keep Alive through eth0:4500 to 85.183.y.z:36695:
2011-03-01T13:54:25.691920+01:00 linksrum pluto[22198]: | inserting event
EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
2011-03-01T13:54:25.691956+01:00 linksrum pluto[22198]: | next event
EVENT_NAT_T_KEEPALIVE in 20 seconds
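The `_natd_hash` / `expected NAT-D` / `both are NATed` lines in the log above are pluto performing the NAT-D check of RFC 3947 section 3.2. The following script is an added example, not code from the post or from Openswan: it recomputes NAT-D hashes as HASH(CKY-I | CKY-R | IP | Port) with the IKE SA's hash function (prf=oakley_sha in the log, so SHA-1 with a 20-byte output, matching `hasher=...(20)`) and applies the responder-side decision rule, so a reader can see how a responder concludes that it, the peer, or both are behind NAT. The cookie values and the server-side address 192.168.178.253:500 are taken from the log; the function `classify_nat`, the result strings, and the initiator-side private address 192.168.189.23 used in the constructed scenario are my own. Whether `reproduces_log_me_hash()` returns True depends on my assumption that Openswan feeds exactly these bytes in this order into the hash.

```python
"""NAT-D hash check per RFC 3947 section 3.2 (added example, not Openswan code)."""
import hashlib
import ipaddress

# Cookie values copied from the ICOOKIE/RCOOKIE lines of the log excerpt.
ICOOKIE = bytes.fromhex("1cd8b4974dcd67b0")
RCOOKIE = bytes.fromhex("3de63547f9f881b1")
# "expected NAT-D(me)" as printed by pluto for ip=c0a8b2fd (192.168.178.253), port=500.
LOG_EXPECTED_ME = bytes.fromhex("ea9345f6668c39bf7e347d7a565fd9f7daf74cc7")


def natd_hash(icookie: bytes, rcookie: bytes, ip: str, port: int, hasher: str = "sha1") -> bytes:
    """HASH = HASH(CKY-I | CKY-R | IP | Port).

    IP is the packed network-order address, Port two big-endian bytes. The hash
    function is the one negotiated for the IKE SA (SHA-1 in the post's log).
    Byte order/layout is an assumption about Openswan, taken from the RFC text.
    """
    h = hashlib.new(hasher)
    h.update(icookie)
    h.update(rcookie)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(port.to_bytes(2, "big"))
    return h.digest()


def classify_nat(received: list[bytes], expected_me: bytes, expected_him: bytes) -> str:
    """Responder-side decision rule (hypothetical helper, labels are mine).

    The initiator's first NAT-D payload is its hash of the responder's address as
    the initiator sees it; every further payload hashes one of the initiator's own
    addresses. If the first does not equal the responder's hash of its own local
    address, the responder is behind NAT; if none of the rest equals the hash of
    the packet's observed source address/port, the initiator is behind NAT.
    """
    if len(received) < 2:
        raise ValueError("RFC 3947 requires at least two NAT-D payloads")
    me_nated = received[0] != expected_me
    him_nated = expected_him not in received[1:]
    if me_nated and him_nated:
        return "both are NATed"
    if me_nated:
        return "I am NATed"
    if him_nated:
        return "peer is NATed"
    return "no NAT detected"


def scenario_both_nated() -> str:
    """Constructed replay of the post's topology: both ends behind NAT devices.

    Responder (Openswan) is 192.168.178.253:500 behind 123.123.123.123; the
    initiator is 192.168.189.23:500 (constructed host part) behind
    234.234.234.234, whose NAT rewrites the source port to 65463 (port from log).
    """
    # What the initiator sends: hash of where it sent the packet, then hash of itself.
    received = [
        natd_hash(ICOOKIE, RCOOKIE, "123.123.123.123", 500),
        natd_hash(ICOOKIE, RCOOKIE, "192.168.189.23", 500),
    ]
    # What the responder expects: its own local address, and the observed source.
    expected_me = natd_hash(ICOOKIE, RCOOKIE, "192.168.178.253", 500)
    expected_him = natd_hash(ICOOKIE, RCOOKIE, "234.234.234.234", 65463)
    return classify_nat(received, expected_me, expected_him)


def scenario_no_nat() -> str:
    """Constructed control case with RFC 5737 documentation addresses and no NAT."""
    received = [
        natd_hash(ICOOKIE, RCOOKIE, "203.0.113.5", 500),   # responder as initiator sees it
        natd_hash(ICOOKIE, RCOOKIE, "198.51.100.7", 500),  # initiator's own address
    ]
    expected_me = natd_hash(ICOOKIE, RCOOKIE, "203.0.113.5", 500)
    expected_him = natd_hash(ICOOKIE, RCOOKIE, "198.51.100.7", 500)
    return classify_nat(received, expected_me, expected_him)


def reproduces_log_me_hash() -> bool:
    """True if the assumed byte layout reproduces pluto's 'expected NAT-D(me)' line."""
    return natd_hash(ICOOKIE, RCOOKIE, "192.168.178.253", 500) == LOG_EXPECTED_ME


if __name__ == "__main__":
    print("post topology :", scenario_both_nated())
    print("control case  :", scenario_no_nat())
    print("log NAT-D(me) reproduced:", reproduces_log_me_hash())
```

The hashes are bound to the Phase 1 cookies, so they are only comparable within one exchange; that is why the log recomputes them per state. A "both are NATed" result is the expected outcome for the topology in the post and by itself indicates no fault: it just switches the exchange to UDP 4500 and NAT-T encapsulation, which the log shows happening right after.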