[Openswan Users] Openswan with NAT-T and X.509 authentication
Oliver Schade
linksrum at googlemail.com
Wed Mar 2 05:25:54 EST 2011
Hello!
I'm trying to setup Openswan with certificates and xl2tpd. Both
server and client are behind a NAT device.
I followed Jacco's procedure at
http://www.jacco2.dds.nl/networking/openswan-l2tp.html#serverNATed
The server is Gentoo with 2.6.36 kernel, Openswan 2.4.15, xl2tpd 1.2.7
The client is MacOS 10.6 native (therefore rightprotoport=17/0).
So far, my PSK setup works like a charm, but L2TP-X509 doesn't.
I tried several variants regarding subnet and nexthop, but with no
luck. The certificates seem to be okay, although I admit not to be an
expert on this topic. ;-)
I usually disable the PSK stuff for testing to keep things clean. L2TP-PSK
doesn't seem to work anyway as soon as L2TP-X509's config is in
place. Once more: no idea why.
I appreciate any suggestions. Thanks a lot!
(I sent this yesterday already, but am quite sure it didn't come
through. Otherwise: sorry for reposting.)
Here's my config:
                  NAT-                           NAT-
Client ---------- device ======= Internet ======= device -------------+-------- ... 192.168.178.0/24
192.168.178.27     / \                             / \                |
                  /   \                           /   \        192.168.178.1      Openswan
      192.168.189.1/24 234.234.234.234   123.123.123.123                           Server
                                                                                 192.168.178.253
/etc/ipsec/ipsec.conf

version 2.0

config setup
    plutodebug="control natt"
    nat_traversal=yes
    # RFC 1918 ranges clients may sit behind; the server's own LAN is excluded
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.178.0/24
    nhelpers=0
    interfaces=%defaultroute

#include ipsec-l2tp-psk.conf
include ipsec-l2tp-x509.conf
include /etc/ipsec/ipsec.d/examples/no_oe.conf
/etc/ipsec/ipsec-l2tp-psk.conf

conn L2TP-PSK
    auto=add
    authby=secret
    pfs=no
    keyingtries=3
    rekey=no
    left=%defaultroute
    # L2TP on the server side; the Mac client uses a random source port
    leftprotoport=17/1701
    leftsubnet=192.168.178.0/24
    leftnexthop=%defaultroute
    leftcert=vpn.host.linksrum.cert.pem
    right=%any
    rightprotoport=17/0
    # accept NATed clients from the virtual_private ranges
    rightsubnet=vhost:%no,%priv
    #rightsubnet=192.168.189.0/24
/etc/ipsec/ipsec-l2tp-x509.conf

conn L2TP-X509
    auto=add
    authby=rsasig
    pfs=no
    keyingtries=3
    rekey=no
    left=%defaultroute
    #left=192.168.178.253
    leftprotoport=17/1701
    leftsubnet=192.168.178.0/24
    leftnexthop=%defaultroute
    #leftnexthop=192.168.178.1
    # take the RSA key from the certificate rather than a literal key
    leftrsasigkey=%cert
    leftcert=vpn.host.linksrum.cert.pem
    right=%any
    rightprotoport=17/0
    rightsubnet=vhost:%no,%priv
    #rightsubnet=192.168.189.0/24
    rightrsasigkey=%cert
/etc/ipsec/ipsec.secrets

#192.168.178.253 %any: PSK "mypresharedkey"
#C=DE,ST=Hamburg,L=Hamburg,O=linksrum,CN=vpn.host.linksrum,E=linksrum@gmail.com %any: PSK "mypresharedkey"
C=DE,ST=Hamburg,L=Hamburg,O=linksrum,CN=vpn.host.linksrum,E=linksrum@gmail.com %any: RSA vpn.host.linksrum.key.rsa "mysecret"
192.168.178.253 %any: RSA vpn.host.linksrum.key.rsa "mysecret"
: RSA vpn.host.linksrum.key.rsa "mysecret"
excerpt from /var/log/secure (connection attempt only):
2011-03-01T13:54:24.328347+01:00 linksrum pluto[22198]: | *received
300 bytes from 85.183.y.z:65463 on eth0 (port=500)
2011-03-01T13:54:24.328360+01:00 linksrum pluto[22198]: | processing
packet with exchange type=ISAKMP_XCHG_IDPROT (2)
2011-03-01T13:54:24.328372+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: received Vendor ID payload [RFC 3947] method set
to=109
2011-03-01T13:54:24.328384+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike] method set to=110
2011-03-01T13:54:24.328397+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: ignoring unknown Vendor ID payload
[8f8d83826d246b6fc7a8a6a428c11de8]
2011-03-01T13:54:24.328409+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: ignoring unknown Vendor ID payload
[439b59f8ba676c4c7737ae22eab8f582]
2011-03-01T13:54:24.328421+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: ignoring unknown Vendor ID payload
[4d1e0e136deafa34c4f3ea9f02ec7285]
2011-03-01T13:54:24.328434+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: ignoring unknown Vendor ID payload
[80d0bb3def54565ee84645d4c85ce3ee]
2011-03-01T13:54:24.328448+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: ignoring unknown Vendor ID payload
[9909b64eed937c6573de52ace952fa6b]
2011-03-01T13:54:24.328461+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
2011-03-01T13:54:24.328474+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
2011-03-01T13:54:24.328488+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
110
2011-03-01T13:54:24.328500+01:00 linksrum pluto[22198]: packet from
85.183.y.z:65463: received Vendor ID payload [Dead Peer Detection]
2011-03-01T13:54:24.328512+01:00 linksrum pluto[22198]: | nat-t
detected, sending nat-t VID
2011-03-01T13:54:24.328523+01:00 linksrum pluto[22198]: | creating
state object #2 at 0x8109878
2011-03-01T13:54:24.328534+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:24.328546+01:00 linksrum pluto[22198]: | ICOOKIE: 1c
d8 b4 97 4d cd 67 b0
2011-03-01T13:54:24.328556+01:00 linksrum pluto[22198]: | RCOOKIE: 3d
e6 35 47 f9 f8 81 b1
2011-03-01T13:54:24.328566+01:00 linksrum pluto[22198]: | peer: 55 b7 07 0c
2011-03-01T13:54:24.328578+01:00 linksrum pluto[22198]: | state hash entry 1
2011-03-01T13:54:24.328589+01:00 linksrum pluto[22198]: | inserting
event EVENT_SO_DISCARD, timeout in 0 seconds for #2
2011-03-01T13:54:24.328601+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: responding to Main Mode from unknown peer 85.183.y.z
2011-03-01T13:54:24.328612+01:00 linksrum pluto[22198]: | complete
state transition with STF_OK
2011-03-01T13:54:24.328623+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
2011-03-01T13:54:24.328635+01:00 linksrum pluto[22198]: | sending
reply packet to 85.183.y.z:65463 (from port=500)
2011-03-01T13:54:24.328647+01:00 linksrum pluto[22198]: | sending 136
bytes for STATE_MAIN_R0 through eth0:500 to 85.183.y.z:65463:
2011-03-01T13:54:24.328659+01:00 linksrum pluto[22198]: | inserting
event EVENT_RETRANSMIT, timeout in 10 seconds for #2
2011-03-01T13:54:24.328671+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: STATE_MAIN_R1: sent MR1, expecting MI2
2011-03-01T13:54:24.328682+01:00 linksrum pluto[22198]: | modecfg
pull: noquirk policy:push not-client
2011-03-01T13:54:24.328693+01:00 linksrum pluto[22198]: | phase 1 is
done, looking for phase 1 to unpend
2011-03-01T13:54:24.328704+01:00 linksrum pluto[22198]: | next event
EVENT_NAT_T_KEEPALIVE in 1 seconds
2011-03-01T13:54:24.402130+01:00 linksrum pluto[22198]: |
2011-03-01T13:54:24.402162+01:00 linksrum pluto[22198]: | *received
228 bytes from 85.183.y.z:65463 on eth0 (port=500)
2011-03-01T13:54:24.402183+01:00 linksrum pluto[22198]: | processing
packet with exchange type=ISAKMP_XCHG_IDPROT (2)
2011-03-01T13:54:24.402202+01:00 linksrum pluto[22198]: | ICOOKIE: 1c
d8 b4 97 4d cd 67 b0
2011-03-01T13:54:24.402218+01:00 linksrum pluto[22198]: | RCOOKIE: 3d
e6 35 47 f9 f8 81 b1
2011-03-01T13:54:24.402235+01:00 linksrum pluto[22198]: | peer: 55 b7 07 0c
2011-03-01T13:54:24.402250+01:00 linksrum pluto[22198]: | state hash entry 1
2011-03-01T13:54:24.402277+01:00 linksrum pluto[22198]: | peer and
cookies match on #2, provided msgid 00000000 vs 00000000
2011-03-01T13:54:24.402287+01:00 linksrum pluto[22198]: | state object
#2 found, in STATE_MAIN_R1
2011-03-01T13:54:24.402299+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:24.402311+01:00 linksrum pluto[22198]: | _natd_hash:
hasher=0x80ed480(20)
2011-03-01T13:54:24.402321+01:00 linksrum pluto[22198]: | _natd_hash: icookie=
2011-03-01T13:54:24.402331+01:00 linksrum pluto[22198]: | 1c d8 b4
97 4d cd 67 b0
2011-03-01T13:54:24.402342+01:00 linksrum pluto[22198]: | _natd_hash: rcookie=
2011-03-01T13:54:24.402353+01:00 linksrum pluto[22198]: | 3d e6 35
47 f9 f8 81 b1
2011-03-01T13:54:24.402364+01:00 linksrum pluto[22198]: | _natd_hash:
ip= c0 a8 b2 fd
2011-03-01T13:54:24.402375+01:00 linksrum pluto[22198]: | _natd_hash: port=500
2011-03-01T13:54:24.402385+01:00 linksrum pluto[22198]: | _natd_hash:
hash= ea 93 45 f6 66 8c 39 bf 7e 34 7d 7a 56 5f d9 f7
2011-03-01T13:54:24.402396+01:00 linksrum pluto[22198]: | da f7 4c c7
2011-03-01T13:54:24.402407+01:00 linksrum pluto[22198]: | _natd_hash:
hasher=0x80ed480(20)
2011-03-01T13:54:24.402417+01:00 linksrum pluto[22198]: | _natd_hash: icookie=
2011-03-01T13:54:24.402428+01:00 linksrum pluto[22198]: | 1c d8 b4
97 4d cd 67 b0
2011-03-01T13:54:24.402441+01:00 linksrum pluto[22198]: | _natd_hash: rcookie=
2011-03-01T13:54:24.402453+01:00 linksrum pluto[22198]: | 3d e6 35
47 f9 f8 81 b1
2011-03-01T13:54:24.402463+01:00 linksrum pluto[22198]: | _natd_hash:
ip= 55 b7 07 0c
2011-03-01T13:54:24.402473+01:00 linksrum pluto[22198]: | _natd_hash: port=65463
2011-03-01T13:54:24.402485+01:00 linksrum pluto[22198]: | _natd_hash:
hash= 7c 10 bf 69 20 9e c6 61 6c 82 74 c7 ca af b1 50
2011-03-01T13:54:24.402496+01:00 linksrum pluto[22198]: | f8 a8 45 b5
2011-03-01T13:54:24.402507+01:00 linksrum pluto[22198]: |
NAT_TRAVERSAL hash=0 (me:0) (him:0)
2011-03-01T13:54:24.402518+01:00 linksrum pluto[22198]: | expected
NAT-D(me): ea 93 45 f6 66 8c 39 bf 7e 34 7d 7a 56 5f d9 f7
2011-03-01T13:54:24.402539+01:00 linksrum pluto[22198]: | da f7 4c c7
2011-03-01T13:54:24.402550+01:00 linksrum pluto[22198]: | expected NAT-D(him):
2011-03-01T13:54:24.402561+01:00 linksrum pluto[22198]: | 7c 10 bf
69 20 9e c6 61 6c 82 74 c7 ca af b1 50
2011-03-01T13:54:24.402664+01:00 linksrum pluto[22198]: | f8 a8 45 b5
2011-03-01T13:54:24.402677+01:00 linksrum pluto[22198]: | received
NAT-D: 37 34 62 03 92 0d 39 5a e1 50 05 22 c7 04 ef 33
2011-03-01T13:54:24.402688+01:00 linksrum pluto[22198]: | d1 23 5b 81
2011-03-01T13:54:24.402698+01:00 linksrum pluto[22198]: |
NAT_TRAVERSAL hash=1 (me:0) (him:0)
2011-03-01T13:54:24.402709+01:00 linksrum pluto[22198]: | expected
NAT-D(me): ea 93 45 f6 66 8c 39 bf 7e 34 7d 7a 56 5f d9 f7
2011-03-01T13:54:24.402719+01:00 linksrum pluto[22198]: | da f7 4c c7
2011-03-01T13:54:24.402729+01:00 linksrum pluto[22198]: | expected NAT-D(him):
2011-03-01T13:54:24.402739+01:00 linksrum pluto[22198]: | 7c 10 bf
69 20 9e c6 61 6c 82 74 c7 ca af b1 50
2011-03-01T13:54:24.402750+01:00 linksrum pluto[22198]: | f8 a8 45 b5
2011-03-01T13:54:24.402760+01:00 linksrum pluto[22198]: | received
NAT-D: 3e 7d c7 ad 1e 06 6c 36 b5 b3 dc f6 79 ec 86 9f
2011-03-01T13:54:24.402770+01:00 linksrum pluto[22198]: | b8 25 37 41
2011-03-01T13:54:24.405717+01:00 linksrum pluto[22198]: |
NAT_TRAVERSAL hash=2 (me:0) (him:0)
2011-03-01T13:54:24.405737+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike
(MacOS X): both are NATed
2011-03-01T13:54:24.405751+01:00 linksrum pluto[22198]: | helper -1
doing build_kenonce op id: 0
2011-03-01T13:54:24.405761+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:24.405777+01:00 linksrum pluto[22198]: | _natd_hash:
hasher=0x80ed480(20)
2011-03-01T13:54:24.405787+01:00 linksrum pluto[22198]: | _natd_hash: icookie=
2011-03-01T13:54:24.405798+01:00 linksrum pluto[22198]: | 1c d8 b4
97 4d cd 67 b0
2011-03-01T13:54:24.405807+01:00 linksrum pluto[22198]: | _natd_hash: rcookie=
2011-03-01T13:54:24.405817+01:00 linksrum pluto[22198]: | 3d e6 35
47 f9 f8 81 b1
2011-03-01T13:54:24.405827+01:00 linksrum pluto[22198]: | _natd_hash:
ip= 55 b7 07 0c
2011-03-01T13:54:24.405843+01:00 linksrum pluto[22198]: | _natd_hash: port=65463
2011-03-01T13:54:24.405853+01:00 linksrum pluto[22198]: | _natd_hash:
hash= 7c 10 bf 69 20 9e c6 61 6c 82 74 c7 ca af b1 50
2011-03-01T13:54:24.406018+01:00 linksrum pluto[22198]: | f8 a8 45 b5
2011-03-01T13:54:24.406056+01:00 linksrum pluto[22198]: | _natd_hash:
hasher=0x80ed480(20)
2011-03-01T13:54:24.406084+01:00 linksrum pluto[22198]: | _natd_hash: icookie=
2011-03-01T13:54:24.406115+01:00 linksrum pluto[22198]: | 1c d8 b4
97 4d cd 67 b0
2011-03-01T13:54:24.406194+01:00 linksrum pluto[22198]: | _natd_hash: rcookie=
2011-03-01T13:54:24.406210+01:00 linksrum pluto[22198]: | 3d e6 35
47 f9 f8 81 b1
2011-03-01T13:54:24.406221+01:00 linksrum pluto[22198]: | _natd_hash:
ip= c0 a8 b2 fd
2011-03-01T13:54:24.406231+01:00 linksrum pluto[22198]: | _natd_hash: port=500
2011-03-01T13:54:24.406241+01:00 linksrum pluto[22198]: | _natd_hash:
hash= ea 93 45 f6 66 8c 39 bf 7e 34 7d 7a 56 5f d9 f7
2011-03-01T13:54:24.406253+01:00 linksrum pluto[22198]: | da f7 4c c7
2011-03-01T13:54:24.406267+01:00 linksrum pluto[22198]: | started
looking for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum,
CN=vpn.host.linksrum, E=linksrum at gmail.com->C=DE, ST=Hamburg,
L=Hamburg, O=linksrum, CN=vpn.host.macbookpro, E=linksrum at gmail.com of
kind PPK_PSK
2011-03-01T13:54:24.406279+01:00 linksrum pluto[22198]: |
instantiating him to 0.0.0.0
2011-03-01T13:54:24.406291+01:00 linksrum pluto[22198]: | actually
looking for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum,
CN=vpn.host.linksrum, E=linksrum at gmail.com->0.0.0.0 of kind PPK_PSK
2011-03-01T13:54:24.406302+01:00 linksrum pluto[22198]: | concluding
with best_match=0 best=(nil) (lineno=-1)
2011-03-01T13:54:24.408602+01:00 linksrum pluto[22198]: | complete
state transition with STF_OK
2011-03-01T13:54:24.408619+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
2011-03-01T13:54:24.408631+01:00 linksrum pluto[22198]: | sending
reply packet to 85.183.y.z:65463 (from port=500)
2011-03-01T13:54:24.408643+01:00 linksrum pluto[22198]: | sending 228
bytes for STATE_MAIN_R1 through eth0:500 to 85.183.y.z:65463:
2011-03-01T13:54:24.408656+01:00 linksrum pluto[22198]: | inserting
event EVENT_RETRANSMIT, timeout in 10 seconds for #2
2011-03-01T13:54:24.408667+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: STATE_MAIN_R2: sent MR2, expecting MI3
2011-03-01T13:54:24.408678+01:00 linksrum pluto[22198]: | modecfg
pull: noquirk policy:push not-client
2011-03-01T13:54:24.408690+01:00 linksrum pluto[22198]: | phase 1 is
done, looking for phase 1 to unpend
2011-03-01T13:54:24.408700+01:00 linksrum pluto[22198]: | complete
state transition with STF_INLINE
2011-03-01T13:54:24.408710+01:00 linksrum pluto[22198]: | next event
EVENT_NAT_T_KEEPALIVE in 1 seconds
2011-03-01T13:54:24.622351+01:00 linksrum pluto[22198]: |
2011-03-01T13:54:24.622369+01:00 linksrum pluto[22198]: | *received
1076 bytes from 85.183.y.z:36695 on eth0 (port=4500)
2011-03-01T13:54:24.622382+01:00 linksrum pluto[22198]: | processing
packet with exchange type=ISAKMP_XCHG_IDPROT (2)
2011-03-01T13:54:24.622393+01:00 linksrum pluto[22198]: | ICOOKIE: 1c
d8 b4 97 4d cd 67 b0
2011-03-01T13:54:24.622404+01:00 linksrum pluto[22198]: | RCOOKIE: 3d
e6 35 47 f9 f8 81 b1
2011-03-01T13:54:24.622414+01:00 linksrum pluto[22198]: | peer: 55 b7 07 0c
2011-03-01T13:54:24.622424+01:00 linksrum pluto[22198]: | state hash entry 1
2011-03-01T13:54:24.622434+01:00 linksrum pluto[22198]: | peer and
cookies match on #2, provided msgid 00000000 vs 00000000
2011-03-01T13:54:24.622444+01:00 linksrum pluto[22198]: | state object
#2 found, in STATE_MAIN_R2
2011-03-01T13:54:24.622454+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:24.622577+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Hamburg,
L=Hamburg, O=linksrum, CN=vpn.host.macbookpro, E=linksrum at gmail.com'
2011-03-01T13:54:24.623438+01:00 linksrum pluto[22198]: | reached
self-signed root ca
2011-03-01T13:54:24.623466+01:00 linksrum pluto[22198]: | requested CA: '%any'
2011-03-01T13:54:24.623536+01:00 linksrum pluto[22198]: | started
looking for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum,
CN=vpn.host.linksrum, E=linksrum at gmail.com->C=DE, ST=Hamburg,
L=Hamburg, O=linksrum, CN=vpn.host.macbookpro, E=linksrum at gmail.com of
kind PPK_RSA
2011-03-01T13:54:24.623568+01:00 linksrum pluto[22198]: | searching
for certificate PPK_RSA:AwEAAcT0a vs PPK_RSA:AwEAAcT0a
2011-03-01T13:54:24.623618+01:00 linksrum pluto[22198]: | started
looking for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum,
CN=vpn.host.linksrum, E=linksrum at gmail.com->(none) of kind PPK_RSA
2011-03-01T13:54:24.623677+01:00 linksrum pluto[22198]: | searching
for certificate PPK_RSA:AwEAAcT0a vs PPK_RSA:AwEAAcT0a
2011-03-01T13:54:24.623719+01:00 linksrum pluto[22198]: | offered CA:
'C=DE, ST=Hamburg, O=linksrum, CN=vpn.ca.linksrum,
E=linksrum at gmail.com'
2011-03-01T13:54:24.623772+01:00 linksrum pluto[22198]: | required CA is '%any'
2011-03-01T13:54:24.623823+01:00 linksrum pluto[22198]: | key issuer
CA is 'C=DE, ST=Hamburg, O=linksrum, CN=vpn.ca.linksrum,
E=linksrum at gmail.com'
2011-03-01T13:54:24.624095+01:00 linksrum pluto[22198]: | an RSA Sig
check passed with *AwEAAcU+c [preloaded key]
2011-03-01T13:54:24.624112+01:00 linksrum pluto[22198]: | thinking
about whether to send my certificate:
2011-03-01T13:54:24.624125+01:00 linksrum pluto[22198]: | I have RSA
key: OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE
2011-03-01T13:54:24.624136+01:00 linksrum pluto[22198]: | sendcert:
CERT_ALWAYSSEND and I did not get a certificate request
2011-03-01T13:54:24.624146+01:00 linksrum pluto[22198]: | so send cert.
2011-03-01T13:54:24.624158+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: I am sending my cert
2011-03-01T13:54:24.624172+01:00 linksrum pluto[22198]: | started
looking for secret for C=DE, ST=Hamburg, L=Hamburg, O=linksrum,
CN=vpn.host.linksrum, E=linksrum at gmail.com->C=DE, ST=Hamburg,
L=Hamburg, O=linksrum, CN=vpn.host.macbookpro, E=linksrum at gmail.com of
kind PPK_RSA
2011-03-01T13:54:24.624199+01:00 linksrum pluto[22198]: | searching
for certificate PPK_RSA:AwEAAcT0a vs PPK_RSA:AwEAAcT0a
2011-03-01T13:54:24.624231+01:00 linksrum pluto[22198]: | signing hash
with RSA Key *AwEAAcT0a
2011-03-01T13:54:24.627041+01:00 linksrum pluto[22198]: | complete
state transition with STF_OK
2011-03-01T13:54:24.627059+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
2011-03-01T13:54:24.627072+01:00 linksrum pluto[22198]: | sending
reply packet to 85.183.y.z:65463 (from port=500)
2011-03-01T13:54:24.627084+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:24.627095+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:24.627106+01:00 linksrum pluto[22198]: | NAT-T:
updating local port to 4500
2011-03-01T13:54:24.627117+01:00 linksrum pluto[22198]: | NAT-T
connection has wrong interface definition 192.168.178.253:4500 vs
192.168.178.253:500
2011-03-01T13:54:24.627128+01:00 linksrum pluto[22198]: | NAT-T: using
interface eth0:4500
2011-03-01T13:54:24.627140+01:00 linksrum pluto[22198]: | sending 1060
bytes for STATE_MAIN_R2 through eth0:4500 to 85.183.y.z:36695:
2011-03-01T13:54:24.627151+01:00 linksrum pluto[22198]: | inserting
event EVENT_SA_EXPIRE, timeout in 3600 seconds for #2
2011-03-01T13:54:24.627164+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
2011-03-01T13:54:24.627176+01:00 linksrum pluto[22198]: | modecfg
pull: noquirk policy:push not-client
2011-03-01T13:54:24.627194+01:00 linksrum pluto[22198]: | phase 1 is
done, looking for phase 1 to unpend
2011-03-01T13:54:24.627205+01:00 linksrum pluto[22198]: | next event
EVENT_NAT_T_KEEPALIVE in 1 seconds
2011-03-01T13:54:24.689821+01:00 linksrum pluto[22198]: |
2011-03-01T13:54:24.689841+01:00 linksrum pluto[22198]: | *received 68
bytes from 85.183.y.z:36695 on eth0 (port=4500)
2011-03-01T13:54:24.689854+01:00 linksrum pluto[22198]: | processing
packet with exchange type=ISAKMP_XCHG_INFO (5)
2011-03-01T13:54:24.689864+01:00 linksrum pluto[22198]: | ICOOKIE: 1c
d8 b4 97 4d cd 67 b0
2011-03-01T13:54:24.689979+01:00 linksrum pluto[22198]: | RCOOKIE: 3d
e6 35 47 f9 f8 81 b1
2011-03-01T13:54:24.689996+01:00 linksrum pluto[22198]: | peer: 55 b7 07 0c
2011-03-01T13:54:24.690008+01:00 linksrum pluto[22198]: | state hash entry 1
2011-03-01T13:54:24.690019+01:00 linksrum pluto[22198]: | peer and
cookies match on #2, provided msgid 00000000 vs 00000000/00000000
2011-03-01T13:54:24.690123+01:00 linksrum pluto[22198]: | p15 state
object #2 found, in STATE_MAIN_R3
2011-03-01T13:54:24.690139+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:24.690225+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: next payload type of ISAKMP Hash Payload has an unknown
value: 83
2011-03-01T13:54:24.690242+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: malformed payload in packet
2011-03-01T13:54:24.690367+01:00 linksrum pluto[22198]: | payload
malformed after IV
2011-03-01T13:54:24.690384+01:00 linksrum pluto[22198]: | ba 6f 9f
65 bb 4e e1 9b
2011-03-01T13:54:24.690400+01:00 linksrum pluto[22198]: "L2TP-X509"[2]
85.183.y.z #2: sending notification PAYLOAD_MALFORMED to
85.183.y.z:36695
2011-03-01T13:54:24.690505+01:00 linksrum pluto[22198]: | sending 40
bytes for notification packet through eth0:4500 to 85.183.y.z:36695:
2011-03-01T13:54:24.690522+01:00 linksrum pluto[22198]: | next event
EVENT_NAT_T_KEEPALIVE in 1 seconds
2011-03-01T13:54:25.691630+01:00 linksrum pluto[22198]: |
2011-03-01T13:54:25.691657+01:00 linksrum pluto[22198]: | *time to handle event
2011-03-01T13:54:25.691672+01:00 linksrum pluto[22198]: | handling
event EVENT_NAT_T_KEEPALIVE
2011-03-01T13:54:25.691683+01:00 linksrum pluto[22198]: | event after
this is EVENT_PENDING_PHASE2 in 55 seconds
2011-03-01T13:54:25.691693+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:25.691704+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:25.691852+01:00 linksrum pluto[22198]: | processing
connection L2TP-X509[2] 85.183.y.z
2011-03-01T13:54:25.691870+01:00 linksrum pluto[22198]: | ka_event:
send NAT-KA to 85.183.y.z:36695 (state=#2)
2011-03-01T13:54:25.691884+01:00 linksrum pluto[22198]: | sending 1
bytes for NAT-T Keep Alive through eth0:4500 to 85.183.y.z:36695:
2011-03-01T13:54:25.691920+01:00 linksrum pluto[22198]: | inserting
event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
2011-03-01T13:54:25.691956+01:00 linksrum pluto[22198]: | next event
EVENT_NAT_T_KEEPALIVE in 20 seconds
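As an added example (not from the post and not Openswan's code), the NAT-D check that the `_natd_hash` debug lines above document, recomputed from the cookies, addresses, ports and received NAT-D payloads in the log; it assumes the RFC 3947 layout HASH(CKY-I | CKY-R | IP | Port) with SHA-1 (the 20-byte hasher pluto printed) and mirrors pluto's compare-every-payload loop rather than the RFC's strict first-payload rule.

```python
import hashlib

# All values below are copied from the pluto log excerpt; the peer address is
# kept as the raw bytes pluto printed rather than decoded to a dotted quad.
ICOOKIE = bytes.fromhex("1cd8b4974dcd67b0")
RCOOKIE = bytes.fromhex("3de63547f9f881b1")
MY_IP, MY_PORT = bytes.fromhex("c0a8b2fd"), 500          # 192.168.178.253:500
PEER_IP, PEER_PORT = bytes.fromhex("55b7070c"), 65463    # the 85.183.y.z peer

# The two "received NAT-D" payloads the Mac sent (20 bytes each).
RECEIVED_NATD = [
    bytes.fromhex("37346203920d395ae1500522c704ef33d1235b81"),
    bytes.fromhex("3e7dc7ad1e066c36b5b3dcf679ec869fb8253741"),
]
# What pluto logged as "expected NAT-D(me)" and "expected NAT-D(him)".
LOGGED_EXPECTED_ME = bytes.fromhex("ea9345f6668c39bf7e347d7a565fd9f7daf74cc7")
LOGGED_EXPECTED_PEER = bytes.fromhex("7c10bf69209ec6616c8274c7caafb150f8a845b5")


def natd_hash(icookie: bytes, rcookie: bytes, ip: bytes, port: int) -> bytes:
    """RFC 3947 NAT-D: HASH(CKY-I | CKY-R | IP | Port), port in network order.
    Phase 1 negotiated prf=oakley_sha, so the hash is SHA-1 (20 bytes)."""
    if len(icookie) != 8 or len(rcookie) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    if len(ip) not in (4, 16):
        raise ValueError("IP address must be 4 (IPv4) or 16 (IPv6) raw bytes")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return hashlib.sha1(icookie + rcookie + ip + port.to_bytes(2, "big")).digest()


def detect_nat(icookie, rcookie, my_ip, my_port, peer_ip, peer_port, received):
    """Mirror pluto's loop: compare every received NAT-D payload against the
    hash of my own address and of the peer's address as I see it.
    Returns (me_nated, peer_nated); no match means a NAT rewrote that side."""
    if not received:
        raise ValueError("peer sent no NAT-D payloads")
    expected_me = natd_hash(icookie, rcookie, my_ip, my_port)
    expected_peer = natd_hash(icookie, rcookie, peer_ip, peer_port)
    found_me = any(h == expected_me for h in received)
    found_peer = any(h == expected_peer for h in received)
    return (not found_me, not found_peer)


def detect_nat_from_log():
    """Run the check on the values taken from the log excerpt."""
    return detect_nat(ICOOKIE, RCOOKIE, MY_IP, MY_PORT,
                      PEER_IP, PEER_PORT, RECEIVED_NATD)


def agrees_with_pluto():
    """True if this recomputation reproduces pluto's 'expected NAT-D' lines."""
    return (natd_hash(ICOOKIE, RCOOKIE, MY_IP, MY_PORT) == LOGGED_EXPECTED_ME
            and natd_hash(ICOOKIE, RCOOKIE, PEER_IP, PEER_PORT) == LOGGED_EXPECTED_PEER)


if __name__ == "__main__":
    me, peer = detect_nat_from_log()
    print("recomputation matches pluto's expected hashes:", agrees_with_pluto())
    print("NAT in front of me:", me, "NAT in front of peer:", peer)
```

With the logged values neither received payload matches either expected hash, which is exactly the "both are NATed" verdict pluto reached before switching to port 4500.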