[Openswan Users] strongswan-4-4.1 +xl2tp/psk + OSX native client => no connection is known
Willie Gillespie
wgillespie+openswan at es2eng.com
Mon Sep 17 20:01:23 EDT 2012
Hi Steve,
This list is for Openswan, not Strongswan -- although products with the
same functionality. Are you wanting to switch your Strongswan config to
Openswan?
Willie
On 09/17/2012 04:52 PM, Jthemovie wrote:
> Hi all,
>
>
> I think i really did my best but even after having read so (too) much of
> the mailing list, i finish posting here :)
>
> To sum up quickly :
>
>
> OS running strongswan : debian 6.0.3
>
>
> I installed strongswan this way:
>
>
> apt-get install build-essential fakeroot dpkg-dev devscripts
>
> apt-get source strongswan
>
> apt-get install libcurl4-openssl-dev
>
> apt-get build-dep strongswan
>
> vi strongswan-4.4.1/debian/rules
>
>
> /*****[strongswan-4.4.1/debian/rules]******/
>
> CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
>
> --libexecdir=/usr/lib \
>
> --enable-ldap --enable-curl \
>
> --with-capabilities=libcap \
>
> --enable-smartcard \
>
> --with-default-pkcs11=/usr/lib/opensc-pkcs11.so \
>
> --enable-mediation --enable-medsrv --enable-medcli \
>
> --enable-openssl --enable-agent \
>
> --enable-eap-radius --enable-eap-identity
> --enable-eap-md5 \
>
> --enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \
>
> --enable-sql --enable-integrity-test \
>
> --enable-nm --enable-ha --enable-dhcp --enable-farp \
>
> --enable-test-vectors \
>
> *--enable-nat-transport*
>
> /***********/
>
> dpkg-buildpackage -rfakeroot -uc -b
>
> Then installed everything with :
>
>
> dpkg -i *.deb
>
>
> Results :
>
> *dpkg -l | grep strong*
>
> **
>
> ii libstrongswan 4.4.1-5.2
> strongSwan utility and crypto library
>
> rc network-manager-strongswan 1.1.2-1
> network management framework (strongSwan plugin)
>
> ii strongswan 4.4.1-5.2
> IPsec VPN solution metapackage
>
> ii strongswan-dbg 4.4.1-5.2
> strongSwan library and binaries - debugging symbols
>
> ii strongswan-ikev1 4.4.1-5.2
> strongSwan Internet Key Exchange (v1) daemon
>
> ii strongswan-ikev2 4.4.1-5.2
> strongSwan Internet Key Exchange (v2) daemon
>
> ii strongswan-nm 4.4.1-5.2
> strongSwan plugin to interact with NetworkManager
>
> ii strongswan-starter 4.4.1-5.2
> strongSwan daemon starter and configuration file parser
>
>
> From here, everything fine, my setup is he following :
>
>
> On one side :
>
>
> Debian strongswan vpn server : 192.168.0.20/24 <http://192.168.0.20/24>
>
> ADSL Gateway : 192.168.0.254/24 <http://192.168.0.254/24>
>
> Public IP : 88.185.173.199
>
>
> On the other side, the client (OSX 10.6.8 native client) one :
>
>
> PUBLIC IP : 84.78.198.299
>
> ADSL Gateway : 192.168.1.1/24 <http://192.168.1.1/24>
>
> OSX Client : 192.168.1.100/24 <http://192.168.1.100/24>
>
>
> so according some post in the mailing list, i configured as follow :
>
>
> */etc/ipsec.conf*
>
> /*****/******/
>
> config setup
>
> *nat_traversal=yes*
>
> charonstart=yes
>
> plutostart=yes
>
> #higher debug level mode
>
> plutodebug="control controlmore"
>
>
> conn l2tp-psk-nat
>
> authby=psk
>
> pfs=no
>
> #keyexchange=ikev1
>
> rekey=no
>
> type=transport
>
> #esp=aes128-sha1
>
> #ike=aes128-sha-modp1024
>
> left=%defaultroute
>
> leftsubnet=88.185.173.199/32 <http://88.185.173.199/32>
>
> leftprotoport=17/1701
>
> rightprotoport=17/%any
>
> auto=add
>
> /***********/
>
>
> */etc/ipsec.secrets *
>
> /******chmod 600*****/
>
> 192.168.0.20 %any : PSK "mySecretKey"
>
> /***********/
>
>
> */etc/xl2tpd/xl2tpd.conf*
>
> /***********/
>
> [global]
>
> debug network = yes
>
> debug tunnel = yes
>
> port = 1701
>
> ipsec saref = no
>
>
> [lns default]
>
> ip range = 192.168.2.35-192.168.2.39
>
> local ip = 192.168.2.34
>
> refuse chap = yes
>
> refuse pap = yes
>
> require authentication = yes
>
> ppp debug = yes
>
> pppoptfile = /etc/ppp/options.xl2tpd
>
> length bit = yes
>
> /***********/
>
>
>
> */etc/ppp/options.xl2tpd*
>
> /***********/
>
> ipcp-accept-local
>
> ipcp-accept-remote
>
> ms-dns 212.27.40.240
>
> noccp
>
> auth
>
> crtscts
>
> idle 1800
>
> mtu 1500
>
> mru 1500
>
> nodefaultroute
>
> debug
>
> lock
>
> proxyarp
>
> connect-delay 5000
>
> /***********/
>
>
> */etc/ppp/chap-secrets*
>
> /*****chmod 600******/
>
> # client server secret IP addresses
>
> myUser l2tpd myUserSecret *
>
> /***********/
>
>
> Logs results :
>
>
> command
>
> **
>
> *ipsec statusall*
>
>
> 000 Status of IKEv1 pluto daemon (strongSwan 4.4.1):
>
> 000 interface lo/lo ::1:500
>
> 000 interface lo/lo 127.0.0.1:4500 <http://127.0.0.1:4500>
>
> 000 interface lo/lo 127.0.0.1:500 <http://127.0.0.1:500>
>
> 000 interface eth0/eth0 192.168.0.20:4500 <http://192.168.0.20:4500>
>
> 000 interface eth0/eth0 192.168.0.20:500 <http://192.168.0.20:500>
>
> 000 %myid = '%any'
>
> 000 loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey
> pkcs1 pgp dnskey pem openssl hmac gmp xauth attr resolve
>
> 000 debug options: control+controlmore
>
> 000
>
> 000 "l2tp-psk-nat":
> 88.185.173.199/32===192.168.0.20[192.168.0.20]:17/1701---192.168.0.254...%any[%any]:17/%any
> <http://88.185.173.199/32===192.168.0.20[192.168.0.20]:17/1701---192.168.0.254...%any[%any]:17/%any>;
> unrouted; eroute owner: #0
>
> 000 "l2tp-psk-nat": ike_life: 10800s; ipsec_life: 3600s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 3
>
> 000 "l2tp-psk-nat": policy: PSK+ENCRYPT+DONTREKEY; prio: 32,32;
> interface: eth0;
>
> 000 "l2tp-psk-nat": newest ISAKMP SA: #0; newest IPsec SA: #0;
>
> 000
>
> Status of IKEv2 charon daemon (strongSwan 4.4.1):
>
> uptime: 12 seconds, since Sep 18 00:32:37 2012
>
> malloc: sbrk 270336, mmap 0, used 175544, free 94792
>
> worker threads: 6 idle of 16, job queue load: 0, scheduled events: 0
>
> loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey
> pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr resolve
> kernel-netlink socket-raw farp stroke updown eap-identity eap-aka
> eap-md5 eap-gtc eap-mschapv2 nm dhcp
>
> Listening IP addresses:
>
> 192.168.0.20
>
> Connections:
>
> Security Associations:
>
> none
>
>
> *auth.log when i start the service :*
>
> **
>
> Sep 17 18:34:55 debian ipsec_starter[11137]: Starting strongSwan 4.4.1
> IPsec [starter]...
>
> Sep 17 18:34:55 debian pluto[11151]: Starting IKEv1 pluto daemon
> (strongSwan 4.4.1) THREADS SMARTCARD VENDORID
>
> Sep 17 18:34:55 debian pluto[11151]: plugin 'test-vectors' failed to
> load: /usr/lib/ipsec/plugins/libstrongswan-test-vectors.so: cannot open
> shared object file: No such file or directory
>
> Sep 17 18:34:55 debian pluto[11151]: attr-sql plugin: database URI not set
>
> Sep 17 18:34:55 debian pluto[11151]: plugin 'attr-sql': failed to load -
> attr_sql_plugin_create returned NULL
>
> Sep 17 18:34:55 debian pluto[11151]: loaded plugins: curl ldap aes des
> sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl hmac gmp
> xauth attr resolve
>
> Sep 17 18:34:55 debian pluto[11151]: | inserting event
> EVENT_REINIT_SECRET, timeout in 3600 seconds
>
> Sep 17 18:34:55 debian pluto[11151]: including NAT-Traversal patch
> (Version 0.6c)
>
> Sep 17 18:34:55 debian pluto[11151]: | pkcs11 module
> '/usr/lib/opensc-pkcs11.so' loading...
>
> Sep 17 18:34:55 debian pluto[11151]: | pkcs11 module initializing...
>
> Sep 17 18:34:55 debian pluto[11151]: | pkcs11 module loaded and initialized
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 0
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 1
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 2
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 3
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 4
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 5
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 6
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 7
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 8
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 9
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 10
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 11
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 12
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 13
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 14
>
> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 15
>
> Sep 17 18:34:55 debian pluto[11151]: Using Linux 2.6 IPsec interface code
>
> Sep 17 18:34:55 debian ipsec_starter[11150]: pluto (11151) started after
> 20 ms
>
> Sep 17 18:34:55 debian pluto[11151]: loading ca certificates from
> '/etc/ipsec.d/cacerts'
>
> Sep 17 18:34:55 debian pluto[11151]: loading aa certificates from
> '/etc/ipsec.d/aacerts'
>
> Sep 17 18:34:55 debian pluto[11151]: loading ocsp certificates from
> '/etc/ipsec.d/ocspcerts'
>
> Sep 17 18:34:55 debian pluto[11151]: Changing to directory
> '/etc/ipsec.d/crls'
>
> Sep 17 18:34:55 debian pluto[11151]: loading attribute certificates from
> '/etc/ipsec.d/acerts'
>
> Sep 17 18:34:55 debian pluto[11151]: | inserting event EVENT_LOG_DAILY,
> timeout in 84305 seconds
>
> Sep 17 18:34:55 debian pluto[11151]: | next event EVENT_REINIT_SECRET in
> 3600 seconds
>
> Sep 17 18:34:55 debian pluto[11151]: |
>
> Sep 17 18:34:55 debian pluto[11151]: | *received whack message
>
> Sep 17 18:34:55 debian pluto[11151]: listening for IKE messages
>
> Sep 17 18:34:55 debian pluto[11151]: | found lo with address 127.0.0.1
>
> Sep 17 18:34:55 debian pluto[11151]: | found eth0 with address 192.168.0.20
>
> Sep 17 18:34:55 debian pluto[11151]: adding interface eth0/eth0
> 192.168.0.20:500 <http://192.168.0.20:500>
>
> Sep 17 18:34:55 debian pluto[11151]: adding interface eth0/eth0
> 192.168.0.20:4500 <http://192.168.0.20:4500>
>
> Sep 17 18:34:55 debian pluto[11151]: adding interface lo/lo
> 127.0.0.1:500 <http://127.0.0.1:500>
>
> Sep 17 18:34:55 debian pluto[11151]: adding interface lo/lo
> 127.0.0.1:4500 <http://127.0.0.1:4500>
>
> Sep 17 18:34:55 debian pluto[11151]: | found lo with address
> 0000:0000:0000:0000:0000:0000:0000:0001
>
> Sep 17 18:34:55 debian pluto[11151]: adding interface lo/lo ::1:500
>
> Sep 17 18:34:55 debian pluto[11151]: | certs and keys locked by
> 'free_preshared_secrets'
>
> Sep 17 18:34:55 debian pluto[11151]: | certs and keys unlocked by
> 'free_preshard_secrets'
>
> Sep 17 18:34:55 debian pluto[11151]: loading secrets from
> "/etc/ipsec.secrets"
>
> Sep 17 18:34:55 debian pluto[11151]: loaded PSK secret for
> 192.168.0.20 %any
>
> Sep 17 18:34:55 debian pluto[11151]: | certs and keys locked by
> 'process_secret'
>
> Sep 17 18:34:55 debian pluto[11151]: | certs and keys unlocked by
> 'process_secrets'
>
> Sep 17 18:34:55 debian pluto[11151]: | next event EVENT_REINIT_SECRET in
> 3600 seconds
>
> Sep 17 18:34:55 debian ipsec_starter[11150]: charon (11162) started
> after 40 ms
>
> Sep 17 18:34:55 debian pluto[11151]: |
>
> Sep 17 18:34:55 debian pluto[11151]: | *received whack message
>
> Sep 17 18:34:55 debian pluto[11151]: | from whack: got --esp=aes128-sha1
>
> Sep 17 18:34:55 debian pluto[11151]: | esp proposal: AES_CBC_128/HMAC_SHA1,
>
> Sep 17 18:34:55 debian pluto[11151]: | from whack: got
> --ike=aes128-sha-modp1024
>
> Sep 17 18:34:55 debian pluto[11151]: | ike proposal:
> AES_CBC_128/HMAC_SHA1/MODP_1024,
>
> Sep 17 18:34:55 debian pluto[11151]: *added connection description
> "l2tp-psk-nat"*
>
> Sep 17 18:34:55 debian pluto[11151]: |
> 88.185.173.199/32===192.168.0.20[192.168.0.20]:17/1701---192.168.0.254...%any[%any]:17/%any
> <http://88.185.173.199/32===192.168.0.20[192.168.0.20]:17/1701---192.168.0.254...%any[%any]:17/%any>
>
> Sep 17 18:34:55 debian pluto[11151]: | ike_life: 10800s; ipsec_life:
> 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3; policy:
> PSK+ENCRYPT+DONTREKEY
>
> Sep 17 18:34:55 debian pluto[11151]: | next event EVENT_REINIT_SECRET in
> 3600 seconds
>
>
>
> *auth.log when a client try to connect :*
>
>
> Sep 17 18:37:27 debian pluto[11151]: |
>
> Sep 17 18:37:27 debian pluto[11151]: | *received 300 bytes from
> 84.78.198.299:500 on eth0
>
> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
> received Vendor ID payload [RFC 3947]
>
> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
> ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
>
> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
> ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
>
> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
> ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
>
> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
> ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
>
> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
> ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
>
> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
> ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
>
> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
>
> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
>
> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>
> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
> received Vendor ID payload [Dead Peer Detection]
>
> Sep 17 18:37:27 debian pluto[11151]: | preparse_isakmp_policy: peer
> requests PSK authentication
>
> Sep 17 18:37:27 debian pluto[11151]: | instantiated "l2tp-psk-nat" for
> 84.78.198.299
>
> Sep 17 18:37:27 debian pluto[11151]: | creating state object #1 at
> 0xb8d9c320
>
> Sep 17 18:37:27 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
>
> Sep 17 18:37:27 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
>
> Sep 17 18:37:27 debian pluto[11151]: | peer: 54 4e c6 e0
>
> Sep 17 18:37:27 debian pluto[11151]: | state hash entry 23
>
> Sep 17 18:37:27 debian pluto[11151]: | inserting event EVENT_SO_DISCARD,
> timeout in 0 seconds for #1
>
> Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[1] 84.78.198.299 #1:
> responding to Main Mode from unknown peer 84.78.198.299
>
> Sep 17 18:37:27 debian pluto[11151]: | inserting event EVENT_RETRANSMIT,
> timeout in 10 seconds for #1
>
> Sep 17 18:37:27 debian pluto[11151]: | next event EVENT_RETRANSMIT in 10
> seconds for #1
>
> Sep 17 18:37:27 debian pluto[11151]: |
>
> Sep 17 18:37:27 debian pluto[11151]: | *received 228 bytes from
> 84.78.198.299:500 on eth0
>
> Sep 17 18:37:27 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
>
> Sep 17 18:37:27 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
>
> Sep 17 18:37:27 debian pluto[11151]: | peer: 54 4e c6 e0
>
> Sep 17 18:37:27 debian pluto[11151]: | state hash entry 23
>
> Sep 17 18:37:27 debian pluto[11151]: | state object #1 found, in
> STATE_MAIN_R1
>
> Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[1] 84.78.198.299 #1:
> NAT-Traversal: Result using RFC 3947: both are NATed
>
> Sep 17 18:37:27 debian pluto[11151]: | inserting event
> EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
>
> Sep 17 18:37:27 debian pluto[11151]: | inserting event EVENT_RETRANSMIT,
> timeout in 10 seconds for #1
>
> Sep 17 18:37:27 debian pluto[11151]: | next event EVENT_RETRANSMIT in 10
> seconds for #1
>
> Sep 17 18:37:27 debian pluto[11151]: |
>
> Sep 17 18:37:27 debian pluto[11151]: | *received 100 bytes from
> 84.78.198.299:4501 on eth0
>
> Sep 17 18:37:27 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
>
> Sep 17 18:37:27 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
>
> Sep 17 18:37:27 debian pluto[11151]: | peer: 54 4e c6 e0
>
> Sep 17 18:37:27 debian pluto[11151]: | state hash entry 23
>
> Sep 17 18:37:27 debian pluto[11151]: | state object #1 found, in
> STATE_MAIN_R2
>
> Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[1] 84.78.198.299 #1:
> ignoring informational payload, type IPSEC_INITIAL_CONTACT
>
> Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[1] 84.78.198.299 #1:
> Peer ID is ID_IPV4_ADDR: '192.168.1.110'
>
> Sep 17 18:37:27 debian pluto[11151]: | peer CA: %none
>
> Sep 17 18:37:27 debian pluto[11151]: | l2tp-psk-nat: no match (id: no,
> auth: ok, trust: ok, request: ok, prio: 2048)
>
> Sep 17 18:37:27 debian pluto[11151]: | l2tp-psk-nat: full match (id: ok,
> auth: ok, trust: ok, request: ok, prio: 1216)
>
> Sep 17 18:37:27 debian pluto[11151]: | offered CA: %none
>
> Sep 17 18:37:27 debian pluto[11151]: | switched from "l2tp-psk-nat" to
> "l2tp-psk-nat"
>
> Sep 17 18:37:27 debian pluto[11151]: | instantiated "l2tp-psk-nat" for
> 84.78.198.299
>
> Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[2] 84.78.198.299 #1:
> deleting connection "l2tp-psk-nat" instance with peer 84.78.198.299
> {isakmp=#0/ipsec=#0}
>
> Sep 17 18:37:27 debian pluto[11151]: | certs and keys locked by
> 'delete_connection'
>
> Sep 17 18:37:27 debian pluto[11151]: | certs and keys unlocked by
> 'delete_connection'
>
> Sep 17 18:37:27 debian pluto[11151]: | *NAT-T: *new mapping
> 84.78.198.299:500/4501)
>
> Sep 17 18:37:27 debian pluto[11151]: | inserting event EVENT_SA_EXPIRE,
> timeout in 3600 seconds for #1
>
> Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[2]
> 84.78.198.299:4501 #1: sent MR3, ISAKMP SA established
>
> Sep 17 18:37:27 debian pluto[11151]: | next event EVENT_NAT_T_KEEPALIVE
> in 20 seconds
>
> Sep 17 18:37:28 debian pluto[11151]: |
>
> Sep 17 18:37:28 debian pluto[11151]: | *received 252 bytes from
> 84.78.198.299:4501 on eth0
>
> Sep 17 18:37:28 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
>
> Sep 17 18:37:28 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
>
> Sep 17 18:37:28 debian pluto[11151]: | peer: 54 4e c6 e0
>
> Sep 17 18:37:28 debian pluto[11151]: | state hash entry 23
>
> Sep 17 18:37:28 debian pluto[11151]: | state object not found
>
> Sep 17 18:37:28 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
>
> Sep 17 18:37:28 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
>
> Sep 17 18:37:28 debian pluto[11151]: | peer: 54 4e c6 e0
>
> Sep 17 18:37:28 debian pluto[11151]: | state hash entry 23
>
> Sep 17 18:37:28 debian pluto[11151]: | state object #1 found, in
> STATE_MAIN_R3
>
> Sep 17 18:37:28 debian pluto[11151]: | peer client is 192.168.1.110
>
> Sep 17 18:37:28 debian pluto[11151]: | peer client protocol/port is 17/53734
>
> Sep 17 18:37:28 debian pluto[11151]: | our client is 88.185.173.199
>
> Sep 17 18:37:28 debian pluto[11151]: | our client protocol/port is 17/1701
>
> Sep 17 18:37:28 debian pluto[11151]: | find_client_connection starting
> with l2tp-psk-nat
>
> Sep 17 18:37:28 debian pluto[11151]: | looking for
> 88.185.173.199/32:17/1701 <http://88.185.173.199/32:17/1701> ->
> 192.168.1.110/32:17/53734 <http://192.168.1.110/32:17/53734>
>
> Sep 17 18:37:28 debian pluto[11151]: | concrete checking against sr#0
> 88.185.173.199/32 <http://88.185.173.199/32> -> 84.78.198.299/32
>
> Sep 17 18:37:28 debian pluto[11151]: | fc_try trying
> l2tp-psk-nat:88.185.173.199/32:17/1701
> <http://88.185.173.199/32:17/1701> -> 192.168.1.110/32:17/0
> <http://192.168.1.110/32:17/0> vs l2tp-psk-nat:88.185.173.199/32:17/1701
> <http://88.185.173.199/32:17/1701> -> 84.78.198.299/32:17/0
>
> Sep 17 18:37:28 debian pluto[11151]: | fc_try concluding with none [0]
>
> Sep 17 18:37:28 debian pluto[11151]: | fc_try l2tp-psk-nat gives none
>
> Sep 17 18:37:28 debian pluto[11151]: | checking hostpair
> 88.185.173.199/32 <http://88.185.173.199/32> -> 84.78.198.299/32 is found
>
> Sep 17 18:37:28 debian pluto[11151]: | fc_try trying
> l2tp-psk-nat:88.185.173.199/32:17/1701
> <http://88.185.173.199/32:17/1701> -> 192.168.1.110/32:17/0
> <http://192.168.1.110/32:17/0> vs l2tp-psk-nat:88.185.173.199/32:17/1701
> <http://88.185.173.199/32:17/1701> -> 0.0.0.0/32:17/0
> <http://0.0.0.0/32:17/0>
>
> Sep 17 18:37:28 debian pluto[11151]: | fc_try concluding with none [0]
>
> Sep 17 18:37:28 debian pluto[11151]: | fc_try_oppo trying
> l2tp-psk-nat:88.185.173.199/32 <http://88.185.173.199/32> ->
> 192.168.1.110/32 <http://192.168.1.110/32> vs
> l2tp-psk-nat:88.185.173.199/32 <http://88.185.173.199/32> -> 0.0.0.0/32
> <http://0.0.0.0/32>
>
> Sep 17 18:37:28 debian pluto[11151]: | fc_try_oppo concluding with
> none [0]
>
> Sep 17 18:37:28 debian pluto[11151]: | concluding with d = none
>
> Sep 17 18:37:28 debian pluto[11151]: "l2tp-psk-nat"[2]
> 84.78.198.299:4501 #1: cannot respond to IPsec SA request because no
> connection is known for
> 88.185.173.199/32===192.168.0.20:4500[192.168.0.20]:17/1701...84.78.198.299:4501[192.168.1.110]:17/%any===192.168.1.110/32
> <http://88.185.173.199/32===192.168.0.20:4500[192.168.0.20]:17/1701...84.78.198.299:4501[192.168.1.110]:17/%any===192.168.1.110/32>
>
> Sep 17 18:37:28 debian pluto[11151]: "l2tp-psk-nat"[2]
> 84.78.198.299:4501 #1: sending encrypted notification
> INVALID_ID_INFORMATION to 84.78.198.299:4501
>
> Sep 17 18:37:28 debian pluto[11151]: | state transition function for
> STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
>
> Sep 17 18:37:28 debian pluto[11151]: | next event EVENT_NAT_T_KEEPALIVE
> in 19 seconds
>
> Sep 17 18:37:31 debian pluto[11151]: |
>
> Sep 17 18:37:31 debian pluto[11151]: | *received 252 bytes from
> 84.78.198.299:4501 on eth0
>
> Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
>
> Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
>
> Sep 17 18:37:31 debian pluto[11151]: | peer: 54 4e c6 e0
>
> Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
>
> Sep 17 18:37:31 debian pluto[11151]: | state object not found
>
> Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
>
> Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
>
> Sep 17 18:37:31 debian pluto[11151]: | peer: 54 4e c6 e0
>
> Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
>
> Sep 17 18:37:31 debian pluto[11151]: | state object #1 found, in
> STATE_MAIN_R3
>
> Sep 17 18:37:31 debian pluto[11151]: "l2tp-psk-nat"[2]
> 84.78.198.299:4501 #1: Quick Mode I1 message is unacceptable because it
> uses a previously used Message ID 0x767ae29b (perhaps this is a
> duplicated packet)
>
> Sep 17 18:37:31 debian pluto[11151]: "l2tp-psk-nat"[2]
> 84.78.198.299:4501 #1: sending encrypted notification INVALID_MESSAGE_ID
> to 84.78.198.299:4501
>
> Sep 17 18:37:31 debian pluto[11151]: | next event EVENT_NAT_T_KEEPALIVE
> in 16 seconds
>
> Sep 17 18:37:31 debian pluto[11151]: |
>
> Sep 17 18:37:31 debian pluto[11151]: | *received 84 bytes from
> 84.78.198.299:4501 on eth0
>
> Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
>
> Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
>
> Sep 17 18:37:31 debian pluto[11151]: | peer: 54 4e c6 e0
>
> Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
>
> Sep 17 18:37:31 debian pluto[11151]: | state object #1 found, in
> STATE_MAIN_R3
>
> Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
>
> Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
>
> Sep 17 18:37:31 debian pluto[11151]: | peer: 54 4e c6 e0
>
> Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
>
> Sep 17 18:37:31 debian pluto[11151]: | state object #1 found, in
> STATE_MAIN_R3
>
> Sep 17 18:37:31 debian pluto[11151]: "l2tp-psk-nat"[2]
> 84.78.198.299:4501 #1: received Delete SA payload: deleting ISAKMP State #1
>
> Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
>
> Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
>
> Sep 17 18:37:31 debian pluto[11151]: | peer: 54 4e c6 e0
>
> Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
>
> Sep 17 18:37:31 debian pluto[11151]: "l2tp-psk-nat"[2]
> 84.78.198.299:4501: deleting connection "l2tp-psk-nat" instance with
> peer 84.78.198.299 {isakmp=#0/ipsec=#0}
>
> Sep 17 18:37:31 debian pluto[11151]: | certs and keys locked by
> 'delete_connection'
>
> Sep 17 18:37:31 debian pluto[11151]: | certs and keys unlocked by
> 'delete_connection'
>
> Sep 17 18:37:31 debian pluto[11151]: | next event EVENT_NAT_T_KEEPALIVE
> in 16 seconds
>
> Sep 17 18:37:47 debian pluto[11151]: |
>
> Sep 17 18:37:47 debian pluto[11151]: | *time to handle event
>
>
> So here i am, i really tried the best i can, but i'm running out of
> ideas :((( I underlined in the latest log what's i think its going
> wrong, but despite that it seems to be a NAT problem, everything is
> nated correctly on the ADSL router
>
> the port 1701, 4500, 500 in udp are well nated to my vpn server, any
> ideas, any suggestions will be more than welcome ;)
>
> Thanks a lot in advance for your precious help and sorry for the level
> of logs, but the more the debug level of log is, the easier is the way
> to find out what is going wrong ;)
>
> Best Regards
>
> Steve
>
>
>
> **
>
> **
>
> **
>
>
> **
>
> **
>
> **
>
>
>
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
More information about the Users
mailing list