[Openswan Users] strongswan-4-4.1 +xl2tp/psk + OSX native client => no connection is known

Jthemovie jthemovie at gmail.com
Tue Sep 18 05:06:04 EDT 2012


Oh my gosh, I didn't, did I? Yes I did, I'm so confused :(
I'll move this subject to strongSwan; I did it late last night and I was
crossing so much help from both, Openswan and strongSwan, that I ended up here :( mea
culpa

Anyway, thanks for your answer, I tried without success :(
fc_try trying l2tp-psk-nat:88.185.173.199/32:17/1701 -> 192.168.1.116/32:17/0 vs l2tp-psk-nat:192.168.0.20/32:17/1701 -> 84.78.198.299/32:17/0
Sep 18 04:59:02 debian pluto[1981]: |   fc_try concluding with none [0]
Sep 18 04:59:02 debian pluto[1981]: |   fc_try l2tp-psk-nat gives none
Sep 18 04:59:02 debian pluto[1981]: |   checking hostpair 192.168.0.20/32 -> 84.78.198.224/32 is found
Sep 18 04:59:02 debian pluto[1981]: |   fc_try trying l2tp-psk-nat:88.185.173.162/32:17/1701 -> 192.168.1.116/32:17/0 vs l2tp-psk-nat:192.168.0.20/32:17/1701 -> 0.0.0.0/32:17/0
Sep 18 04:59:02 debian pluto[1981]: |   fc_try concluding with none [0]
Sep 18 04:59:02 debian pluto[1981]: |   fc_try_oppo trying l2tp-psk-nat:88.185.173.162/32 -> 192.168.1.116/32 vs l2tp-psk-nat:192.168.0.20/32 -> 0.0.0.0/32
Sep 18 04:59:02 debian pluto[1981]: |   fc_try_oppo concluding with none [0]
Sep 18 04:59:02 debian pluto[1981]: |   concluding with d = none
Sep 18 04:59:02 debian pluto[1981]: "l2tp-psk-nat"[2] 84.78.198.299:4502 #1: cannot respond to IPsec SA request because no connection is known for 88.185.173.199/32===192.168.0.20:4500[192.168.0.20]:17/1701...84.78.198.299:4502[192.168.1.116]:17/%any===192.168.1.116/32
Thanks again for your help, I'll move this subject to the right place ;)

On Tue, Sep 18, 2012 at 2:01 AM, Willie Gillespie <
wgillespie+openswan at es2eng.com> wrote:

> Hi Steve,
>
> This list is for Openswan, not strongSwan -- although they are products with
> the same functionality.  Are you wanting to switch your strongSwan config to
> Openswan?
>
> Willie
>
>
> On 09/17/2012 04:52 PM, Jthemovie wrote:
>
>> Hi all,
>>
>>
>> I think I really did my best, but even after having read so (too) much of
>> the mailing list, I end up posting here :)
>>
>> To sum up quickly:
>>
>> OS running strongSwan: Debian 6.0.3
>>
>> I installed strongSwan this way:
>>
>>
>> apt-get install build-essential fakeroot dpkg-dev devscripts
>>
>> apt-get source strongswan
>>
>> apt-get install libcurl4-openssl-dev
>>
>> apt-get build-dep strongswan
>>
>> vi strongswan-4.4.1/debian/rules
>>
>>
>> /*****[strongswan-4.4.1/debian/rules]******/
>>
>> CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
>>                  --libexecdir=/usr/lib \
>>                  --enable-ldap --enable-curl \
>>                  --with-capabilities=libcap \
>>                  --enable-smartcard \
>>                  --with-default-pkcs11=/usr/lib/opensc-pkcs11.so \
>>                  --enable-mediation --enable-medsrv --enable-medcli \
>>                  --enable-openssl --enable-agent \
>>                  --enable-eap-radius --enable-eap-identity --enable-eap-md5 \
>>                  --enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \
>>                  --enable-sql --enable-integrity-test \
>>                  --enable-nm --enable-ha --enable-dhcp --enable-farp \
>>                  --enable-test-vectors \
>>                  *--enable-nat-transport*
>>
>> /***********/
>>
>> dpkg-buildpackage -rfakeroot -uc -b
>>
>> Then installed everything with :
>>
>>
>> dpkg -i *.deb
>>
>>
>> Results:
>>
>> *dpkg -l | grep strong*
>>
>> ii  libstrongswan                      4.4.1-5.2  strongSwan utility and crypto library
>> rc  network-manager-strongswan         1.1.2-1    network management framework (strongSwan plugin)
>> ii  strongswan                         4.4.1-5.2  IPsec VPN solution metapackage
>> ii  strongswan-dbg                     4.4.1-5.2  strongSwan library and binaries - debugging symbols
>> ii  strongswan-ikev1                   4.4.1-5.2  strongSwan Internet Key Exchange (v1) daemon
>> ii  strongswan-ikev2                   4.4.1-5.2  strongSwan Internet Key Exchange (v2) daemon
>> ii  strongswan-nm                      4.4.1-5.2  strongSwan plugin to interact with NetworkManager
>> ii  strongswan-starter                 4.4.1-5.2  strongSwan daemon starter and configuration file parser
>>
>>
>> From here everything is fine; my setup is the following:
>>
>> On one side:
>>
>> Debian strongSwan VPN server: 192.168.0.20/24
>> ADSL gateway: 192.168.0.254/24
>> Public IP: 88.185.173.199
>>
>> On the other side, the client (OS X 10.6.8 native client):
>>
>> Public IP: 84.78.198.299
>> ADSL gateway: 192.168.1.1/24
>> OS X client: 192.168.1.100/24
>>
>>
>>
>> So, according to some posts in the mailing list, I configured as follows:
>>
>> */etc/ipsec.conf*
>>
>> /***********/
>> config setup
>>          *nat_traversal=yes*
>>          charonstart=yes
>>          plutostart=yes
>>          #higher debug level mode
>>          plutodebug="control controlmore"
>>
>> conn l2tp-psk-nat
>>          authby=psk
>>          pfs=no
>>          #keyexchange=ikev1
>>          rekey=no
>>          type=transport
>>          #esp=aes128-sha1
>>          #ike=aes128-sha-modp1024
>>          left=%defaultroute
>>          leftsubnet=88.185.173.199/32
>>          leftprotoport=17/1701
>>          rightprotoport=17/%any
>>          auto=add
>> /***********/
>>
>> */etc/ipsec.secrets*
>>
>> /******chmod 600*****/
>> 192.168.0.20 %any : PSK "mySecretKey"
>> /***********/
>>
>>
>> */etc/xl2tpd/xl2tpd.conf*
>>
>> /***********/
>> [global]
>> debug network = yes
>> debug tunnel = yes
>> port = 1701
>> ipsec saref = no
>>
>> [lns default]
>> ip range = 192.168.2.35-192.168.2.39
>> local ip = 192.168.2.34
>> refuse chap = yes
>> refuse pap = yes
>> require authentication = yes
>> ppp debug = yes
>> pppoptfile = /etc/ppp/options.xl2tpd
>> length bit = yes
>> /***********/
>>
>> */etc/ppp/options.xl2tpd*
>>
>> /***********/
>> ipcp-accept-local
>> ipcp-accept-remote
>> ms-dns 212.27.40.240
>> noccp
>> auth
>> crtscts
>> idle 1800
>> mtu 1500
>> mru 1500
>> nodefaultroute
>> debug
>> lock
>> proxyarp
>> connect-delay 5000
>> /***********/
>>
>> */etc/ppp/chap-secrets*
>>
>> /*****chmod 600******/
>> # client        server  secret                  IP addresses
>> myUser       l2tpd   myUserSecret                 *
>> /***********/
>>
>>
>> Log results:
>>
>> Command: *ipsec statusall*
>>
>> 000 Status of IKEv1 pluto daemon (strongSwan 4.4.1):
>> 000 interface lo/lo ::1:500
>> 000 interface lo/lo 127.0.0.1:4500
>> 000 interface lo/lo 127.0.0.1:500
>> 000 interface eth0/eth0 192.168.0.20:4500
>> 000 interface eth0/eth0 192.168.0.20:500
>> 000 %myid = '%any'
>> 000 loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl hmac gmp xauth attr resolve
>> 000 debug options: control+controlmore
>> 000
>> 000 "l2tp-psk-nat": 88.185.173.199/32===192.168.0.20[192.168.0.20]:17/1701---192.168.0.254...%any[%any]:17/%any; unrouted; eroute owner: #0
>> 000 "l2tp-psk-nat":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
>> 000 "l2tp-psk-nat":   policy: PSK+ENCRYPT+DONTREKEY; prio: 32,32; interface: eth0;
>> 000 "l2tp-psk-nat":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000
>> Status of IKEv2 charon daemon (strongSwan 4.4.1):
>>   uptime: 12 seconds, since Sep 18 00:32:37 2012
>>   malloc: sbrk 270336, mmap 0, used 175544, free 94792
>>   worker threads: 6 idle of 16, job queue load: 0, scheduled events: 0
>>   loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr resolve kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 nm dhcp
>> Listening IP addresses:
>>   192.168.0.20
>> Connections:
>> Security Associations:
>>   none
>>
>>
>> *auth.log when I start the service:*
>>
>>
>> Sep 17 18:34:55 debian ipsec_starter[11137]: Starting strongSwan 4.4.1
>> IPsec [starter]...
>>
>> Sep 17 18:34:55 debian pluto[11151]: Starting IKEv1 pluto daemon
>> (strongSwan 4.4.1) THREADS SMARTCARD VENDORID
>>
>> Sep 17 18:34:55 debian pluto[11151]: plugin 'test-vectors' failed to
>> load: /usr/lib/ipsec/plugins/libstrongswan-test-vectors.so: cannot open
>> shared object file: No such file or directory
>>
>> Sep 17 18:34:55 debian pluto[11151]: attr-sql plugin: database URI not set
>>
>> Sep 17 18:34:55 debian pluto[11151]: plugin 'attr-sql': failed to load -
>> attr_sql_plugin_create returned NULL
>>
>> Sep 17 18:34:55 debian pluto[11151]: loaded plugins: curl ldap aes des
>> sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl hmac gmp
>> xauth attr resolve
>>
>> Sep 17 18:34:55 debian pluto[11151]: | inserting event
>> EVENT_REINIT_SECRET, timeout in 3600 seconds
>>
>> Sep 17 18:34:55 debian pluto[11151]:   including NAT-Traversal patch
>> (Version 0.6c)
>>
>> Sep 17 18:34:55 debian pluto[11151]: | pkcs11 module
>> '/usr/lib/opensc-pkcs11.so' loading...
>>
>> Sep 17 18:34:55 debian pluto[11151]: | pkcs11 module initializing...
>>
>> Sep 17 18:34:55 debian pluto[11151]: | pkcs11 module loaded and
>> initialized
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 0
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 1
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 2
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 3
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 4
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 5
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 6
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 7
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 8
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 9
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 10
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 11
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 12
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 13
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 14
>>
>> Sep 17 18:34:55 debian pluto[11151]: no token present in slot 15
>>
>> Sep 17 18:34:55 debian pluto[11151]: Using Linux 2.6 IPsec interface code
>>
>> Sep 17 18:34:55 debian ipsec_starter[11150]: pluto (11151) started after
>> 20 ms
>>
>> Sep 17 18:34:55 debian pluto[11151]: loading ca certificates from
>> '/etc/ipsec.d/cacerts'
>>
>> Sep 17 18:34:55 debian pluto[11151]: loading aa certificates from
>> '/etc/ipsec.d/aacerts'
>>
>> Sep 17 18:34:55 debian pluto[11151]: loading ocsp certificates from
>> '/etc/ipsec.d/ocspcerts'
>>
>> Sep 17 18:34:55 debian pluto[11151]: Changing to directory
>> '/etc/ipsec.d/crls'
>>
>> Sep 17 18:34:55 debian pluto[11151]: loading attribute certificates from
>> '/etc/ipsec.d/acerts'
>>
>> Sep 17 18:34:55 debian pluto[11151]: | inserting event EVENT_LOG_DAILY,
>> timeout in 84305 seconds
>>
>> Sep 17 18:34:55 debian pluto[11151]: | next event EVENT_REINIT_SECRET in
>> 3600 seconds
>>
>> Sep 17 18:34:55 debian pluto[11151]: |
>>
>> Sep 17 18:34:55 debian pluto[11151]: | *received whack message
>>
>> Sep 17 18:34:55 debian pluto[11151]: listening for IKE messages
>>
>> Sep 17 18:34:55 debian pluto[11151]: | found lo with address 127.0.0.1
>>
>> Sep 17 18:34:55 debian pluto[11151]: | found eth0 with address
>> 192.168.0.20
>>
>> Sep 17 18:34:55 debian pluto[11151]: adding interface eth0/eth0 192.168.0.20:500
>>
>> Sep 17 18:34:55 debian pluto[11151]: adding interface eth0/eth0 192.168.0.20:4500
>>
>> Sep 17 18:34:55 debian pluto[11151]: adding interface lo/lo 127.0.0.1:500
>>
>> Sep 17 18:34:55 debian pluto[11151]: adding interface lo/lo 127.0.0.1:4500
>>
>> Sep 17 18:34:55 debian pluto[11151]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
>>
>> Sep 17 18:34:55 debian pluto[11151]: adding interface lo/lo ::1:500
>>
>> Sep 17 18:34:55 debian pluto[11151]: | certs and keys locked by
>> 'free_preshared_secrets'
>>
>> Sep 17 18:34:55 debian pluto[11151]: | certs and keys unlocked by
>> 'free_preshard_secrets'
>>
>> Sep 17 18:34:55 debian pluto[11151]: loading secrets from
>> "/etc/ipsec.secrets"
>>
>> Sep 17 18:34:55 debian pluto[11151]:   loaded PSK secret for
>> 192.168.0.20 %any
>>
>> Sep 17 18:34:55 debian pluto[11151]: | certs and keys locked by
>> 'process_secret'
>>
>> Sep 17 18:34:55 debian pluto[11151]: | certs and keys unlocked by
>> 'process_secrets'
>>
>> Sep 17 18:34:55 debian pluto[11151]: | next event EVENT_REINIT_SECRET in
>> 3600 seconds
>>
>> Sep 17 18:34:55 debian ipsec_starter[11150]: charon (11162) started
>> after 40 ms
>>
>> Sep 17 18:34:55 debian pluto[11151]: |
>>
>> Sep 17 18:34:55 debian pluto[11151]: | *received whack message
>>
>> Sep 17 18:34:55 debian pluto[11151]: | from whack: got --esp=aes128-sha1
>>
>> Sep 17 18:34:55 debian pluto[11151]: | esp proposal:
>> AES_CBC_128/HMAC_SHA1,
>>
>> Sep 17 18:34:55 debian pluto[11151]: | from whack: got
>> --ike=aes128-sha-modp1024
>>
>> Sep 17 18:34:55 debian pluto[11151]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_1024,
>>
>> Sep 17 18:34:55 debian pluto[11151]: *added connection description "l2tp-psk-nat"*
>>
>> Sep 17 18:34:55 debian pluto[11151]: | 88.185.173.199/32===192.168.0.20[192.168.0.20]:17/1701---192.168.0.254...%any[%any]:17/%any
>>
>>
>> Sep 17 18:34:55 debian pluto[11151]: | ike_life: 10800s; ipsec_life:
>> 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3; policy:
>> PSK+ENCRYPT+DONTREKEY
>>
>> Sep 17 18:34:55 debian pluto[11151]: | next event EVENT_REINIT_SECRET in
>> 3600 seconds
>>
>>
>>
>> *auth.log when a client tries to connect:*
>>
>>
>>
>> Sep 17 18:37:27 debian pluto[11151]: |
>>
>> Sep 17 18:37:27 debian pluto[11151]: | *received 300 bytes from
>> 84.78.198.299:500 on eth0
>>
>> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
>> received Vendor ID payload [RFC 3947]
>>
>> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
>>
>> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
>>
>> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
>>
>> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
>>
>> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
>>
>> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
>>
>> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
>>
>> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
>>
>> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>>
>> Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
>> received Vendor ID payload [Dead Peer Detection]
>>
>> Sep 17 18:37:27 debian pluto[11151]: | preparse_isakmp_policy: peer
>> requests PSK authentication
>>
>> Sep 17 18:37:27 debian pluto[11151]: | instantiated "l2tp-psk-nat" for
>> 84.78.198.299
>>
>> Sep 17 18:37:27 debian pluto[11151]: | creating state object #1 at
>> 0xb8d9c320
>>
>> Sep 17 18:37:27 debian pluto[11151]: | ICOOKIE:  96 61 2d 50  c6 46 15 77
>>
>> Sep 17 18:37:27 debian pluto[11151]: | RCOOKIE:  32 f3 92 fa  6c af 23 86
>>
>> Sep 17 18:37:27 debian pluto[11151]: | peer:  54 4e c6 e0
>>
>> Sep 17 18:37:27 debian pluto[11151]: | state hash entry 23
>>
>> Sep 17 18:37:27 debian pluto[11151]: | inserting event EVENT_SO_DISCARD,
>> timeout in 0 seconds for #1
>>
>> Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[1] 84.78.198.299 #1:
>> responding to Main Mode from unknown peer 84.78.198.299
>>
>> Sep 17 18:37:27 debian pluto[11151]: | inserting event EVENT_RETRANSMIT,
>> timeout in 10 seconds for #1
>>
>> Sep 17 18:37:27 debian pluto[11151]: | next event EVENT_RETRANSMIT in 10
>> seconds for #1
>>
>> Sep 17 18:37:27 debian pluto[11151]: |
>>
>> Sep 17 18:37:27 debian pluto[11151]: | *received 228 bytes from
>> 84.78.198.299:500 on eth0
>>
>> Sep 17 18:37:27 debian pluto[11151]: | ICOOKIE:  96 61 2d 50  c6 46 15 77
>>
>> Sep 17 18:37:27 debian pluto[11151]: | RCOOKIE:  32 f3 92 fa  6c af 23 86
>>
>> Sep 17 18:37:27 debian pluto[11151]: | peer:  54 4e c6 e0
>>
>> Sep 17 18:37:27 debian pluto[11151]: | state hash entry 23
>>
>> Sep 17 18:37:27 debian pluto[11151]: | state object #1 found, in
>> STATE_MAIN_R1
>>
>> Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[1] 84.78.198.299 #1:
>> NAT-Traversal: Result using RFC 3947: both are NATed
>>
>> Sep 17 18:37:27 debian pluto[11151]: | inserting event
>> EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
>>
>> Sep 17 18:37:27 debian pluto[11151]: | inserting event EVENT_RETRANSMIT,
>> timeout in 10 seconds for #1
>>
>> Sep 17 18:37:27 debian pluto[11151]: | next event EVENT_RETRANSMIT in 10
>> seconds for #1
>>
>> Sep 17 18:37:27 debian pluto[11151]: |
>>
>> Sep 17 18:37:27 debian pluto[11151]: | *received 100 bytes from
>> 84.78.198.299:4501 on eth0
>>
>> Sep 17 18:37:27 debian pluto[11151]: | ICOOKIE:  96 61 2d 50  c6 46 15 77
>>
>> Sep 17 18:37:27 debian pluto[11151]: | RCOOKIE:  32 f3 92 fa  6c af 23 86
>>
>> Sep 17 18:37:27 debian pluto[11151]: | peer:  54 4e c6 e0
>>
>> Sep 17 18:37:27 debian pluto[11151]: | state hash entry 23
>>
>> Sep 17 18:37:27 debian pluto[11151]: | state object #1 found, in
>> STATE_MAIN_R2
>>
>> Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[1] 84.78.198.299 #1:
>> ignoring informational payload, type IPSEC_INITIAL_CONTACT
>>
>> Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[1] 84.78.198.299 #1:
>> Peer ID is ID_IPV4_ADDR: '192.168.1.110'
>>
>> Sep 17 18:37:27 debian pluto[11151]: | peer CA:      %none
>>
>> Sep 17 18:37:27 debian pluto[11151]: | l2tp-psk-nat:  no match (id: no,
>> auth: ok, trust: ok, request: ok, prio: 2048)
>>
>> Sep 17 18:37:27 debian pluto[11151]: | l2tp-psk-nat: full match (id: ok,
>> auth: ok, trust: ok, request: ok, prio: 1216)
>>
>> Sep 17 18:37:27 debian pluto[11151]: | offered CA:   %none
>>
>> Sep 17 18:37:27 debian pluto[11151]: | switched from "l2tp-psk-nat" to
>> "l2tp-psk-nat"
>>
>> Sep 17 18:37:27 debian pluto[11151]: | instantiated "l2tp-psk-nat" for
>> 84.78.198.299
>>
>> Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[2] 84.78.198.299 #1:
>> deleting connection "l2tp-psk-nat" instance with peer 84.78.198.299
>> {isakmp=#0/ipsec=#0}
>>
>> Sep 17 18:37:27 debian pluto[11151]: | certs and keys locked by
>> 'delete_connection'
>>
>> Sep 17 18:37:27 debian pluto[11151]: | certs and keys unlocked by
>> 'delete_connection'
>>
>> Sep 17 18:37:27 debian pluto[11151]: | *NAT-T:* new mapping 84.78.198.299:500/4501)
>>
>> Sep 17 18:37:27 debian pluto[11151]: | inserting event EVENT_SA_EXPIRE,
>> timeout in 3600 seconds for #1
>>
>> Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[2]
>> 84.78.198.299:4501 #1: sent MR3, ISAKMP SA established
>>
>> Sep 17 18:37:27 debian pluto[11151]: | next event EVENT_NAT_T_KEEPALIVE
>> in 20 seconds
>>
>> Sep 17 18:37:28 debian pluto[11151]: |
>>
>> Sep 17 18:37:28 debian pluto[11151]: | *received 252 bytes from
>> 84.78.198.299:4501 on eth0
>>
>> Sep 17 18:37:28 debian pluto[11151]: | ICOOKIE:  96 61 2d 50  c6 46 15 77
>>
>> Sep 17 18:37:28 debian pluto[11151]: | RCOOKIE:  32 f3 92 fa  6c af 23 86
>>
>> Sep 17 18:37:28 debian pluto[11151]: | peer:  54 4e c6 e0
>>
>> Sep 17 18:37:28 debian pluto[11151]: | state hash entry 23
>>
>> Sep 17 18:37:28 debian pluto[11151]: | state object not found
>>
>> Sep 17 18:37:28 debian pluto[11151]: | ICOOKIE:  96 61 2d 50  c6 46 15 77
>>
>> Sep 17 18:37:28 debian pluto[11151]: | RCOOKIE:  32 f3 92 fa  6c af 23 86
>>
>> Sep 17 18:37:28 debian pluto[11151]: | peer:  54 4e c6 e0
>>
>> Sep 17 18:37:28 debian pluto[11151]: | state hash entry 23
>>
>> Sep 17 18:37:28 debian pluto[11151]: | state object #1 found, in
>> STATE_MAIN_R3
>>
>> Sep 17 18:37:28 debian pluto[11151]: | peer client is 192.168.1.110
>>
>> Sep 17 18:37:28 debian pluto[11151]: | peer client protocol/port is
>> 17/53734
>>
>> Sep 17 18:37:28 debian pluto[11151]: | our client is 88.185.173.199
>>
>> Sep 17 18:37:28 debian pluto[11151]: | our client protocol/port is 17/1701
>>
>> Sep 17 18:37:28 debian pluto[11151]: | find_client_connection starting
>> with l2tp-psk-nat
>>
>> Sep 17 18:37:28 debian pluto[11151]: |   looking for 88.185.173.199/32:17/1701 -> 192.168.1.110/32:17/53734
>>
>> Sep 17 18:37:28 debian pluto[11151]: |   concrete checking against sr#0 88.185.173.199/32 -> 84.78.198.299/32
>>
>> Sep 17 18:37:28 debian pluto[11151]: |   fc_try trying l2tp-psk-nat:88.185.173.199/32:17/1701 -> 192.168.1.110/32:17/0 vs l2tp-psk-nat:88.185.173.199/32:17/1701 -> 84.78.198.299/32:17/0
>>
>> Sep 17 18:37:28 debian pluto[11151]: |   fc_try concluding with none [0]
>>
>> Sep 17 18:37:28 debian pluto[11151]: |   fc_try l2tp-psk-nat gives none
>>
>> Sep 17 18:37:28 debian pluto[11151]: |   checking hostpair 88.185.173.199/32 -> 84.78.198.299/32 is found
>>
>> Sep 17 18:37:28 debian pluto[11151]: |   fc_try trying l2tp-psk-nat:88.185.173.199/32:17/1701 -> 192.168.1.110/32:17/0 vs l2tp-psk-nat:88.185.173.199/32:17/1701 -> 0.0.0.0/32:17/0
>>
>> Sep 17 18:37:28 debian pluto[11151]: |   fc_try concluding with none [0]
>>
>> Sep 17 18:37:28 debian pluto[11151]: |   fc_try_oppo trying l2tp-psk-nat:88.185.173.199/32 -> 192.168.1.110/32 vs l2tp-psk-nat:88.185.173.199/32 -> 0.0.0.0/32
>>
>> Sep 17 18:37:28 debian pluto[11151]: |   fc_try_oppo concluding with none [0]
>>
>> Sep 17 18:37:28 debian pluto[11151]: |   concluding with d = none
>>
>> Sep 17 18:37:28 debian pluto[11151]: "l2tp-psk-nat"[2] 84.78.198.299:4501 #1: cannot respond to IPsec SA request because no connection is known for 88.185.173.199/32===192.168.0.20:4500[192.168.0.20]:17/1701...84.78.198.299:4501[192.168.1.110]:17/%any===192.168.1.110/32
>>
>>
>> Sep 17 18:37:28 debian pluto[11151]: "l2tp-psk-nat"[2]
>> 84.78.198.299:4501 #1: sending encrypted notification
>> INVALID_ID_INFORMATION to 84.78.198.299:4501
>>
>> Sep 17 18:37:28 debian pluto[11151]: | state transition function for
>> STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
>>
>> Sep 17 18:37:28 debian pluto[11151]: | next event EVENT_NAT_T_KEEPALIVE
>> in 19 seconds
>>
>> Sep 17 18:37:31 debian pluto[11151]: |
>>
>> Sep 17 18:37:31 debian pluto[11151]: | *received 252 bytes from
>> 84.78.198.299:4501 on eth0
>>
>> Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE:  96 61 2d 50  c6 46 15 77
>>
>> Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE:  32 f3 92 fa  6c af 23 86
>>
>> Sep 17 18:37:31 debian pluto[11151]: | peer:  54 4e c6 e0
>>
>> Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
>>
>> Sep 17 18:37:31 debian pluto[11151]: | state object not found
>>
>> Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE:  96 61 2d 50  c6 46 15 77
>>
>> Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE:  32 f3 92 fa  6c af 23 86
>>
>> Sep 17 18:37:31 debian pluto[11151]: | peer:  54 4e c6 e0
>>
>> Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
>>
>> Sep 17 18:37:31 debian pluto[11151]: | state object #1 found, in
>> STATE_MAIN_R3
>>
>> Sep 17 18:37:31 debian pluto[11151]: "l2tp-psk-nat"[2]
>> 84.78.198.299:4501 #1: Quick Mode I1 message is unacceptable because it
>> uses a previously used Message ID 0x767ae29b (perhaps this is a
>> duplicated packet)
>>
>> Sep 17 18:37:31 debian pluto[11151]: "l2tp-psk-nat"[2]
>> 84.78.198.299:4501 #1: sending encrypted notification INVALID_MESSAGE_ID
>> to 84.78.198.299:4501
>>
>> Sep 17 18:37:31 debian pluto[11151]: | next event EVENT_NAT_T_KEEPALIVE
>> in 16 seconds
>>
>> Sep 17 18:37:31 debian pluto[11151]: |
>>
>> Sep 17 18:37:31 debian pluto[11151]: | *received 84 bytes from
>> 84.78.198.299:4501 on eth0
>>
>> Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE:  96 61 2d 50  c6 46 15 77
>>
>> Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE:  32 f3 92 fa  6c af 23 86
>>
>> Sep 17 18:37:31 debian pluto[11151]: | peer:  54 4e c6 e0
>>
>> Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
>>
>> Sep 17 18:37:31 debian pluto[11151]: | state object #1 found, in
>> STATE_MAIN_R3
>>
>> Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE:  96 61 2d 50  c6 46 15 77
>>
>> Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE:  32 f3 92 fa  6c af 23 86
>>
>> Sep 17 18:37:31 debian pluto[11151]: | peer:  54 4e c6 e0
>>
>> Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
>>
>> Sep 17 18:37:31 debian pluto[11151]: | state object #1 found, in
>> STATE_MAIN_R3
>>
>> Sep 17 18:37:31 debian pluto[11151]: "l2tp-psk-nat"[2]
>> 84.78.198.299:4501 #1: received Delete SA payload: deleting ISAKMP State
>> #1
>>
>> Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE:  96 61 2d 50  c6 46 15 77
>>
>> Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE:  32 f3 92 fa  6c af 23 86
>>
>> Sep 17 18:37:31 debian pluto[11151]: | peer:  54 4e c6 e0
>>
>> Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
>>
>> Sep 17 18:37:31 debian pluto[11151]: "l2tp-psk-nat"[2]
>> 84.78.198.299:4501: deleting connection "l2tp-psk-nat" instance with
>> peer 84.78.198.299 {isakmp=#0/ipsec=#0}
>>
>> Sep 17 18:37:31 debian pluto[11151]: | certs and keys locked by
>> 'delete_connection'
>>
>> Sep 17 18:37:31 debian pluto[11151]: | certs and keys unlocked by
>> 'delete_connection'
>>
>> Sep 17 18:37:31 debian pluto[11151]: | next event EVENT_NAT_T_KEEPALIVE
>> in 16 seconds
>>
>> Sep 17 18:37:47 debian pluto[11151]: |
>>
>> Sep 17 18:37:47 debian pluto[11151]: | *time to handle event
>>
>>
>> So here I am, I really tried the best I can, but I'm running out of
>> ideas :((( I underlined in the latest log what I think is going
>> wrong, but although it seems to be a NAT problem, everything is
>> NATed correctly on the ADSL router:
>>
>> the ports 1701, 4500, 500 in UDP are well NATed to my VPN server. Any
>> ideas, any suggestions will be more than welcome ;)
>>
>> Thanks a lot in advance for your precious help and sorry for the amount
>> of logs, but the higher the debug level of the logs, the easier it is
>> to find out what is going wrong ;)
>>
>> Best Regards
>>
>> Steve
>>
>>
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>
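The line that ends both of Steve's attempts, "cannot respond to IPsec SA request because no connection is known for ...", is pluto rejecting a Quick Mode request whose traffic selectors match no configured conn; everything needed to see which selector failed is packed into that one string. The script below is an added example for this thread, not strongSwan or Openswan code: it splits the logged selector string into its parts and attaches findings explaining the mismatch. SAMPLE_LINE is constructed (documentation addresses 198.51.100.10 and 203.0.113.45 stand in for the public side; the private addresses are the thread's), and the `diagnose` checks are my own heuristics, not pluto's connection-matching logic.

```python
"""Split pluto's "cannot respond to IPsec SA request because no connection is
known for ..." line into its selector parts and explain why nothing matched.

Added example for this thread; not strongSwan or Openswan code. SAMPLE_LINE is
constructed with documentation addresses (198.51.100.10, 203.0.113.45) for the
public side and the thread's private addresses; the findings are my own
heuristics, not pluto's connection-matching logic.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# pluto prints the rejected request as
#   LCLIENT===LHOST[:port][LID]:proto/port...RHOST[:port][RID]:proto/port===RCLIENT
_NO_CONN_RE = re.compile(
    r'"(?P<conn>[^"]+)"(?:\[\d+\])?\s+\S+\s+#\d+: cannot respond to IPsec SA '
    r'request because no connection is known for '
    r'(?P<lclient>[^=\s]+)==='
    r'(?P<lhost>[^\[:\s]+)(?::(?P<lport>\d+))?\[(?P<lid>[^\]]*)\]:(?P<lpp>[^.\s]+)'
    r'\.\.\.'
    r'(?P<rhost>[^\[:\s]+)(?::(?P<rport>\d+))?\[(?P<rid>[^\]]*)\]:(?P<rpp>[^=\s]+)'
    r'===(?P<rclient>\S+)'
)

# constructed: same shape as the thread's line, public addresses replaced
SAMPLE_LINE = (
    'Sep 17 18:37:28 debian pluto[11151]: "l2tp-psk-nat"[2] 203.0.113.45:4501 #1: '
    'cannot respond to IPsec SA request because no connection is known for '
    '198.51.100.10/32===192.168.0.20:4500[192.168.0.20]:17/1701'
    '...203.0.113.45:4501[192.168.1.110]:17/%any===192.168.1.110/32'
)
# the thread's line as posted: 84.78.198.299 is not a valid IPv4 address
POSTED_LINE = (
    'Sep 17 18:37:28 debian pluto[11151]: "l2tp-psk-nat"[2] 84.78.198.299:4501 #1: '
    'cannot respond to IPsec SA request because no connection is known for '
    '88.185.173.199/32===192.168.0.20:4500[192.168.0.20]:17/1701'
    '...84.78.198.299:4501[192.168.1.110]:17/%any===192.168.1.110/32'
)


@dataclass
class RejectedRequest:
    conn: str
    left_client: str            # selector proposed for the local side
    left_host: str              # local IKE endpoint
    left_port: Optional[str]    # 4500 once NAT-T has floated
    left_protoport: str
    right_host: str             # peer's address as seen on the wire
    right_port: Optional[str]
    right_id: str               # IKE identity the peer sent
    right_protoport: str
    right_client: str           # selector the peer proposed for itself
    findings: List[str] = field(default_factory=list)


def parse_no_connection(line: str) -> Optional[RejectedRequest]:
    """Return the selectors from a 'no connection is known for' line, else None."""
    m = _NO_CONN_RE.search(line)
    if m is None:
        return None
    return RejectedRequest(
        conn=m["conn"], left_client=m["lclient"], left_host=m["lhost"],
        left_port=m["lport"], left_protoport=m["lpp"], right_host=m["rhost"],
        right_port=m["rport"], right_id=m["rid"], right_protoport=m["rpp"],
        right_client=m["rclient"],
    )


def diagnose(req: RejectedRequest) -> RejectedRequest:
    """Attach findings that explain the selector mismatch (heuristic)."""
    try:
        lclient = ipaddress.ip_network(req.left_client, strict=False)
        lhost = ipaddress.ip_address(req.left_host)
        rclient = ipaddress.ip_network(req.right_client, strict=False)
        rhost = ipaddress.ip_address(req.right_host)
    except ValueError as exc:
        # e.g. an address edited by hand before posting to a list
        req.findings.append(f"unparseable address in request: {exc}")
        return req

    if req.left_port == "4500" or req.right_port is not None:
        req.findings.append("NAT-T active: IKE has floated to UDP 4500")

    # A conn with no rightsubnet only matches the peer's wire address as its
    # client; a NATed peer proposes its private address instead.
    if rclient.num_addresses == 1 and rclient.network_address != rhost:
        kind = "private" if rclient.is_private else "non-wire"
        req.findings.append(
            f"peer proposed {kind} client selector {req.right_client} but its "
            f"wire address is {req.right_host}: rightsubnet must admit that address"
        )

    if lhost not in lclient:
        req.findings.append(
            f"leftsubnet {req.left_client} does not contain the local address "
            f"{req.left_host} (set to the NAT gateway's public address?)"
        )
    return req


if __name__ == "__main__":
    for line in (SAMPLE_LINE, POSTED_LINE):
        req = parse_no_connection(line)
        if req is not None:
            for finding in diagnose(req).findings:
                print(f"{req.conn}: {finding}")
```

On the constructed line the script reports the situation the thread shows: NAT-T has floated to 4500, the OS X client behind NAT proposes its private address 192.168.1.110/32 as its own selector while the conn's right side, having no subnet, only matches the wire address, and leftsubnet names the public address rather than the host's own 192.168.0.20. Which knob admits the peer's private selector depends on the daemon: Openswan's ipsec.conf(5) uses the `rightsubnet=vhost:%priv,%no` idiom and strongSwan 4's pluto documented `rightsubnetwithin` for it; the script only names the mismatch. Run on the line exactly as posted it stops at "unparseable address", because 84.78.198.299 is not a valid IPv4 address, which is worth noticing before spending time on a log whose addresses were edited before posting.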