[Openswan Users] openswan and Mac OS X 10.8.2 problem

Pavel Kopchyk pkopchyk at gmail.com
Mon Jan 14 08:07:29 EST 2013


Hello,

I use Openswan Version 2.6.39dr3 (KLIPS/mast stack, kernel 3.2.36).

Configs from
http://git.openswan.org/cgi-bin/cgit/openswan/tree/programs/examples

But when the first client is connected with a certificate (authby=rsasig),
the second cannot connect with a password (authby=secret). And vice versa.

Log from Server TEST:
+++ Client 1 (cert) connected
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received
Vendor ID payload [RFC 3947] method set to=115
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using
method 115
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already
using method 115
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already
using method 115
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already
using method 115
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already
using method 115
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already
using method 115
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already
using method 115
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already
using method 115
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already
using method 115
Jan 14 13:49:07 TEST pluto[6533]: packet from 213.77.XX.XX:500: received
Vendor ID payload [Dead Peer Detection]
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114:
responding to Main Mode from unknown peer 213.77.XX.XX
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114:
STATE_MAIN_R1: sent MR1, expecting MI2
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is
NATed
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114:
STATE_MAIN_R2: sent MR2, expecting MI3
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114:
ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114:
Main mode peer ID is ID_DER_ASN1_DN: 'C=XX, E=ca at test.lan'
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114: no
crl from issuer "O=TEST, CN=Test VPN CA, E=ca at test.lan" found (strict=no)
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114:
multiple ipsec.secrets entries with distinct secrets match endpoints: first
secret used
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114:
switched from "L2TP-CERT-NAT" to "L2TP-CERT-NAT"
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114:
deleting connection "L2TP-CERT-NAT" instance with peer 213.77.XX.XX
{isakmp=#0/ipsec=#0}
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114: I
am sending my cert
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114:
new NAT mapping for #114, was 213.77.XX.XX:500, now 213.77.XX.XX:4500
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114:
Dead Peer Detection (RFC 3706): enabled
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114:
the peer proposed: 80.77.XX.YY/32:17/1701 -> 172.16.237.185/32:17/0
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114:
NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115:
responding to Quick Mode proposal {msgid:a5978880}
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115:
us: 80.77.XX.YY<80.77.XX.YY>[@TEST.test.lan]:17/1701
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115:
them: 213.77.XX.XX[C=XX, E=ca at test.lan]:17/63668===172.16.237.185/32
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115:
Dead Peer Detection (RFC 3706): enabled
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115:
STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x063692b9
<0x77b7c96c xfrm=AES_256-HMAC_SHA1 NATOA=172.16.237.185
NATD=213.77.XX.XX:4500 DPD=enabled}

+++ Client 2 (PSK) tries to connect
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [RFC 3947] method set to=115
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using
method 115
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already
using method 115
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already
using method 115
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already
using method 115
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already
using method 115
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already
using method 115
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already
using method 115
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already
using method 115
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already
using method 115
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: ignoring
Vendor ID payload [FRAGMENTATION 80000000]
Jan 14 13:49:15 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [Dead Peer Detection]
Jan 14 13:49:15 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #116:
responding to Main Mode from unknown peer 213.77.XX.XX
Jan 14 13:49:15 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #116:
policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute
OAKLEY_AUTHENTICATION_METHOD
Jan 14 13:49:16 TEST last message repeated 5 times
Jan 14 13:49:16 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #116: no
acceptable Oakley Transform
Jan 14 13:49:16 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #116:
sending notification NO_PROPOSAL_CHOSEN to 213.77.XX.XX:1
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [RFC 3947] method set to=115
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using
method 115
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already
using method 115
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already
using method 115
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already
using method 115
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already
using method 115
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already
using method 115
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already
using method 115
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already
using method 115
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already
using method 115
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: ignoring
Vendor ID payload [FRAGMENTATION 80000000]
Jan 14 13:49:18 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [Dead Peer Detection]
Jan 14 13:49:18 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #117:
responding to Main Mode from unknown peer 213.77.XX.XX
Jan 14 13:49:19 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #117:
policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute
OAKLEY_AUTHENTICATION_METHOD
Jan 14 13:49:19 TEST last message repeated 5 times
Jan 14 13:49:19 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #117: no
acceptable Oakley Transform
Jan 14 13:49:19 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #117:
sending notification NO_PROPOSAL_CHOSEN to 213.77.XX.XX:1
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [RFC 3947] method set to=115
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using
method 115
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already
using method 115
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already
using method 115
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already
using method 115
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already
using method 115
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already
using method 115
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already
using method 115
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already
using method 115
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already
using method 115
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: ignoring
Vendor ID payload [FRAGMENTATION 80000000]
Jan 14 13:49:21 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [Dead Peer Detection]
Jan 14 13:49:21 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #118:
responding to Main Mode from unknown peer 213.77.XX.XX
Jan 14 13:49:22 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #118:
policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute
OAKLEY_AUTHENTICATION_METHOD
Jan 14 13:49:22 TEST last message repeated 5 times
Jan 14 13:49:22 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #118: no
acceptable Oakley Transform
Jan 14 13:49:22 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #118:
sending notification NO_PROPOSAL_CHOSEN to 213.77.XX.XX:1
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [RFC 3947] method set to=115
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using
method 115
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already
using method 115
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already
using method 115
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already
using method 115
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already
using method 115
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already
using method 115
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already
using method 115
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already
using method 115
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already
using method 115
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: ignoring
Vendor ID payload [FRAGMENTATION 80000000]
Jan 14 13:49:24 TEST pluto[6533]: packet from 213.77.XX.XX:1: received
Vendor ID payload [Dead Peer Detection]
Jan 14 13:49:24 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #119:
responding to Main Mode from unknown peer 213.77.XX.XX
Jan 14 13:49:25 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #119:
policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute
OAKLEY_AUTHENTICATION_METHOD
Jan 14 13:49:25 TEST last message repeated 5 times
Jan 14 13:49:25 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #119: no
acceptable Oakley Transform
Jan 14 13:49:25 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #119:
sending notification NO_PROPOSAL_CHOSEN to 213.77.XX.XX:1


Best regards

Pavel
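In the log above, the PSK client's Main Mode is answered under the "L2TP-CERT-NAT" instance, which then logs "policy does not allow OAKLEY_PRESHARED_KEY authentication" and sends NO_PROPOSAL_CHOSEN. The following is an added example, not code from the post or from the Openswan project: a small Python triage script that groups pluto lines by ISAKMP state number, records which connection instance each state was matched to and which authentication method was accepted or rejected, and folds syslog's "last message repeated N times" lines back into the count. The regular expressions are assumptions derived from the quoted log format, and the embedded sample is a constructed, condensed excerpt in the same format.

```python
"""Triage helper for Openswan pluto logs (added example, not Openswan code).

Groups messages by ISAKMP state number (#NNN), tracks the connection
instance each negotiation was matched to, and reports which auth method
was accepted or rejected.  Regexes are assumptions based on the quoted log.
"""
import re
from collections import OrderedDict

# Constructed sample: condensed excerpt in the same format as the post's log.
SAMPLE_LOG = """\
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114: responding to Main Mode from unknown peer 213.77.XX.XX
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[43] 213.77.XX.XX #114: Main mode peer ID is ID_DER_ASN1_DN: 'C=XX, E=ca at test.lan'
Jan 14 13:49:07 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #114: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 14 13:49:08 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #115: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x063692b9 <0x77b7c96c xfrm=AES_256-HMAC_SHA1 NATOA=172.16.237.185 NATD=213.77.XX.XX:4500 DPD=enabled}
Jan 14 13:49:15 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #116: responding to Main Mode from unknown peer 213.77.XX.XX
Jan 14 13:49:15 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #116: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Jan 14 13:49:16 TEST last message repeated 5 times
Jan 14 13:49:16 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #116: no acceptable Oakley Transform
Jan 14 13:49:16 TEST pluto[6533]: "L2TP-CERT-NAT"[44] 213.77.XX.XX #116: sending notification NO_PROPOSAL_CHOSEN to 213.77.XX.XX:1
"""

TS = r'(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
PLUTO_RE = re.compile(TS + r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? '
                      r'(?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
REPEAT_RE = re.compile(TS + r'last message repeated (?P<n>\d+) times$')
ESTABLISHED_RE = re.compile(r'ISAKMP SA established \{auth=(?P<auth>\w+)')
REJECT_RE = re.compile(r'policy does not allow (?P<auth>\w+) authentication')
NOTIFY_RE = re.compile(r'sending notification (?P<notify>\w+) to')
PEER_ID_RE = re.compile(r"Main mode peer ID is (?P<kind>\w+): '(?P<id>[^']*)'")


def _new_state(conn, inst, peer):
    return {'conn': conn, 'inst': inst, 'peer': peer, 'peer_id': None,
            'auth': None, 'rejected_auth': None, 'rejections': 0,
            'notification': None, 'ipsec_sa': False}


def parse_pluto_log(text):
    """Return an OrderedDict keyed by ISAKMP state number with per-state facts."""
    states = OrderedDict()
    last_rejection_state = None  # state whose most recent line was an auth rejection
    for line in text.splitlines():
        rep = REPEAT_RE.match(line)
        if rep:
            # syslog collapsed N identical copies of the previous line
            if last_rejection_state is not None:
                states[last_rejection_state]['rejections'] += int(rep.group('n'))
            continue
        m = PLUTO_RE.match(line)
        if not m:
            continue  # "packet from ..." lines carry no state number
        num = int(m.group('state'))
        inst = int(m.group('inst')) if m.group('inst') else None
        st = states.setdefault(num, _new_state(m.group('conn'), inst, m.group('peer')))
        # pluto can switch a state to another connection instance mid-negotiation,
        # so always record the most recent conn/instance the state was handled under
        st['conn'], st['inst'] = m.group('conn'), inst
        msg = m.group('msg')
        last_rejection_state = None
        rej, est = REJECT_RE.search(msg), ESTABLISHED_RE.search(msg)
        ntf, pid = NOTIFY_RE.search(msg), PEER_ID_RE.search(msg)
        if rej:
            st['rejected_auth'] = rej.group('auth')
            st['rejections'] += 1
            last_rejection_state = num
        elif est:
            st['auth'] = est.group('auth')
        elif ntf:
            st['notification'] = ntf.group('notify')
        elif pid:
            st['peer_id'] = pid.group('id')
        elif 'IPsec SA established' in msg:
            st['ipsec_sa'] = True
    return states


def find_auth_mismatches(states):
    """States where the peer proposed an auth method the matched conn forbids."""
    return [dict(state=num, **st) for num, st in states.items() if st['rejected_auth']]


def report(states):
    """One human-readable line per state that either established or was rejected."""
    lines = []
    for num, st in states.items():
        label = st['conn'] if st['inst'] is None else f"{st['conn']}[{st['inst']}]"
        if st['rejected_auth']:
            lines.append(f"#{num}: {label} from {st['peer']} rejected {st['rejected_auth']} "
                         f"x{st['rejections']} -> {st['notification']}")
        elif st['auth']:
            lines.append(f"#{num}: {label} from {st['peer']} established with {st['auth']} "
                         f"(peer ID {st['peer_id']!r})")
    return lines


if __name__ == '__main__':
    for entry in report(parse_pluto_log(SAMPLE_LOG)):
        print(entry)
```

Run it against a real `/var/log/auth.log` or `/var/log/secure` excerpt by passing the file contents to `parse_pluto_log`; a rejected state that shares a connection name with an established one from the same NATed peer address is the pattern to look for, since it shows which connection instance pluto selected before it evaluated the peer's authentication method.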