[strongSwan] strongswan-4-4.1 +xl2tp/psk + OSX native client => no connection is known
Jthemovie
jthemovie at gmail.com
Tue Sep 18 11:10:58 CEST 2012
Hi all,
I think I really did my best, but even after having read so (too) much of
the mailing list, I end up posting here :)
To sum up quickly:
OS running strongswan: Debian 6.0.3
I installed strongswan this way:
apt-get install build-essential fakeroot dpkg-dev devscripts
apt-get source strongswan
apt-get install libcurl4-openssl-dev
apt-get build-dep strongswan
vi strongswan-4.4.1/debian/rules
/*****[strongswan-4.4.1/debian/rules]******/
CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--libexecdir=/usr/lib \
--enable-ldap --enable-curl \
--with-capabilities=libcap \
--enable-smartcard \
--with-default-pkcs11=/usr/lib/opensc-pkcs11.so \
--enable-mediation --enable-medsrv --enable-medcli \
--enable-openssl --enable-agent \
--enable-eap-radius --enable-eap-identity --enable-eap-md5 \
--enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \
--enable-sql --enable-integrity-test \
--enable-nm --enable-ha --enable-dhcp --enable-farp \
--enable-test-vectors \
*--enable-nat-transport*
/***********/
dpkg-buildpackage -rfakeroot -uc -b
Then installed everything with:
dpkg -i *.deb
Results:
*dpkg -l | grep strong*
ii libstrongswan 4.4.1-5.2
strongSwan utility and crypto library
rc network-manager-strongswan 1.1.2-1
network management framework (strongSwan plugin)
ii strongswan 4.4.1-5.2
IPsec VPN solution metapackage
ii strongswan-dbg 4.4.1-5.2
strongSwan library and binaries - debugging symbols
ii strongswan-ikev1 4.4.1-5.2
strongSwan Internet Key Exchange (v1) daemon
ii strongswan-ikev2 4.4.1-5.2
strongSwan Internet Key Exchange (v2) daemon
ii strongswan-nm 4.4.1-5.2
strongSwan plugin to interact with NetworkManager
ii strongswan-starter 4.4.1-5.2
strongSwan daemon starter and configuration file parser
From here, everything is fine; my setup is the following:
On one side :
Debian strongswan vpn server : 192.168.0.20/24
ADSL Gateway : 192.168.0.254/24
Public IP : 88.185.173.199
On the other side, the client (OSX 10.6.8 native client):
PUBLIC IP : 84.78.198.299
ADSL Gateway : 192.168.1.1/24
OSX Client : 192.168.1.100/24
So, according to some posts in the mailing list, I configured as follows:
*/etc/ipsec.conf*
/*****/******/
config setup
*nat_traversal=yes*
charonstart=yes
plutostart=yes
#higher debug level mode
plutodebug="control controlmore"
conn l2tp-psk-nat
authby=psk
pfs=no
#keyexchange=ikev1
rekey=no
type=transport
#esp=aes128-sha1
#ike=aes128-sha-modp1024
left=%defaultroute
leftsubnet=88.185.173.199/32
leftprotoport=17/1701
rightprotoport=17/%any
auto=add
/***********/
*/etc/ipsec.secrets*
/******chmod 600*****/
192.168.0.20 %any : PSK "mySecretKey"
/***********/
*/etc/xl2tpd/xl2tpd.conf*
/***********/
[global]
debug network = yes
debug tunnel = yes
port = 1701
ipsec saref = no
[lns default]
ip range = 192.168.2.35-192.168.2.39
local ip = 192.168.2.34
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
/***********/
*/etc/ppp/options.xl2tpd*
/***********/
ipcp-accept-local
ipcp-accept-remote
ms-dns 212.27.40.240
noccp
auth
crtscts
idle 1800
mtu 1500
mru 1500
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
/***********/
*/etc/ppp/chap-secrets*
/*****chmod 600******/
# client server secret IP addresses
myUser l2tpd myUserSecret *
/***********/
Log results:
command:
*ipsec statusall*
000 Status of IKEv1 pluto daemon (strongSwan 4.4.1):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.168.0.20:4500
000 interface eth0/eth0 192.168.0.20:500
000 %myid = '%any'
000 loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey
pkcs1 pgp dnskey pem openssl hmac gmp xauth attr resolve
000 debug options: control+controlmore
000
000 "l2tp-psk-nat":
88.185.173.199/32===192.168.0.20[192.168.0.20]:17/1701---192.168.0.254...%any[%any]:17/%any;
unrouted; eroute owner: #0
000 "l2tp-psk-nat": ike_life: 10800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "l2tp-psk-nat": policy: PSK+ENCRYPT+DONTREKEY; prio: 32,32;
interface: eth0;
000 "l2tp-psk-nat": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
Status of IKEv2 charon daemon (strongSwan 4.4.1):
uptime: 12 seconds, since Sep 18 00:32:37 2012
malloc: sbrk 270336, mmap 0, used 175544, free 94792
worker threads: 6 idle of 16, job queue load: 0, scheduled events: 0
loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1
pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr resolve
kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5
eap-gtc eap-mschapv2 nm dhcp
Listening IP addresses:
192.168.0.20
Connections:
Security Associations:
none
*auth.log when I start the service:*
Sep 17 18:34:55 debian ipsec_starter[11137]: Starting strongSwan 4.4.1
IPsec [starter]...
Sep 17 18:34:55 debian pluto[11151]: Starting IKEv1 pluto daemon
(strongSwan 4.4.1) THREADS SMARTCARD VENDORID
Sep 17 18:34:55 debian pluto[11151]: plugin 'test-vectors' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-test-vectors.so: cannot open shared
object file: No such file or directory
Sep 17 18:34:55 debian pluto[11151]: attr-sql plugin: database URI not set
Sep 17 18:34:55 debian pluto[11151]: plugin 'attr-sql': failed to load -
attr_sql_plugin_create returned NULL
Sep 17 18:34:55 debian pluto[11151]: loaded plugins: curl ldap aes des sha1
sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl hmac gmp xauth
attr resolve
Sep 17 18:34:55 debian pluto[11151]: | inserting event EVENT_REINIT_SECRET,
timeout in 3600 seconds
Sep 17 18:34:55 debian pluto[11151]: including NAT-Traversal patch
(Version 0.6c)
Sep 17 18:34:55 debian pluto[11151]: | pkcs11 module
'/usr/lib/opensc-pkcs11.so' loading...
Sep 17 18:34:55 debian pluto[11151]: | pkcs11 module initializing...
Sep 17 18:34:55 debian pluto[11151]: | pkcs11 module loaded and initialized
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 0
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 1
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 2
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 3
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 4
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 5
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 6
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 7
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 8
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 9
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 10
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 11
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 12
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 13
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 14
Sep 17 18:34:55 debian pluto[11151]: no token present in slot 15
Sep 17 18:34:55 debian pluto[11151]: Using Linux 2.6 IPsec interface code
Sep 17 18:34:55 debian ipsec_starter[11150]: pluto (11151) started after 20
ms
Sep 17 18:34:55 debian pluto[11151]: loading ca certificates from
'/etc/ipsec.d/cacerts'
Sep 17 18:34:55 debian pluto[11151]: loading aa certificates from
'/etc/ipsec.d/aacerts'
Sep 17 18:34:55 debian pluto[11151]: loading ocsp certificates from
'/etc/ipsec.d/ocspcerts'
Sep 17 18:34:55 debian pluto[11151]: Changing to directory
'/etc/ipsec.d/crls'
Sep 17 18:34:55 debian pluto[11151]: loading attribute certificates from
'/etc/ipsec.d/acerts'
Sep 17 18:34:55 debian pluto[11151]: | inserting event EVENT_LOG_DAILY,
timeout in 84305 seconds
Sep 17 18:34:55 debian pluto[11151]: | next event EVENT_REINIT_SECRET in
3600 seconds
Sep 17 18:34:55 debian pluto[11151]: |
Sep 17 18:34:55 debian pluto[11151]: | *received whack message
Sep 17 18:34:55 debian pluto[11151]: listening for IKE messages
Sep 17 18:34:55 debian pluto[11151]: | found lo with address 127.0.0.1
Sep 17 18:34:55 debian pluto[11151]: | found eth0 with address 192.168.0.20
Sep 17 18:34:55 debian pluto[11151]: adding interface eth0/eth0
192.168.0.20:500
Sep 17 18:34:55 debian pluto[11151]: adding interface eth0/eth0
192.168.0.20:4500
Sep 17 18:34:55 debian pluto[11151]: adding interface lo/lo 127.0.0.1:500
Sep 17 18:34:55 debian pluto[11151]: adding interface lo/lo 127.0.0.1:4500
Sep 17 18:34:55 debian pluto[11151]: | found lo with address
0000:0000:0000:0000:0000:0000:0000:0001
Sep 17 18:34:55 debian pluto[11151]: adding interface lo/lo ::1:500
Sep 17 18:34:55 debian pluto[11151]: | certs and keys locked by
'free_preshared_secrets'
Sep 17 18:34:55 debian pluto[11151]: | certs and keys unlocked by
'free_preshard_secrets'
Sep 17 18:34:55 debian pluto[11151]: loading secrets from
"/etc/ipsec.secrets"
Sep 17 18:34:55 debian pluto[11151]: loaded PSK secret for 192.168.0.20
%any
Sep 17 18:34:55 debian pluto[11151]: | certs and keys locked by
'process_secret'
Sep 17 18:34:55 debian pluto[11151]: | certs and keys unlocked by
'process_secrets'
Sep 17 18:34:55 debian pluto[11151]: | next event EVENT_REINIT_SECRET in
3600 seconds
Sep 17 18:34:55 debian ipsec_starter[11150]: charon (11162) started after
40 ms
Sep 17 18:34:55 debian pluto[11151]: |
Sep 17 18:34:55 debian pluto[11151]: | *received whack message
Sep 17 18:34:55 debian pluto[11151]: | from whack: got --esp=aes128-sha1
Sep 17 18:34:55 debian pluto[11151]: | esp proposal: AES_CBC_128/HMAC_SHA1,
Sep 17 18:34:55 debian pluto[11151]: | from whack: got
--ike=aes128-sha-modp1024
Sep 17 18:34:55 debian pluto[11151]: | ike proposal:
AES_CBC_128/HMAC_SHA1/MODP_1024,
Sep 17 18:34:55 debian pluto[11151]: *added connection description
"l2tp-psk-nat"*
Sep 17 18:34:55 debian pluto[11151]: |
88.185.173.199/32===192.168.0.20[192.168.0.20]:17/1701---192.168.0.254...%any[%any]:17/%any
Sep 17 18:34:55 debian pluto[11151]: | ike_life: 10800s; ipsec_life: 3600s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3; policy:
PSK+ENCRYPT+DONTREKEY
Sep 17 18:34:55 debian pluto[11151]: | next event EVENT_REINIT_SECRET in
3600 seconds
*auth.log when a client tries to connect:*
Sep 17 18:37:27 debian pluto[11151]: |
Sep 17 18:37:27 debian pluto[11151]: | *received 300 bytes from
84.78.198.299:500 on eth0
Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
received Vendor ID payload [RFC 3947]
Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 17 18:37:27 debian pluto[11151]: packet from 84.78.198.299:500:
received Vendor ID payload [Dead Peer Detection]
Sep 17 18:37:27 debian pluto[11151]: | preparse_isakmp_policy: peer
requests PSK authentication
Sep 17 18:37:27 debian pluto[11151]: | instantiated "l2tp-psk-nat" for
84.78.198.299
Sep 17 18:37:27 debian pluto[11151]: | creating state object #1 at
0xb8d9c320
Sep 17 18:37:27 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
Sep 17 18:37:27 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
Sep 17 18:37:27 debian pluto[11151]: | peer: 54 4e c6 e0
Sep 17 18:37:27 debian pluto[11151]: | state hash entry 23
Sep 17 18:37:27 debian pluto[11151]: | inserting event EVENT_SO_DISCARD,
timeout in 0 seconds for #1
Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[1] 84.78.198.299 #1:
responding to Main Mode from unknown peer 84.78.198.299
Sep 17 18:37:27 debian pluto[11151]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #1
Sep 17 18:37:27 debian pluto[11151]: | next event EVENT_RETRANSMIT in 10
seconds for #1
Sep 17 18:37:27 debian pluto[11151]: |
Sep 17 18:37:27 debian pluto[11151]: | *received 228 bytes from
84.78.198.299:500 on eth0
Sep 17 18:37:27 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
Sep 17 18:37:27 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
Sep 17 18:37:27 debian pluto[11151]: | peer: 54 4e c6 e0
Sep 17 18:37:27 debian pluto[11151]: | state hash entry 23
Sep 17 18:37:27 debian pluto[11151]: | state object #1 found, in
STATE_MAIN_R1
Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[1] 84.78.198.299 #1:
NAT-Traversal: Result using RFC 3947: both are NATed
Sep 17 18:37:27 debian pluto[11151]: | inserting event
EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Sep 17 18:37:27 debian pluto[11151]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #1
Sep 17 18:37:27 debian pluto[11151]: | next event EVENT_RETRANSMIT in 10
seconds for #1
Sep 17 18:37:27 debian pluto[11151]: |
Sep 17 18:37:27 debian pluto[11151]: | *received 100 bytes from
84.78.198.299:4501 on eth0
Sep 17 18:37:27 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
Sep 17 18:37:27 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
Sep 17 18:37:27 debian pluto[11151]: | peer: 54 4e c6 e0
Sep 17 18:37:27 debian pluto[11151]: | state hash entry 23
Sep 17 18:37:27 debian pluto[11151]: | state object #1 found, in
STATE_MAIN_R2
Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[1] 84.78.198.299 #1:
ignoring informational payload, type IPSEC_INITIAL_CONTACT
Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[1] 84.78.198.299 #1:
Peer ID is ID_IPV4_ADDR: '192.168.1.110'
Sep 17 18:37:27 debian pluto[11151]: | peer CA: %none
Sep 17 18:37:27 debian pluto[11151]: | l2tp-psk-nat: no match (id: no,
auth: ok, trust: ok, request: ok, prio: 2048)
Sep 17 18:37:27 debian pluto[11151]: | l2tp-psk-nat: full match (id: ok,
auth: ok, trust: ok, request: ok, prio: 1216)
Sep 17 18:37:27 debian pluto[11151]: | offered CA: %none
Sep 17 18:37:27 debian pluto[11151]: | switched from "l2tp-psk-nat" to
"l2tp-psk-nat"
Sep 17 18:37:27 debian pluto[11151]: | instantiated "l2tp-psk-nat" for
84.78.198.299
Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[2] 84.78.198.299 #1:
deleting connection "l2tp-psk-nat" instance with peer 84.78.198.299
{isakmp=#0/ipsec=#0}
Sep 17 18:37:27 debian pluto[11151]: | certs and keys locked by
'delete_connection'
Sep 17 18:37:27 debian pluto[11151]: | certs and keys unlocked by
'delete_connection'
Sep 17 18:37:27 debian pluto[11151]: | *NAT-T: *new mapping
84.78.198.299:500/4501)
Sep 17 18:37:27 debian pluto[11151]: | inserting event EVENT_SA_EXPIRE,
timeout in 3600 seconds for #1
Sep 17 18:37:27 debian pluto[11151]: "l2tp-psk-nat"[2] 84.78.198.299:4501
#1: sent MR3, ISAKMP SA established
Sep 17 18:37:27 debian pluto[11151]: | next event EVENT_NAT_T_KEEPALIVE in
20 seconds
Sep 17 18:37:28 debian pluto[11151]: |
Sep 17 18:37:28 debian pluto[11151]: | *received 252 bytes from
84.78.198.299:4501 on eth0
Sep 17 18:37:28 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
Sep 17 18:37:28 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
Sep 17 18:37:28 debian pluto[11151]: | peer: 54 4e c6 e0
Sep 17 18:37:28 debian pluto[11151]: | state hash entry 23
Sep 17 18:37:28 debian pluto[11151]: | state object not found
Sep 17 18:37:28 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
Sep 17 18:37:28 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
Sep 17 18:37:28 debian pluto[11151]: | peer: 54 4e c6 e0
Sep 17 18:37:28 debian pluto[11151]: | state hash entry 23
Sep 17 18:37:28 debian pluto[11151]: | state object #1 found, in
STATE_MAIN_R3
Sep 17 18:37:28 debian pluto[11151]: | peer client is 192.168.1.110
Sep 17 18:37:28 debian pluto[11151]: | peer client protocol/port is 17/53734
Sep 17 18:37:28 debian pluto[11151]: | our client is 88.185.173.199
Sep 17 18:37:28 debian pluto[11151]: | our client protocol/port is 17/1701
Sep 17 18:37:28 debian pluto[11151]: | find_client_connection starting with
l2tp-psk-nat
Sep 17 18:37:28 debian pluto[11151]: | looking for
88.185.173.199/32:17/1701 -> 192.168.1.110/32:17/53734
Sep 17 18:37:28 debian pluto[11151]: | concrete checking against sr#0
88.185.173.199/32 -> 84.78.198.299/32
Sep 17 18:37:28 debian pluto[11151]: | fc_try trying l2tp-psk-nat:
88.185.173.199/32:17/1701 -> 192.168.1.110/32:17/0vs l2tp-psk-nat:
88.185.173.199/32:17/1701 -> 84.78.198.299/32:17/0
Sep 17 18:37:28 debian pluto[11151]: | fc_try concluding with none [0]
Sep 17 18:37:28 debian pluto[11151]: | fc_try l2tp-psk-nat gives none
Sep 17 18:37:28 debian pluto[11151]: | checking hostpair 88.185.173.199/32 ->
84.78.198.299/32 is found
Sep 17 18:37:28 debian pluto[11151]: | fc_try trying l2tp-psk-nat:
88.185.173.199/32:17/1701 -> 192.168.1.110/32:17/0vs l2tp-psk-nat:
88.185.173.199/32:17/1701 -> 0.0.0.0/32:17/0
Sep 17 18:37:28 debian pluto[11151]: | fc_try concluding with none [0]
Sep 17 18:37:28 debian pluto[11151]: | fc_try_oppo trying l2tp-psk-nat:
88.185.173.199/32 -> 192.168.1.110/32 vs l2tp-psk-nat:88.185.173.199/32 ->
0.0.0.0/32
Sep 17 18:37:28 debian pluto[11151]: | fc_try_oppo concluding with none
[0]
Sep 17 18:37:28 debian pluto[11151]: | concluding with d = none
Sep 17 18:37:28 debian pluto[11151]: "l2tp-psk-nat"[2] 84.78.198.299:4501
#1: cannot respond to IPsec SA request because no connection is known for
88.185.173.199/32===192.168.0.20:4500[192.168.0.20]:17/1701...84.78.198.299:4501[192.168.1.110]:17/%any===192.168.1.110/32
Sep 17 18:37:28 debian pluto[11151]: "l2tp-psk-nat"[2] 84.78.198.299:4501
#1: sending encrypted notification INVALID_ID_INFORMATION to
84.78.198.299:4501
Sep 17 18:37:28 debian pluto[11151]: | state transition function for
STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
Sep 17 18:37:28 debian pluto[11151]: | next event EVENT_NAT_T_KEEPALIVE in
19 seconds
Sep 17 18:37:31 debian pluto[11151]: |
Sep 17 18:37:31 debian pluto[11151]: | *received 252 bytes from
84.78.198.299:4501 on eth0
Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
Sep 17 18:37:31 debian pluto[11151]: | peer: 54 4e c6 e0
Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
Sep 17 18:37:31 debian pluto[11151]: | state object not found
Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
Sep 17 18:37:31 debian pluto[11151]: | peer: 54 4e c6 e0
Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
Sep 17 18:37:31 debian pluto[11151]: | state object #1 found, in
STATE_MAIN_R3
Sep 17 18:37:31 debian pluto[11151]: "l2tp-psk-nat"[2] 84.78.198.299:4501
#1: Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x767ae29b (perhaps this is a duplicated packet)
Sep 17 18:37:31 debian pluto[11151]: "l2tp-psk-nat"[2] 84.78.198.299:4501
#1: sending encrypted notification INVALID_MESSAGE_ID to 84.78.198.299:4501
Sep 17 18:37:31 debian pluto[11151]: | next event EVENT_NAT_T_KEEPALIVE in
16 seconds
Sep 17 18:37:31 debian pluto[11151]: |
Sep 17 18:37:31 debian pluto[11151]: | *received 84 bytes from
84.78.198.299:4501 on eth0
Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
Sep 17 18:37:31 debian pluto[11151]: | peer: 54 4e c6 e0
Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
Sep 17 18:37:31 debian pluto[11151]: | state object #1 found, in
STATE_MAIN_R3
Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
Sep 17 18:37:31 debian pluto[11151]: | peer: 54 4e c6 e0
Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
Sep 17 18:37:31 debian pluto[11151]: | state object #1 found, in
STATE_MAIN_R3
Sep 17 18:37:31 debian pluto[11151]: "l2tp-psk-nat"[2] 84.78.198.299:4501
#1: received Delete SA payload: deleting ISAKMP State #1
Sep 17 18:37:31 debian pluto[11151]: | ICOOKIE: 96 61 2d 50 c6 46 15 77
Sep 17 18:37:31 debian pluto[11151]: | RCOOKIE: 32 f3 92 fa 6c af 23 86
Sep 17 18:37:31 debian pluto[11151]: | peer: 54 4e c6 e0
Sep 17 18:37:31 debian pluto[11151]: | state hash entry 23
Sep 17 18:37:31 debian pluto[11151]: "l2tp-psk-nat"[2] 84.78.198.299:4501:
deleting connection "l2tp-psk-nat" instance with peer 84.78.198.299
{isakmp=#0/ipsec=#0}
Sep 17 18:37:31 debian pluto[11151]: | certs and keys locked by
'delete_connection'
Sep 17 18:37:31 debian pluto[11151]: | certs and keys unlocked by
'delete_connection'
Sep 17 18:37:31 debian pluto[11151]: | next event EVENT_NAT_T_KEEPALIVE in
16 seconds
Sep 17 18:37:47 debian pluto[11151]: |
Sep 17 18:37:47 debian pluto[11151]: | *time to handle event
So here I am. I really tried the best I can, but I'm running out of ideas
:((( I underlined in the latest log what I think is going wrong, but
although it seems to be a NAT problem, everything is NATed correctly on
the ADSL router: ports 1701, 4500 and 500 in UDP are well NATed to my VPN
server. Any ideas or suggestions will be more than welcome ;)
Thanks a lot in advance for your precious help, and sorry for the amount of
logs, but the higher the debug level of the logs, the easier it is to find
out what is going wrong ;)
Best Regards
Steve
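As an added example (not part of the original post, and not strongSwan code), the following script reads the pluto Quick Mode debug lines quoted above and reports why the selector lookup ended with "no connection is known": it pulls out the client selectors the peer proposed ("looking for"), the selectors pluto had for the instantiated conn ("fc_try ... vs ..."), and the peer host/ID from the final error, then flags the mismatch and whether the proposed client is an RFC 1918 address. The sample log is reconstructed from the post with the syslog prefix dropped; the function names and the wording of the findings are this example's own.

```python
"""Diagnose pluto 'no connection is known' errors from IKEv1 debug logs."""
import ipaddress
import re

# Constructed sample: the Quick Mode lines from the auth.log above with the
# syslog prefix dropped. 84.78.198.299 is the poster's own (obfuscated, not
# parseable) peer address and is kept verbatim.
SAMPLE_LOG = """\
| looking for 88.185.173.199/32:17/1701 -> 192.168.1.110/32:17/53734
| fc_try trying l2tp-psk-nat: 88.185.173.199/32:17/1701 -> 192.168.1.110/32:17/0vs l2tp-psk-nat: 88.185.173.199/32:17/1701 -> 84.78.198.299/32:17/0
| fc_try concluding with none [0]
"l2tp-psk-nat"[2] 84.78.198.299:4501 #1: cannot respond to IPsec SA request because no connection is known for 88.185.173.199/32===192.168.0.20:4500[192.168.0.20]:17/1701...84.78.198.299:4501[192.168.1.110]:17/%any===192.168.1.110/32
"""

SEL = r"(\S+?/\d+):(\d+)/(\d+)"  # addr/prefix:proto/port
LOOKING = re.compile(r"looking for " + SEL + " -> " + SEL)
# "\s*vs" tolerates the missing space that mail line-wrapping produced ("17/0vs").
FC_TRY = re.compile(r"fc_try trying (\S+): " + SEL + " -> " + SEL
                    + r"\s*vs (\S+):\s*" + SEL + " -> " + SEL)
NO_CONN = re.compile(r"no connection is known for (?P<lsub>\S+?)==="
                     r"(?P<lhost>\S+?)\[(?P<lid>[^\]]+)\]:(?P<lpp>\S+?)\.\.\."
                     r"(?P<rhost>\S+?)\[(?P<rid>[^\]]+)\]:(?P<rpp>[^=\s]+)"
                     r"(?:===(?P<rsub>\S+))?")


def classify(cidr):
    """Return 'private', 'public' or 'unparseable' for an addr/prefix string."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return "unparseable"
    return "private" if net.is_private else "public"


def analyse(log_text):
    """Compare the client selectors the peer proposed with what pluto had."""
    rep = {"requested": None, "configured": None, "peer": None, "findings": []}
    for line in log_text.splitlines():
        m = LOOKING.search(line)
        if m:
            rep["requested"] = {"ours": m.group(1), "peer": m.group(4),
                                "peer_port": int(m.group(6))}
            continue
        m = FC_TRY.search(line)
        if m:  # groups 8-14 are the conn's own selectors after "vs"
            rep["configured"] = {"conn": m.group(8), "ours": m.group(9),
                                 "peer": m.group(12)}
            continue
        m = NO_CONN.search(line)
        if m:
            rep["peer"] = {"host": m.group("rhost"), "id": m.group("rid")}
    req, cfg = rep["requested"], rep["configured"]
    if not (req and cfg):
        return rep
    for side in ("ours", "peer"):
        if req[side] != cfg[side]:
            rep["findings"].append("%s: peer proposed %s but conn %s is instantiated for %s"
                                   % (side, req[side], cfg["conn"], cfg[side]))
    if req["peer"] != cfg["peer"] and classify(req["peer"]) == "private":
        rep["findings"].append(
            "proposed peer client %s is RFC 1918 space: the client is behind NAT and "
            "offers its pre-NAT address as Quick Mode ID, which the conn's implicit "
            "rightsubnet (peer host /32) does not cover" % req["peer"])
    if req["peer_port"] != 1701:
        rep["findings"].append("peer uses L2TP source port %d, so rightprotoport must be 17/%%any"
                               % req["peer_port"])
    return rep
```

Run `analyse(SAMPLE_LOG)["findings"]` to see the three findings for the exchange in the post; feeding it a log where the Quick Mode selectors agree yields an empty list.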