[Swan] Swan Digest, Vol 3, Issue 34

Pavel Kopchyk pkopchyk at gmail.com
Mon Mar 25 14:12:41 EET 2013


If plutodebug=none, the log looks like:

*** CERT

pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload [MS
NT5 ISAKMPOAKLEY 00000008]
pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload [RFC 3947]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
[FRAGMENTATION]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[MS-Negotiation Discovery Capable]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[Vid-Initial-Contact]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload [IKE
CGA version 1]
pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: responding to Main Mode from
unknown peer 12.X.X.X
pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: OAKLEY_GROUP 20 not
supported.  Attribute OAKLEY_GROUP_DESCRIPTION
pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: OAKLEY_GROUP 19 not
supported.  Attribute OAKLEY_GROUP_DESCRIPTION
pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: NAT-Traversal: Result using
RFC 3947 (NAT-Traversal): peer is NATed
pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: Main mode peer ID is ID_DER_ASN1_DN: ''
pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: no crl from issuer "" found (strict=no)
pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: switched from "L2TP-CERT" to
"L2TP-CERT"
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: deleting connection
"L2TP-CERT" instance with peer 12.X.X.X {isakmp=#0/ipsec=#0}
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: I am sending my cert
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: new NAT mapping for #1, was
12.X.X.X:500, now 12.X.X.X:4500
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: STATE_MAIN_R3: sent MR3,
ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256
prf=oakley_sha group=modp2048}
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: Dead Peer Detection (RFC
3706): not enabled because peer did not advertise it
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: the peer proposed:
12.X.X.Y/32:17/1701 -> 172.16.2.7/32:17/0
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: NAT-Traversal: received 2
NAT-OA. using first, ignoring others
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2: responding to Quick Mode
proposal {msgid:01000000}
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2:     us:
12.X.X.Y<12.X.X.Y>[@localhost.asstra.pl]:17/1701
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2:   them:
12.X.X.X[]:17/1701===172.16.2.7/32
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2: STATE_QUICK_R1: sent QR1,
inbound IPsec SA installed, expecting QI2
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2: Dead Peer Detection (RFC
3706): not enabled because peer did not advertise it
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2: STATE_QUICK_R2: IPsec SA
established transport mode {ESP=>0x00b28def <0x39238e1d
xfrm=AES_128-HMAC_SHA1 NATOA=172.16.2.7 NATD=12.X.X.X:4500 DPD=none}

*** PSK

pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload [RFC 3947]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-08]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-07]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-06]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-05]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-04]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
[FRAGMENTATION 80000000]
pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
[Dead Peer Detection]
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: responding to Main Mode from
unknown peer 12.X.X.X
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: no acceptable Oakley Transform
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: sending notification
NO_PROPOSAL_CHOSEN to 12.X.X.X:500
pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload [RFC 3947]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-08]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-07]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-06]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-05]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-04]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
[FRAGMENTATION 80000000]
pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
[Dead Peer Detection]
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: responding to Main Mode from
unknown peer 12.X.X.X
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: no acceptable Oakley Transform
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: sending notification
NO_PROPOSAL_CHOSEN to 12.X.X.X:500
pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload [RFC 3947]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-08]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-07]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-06]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-05]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-04]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
[FRAGMENTATION 80000000]
pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
[Dead Peer Detection]
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: responding to Main Mode from
unknown peer 12.X.X.X
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: no acceptable Oakley Transform
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: sending notification
NO_PROPOSAL_CHOSEN to 12.X.X.X:500
pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload [RFC 3947]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-08]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-07]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-06]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-05]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-04]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02]
pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
[FRAGMENTATION 80000000]
pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
[Dead Peer Detection]
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: responding to Main Mode from
unknown peer 12.X.X.X
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute
OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: no acceptable Oakley Transform
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: sending notification
NO_PROPOSAL_CHOSEN to 12.X.X.X:500

Pavel


> Hi,
>
> I configure two connections (L2TP-CERT and L2TP-PSK) with different
> types of authby - rsasig and secret.
>
> After the client connects with a certificate, a second client with the
> PSK can not connect.
> Pluto tries to authorize a second client as the first (with a certificate).
>
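As an added illustration (not code from the thread or from Libreswan itself), a small Python triage script that reads pluto log lines like the ones above and reports each Main Mode attempt that was matched to a connection instance whose policy rejects the proposed authentication method, together with the method that same instance has already established. The sample lines are constructed from the thread's log, with RFC 5737 documentation addresses standing in for the masked 12.X.X.X.

```python
import re

# Constructed sample lines modelled on the thread's log (192.0.2.10 stands in for 12.X.X.X).
SAMPLE_LOG = """\
pluto[5230]: "L2TP-CERT"[2] 192.0.2.10 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
pluto[5230]: packet from 192.0.2.10:500: received Vendor ID payload [Dead Peer Detection]
pluto[5230]: "L2TP-CERT"[2] 192.0.2.10 #3: responding to Main Mode from unknown peer 192.0.2.10
pluto[5230]: "L2TP-CERT"[2] 192.0.2.10 #3: policy does not allow OAKLEY_PRESHARED_KEY authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 192.0.2.10 #3: no acceptable Oakley Transform
pluto[5230]: "L2TP-CERT"[2] 192.0.2.10 #3: sending notification NO_PROPOSAL_CHOSEN to 192.0.2.10:500
pluto[5230]: "L2TP-CERT"[2] 192.0.2.10 #4: responding to Main Mode from unknown peer 192.0.2.10
pluto[5230]: "L2TP-CERT"[2] 192.0.2.10 #4: policy does not allow OAKLEY_PRESHARED_KEY authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 192.0.2.10 #4: sending notification NO_PROPOSAL_CHOSEN to 192.0.2.10:500
"""

# State-object lines look like: "<conn>"[<instance>] <peer> #<sa>: <message>
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? '
                     r'(?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')
REJECT_RE = re.compile(r'policy does not allow (?P<auth>OAKLEY_\w+) authentication')
ESTAB_RE = re.compile(r'ISAKMP SA established \{auth=(?P<auth>OAKLEY_\w+)')

def parse_states(log_text):
    """Per (conn, instance, peer, #sa): which auth was established or rejected."""
    states = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue  # "packet from ..." lines carry no state object
        key = (m['conn'], m['inst'], m['peer'], int(m['sa']))
        st = states.setdefault(key, {'established': None, 'rejected': set(),
                                     'no_proposal': False})
        if (r := REJECT_RE.search(m['msg'])):
            st['rejected'].add(r['auth'])
        if (e := ESTAB_RE.search(m['msg'])):
            st['established'] = e['auth']
        if 'NO_PROPOSAL_CHOSEN' in m['msg']:
            st['no_proposal'] = True
    return states

def find_authby_mismatches(log_text):
    """Attempts rejected for their auth method, with the auth the matched instance already holds."""
    states = parse_states(log_text)
    instance_auth = {k[:3]: st['established']
                     for k, st in states.items() if st['established']}
    findings = []
    for (conn, inst, peer, sa), st in sorted(states.items()):
        if st['rejected'] and st['no_proposal']:
            findings.append({'conn': conn, 'instance': inst, 'peer': peer, 'sa': sa,
                             'rejected': sorted(st['rejected']),
                             'instance_auth': instance_auth.get((conn, inst, peer))})
    return findings
```

Run against the thread's own log this reports #3 through #6 all matched to "L2TP-CERT"[2], which already holds an OAKLEY_RSA_SIG ISAKMP SA, which is exactly the symptom the original poster describes.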

