[Swan] Swan Digest, Vol 3, Issue 34

Philippe Vouters philippe.vouters at laposte.net
Mon Mar 25 14:32:40 EET 2013


Dear Pavel,

I seem to recollect I got such messages with Shrew VPN client + Libreswan 
when Shrew selects Hybrid mode (either RSA or PSK). Hybrid mode is not 
yet supported by Libreswan. This feature is among the things which remain to 
be worked upon. However, Shrew selecting Mutual mode (either RSA or PSK) 
has so far given me excellent results.

In the hope this can help you.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

Le 25/03/2013 13:12, Pavel Kopchyk a écrit :
> If plutodebug=none, the log looks like:
>
> *** CERT
>
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload [MS
> NT5 ISAKMPOAKLEY 00000008]
> pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload [RFC 3947]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n]
> pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
> [FRAGMENTATION]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [MS-Negotiation Discovery Capable]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [Vid-Initial-Contact]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload [IKE
> CGA version 1]
> pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: responding to Main Mode from
> unknown peer 12.X.X.X
> pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: OAKLEY_GROUP 20 not
> supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: OAKLEY_GROUP 19 not
> supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: transition from state
> STATE_MAIN_R0 to state STATE_MAIN_R1
> pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: STATE_MAIN_R1: sent MR1, expecting MI2
> pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: NAT-Traversal: Result using
> RFC 3947 (NAT-Traversal): peer is NATed
> pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
> pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: STATE_MAIN_R2: sent MR2, expecting MI3
> pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: Main mode peer ID is ID_DER_ASN1_DN: ''
> pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: no crl from issuer "" found (strict=no)
> pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: switched from "L2TP-CERT" to
> "L2TP-CERT"
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: deleting connection
> "L2TP-CERT" instance with peer 12.X.X.X {isakmp=#0/ipsec=#0}
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: I am sending my cert
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: transition from state
> STATE_MAIN_R2 to state STATE_MAIN_R3
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: new NAT mapping for #1, was
> 12.X.X.X:500, now 12.X.X.X:4500
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: STATE_MAIN_R3: sent MR3,
> ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256
> prf=oakley_sha group=modp2048}
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: Dead Peer Detection (RFC
> 3706): not enabled because peer did not advertise it
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: the peer proposed:
> 12.X.X.Y/32:17/1701 -> 172.16.2.7/32:17/0
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: NAT-Traversal: received 2
> NAT-OA. using first, ignoring others
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2: responding to Quick Mode
> proposal {msgid:01000000}
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2:     us:
> 12.X.X.Y<12.X.X.Y>[@localhost.asstra.pl]:17/1701
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2:   them:
> 12.X.X.X[]:17/1701===172.16.2.7/32
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2: transition from state
> STATE_QUICK_R0 to state STATE_QUICK_R1
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2: STATE_QUICK_R1: sent QR1,
> inbound IPsec SA installed, expecting QI2
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2: Dead Peer Detection (RFC
> 3706): not enabled because peer did not advertise it
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2: transition from state
> STATE_QUICK_R1 to state STATE_QUICK_R2
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #2: STATE_QUICK_R2: IPsec SA
> established transport mode {ESP=>0x00b28def <0x39238e1d
> xfrm=AES_128-HMAC_SHA1 NATOA=172.16.2.7 NATD=12.X.X.X:4500 DPD=none}
>
> *** PSK
>
> pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload [RFC 3947]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-08]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-07]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-06]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-05]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-04]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n]
> pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
> [FRAGMENTATION 80000000]
> pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
> [Dead Peer Detection]
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: responding to Main Mode from
> unknown peer 12.X.X.X
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: no acceptable Oakley Transform
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: sending notification
> NO_PROPOSAL_CHOSEN to 12.X.X.X:500
> pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload [RFC 3947]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-08]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-07]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-06]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-05]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-04]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n]
> pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
> [FRAGMENTATION 80000000]
> pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
> [Dead Peer Detection]
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: responding to Main Mode from
> unknown peer 12.X.X.X
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: no acceptable Oakley Transform
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #4: sending notification
> NO_PROPOSAL_CHOSEN to 12.X.X.X:500
> pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload [RFC 3947]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-08]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-07]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-06]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-05]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-04]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n]
> pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
> [FRAGMENTATION 80000000]
> pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
> [Dead Peer Detection]
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: responding to Main Mode from
> unknown peer 12.X.X.X
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: no acceptable Oakley Transform
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #5: sending notification
> NO_PROPOSAL_CHOSEN to 12.X.X.X:500
> pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload [RFC 3947]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-08]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-07]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-06]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-05]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-04]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02]
> pluto[5230]: packet from 12.X.X.X:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n]
> pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
> [FRAGMENTATION 80000000]
> pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload
> [Dead Peer Detection]
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: responding to Main Mode from
> unknown peer 12.X.X.X
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: policy does not allow
> OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: no acceptable Oakley Transform
> pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #6: sending notification
> NO_PROPOSAL_CHOSEN to 12.X.X.X:500
>
> Pavel
>
>
>> Hi,
>>
>> I configure two connections (L2TP-CERT and L2TP-PSK) with different
>> types of authby - rsasig and secret.
>>
>> After the client connects with a certificate, a second client with the
>> PSK cannot connect.
>> Pluto tries to authorize the second client as the first (with a certificate).
>>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
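To triage the failure Pavel's log shows, here is an added Python helper (not from the thread and not Libreswan's own code) that groups pluto lines by ISAKMP state number and reports negotiations that ended in NO_PROPOSAL_CHOSEN after the matched connection's policy refused the peer's authentication method. The embedded sample is excerpted from the quoted log, with each record re-joined onto a single line because the e-mail wrapped them.

```python
import re
from collections import OrderedDict

# Per-state pluto lines look like: pluto[pid]: "conn"[inst] peer #state: message
STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
                      r'(?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
REJECT_RE = re.compile(r"policy does not allow (?P<auth>\w+) authentication")
ESTAB_RE = re.compile(r"ISAKMP SA established \{auth=(?P<auth>\w+)")
NOTIFY_RE = re.compile(r"sending notification (?P<notify>\w+) to")

def parse_pluto(lines):
    """Group pluto log lines by ISAKMP state number (#N) and record how each ended."""
    states = OrderedDict()
    for line in lines:
        m = STATE_RE.search(line)
        if not m:
            continue  # "packet from ..." Vendor ID lines carry no state number
        key = int(m.group("state"))
        rec = states.setdefault(key, {"state": key, "rejected_auth": [],
                                      "auth": None, "outcome": "incomplete"})
        # pluto may switch instances mid-negotiation ([1] -> [2]); keep the last one
        rec["conn"], rec["peer"] = m.group("conn"), m.group("peer")
        rec["instance"] = int(m.group("inst"))
        msg = m.group("msg")
        if r := REJECT_RE.search(msg):
            rec["rejected_auth"].append(r.group("auth"))
        if e := ESTAB_RE.search(msg):
            rec["auth"], rec["outcome"] = e.group("auth"), "established"
        if n := NOTIFY_RE.search(msg):
            rec["outcome"] = n.group("notify")
    return list(states.values())

def auth_mismatches(records):
    """States refused with NO_PROPOSAL_CHOSEN after the matched connection's policy
    rejected the peer's authentication method: the symptom in the thread above."""
    return [{"state": r["state"], "peer": r["peer"],
             "matched": f'{r["conn"]}[{r["instance"]}]',
             "peer_auth": sorted(set(r["rejected_auth"]))}
            for r in records
            if r["outcome"] == "NO_PROPOSAL_CHOSEN" and r["rejected_auth"]]

# Excerpt of the quoted log, re-joined onto single lines (the e-mail wrapped them).
SAMPLE_LOG = """\
pluto[5230]: packet from 12.X.X.X:500: received Vendor ID payload [RFC 3947]
pluto[5230]: "L2TP-CERT"[1] 12.X.X.X #1: responding to Main Mode from unknown peer 12.X.X.X
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: responding to Main Mode from unknown peer 12.X.X.X
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: policy does not allow OAKLEY_PRESHARED_KEY authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: no acceptable Oakley Transform
pluto[5230]: "L2TP-CERT"[2] 12.X.X.X #3: sending notification NO_PROPOSAL_CHOSEN to 12.X.X.X:500
"""
```

Running `auth_mismatches(parse_pluto(SAMPLE_LOG.splitlines()))` reports state #3 from 12.X.X.X matched to `L2TP-CERT[2]` while the peer offered only OAKLEY_PRESHARED_KEY, which is the mismatch to look at when a PSK client lands on a certificate-only connection instance.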