[Swan] L2TP/IPsec with certificates: INVALID_KEY_INFORMATION

Paul Wouters paul at nohats.ca
Thu Apr 28 00:07:21 UTC 2016


On Wed, 27 Apr 2016, Sergio Belkin wrote:

> I've successfully imported everything as you explained, now I have the following issue:

> abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: our client subnet returned doesn't match my proposal -
> us:192.168.40.21/32 vs them:192.0.2.65/32
> abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
> abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: peer client subnet returned doesn't match my proposal -
> us:190.226.58.236/32 vs them:172.16.100.2/32
> abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
> abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: cannot route template policy of
> RSASIG+ENCRYPT+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW
> abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: discarding duplicate packet; already STATE_QUICK_I1

Yuck, looks like a Microsoft remote server. It is a little odd that we
detect the bogus Microsoft proposal, yet cannot continue. I assume
you have auto=add (or auto=start if you don't have one-time passwords)
and not auto=route?

A full log with plutodebug=all might help me to see what's going on. Can
you mail me that offlist?

Paul

