[Swan] L2TP/IPsec with certificates: INVALID_KEY_INFORMATION

Sergio Belkin sebelk at gmail.com
Fri Apr 29 20:04:34 UTC 2016


Please could you tell me if the following message is an error or a warning:

we require IKEv1 peer to have ID '190.0.2.236', but peer declares 'CN=
vpn.example.com'

Thanks in advance


2016-04-27 21:07 GMT-03:00 Paul Wouters <paul at nohats.ca>:

> On Wed, 27 Apr 2016, Sergio Belkin wrote:
>
>> I've successfully imported everything as you explained, now I have the
>> following issue:
>>
>> abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: our
>> client subnet returned doesn't match my proposal -
>> us:192.168.40.21/32 vs them:192.0.2.65/32
>> abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2:
>> Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
>> abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: peer
>> client subnet returned doesn't match my proposal -
>> us:190.226.58.236/32 vs them:172.16.100.2/32
>> abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2:
>> Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
>> abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2:
>> cannot route template policy of
>>
>> RSASIG+ENCRYPT+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW
>> abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2:
>> discarding duplicate packet; already STATE_QUICK_I1
>>
>
> Yuck, looks like a Microsoft remote server. It is a little odd that we
> detect the bogus Microsoft proposal, yet cannot continue. I assume
> you have auto=add (or auto=start if you don't have one-time passwords)
> and not auto=route?
>
> A full log with plutodebug=all might help me to see what's going on. Can
> you mail me that offlist?
>
> Paul
>



-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org