[Swan] L2TP/IPsec with certificates: INVALID_KEY_INFORMATION

Sergio Belkin sebelk at gmail.com
Fri Apr 29 20:43:42 UTC 2016


2016-04-29 17:18 GMT-03:00 Paul Wouters <paul at nohats.ca>:

> An error. You need to fix the ID either on the server or the client(s)


Ok, I have now:



conn windows
        type=transport
        nat_traversal=yes
        forceencaps=yes
        authby=rsasig
        pfs=no
        rekey=no
        keyingtries=3
        narrowing=yes
        left=192.168.80.250
        leftprotoport=udp/l2tp
        leftcert=hope.belkin.home
        leftid=hope.belkin.home
        leftsendcert=always
        right=vpn.example.com.ar
        rightsubnet=vhost:%no,%priv
        rightid="CN=vpn.example.com.ar"
        rightprotoport=udp/%any
        auto=add

Now it renders:

abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: our client
subnet returned doesn't match my proposal - us:192.168.80.250/32 vs
them:INITIATOR_WAN_IP_ADDRESS/32
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: Allowing
questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: peer client
subnet returned doesn't match my proposal - us:SERVER_WAN_IP_ADDRESS/32 vs
them:172.16.100.2/32
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: Allowing
questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3:
STATE_QUICK_I2: sent QI2, IPsec SA established transport mode
{ESP/NAT=>0x286adb70 <0xec3e0118 xfrm=AES_128-HMAC_SHA1
NATOA=INITIATOR_WAN_IP_ADDRESS NATD=SERVER_WAN_IP_ADDRESS:4500 DPD=passive}
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: message
ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: sending
encrypted notification INVALID_PAYLOAD_TYPE to SERVER_WAN_IP_ADDRESS:4500
abr 29 17:34:54 hope.belkin.home pluto[27935]: "windows" #2: deleting state
#2 (STATE_QUICK_I2)
abr 29 17:34:54 hope.belkin.home pluto[27935]: "windows" #2: ESP traffic
information: in=0B out=0B

ipsec status output:

000 "windows":     oriented; my_ip=unset; their_ip=unset;
mycert=hope.belkin.home
000 "windows":   xauth us:none, xauth them:none,  my_username=[any];
their_username=[any]
000 "windows":   modecfg info: us:none, them:none, modecfg policy:push,
dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "windows":   labeled_ipsec:no;
000 "windows":   policy_label:unset;
000 "windows":   CAs: 'DC=ar, DC=com, DC=vfc, CN=vfc-MS00009-CA'...'%any'
000 "windows":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "windows":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "windows":   sha2_truncbug:no; initial_contact:no; cisco_unity:no;
fake_strongswan:no; send_vendorid:no;
000 "windows":   policy:
RSASIG+ENCRYPT+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "windows":   conn_prio: 32,32; interface: wlp7s0; metric: 0; mtu:
unset; sa_prio:auto; nflog-group: unset; mark: unset;
000 "windows":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "windows":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "windows":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 3, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE
connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
@


End of Output

Important: Both ends are behind NAT!

Thanks in advance!

-- 
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
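As an added example, not part of this thread and not libreswan's own code, here is a small Python script that does what a reader diagnosing this post would do by hand: it parses the conn block, flags ID settings whose kinds differ (a heuristic classification of leftid/rightid into DN, FQDN, IP; this is my own check, not libreswan's ID parser), and tallies the pluto messages that matter for the exchange: the proposal mismatches that were waved through under ALLOW_MICROSOFT_BAD_PROPOSAL, the unexpected ISAKMP_NEXT_HASH payload, the INVALID_PAYLOAD_TYPE notification, and the SA that was deleted with no traffic. The log lines are the ones quoted above, re-joined onto single lines, with the WAN placeholders kept as in the post.

```python
"""Sanity checks for a libreswan conn block and its pluto log (added example)."""
import re

# Constructed sample input: the conn block from the thread, trimmed to the
# settings this check cares about.
CONN_TEXT = """
conn windows
        type=transport
        nat_traversal=yes
        forceencaps=yes
        authby=rsasig
        left=192.168.80.250
        leftcert=hope.belkin.home
        leftid=hope.belkin.home
        leftsendcert=always
        right=vpn.example.com.ar
        rightid="CN=vpn.example.com.ar"
        auto=add
"""

# Constructed sample input: the pluto lines from the thread, one event per line.
LOG_LINES = [
    'abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: our client subnet returned doesn\'t match my proposal - us:192.168.80.250/32 vs them:INITIATOR_WAN_IP_ADDRESS/32',
    'abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]',
    'abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: peer client subnet returned doesn\'t match my proposal - us:SERVER_WAN_IP_ADDRESS/32 vs them:172.16.100.2/32',
    'abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]',
    'abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0x286adb70 <0xec3e0118 xfrm=AES_128-HMAC_SHA1 NATOA=INITIATOR_WAN_IP_ADDRESS NATD=SERVER_WAN_IP_ADDRESS:4500 DPD=passive}',
    'abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)',
    'abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: sending encrypted notification INVALID_PAYLOAD_TYPE to SERVER_WAN_IP_ADDRESS:4500',
    'abr 29 17:34:54 hope.belkin.home pluto[27935]: "windows" #2: ESP traffic information: in=0B out=0B',
]


def parse_conn(text):
    """Return {conn_name: {key: value}} for each 'conn' section in an ipsec.conf fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns


def id_kind(value):
    """Heuristic ID classification (not libreswan's parser): dn, ip, fqdn or other."""
    if re.match(r"^[A-Za-z]+=", value):
        return "dn"
    if re.match(r"^\d{1,3}(\.\d{1,3}){3}$", value):
        return "ip"
    if re.match(r"^@?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$", value):
        return "fqdn"
    return "other"


def check_ids(conn):
    """Flag ID settings of differing kinds, the usual cause of the ID mismatch in the thread."""
    findings = []
    left, right = conn.get("leftid"), conn.get("rightid")
    if left is None or right is None:
        findings.append("set both leftid and rightid explicitly with authby=rsasig")
    else:
        lk, rk = id_kind(left), id_kind(right)
        if lk != rk:
            findings.append(f"leftid is {lk} ({left}) but rightid is {rk} ({right}); "
                            "each side's ID must match what the peer's certificate and ID payload carry")
    if conn.get("authby") == "rsasig" and "leftcert" not in conn:
        findings.append("authby=rsasig but no leftcert configured")
    return findings


# Message patterns worth counting when reading a failed L2TP/IPsec negotiation.
PATTERNS = {
    "proposal_mismatch": re.compile(r"subnet returned doesn't match my proposal - us:(\S+) vs them:(\S+)"),
    "bad_proposal_allowed": re.compile(r"\[ALLOW_MICROSOFT_BAD_PROPOSAL\]"),
    "unexpected_payload": re.compile(r"unexpected payload type \((\w+)\)"),
    "notify_sent": re.compile(r"sending encrypted notification (\w+) to (\S+)"),
    "sa_established": re.compile(r"IPsec SA established (\w+) mode"),
    "no_traffic": re.compile(r"ESP traffic information: in=0B out=0B"),
}
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')


def scan_log(lines):
    """Return (conn, sa_number, event_name, captured_groups) for each recognised line."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        for name, pat in PATTERNS.items():
            pm = pat.search(m["msg"])
            if pm:
                events.append((m["conn"], int(m["sa"]), name, pm.groups()))
    return events


def summarize(events):
    """Count events by name so the shape of the failure is visible at a glance."""
    counts = {}
    for _, _, name, _ in events:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    conns = parse_conn(CONN_TEXT)
    for name, conn in conns.items():
        for finding in check_ids(conn):
            print(f"conn {name}: {finding}")
    for conn, sa, name, groups in scan_log(LOG_LINES):
        print(f'"{conn}" #{sa}: {name} {groups}')
    print(summarize(scan_log(LOG_LINES)))
```

Run it against a real ipsec.conf and `journalctl -u ipsec` output by replacing the two constructed samples; the summary makes it obvious that the Phase 2 SA came up (sa_established) but immediately hit an unexpected HASH payload, answered with INVALID_PAYLOAD_TYPE, and was torn down without carrying any ESP traffic.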