[Swan] L2TP/IPsec with certificates: INVALID_KEY_INFORMATION

Paul Wouters paul at nohats.ca
Sat Apr 30 16:30:24 UTC 2016


On Fri, 29 Apr 2016, Sergio Belkin wrote:

> conn windows
>         type=transport
>         nat_traversal=yes
>         forceencaps=yes
>         authby=rsasig
>         pfs=no
>         rekey=no
>         keyingtries=3
>         narrowing=yes
>         left=192.168.80.250
>         leftprotoport=udp/l2tp
>         leftcert=hope.belkin.home
>         leftid=hope.belkin.home
>         leftsendcert=always
>         right=vpn.example.com.ar
>         rightsubnet=vhost:%no,%priv
>         rightid="CN=vpn.example.com.ar"
>         rightprotoport=udp/%any
>         auto=add

Remove narrowing=yes and keyingtries=3
Change left= to be left=%defaultroute
Change rightprotoport=udp/%any to rightprotoport=udp/l2tp
Remove rightsubnet=vhost:%no,%priv as that is a server-only option

> abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: our client subnet returned doesn't match my proposal - us:192.168.80.250/32 vs them:INITIATOR_WAN_IP_ADDRESS/32
> abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
> abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: peer client subnet returned doesn't match my proposal - us:SERVER_WAN_IP_ADDRESS/32 vs them:172.16.100.2/32
> abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
> abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0x286adb70 <0xec3e0118 xfrm=AES_128-HMAC_SHA1 NATOA=INITIATOR_WAN_IP_ADDRESS NATD=SERVER_WAN_IP_ADDRESS:4500 DPD=passive}
> abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
> abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: sending encrypted notification INVALID_PAYLOAD_TYPE to SERVER_WAN_IP_ADDRESS:4500
> abr 29 17:34:54 hope.belkin.home pluto[27935]: "windows" #2: deleting state #2 (STATE_QUICK_I2)
> abr 29 17:34:54 hope.belkin.home pluto[27935]: "windows" #2: ESP traffic information: in=0B out=0B

I kinda forgot how to properly deal with the bad Windows server
proposal; you can also try to add rightsubnet=172.16.100.2/32

If you get anything that works, please let us know so we can add it to
our wiki's example configs.

Paul
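An added example, not part of this thread or of libreswan itself: a small Python classifier for the pluto log lines quoted above. It parses the pluto syslog format, tags the messages that matter here (proposal mismatch, ALLOW_MICROSOFT_BAD_PROPOSAL, SA established, unexpected payload, notification sent, zero ESP traffic) and reports, per connection, whether an IPsec SA came up but never carried traffic, which is the symptom in the post. The sample log is a copy of the quoted lines with the poster's placeholder addresses left in.

```python
import re

# A pluto (libreswan IKE daemon) syslog line, as quoted in the post:
#   <mon> <day> <hh:mm:ss> <host> pluto[<pid>]: "<conn>" #<sa>: <message>
PLUTO_RE = re.compile(r'^\S+ +\d+ +[\d:]+ +\S+ +pluto\[\d+\]: +"(?P<conn>[^"]+)" +#(?P<sa>\d+): +(?P<msg>.*)$')

# Message fragments that matter when an L2TP/IPsec negotiation stalls.
FINDINGS = [
    ("bad_proposal", r"subnet returned doesn't match my proposal - us:(\S+) vs them:(\S+)"),
    ("bad_proposal_allowed", r"\[ALLOW_MICROSOFT_BAD_PROPOSAL\]"),
    ("sa_established", r"IPsec SA established (\w+) mode"),
    ("unexpected_payload", r"unexpected payload type \((\w+)\)"),
    ("notify_sent", r"sending encrypted notification (\w+) to"),
    ("no_traffic", r"ESP traffic information: in=0B out=0B"),
]

def classify(lines):
    """Yield (conn, sa, finding, captured groups) for every pluto line matching a FINDINGS pattern."""
    for line in lines:
        rec = PLUTO_RE.match(line.strip())
        if not rec:
            continue  # not a pluto line (other daemons, blank lines)
        for name, pat in FINDINGS:
            m = re.search(pat, rec["msg"])
            if m:
                yield rec["conn"], int(rec["sa"]), name, m.groups()

def diagnose(lines):
    """Per connection: symptoms seen, proposal mismatches, and whether an SA came up yet carried no traffic."""
    report = {}
    for conn, sa, name, groups in classify(lines):
        entry = report.setdefault(conn, {"findings": set(), "mismatches": []})
        entry["findings"].add(name)
        if name == "bad_proposal":
            entry["mismatches"].append({"us": groups[0], "them": groups[1]})
    for entry in report.values():
        # The post's symptom: Quick Mode completes, the peer's next message is rejected, the SA dies idle.
        entry["sa_up_but_dead"] = {"sa_established", "no_traffic"} <= entry["findings"]
    return report

# Constructed sample: the pluto lines quoted in the post, placeholder addresses included.
SAMPLE_LOG = """\
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: our client subnet returned doesn't match my proposal - us:192.168.80.250/32 vs them:INITIATOR_WAN_IP_ADDRESS/32
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0x286adb70 <0xec3e0118 xfrm=AES_128-HMAC_SHA1 NATOA=INITIATOR_WAN_IP_ADDRESS NATD=SERVER_WAN_IP_ADDRESS:4500 DPD=passive}
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: sending encrypted notification INVALID_PAYLOAD_TYPE to SERVER_WAN_IP_ADDRESS:4500
abr 29 17:34:54 hope.belkin.home pluto[27935]: "windows" #2: ESP traffic information: in=0B out=0B
""".splitlines()
```

Run `diagnose(SAMPLE_LOG)` against a full journal or /var/log/secure extract to see which conn names show the "SA up but no traffic" pattern before editing ipsec.conf.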

