[Swan] net-to-net for road warriors

Alex mysqlstudent at gmail.com
Wed Jan 30 02:00:46 UTC 2019


Here is some additional debugging from pluto.log from bwimail03 where
this is failing:

Jan 29 20:36:53.923864: | checking keyid '@arcade' for match with '@arcade'
Jan 29 20:36:53.923867: | key issuer CA is '%any'
Jan 29 20:36:53.923870: | checking keyid '@bwimail03' for match with '@arcade'
Jan 29 20:36:53.923873: "bwimail03-arcade" #5: Signature check (on @arcade) failed (wrong key?); tried *AwEAAfVyj
Jan 29 20:36:53.923902: | public key for @arcade failed: decrypted SIG payload into a malformed ECB (SIG length does not match public key length)
Jan 29 20:36:53.923905: "bwimail03-arcade" #5: RSA authentication failed
Jan 29 20:36:53.923921: | processing: [RE]START state #5 connection "bwimail03-arcade" 107.155.66.2 (in complete_v2_state_transition() at ikev2.c:2788)
Jan 29 20:36:53.923924: | #5 complete v2 state transition from STATE_PARENT_I2 with STF_FATAL
Jan 29 20:36:53.923951: | release_pending_whacks: state #5 fd at 23 .st_dev=9 .st_ino=7497694

It's also interesting to note that on the remote system (arcade), it
seems to think the link is up:

000 #5: "bwimail03-arcade":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 1940s; idle;
000 #6: "bwimail03-arcade":500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REPLACE in 27140s; isakmp#5; idle;
000 #6: "bwimail03-arcade" esp.de22359c at 68.195.193.45 esp.bd86275f at 107.155.66.2 tun.0 at 68.195.193.45 tun.0 at 107.155.66.2 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #7: "bwimail03-arcade":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 1988s; newest ISAKMP; idle;
000 #8: "bwimail03-arcade":500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REPLACE in 27188s; newest IPSEC; eroute owner; isakmp#7; idle;
000 #8: "bwimail03-arcade" esp.321a0715 at 68.195.193.45 esp.29858b1b at 107.155.66.2 tun.0 at 68.195.193.45 tun.0 at 107.155.66.2 ref=0 refhim=0 Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
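
An added example (not part of the original message and not libreswan code): a small Python parser for the pluto.log lines quoted above that reports, for each "RSA authentication failed" event, which key IDs pluto checked, which of them matched the peer ID, and the logged failure reason. The regular expressions and the function name summarize_auth_failures are assumptions based only on the line shapes shown in this message.

```python
import re

# Sample input: the pluto.log lines quoted in the message, mail line-wrapping undone.
SAMPLE_LOG = """\
Jan 29 20:36:53.923864: | checking keyid '@arcade' for match with '@arcade'
Jan 29 20:36:53.923867: | key issuer CA is '%any'
Jan 29 20:36:53.923870: | checking keyid '@bwimail03' for match with '@arcade'
Jan 29 20:36:53.923873: "bwimail03-arcade" #5: Signature check (on @arcade) failed (wrong key?); tried *AwEAAfVyj
Jan 29 20:36:53.923902: | public key for @arcade failed: decrypted SIG payload into a malformed ECB (SIG length does not match public key length)
Jan 29 20:36:53.923905: "bwimail03-arcade" #5: RSA authentication failed
"""

# Patterns are assumptions derived from the lines above, not from libreswan source.
KEYID = re.compile(r"\| checking keyid '([^']+)' for match with '([^']+)'")
SIGFAIL = re.compile(r'"([^"]+)" #(\d+): Signature check \(on ([^)]+)\) failed .*tried (\S+)')
REASON = re.compile(r"\| public key for (\S+) failed: (.+)$")
AUTHFAIL = re.compile(r'"([^"]+)" #(\d+): RSA authentication failed')

def summarize_auth_failures(log_text):
    """Return one record per 'RSA authentication failed' line in log_text."""
    records, checked, pending = [], [], {}
    for line in log_text.splitlines():
        if m := KEYID.search(line):
            # (key ID on file, peer ID it is being compared against)
            checked.append((m.group(1), m.group(2)))
        elif m := SIGFAIL.search(line):
            pending.update(peer_id=m.group(3), tried=m.group(4))
        elif m := REASON.search(line):
            pending["reason"] = m.group(2)
        elif m := AUTHFAIL.search(line):
            records.append({
                "connection": m.group(1),
                "state": int(m.group(2)),
                "peer_id": pending.get("peer_id"),
                "keyids_seen": [k for k, _ in checked],
                "keyids_matching_peer": [k for k, want in checked if k == want],
                "tried_key": pending.get("tried"),
                "reason": pending.get("reason"),
            })
            checked, pending = [], {}  # start fresh for the next attempt
    return records

if __name__ == "__main__":
    for rec in summarize_auth_failures(SAMPLE_LOG):
        print(rec)
```

An empty keyids_matching_peer would mean no key is on file under the peer's ID; in the quoted log a key for '@arcade' is on file and was tried, so the record points at the key material stored for that ID.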

