<div dir="ltr">Hi, libreswan community!<br><div><br>I'm trying to configure an L2TP/IPsec client on CentOS 7. The packages are:<br><br>- libreswan-3.15-5<br>- xl2tpd-1.3.6-8<br><br>The server is MS Windows.<br><br>I cannot bring up the VPN.<br><br>The errors are as follows:<br><br> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec<br> Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)<br> Active: active (running) since mar 2016-04-26 10:29:13 ART; 7min ago<br> Process: 11269 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)<br> Process: 11267 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)<br> Process: 11265 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)<br> Process: 11260 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)<br> Process: 11523 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)<br> Process: 11521 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)<br> Process: 11277 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)<br> Process: 11275 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)<br> Main PID: 11534 (pluto)<br> CGroup: /system.slice/ipsec.service<br> ├─11534 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork<br> └─11563 _pluto_adns<br> <br> abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<br> abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br> abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT+peer behind NAT<br> abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: I am sending my cert<br> abr 26 10:29:22 
initiator.example.local pluto[11534]: "windows" #1: I am sending a certificate request<br> abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<br> abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br> abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=<a href="http://server.example.com">server.example.com</a>'<br> abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: no RSA public key known for 'CN=<a href="http://server.example.com">server.example.com</a>'<br> abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: sending encrypted notification INVALID_KEY_INFORMATION to <a href="http://190.0.2.236:4500">190.0.2.236:4500</a><br><br>The IPsec settings are:<br><br> conn windows<br> type=transport<br> authby=rsasig<br> #leftrsasigkey=%cert<br> #rightrsasigkey=%dnsondemand<br> pfs=no<br> rekey=no<br> keyingtries=3<br> narrowing=yes<br> left=192.168.40.21<br> leftprotoport=udp/l2tp<br> leftcert=le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9<br> #leftid=le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9<br> right=192.0.2.236<br> rightid="CN=<a href="http://server.example.com">server.example.com</a>"<br> #rightid=@<a href="http://server.example.com">server.example.com</a><br> #rightrsasigkey=%cert<br> #rightca=%same<br> #right=<a href="http://server.example.com">server.example.com</a><br> rightprotoport=udp/%any<br> auto=start<br><br><br>Certificates list:<br><br>certutil -L -d sql:/etc/ipsec.d/<br><br> Certificate Nickname Trust Attributes<br> SSL,S/MIME,JAR/XPI<br> <br> le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9 u,u,u<br><br><br>What is wrong with this configuration?<br><br><br clear="all"></div><div>Thanks in advance!<br></div><div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr">--<br>Sergio Belkin<br>LPIC-2 Certified - <a href="http://www.lpi.org" 
target="_blank">http://www.lpi.org</a></div></div></div></div>
</div></div>