<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">2016-04-29 17:18 GMT-03:00 Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">An error. You need to fix the ID either on the server or the client(s)</blockquote></div><br></div>
<div class="gmail_extra">Ok, I have now:<br>
<pre>
conn windows
        type=transport
        nat_traversal=yes
        forceencaps=yes
        authby=rsasig
        pfs=no
        rekey=no
        keyingtries=3
        narrowing=yes
        left=192.168.80.250
        leftprotoport=udp/l2tp
        leftcert=hope.belkin.home
        leftid=hope.belkin.home
        leftsendcert=always
        right=<a href="http://vpn.example.com.ar">vpn.example.com.ar</a>
        rightsubnet=vhost:%no,%priv
        rightid="CN=<a href="http://vpn.example.com.ar">vpn.example.com.ar</a>"
        rightprotoport=udp/%any
        auto=add
</pre>
</div>
<div class="gmail_extra">Now it renders:<br>
<pre>
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: our client subnet returned doesn't match my proposal - us:<a href="http://192.168.80.250/32">192.168.80.250/32</a> vs them:INITIATOR_WAN_IP_ADDRESS/32
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: peer client subnet returned doesn't match my proposal - us:SERVER_WAN_IP_ADDRESS/32 vs them:<a href="http://172.16.100.2/32">172.16.100.2/32</a>
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0x286adb70 <0xec3e0118 xfrm=AES_128-HMAC_SHA1 NATOA=INITIATOR_WAN_IP_ADDRESS NATD=SERVER_WAN_IP_ADDRESS:4500 DPD=passive}
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: sending encrypted notification INVALID_PAYLOAD_TYPE to SERVER_WAN_IP_ADDRESS:4500
abr 29 17:34:54 hope.belkin.home pluto[27935]: "windows" #2: deleting state #2 (STATE_QUICK_I2)
abr 29 17:34:54 hope.belkin.home pluto[27935]: "windows" #2: ESP traffic information: in=0B out=0B
</pre>
</div>
<div class="gmail_extra">ipsec status output:<br>
<pre>
000 "windows":     oriented; my_ip=unset; their_ip=unset; mycert=hope.belkin.home
000 "windows":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "windows":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "windows":   labeled_ipsec:no;
000 "windows":   policy_label:unset;
000 "windows":   CAs: 'DC=ar, DC=com, DC=vfc, CN=vfc-MS00009-CA'...'%any'
000 "windows":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "windows":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "windows":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "windows":   policy: RSASIG+ENCRYPT+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "windows":   conn_prio: 32,32; interface: wlp7s0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: unset;
000 "windows":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "windows":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "windows":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<N/A>
000  
000 Total IPsec connections: loaded 3, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
@  
</pre>
</div>
<div class="gmail_extra">End of Output<br><br></div>
<div class="gmail_extra">Important: Both ends are behind NAT!<br><br></div>
<div class="gmail_extra">Thanks in advance!<br clear="all"></div>
<div class="gmail_extra"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr">--<br>Sergio Belkin<br>LPIC-2 Certified - <a href="http://www.lpi.org" target="_blank">http://www.lpi.org</a></div></div></div></div>
</div></div>
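The pluto log excerpt in the post above carries several distinct signals that are easy to miss when scanning by eye: the two client-subnet mismatches that were only accepted because of ALLOW_MICROSOFT_BAD_PROPOSAL, the IPsec SA that did come up in transport mode behind NAT-T, the message rejected for an unexpected ISAKMP_NEXT_HASH payload with the INVALID_PAYLOAD_TYPE notification that followed, and the state that was deleted after carrying no ESP traffic. The following Python triage helper is an added example, not code from the thread or from the Libreswan project; it parses lines in the format shown above and turns them into per-state findings a defender can act on. The sample log is a constructed copy of the poster's lines, with the poster's own placeholders kept, and the regular expressions are assumptions tuned to those lines rather than a complete grammar of pluto's output.

```python
"""Triage helper for Libreswan pluto log lines of the kind shown in the post."""
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in the post.
SAMPLE_LOG = """\
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: our client subnet returned doesn't match my proposal - us:192.168.80.250/32 vs them:INITIATOR_WAN_IP_ADDRESS/32
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: peer client subnet returned doesn't match my proposal - us:SERVER_WAN_IP_ADDRESS/32 vs them:172.16.100.2/32
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0x286adb70 <0xec3e0118 xfrm=AES_128-HMAC_SHA1 NATOA=INITIATOR_WAN_IP_ADDRESS NATD=SERVER_WAN_IP_ADDRESS:4500 DPD=passive}
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: sending encrypted notification INVALID_PAYLOAD_TYPE to SERVER_WAN_IP_ADDRESS:4500
abr 29 17:34:54 hope.belkin.home pluto[27935]: "windows" #2: deleting state #2 (STATE_QUICK_I2)
abr 29 17:34:54 hope.belkin.home pluto[27935]: "windows" #2: ESP traffic information: in=0B out=0B
"""

# Assumed line shape: syslog timestamp, host, pluto[pid], "conn" #state: message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
MISMATCH_RE = re.compile(
    r"^(?P<side>our|peer) client subnet returned doesn't match my proposal - "
    r"us:(?P<us>\S+) vs them:(?P<them>\S+)$"
)
ESTABLISHED_RE = re.compile(r'IPsec SA established (?P<mode>\w+) mode \{(?P<detail>.*)\}')
UNEXPECTED_RE = re.compile(r'unexpected payload type \((?P<ptype>\w+)\)')
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<ntype>\w+) to (?P<peer>\S+)')
TRAFFIC_RE = re.compile(r'ESP traffic information: in=(?P<in>\S+) out=(?P<out>\S+)')


def parse_line(line):
    """Split one pluto line into its fields; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["state"] = int(rec["state"])
    rec["pid"] = int(rec["pid"])
    return rec


def new_state_record():
    return {"conn": None, "mismatches": [], "bad_proposal_allowed": 0,
            "established": None, "unexpected_payloads": [], "notifications": [],
            "traffic": None, "deleted": False}


def summarize(log_text):
    """Fold the log into one record per state number (#2, #3, ...)."""
    states = defaultdict(new_state_record)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = states[rec["state"]]
        s["conn"] = rec["conn"]
        msg = rec["msg"]
        if (m := MISMATCH_RE.match(msg)):
            s["mismatches"].append((m["side"], m["us"], m["them"]))
        elif "ALLOW_MICROSOFT_BAD_PROPOSAL" in msg:
            s["bad_proposal_allowed"] += 1
        elif (m := ESTABLISHED_RE.search(msg)):
            detail = m["detail"]
            xfrm = re.search(r'xfrm=(\S+)', detail)
            # NAT-T is visible as ESP/NAT and the NATOA/NATD fields in the SA line.
            s["established"] = {"mode": m["mode"],
                                "xfrm": xfrm.group(1) if xfrm else None,
                                "nat_t": "ESP/NAT=>" in detail or "NATOA=" in detail}
        elif (m := UNEXPECTED_RE.search(msg)):
            s["unexpected_payloads"].append(m["ptype"])
        elif (m := NOTIFY_RE.search(msg)):
            s["notifications"].append((m["ntype"], m["peer"]))
        elif (m := TRAFFIC_RE.search(msg)):
            s["traffic"] = {"in": m["in"], "out": m["out"]}
        elif msg.startswith("deleting state"):
            s["deleted"] = True
    return dict(states)


def findings(states):
    """Render the per-state records as short, human-readable triage lines."""
    out = []
    for num, s in sorted(states.items()):
        tag = f'"{s["conn"]}" #{num}'
        for side, us, them in s["mismatches"]:
            out.append(f"{tag}: {side} client subnet mismatch (us {us}, them {them})")
        if s["bad_proposal_allowed"]:
            out.append(f"{tag}: {s['bad_proposal_allowed']} questionable proposal(s) "
                       "accepted via ALLOW_MICROSOFT_BAD_PROPOSAL")
        if s["established"]:
            e = s["established"]
            out.append(f"{tag}: IPsec SA up, {e['mode']} mode, {e['xfrm']}, "
                       f"NAT-T {'yes' if e['nat_t'] else 'no'}")
        for ptype in s["unexpected_payloads"]:
            out.append(f"{tag}: ignored message with unexpected payload {ptype}")
        for ntype, peer in s["notifications"]:
            out.append(f"{tag}: sent {ntype} notification to {peer}")
        if s["traffic"] == {"in": "0B", "out": "0B"}:
            out.append(f"{tag}: SA carried no ESP traffic before deletion")
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_LOG)):
        print(line)
```

Run against the sample it reports, for state #3, the two mismatched subnets (our side 192.168.80.250/32 against the initiator's WAN address, the peer side the server's WAN address against 172.16.100.2/32), the two accepted questionable proposals, the transport-mode SA with AES_128-HMAC_SHA1 and NAT-T, the ignored ISAKMP_NEXT_HASH message and the INVALID_PAYLOAD_TYPE notification; for state #2 it reports a deleted SA with zero ESP traffic in either direction. Feeding it `journalctl -u ipsec` output on a real host only requires that the lines keep the syslog shape the regular expressions assume.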