Brett Lymn wrote: On 28.02.16 10:18:13 you wrote:
> Once upon a time I did manage to get hybrid xauth working using a
> NetBSD server and windows clients, so certificates did work for me.

I don't even need hybrid or xauth. Just a plain signed certificate on both sides. A simple "road-warrior" client. Until now I found no example configurations for this case.

> IIRC, looping in phase 1 means both ends cannot agree on an
> authentication method or the credentials presented are not correct.

Yes. But phase 1 is definitely ok in my case. I now have access to the VPN-status log of my office's Lancom router and it accepted everything:

[VPN-Status] 2016/02/29 12:31:52,304 IKE info: Phase-1 [responder] for peer VPNCLIENT15EF90 initiator id CN=VPNCLIENT15,O=WPS,C=DE,L=HERFORD,ST=NRW,OU=IT,postalCode=32052, responder id CN=ZENTRALE,O=WPS,C=DE,L=HERFORD,ST=NRW,OU=IT,postalCode=32052
IKE info: initiator cookie: 0x4f5e1f08e12bd21c, responder cookie: 0x2e8dc875b4e07c26
IKE info: NAT-T enabled in mode rfc, we are not behind a nat, the remote side is behind a nat
IKE info: SA ISAKMP for peer VPNCLIENT15EF90 encryption aes-cbc authentication MD5
IKE info: life time ( 28800 sec/ 0 kb) DPD 0 sec

But after 30 seconds and a few Phase 2 Inf messages it just says:

[VPN-Status] 2016/02/29 12:32:22,284 VPN: connection for VPNCLIENT15EF90 (91.56.236.148) timed out: no response
[VPN-Status] 2016/02/29 12:32:22,284 VPN: Error: IFC-R-Connection-timeout-dynamic (0x1205) for VPNCLIENT15EF90 (91.56.236.148)

> Try increasing the debug level on racoon and see what it is offering
> to the remote end and see if that matches what you expect.

I tried everything. IPSEC_DEBUG in the kernel. "log debug2" in racoon.conf and starting the racoon daemon with -dddd. I don't get any more information out of it.

> If you have control over the other end then try simplifying things by using a
> pre-shared key (PSK) method of authentication

Unfortunately that's not possible. I cannot change the configuration of my office's router, because it will break the working VPN connection of all Windows notebooks.

Thanks,

-- 
Frank Wille
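A racoon.conf skeleton for the certificate-only road-warrior client described in this thread, added here as an illustration and not a configuration posted by anyone in the thread; the certificate file names, the DH group and all phase 2 values are assumptions, while the phase 1 proposal mirrors what the Lancom log above reports (aes-cbc, MD5, 28800 s lifetime, ASN.1 DN identifiers, NAT-T).

```conf
# Constructed example, not the poster's configuration.
# Phase 1 values follow the Lancom log in the thread; everything
# marked "assumption" is not supported by the thread.
path certificate "/etc/racoon/certs";          # assumption: certificate directory

remote anonymous {
        exchange_mode main;
        nat_traversal on;                       # log: NAT-T enabled, client behind NAT
        my_identifier asn1dn;                   # log shows both ids as X.509 DNs
        peers_identifier asn1dn;
        certificate_type x509 "vpnclient15.crt" "vpnclient15.key";   # assumption: file names
        ca_type x509 "wps-ca.crt";                                   # assumption: file name
        verify_cert on;                         # reject a peer cert not signed by the CA
        verify_identifier on;                   # peer DN must match its certificate
        proposal_check obey;
        proposal {
                encryption_algorithm aes;       # log: aes-cbc
                hash_algorithm md5;             # log: authentication MD5
                authentication_method rsasig;   # certificate (RSA signature) auth
                dh_group 2;                     # assumption: DH group is not in the log
                lifetime time 28800 sec;        # log: life time 28800 sec
        }
}

sainfo anonymous {
        pfs_group 2;                            # assumption: phase 2 is not in the log
        lifetime time 3600 sec;                 # assumption
        encryption_algorithm aes;               # assumption
        authentication_algorithm hmac_sha1;     # assumption
        compression_algorithm deflate;
}
```

With "log debug2" set as the poster did, racoon prints the phase 2 proposal it sends, which is the part to compare against the router's expectations when phase 1 completes but phase 2 times out.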