Re: [Swan] L2TP/IPsec with certificates: INVALID_KEY_INFORMATION

Sat, 30 Apr 2016 09:31:09 -0700 

On Fri, 29 Apr 2016, Sergio Belkin wrote:


conn windows
        type=transport
        nat_traversal=yes
        forceencaps=yes
        authby=rsasig
        pfs=no
        rekey=no
        keyingtries=3
        narrowing=yes
        left=192.168.80.250
        leftprotoport=udp/l2tp
        leftcert=hope.belkin.home
        leftid=hope.belkin.home
        leftsendcert=always
        right=vpn.example.com.ar
        rightsubnet=vhost:%no,%priv
        rightid="CN=vpn.example.com.ar"
        rightprotoport=udp/%any
        auto=add


Remove narrowing=yes and keyingtries=3
Change left= to be left=%defaultroute
Change rightprotoport=udp/%any to rightprotoport=udp/l2tp
Remove rightsubnet=vhost:%no,%priv as that is a server-only option


abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: our client subnet 
returned doesn't match my proposal - us:192.168.80.250/32 vs 
them:INITIATOR_WAN_IP_ADDRESS/32
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: Allowing 
questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: peer client subnet 
returned doesn't match my proposal - us:SERVER_WAN_IP_ADDRESS/32 vs them:172.16.100.2/32
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: Allowing 
questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: transition from 
state STATE_QUICK_I1 to state STATE_QUICK_I2
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: STATE_QUICK_I2: sent 
QI2, IPsec SA established transport mode {ESP/NAT=>0x286adb70 <0xec3e0118 
xfrm=AES_128-HMAC_SHA1
NATOA=INITIATOR_WAN_IP_ADDRESS NATD=SERVER_WAN_IP_ADDRESS:4500 DPD=passive}
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: message ignored 
because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
abr 29 17:33:54 hope.belkin.home pluto[27935]: "windows" #3: sending encrypted 
notification INVALID_PAYLOAD_TYPE to SERVER_WAN_IP_ADDRESS:4500
abr 29 17:34:54 hope.belkin.home pluto[27935]: "windows" #2: deleting state #2 
(STATE_QUICK_I2)
abr 29 17:34:54 hope.belkin.home pluto[27935]: "windows" #2: ESP traffic 
information: in=0B out=0B


I kinda forgot how to properly deal with the bad windows server
proposal, you can also try to add rightsubnet=172.16.100.2/32

If you get anything that works, please let us know so we can add it to
our wiki's example configs.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan






















					Reply via email to