Hi all,

I use strongSwan 5 as an IPsec VPN server (IPsec + L2TP) and 4.4.0 or 4.6.4 as the client.

When trying to connect to the server I get the error "our client ID returned doesn't match my proposal". But Windows 7 and Mac OS clients connect without problems. How can I fix this?

Server config:

config setup
    uniqueids=no

conn %default
    keyexchange=ikev1
    keyingtries=3
    rekey=no
    compress=no
    left=11.22.33.44

conn rw-cert
    type=transport
    authby=rsasig
    auth=esp
    leftid="O=strongSwan, CN=test.example.org, E=c...@test.org"
    leftrsasigkey=%cert
    leftcert=test_cert.pem
    leftprotoport=17/1701
    left=11.22.33.44
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/%any
    auto=add

===

Client:

config setup
    plutodebug=none
    uniqueids=no
    strictcrlpolicy=no
    nat_traversal=yes
    charonstart=no
    plutostart=yes

conn %default
    auth=esp
    keyexchange=ikev1
    keyingtries=3
    rekey=yes
    compress=no
    left=%defaultroute
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    rightprotoport=17/1701

conn RW
    type=transport
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    pfs=no
    left=%defaultroute
    leftcert=client1.pem
    leftid="O=strongSwan, CN=client1, E=c...@test.org"
    right=rw-gw2.asstra.pl
    rightid="O=strongSwan, CN=test.example.org, E=c...@test.org"
    auto=start

===

Client - strongSwan 4.4.0 and 4.6.4:

pluto[23285]: "RW" #7: initiating Main Mode
pluto[23285]: "RW" #7: received Vendor ID payload [XAUTH]
pluto[23285]: "RW" #7: received Vendor ID payload [Dead Peer Detection]
pluto[23285]: "RW" #7: received Vendor ID payload [RFC 3947]
pluto[23285]: "RW" #7: enabling possible NAT-traversal with method 3
pluto[23285]: "RW" #7: NAT-Traversal: Result using RFC 3947: i am NATed
pluto[23285]: "RW" #7: we have a cert and are sending it upon request
pluto[23285]: "RW" #7: Peer ID is ID_FQDN: 'test.example.org'
pluto[23285]: "RW" #7: crl not found
pluto[23285]: "RW" #7: certificate status unknown
pluto[23285]: "RW" #7: ISAKMP SA established
pluto[23285]: "RW" #8: initiating Quick Mode PUBKEY+ENCRYPT+PFS+UP {using isakmp#7}
pluto[23285]: "RW" #8: our client ID returned doesn't match my proposal
pluto[23285]: "RW" #8: sending encrypted notification INVALID_ID_INFORMATION to 11.22.33.44:4500
pluto[23285]: "RW" #7: ignoring informational payload, type INVALID_HASH_INFORMATION
pluto[23285]: "RW": terminating SAs using this connection

Server 5.0.3rc1 log - client strongSwan 4.6.4:

charon: 16[NET] received packet: from 88.77.66.55[500] to 11.22.33.44[500] (288 bytes)
charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V ]
charon: 16[IKE] received strongSwan vendor ID
charon: 16[IKE] received Cisco Unity vendor ID
charon: 16[IKE] received XAuth vendor ID
charon: 16[IKE] received DPD vendor ID
charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
charon: 16[IKE] 88.77.66.55 is initiating a Main Mode IKE_SA
charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
charon: 16[NET] sending packet: from 11.22.33.44[500] to 88.77.66.55[500] (136 bytes)
charon: 12[NET] received packet: from 88.77.66.55[500] to 11.22.33.44[500] (356 bytes)
charon: 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 12[IKE] remote host is behind NAT
charon: 12[IKE] sending cert request for "O=strongSwan, CN=strongSwan CA, E=c...@test.org"
charon: 12[IKE] sending cert request for "C=PL, O=Asstra AG, CN=Asstra VPN CA"
charon: 12[ENC] generating ID_PROT response 0 [ KE No CERTREQ CERTREQ NAT-D NAT-D ]
charon: 12[NET] sending packet: from 11.22.33.44[500] to 88.77.66.55[500] (526 bytes)
charon: 08[NET] received packet: from 88.77.66.55[4500] to 11.22.33.44[4500] (1484 bytes)
charon: 08[ENC] parsed ID_PROT request 0 [ ID CERT CERTREQ SIG ]
charon: 08[IKE] ignoring certificate request without data
charon: 08[IKE] received end entity cert "O=strongSwan, CN=client1, E=c...@test.org"
charon: 08[CFG] looking for RSA signature peer configs matching 11.22.33.44...88.77.66.55[O=strongSwan, CN=client1, E=c...@test.org]
charon: 08[CFG] selected peer config "rw-cert"
charon: 08[CFG] using certificate "O=strongSwan, CN=client1, E=c...@test.org"
charon: 08[CFG] using trusted ca certificate "O=strongSwan, CN=strongSwan CA, E=c...@test.org"
charon: 08[CFG] checking certificate status of "O=strongSwan, CN=client1, E=c...@test.org"
charon: 08[CFG] certificate status is not available
charon: 08[CFG] reached self-signed root ca with a path length of 0
charon: 08[IKE] authentication of 'O=strongSwan, CN=client1, E=c...@test.org' with RSA successful
charon: 08[IKE] authentication of 'test.example.org' (myself) successful
charon: 08[IKE] IKE_SA rw-cert[2] established between 11.22.33.44[test.example.org]...88.77.66.55[O=strongSwan, CN=client1, E=c...@test.org]
charon: 08[IKE] sending end entity cert "C=PL, ST=Poland, L=Warsaw, O=Asstra AG, CN=test.example.org, E=c...@asstra.by"
charon: 08[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
charon: 08[NET] sending packet: from 11.22.33.44[4500] to 88.77.66.55[4500] (1420 bytes)
charon: 09[NET] received packet: from 88.77.66.55[4500] to 11.22.33.44[4500] (460 bytes)
charon: 09[ENC] parsed QUICK_MODE request 3402596381 [ HASH SA No KE ID ID NAT-OA ]
charon: 09[IKE] received 1200s lifetime, configured 0s
charon: 09[ENC] generating QUICK_MODE response 3402596381 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
charon: 09[NET] sending packet: from 11.22.33.44[4500] to 88.77.66.55[4500] (460 bytes)
charon: 10[NET] received packet: from 88.77.66.55[4500] to 11.22.33.44[4500] (76 bytes)
charon: 10[ENC] parsed INFORMATIONAL_V1 request 3411852570 [ HASH N(INVAL_ID) ]
charon: 10[IKE] received INVALID_ID_INFORMATION error notify
charon: 15[IKE] sending DPD request
charon: 15[ENC] generating INFORMATIONAL_V1 request 2884054616 [ HASH N(DPD) ]
charon: 15[NET] sending packet: from 11.22.33.44[4500] to 88.77.66.55[4500] (92 bytes)
charon: 07[NET] received packet: from 88.77.66.55[4500] to 11.22.33.44[4500] (92 bytes)
charon: 07[ENC] parsed INFORMATIONAL_V1 request 1180077473 [ HASH N(DPD_ACK) ]
charon: 07[NET] received packet: from 88.77.66.55[4500] to 11.22.33.44[4500] (460 bytes)
charon: 07[ENC] parsed QUICK_MODE request 3402596381 [ HASH SA No KE ID ID NAT-OA ]
charon: 07[ENC] received HASH payload does not match
charon: 07[IKE] integrity check failed
charon: 07[ENC] generating INFORMATIONAL_V1 request 2511305358 [ HASH N(INVAL_HASH) ]
charon: 07[NET] sending packet: from 11.22.33.44[4500] to 88.77.66.55[4500] (76 bytes)
charon: 07[IKE] QUICK_MODE request with message ID 3402596381 processing failed
charon: 12[NET] received packet: from 88.77.66.55[4500] to 11.22.33.44[4500] (92 bytes)
charon: 12[ENC] parsed INFORMATIONAL_V1 request 1473394328 [ HASH D ]
charon: 12[IKE] received DELETE for IKE_SA rw-cert[2]
charon: 12[IKE] deleting IKE_SA rw-cert[2] between 11.22.33.44[test.example.org]...88.77.66.55[O=strongSwan, CN=client1, E=c...@test.org]

Server 5.0.3rc1 log - client Windows 7:

charon: 14[NET] received packet: from 55.11.22.33[500] to 11.22.33.44[500] (384 bytes)
charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
charon: 14[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:08
charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 14[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
charon: 14[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
charon: 14[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
charon: 14[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
charon: 14[IKE] 55.11.22.33 is initiating a Main Mode IKE_SA
charon: 14[ENC] generating ID_PROT response 0 [ SA V V V ]
charon: 14[NET] sending packet: from 11.22.33.44[500] to 55.11.22.33[500] (136 bytes)
charon: 10[NET] received packet: from 55.11.22.33[500] to 11.22.33.44[500] (388 bytes)
charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 10[IKE] remote host is behind NAT
charon: 10[IKE] sending cert request for "O=strongSwan, CN=strongSwan CA, E=c...@test.org"
charon: 10[ENC] generating ID_PROT response 0 [ KE No CERTREQ CERTREQ NAT-D NAT-D ]
charon: 10[NET] sending packet: from 11.22.33.44[500] to 55.11.22.33[500] (526 bytes)
charon: 12[NET] received packet: from 55.11.22.33[4500] to 11.22.33.44[4500] (1564 bytes)
charon: 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ ]
charon: 12[IKE] received cert request for 'O=strongSwan, CN=strongSwan CA, E=c...@test.org'
charon: 12[IKE] received end entity cert "O=strongSwan, CN=client2, E=c...@test.org"
charon: 12[CFG] looking for RSA signature peer configs matching 11.22.33.44...55.11.22.33[O=strongSwan, CN=client2, E=c...@test.org]
charon: 12[CFG] selected peer config "rw-cert"
charon: 12[CFG] using certificate "O=strongSwan, CN=client2, E=c...@test.org"
charon: 12[CFG] using trusted ca certificate "O=strongSwan, CN=strongSwan CA, E=c...@test.org"
charon: 12[CFG] checking certificate status of "O=strongSwan, CN=client2, E=c...@test.org"
charon: 12[CFG] certificate status is not available
charon: 12[CFG] reached self-signed root ca with a path length of 0
charon: 12[IKE] authentication of 'O=strongSwan, CN=client2, E=c...@test.org' with RSA successful
charon: 12[IKE] authentication of 'O=strongSwan, CN=test.example.org, E=c...@test.org' (myself) successful
charon: 12[IKE] IKE_SA rw-cert[2] established between 11.22.33.44[O=strongSwan, CN=test.example.org, E=c...@test.org]...55.11.22.33[O=strongSwan, CN=client2, E=c...@test.org]
charon: 12[IKE] DPD not supported by peer, disabled
charon: 12[IKE] sending end entity cert "O=strongSwan, CN=test.example.org, E=c...@test.org"
charon: 12[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
charon: 12[NET] sending packet: from 11.22.33.44[4500] to 55.11.22.33[4500] (1532 bytes)
charon: 16[NET] received packet: from 55.11.22.33[4500] to 11.22.33.44[4500] (380 bytes)
charon: 16[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 16[IKE] received 3600s lifetime, configured 0s
charon: 16[IKE] received 250000000 lifebytes, configured 0
charon: 16[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 16[NET] sending packet: from 11.22.33.44[4500] to 55.11.22.33[4500] (204 bytes)
charon: 15[NET] received packet: from 55.11.22.33[4500] to 11.22.33.44[4500] (60 bytes)
charon: 15[ENC] parsed QUICK_MODE request 1 [ HASH ]
charon: 15[IKE] CHILD_SA rw-cert{2} established with SPIs cf23fee2_i 9d35dbc4_o and TS 11.22.33.44/32[udp/l2tp] === 55.11.22.33/32[udp/l2tp]

Regards
Pavel
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
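The first thing to rule out when a Quick Mode exchange fails with INVALID_ID_INFORMATION is that the two peers' traffic selectors cannot agree. The script below is an added example for this thread, not strongSwan's code or the poster's: it resolves the `conn %default` inheritance that ipsec.conf applies (the client's RW conn picks up both protoport settings from `%default`), then checks whether each selector the initiator proposes is covered by the responder's configuration, treating `%any` as a wildcard port. The two config strings are transcribed from the post with only the keys this check needs; the small protocol/port name tables are an assumption standing in for a full /etc/services lookup.

```python
"""Resolve 'conn %default' inheritance in two ipsec.conf excerpts and check
whether the Quick Mode traffic selectors (leftprotoport / rightprotoport) that
the initiator proposes are covered by the responder's configuration.

Added example for this thread, not strongSwan's own code. The excerpts are
transcribed from the configs in the post, keeping only the keys this check
needs; the name tables are a minimal assumption, not an /etc/services lookup."""
import re

SERVER_CONF = """
config setup
    uniqueids=no
conn %default
    keyexchange=ikev1
    rekey=no
    left=11.22.33.44
conn rw-cert
    type=transport
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
"""

CLIENT_CONF = """
conn %default
    keyexchange=ikev1
    rekey=yes
    left=%defaultroute
    leftprotoport=17/1701
    rightprotoport=17/1701
conn RW
    type=transport
    right=rw-gw2.asstra.pl
    auto=start
"""

PROTO_NAMES = {"udp": 17, "tcp": 6, "icmp": 1}   # assumption: small table only
PORT_NAMES = {"l2tp": 1701}


def parse_ipsec_conf(text):
    """Return {'conn NAME': {key: value}} for each section; comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^(config|conn|ca)\s+(\S+)$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conn(sections, name):
    """Values from 'conn %default' apply unless the named conn overrides them."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections[f"conn {name}"])
    return merged


def parse_protoport(spec):
    """'17/1701' -> (17, 1701); '17/%any' -> (17, None); unset -> (0, None).
    Protocol 0 means 'any protocol', port None means 'any port'."""
    if not spec:
        return (0, None)
    proto, _, port = spec.partition("/")
    proto_num = int(proto) if proto.isdigit() else PROTO_NAMES[proto.lower()]
    if port in ("", "%any"):
        return (proto_num, None)
    port_num = int(port) if port.isdigit() else PORT_NAMES[port.lower()]
    return (proto_num, port_num)


def selector_accepts(responder, initiator):
    """True if the responder's selector covers what the initiator proposes."""
    r_proto, r_port = responder
    i_proto, i_port = initiator
    if r_proto != 0 and r_proto != i_proto:
        return False
    if r_port is not None and r_port != i_port:
        return False
    return True


def check_selectors(initiator, responder):
    """The initiator's left is the responder's right and vice versa."""
    findings = []
    for i_key, r_key in (("leftprotoport", "rightprotoport"),
                         ("rightprotoport", "leftprotoport")):
        i_spec, r_spec = initiator.get(i_key, ""), responder.get(r_key, "")
        ok = selector_accepts(parse_protoport(r_spec), parse_protoport(i_spec))
        findings.append((i_key, i_spec or "<unset>", r_key, r_spec or "<unset>", ok))
    return findings


if __name__ == "__main__":
    client = effective_conn(parse_ipsec_conf(CLIENT_CONF), "RW")
    server = effective_conn(parse_ipsec_conf(SERVER_CONF), "rw-cert")
    for i_key, i_spec, r_key, r_spec, ok in check_selectors(client, server):
        verdict = "compatible" if ok else "MISMATCH"
        print(f"client {i_key}={i_spec} vs server {r_key}={r_spec}: {verdict}")
```

For the two excerpts above both selectors come out compatible (the server's `17/%any` covers the client's `17/1701`), so a static mismatch of this kind is not what the client is complaining about; the pluto message concerns the IDs the responder actually returns in its Quick Mode response, which only the on-the-wire exchange shows.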