Issue #715

Win XP client behind NAT can not connect to Strongswan, but can connect to SoftEther (l2tp/psk) !

Added by Alex Brew almost 11 years ago. Updated almost 11 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: interoperability
Affected version: 5.1.2
Resolution:

Description

I have xl2tpd and strongSwan 5.1.2 installed on Ubuntu 14.04 LTS from its repository as a VPN server.
There is a Win XP client behind NAT on a cell network (yota.ru, a cell and internet carrier).

The configuration and log follow:

ipsec.conf:

    config setup
        charondebug="ike 3, chd 3 knl 3, net 3, asn 3, enc 3, lib 3, esp 3, cfg 0"
        strictcrlpolicy=no
        uniqueids = never #charondebug="cfg 2, chd 2"

    conn %default
        compress=yes
        dpdaction=clear # tried dpdaction=restart
        dpddelay=40
        dpdtimeout=130
        forceencaps=yes
        ikelifetime=8h
        keyingtries=10
        keylife=10800
        margintime=15m

    conn ikev1_l2tp_psk
        auto=add
        esp=aes128-sha1,3des-sha1,des-sha1
        ike=aes128-sha1-ecp256,aes256-sha1-ecp384,aes256-sha1-modp2048,3des-sha1-modp1024,3des-sha1-modp2048
        keyexchange=ikev1
        keyingtries=2
        left=95.24.95.95
        leftprotoport=udp/1701
        mobike=no
        rekey=no
        right=%any
        rightprotoport=udp/%any
        type=transport
        leftauth=psk
        rightauth=psk

    conn l2tp_ipsec
        auto=add
        esp=aes256-sha1!
        ike=aes256-sha1-modp1024!
        keyexchange=ikev1
        keyingtries=2
        left=95.24.95.95
        leftauth=pubkey
        leftcert=/etc/ipsec.d/certs/server.crt
        leftid=95.24.95.95
        leftprotoport=udp/%any
        mobike=no
        rekey=no
        right=%any
        rightauth=pubkey # also tried rsa
        rightsendcert=never
        rightsubnet=0.0.0.0/0
        type=transport

Log (Win XP is connecting):
08[ENC] parsed ID_PROT request 0 [ SA V V V V ]
08[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:04
08[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
08[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
08[IKE] 188.162.64.2 is initiating a Main Mode IKE_SA
08[IKE] IKE_SA (unnamed)[90] state change: CREATED => CONNECTING
04[KNL] policy 188.162.64.2/32 === 95.24.95.95/32[udp/l2f] in (mark 0/0x00000000) already exists, increasing refcount
04[KNL] updating policy 188.162.64.2/32 === 95.24.95.95/32[udp/l2f] in (mark 0/0x00000000)
08[IKE] sending strongSwan vendor ID
08[IKE] sending XAuth vendor ID
08[IKE] sending DPD vendor ID
04[KNL] sending XFRM_MSG_UPDPOLICY: => 248 bytes 0xb53fda5c
08[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
08[ENC] generating ID_PROT response 0 [ SA V V V V ]
04[IKE] CHILD_SA ikev1_l2tp_psk{1} established with SPIs cc2b81ba_i 056293a7_o and TS 95.24.95.95/32[udp/l2f] === 188.162.64.2/32
08[NET] sending packet: from 95.24.95.95[500] to 188.162.64.2[61807] (152 bytes)
15[NET] received packet: from 188.162.64.2[61807] to 95.24.95.95[500] (232 bytes)
15[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
15[IKE] remote host is behind NAT
15[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
15[NET] sending packet: from 95.24.95.95[500] to 188.162.64.2[61807] (244 bytes)
13[NET] received packet: from 188.162.64.2[61808] to 95.24.95.95[4500] (68 bytes)
13[ENC] parsed ID_PROT request 0 [ ID HASH ]
13[CFG] looking for pre-shared key peer configs matching 95.24.95.95...188.162.64.2[Acer8]
13[CFG] selected peer config "ikev1_l2tp_psk"
13[IKE] IKE_SA ikev1_l2tp_psk[90] established between 95.24.95.95[95.24.95.95]...188.162.64.2[Acer8]
13[IKE] IKE_SA ikev1_l2tp_psk[90] state change: CONNECTING => ESTABLISHED
13[IKE] DPD not supported by peer, disabled
13[ENC] generating ID_PROT response 0 [ ID HASH ]
13[NET] sending packet: from 95.24.95.95[4500] to 188.162.64.2[61808] (68 bytes)
13[IKE] detected reauth of existing IKE_SA, adopting 88 children
13[IKE] IKE_SA ikev1_l2tp_psk[89] state change: ESTABLISHED => DELETING
13[IKE] IKE_SA ikev1_l2tp_psk[89] state change: DELETING => DESTROYING
16[NET] received packet: from 188.162.64.2[61808] to 95.24.95.95[4500] (300 bytes)
16[ENC] parsed QUICK_MODE request 329296771 [ HASH SA No ID ID NAT-OA ]
16[IKE] received 3600s lifetime, configured 0s
16[IKE] received 250000000 lifebytes, configured 0
16[IKE] detected rekeying of CHILD_SA ikev1_l2tp_psk{1}
16[KNL] getting SPI for reqid {1}
16[KNL] sending XFRM_MSG_ALLOCSPI: => 244 bytes 0xaf3f1c5c
16[KNL] got SPI cca476d4 for reqid {1}
16[ENC] generating QUICK_MODE response 329296771 [ HASH SA No ID ID NAT-OA NAT-OA ]
16[NET] sending packet: from 95.24.95.95[4500] to 188.162.64.2[61808] (204 bytes)
14[NET] received packet: from 188.162.64.2[61808] to 95.24.95.95[4500] (52 bytes)
14[ENC] parsed QUICK_MODE request 329296771 [ HASH ]
14[KNL] adding SAD entry with SPI cca476d4 and reqid {1} (mark 0/0x00000000)
14[KNL] using encryption algorithm 3DES_CBC with key size 192
14[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
14[KNL] using replay window of 32 packets
14[KNL] sending XFRM_MSG_UPDSA: => 452 bytes 0xb03f3acc
14[KNL] adding SAD entry with SPI b6fe690e and reqid {1} (mark 0/0x00000000)
14[KNL] using encryption algorithm 3DES_CBC with key size 192
14[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
14[KNL] using replay window of 32 packets
14[KNL] sending XFRM_MSG_NEWSA: => 452 bytes 0xb03f3acc
14[KNL] policy 95.24.95.95/32[udp/l2f] === 188.162.64.2/32 out (mark 0/0x00000000) already exists, increasing refcount
14[KNL] policy 188.162.64.2/32 === 95.24.95.95/32[udp/l2f] in (mark 0/0x00000000) already exists, increasing refcount
14[KNL] policy 95.24.95.95/32[udp/l2f] === 188.162.64.2/32 out (mark 0/0x00000000) already exists, increasing refcount
14[KNL] updating policy 95.24.95.95/32[udp/l2f] === 188.162.64.2/32 out (mark 0/0x00000000)
14[KNL] sending XFRM_MSG_UPDPOLICY: => 248 bytes 0xb03f3a5c
14[KNL] policy 188.162.64.2/32 === 95.24.95.95/32[udp/l2f] in (mark 0/0x00000000) already exists, increasing refcount
14[KNL] updating policy 188.162.64.2/32 === 95.24.95.95/32[udp/l2f] in (mark 0/0x00000000)
14[KNL] sending XFRM_MSG_UPDPOLICY: => 248 bytes 0xb03f3a5c
14[IKE] CHILD_SA ikev1_l2tp_psk{1} established with SPIs cca476d4_i b6fe690e_o and TS 95.24.95.95/32[udp/l2f] === 188.162.64.2/32
07[NET] received packet: from 188.162.64.2[61807] to 95.24.95.95[500] (312 bytes)
07[ENC] parsed ID_PROT request 0 [ SA V V V V ]
07[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:04
07[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
07[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
07[IKE] 188.162.64.2 is initiating a Main Mode IKE_SA
07[IKE] IKE_SA (unnamed)[91] state change: CREATED => CONNECTING
07[IKE] sending strongSwan vendor ID
07[IKE] sending XAuth vendor ID
07[IKE] sending DPD vendor ID
07[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
07[ENC] generating ID_PROT response 0 [ SA V V V V ]
07[NET] sending packet: from 95.24.95.95[500] to 188.162.64.2[61807] (152 bytes)
04[NET] received packet: from 188.162.64.2[61807] to 95.24.95.95[500] (232 bytes)
04[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
04[IKE] remote host is behind NAT
04[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
04[NET] sending packet: from 95.24.95.95[500] to 188.162.64.2[61807] (244 bytes)
10[NET] received packet: from 188.162.64.2[61808] to 95.24.95.95[4500] (68 bytes)
10[ENC] parsed ID_PROT request 0 [ ID HASH ]
10[CFG] looking for pre-shared key peer configs matching 95.24.95.95...188.162.64.2[Acer8]
10[CFG] selected peer config "ikev1_l2tp_psk"
10[IKE] IKE_SA ikev1_l2tp_psk[91] established between 95.24.95.95[95.24.95.95]...188.162.64.2[Acer8]
10[IKE] IKE_SA ikev1_l2tp_psk[91] state change: CONNECTING => ESTABLISHED
10[IKE] DPD not supported by peer, disabled
10[ENC] generating ID_PROT response 0 [ ID HASH ]
10[NET] sending packet: from 95.24.95.95[4500] to 188.162.64.2[61808] (68 bytes)
13[IKE] detected reauth of existing IKE_SA, adopting 89 children
13[IKE] IKE_SA ikev1_l2tp_psk[90] state change: ESTABLISHED => DELETING
13[IKE] IKE_SA ikev1_l2tp_psk[90] state change: DELETING => DESTROYING
14[NET] received packet: from 188.162.64.2[61808] to 95.24.95.95[4500] (84 bytes)
14[ENC] invalid HASH_V1 payload length, decryption failed?
14[ENC] could not decrypt payloads
14[IKE] message parsing failed
14[IKE] ignore malformed INFORMATIONAL request
14[IKE] INFORMATIONAL_V1 request with message ID 197694854 processing failed

So, Win XP cannot connect to the VPN server across l2tp/psk as l2tp/ipsec-cert.
I didn't try Win 7 because there is no Win 7 behind this NAT.
But the connection from this Win XP client is successful across l2tp/psk with SoftEther.
I was not able to test l2tp/ipsec-cert with SoftEther because, as far as I saw, it doesn't support such a mode.

This situation occurs in version 5.1.2 and up to the nightly build 5.2.1dr1 (5.1.2-~10879+53 in the Ubuntu repository) downloaded on Sep 24, 2014.
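
Log triage for a charon log like the one in this report, added here as an example (it is not part of the original issue and not strongSwan code): it tallies Main Mode attempts per peer, the IKE_SA ids that came up, the child counts adopted on each reauth, and undecryptable messages. The sample lines are constructed from the log above, written with charon's bracketed SA ids; `triage`, the event names and the result fields are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log above (charon's bracketed SA ids).
SAMPLE_LOG = """\
08[IKE] 188.162.64.2 is initiating a Main Mode IKE_SA
15[IKE] remote host is behind NAT
13[IKE] IKE_SA ikev1_l2tp_psk[90] established between 95.24.95.95[95.24.95.95]...188.162.64.2[Acer8]
13[IKE] detected reauth of existing IKE_SA, adopting 88 children
13[IKE] IKE_SA ikev1_l2tp_psk[89] state change: ESTABLISHED => DELETING
07[IKE] 188.162.64.2 is initiating a Main Mode IKE_SA
04[IKE] remote host is behind NAT
10[IKE] IKE_SA ikev1_l2tp_psk[91] established between 95.24.95.95[95.24.95.95]...188.162.64.2[Acer8]
13[IKE] detected reauth of existing IKE_SA, adopting 89 children
14[ENC] invalid HASH_V1 payload length, decryption failed?
14[ENC] could not decrypt payloads
14[IKE] INFORMATIONAL_V1 request with message ID 197694854 processing failed
"""

LINE = re.compile(r"^\d+\[[A-Z]{3}\] (?P<msg>.*)$")
PATTERNS = {  # hypothetical event names -> charon message shapes seen above
    "main_mode": re.compile(r"^(\S+) is initiating a Main Mode IKE_SA$"),
    "established": re.compile(r"^IKE_SA (\S+)\[(\d+)\] established between "),
    "adopted": re.compile(r"^detected reauth of existing IKE_SA, adopting (\d+) children$"),
    "nat": re.compile(r"^remote host is behind NAT$"),
    "decrypt_fail": re.compile(r"^could not decrypt payloads$"),
    "failed_msg": re.compile(r"^(\S+) request with message ID (\d+) processing failed$"),
}

def triage(log_text):
    """Summarise IKE_SA churn and decrypt failures in a charon log."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped fragments without a thread[GROUP] prefix
        for name, pat in PATTERNS.items():
            hit = pat.match(m.group("msg"))
            if hit:
                events[name].append(hit.groups())
    peers = defaultdict(int)
    for (peer,) in events["main_mode"]:
        peers[peer] += 1
    adopted = [int(n) for (n,) in events["adopted"]]
    findings = [f"{p} started Main Mode {n} times" for p, n in peers.items() if n > 1]
    if len(adopted) > 1 and adopted[-1] > adopted[0]:
        findings.append(f"adopted child count grew {adopted[0]} -> {adopted[-1]}")
    if events["decrypt_fail"]:
        ids = [int(mid) for _, mid in events["failed_msg"]]
        findings.append(f"{len(events['decrypt_fail'])} undecryptable message(s), failed IDs {ids}")
    return {
        "main_mode_by_peer": dict(peers),
        "ike_sa_ids": [int(i) for _, i in events["established"]],
        "nat_detected": bool(events["nat"]),
        "adopted_children": adopted,
        "findings": findings,
    }

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```
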


Related issues

Related to Issue #744: I 'won' Strongswan 5.1.2, now Win XP works with l2tp/cert, Win7 works with l2tp/cert, ikev2/machine, ikev2/eap-mschapv2 with the same certificate ! Closed 21.10.2014

History

#1 Updated by Tobias Brunner almost 11 years ago

  • Related to Issue #744: I 'won' Strongswan 5.1.2, now Win XP works with l2tp/cert, Win7 works with l2tp/cert, ikev2/machine, ikev2/eap-mschapv2 with the same certificate ! added

#2 Updated by Tobias Brunner almost 11 years ago

  • Status changed from New to Closed

#3 Updated by Tobias Brunner almost 11 years ago

  • Category changed from windows to interoperability