l2tpd over IPSec NAT-D in Win7

L2TP over IPSec + NAT-D 在win7上似乎有問題

除了要注意，在quick mode的QI1中esp是用null encryption algo外，還有protocol 1701/17

1701是指L2TP 的port，17是指udp protocol.

先在xp client在nat下連openswan看來是ok的…如下


ipsec.conf如下

conn conn_pptp_ipsec
        auto=add
        type=transport
        left=172.21.33.8
        right=%any
        leftnexthop=172.21.32.254
        ike="3des-md5-modp1024,3des-md5-modp1024,3des-md5-modp1024,3des-md5-modp
        pfs=no
        esp="null-md5,null-sha1,3des-md5,3des-md5"
        authby=secret
        leftprotoport=17/1701
        rightprotoport=17/0




# cat /etc/ppp/l2tpd.conf
[global]

[lns default]
ip range = 192.168.0.230-192.168.0.240
local ip = 192.168.0.220
refuse chap = yes
require pap = yes
require authentication = yes
name = pptp_ipsec
ppp debug = yes
pppoptfile = /tmp/ppp/options.l2tpd
length bit = yes


# cat /etc/ppp/options.l2tpd
refuse-chap
refuse-mschap
refuse-mschap-v2
require-pap
ipparam l2tpd
novj
nobsdcomp
novjccomp
nologfd
idle 1800
mtu 1410
mru 1410
debug
dump
lock
proxyarp
ms-dns 172.21.1.1
ms-dns 172.21.1.2

openswan NAT-D in XP client (L2TP over IPSec) OK.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.03.30 18:29:23 =~=~=~=~=~=~=~=~=~=~=~=
killall syslogd
killall: syslogd: no process killed
# pluto[12392]: |
pluto[12392]: | *received 312 bytes from 172.21.33.79:500 on eth0
pluto[12392]: | **parse ISAKMP Message:
pluto[12392]: |    initiator cookie:
pluto[12392]: |   92 f2 33 30  40 d3 8d 3a
pluto[12392]: |    responder cookie:
pluto[12392]: |   00 00 00 00  00 00 00 00
pluto[12392]: |    next payload type: ISAKMP_NEXT_SA
pluto[12392]: |    ISAKMP version: ISAKMP Version 1.0
pluto[12392]: |    exchange type: ISAKMP_XCHG_IDPROT
pluto[12392]: |    flags: none
pluto[12392]: |    message ID:  00 00 00 00
pluto[12392]: |    length: 312
pluto[12392]: | The xchg type is ISAKMP_XCHG_IDPROT (2)
pluto[12392]: | ***parse ISAKMP Security Association Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_VID
pluto[12392]: |    length: 200
pluto[12392]: |    DOI: ISAKMP_DOI_IPSEC
pluto[12392]: | ***parse ISAKMP Vendor ID Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_VID
pluto[12392]: |    length: 24
pluto[12392]: | ***parse ISAKMP Vendor ID Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_VID
pluto[12392]: |    length: 20
pluto[12392]: | ***parse ISAKMP Vendor ID Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_VID
pluto[12392]: |    length: 20
pluto[12392]: | ***parse ISAKMP Vendor ID Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_NONE
pluto[12392]: |    length: 20
pluto[12392]: packet from 172.21.33.79:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[12392]: | VID:  1e 2b 51 69  05 99 1c 7d  7c 96 fc bf  b5 87 e4 61
pluto[12392]: |   00 00 00 04
pluto[12392]: packet from 172.21.33.79:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[12392]: | VID:  40 48 b7 d5  6e bc e8 85  25 e7 de 7f  00 d6 c2 d3
pluto[12392]: packet from 172.21.33.79:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[12392]: | VID:  90 cb 80 91  3e bb 69 6e  08 63 81 b5  ec 42 7b 1f
pluto[12392]: packet from 172.21.33.79:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
pluto[12392]: | VID:  26 24 4d 38  ed db 61 b3  17 2a 36 e3  d0 cf b8 19
pluto[12392]: | ****parse IPsec DOI SIT:
pluto[12392]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
pluto[12392]: | ****parse ISAKMP Proposal Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_NONE
pluto[12392]: |    length: 188
pluto[12392]: |    proposal number: 1
pluto[12392]: |    protocol ID: PROTO_ISAKMP
pluto[12392]: |    SPI size: 0
pluto[12392]: |    number of transforms: 5
pluto[12392]: | *****parse ISAKMP Transform Payload (ISAKMP):
pluto[12392]: |    next payload type: ISAKMP_NEXT_T
pluto[12392]: |    length: 36
pluto[12392]: |    transform number: 1
pluto[12392]: |    transform ID: KEY_IKE
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
pluto[12392]: |    length/value: 5
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_HASH_ALGORITHM
pluto[12392]: |    length/value: 2
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_GROUP_DESCRIPTION
pluto[12392]: |    length/value: 14
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_LIFE_TYPE
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
pluto[12392]: |    length/value: 4
pluto[12392]: | *****parse ISAKMP Transform Payload (ISAKMP):
pluto[12392]: |    next payload type: ISAKMP_NEXT_T
pluto[12392]: |    length: 36
pluto[12392]: |    transform number: 2
pluto[12392]: |    transform ID: KEY_IKE
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
pluto[12392]: |    length/value: 5
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_HASH_ALGORITHM
pluto[12392]: |    length/value: 2
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_GROUP_DESCRIPTION
pluto[12392]: |    length/value: 2
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_LIFE_TYPE
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
pluto[12392]: |    length/value: 4
pluto[12392]: | *****parse ISAKMP Transform Payload (ISAKMP):
pluto[12392]: |    next payload type: ISAKMP_NEXT_T
pluto[12392]: |    length: 36
pluto[12392]: |    transform number: 3
pluto[12392]: |    transform ID: KEY_IKE
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
pluto[12392]: |    length/value: 5
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_HASH_ALGORITHM
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_GROUP_DESCRIPTION
pluto[12392]: |    length/value: 2
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_LIFE_TYPE
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
pluto[12392]: |    length/value: 4
pluto[12392]: | *****parse ISAKMP Transform Payload (ISAKMP):
pluto[12392]: |    next payload type: ISAKMP_NEXT_T
pluto[12392]: |    length: 36
pluto[12392]: |    transform number: 4
pluto[12392]: |    transform ID: KEY_IKE
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_HASH_ALGORITHM
pluto[12392]: |    length/value: 2
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_GROUP_DESCRIPTION
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_LIFE_TYPE
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
pluto[12392]: |    length/value: 4
pluto[12392]: | *****parse ISAKMP Transform Payload (ISAKMP):
pluto[12392]: |    next payload type: ISAKMP_NEXT_NONE
pluto[12392]: |    length: 36
pluto[12392]: |    transform number: 5
pluto[12392]: |    transform ID: KEY_IKE
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_HASH_ALGORITHM
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_GROUP_DESCRIPTION
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_LIFE_TYPE
pluto[12392]: |    length/value: 1
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
pluto[12392]: |    length/value: 4
pluto[12392]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: responding to Main Mode from unknown peer 172.21.33.79
pluto[12392]: | ****parse IPsec DOI SIT:
pluto[12392]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
pluto[12392]: | ****parse ISAKMP Proposal Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_NONE
pluto[12392]: |    length: 188
pluto[12392]: |    proposal number: 1
pluto[12392]: |    protocol ID: PROTO_ISAKMP
pluto[12392]: |    SPI size: 0
pluto[12392]: |    number of transforms: 5
pluto[12392]: | *****parse ISAKMP Transform Payload (ISAKMP):
pluto[12392]: |    next payload type: ISAKMP_NEXT_T
pluto[12392]: |    length: 36
pluto[12392]: |    transform number: 1
pluto[12392]: |    transform ID: KEY_IKE
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
pluto[12392]: |    length/value: 5
pluto[12392]: |    [5 is OAKLEY_3DES_CBC]
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_HASH_ALGORITHM
pluto[12392]: |    length/value: 2
pluto[12392]: |    [2 is OAKLEY_SHA]
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_GROUP_DESCRIPTION
pluto[12392]: |    length/value: 14
pluto[12392]: |    [14 is OAKLEY_GROUP_MODP2048]
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
pluto[12392]: |    length/value: 1
pluto[12392]: |    [1 is OAKLEY_PRESHARED_KEY]
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_LIFE_TYPE
pluto[12392]: |    length/value: 1
pluto[12392]: |    [1 is OAKLEY_LIFE_SECONDS]
pluto[12392]: | ******parse ISAKMP Oakley attribute:
pluto[12392]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
pluto[12392]: |    length/value: 4
pluto[12392]: |    long duration: 28800
pluto[12392]: | Oakley Transform 1 accepted
pluto[12392]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: transition from state (null) to state STATE_MAIN_R1
pluto[12392]: |
pluto[12392]: | *received 360 bytes from 172.21.33.79:500 on eth0
pluto[12392]: | **parse ISAKMP Message:
pluto[12392]: |    initiator cookie:
pluto[12392]: |   92 f2 33 30  40 d3 8d 3a
pluto[12392]: |    responder cookie:
pluto[12392]: |   b7 30 09 f8  0e 4a 6e c6
pluto[12392]: |    next payload type: ISAKMP_NEXT_KE
pluto[12392]: |    ISAKMP version: ISAKMP Version 1.0
pluto[12392]: |    exchange type: ISAKMP_XCHG_IDPROT
pluto[12392]: |    flags: none
pluto[12392]: |    message ID:  00 00 00 00
pluto[12392]: |    length: 360
pluto[12392]: | The xchg type is ISAKMP_XCHG_IDPROT (2)
pluto[12392]: | ***parse ISAKMP Key Exchange Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_NONCE
pluto[12392]: |    length: 260
pluto[12392]: | ***parse ISAKMP Nonce Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_NAT-D
pluto[12392]: |    length: 24
pluto[12392]: | ***parse ISAKMP NAT-D Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_NAT-D
pluto[12392]: |    length: 24
pluto[12392]: | ***parse ISAKMP NAT-D Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_NONE
pluto[12392]: |    length: 24
pluto[12392]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
pluto[12392]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[12392]: |
pluto[12392]: | *received 76 bytes from 172.21.33.79:4500 on eth0
pluto[12392]: | **parse ISAKMP Message:
pluto[12392]: |    initiator cookie:
pluto[12392]: |   92 f2 33 30  40 d3 8d 3a
pluto[12392]: |    responder cookie:
pluto[12392]: |   b7 30 09 f8  0e 4a 6e c6
pluto[12392]: |    next payload type: ISAKMP_NEXT_ID
pluto[12392]: |    ISAKMP version: ISAKMP Version 1.0
pluto[12392]: |    exchange type: ISAKMP_XCHG_IDPROT
pluto[12392]: |    flags: ISAKMP_FLAG_ENCRYPTION
pluto[12392]: |    message ID:  00 00 00 00
pluto[12392]: |    length: 76
pluto[12392]: | The xchg type is ISAKMP_XCHG_IDPROT (2)
pluto[12392]: | ***parse ISAKMP Identification Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_HASH
pluto[12392]: |    length: 23
pluto[12392]: |    ID type: ID_FQDN
pluto[12392]: |    DOI specific A: 0
pluto[12392]: |    DOI specific B: 0
pluto[12392]: | ***parse ISAKMP Hash Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_NONE
pluto[12392]: |    length: 24
pluto[12392]: | removing 1 bytes of padding
pluto[12392]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: Main mode peer ID is ID_FQDN: '@test-55e98b2637'
pluto[12392]: "conn_pptp_ipsec"[2] 172.21.33.79 #1: deleting connection "conn_pptp_ipsec" instance with peer 172.21.33.79
pluto[12392]: "conn_pptp_ipsec"[2] 172.21.33.79 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[12392]: | NAT-T: new mapping 172.21.33.79:500/4500)
pluto[12392]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #1: sent MR3, ISAKMP SA established
pluto[12392]: |
pluto[12392]: | *received 228 bytes from 172.21.33.79:4500 on eth0
pluto[12392]: | **parse ISAKMP Message:
pluto[12392]: |    initiator cookie:
pluto[12392]: |   92 f2 33 30  40 d3 8d 3a
pluto[12392]: |    responder cookie:
pluto[12392]: |   b7 30 09 f8  0e 4a 6e c6
pluto[12392]: |    next payload type: ISAKMP_NEXT_HASH
pluto[12392]: |    ISAKMP version: ISAKMP Version 1.0
pluto[12392]: |    exchange type: ISAKMP_XCHG_QUICK
pluto[12392]: |    flags: ISAKMP_FLAG_ENCRYPTION
pluto[12392]: |    message ID:  9d 06 2e 20
pluto[12392]: |    length: 228
pluto[12392]: | The xchg type is ISAKMP_XCHG_QUICK (32)
pluto[12392]: | ***parse ISAKMP Hash Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_SA
pluto[12392]: |    length: 24
pluto[12392]: | ***parse ISAKMP Security Association Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_NONCE
pluto[12392]: |    length: 104
pluto[12392]: |    DOI: ISAKMP_DOI_IPSEC
pluto[12392]: | ***parse ISAKMP Nonce Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_ID
pluto[12392]: |    length: 24
pluto[12392]: | ***parse ISAKMP Identification Payload (IPsec DOI):
pluto[12392]: |    next payload type: ISAKMP_NEXT_ID
pluto[12392]: |    length: 23
pluto[12392]: |    ID type: ID_FQDN
pluto[12392]: |    Protocol ID: 17
pluto[12392]: |    port: 1701
pluto[12392]: | ***parse ISAKMP Identification Payload (IPsec DOI):
pluto[12392]: |    next payload type: ISAKMP_NEXT_NAT-OA
pluto[12392]: |    length: 12
pluto[12392]: |    ID type: ID_IPV4_ADDR
pluto[12392]: |    Protocol ID: 17
pluto[12392]: |    port: 1701
pluto[12392]: | ***parse ISAKMP NAT-OA Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_NONE
pluto[12392]: |    length: 12
pluto[12392]: |    ID type: ID_IPV4_ADDR
pluto[12392]: | removing 1 bytes of padding
pluto[12392]: | our client is 172.21.33.8/32
pluto[12392]: | our client protocol/port is 17/1701
pluto[12392]: | NAT-OA:  00 00 00 0c  01 00 00 00  c0 a8 0a 64
pluto[12392]: | ****parse IPsec DOI SIT:
pluto[12392]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
pluto[12392]: | ****parse ISAKMP Proposal Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_NONE
pluto[12392]: |    length: 92
pluto[12392]: |    proposal number: 1
pluto[12392]: |    protocol ID: PROTO_IPSEC_ESP
pluto[12392]: |    SPI size: 4
pluto[12392]: |    number of transforms: 2
pluto[12392]: | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI
pluto[12392]: | SPI  ca 19 61 99
pluto[12392]: | *****parse ISAKMP Transform Payload (ESP):
pluto[12392]: |    next payload type: ISAKMP_NEXT_T
pluto[12392]: |    length: 40
pluto[12392]: |    transform number: 1
pluto[12392]: |    transform ID: ESP_NULL
pluto[12392]: | ******parse ISAKMP IPsec DOI attribute:
pluto[12392]: |    af+type: SA_LIFE_TYPE
pluto[12392]: |    length/value: 1
pluto[12392]: |    [1 is SA_LIFE_TYPE_SECONDS]
pluto[12392]: | ******parse ISAKMP IPsec DOI attribute:
pluto[12392]: |    af+type: SA_LIFE_DURATION (variable length)
pluto[12392]: |    length/value: 4
pluto[12392]: |    long duration: 3600
pluto[12392]: | ******parse ISAKMP IPsec DOI attribute:
pluto[12392]: |    af+type: SA_LIFE_TYPE
pluto[12392]: |    length/value: 2
pluto[12392]: |    [2 is SA_LIFE_TYPE_KBYTES]
pluto[12392]: | ******parse ISAKMP IPsec DOI attribute:
pluto[12392]: |    af+type: SA_LIFE_DURATION (variable length)
pluto[12392]: |    length/value: 4
pluto[12392]: |    long duration: 250000
pluto[12392]: | ******parse ISAKMP IPsec DOI attribute:
pluto[12392]: |    af+type: ENCAPSULATION_MODE
pluto[12392]: |    length/value: 61444
pluto[12392]: |    [61444 is ENCAPSULATION_MODE_UDP_TRANSPORT]
pluto[12392]: | ******parse ISAKMP IPsec DOI attribute:
pluto[12392]: |    af+type: AUTH_ALGORITHM
pluto[12392]: |    length/value: 2
pluto[12392]: |    [2 is AUTH_ALGORITHM_HMAC_SHA1]
pluto[12392]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #2: You should NOT use insecure ESP algorithms [ESP_NULL (0)]!
pluto[12392]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #2: responding to Quick Mode
pluto[12392]: | compute_proto_keymat:needed_len (after ESP enc)=0
pluto[12392]: | kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20
pluto[12392]: | compute_proto_keymat:needed_len (after ESP auth)=20
pluto[12392]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #2: transition from state (null) to state STATE_QUICK_R1
pluto[12392]: |
pluto[12392]: | *received 52 bytes from 172.21.33.79:4500 on eth0
pluto[12392]: | **parse ISAKMP Message:
pluto[12392]: |    initiator cookie:
pluto[12392]: |   92 f2 33 30  40 d3 8d 3a
pluto[12392]: |    responder cookie:
pluto[12392]: |   b7 30 09 f8  0e 4a 6e c6
pluto[12392]: |    next payload type: ISAKMP_NEXT_HASH
pluto[12392]: |    ISAKMP version: ISAKMP Version 1.0
pluto[12392]: |    exchange type: ISAKMP_XCHG_QUICK
pluto[12392]: |    flags: ISAKMP_FLAG_ENCRYPTION
pluto[12392]: |    message ID:  9d 06 2e 20
pluto[12392]: |    length: 52
pluto[12392]: | The xchg type is ISAKMP_XCHG_QUICK (32)
pluto[12392]: | ***parse ISAKMP Hash Payload:
pluto[12392]: |    next payload type: ISAKMP_NEXT_NONE
pluto[12392]: |    length: 24
pluto[12392]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
pluto[12392]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #2: IPsec SA established

#
#

接下來我將client改成WIN7

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.03.30 18:42:39 =~=~=~=~=~=~=~=~=~=~=~=
pluto[13156]: |
pluto[13156]: | *received 384 bytes from 172.21.33.79:500 on eth0
pluto[13156]: | **parse ISAKMP Message:
pluto[13156]: |    initiator cookie:
pluto[13156]: |   c1 b5 e9 73  75 61 93 46
pluto[13156]: |    responder cookie:
pluto[13156]: |   00 00 00 00  00 00 00 00
pluto[13156]: |    next payload type: ISAKMP_NEXT_SA
pluto[13156]: |    ISAKMP version: ISAKMP Version 1.0
pluto[13156]: |    exchange type: ISAKMP_XCHG_IDPROT
pluto[13156]: |    flags: none
pluto[13156]: |    message ID:  00 00 00 00
pluto[13156]: |    length: 384
pluto[13156]: | The xchg type is ISAKMP_XCHG_IDPROT (2)
pluto[13156]: | ***parse ISAKMP Security Association Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_VID
pluto[13156]: |    length: 212
pluto[13156]: |    DOI: ISAKMP_DOI_IPSEC
pluto[13156]: | ***parse ISAKMP Vendor ID Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_VID
pluto[13156]: |    length: 24
pluto[13156]: | ***parse ISAKMP Vendor ID Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_VID
pluto[13156]: |    length: 20
pluto[13156]: | ***parse ISAKMP Vendor ID Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_VID
pluto[13156]: |    length: 20
pluto[13156]: | ***parse ISAKMP Vendor ID Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_VID
pluto[13156]: |    length: 20
pluto[13156]: | ***parse ISAKMP Vendor ID Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_VID
pluto[13156]: |    length: 20
pluto[13156]: | ***parse ISAKMP Vendor ID Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_VID
pluto[13156]: |    length: 20
pluto[13156]: | ***parse ISAKMP Vendor ID Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_NONE
pluto[13156]: |    length: 20
pluto[13156]: packet from 172.21.33.79:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
pluto[13156]: | VID:  1e 2b 51 69  05 99 1c 7d  7c 96 fc bf  b5 87 e4 61
pluto[13156]: |   00 00 00 08
pluto[13156]: packet from 172.21.33.79:500: received Vendor ID payload [RFC 3947]
pluto[13156]: | VID:  4a 13 1c 81  07 03 58 45  5c 57 28 f2  0e 95 45 2f
pluto[13156]: packet from 172.21.33.79:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[13156]: | VID:  90 cb 80 91  3e bb 69 6e  08 63 81 b5  ec 42 7b 1f
pluto[13156]: packet from 172.21.33.79:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[13156]: | VID:  40 48 b7 d5  6e bc e8 85  25 e7 de 7f  00 d6 c2 d3
pluto[13156]: packet from 172.21.33.79:500: ignoring Vendor ID payload [fb1de3cdf341b7ea16b7e5be0855f120]
pluto[13156]: | VID:  fb 1d e3 cd  f3 41 b7 ea  16 b7 e5 be  08 55 f1 20
pluto[13156]: packet from 172.21.33.79:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
pluto[13156]: | VID:  26 24 4d 38  ed db 61 b3  17 2a 36 e3  d0 cf b8 19
pluto[13156]: packet from 172.21.33.79:500: ignoring Vendor ID payload [e3a5966a76379fe707228231e5ce8652]
pluto[13156]: | VID:  e3 a5 96 6a  76 37 9f e7  07 22 82 31  e5 ce 86 52
pluto[13156]: | ****parse IPsec DOI SIT:
pluto[13156]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
pluto[13156]: | ****parse ISAKMP Proposal Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_NONE
pluto[13156]: |    length: 200
pluto[13156]: |    proposal number: 1
pluto[13156]: |    protocol ID: PROTO_ISAKMP
pluto[13156]: |    SPI size: 0
pluto[13156]: |    number of transforms: 5
pluto[13156]: | *****parse ISAKMP Transform Payload (ISAKMP):
pluto[13156]: |    next payload type: ISAKMP_NEXT_T
pluto[13156]: |    length: 40
pluto[13156]: |    transform number: 1
pluto[13156]: |    transform ID: KEY_IKE
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
pluto[13156]: |    length/value: 7
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_KEY_LENGTH
pluto[13156]: |    length/value: 256
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_HASH_ALGORITHM
pluto[13156]: |    length/value: 2
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_GROUP_DESCRIPTION
pluto[13156]: |    length/value: 20
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
pluto[13156]: |    length/value: 1
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_LIFE_TYPE
pluto[13156]: |    length/value: 1
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
pluto[13156]: |    length/value: 4
pluto[13156]: | *****parse ISAKMP Transform Payload (ISAKMP):
pluto[13156]: |    next payload type: ISAKMP_NEXT_T
pluto[13156]: |    length: 40
pluto[13156]: |    transform number: 2
pluto[13156]: |    transform ID: KEY_IKE
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
pluto[13156]: |    length/value: 7
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_KEY_LENGTH
pluto[13156]: |    length/value: 128
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_HASH_ALGORITHM
pluto[13156]: |    length/value: 2
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_GROUP_DESCRIPTION
pluto[13156]: |    length/value: 19
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
pluto[13156]: |    length/value: 1
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_LIFE_TYPE
pluto[13156]: |    length/value: 1
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
pluto[13156]: |    length/value: 4
pluto[13156]: | *****parse ISAKMP Transform Payload (ISAKMP):
pluto[13156]: |    next payload type: ISAKMP_NEXT_T
pluto[13156]: |    length: 40
pluto[13156]: |    transform number: 3
pluto[13156]: |    transform ID: KEY_IKE
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
pluto[13156]: |    length/value: 7
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_KEY_LENGTH
pluto[13156]: |    length/value: 256
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_HASH_ALGORITHM
pluto[13156]: |    length/value: 2
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_GROUP_DESCRIPTION
pluto[13156]: |    length/value: 14
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
pluto[13156]: |    length/value: 1
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_LIFE_TYPE
pluto[13156]: |    length/value: 1
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
pluto[13156]: |    length/value: 4
pluto[13156]: | *****parse ISAKMP Transform Payload (ISAKMP):
pluto[13156]: |    next payload type: ISAKMP_NEXT_T
pluto[13156]: |    length: 36
pluto[13156]: |    transform number: 4
pluto[13156]: |    transform ID: KEY_IKE
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
pluto[13156]: |    length/value: 5
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_HASH_ALGORITHM
pluto[13156]: |    length/value: 2
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_GROUP_DESCRIPTION
pluto[13156]: |    length/value: 14
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
pluto[13156]: |    length/value: 1
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_LIFE_TYPE
pluto[13156]: |    length/value: 1
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
pluto[13156]: |    length/value: 4
pluto[13156]: | *****parse ISAKMP Transform Payload (ISAKMP):
pluto[13156]: |    next payload type: ISAKMP_NEXT_NONE
pluto[13156]: |    length: 36
pluto[13156]: |    transform number: 5
pluto[13156]: |    transform ID: KEY_IKE
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
pluto[13156]: |    length/value: 5
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_HASH_ALGORITHM
pluto[13156]: |    length/value: 2
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_GROUP_DESCRIPTION
pluto[13156]: |    length/value: 2
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
pluto[13156]: |    length/value: 1
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_LIFE_TYPE
pluto[13156]: |    length/value: 1
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
pluto[13156]: |    length/value: 4
pluto[13156]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: responding to Main Mode from unknown peer 172.21.33.79
pluto[13156]: | ****parse IPsec DOI SIT:
pluto[13156]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
pluto[13156]: | ****parse ISAKMP Proposal Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_NONE
pluto[13156]: |    length: 200
pluto[13156]: |    proposal number: 1
pluto[13156]: |    protocol ID: PROTO_ISAKMP
pluto[13156]: |    SPI size: 0
pluto[13156]: |    number of transforms: 5
pluto[13156]: | *****parse ISAKMP Transform Payload (ISAKMP):
pluto[13156]: |    next payload type: ISAKMP_NEXT_T
pluto[13156]: |    length: 40
pluto[13156]: |    transform number: 1
pluto[13156]: |    transform ID: KEY_IKE
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
pluto[13156]: |    length/value: 7
pluto[13156]: |    [7 is OAKLEY_AES_CBC]
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_KEY_LENGTH
pluto[13156]: |    length/value: 256
pluto[13156]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: enckey:256
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_HASH_ALGORITHM
pluto[13156]: |    length/value: 2
pluto[13156]: |    [2 is OAKLEY_SHA]
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_GROUP_DESCRIPTION
pluto[13156]: |    length/value: 20
pluto[13156]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: only OAKLEY_GROUP_MODP768,1024,1536,2048,3072,4096,6144,8192 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
pluto[13156]: | *****parse ISAKMP Transform Payload (ISAKMP):
pluto[13156]: |    next payload type: ISAKMP_NEXT_T
pluto[13156]: |    length: 40
pluto[13156]: |    transform number: 2
pluto[13156]: |    transform ID: KEY_IKE
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
pluto[13156]: |    length/value: 7
pluto[13156]: |    [7 is OAKLEY_AES_CBC]
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_KEY_LENGTH
pluto[13156]: |    length/value: 128
pluto[13156]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: enckey:128
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_HASH_ALGORITHM
pluto[13156]: |    length/value: 2
pluto[13156]: |    [2 is OAKLEY_SHA]
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_GROUP_DESCRIPTION
pluto[13156]: |    length/value: 19
pluto[13156]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: only OAKLEY_GROUP_MODP768,1024,1536,2048,3072,4096,6144,8192 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
pluto[13156]: | *****parse ISAKMP Transform Payload (ISAKMP):
pluto[13156]: |    next payload type: ISAKMP_NEXT_T
pluto[13156]: |    length: 40
pluto[13156]: |    transform number: 3
pluto[13156]: |    transform ID: KEY_IKE
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
pluto[13156]: |    length/value: 7
pluto[13156]: |    [7 is OAKLEY_AES_CBC]
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_KEY_LENGTH
pluto[13156]: |    length/value: 256
pluto[13156]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: enckey:256
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_HASH_ALGORITHM
pluto[13156]: |    length/value: 2
pluto[13156]: |    [2 is OAKLEY_SHA]
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_GROUP_DESCRIPTION
pluto[13156]: |    length/value: 14
pluto[13156]: |    [14 is OAKLEY_GROUP_MODP2048]
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
pluto[13156]: |    length/value: 1
pluto[13156]: |    [1 is OAKLEY_PRESHARED_KEY]
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_LIFE_TYPE
pluto[13156]: |    length/value: 1
pluto[13156]: |    [1 is OAKLEY_LIFE_SECONDS]
pluto[13156]: | ******parse ISAKMP Oakley attribute:
pluto[13156]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
pluto[13156]: |    length/value: 4
pluto[13156]: |    long duration: 28800
pluto[13156]: | Oakley Transform 3 accepted
pluto[13156]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: transition from state (null) to state STATE_MAIN_R1
pluto[13156]: |
pluto[13156]: | *received 388 bytes from 172.21.33.79:500 on eth0
pluto[13156]: | **parse ISAKMP Message:
pluto[13156]: |    initiator cookie:
pluto[13156]: |   c1 b5 e9 73  75 61 93 46
pluto[13156]: |    responder cookie:
pluto[13156]: |   f4 91 b1 f7  4b b0 5c 11
pluto[13156]: |    next payload type: ISAKMP_NEXT_KE
pluto[13156]: |    ISAKMP version: ISAKMP Version 1.0
pluto[13156]: |    exchange type: ISAKMP_XCHG_IDPROT
pluto[13156]: |    flags: none
pluto[13156]: |    message ID:  00 00 00 00
pluto[13156]: |    length: 388
pluto[13156]: | The xchg type is ISAKMP_XCHG_IDPROT (2)
pluto[13156]: | ***parse ISAKMP Key Exchange Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_NONCE
pluto[13156]: |    length: 260
pluto[13156]: | ***parse ISAKMP Nonce Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_NAT-D
pluto[13156]: |    length: 52
pluto[13156]: | ***parse ISAKMP NAT-D Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_NAT-D
pluto[13156]: |    length: 24
pluto[13156]: | ***parse ISAKMP NAT-D Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_NONE
pluto[13156]: |    length: 24
pluto[13156]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
pluto[13156]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[13156]: |
pluto[13156]: | *received 76 bytes from 172.21.33.79:4500 on eth0
pluto[13156]: | **parse ISAKMP Message:
pluto[13156]: |    initiator cookie:
pluto[13156]: |   c1 b5 e9 73  75 61 93 46
pluto[13156]: |    responder cookie:
pluto[13156]: |   f4 91 b1 f7  4b b0 5c 11
pluto[13156]: |    next payload type: ISAKMP_NEXT_ID
pluto[13156]: |    ISAKMP version: ISAKMP Version 1.0
pluto[13156]: |    exchange type: ISAKMP_XCHG_IDPROT
pluto[13156]: |    flags: ISAKMP_FLAG_ENCRYPTION
pluto[13156]: |    message ID:  00 00 00 00
pluto[13156]: |    length: 76
pluto[13156]: | The xchg type is ISAKMP_XCHG_IDPROT (2)
pluto[13156]: | ***parse ISAKMP Identification Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_HASH
pluto[13156]: |    length: 12
pluto[13156]: |    ID type: ID_IPV4_ADDR
pluto[13156]: |    DOI specific A: 0
pluto[13156]: |    DOI specific B: 0
pluto[13156]: | ***parse ISAKMP Hash Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_NONE
pluto[13156]: |    length: 24
pluto[13156]: | removing 12 bytes of padding
pluto[13156]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.10.100'
pluto[13156]: "conn_pptp_ipsec"[2] 172.21.33.79 #1: deleting connection "conn_pptp_ipsec" instance with peer 172.21.33.79
pluto[13156]: "conn_pptp_ipsec"[2] 172.21.33.79 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[13156]: | NAT-T: new mapping 172.21.33.79:500/4500)
pluto[13156]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #1: sent MR3, ISAKMP SA established
pluto[13156]: |
pluto[13156]: | *received 220 bytes from 172.21.33.79:4500 on eth0
pluto[13156]: | **parse ISAKMP Message:
pluto[13156]: |    initiator cookie:
pluto[13156]: |   c1 b5 e9 73  75 61 93 46
pluto[13156]: |    responder cookie:
pluto[13156]: |   f4 91 b1 f7  4b b0 5c 11
pluto[13156]: |    next payload type: ISAKMP_NEXT_HASH
pluto[13156]: |    ISAKMP version: ISAKMP Version 1.0
pluto[13156]: |    exchange type: ISAKMP_XCHG_QUICK
pluto[13156]: |    flags: ISAKMP_FLAG_ENCRYPTION
pluto[13156]: |    message ID:  00 00 00 01
pluto[13156]: |    length: 220
pluto[13156]: | The xchg type is ISAKMP_XCHG_QUICK (32)
pluto[13156]: | ***parse ISAKMP Hash Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_SA
pluto[13156]: |    length: 24
pluto[13156]: | ***parse ISAKMP Security Association Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_NONCE
pluto[13156]: |    length: 64
pluto[13156]: |    DOI: ISAKMP_DOI_IPSEC
pluto[13156]: | ***parse ISAKMP Nonce Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_ID
pluto[13156]: |    length: 52
pluto[13156]: | ***parse ISAKMP Identification Payload (IPsec DOI):
pluto[13156]: |    next payload type: ISAKMP_NEXT_ID
pluto[13156]: |    length: 12
pluto[13156]: |    ID type: ID_IPV4_ADDR
pluto[13156]: |    Protocol ID: 17
pluto[13156]: |    port: 1701
pluto[13156]: | ***parse ISAKMP Identification Payload (IPsec DOI):
pluto[13156]: |    next payload type: ISAKMP_NEXT_NAT-OA
pluto[13156]: |    length: 12
pluto[13156]: |    ID type: ID_IPV4_ADDR
pluto[13156]: |    Protocol ID: 17
pluto[13156]: |    port: 1701
pluto[13156]: | ***parse ISAKMP NAT-OA Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_NAT-OA
pluto[13156]: |    length: 12
pluto[13156]: |    ID type: ID_IPV4_ADDR
pluto[13156]: | ***parse ISAKMP NAT-OA Payload:
pluto[13156]: |    next payload type: ISAKMP_NEXT_NONE
pluto[13156]: |    length: 12
pluto[13156]: |    ID type: ID_IPV4_ADDR
pluto[13156]: | removing 4 bytes of padding
pluto[13156]: | peer client is 192.168.10.100/32
pluto[13156]: | peer client protocol/port is 17/1701
pluto[13156]: | our client is 172.21.33.8/32
pluto[13156]: | our client protocol/port is 17/1701
pluto[13156]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #1: cannot respond to IPsec SA request because no connection is known for 172.21.33.8:4500:17/1701...172.21.33.79:4500[192.168.10.100]:17/1701===192.168.10.100/32
pluto[13156]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.21.33.79:4500
pluto[13156]: |
pluto[13156]: | *received 220 bytes from 172.21.33.79:4500 on eth0
pluto[13156]: | **parse ISAKMP Message:
pluto[13156]: |    initiator cookie:
pluto[13156]: |   c1 b5 e9 73  75 61 93 46
pluto[13156]: |    responder cookie:
pluto[13156]: |   f4 91 b1 f7  4b b0 5c 11
pluto[13156]: |    next payload type: ISAKMP_NEXT_HASH
pluto[13156]: |    ISAKMP version: ISAKMP Version 1.0
pluto[13156]: |    exchange type: ISAKMP_XCHG_QUICK
pluto[13156]: |    flags: ISAKMP_FLAG_ENCRYPTION
pluto[13156]: |    message ID:  00 00 00 01
pluto[13156]: |    length: 220
pluto[13156]: | The xchg type is ISAKMP_XCHG_QUICK (32)
pluto[13156]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
pluto[13156]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 172.21.33.79:4500

trace code到了這裡 ipsec_doi.c

quick_inI1_outR1(struct msg_digest *md) ---> 
     quick_inI1_outR1_tail --->
          find_client_connection

static stf_status
quick_inI1_outR1_tail(struct msg_digest *md
, struct p2id *my, struct p2id *his
, unsigned int new_iv_len
, const u_char new_iv[MAX_DIGEST_LEN])
{
    struct state *const p1st = md->st;
    struct connection *c = p1st->st_connection;
    struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
    ip_subnet *our_net = &my->net
        , *his_net = &his->net;

    u_char      /* set by START_HASH_PAYLOAD: */
        *r_hashval,     /* where in reply to jam hash value */
        *r_hash_start;  /* from where to start hashing */

    /* Now that we have identities of client subnets, we must look for
     * a suitable connection (our current one only matches for hosts).
     */
    {
        struct connection *p = find_client_connection(c
            , our_net, his_net, my->proto, my->port, his->proto, his->port);

        if (p == NULL) //win 7 會等於null，xp不會…



看來是在這裡有問題: connections.c

struct connection *
find_client_connection(struct connection *c
, const ip_subnet *our_net, const ip_subnet *peer_net
, const u_int8_t our_protocol, const u_int16_t our_port
, const u_int8_t peer_protocol, const u_int16_t peer_port)
{

....

        if (samesubnet(&c->this.client, our_net)
        && samesubnet(&c->that.client, peer_net) //win7會fail
        && (c->this.protocol == our_protocol)
        && (!c->this.port || (c->this.port == our_port))
        && (c->that.protocol == peer_protocol)
    && (!c->that.port || (c->that.port == peer_port)))
        {
            passert(oriented(*c));
            if (routed(c->routing))
                return c;

            unrouted = c;//在nat-d下xp會找到connection，xp的QI1的id是fqdn，win7是ipv4…所以找不到connection
        }

        /* exact match? */
        d = fc_try(FALSE, c, c->host_pair, NULL, our_net, peer_net
            , our_protocol, our_port, peer_protocol, peer_port);

-----------------------------
再試一下xp和win7的nat-d

// WIN7 NAT-D
pluto[8303]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: enckey:256
pluto[8303]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: transition from state (null) to state STATE_MAIN_R1
pluto[8303]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
pluto[8303]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[8303]: "conn_pptp_ipsec"[1] 172.21.33.79 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.10.100'
pluto[8303]: "conn_pptp_ipsec"[2] 172.21.33.79 #1: deleting connection "conn_pptp_ipsec" instance with peer 172.21.33.79
pluto[8303]: "conn_pptp_ipsec"[2] 172.21.33.79 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[8303]: | NAT-T: new mapping 172.21.33.79:500/4500)
pluto[8303]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #1: sent MR3, ISAKMP SA established
pluto[8303]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #1: find_client_connection:2431\012
pluto[8303]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #1: that client:172.21.33.79/32\012
pluto[8303]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #1: peer net:192.168.10.100/32\012
pluto[8303]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #1: find_client_connection,2447\012
pluto[8303]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #1: find_client_connection:2481: d:unroute\012
pluto[8303]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #1: find_client_connection:2485\012
pluto[8303]: "conn_pptp_ipsec"[2] 172.21.33.79:4500 #1: find_client_connection:2517: d:unroute\012

//XP NAT-D
pluto[8303]: "conn_pptp_ipsec"[3] 172.21.33.79 #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
pluto[8303]: "conn_pptp_ipsec"[3] 172.21.33.79 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[8303]: "conn_pptp_ipsec"[3] 172.21.33.79 #2: Main mode peer ID is ID_FQDN: '@cameo-80e9e70cd'
pluto[8303]: "conn_pptp_ipsec"[4] 172.21.33.79 #2: deleting connection "conn_pptp_ipsec" instance with peer 172.21.33.79
pluto[8303]: "conn_pptp_ipsec"[4] 172.21.33.79 #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[8303]: | NAT-T: new mapping 172.21.33.79:500/4500)
pluto[8303]: "conn_pptp_ipsec"[4] 172.21.33.79:4500 #2: sent MR3, ISAKMP SA established
pluto[8303]: "conn_pptp_ipsec"[4] 172.21.33.79:4500 #2: find_client_connection:2431\012
pluto[8303]: "conn_pptp_ipsec"[4] 172.21.33.79:4500 #2: that client:172.21.33.79/32\012
pluto[8303]: "conn_pptp_ipsec"[4] 172.21.33.79:4500 #2: peer net:172.21.33.79/32\012


看來真的是xp和win7的id_doi的問題…但還不能下定論…
而以下的文章應該和我猜的沒錯…
重點是說…vista基於nat-d 的security考量，而沒有辦法和openswan的nat-d連線

http://www.jacco2.dds.nl/networking/vista-openswan.html



7.1.1 Issue with Windows Vista and server-side NAT
Windows Vista has the same issue as Windows XP with ServicePack 2. This issue was discovered by George Ou.  Vista does not support establishing IPsec connections to servers behind NAT. Apparently Microsoft considers this a security risk because of an (uncommon) scenario which is described here. Microsoft even says that a VPN server behind NAT is "not recommended" (see also KB Q885348), although the NAT-T RFC describes it as a normal setup that should be supported. The problem occurs with both Windows Server 2003 and Openswan, so it is an issue in Vista, not Openswan.


7.1.2 PSK and NAT-T in Vista
In most (production) cases you will want to use certificate authentication instead of a Preshared Key (PSK). Certificates provide better security and work better when NAT is involved. However, in some cases you may be forced to use a PSK.
Windows Vista is very similar to the L2TP/IPsec client included with Windows XP/2003, but there is an additional requirement when a PSK is used and NAT is involved. You have to add this line to your L2TP-PSK section:
  rightsubnet=vhost:%no,%priv
Windows XP/2003 support PSKs and NAT-T but they are based on draft-02 of the NAT-T standard ("draft-ietf-ipsec-nat-t-ike-02"). Vista also supports this draft-02 but when connecting to recent versions of Openswan it prefers RFC 3947 over draft-02. Apparently these implementations use different identifiers when NAT is involved: when a Windows XP/2003 client connects, Openswan reports the following:
  Main mode peer ID is ID_FQDN: '@blabla.example.com' 
But when a Vista client connects (or probably any other RFC 3947 compliant client), the following is reported:
  Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
(Where x.x.x.x is the IP address that the client has on the NATed network).

這是ms的說法…但我沒去看…呼~~~希望我不用fix這個bug
http://technet.microsoft.com/zh-tw/library/bb878119(en-us).aspx#ECAA


我再回頭看M1的vendor ID好像是真的沒錯…

: packet from 172.21.33.79:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
: packet from 172.21.33.79:500: ignoring Vendor ID payload [FRAGMENTATION]
: packet from 172.21.33.79:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
: packet from 172.21.33.79:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]

: packet from 172.21.33.79:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
: packet from 172.21.33.79:500: received Vendor ID payload [RFC 3947]
: packet from 172.21.33.79:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
: packet from 172.21.33.79:500: ignoring Vendor ID payload [FRAGMENTATION]
: packet from 172.21.33.79:500: ignoring Vendor ID payload [fb1de3cdf341b7ea16b7e5be0855f120]
: packet from 172.21.33.79:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
: packet from 172.21.33.79:500: ignoring Vendor ID payload [e3a5966a76379fe707228231e5ce8652]

RNDIS

RNDIS definition:http://www.microsoft.com/whdc/device/network/ndis/rmndis.mspx

network devices on dynamic Plug and Play I/O buses such as USB
It includes two components:
      1. a bus-independent message set
      2. a description of how this message set is conveyed across a specific I/O bus on which it is supported.


RNDIS MINIPORT in Linux: http://lwn.net/Articles/11101/

這三個module是usb net device的重要device
cdc_ether.c  rndis_host.c  usbnet.c
cdc是指USB communications device class (or USB CDC)
http://en.wikipedia.org/wiki/USB_communications_device_class


linux-usb
http://www.linux-usb.org/usbnet/

gdb commands

list:
        #list symbols
        (gdb)list


debug multi-process:
        http://www.ibm.com/developerworks/cn/linux/l-cn-gdbmp/index.html
        set follow-fork-mode
        show follow-fork-mode
        http://www.delorie.com/gnu/docs/gdb/gdb_26.html
        set detach-on-fork [on|off]
where

print
        file::variable
        function::variable
        #print x in file f2.c
        (gdb) p 'f2.c'::x

802.1X raidus + EAP(TLS)

RADIUS protocol http://www.untruth.org/~josh/security/radius/radius-auth.html

802.1X in linux http://tldp.org/HOWTO/html_single/8021X-HOWTO/

PPP EAP TLS Authentication Protocol: http://www.ietf.org/rfc/rfc2716.txt

RADIUS (Remote Authentication Dial In User Service)
Support For Extensible Authentication Protocol (EAP)

http://www.ietf.org/rfc/rfc3579.txt

----------------------------------------------------------------------------------

Authenticating Peer     Authenticator
   -------------------     -------------
                           <- PPP LCP Request-EAP
                           auth
   PPP LCP ACK-EAP
   auth ->
                           <- PPP EAP-Request/
                           Identity
   PPP EAP-Response/
   Identity (MyID) ->
                           <- PPP EAP-Request/
                           EAP-Type=EAP-TLS
                           (TLS Start)
   PPP EAP-Response/
   EAP-Type=EAP-TLS
   (TLS client_hello)->
                           <- PPP EAP-Request/
                           EAP-Type=EAP-TLS
                           (TLS server_hello,
                            TLS certificate,
                    [TLS server_key_exchange,]
                    [TLS certificate_request,]
                        TLS server_hello_done)
   PPP EAP-Response/
   EAP-Type=EAP-TLS
   (TLS certificate,
    TLS client_key_exchange,
   [TLS certificate_verify,]
    TLS change_cipher_spec,
    TLS finished) ->
                           <- PPP EAP-Request/
                           EAP-Type=EAP-TLS
                           (TLS change_cipher_spec,
                            TLS finished)
   PPP EAP-Response/
   EAP-Type=EAP-TLS ->
                           <- PPP EAP-Success
   PPP Authentication
   Phase complete,
   NCP Phase starts

----------------

FreeRadius + EAP with 802.1X wireless WPA.

[peter@localhost certs]$ pwd
/pub/rootfs/etc/raddb/certs
[peter@localhost certs]$ ls
01.pem      ca.key      index.txt       random      server.cnf  server.p12
bootstrap*  ca.pem      index.txt.attr  README      server.crt  server.pem
ca.cnf      client.cnf  index.txt.old   serial      server.csr  xpextensions
ca.der      dh          Makefile        serial.old  server.key

1. install ca.pem and server.pem to windows.(rename as *.cer in windows).
    for more info of x509, see README for HOWTO EAP...
2. load ca.pem and server.pem. into windows.
3. start freeradius by #radius -X

freeradius是由radius 支援 各種module(包含eap)

[peter@localhost main]$ ls ../modules/
lib/               rlm_copy_packet/      rlm_exec/        rlm_logintime/      rlm_protocol_filter/  rlm_sql_log/
Makefile           rlm_counter/          rlm_expiration/  rlm_mschap/         rlm_python/           rlm_unix/
rlm_acctlog/       rlm_cram/             rlm_expr/        rlm_opendirectory/  rlm_radutmp/          rlm_wimax/
rlm_acct_unique/   rlm_dbm/              rlm_fastusers/   rlm_otp/            rlm_realm/            rules.mak
rlm_always/        rlm_detail/           rlm_files/       rlm_pam/            rlm_sim_files/        stable
rlm_attr_filter/   rlm_digest/           rlm_ippool/      rlm_pap/            rlm_smb/
rlm_attr_rewrite/  rlm_dynamic_clients/  rlm_jradius/     rlm_passwd/         rlm_sql/
rlm_caching/       rlm_eap/              rlm_krb5/        rlm_perl/           rlm_sqlcounter/
rlm_chap/          rlm_eap2/             rlm_ldap/        rlm_policy/         rlm_sqlhpwippool/
rlm_checkval/      rlm_example/          rlm_linelog/     rlm_preprocess/     rlm_sqlippool/


其中我要try的是eap+tls，也就是wifi的wpa enterprise
而eap也只是個protocol的frame，tls就是包在eap。


trace code:
freeradus是以module來plugin各種module。(eap也是個module)
例如: freeradius-server-2.1.1/src/modules/rlm_example/rlm_example.c


    218 module_t rlm_example = {
    219         RLM_MODULE_INIT,
    220         "example",
    221         RLM_TYPE_THREAD_SAFE,           /* type */
    222         example_instantiate,            /* instantiation */
    223         example_detach,                 /* detach */
    224         {
    225                 example_authenticate,   /* authentication */
    226                 example_authorize,      /* authorization */
    227                 example_preacct,        /* preaccounting */
    228                 example_accounting,     /* accounting */
    229                 example_checksimul,     /* checksimul */
    230                 NULL,                   /* pre-proxy */
    231                 NULL,                   /* post-proxy */
    232                 NULL                    /* post-auth */
    233         },
    234 };

整個架構是以一個status machine來design，所以trace起來還滿吃力的…


modules/rlm_eap/eap.c                  #EAP module from RADIUS.
modules/rlm_eap/rlm_eap.c          #

EAP module from RADIUS, loadable module.

modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c     #TLS module plug by EAP module.
modules/rlm_eap/libeap/eap_tls.c   #library TLS for TLS, TTLS, PEAP ...


討厭的是，TLS module for EAP也只是frame，它完全只是由openssl來implementation。
所以radius的eap+tls要由openssl的support.


先了解openssl的架構，openssl library是由ssl protocol和cipher組成
而SSL_xxx是protocol的部分，它包含了BIO_xxx，BIO_xxx是用來hook protocol的I/O stream。
BIO_read/BIO_write是我tracecode的重點。


我在

modules/rlm_eap/libeap/tls.c找到了

BIO_read在 

int tls_handshake_recv(tls_session_t *ssn)和

       int tls_handshake_send(tls_session_t *ssn)

BIO_write 在int tls_handshake_recv(tls_session_t *ssn)和
  [

modules/rlm_eap/libeap/eap_tls.c ] eaptls_status_t eaptls_process(EAP_HANDLER *handler)

再來要看這些functions是如何cowork的