Sziasztok!

Megcsináltam a freeswan+l2tp konfigurációt windows és linux között. Az
asztalomon szépen működött is, de ahogyan berakom a klienst egy NAT-os
GW mögé, rögtön elkezd szarakodni.

A konfiguráció:
Szerver: linux2.4.27, super-freeswan-1.99.8, l2tpd, pppd, ...
külső kártya: 192.168.111.2
belső kártya: 192.168.110.1 (habár ez csak az l2tpd-hez kellett)
NAT-gw: 192.168.111.252 (külsö) és 192.168.112.1 (belső)
Kliens: 192.168.112.2, WinXP SP1

sfreeswan hibaüzenet:
Nov 21 19:55:32 tomi pluto[2679]: packet from 192.168.111.252:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Nov 21 19:55:32 tomi pluto[2679]: "test"[7] 192.168.111.252 #7:
responding to Main Mode from unknown peer 192.168.111.252
Nov 21 19:55:32 tomi pluto[2679]: "test"[7] 192.168.111.252 #7: Main
mode peer ID is ID_IPV4_ADDR: '192.168.112.2'
Nov 21 19:55:32 tomi pluto[2679]: "test"[7] 192.168.111.252 #7: no
suitable connection for peer '192.168.112.2'
Nov 21 19:55:32 tomi pluto[2679]: "test"[7] 192.168.111.252 #7: sending
notification INVALID_ID_INFORMATION to 192.168.111.252:500
Nov 21 19:55:33 tomi pluto[2679]: "test"[7] 192.168.111.252 #7: Main
mode peer ID is ID_IPV4_ADDR: '192.168.112.2'
Nov 21 19:55:33 tomi pluto[2679]: "test"[7] 192.168.111.252 #7: no
suitable connection for peer '192.168.112.2'
Nov 21 19:55:33 tomi pluto[2679]: "test"[7] 192.168.111.252 #7: sending
notification INVALID_ID_INFORMATION to 192.168.111.252:500
Nov 21 19:55:35 tomi pluto[2679]: "test"[7] 192.168.111.252 #7: Main
mode peer ID is ID_IPV4_ADDR: '192.168.112.2'
Nov 21 19:55:35 tomi pluto[2679]: "test"[7] 192.168.111.252 #7: no
suitable connection for peer '192.168.112.2'
Nov 21 19:55:35 tomi pluto[2679]: "test"[7] 192.168.111.252 #7: sending
notification INVALID_ID_INFORMATION to 192.168.111.252:500
Nov 21 19:56:12 tomi pluto[2679]: "test"[7] 192.168.111.252 #7:
encrypted Informational Exchange message is invalid because it is for
incomplete ISAKMP SA
Nov 21 19:56:42 tomi pluto[2679]: "test"[7] 192.168.111.252 #7: max
number of retransmissions (2) reached STATE_MAIN_R2
Nov 21 19:56:42 tomi pluto[2679]: "test"[7] 192.168.111.252: deleting
connection "test" instance with peer 192.168.111.252

ipsec.conf:
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes

conn %default
keyingtries=0
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%dnsondemand
rightrsasigkey=%dnsondemand

conn test
authby=secret
pfs=no
left=192.168.111.2
leftprotoport=17/0
right=%any
rightprotoport=17/1701
auto=start
keyingtries=3

tomi:~# ipsec whack --status
000 interface ipsec0/eth0 192.168.111.2
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
keysizemin=168, keysizemax=168
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=6, name=OAKLEY_CAST_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "test"[8]: 192.168.111.2:17/0...192.168.111.252:17/1701
000 "test"[8]: CAs: '%any'...'%any'
000 "test"[8]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtri
000 "test"[8]: policy: PSK+ENCRYPT+TUNNEL; interface: eth0; unrouted
000 "test"[8]: newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "test"[8]: IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2,
5_000-2-2, 5_000-1-1, 5_000- s=-strict
000 "test"[8]: IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5,
5_192-1_128-2, 5_192-2_160-2, 5 8-1, 5_192-2_160-1,
000 "test"[8]: ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "test"[8]: ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "test": 192.168.111.2:17/0...%any:17/1701
000 "test": CAs: '%any'...'%any'
000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries:
000 "test": policy: PSK+ENCRYPT+TUNNEL; interface: eth0; unrouted
000 "test": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "test": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2,
5_000-2-2, 5_000-1-1, 5_000-2-1 strict
000 "test": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5,
5_192-1_128-2, 5_192-2_160-2, 5_19 , 5_192-2_160-1,
000 "test": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "test": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000
000 #8: "test"[8] 192.168.111.252 STATE_MAIN_R2 (sent MR2, expecting
MI3); EVENT_RETRANSMIT in 8s
000

És itt megáll. Nem jut tovább rajta.
Ha valaki már csinált ilyet vagy más VPN-t windowsos kliensekkel, akkor
kérem, hogy segítsen.