I am trying to get connections working from Windows Mobile 5 clients and
XP clients on laptops (with ability to use NAT if required) to a server
running ipsec-tools. I am using openl2tp to provide the L2TP part of the
The issue is that XP works fine but that WM5 clients fail with a problem
in the phase2 negotiation. I have attached a log with -ddd debugging on,
and if you look between lines 776-817, that's where the problem seems to
happen, e.g. "notification message 18:INVALID-ID-INFORMATION, doi=1
proto_id=3 spi=00000000(size=4)" at line 812.
I am using the same X509 cert (converted to pkcs12 and imported) on both
machines from the same network.
Whether this is a bug in IPsec on WM5 clients or something that racoon
does not yet deal with, I'm not sure. From Jacco's notes on OpenSWAN
(although he was using a WM5 emulator, it was still behind NAT) I believe
he got it working.
The reason for using racoon rather than OpenSWAN is that with the
appropriate patches, ipsec-tools and openl2tpd are able to solve a
significant problem - that of having multiple clients behind the same
(or same configuration/hardware) NAT device. This is obviously of
importance if we wish to deploy this functionality to a large number of
roaming WM devices.
I can also provide a packet capture of the session if required.
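As an added example (not part of the original post or of ipsec-tools), here is a small triage script for racoon debug output of the kind quoted above. It pulls out every "notification message N:NAME, doi=.. proto_id=.. spi=..(size=..)" line, decodes the notify type against the RFC 2408 error-type table and the proto_id against the IPsec DOI protocol table (RFC 2407), and flags an all-zero SPI, so the WM5 and XP logs can be diffed on these fields without reading 800 lines by hand. The log lines embedded below are constructed to match the format in the post; only that notification line format is parsed, the log prefix is ignored.

```python
import re
from typing import Dict, List, Optional, Tuple

# ISAKMP error notify message types (RFC 2408, section 3.14.1).
NOTIFY_TYPES: Dict[int, str] = {
    1: "INVALID-PAYLOAD-TYPE",
    2: "DOI-NOT-SUPPORTED",
    3: "SITUATION-NOT-SUPPORTED",
    4: "INVALID-COOKIE",
    5: "INVALID-MAJOR-VERSION",
    6: "INVALID-MINOR-VERSION",
    7: "INVALID-EXCHANGE-TYPE",
    8: "INVALID-FLAGS",
    9: "INVALID-MESSAGE-ID",
    10: "INVALID-PROTOCOL-ID",
    11: "INVALID-SPI",
    12: "INVALID-TRANSFORM-ID",
    13: "ATTRIBUTES-NOT-SUPPORTED",
    14: "NO-PROPOSAL-CHOSEN",
    15: "BAD-PROPOSAL-SYNTAX",
    16: "PAYLOAD-MALFORMED",
    17: "INVALID-KEY-INFORMATION",
    18: "INVALID-ID-INFORMATION",
    19: "INVALID-CERT-ENCODING",
    20: "INVALID-CERTIFICATE",
    21: "CERT-TYPE-UNSUPPORTED",
    22: "INVALID-CERT-AUTHORITY",
    23: "INVALID-HASH-INFORMATION",
    24: "AUTHENTICATION-FAILED",
    25: "INVALID-SIGNATURE",
    26: "ADDRESS-NOTIFICATION",
    27: "NOTIFY-SA-LIFETIME",
    28: "CERTIFICATE-UNAVAILABLE",
    29: "UNSUPPORTED-EXCHANGE-TYPE",
    30: "UNEQUAL-PAYLOAD-LENGTHS",
}

# IPsec DOI protocol identifiers (RFC 2407, section 4.4.1).
PROTO_IDS: Dict[int, str] = {
    1: "PROTO_ISAKMP",
    2: "PROTO_IPSEC_AH",
    3: "PROTO_IPSEC_ESP",
    4: "PROTO_IPCOMP",
}

# Matches the notification line format quoted in the post; anything
# before "notification message" (timestamp, level) is ignored.
NOTIFY_RE = re.compile(
    r"notification message (?P<num>\d+):(?P<name>[A-Z0-9-]+),\s*"
    r"doi=(?P<doi>\d+)\s+proto_id=(?P<proto>\d+)\s+"
    r"spi=(?P<spi>[0-9a-fA-F]+)\(size=(?P<size>\d+)\)"
)


def parse_notify(line: str) -> Optional[Dict[str, object]]:
    """Decode one racoon notification log line, or return None."""
    m = NOTIFY_RE.search(line)
    if m is None:
        return None
    num = int(m.group("num"))
    proto = int(m.group("proto"))
    spi = m.group("spi")
    return {
        "type": num,
        "name": m.group("name"),
        # Sanity check: the name racoon printed agrees with the RFC table.
        "name_matches_rfc": NOTIFY_TYPES.get(num) == m.group("name"),
        "doi": int(m.group("doi")),
        "proto_id": proto,
        "proto_name": PROTO_IDS.get(proto, "unknown"),
        "spi": spi,
        "spi_size": int(m.group("size")),
        # A zero SPI means the notify does not reference an established SA.
        "spi_is_zero": int(spi, 16) == 0,
    }


def scan_log(lines: List[str]) -> List[Tuple[int, Dict[str, object]]]:
    """Return (1-based line number, decoded notify) for every hit."""
    hits: List[Tuple[int, Dict[str, object]]] = []
    for lineno, line in enumerate(lines, start=1):
        parsed = parse_notify(line)
        if parsed is not None:
            hits.append((lineno, parsed))
    return hits


# Constructed sample, shaped like -ddd output; not a real capture.
SAMPLE_LOG = [
    "2006-03-01 10:00:00: DEBUG: begin.",
    "2006-03-01 10:00:00: DEBUG: seen nptype=5(id)",
    "2006-03-01 10:00:00: ERROR: notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4)",
    "2006-03-01 10:00:00: DEBUG: end.",
]

if __name__ == "__main__":
    for lineno, n in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: notify {n['type']} {n['name']} "
              f"proto={n['proto_name']} spi={n['spi']} zero={n['spi_is_zero']}")
```

Run it against the WM5 log and the XP log separately (`scan_log(open(path).read().splitlines())`); if the XP session produces no notify lines and the WM5 session produces INVALID-ID-INFORMATION with proto_id=3 (ESP) and a zero SPI, the disagreement is in the quick-mode identity payloads rather than in an existing SA, which narrows where to look in the capture.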