I'm suspicious of those INVALID_ID_INFORMATION responses. I don't know IPSec well enough to diagnose this, but I'd be looking at the logs on the other side as well as this one. It superficially looks to me like this client sent a certificate but that the other side didn't like it. I don't expect the response message to be an "informational payload" to be "ignored," but ... I do know that the IPSec stack (Raccoon and all its other rabid furry-friends) is an infernal state-machine from hell.
Also noticed on the web: I see references to people asking for a state-diagram of the IPSec connection negotiations, but I never yet found that anyone found one.
Anyway: IPSec is evil ook. OpenVPN is not.