From Rainer.Blaes at astrium.eads.net Tue Feb 1 04:09:15 2011
From: Rainer.Blaes at astrium.eads.net (Rainer Blaes)
Date: Tue, 01 Feb 2011 11:09:15 +0100
Subject: [vpn-help] SHREW Dial Up Client and SSG 350 with certificates
In-Reply-To: <8B42594C7750CD45BE1933C04AD2B6B13B21EA077A@w2008-server>
References: <8B42594C7750CD45BE1933C04AD2B6B13B21EA077A@w2008-server>
Message-ID: <4D47DBCB.3070504@astrium.eads.net>

Clemens wrote:
> That looks like the Client is terminating the connection:
> ## 2011-01-28 14:28:03 : IKE<192.168.11.3 > Recv*: [HASH] [DELETE]
> ## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [DELETE]:
> ## 2011-01-28 14:28:03 : IKE<192.168.11.3> DELETE payload received,
> deleting Phase-1 SA
> Something seems to be missing in the Xauth or Phase 2 settings.
> To see what is happening you will need to use the Shrew Trace utility
> (see the corresponding Wiki of ShrewSoft). That should give you (us) a hint.

Partial success. We had used the wrong CA root cert, and now it seems that at least Phase 1 is established. SHREW reports "bringing up tunnel/remote device configured/tunnel enabled", but Juniper's "get sa" does not show an active tunnel. In particular, the 'no policy found' lines in the ipsec.log puzzle us. What does this mean?

Thanks for any hint!
Rainer

This email (including any attachments) may contain confidential and/or privileged information or information otherwise protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this message and any attachments from your system. Astrium disclaims any and all liability if this email transmission was virus corrupted, altered or falsified.
---------------------------------------------------------
Astrium GmbH
Chairman of the Supervisory Board: Thomas Mueller - Management Board: Evert Dudok (Chairman), Dr. Johannes von Thadden, Josef Stukenborg
Registered office: Muenchen - Register court: Amtsgericht Muenchen, HRB No. 107 647
VAT reg. no. DE167015356
More information about EADS Astrium @ http://www.astrium.eads.net/


From Rainer.Blaes at astrium.eads.net Tue Feb 1 05:40:06 2011
From: Rainer.Blaes at astrium.eads.net (Rainer Blaes)
Date: Tue, 01 Feb 2011 12:40:06 +0100
Subject: [vpn-help] SHREW Dial Up Client and SSG 350 with certificates
In-Reply-To: <8B42594C7750CD45BE1933C04AD2B6B13B21EA077A@w2008-server>
References: <8B42594C7750CD45BE1933C04AD2B6B13B21EA077A@w2008-server>
Message-ID: <4D47F116.6060407@astrium.eads.net>

Sorry, I had forgotten to show you the client configuration (192.168.11.1.vpn, attached).

So long,
Rainer


From Rainer.Blaes at astrium.eads.net Tue Feb 1 03:52:30 2011
From: Rainer.Blaes at astrium.eads.net (Rainer Blaes)
Date: Tue, 01 Feb 2011 10:52:30 +0100
Subject: [vpn-help] SHREW Dial Up Client and SSG 350 with certificates
In-Reply-To: <8B42594C7750CD45BE1933C04AD2B6B13B21EA077A@w2008-server>
References: <8B42594C7750CD45BE1933C04AD2B6B13B21EA077A@w2008-server>
Message-ID: <4D47D7DE.8030603@astrium.eads.net>

Clemens wrote:
> That looks like the Client is terminating the connection:
> ## 2011-01-28 14:28:03 : IKE<192.168.11.3 > Recv*: [HASH] [DELETE]
> ## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [DELETE]:
> ## 2011-01-28 14:28:03 : IKE<192.168.11.3> DELETE payload received,
> deleting Phase-1 SA
> Something seems to be missing in the Xauth or Phase 2 settings.
> To see what is happening you will need to use the Shrew Trace utility
> (see the corresponding Wiki of ShrewSoft). That should give you (us) a hint.

Partial success. We had used the wrong CA root cert, and now it seems that at least Phase 1 is established. SHREW reports "bringing up tunnel/remote device configured/tunnel enabled", but Juniper's "get sa" does not show an active tunnel. In particular, the 'no policy found' lines in the ipsec.log puzzle us. What does this mean?

Thanks for any hint!
Rainer


From uracs.tamas at peetandcook.hu Tue Feb 1 09:51:59 2011
From: uracs.tamas at peetandcook.hu (Uracs Tamás)
Date: Tue, 1 Feb 2011 15:51:59 +0000
Subject: [vpn-help] please help with SRX220

Hi Matthew,

Could you please help me a little bit? I am stuck creating a Dialup VPN with an SRX220 cluster. Phase 1 and 2 go fine, and after a few successful SA key changes the connection is broken. It seems that our Shrew client tries to reauthenticate the already logged-in user and loses the SA after that. See the log from the SRX220 below. Do you have any thoughts about this?
Thank you and best,
Tamas Uracs

1.1.1.1: Shrew 2.1.7
2.2.2.2: SRX 220 cluster

Feb 1 15:29:53 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb 1 15:29:53 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f0f7631, remote = 1.1.1.1:2726
Feb 1 15:29:53 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:29:56 ike_retransmit_callback: Start, retransmit SA = { e745b337 b7895475 - 8ede6b29 1a2b4c81}, nego = 2
Feb 1 15:29:56 ike_retransmit_callback: Isakmp SA has been marked as deleted
Feb 1 15:29:56 2.2.2.2:0 (Initiator) <-> 1.1.1.1:2726 { e745b337 b7895475 - 8ede6b29 1a2b4c81 [2] / 0x3b22e311 } CFG; Error = Timeout (8197)
Feb 1 15:29:56 ike_send_notify: Private notification, do not send notification
Feb 1 15:29:56 ike_delete_negotiation: Start, SA = { e745b337 b7895475 - 8ede6b29 1a2b4c81}, nego = 2
Feb 1 15:29:56 ike_free_negotiation_cfg: Start, nego = 2
Feb 1 15:29:56 ike_free_negotiation: Start, nego = 2
Feb 1 15:30:04 ike_state_restart_packet: Start, restart packet SA = { 1b1eb4a5 3c38975e - cff216d1 79bfcefb}, nego = 1
Feb 1 15:30:04 ike_st_o_qm_done: Quick Mode negotiation done
Feb 1 15:30:04 ike_send_notify: Connected, SA = { 1b1eb4a5 3c38975e - cff216d1 79bfcefb}, nego = 1
Feb 1 15:30:04 ike_delete_negotiation: Start, SA = { 1b1eb4a5 3c38975e - cff216d1 79bfcefb}, nego = 1
Feb 1 15:30:04 ike_free_negotiation_qm: Start, nego = 1
Feb 1 15:30:04 ike_free_negotiation: Start, nego = 1
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:08 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f30985a, remote = 1.1.1.1:2726
Feb 1 15:30:08 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb 1 15:30:08 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f30985a, remote = 1.1.1.1:2726
Feb 1 15:30:08 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:30:12 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / a6525a3e, remote = 1.1.1.1:2726
Feb 1 15:30:12 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb 1 15:30:12 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / a6525a3e, remote = 1.1.1.1:2726
Feb 1 15:30:12 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:30:15 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 622d9826, remote = 1.1.1.1:2726
Feb 1 15:30:15 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb 1 15:30:15 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 622d9826, remote = 1.1.1.1:2726
Feb 1 15:30:15 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:30:16 ike_state_restart_packet: Start, restart packet SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152}, nego = 0
Feb 1 15:30:16 ike_st_o_cfg_done: CFG negotiation done
Feb 1 15:30:16 ike_send_notify: Connected, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152}, nego = 0
Feb 1 15:30:16 ike_delete_negotiation: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152}, nego = 0
Feb 1 15:30:16 ike_free_negotiation_cfg: Start, nego = 0
Feb 1 15:30:16 ike_free_negotiation: Start, nego = 0
Feb 1 15:30:17 Deleted (spi=894670796, protocol=ESP dst=2.2.2.2) entry from the peer hash table
Feb 1 15:30:17 Deleted (spi=894670796, protocol=ESP dst=2.2.2.2) entry from the dynamic sa spi hash table
Feb 1 15:30:17 jnp_ike_connect_delete: Start, remote_name = 1.1.1.1:2726, flags = 00010000
Feb 1 15:30:17 jnp_ike_create_delete_internal: Start, remote_name = 1.1.1.1:2726, flags = 00010000
Feb 1 15:30:17 jnp_ike_create_delete_internal: No isakmp sa found and connect flags require it
Feb 1 15:30:17 Not route based VPN. Not deleting NHTB entry
Feb 1 15:30:17 In iked_ipsec_sa_pair_delete Deleting GENCFG msg with key; Tunnel = 133955647;SPI-In = 894670796
Feb 1 15:30:17 Deleted SA pair for tunnel = 133955647 with SPI-In = 894670796 to kernel


From Rainer.Blaes at astrium.eads.net Wed Feb 2 06:56:05 2011
From: Rainer.Blaes at astrium.eads.net (Rainer Blaes)
Date: Wed, 02 Feb 2011 13:56:05 +0100
Subject: [vpn-help] SHREW Dial Up Client and SSG 350 with certificates
In-Reply-To: <4D47F116.6060407@astrium.eads.net>
References: <4D47F116.6060407@astrium.eads.net>
Message-ID: <4D495465.50401@astrium.eads.net>

I got it!!!!! After analyzing the SHREW Client's Phase 2 values I changed the proposal not to use PFS (nopfs), and now everything is working just fine!

So long,
Rainer
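An added example, not part of the thread and not Shrew Soft or Juniper code, modelling the phase-2 proposal match that the 'nopfs' change above made succeed. It assumes esp-3des-sha1 transforms and that the SSG policy had PFS disabled; Rainer states neither. The trade-off a practitioner would want on record: without PFS the ESP keys are derived from the phase-1 keying material and the exchanged nonces alone, so the last scenario, enabling the same DH group for PFS on the gateway policy, fixes the same mismatch while keeping forward secrecy.

```python
"""IKE phase-2 (quick mode) proposal selection, illustrating a PFS mismatch.
Example code; transform names and the gateway's proposal are assumptions."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Phase2Proposal:
    encryption: str            # ESP cipher, e.g. "3des" or "aes128"
    integrity: str             # ESP integrity, e.g. "sha1"
    pfs_group: Optional[int]   # Diffie-Hellman group for PFS; None means no PFS

    def describe(self) -> str:
        pfs = f"pfs-group{self.pfs_group}" if self.pfs_group else "nopfs"
        return f"esp-{self.encryption}-{self.integrity} {pfs}"


def select_proposal(initiator: Sequence[Phase2Proposal],
                    responder: Sequence[Phase2Proposal]) -> Optional[Phase2Proposal]:
    """Responder-side choice in quick mode: walk the initiator's proposals in
    the order offered and return the first one the responder also has
    configured. The PFS setting is part of the match, so PFS on one side and
    no PFS on the other never yields a phase-2 SA, even when the ESP
    transforms agree."""
    local = {(p.encryption, p.integrity, p.pfs_group) for p in responder}
    for offered in initiator:
        if (offered.encryption, offered.integrity, offered.pfs_group) in local:
            return offered
    return None


# Assumed settings for the three situations (constructed, not from the thread):
GATEWAY_NOPFS = [Phase2Proposal("3des", "sha1", None)]  # SSG policy without PFS
CLIENT_PFS2 = [Phase2Proposal("3des", "sha1", 2)]       # client proposing PFS with group 2
CLIENT_NOPFS = [Phase2Proposal("3des", "sha1", None)]   # the 'nopfs' change made above
GATEWAY_PFS2 = [Phase2Proposal("3des", "sha1", 2)]      # alternative: gateway enables group-2 PFS


def scenarios() -> dict:
    """Outcome of each pairing; None means phase 2 cannot complete."""
    return {
        "client_pfs2_vs_gateway_nopfs": select_proposal(CLIENT_PFS2, GATEWAY_NOPFS),
        "client_nopfs_vs_gateway_nopfs": select_proposal(CLIENT_NOPFS, GATEWAY_NOPFS),
        "client_pfs2_vs_gateway_pfs2": select_proposal(CLIENT_PFS2, GATEWAY_PFS2),
    }


if __name__ == "__main__":
    for name, chosen in scenarios().items():
        print(f"{name}: {chosen.describe() if chosen else 'no matching proposal'}")
```

Running the module prints one line per scenario; only the first pairing ends with no matching proposal.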
From marco.zevering at eo.nl Thu Feb 3 02:17:58 2011
From: marco.zevering at eo.nl (Marco Zevering)
Date: Thu, 03 Feb 2011 09:17:58 +0100
Subject: [vpn-help] Shrew VPN Client on Mac OS X ?
Message-ID: <4D4A64B6.2060307@eo.nl>

Does anybody have a working setup using Shrew VPN Client on Mac OS X? If yes, how did you do that?

I have a working setup on Windows XP and used the same configuration, but this doesn't work with Mac OS X. Please help.

Kind regards,
Marco


From deejay at jay-mail.de Thu Feb 3 03:35:03 2011
From: deejay at jay-mail.de (Jay)
Date: Thu, 03 Feb 2011 10:35:03 +0100
Subject: [vpn-help] virtual network adapter cannot be created
Message-ID: <4D4A76C7.50109@jay-mail.de>

Hello,

I'm new to this list and I hope you can help me. First, I want to apologize for my bad English. I do my best to write as well as possible.

The client worked fine until now, but the virtual adapter doesn't get created by the ShrewSoft VPN client anymore. I found out that there are problems if an adapter called "Microsoft Virtual WiFi Miniport Adapter" exists. There's no adapter except the hardware devices (LAN, WiFi, FireWire). Do you have any idea?

Best regards,
Jay


From tony.silveston at hp.com Wed Feb 2 16:01:16 2011
From: tony.silveston at hp.com (Silveston, Tony)
Date: Wed, 2 Feb 2011 22:01:16 +0000
Subject: [vpn-help] Other VPN software stops Shrew Working
Message-ID: <1B7E2E28661CFD418A0067A7D01342CC8D3D29F737@GVW1102EXC.americas.hpqcorp.net>

Hi,

I am running Windows XP on a specialized HP build laptop. It uses Remote Access to HP (RA2HP) VPN software to allow me to connect to HP internal networks.
http://remote-access-to-hp-ra2hp-vpn.software.informer.com/

This works fine, although I cannot configure it to allow access to other VPN sites apart from HP. Therefore I have also installed SHREW v2.1.7. I want this to connect to a Cisco VPN gateway that has nothing to do with HP.

If I disable the RA2HP VPN connection, I can connect to my Cisco gateway VPN. If I enable the RA2HP VPN, then I cannot also connect to the Cisco VPN gateway. I get a "negotiation timeout occurred"...

Any ideas how to get them both working together?

Thanks,
Tony


From rfling at estand.com Thu Feb 3 18:01:03 2011
From: rfling at estand.com (Russ Fling)
Date: Thu, 03 Feb 2011 18:01:03 -0600
Subject: [vpn-help] Help using NetGear FSV318v3
Message-ID: <4D4B41BF.60503@estand.com>

I am having problems connecting to the NetGear FSV318v3.

NetGear FSV318v3 firmware 0_28 (latest)
Shrew client versions 2.1.7 and 2.2.0 beta 1
Client OS Windows 7 Home Premium 64 bit (I've also tried Ubuntu and Mac clients, same issue)
NetGear LAN 192.168.8.0/24
NetGear WAN connected directly to the internet at xxx.xxx.xxx.xxx (obscured for now)
Windows client LAN 192.168.3.0/24; the client has a DHCP address of 192.168.3.139

The Shrew FAQs deal with the 338, not the 318, which has a different user interface. I am not using the XAuth feature at this time, just Mutual PSK.

In the Policy tab, Policy Generation Level is auto, and 192.168.8.0 / 255.255.255.0 has been added to the topology. Maintain Persistent Security Associations is checked (but I also tried it unchecked).

When connecting, the tunnel is enabled but the security associations fail 10-20 seconds later. iked.log contains the following lines when it fails:

ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
ii : fragmented packet to 70 bytes ( MTU 1500 bytes )
-> : resend 1 phase2 packet(s) [2/2] 192.168.3.139:500 -> xxx.xxx.xxx.xxx:500
ii : resend limit exceeded for phase2 exchange

Different Phase 1 settings will cause it to fail sooner, so I think these and the Authentication settings are OK. Phase 2 settings seem to have no effect (but I think they are configured properly), and it appears that the 318 is not responding to phase 2 requests (or they are being blocked somewhere). Is it a packet fragmentation issue? Firewall issue?

I saw on some blog that the 338 may need WAN ping enabled; this is currently off.

Any suggestions?

Thanks in advance.


From alexis.lagoutte at gmail.com Fri Feb 4 02:00:01 2011
From: alexis.lagoutte at gmail.com (Alexis La Goutte)
Date: Fri, 4 Feb 2011 09:00:01 +0100
Subject: [vpn-help] Help using NetGear FSV318v3
In-Reply-To: <4D4B41BF.60503@estand.com>
References: <4D4B41BF.60503@estand.com>

Hi,

On Fri, Feb 4, 2011 at 1:01 AM, Russ Fling wrote:
> [...]
>
> In Policy tab, Policy Generation Level is auto, 192.168.8.0 /
> 255.255.255.0 has been added to topology. Maintain Persistent Security
> Associations is checked (but also tried unchecked).
>
> [...]
>
> Any suggestions?
>
> Thanks in advance.

Set Unique for Policy Generation Level and it should work.

Regards,


From david.borges at skitter.tv Fri Feb 4 08:32:43 2011
From: david.borges at skitter.tv (David Borges)
Date: Fri, 04 Feb 2011 09:32:43 -0500
Subject: [vpn-help] Help using NetGear FSV318v3
In-Reply-To: <4D4B41BF.60503@estand.com>
References: <4D4B41BF.60503@estand.com>
Message-ID: <1296829963.2260.2.camel@dborges-ThinkPad-R400>

Russ,

Would you consider using xauth? I have an FVS338 and phase 2 works great with xauth.

Thanks,

On Thu, 2011-02-03 at 18:01 -0600, Russ Fling wrote:
> is enabled but security associations fail
> 10-20 seconds later.

-- 
David Borges
Director of Network Administration
www.skitter.tv


From galvarez3d at gmail.com Fri Feb 4 09:41:34 2011
From: galvarez3d at gmail.com (Gerardo Álvarez)
Date: Fri, 4 Feb 2011 16:41:34 +0100
Subject: [vpn-help] VPN 2.2.0 on Mac OS X 10.6.6 (spanish)

Hi,

I am trying to use Shrew Soft VPN Access Manager on my Mac just as I am doing on my Windows XP 32-bit machine.
I have exported the configuration from XP and imported it on the Mac, but some of the data does not get copied. This is what happens when I try to connect with the Mac:

config loaded for site 'XXX_XXX'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
invalid message from gateway
tunnel disabled
detached from key daemon ...

Any hints?

-- 
Gerardo Álvarez


From steve.harrold at eosemi.com Fri Feb 4 12:25:08 2011
From: steve.harrold at eosemi.com (Steve Harrold)
Date: Fri, 04 Feb 2011 18:25:08 +0000
Subject: [vpn-help] ike-2.2.0-beta-1 make errors
Message-ID: <4D4C4484.6040603@eosemi.com>

An HTML attachment was scrubbed...


From galvarez3d at gmail.com Fri Feb 4 12:32:39 2011
From: galvarez3d at gmail.com (Gerardo Álvarez)
Date: Fri, 4 Feb 2011 19:32:39 +0100
Subject: [vpn-help] VPN 2.2.0 on Mac OS X 10.6.6 (spanish)
In-Reply-To: <246624c3-6983-48d2-be2f-d34d14b8457d@blur>
References: <246624c3-6983-48d2-be2f-d34d14b8457d@blur>

Hi Russ,

Just curious, why Netgear?

It seems we get a bit further now:

config loaded for site 'XXXX_XXXX'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
attached to key daemon ...
detached from key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

On 4 February 2011 at 19:00, Russ Fling wrote:
> Geraldo,
>
> Check Shrew Soft support on Netgear for more info.
>
> General
> Existing adapter
>
> Make sure all Authentication tab settings match the Netgear settings.
>
> I'm using mutual-psk now but am having problems at phase 2, so I may need to
> use mutual-psk xauth.
>
> Phase 1
> Aggressive
> Group 2
> 3des
> Sha1
>
> Phase 2
> esp-3des
> Sha1
>
> Policy
> Unique
> Add your remote local LAN
>
> -----Original message-----
> From: "Gerardo Álvarez"
> To: vpn-help at lists.shrew.net
> Sent: Fri, Feb 4, 2011 15:41:34 GMT+00:00
> Subject: [vpn-help] VPN 2.2.0 on Mac OS X 10.6.6 (spanish)

-- 
Gerardo Álvarez
Producer
El Viaje Imposible
http://www.evipc.com
(+34) 617 764 201
gerardo at evipc.com


From sander.liebert at gmail.com Sat Feb 5 13:07:00 2011
From: sander.liebert at gmail.com (Sander Liebert)
Date: Sat, 5 Feb 2011 13:07:00 -0600
Subject: [vpn-help] Shrew on Windows 7 vs Windows XP

I have the Shrew client loaded on several PCs. The XP ones seem to work fine and I can ping on the remote network. On my Win7 PCs I can connect, but cannot ping or browse the network. I upgraded the Win7 PCs to 2.20 to rule out the possible virtual WiFi adapter problem.

Can anyone tell me what I should troubleshoot next?

Thanks,
Sander


From galvarez3d at gmail.com Sun Feb 6 10:17:55 2011
From: galvarez3d at gmail.com (Gerardo Álvarez)
Date: Sun, 6 Feb 2011 17:17:55 +0100
Subject: [vpn-help] Windows XP 32 bit connects but Windows 7 64 bit does not

I have given up trying to connect from Mac OS X 10.6.6 for now.

I have installed 2.1.7 64-bit on one PC with Windows 7 64-bit at home, copying the configuration exported from XP 32-bit at the studio; different ADSL routers but equivalent network topology and setup.

The XP 32-bit connects fine:

config loaded for site 'FCSC'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled

However, the W7 64-bit does not:

config loaded for site 'FCSC'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

I see that the W7 is not able to configure the network device, maybe because I wasn't able to install the software on W7 64-bit normally: it got stuck forever at "installing Network Adapter", until I rebooted into Safe Mode with Networking; that way I could install it. Maybe it is not properly installed?

-- 
Gerardo Álvarez
Producer
El Viaje Imposible
http://www.evipc.com
(+34) 617 764 201
gerardo at evipc.com


From mgrooms at shrew.net Sun Feb 6 10:50:33 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 10:50:33 -0600
Subject: [vpn-help] Problem with 2.2.0-alpha-11
In-Reply-To: <20110126111021.13972p1k8atc6fc4@webmail.kwsoft.de>
References: <20110126111021.13972p1k8atc6fc4@webmail.kwsoft.de>
Message-ID: <4D4ED159.1080208@shrew.net>

On 1/26/2011 4:10 AM, lst_hoe02 at kwsoft.de wrote:
> Hello
>
> We tested today to update the VPN client, which worked flawlessly, from
> 2.2.0-alpha-10 to 2.2.0-alpha-11. After the update the VPN client always
> asks for user/password, and if ignoring it the VPN claims to be connected
> but no traffic passes the VPN.
>
> Client is Windows XP-SP3
> VPN is PSK against a BinTEC VPN Gateway
>
> Any idea what is going wrong?
>

Is this still happening with the beta1 build? If so, please forward me the debug level output in a private email.

http://www.shrew.net/support/wiki/BugReportVpnWindows

Thanks,

-Matthew


From mgrooms at shrew.net Sun Feb 6 11:17:25 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:17:25 -0600
Subject: [vpn-help] Shrew VPN Client on Mac OS X ?
In-Reply-To: <4D4A64B6.2060307@eo.nl>
References: <4D4A64B6.2060307@eo.nl>
Message-ID: <4D4ED7A5.8050209@shrew.net>

On 2/3/2011 2:17 AM, Marco Zevering wrote:
> Does anybody have a working setup using Shrew VPN Client on Mac OS X?
> If yes, how did you do that?
>
> I have a working setup on Windows XP and used the same configuration,
> but this doesn't work with Mac OS X.
>

Marco,

I just built a new package using the latest source code. Please give it a try and see if the same issue occurs.

http://www.shrew.net/download/vpn/vpn-client-install.dmg

Thanks,

-Matthew


From mgrooms at shrew.net Sun Feb 6 11:22:51 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:22:51 -0600
Subject: [vpn-help] Adtran 908e
In-Reply-To: <001501cbbf3c$a49544e0$edbfcea0$@com>
References: <001501cbbf3c$a49544e0$edbfcea0$@com>
Message-ID: <4D4ED8EB.50608@shrew.net>

On 1/28/2011 4:42 PM, Danny Lloyd wrote:
> I am not sure how to reply to the original thread. I have updated
> information regarding my problem with connecting with the Adtran 908e. I
> appreciate any assistance.
>
> Here is the debug information from the Adtran. I see "Invalid
> Authentication type which is not supported". I don't know how to address
> that error.
>

Yes. Your gateway is rejecting the client authentication due to an authentication type mismatch. Check the settings under the Authentication tab in your site configuration and make sure they match the type configured on the gateway.

-Matthew


From mgrooms at shrew.net Sun Feb 6 11:26:22 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:26:22 -0600
Subject: [vpn-help] shrew VPN client Ver. 2.1.7
In-Reply-To: <268875.87898.qm@web36506.mail.mud.yahoo.com>
References: <268875.87898.qm@web36506.mail.mud.yahoo.com>
Message-ID: <4D4ED9BE.40606@shrew.net>

On 1/30/2011 6:58 AM, Wasiu Adebowale Fagbemi wrote:
> I had installed Shrew VPN client version 2.1.7 on my Windows 7 PC. I can
> successfully make a connection to the remote network, but I cannot ping or
> do RDC to any of the remote network resources.
>
> All this I can do very well with Shrew VPN client version 2.1.5.
>
> My VPN gateway is a Cisco ASA5520.
>

Have you looked at the debug level output to see if it shows any issues?

http://www.shrew.net/support/wiki/BugReportVpnWindows

-Matthew


From mgrooms at shrew.net Sun Feb 6 11:34:01 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:34:01 -0600
Subject: [vpn-help] VPN Tunnel disconnected by gateway after successful authentication
In-Reply-To: <3F185A541960DB4B9FBBBB4104820BBC0150075A3F3D@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <3F185A541960DB4B9FBBBB4104820BBC0150075A3F3D@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D4EDB89.9080302@shrew.net>

On 1/28/2011 5:45 PM, Brian Harmer wrote:
> Don wrote:
>> I am hoping the community can help me with this.
>
>> I am using a Windows 7 64bit OS on my laptop and have used the NCP
>> application (trial) successfully in the past. However, with
>> Shrew's client, I can authenticate, but right after the
>> splash screen that tells me to behave myself on the corporate
>> network, I get a disconnect by gateway. I have no idea what is
>> happening that the gateway disconnects me after an apparently
>> successful negotiation and authentication. Anyone seen this before
>> and have any ideas?
>
>> bringing up tunnel ... network device configured tunnel enabled
>> session terminated by gateway tunnel disabled detached from key
>> daemon ...
>
> I have a similar experience. I can add to that the fact that in the
> box which shrinks to the task bar on the "apparently" successful
> connection, there are two tabs, one labelled connect, and the other
> labelled network. If I watch the network tab while the system is
> thinking about finally connecting, I can see that the client tells me
> that security associations failed .... 9 times ... is that 9
> associations or 9 tries? As a VPN novice desperate to connect, I
> have no idea what this means. Any insights gratefully received.
>

This is the typical result when the VPN client connects to a Cisco gateway and phase 2 negotiation is failing for some reason. Check the log output on both the client and gateway to find clues as to what the issue could be. You will likely need to modify either a Phase 2 tab or a Policy tab parameter in your site configuration.

-Matthew


From mgrooms at shrew.net Sun Feb 6 11:42:53 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:42:53 -0600
Subject: [vpn-help] ike-2.2.0-beta-1 make errors
In-Reply-To: <4D4C4484.6040603@eosemi.com>
References: <4D4C4484.6040603@eosemi.com>
Message-ID: <4D4EDD9D.8050508@shrew.net>

On 2/4/2011 12:25 PM, Steve Harrold wrote:
> Hi all,
> I'm trying to compile ike-2.2.0-beta-1 under Linux Mint 7 (which is
> based on Ubuntu jaunty). The 2.1.7 release compiled fine, but I am
> getting errors and warnings when I run "make".
>

I just fixed the build issues. Please pull down a copy from svn and give it another try.

svn export svn://svn.shrew.net/ike/head

-Matthew


From zkosn at zkosn.com Sun Feb 6 11:44:54 2011
From: zkosn at zkosn.com (zkosn at zkosn.com)
Date: Sun, 06 Feb 2011 10:44:54 -0700
Subject: [vpn-help] 2.2 b1 miniport adapter
Message-ID: <20110206104454.35cc758f207e5a82ede39c4fdf64e9e5.e5937e9476.wbe@email01.secureserver.net>

An HTML attachment was scrubbed...
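Following the advice in this archive to check the log output on both the client and the gateway, here is an added example (not code from Shrew Soft, Juniper, Netgear, Adtran or any poster) that triages the kinds of lines quoted in these messages: Shrew iked.log phase-2 resend failures, the ScreenOS DELETE and 'no policy found' lines, the Junos 'Invalid cookie' lines and the Adtran authentication-type rejection. It generalizes slightly with a phase-1 resend rule that has no counterpart in the thread, and the single 'no policy found' sample line is constructed (Rainer mentions such lines but did not quote one). The hints paraphrase the fixes the posters reported, not vendor documentation.

```python
"""Triage of IKE log lines from a Shrew Soft client and its gateway.
Example code; match strings are copied from log excerpts posted in this
archive, hints restate the fixes the posters reported."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    source: str      # which log the line is expected to come from
    category: str
    hint: str
    line: str


# (source, category, pattern, hint) in priority order; the first match wins.
RULES = [
    ("shrew iked.log", "phase2-unanswered",
     re.compile(r"resend limit exceeded for phase2 exchange"),
     "gateway never answered the phase-2 request: check the Policy tab "
     "(Policy Generation Level, 'unique' fixed it on the Netgear) and the phase-2 proposal"),
    ("shrew iked.log", "phase1-unanswered",
     re.compile(r"resend limit exceeded for phase1 exchange"),
     "no phase-1 reply at all: gateway address, UDP/500 reachability, or another "
     "IKE client holding the port (generalized rule; no such line in the thread)"),
    ("shrew client", "terminated-by-gateway",
     re.compile(r"session terminated by gateway"),
     "phase 1 completed but the gateway dropped the session, typically because "
     "phase 2 is failing: compare both logs and the Phase 2 / Policy tabs"),
    ("gateway (ScreenOS)", "phase1-deleted-by-peer",
     re.compile(r"DELETE payload received, deleting Phase-1 SA"),
     "the peer tore down the phase-1 SA: look at the Xauth and phase-2 settings"),
    ("gateway (ScreenOS)", "no-matching-policy",
     re.compile(r"no policy found"),
     "the gateway had no policy matching the phase-2 request: align PFS and ESP "
     "transforms on both sides (a PFS mismatch was the cause in the thread)"),
    ("gateway (Junos)", "stale-isakmp-sa",
     re.compile(r"Invalid cookie, no sa found"),
     "packet refers to an ISAKMP SA the gateway no longer holds, e.g. after a "
     "rekey or re-authentication; correlate the cookie pair with the earlier delete"),
    ("gateway (Adtran)", "auth-type-mismatch",
     re.compile(r"Invalid Authentication type"),
     "authentication type mismatch: make the Authentication tab match the gateway"),
]


def classify(line: str) -> Optional[Finding]:
    """First matching rule for one log line, or None for informational noise."""
    for source, category, pattern, hint in RULES:
        if pattern.search(line):
            return Finding(source, category, hint, line.strip())
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Findings for every matching line; fragmentation notices and
    retransmit counters produce nothing."""
    return [f for f in (classify(line) for line in lines) if f is not None]


def summarize(findings: Iterable[Finding]) -> Counter:
    return Counter(f.category for f in findings)


# Sample input: lines quoted from the messages in this archive, plus one
# constructed ScreenOS 'no policy found' line (marked below).
SAMPLE_LINES = [
    "ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )",
    "-> : resend 1 phase2 packet(s) [2/2] 192.168.3.139:500 -> xxx.xxx.xxx.xxx:500",
    "ii : resend limit exceeded for phase2 exchange",
    "## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [DELETE]:",
    "## 2011-01-28 14:28:03 : IKE<192.168.11.3> DELETE payload received, deleting Phase-1 SA",
    "## 2011-01-28 14:28:03 : IKE<192.168.11.3> no policy found",  # constructed
    "Feb 1 15:29:53 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f0f7631, remote = 1.1.1.1:2726",
    "Feb 1 15:30:08 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f30985a, remote = 1.1.1.1:2726",
    "Invalid Authentication type which is not supported",
    "session terminated by gateway",
]


if __name__ == "__main__":
    findings = triage(SAMPLE_LINES)
    for f in findings:
        print(f"[{f.source}] {f.category}: {f.line}\n    -> {f.hint}")
    print(dict(summarize(findings)))
```

Feed it the concatenated client and gateway logs for one connection attempt; the category counts show which side gave up first, and repeated stale-isakmp-sa hits for the same cookie pair point at the peer reusing an SA the other side already deleted.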
URL: From tstrike34 at gmail.com Sun Feb 6 12:52:14 2011 From: tstrike34 at gmail.com (JT Edwards) Date: Sun, 6 Feb 2011 12:52:14 -0600 Subject: [vpn-help] Can I just installed iked it keeps wanting to install 2.1.7 Shrew Message-ID: Matt, List, I am getting Failure to attach to Key daemon on Shrew 2.2.0-beta-1 latest build checked out of SVN. If I go to install iked it wants to install the 2.1.7 client. I just want to install Iked. Advise? JT On Sun, Feb 6, 2011 at 11:42 AM, Matthew Grooms wrote: > On 2/4/2011 12:25 PM, Steve Harrold wrote: > >> Hi all, >> I'm trying to compile ike-2.2.0-beta-1 under Linux Mint 7 (which is >> based on Ubuntu jaunty). The 2.1.7 release compiled fine, but I am >> getting errors and warnings when I run "make". >> >> > I just fixed the build issues. Please pull down a copy from svn and give it > another try. > > svn export svn://svn.shrew.net/ike/head > > -Matthew > _______________________________________________ > vpn-help mailing list > vpn-help at lists.shrew.net > http://lists.shrew.net/mailman/listinfo/vpn-help > -- J.T. Edwards Senior Solutions Architect and Managing Consultant IBM Tivoli Certified Global Direct +01-512-772-3266 Celluar +01-281-226-0284 Skype tstrike29 JT Edwards Commissioner, Alt 2, Building and Standards City of Galveston P.O. Box 779 823 Rosenberg Galveston, Texas 77553 Phone: (409) 797-3500 -------------- next part -------------- An HTML attachment was scrubbed... URL: From tstrike34 at gmail.com Sun Feb 6 13:07:08 2011 From: tstrike34 at gmail.com (JT Edwards) Date: Sun, 6 Feb 2011 13:07:08 -0600 Subject: [vpn-help] Latest Build issues staying connected to Ike daemon Message-ID: Matthew, I am having a problem of having the latest bulid client stay connected to the Ike daemon. It actually kills it on Ubuntu 10.10. Here is what I am getting: config loaded for site 'test33.dyndns.org' attached to key daemon ... 
peer config failed
detached from key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon

Advice? Nothing in the iked log but this:

1/02/06 13:04:01 ## : IKE Daemon, ver 2.1.5
11/02/06 13:04:01 ## : Copyright 2009 Shrew Soft Inc.
11/02/06 13:04:01 ## : This product linked OpenSSL 0.9.8o 01 Jun 2010
11/02/06 13:04:01 K! : recv X_SPDDUMP message failure ( errno = 2 )

-- 
J.T. Edwards
Senior Solutions Architect and Managing Consultant
IBM Tivoli Certified
Global Direct +01-512-772-3266
Cellular +01-281-226-0284
Skype tstrike29
JT Edwards
Commissioner, Alt 2, Building and Standards
City of Galveston
P.O. Box 779
823 Rosenberg
Galveston, Texas 77553
Phone: (409) 797-3500

From lst_hoe02 at kwsoft.de Sun Feb 6 14:02:00 2011
From: lst_hoe02 at kwsoft.de (lst_hoe02 at kwsoft.de)
Date: Sun, 06 Feb 2011 21:02:00 +0100
Subject: [vpn-help] Problem with 2.2.0-alpha-11
In-Reply-To: <4D4ED159.1080208@shrew.net>
References: <20110126111021.13972p1k8atc6fc4@webmail.kwsoft.de> <4D4ED159.1080208@shrew.net>
Message-ID: <20110206210200.61878wd5jqbsoytc@webmail.kwsoft.de>

Quoting Matthew Grooms:
> On 1/26/2011 4:10 AM, lst_hoe02 at kwsoft.de wrote:
>> Hello
>>
>> we tested today to update VPN which worked flawlessly from
>> 2.2.0-alpha-10 to 2.2.0-alpha-11. After the update the VPN client always
>> asks for user/password and if ignoring it the VPN claims to be connected
>> but no traffic passes the VPN.
>>
>> Client is Windows XP-SP3
>> VPN is PSK against a BinTEC VPN Gateway
>>
>> Any idea what is going wrong?
>>
>
> Is this still happening with the beta1 build? If so, please forward
> me the debug level output in a private email.
>
> http://www.shrew.net/support/wiki/BugReportVpnWindows

Beta1 is working again. Many Thanks.
Andreas

From paul at athosconsulting.com Sun Feb 6 14:42:07 2011
From: paul at athosconsulting.com (Paul Papasavas)
Date: Sun, 6 Feb 2011 20:42:07 +0000
Subject: [vpn-help] ShrewSoft 2.1.7 and 2.2.0 Issue
In-Reply-To: <006601cbb25a$8d28e760$a77ab620$@com>

Matthew,

FYI the issue was resolved simply by using a virtual adapter and assigning an MTU of I believe 1380 ... All problems went away with Shrew / ssg5

Paul

On 1/12/11 8:13 AM, "Darren Nye" wrote:

>Hi Matthew,
>
>I'm absolutely sure that using NCP and Green Bow, resolves the issues.
>
>I'm not sure how to setup a Virtual Adapter - everything was setup by the
>consultant we hired. Are there instructions somewhere of how to try a
>virtual adapter?
>
>I don't know if it matters but the consultant was able to get the free IP
>Securitas to work fine also - which runs on Macs (half of our clients are
>Macs).
>
>I did try stepping through the alternate configuration found here:
>http://www.shrew.net/support/wiki/HowtoJuniperSsg
>
>But I couldn't get a tunnel connection at all with the above. Maybe it's
>because some of the SSG pages were a bit different, with the updated
>firmware. And one field, IKE ID Type, was not sticking on AUTO but was
>being changed to something starting with an F (not currently connected to
>router).
>
>To answer your other question, the user is not stopping the service. As
>per the pictures what is happening, is I start copying using Windows
>Explorer from the server to my notebook, and the copy stops and produces
>the Windows error as per the pics - and it seems the halt happens at that
>time. But the user never touches the servers from a technical standpoint.
>
>I will try your latest alpha version and report back:
>http://www.shrew.net/download/vpn/vpn-client-2.2.0-lsofix-1.exe
>
>
>
>-----Original Message-----
>From: Matthew Grooms [mailto:mgrooms at shrew.net]
>Sent: Wednesday, January 12, 2011 2:21 AM
>To: Darren Nye
>Cc: vpn-help at lists.shrew.net
>Subject: Re: [vpn-help] ShrewSoft 2.1.7 and 2.2.0 Issue
>
>On 1/7/2011 1:11 PM, Darren Nye wrote:
>> Hi all,
>>
>
>Hi Darren,
>
>> VPN Client: ShrewSoft 2.1.7 and 2.2 Alpha 9.
>>
>> Windows: 7 64bit and Vista 64bit
>>
>> Gateway: Juniper SSG5
>>
>> Gateway Hardware Version: 710(0)
>>
>> Gateway Firmware Version: 6.3.0r5.0 (also tried firmware 6.0 with same
>> issue).
>>
>> Five people in different locations, have been able to duplicate this
>> problem, with the ShrewSoft 2.1.7 and 2.2 Alpha 9 clients.
>>
>> However when we use NCP Client or Green Bow VPN Client, we do not have
>> this issue and everything seems fine. So this points to either a
>> configuration issue with ShrewSoft or a bug. I hope someone can help?
>>
>
>Are you absolutely sure that this problem can be resolved by installing
>the NCP or Greenbow clients? I'm not too proud to admit when the Shrew
>Soft client has a bug that needs to be fixed. From looking at your log
>output, it would appear that you are not using virtual adapter configs
>which can cause problems related to MTU issues. Some carriers will drop
>packet fragments or large UDP packets for no good reason. When using a
>virtual adapter, a custom MTU can be set to avoid these issues.
>
>> We can connect to the Juniper with ShrewSoft and also connect to our
>> network file servers, and perform short tasks such as copy small files
>> up/down or use remote desktop.
>>
>> However, when we try to use Windows Explorer to connect to a Linux/Samba
>> (v3.1) file server (ie: \\192.168.66.1\printfileserver
>> ) and copy a folder with a large
>> number of files (100mb or more) - by dragging and dropping from the
>> server to the desktop - it seems that Windows thinks the connection to
>> the server is lost - although the tunnel itself in ShrewSoft doesn't
>> show that it disconnected. But the log file seems to show a "halt"
>> command around the same time the issue is probably happening.
>>
>
>The halt should only show up in the log when someone stops the service.
>It's the normal shutdown procedure. I see the halt in your logs about
>four minutes into the connection. Is that a user stopping the service or
>do you mean that it's stopping itself?
>
>> See attached:
>>
>> Windows-preparing-copy.jpg = the beginning of the file copy - things
>> going normal so far
>>
>> Windows-copy-start.jpg = after windows is finished preparing (I believe
>> figuring out how much and what it's going to copy) - it then tries to
>> start the copy - but never seems to start
>>
>> Windows-failure.jpg = a short time after the windows-copy-start above,
>> windows will display a failure. It's at this point that shrewsoft
>> perhaps is getting the halt.
>>
>> The Shrew trace and other log/dump files are attached. 1.1.1.1 is a
>> changed IP address but represents our internal IP address of the Juniper
>> router.
>>
>> These particular logs were when connecting via ATT and my cell phone.
>> However we've had these issues remotely from homes on Comcast and
>> Optimum cable modems.
>>
>> I've been told by our Juniper tech rep that our internal servers are
>> sending a RST (reset) although I don't see that in any of the logs I'm
>> looking at.
>>
>> But we don't experience these odd issues when using the NCP client or
>> Green Bow. But I'd rather not license every single one of our users.
>>
>> Any suggestions, please let me know.
>>
>
>There is a feature included in modern network adapters called TCP Large
>Segment Offload. Up until the last 2.2.0 alpha release, the client had a
>bug that caused problems similar to the one you describe when TCP LSO
>was enabled and virtual adapters were not in use. The Alpha 9 version of
>the client that you tested with does not have the fix for this bug. Not
>that I can imagine TCP LSO would be implemented by an AT&T cell phone
>dongle driver, but it could certainly be affecting your home users. If
>you want to try a version of the client that has been tested a bit more
>than the latest alpha, you can have a user try this version ...
>
>http://www.shrew.net/download/vpn/vpn-client-2.2.0-lsofix-1.exe
>
>-Matthew
>

From mgrooms at shrew.net Sun Feb 6 15:55:26 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 15:55:26 -0600
Subject: [vpn-help] Other VPN software stops Shrew Working
In-Reply-To: <1B7E2E28661CFD418A0067A7D01342CC8D3D29F737@GVW1102EXC.americas.hpqcorp.net>
References: <1B7E2E28661CFD418A0067A7D01342CC8D3D29F737@GVW1102EXC.americas.hpqcorp.net>
Message-ID: <4D4F18CE.2010000@shrew.net>

On 2/2/2011 4:01 PM, Silveston, Tony wrote:
> Hi
>
> I am running Windows XP on a specialized HP build laptop.
>
> It uses Remote Access to HP (RA2HP) VPN software to allow me to connect to HP internal networks.
> http://remote-access-to-hp-ra2hp-vpn.software.informer.com/
>
> This works fine although I cannot configure it to allow access to other VPN sites apart from HP.
>
> Therefore I have also installed SHREW v2.1.7.
>
> I want this to connect to a Cisco VPN gateway that is nothing to do with HP.
>
> If I disable the RA2HP VPN connection I can connect to my Cisco gateway VPN.
>
> If I enable the RA2HP VPN then I cannot also connect to the Cisco VPN gateway.
>
> I get a "negotiation timeout occurred"...
>
> Any ideas how to get them both working together?
>

Tony,

No, unfortunately I don't.
We have made every attempt to create a VPN client that is as friendly to other installed software as possible. We use very specialized rules to only accept and process traffic that is unique to a VPN session established by our VPN client. We don't touch any other traffic, even if it is IPsec related. That means that it is _possible_ to use the Shrew Soft client along with other VPN clients. But possible doesn't mean it will work. In fact, in most cases it will probably break in one way or another unless the following are true ...

1) The other VPN client software was written with the same care as the Shrew Soft client. That means, not making assumptions about being the only IPsec client installed on the machine and blindly eating IKE or IPsec packets that may belong to other software.

2) Your IPsec policies don't overlap. If one client is configured to send all traffic down its tunnel, then a second VPN client would fail to establish its tunnel ( negotiation traffic is sent down the first VPN connection's tunnel ).

3) In most cases, only one client will _win_ when it comes to custom DNS settings, with the latter overwriting the former connection's settings.

So to summarize: Yes, it's possible to do what you want but the chance of two tunnels working correctly without them being designed to do so is just about nil. From what I have seen from other VPN client vendors, they just don't seem to care much to co-exist with other IPsec client software. This leads to a lot of head scratching and questions like, "Am I running into a configuration conflict that can be fixed, or are the software components stepping on each other's toes"?
Sorry I can't be more help,

-Matthew

From mgrooms at shrew.net Sun Feb 6 16:08:45 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 16:08:45 -0600
Subject: [vpn-help] VPN 2.2.0 on Mac OS X 10.6.6 (spanish)
Message-ID: <4D4F1BED.9070807@shrew.net>

On 2/4/2011 9:41 AM, Gerardo Álvarez wrote:
> Hi
> I am trying to use Shrew Soft VPN Access Manager in my Mac just as I am
> doing on my Windows XP 32 bits machine.
> I have exported the configuration from XP and imported it on Mac, but
> there are some data which does not get copied.
> This is what happens when I try to connect with the Mac:
>

I just uploaded a new build to the website. The OSX support is still very preliminary but I have fixed a few bugs recently. One of them was related to configuration mismatches between different platforms ...

http://www.shrew.net/download/vpn/vpn-client-install.dmg

-Matthew

From mgrooms at shrew.net Sun Feb 6 16:10:18 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 16:10:18 -0600
Subject: [vpn-help] Shrew on Windows 7 vs Windows XP
Message-ID: <4D4F1C4A.9070007@shrew.net>

On 2/5/2011 1:07 PM, Sander Liebert wrote:
> I have the shrew client loaded on several PCs. The XP seems to work
> fine and I can ping on the remote network. On my Win7 PCs I can
> connect, but cannot ping, or browse the network. I upgraded the Win7
> PCs to 2.20 to rule out the possible virtual wifi adapter problem.
> Can anyone tell me what I should troubleshoot next?

Are you using the beta-1 or a previous version? Have you looked at the debug output to see if it displays any useful information?
http://www.shrew.net/support/wiki/BugReportVpnWindows

-Matthew

From mgrooms at shrew.net Sun Feb 6 16:12:00 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 16:12:00 -0600
Subject: [vpn-help] Windows XP 32 bit connects but Windows 7 64 bit does not
Message-ID: <4D4F1CB0.10603@shrew.net>

On 2/6/2011 10:17 AM, Gerardo Álvarez wrote:
> I have given up trying to connect from Mac OS X 10.6.6 by now.
> I have installed 2.1.7 64 bit at one PC with Windows 7 64 bit at home,
> copying the configuration exported from XP 32 bit at the studio,
> different ADSL routers but equivalent network topology and setup.
>

Are you using a WIFI connection? If so, try disabling the Microsoft virtual wifi adapter as our Wiki suggests ...

http://www.shrew.net/support/wiki/FrequentlyAskedQuestions

-Matthew

From mgrooms at shrew.net Sun Feb 6 16:14:39 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 16:14:39 -0600
Subject: [vpn-help] 2.2 b1 miniport adapter
In-Reply-To: <20110206104454.35cc758f207e5a82ede39c4fdf64e9e5.e5937e9476.wbe@email01.secureserver.net>
References: <20110206104454.35cc758f207e5a82ede39c4fdf64e9e5.e5937e9476.wbe@email01.secureserver.net>
Message-ID: <4D4F1D4F.3030608@shrew.net>

On 2/6/2011 11:44 AM, zkosn at zkosn.com wrote:
> Win7/32 Can't establish a tunnel (doesn't even make an attempt to
> establish) if the Virtual Miniport adapter is enabled. Disabling it
> allows it to function and establish a tunnel.
>
> 2.1.7 works with the virtual miniport enabled.
>
> Any workaround or is it broken?
>

Hmmm. It should be the other way around unless you are communicating over an AD-Hoc Wifi network. The 2.2.0 version favors the base Wifi adapter but doesn't work with the MS Virtual Adapter used for AD-Hoc Wifi.
-Matthew

From mgrooms at shrew.net Sun Feb 6 16:16:23 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 16:16:23 -0600
Subject: [vpn-help] Latest Build issues staying connected to Ike daemon
Message-ID: <4D4F1DB7.7060308@shrew.net>

On 2/6/2011 1:07 PM, JT Edwards wrote:
> Matthew,
>
> I am having a problem of having the latest build client stay connected
> to the Ike daemon. It actually kills it on Ubuntu 10.10.
>
> Here is what I am getting:
>
> config loaded for site 'test33.dyndns.org '
>
> ...
> Advice? Nothing in the iked log but this:
>
> 1/02/06 13:04:01 ## : IKE Daemon, ver 2.1.5
> 11/02/06 13:04:01 ## : Copyright 2009 Shrew Soft Inc.
> 11/02/06 13:04:01 ## : This product linked OpenSSL 0.9.8o 01 Jun 2010
> 11/02/06 13:04:01 K! : recv X_SPDDUMP message failure ( errno = 2 )
>

Uninstall the 2.1.5 version, then re-install the 2.2.0 version. The two versions of the client have different components that are incompatible with one another.

-Matthew

From mgrooms at shrew.net Sun Feb 6 16:19:19 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 16:19:19 -0600
Subject: [vpn-help] ShrewSoft 2.1.7 and 2.2.0 Issue
Message-ID: <4D4F1E67.5030103@shrew.net>

On 2/6/2011 2:42 PM, Paul Papasavas wrote:
> Matthew,
>
> FYI the issue was resolved simply by using a virtual adapter and assigning
> an MTU of I believe 1380 ... All problems went away with Shrew / ssg5
>

Hi Paul,

Thanks for the feedback. If I can reproduce the non-virtual network adapter style connection issues I'll try to get it resolved. However, it's not going to bubble up to the top of my todo list any time soon. But in the long run, I'm pretty sure you would be happier with the virtual adapter style connections anyway.
Thanks again,

-Matthew

From galvarez3d at gmail.com Sun Feb 6 16:28:32 2011
From: galvarez3d at gmail.com (Gerardo Álvarez)
Date: Sun, 6 Feb 2011 23:28:32 +0100
Subject: [vpn-help] Windows XP 32 bit connects but Windows 7 64 bit does not
In-Reply-To: <4D4F1CB0.10603@shrew.net>
References: <4D4F1CB0.10603@shrew.net>
Message-ID: <-7856785405170327861@unknownmsgid>

No, none of the machines uses WIFI, only ethernet.

Gerardo Álvarez León
galvarez3d at gmail.com

On 06/02/2011, at 23:12, Matthew Grooms wrote:

> On 2/6/2011 10:17 AM, Gerardo Álvarez wrote:
>> I have given up trying to connect from Mac OS X 10.6.6 by now.
>> I have installed 2.1.7 64 bit at one PC with Windows 7 64 bit at home,
>> copying the configuration exported from XP 32 bit at the studio,
>> different ADSL routers but equivalent network topology and setup.
>>
>
> Are you using a WIFI connection? If so, try disabling the Microsoft virtual wifi adapter as our Wiki suggests ...
>
> http://www.shrew.net/support/wiki/FrequentlyAskedQuestions
>
> -Matthew

From zkosn at zkosn.com Sun Feb 6 20:06:01 2011
From: zkosn at zkosn.com (zkosn at zkosn.com)
Date: Sun, 06 Feb 2011 19:06:01 -0700
Subject: [vpn-help] 2.2 b1 miniport adapter
Message-ID: <20110206190601.35cc758f207e5a82ede39c4fdf64e9e5.dbcdb8e51b.wbe@email01.secureserver.net>

I'm only using infrastructure networks, however I have used ad-hocs in the past. If I disable the Virtual Miniport adapter, either the entire adapter or just the shrewsoft filter component, 2.2.0 will then immediately connect fine. I can even re-enable the Miniport adapter/filter and still I'm able to connect. However, if I reboot and the Virtual Miniport adapter is enabled, it cannot connect again until I disable it again. If I leave it disabled, all is good.

Thanks!
-------- Original Message --------
Subject: Re: [vpn-help] 2.2 b1 miniport adapter
From: Matthew Grooms
Date: Sun, February 06, 2011 4:14 pm
To: zkosn at zkosn.com
Cc: vpn-help at lists.shrew.net

On 2/6/2011 11:44 AM, zkosn at zkosn.com wrote:
> Win7/32 Can't establish a tunnel (doesn't even make an attempt to
> establish) if the Virtual Miniport adapter is enabled. Disabling it
> allows it to function and establish a tunnel.
>
> 2.1.7 works with the virtual miniport enabled.
>
> Any workaround or is it broken?
>

Hmmm. It should be the other way around unless you are communicating over an AD-Hoc Wifi network. The 2.2.0 version favors the base Wifi adapter but doesn't work with the MS Virtual Adapter used for AD-Hoc Wifi.

-Matthew

From paul at anastrophe.com Sun Feb 6 23:01:57 2011
From: paul at anastrophe.com (Paul Theodoropoulos)
Date: Sun, 06 Feb 2011 21:01:57 -0800
Subject: [vpn-help] new windows login credentials?
Message-ID: <4D4F7CC5.1030206@anastrophe.com>

having recently installed 2.2.0 beta 1 for windows 7 64bit, when my machine comes out of 'sleep', i'm now presented with a shrew vpn credentials login page by default, rather than my normal fingerprint sensor credentials login page. i can hit the 'log in as another user' button and then use my fingerprint - but, uh, what the heck is this? i went into the windows 'user accounts' control panel and there's nothing there for me to modify, and i can't figure out how to get rid of this...?

thanks in advance.

-- 
Paul Theodoropoulos

From mgrooms at shrew.net Mon Feb 7 00:47:45 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Mon, 07 Feb 2011 00:47:45 -0600
Subject: [vpn-help] new windows login credentials?
In-Reply-To: <4D4F7CC5.1030206@anastrophe.com>
References: <4D4F7CC5.1030206@anastrophe.com>
Message-ID: <4D4F9591.6070805@shrew.net>

On 2/6/2011 11:01 PM, Paul Theodoropoulos wrote:
> having recently installed 2.2.0 beta 1 for windows 7 64bit, when my
> machine comes out of 'sleep', i'm now presented with a shrew vpn
> credentials login page by default, rather than my normal fingerprint
> sensor credentials login page. i can hit the 'log in as another user'
> button and then use my fingerprint - but, uh, what the heck is this? i
> went into the windows 'user accounts' control panel and there's nothing
> there for me to modify, and i can't figure out how to get rid of this...?
>
> thanks in advance.
>

The 2.2.0 version includes an option for Secure Domain Login support. This is accomplished by installing a windows credentials provider on Windows Vista/7. If you don't want that option, you can re-install the client and uncheck the credentials provider to prevent the component from being installed. I'm not sure why it's being presented by default if you didn't manually select it during the Login process. I'll have a look at that before we do the next beta release.

-Matthew

From paul at anastrophe.com Mon Feb 7 12:20:56 2011
From: paul at anastrophe.com (Paul Theodoropoulos)
Date: Mon, 07 Feb 2011 10:20:56 -0800
Subject: [vpn-help] new windows login credentials?
In-Reply-To: <4D4F9591.6070805@shrew.net>
References: <4D4F7CC5.1030206@anastrophe.com> <4D4F9591.6070805@shrew.net>
Message-ID: <4D503808.9060504@anastrophe.com>

On 2/6/2011 10:47 PM, Matthew Grooms wrote:
> The 2.2.0 version includes an option for Secure Domain Login support.
> This is accomplished by installing a windows credentials provider on
> Windows Vista/7. If you don't want that option, you can re-install the
> client and uncheck the credentials provider to prevent the component
> from being installed.
> I'm not sure why it's being presented by default
> if you didn't manually select it during the Login process. I'll have a
> look at that before we do the next beta release.
>
> -Matthew

thanks matthew. i paid closer attention during the reinstall and indeed i see the credentials provider option. it was pre-selected, which is why i didn't notice it before. this brings up another issue pertaining to installs - but i'll start a separate thread for that since it's unrelated.

-- 
Paul Theodoropoulos

From paul at anastrophe.com Mon Feb 7 12:27:05 2011
From: paul at anastrophe.com (Paul Theodoropoulos)
Date: Mon, 07 Feb 2011 10:27:05 -0800
Subject: [vpn-help] reinstall problems
Message-ID: <4D503979.2000607@anastrophe.com>

i've had this problem with all 2.2.0 versions - whenever i attempt a reinstall, my system bluescreens while the previous version is being removed. win7 64bit, realtek ethernet hardware/drivers. i have no wireless on this system. curiously, on my work laptop that does have wireless, reinstall does not bluescreen.

one might ask why i reinstall sometimes. well, also with the 2.2.0 versions, if i've used the vpn previously, and later my PC has gone into sleep mode, after coming out of sleep, i can no longer use the vpn. i either get 'failed to attach to key daemon' - or it'll go through the full sequence of reconnecting to the vpn apparently successfully - but i'll be unable to actually use the connection - my ssh sessions just time out. on my work laptop, all i need do is run a reinstall, and then the vpn will work again. but on my PC, as above, the reinstall bluescreens.

-- 
Paul Theodoropoulos
From mgrooms at shrew.net Mon Feb 7 12:48:25 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Mon, 07 Feb 2011 12:48:25 -0600
Subject: [vpn-help] reinstall problems
In-Reply-To: <4D503979.2000607@anastrophe.com>
References: <4D503979.2000607@anastrophe.com>
Message-ID: <4D503E79.9080402@shrew.net>

On 2/7/2011 12:27 PM, Paul Theodoropoulos wrote:
> i've had this problem with all 2.2.0 versions - whenever i attempt a
> reinstall, my system bluescreens while the previous version is being
> removed. win7 64bit, realtek ethernet hardware/drivers. i have no
> wireless on this system. curiously, on my work laptop that does have
> wireless, reinstall does not bluescreen.
>

I have seen Realtek device drivers cause problems many times before. Have you updated them to use the latest revision for your chipset?

There were very minor changes to the Shrew Soft drivers between 2.1.7 and 2.2.0. In fact, I just submitted them to WinQual yesterday for final certification and they passed with no issues. That means these driver binaries will be the version included in the 2.2.0 release, just with the additional Microsoft signatures.

> one might ask why i reinstall sometimes. well, also with the 2.2.0
> versions, if i've used the vpn previously, and later my PC has gone into
> sleep mode, after coming out of sleep, i can no longer use the vpn. i
> either get 'failed to attach to key daemon' - or it'll go through the
> full sequence of reconnecting to the vpn apparently successfully - but
> i'll be unable to actually use the connection - my ssh sessions just
> time out. on my work laptop, all i need do is run a reinstall, and then
> the vpn will work again. but on my PC, as above, the reinstall bluescreens.
>

Does stopping/starting the Shrew Soft ike/ipsec services resolve this issue or are you forced to re-install the software? It would also be helpful to see debug level output for this scenario if possible.
-Matthew

From nss at compu-skill.com Mon Feb 7 16:34:52 2011
From: nss at compu-skill.com (Noach Sumner)
Date: Tue, 8 Feb 2011 00:34:52 +0200
Subject: [vpn-help] reinstall problems
In-Reply-To: <4D503E79.9080402@shrew.net>
References: <4D503979.2000607@anastrophe.com> <4D503E79.9080402@shrew.net>

I have the same problem where after my computer sleeps I can't connect unless I restart (IFF I was connected when it went into sleep mode). I am almost always connected wirelessly with an Intel 3945ABG, on Windows 7 32 bit.

On Mon, Feb 7, 2011 at 8:48 PM, Matthew Grooms wrote:
> On 2/7/2011 12:27 PM, Paul Theodoropoulos wrote:
>
>> i've had this problem with all 2.2.0 versions - whenever i attempt a
>> reinstall, my system bluescreens while the previous version is being
>> removed. win7 64bit, realtek ethernet hardware/drivers. i have no
>> wireless on this system. curiously, on my work laptop that does have
>> wireless, reinstall does not bluescreen.
>>
>>
> I have seen Realtek device drivers cause problems many times before. Have
> you updated them to use the latest revision for your chipset?
>
> There were very minor changes to the Shrew Soft drivers between 2.1.7 and
> 2.2.0. In fact, I just submitted them to WinQual yesterday for final
> certification and they passed with no issues. That means these driver
> binaries will be the version included in the 2.2.0 release, just with the
> additional Microsoft signatures.
>
>
> one might ask why i reinstall sometimes. well, also with the 2.2.0
>> versions, if i've used the vpn previously, and later my PC has gone into
>> sleep mode, after coming out of sleep, i can no longer use the vpn. i
>> either get 'failed to attach to key daemon' - or it'll go through the
>> full sequence of reconnecting to the vpn apparently successfully - but
>> i'll be unable to actually use the connection - my ssh sessions just
>> time out. on my work laptop, all i need do is run a reinstall, and then
>> the vpn will work again.
>> but on my PC, as above, the reinstall
>> bluescreens.
>>
>>
> Does stopping/starting the Shrew Soft ike/ipsec services resolve this issue
> or are you forced to re-install the software? It would also be helpful to
> see debug level output for this scenario if possible.
>
> -Matthew
>

From mattlenco at yahoo.com Mon Feb 7 17:55:21 2011
From: mattlenco at yahoo.com (Matt Lenco)
Date: Mon, 7 Feb 2011 15:55:21 -0800 (PST)
Subject: [vpn-help] Juniper SSG-20/Shrew VPN client-
Message-ID: <336660.74735.qm@web46306.mail.sp1.yahoo.com>

I continually get this error message when configuring VPN users on the Juniper SSG-20 gateway.

Rejected an IKE packet on ethernet0/0 from 9.9.9.2:500 to 9.9.9.1:500 with cookies cbf74b95a72b9d43 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

Juniper won't support me unless I pay the $88/NCP vpn client. That's bs.

I connect my laptop to the outside interface of the SSG-20 and change my ip address to 9.9.9.2/24 and I can ping the interface of the SSG 9.9.9.1/24. The VPN client tunnel negotiation fails with no possible solution. The Shrew client configuration is attached.

Thanks!

Matt
From paul at anastrophe.com Tue Feb 8 00:50:20 2011
From: paul at anastrophe.com (Paul Theodoropoulos)
Date: Mon, 07 Feb 2011 22:50:20 -0800
Subject: [vpn-help] reinstall problems
In-Reply-To: <4D503E79.9080402@shrew.net>
References: <4D503979.2000607@anastrophe.com> <4D503E79.9080402@shrew.net>
Message-ID: <4D50E7AC.9080808@anastrophe.com>

On 2/7/2011 10:48 AM, Matthew Grooms wrote:
> I have seen Realtek device drivers cause problems many times before.
> Have you updated them to use the latest revision for your chipset?

it's a pretty recent revision (checking)...7.31.1025.2010, which apparently has only recently been superseded.

> There were very minor changes to the Shrew Soft drivers between 2.1.7
> and 2.2.0. In fact, I just submitted them to WinQual yesterday for final
> certification and they passed with no issues. That means these driver
> binaries will be the version included in the 2.2.0 release, just with
> the additional Microsoft signatures.

i also have openVPN adapter installed, though i haven't used it in ages. i wonder if uninstalling that might have any effect. i've kept it in place just in case an old client ever needed assistance again - but i can always reinstall...

> Does stopping/starting the Shrew Soft ike/ipsec services resolve this
> issue or are you forced to re-install the software? It would also be
> helpful to see debug level output for this scenario if possible.

haven't tried stop/start of the ike/ipsec services, will give it a try. thanks for your excellent support!
-- 
Paul Theodoropoulos

From steve.harrold at eosemi.com Tue Feb 8 07:15:54 2011
From: steve.harrold at eosemi.com (Steve Harrold)
Date: Tue, 08 Feb 2011 13:15:54 +0000
Subject: [vpn-help] Netgear336 connection problems
Message-ID: <4D51420A.5070206@eosemi.com>

An HTML attachment was scrubbed...

From glen_di_persio at hotmail.com Tue Feb 8 07:36:05 2011
From: glen_di_persio at hotmail.com (Glen Di Persio)
Date: Tue, 8 Feb 2011 09:36:05 -0400
Subject: [vpn-help] Nortel Contivity VPN

I'm trying to connect to a Contivity VPN using Shrewsoft. The Contivity client connects with Diffie-Hellman group 8 (EC2N), while the Shrewsoft client only supports groups 1/2/5/14/15. The Contivity server will not respond to my initial ISAKMP packet from Shrewsoft. Is DH Group 8 a proprietary Nortel transform, or is it more widely used?

thanks,
Glen

From mattlenco at yahoo.com Tue Feb 8 14:58:47 2011
From: mattlenco at yahoo.com (Matt Lenco)
Date: Tue, 8 Feb 2011 12:58:47 -0800 (PST)
Subject: [vpn-help] LDAP Display Will Authenticate Users but Not the Userid
Message-ID: <801845.53887.qm@web46304.mail.sp1.yahoo.com>

By the way, I was just on the phone with the Juniper TAC for 2 hours. We got LDAP to work with the SSG-20 but you have to enter the display name and not the userid into the Shrew VPN client? John H. Doe instead of doej.

From mattlenco at yahoo.com Tue Feb 8 14:58:57 2011
From: mattlenco at yahoo.com (Matt Lenco)
Date: Tue, 8 Feb 2011 12:58:57 -0800 (PST)
Subject: [vpn-help] Tailor the VPN Client with My Company Logo?
Message-ID: <94651.89316.qm@web46302.mail.sp1.yahoo.com>

Is there a way to tailor the client with my company logo?

Thanks!

Matt
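Two of the messages above turn on what is, and is not, inside the very first packet of an IKEv1 Phase 1 exchange. The ScreenOS log line in Matt Lenco's SSG-20 message reports an "initial Phase 1 packet" (initiator cookie set, responder cookie all zeros) from a peer the gateway could not match, and Glen's Contivity question is about the Diffie-Hellman group carried in the SA proposal of that same packet. The decoder below is an added example written for this page; it is not Shrew Soft, Juniper or Nortel code. It builds two constructed sample packets, a Main Mode first message and an Aggressive Mode first message, and decodes the ISAKMP header, the SA/Proposal/Transform chain and the Phase 1 attributes as laid out in RFC 2408 and RFC 2409. The initiator cookie is copied from the log line above; every other byte is made up here, and the set of "supported" groups is the list Glen quotes (1/2/5/14/15), an assumption taken from his post rather than read from the client.

```python
"""Decode the first message of an IKEv1 Phase 1 exchange (RFC 2408 / RFC 2409).
Added example for this thread, not Shrew Soft, Juniper or Nortel code.
Sample packets are constructed below; only the initiator cookie is taken
from the ScreenOS log line quoted on the list."""
import struct

# ISAKMP header: I-cookie(8) R-cookie(8) next payload(1) version(1)
# exchange type(1) flags(1) message ID(4) total length(4) = 28 bytes.
HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 10: "NONCE", 13: "VID"}
# Phase 1 transform attribute classes (RFC 2409 Appendix A).
ATTR = {1: "enc", 2: "hash", 3: "auth", 4: "dh_group", 11: "life_type",
        12: "life_secs", 14: "key_len"}
# Groups the post above says the client offers (assumption from the post).
SHREW_GROUPS = {1, 2, 5, 14, 15}


def _attributes(body):
    """Parse ISAKMP Data Attributes: TV (AF bit set) or TLV (AF bit clear)."""
    attrs, off = {}, 0
    while off + 4 <= len(body):
        atype, avalue = struct.unpack("!HH", body[off:off + 4])
        if atype & 0x8000:                       # TV: two-byte value
            value, off = avalue, off + 4
        else:                                    # TLV: avalue is a length
            value = int.from_bytes(body[off + 4:off + 4 + avalue], "big")
            off += 4 + avalue
        attrs[ATTR.get(atype & 0x7FFF, atype & 0x7FFF)] = value
    return attrs


def _transforms(sa_body):
    """Walk SA -> Proposal -> Transform payloads; one attribute dict per transform."""
    out, off = [], 8                              # skip DOI(4) and Situation(4)
    while off + 8 <= len(sa_body):
        p_next, _, p_len, _, _, spi_size, n_tr = struct.unpack(
            "!BBHBBBB", sa_body[off:off + 8])
        t_off = off + 8 + spi_size
        for _ in range(n_tr):
            t_len = struct.unpack("!H", sa_body[t_off + 2:t_off + 4])[0]
            out.append(_attributes(sa_body[t_off + 8:t_off + t_len]))
            t_off += t_len
        if p_next == 0:
            break
        off += p_len
    return out


def decode_phase1(pkt):
    """Return what a responder can learn from a Phase 1 first message."""
    icookie, rcookie, nxt, _ver, exch, _flags, msgid, length = HDR.unpack(pkt[:28])
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match packet size")
    info = {
        "initiator_cookie": icookie.hex(),
        "exchange": EXCHANGE.get(exch, exch),
        # Zero responder cookie and message ID 0: nobody has replied yet,
        # so this is the very first packet of a Phase 1 exchange.
        "initial_phase1": rcookie == bytes(8) and msgid == 0,
        "payloads": [],
        "proposals": [],
        "peer_id_in_first_packet": False,
    }
    off = 28
    while nxt != 0:
        p_next, _, p_len = struct.unpack("!BBH", pkt[off:off + 4])
        body = pkt[off + 4:off + p_len]
        info["payloads"].append(PAYLOAD.get(nxt, nxt))
        if nxt == 1:
            info["proposals"] = _transforms(body)
        elif nxt == 5:                           # ID payload: Aggressive Mode only
            info["peer_id_in_first_packet"] = True
        nxt, off = p_next, off + p_len
    info["unsupported_groups"] = sorted(
        {p["dh_group"] for p in info["proposals"]
         if "dh_group" in p and p["dh_group"] not in SHREW_GROUPS})
    return info


# --- constructed sample packets (not captured traffic) -------------------

def _payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def _sa_payload(group):
    """One proposal, one transform: AES-128-CBC / SHA1 / PSK / given DH group."""
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in
                     [(1, 7), (14, 128), (2, 2), (3, 1), (4, group), (11, 1)])
    attrs += struct.pack("!HHI", 12, 4, 86400)   # TLV: life duration 86400 s
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    return struct.pack("!II", 1, 1) + proposal    # DOI = IPsec, SIT_IDENTITY_ONLY


def build_first_packet(exchange, group, icookie):
    """Main Mode first packet carries SA only; Aggressive Mode adds KE, NONCE, ID."""
    chain = [(1, _sa_payload(group))]
    if exchange == 4:
        chain += [(4, b"\x11" * 128), (10, b"\x22" * 16),
                  (5, bytes([1, 0, 0, 0]) + bytes([192, 0, 2, 10]))]  # ID_IPV4_ADDR
    body = b""
    for i, (_ptype, pbody) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += _payload(nxt, pbody)
    return HDR.pack(icookie, bytes(8), chain[0][0], 0x10, exchange, 0, 0,
                    28 + len(body)) + body


if __name__ == "__main__":
    icookie = bytes.fromhex("cbf74b95a72b9d43")   # from the ScreenOS log line
    for exch, grp in ((2, 2), (4, 8)):
        d = decode_phase1(build_first_packet(exch, grp, icookie))
        print(d["exchange"], d["payloads"], "initial:", d["initial_phase1"],
              "peer ID visible:", d["peer_id_in_first_packet"],
              "groups the client lacks:", d["unsupported_groups"])
```

Running it shows the two things the thread is circling. The Main Mode first message carries nothing but cookies and an SA proposal, so a responder has only the source address to match it against its configured peers before it ever sees an ID payload (that arrives in the fifth message, already encrypted), whereas the Aggressive Mode first message carries the ID payload in the clear. And a proposal whose only Group Description attribute is 8 is flagged as one that a client limited to the MODP groups Glen lists cannot offer, which is consistent with a responder that insists on that group staying silent.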
From pabouk at centrum.cz Mon Feb 14 17:43:59 2011
From: pabouk at centrum.cz (Vaclav Brozik)
Date: Tue, 15 Feb 2011 00:43:59 +0100
Subject: [vpn-help] no traffic passing through tunnel (Windows Vista SP2 32bit)
Message-ID: <20110214234359.B09A4100FDB64@mail1001.cent>

Hello,

I am testing Shrew Soft VPN Client 2.1.7 on Windows Vista SP2 32 bit. The VPN gateway is some Cisco device. It introduces itself as Cisco Systems, Inc ASA5520-K8. The IKE negotiation completes successfully and a successful keep-alive packet exchange follows. Unfortunately no traffic passes the established VPN tunnel. It looks like there is an ARP or routing problem.

------ here is the virtual interface:

Ethernet adapter Local Area Connection* 42:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
   Physical Address. . . . . . . . . : AA-AA-AA-46-BC-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1fa:d425:d0c9:2bc4%134(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.94.48(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : -1968526678
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0E-70-91-69-00-1A-4B-61-1C-D2
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Disabled

------ relevant routes from the routing table:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.147.254  192.168.147.101    266
...
     192.168.94.0    255.255.255.0         On-link     192.168.94.48    286
    192.168.94.48  255.255.255.255         On-link     192.168.94.48    286
   192.168.94.255  255.255.255.255         On-link     192.168.94.48    286
     192.168.95.0    255.255.255.0         On-link     192.168.94.48     31
   192.168.95.255  255.255.255.255         On-link     192.168.94.48    286

192.168.94.0/24 - is the subnet for VPN client addresses
192.168.95.0/24 - is the remote subnet behind the VPN gateway I want to access

Notice that the routing table is set as if the remote subnet was connected directly to a local interface (there is no gateway set), so Windows needs to receive a reply to ARP when sending a packet to the remote subnet. Is the routing table supposed to be like this?

------ Unfortunately when I ping a remote address Windows receives no reply to the ARP request, resulting in a "destination unreachable" message:

C:\Windows\system32>ping 192.168.95.184

Pinging 192.168.95.184 with 32 bytes of data:
Reply from 192.168.94.48: Destination host unreachable.
Request timed out.

------ the ARP request captured using Wireshark (no reply was ever seen):

1 0.000000000 aa:aa:aa:46:3c:00 Broadcast ARP 42 Who has 192.168.95.184?  Tell 192.168.94.48

What is strange: the IPSEC service logs other ARP requests but not this one, which does not get a reply.

------ this message sequence continuously repeats twice per second in the IPSEC service log:

11/02/14 23:28:33 K< : recv GET UNSPEC pfkey message
11/02/14 23:28:33 DB : sa found
11/02/14 23:28:33 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/02/14 23:28:33 DB : sa ref decrement ( ref count = 2, sa count = 2 )

------ message describing an unrelated ARP request to the local network:

11/02/14 23:28:44 ii : inspecting ARP request ...
11/02/14 23:28:44 DB : policy not found
11/02/14 23:28:44 ii : ignoring ARP request for 192.168.147.254, no policy found

------ message related to a request of another LAN machine asking for the address of my Windows machine:

11/02/14 23:29:23 ii : inspecting ARP request ...
11/02/14 23:29:23 !! : ARP packet has invalid header

(In fact the ARP request does not look wrong and is correctly replied to by my Windows machine.)

The ARP request sent from the Shrew Soft Virtual Adapter does not appear in the log at all! It seems that the VPN client does not see the ARP request. Also the "transferred" counters of the IPsec Security Associations stay at 0 all the time.

I tried a different internet connection (dialup over GPRS) too - no success.

Am I missing something in the VPN client or Windows configuration, or could this be a bug in the VPN client?

Thank you in advance for your help.

Pabouk

From Rainer.Blaes at astrium.eads.net Tue Feb 15 08:02:07 2011
From: Rainer.Blaes at astrium.eads.net (Rainer Blaes)
Date: Tue, 15 Feb 2011 15:02:07 +0100
Subject: [vpn-help] SHREW Dial Up Client and SSG 320 with Certificates
Message-ID: <4D5A875F.7090608@astrium.eads.net>

Hi everybody,

2 weeks ago we set up a SHREW Dial Up VPN Client 2.1.7 connection to our SSG 350 device and the connection is working fine. Now we got a SSG 320 out of the box and imported the running SSG 350 configuration into it. Unfortunately the tunnel isn't coming up; it seems to us that something is wrong within Phase 1. But what? Please see the iked.log entries here:

11/02/15 12:04:20 ## : IKE Daemon, ver 2.1.7
11/02/15 12:04:20 ## : Copyright 2010 Shrew Soft Inc.
11/02/15 12:04:20 ## : This product linked OpenSSL 0.9.8h 28 May 2008
11/02/15 12:04:20 ii : opened 'C:\Programme\ShrewSoft\VPN Client\debug\iked.log'
11/02/15 12:04:20 ii : opened 'C:\Programme\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
11/02/15 12:04:20 ii : opened 'C:\Programme\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
11/02/15 12:04:20 ii : rebuilding vnet device list ...
11/02/15 12:04:20 ii : device ROOT\VNET\0000 disabled
11/02/15 12:04:20 ii : network process thread begin ...
11/02/15 12:04:20 ii : pfkey process thread begin ...
11/02/15 12:04:20 ii : ipc server process thread begin ...
11/02/15 12:07:44 ii : ipc client process thread begin ...
11/02/15 12:07:44 192.168.11.1:500
11/02/15 12:07:46 DB : fa229af570c7fb18:0000000000000000
11/02/15 12:07:46 DB : phase1 added ( obj count = 1 )
11/02/15 12:07:46 >> : security association payload
11/02/15 12:07:46 >> : - proposal #1 payload
11/02/15 12:07:46 >> : -- transform #1 payload
11/02/15 12:07:46 >> : -- transform #2 payload
11/02/15 12:07:46 >> : -- transform #3 payload
11/02/15 12:07:46 >> : -- transform #4 payload
11/02/15 12:07:46 >> : -- transform #5 payload
11/02/15 12:07:46 >> : -- transform #6 payload
11/02/15 12:07:46 >> : -- transform #7 payload
11/02/15 12:07:46 >> : -- transform #8 payload
11/02/15 12:07:46 >> : -- transform #9 payload
11/02/15 12:07:46 >> : -- transform #10 payload
11/02/15 12:07:46 >> : -- transform #11 payload
11/02/15 12:07:46 >> : -- transform #12 payload
11/02/15 12:07:46 >> : -- transform #13 payload
11/02/15 12:07:46 >> : -- transform #14 payload
11/02/15 12:07:46 >> : -- transform #15 payload
11/02/15 12:07:46 >> : -- transform #16 payload
11/02/15 12:07:46 >> : -- transform #17 payload
11/02/15 12:07:46 >> : -- transform #18 payload
11/02/15 12:07:46 >> : key exchange payload
11/02/15 12:07:46 >> : nonce payload
11/02/15 12:07:46 >> : cert request payload
11/02/15 12:07:46 >> : identification payload
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports XAUTH
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v00 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v01 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v02 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v03 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( rfc )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports FRAGMENTATION
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports DPDv1
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is SHREW SOFT compatible
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is NETSCREEN compatible
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is SIDEWINDER compatible
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is CISCO UNITY compatible
11/02/15 12:07:46 >= : cookies fa229af570c7fb18:0000000000000000
11/02/15 12:07:46 >= : message 00000000
11/02/15 12:07:46 -> : send IKE packet 192.168.11.3:500 -> 192.168.11.1:500 ( 1245 bytes )
11/02/15 12:07:46 DB : phase1 resend event scheduled ( ref count = 2 )
11/02/15 12:07:51 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:07:56 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:08:01 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:08:06 ii : resend limit exceeded for phase1 exchange
11/02/15 12:08:06 ii : phase1 removal before expire time
11/02/15 12:08:06 DB : phase1 deleted ( obj count = 0 )
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : tunnel stats event canceled ( ref count = 1 )
11/02/15 12:08:06 DB : removing tunnel config references
11/02/15 12:08:06 DB : removing tunnel phase2 references
11/02/15 12:08:06 DB : removing tunnel phase1 references
11/02/15 12:08:06 DB : tunnel deleted ( obj count = 0 )
11/02/15 12:08:06 DB : removing all peer tunnel refrences
11/02/15 12:08:06 DB : peer deleted ( obj count = 0 )
11/02/15 12:08:06 ii : ipc client process thread exit ...
11/02/15 12:11:51 ii : ipc client process thread begin ...
11/02/15 12:11:51 192.168.11.1:500
11/02/15 12:11:59 DB : 221f334a8c0e197f:0000000000000000
11/02/15 12:11:59 DB : phase1 added ( obj count = 1 )
11/02/15 12:11:59 >> : security association payload
11/02/15 12:11:59 >> : - proposal #1 payload
11/02/15 12:11:59 >> : -- transform #1 payload
11/02/15 12:11:59 >> : key exchange payload
11/02/15 12:11:59 >> : nonce payload
11/02/15 12:11:59 >> : cert request payload
11/02/15 12:11:59 >> : identification payload
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports XAUTH
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v00 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v01 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v02 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v03 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( rfc )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports FRAGMENTATION
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports DPDv1
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is SHREW SOFT compatible
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is NETSCREEN compatible
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is SIDEWINDER compatible
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is CISCO UNITY compatible
11/02/15 12:11:59 >= : cookies 221f334a8c0e197f:0000000000000000
11/02/15 12:11:59 >= : message 00000000
11/02/15 12:11:59 -> : send IKE packet 192.168.11.3:500 -> 192.168.11.1:500 ( 585 bytes )
11/02/15 12:11:59 DB : phase1 resend event scheduled ( ref count = 2 )
11/02/15 12:11:59 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:11:59 DB : phase1 found
11/02/15 12:11:59 ii : processing informational packet ( 64 bytes )
11/02/15 12:11:59 =< : cookies 221f334a8c0e197f:d3c668fbd6a61255
11/02/15 12:11:59 =< : message 00000000
11/02/15 12:11:59 << : notification payload
11/02/15 12:11:59 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:11:59 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:11:59 ii : - isakmp spi = 221f334a8c0e197f:d3c668fbd6a61255
11/02/15 12:11:59 ii : - data size 8
11/02/15 12:12:04 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:12:04 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:12:04 DB : phase1 found
11/02/15 12:12:04 ii : processing informational packet ( 64 bytes )
11/02/15 12:12:04 =< : cookies 221f334a8c0e197f:b6b9df9481bde6cb
11/02/15 12:12:04 =< : message 00000000
11/02/15 12:12:04 << : notification payload
11/02/15 12:12:04 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:12:04 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:12:04 ii : - isakmp spi = 221f334a8c0e197f:b6b9df9481bde6cb
11/02/15 12:12:04 ii : - data size 8
11/02/15 12:12:09 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:12:09 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:12:09 DB : phase1 found
11/02/15 12:12:09 ii : processing informational packet ( 64 bytes )
11/02/15 12:12:09 =< : cookies 221f334a8c0e197f:9e28c29bed6baea3
11/02/15 12:12:09 =< : message 00000000
11/02/15 12:12:09 << : notification payload
11/02/15 12:12:09 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:12:09 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:12:09 ii : - isakmp spi = 221f334a8c0e197f:9e28c29bed6baea3
11/02/15 12:12:09 ii : - data size 8
11/02/15 12:12:14 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:12:14 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:12:14 DB : phase1 found
11/02/15 12:12:14 ii : processing informational packet ( 64 bytes )
11/02/15 12:12:14 =< : cookies 221f334a8c0e197f:b3a30e0e8a811912
11/02/15 12:12:14 =< : message 00000000
11/02/15 12:12:14 << : notification payload
11/02/15 12:12:14 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:12:14 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:12:14 ii : - isakmp spi = 221f334a8c0e197f:b3a30e0e8a811912
11/02/15 12:12:14 ii : - data size 8
11/02/15 12:12:19 ii : resend limit exceeded for phase1 exchange
11/02/15 12:12:19 ii : phase1 removal before expire time
11/02/15 12:12:19 DB : phase1 deleted ( obj count = 0 )
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : tunnel stats event canceled ( ref count = 1 )
11/02/15 12:12:19 DB : removing tunnel config references
11/02/15 12:12:19 DB : removing tunnel phase2 references
11/02/15 12:12:19 DB : removing tunnel phase1 references
11/02/15 12:12:19 DB : tunnel deleted ( obj count = 0 )
11/02/15 12:12:19 DB : removing all peer tunnel refrences
11/02/15 12:12:19 DB : peer deleted ( obj count = 0 )
11/02/15 12:12:19 ii : ipc client process thread exit ...

Many thanks in advance!
Rainer
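Rainer's second attempt above ends with the gateway answering NO-PROPOSAL-CHOSEN. An IKEv1 responder walks the initiator's phase 1 transforms in order and sends that notification when none of them is identical to a transform its own gateway object is configured with; the Shrew Soft client does the same walk in the other direction when it evaluates the gateway's reply, which is what the "unmatched isakmp proposal/transform", "key length ( 128 != 256 )" and "matched isakmp proposal #1 transform #1" lines in Thorsten's log further down this thread record. The following Python is an added illustration written for this archive page, not Shrew Soft or Juniper code. The transform lists in it are constructed to mirror the shape of those two logs, and the SHA-1 versus MD5 difference it uses for the SSG 320 case is an assumed cause chosen only to show the mechanism; as Vaclav notes in his reply, the real reason is only visible in the gateway's own log.

```python
"""IKEv1 phase-1 transform selection, written for this thread as an illustration.

Not Shrew Soft or Juniper code.  The transform lists at the bottom are
constructed samples that mirror the shape of the two logs in the thread; the
attribute values are assumptions, not taken from either device.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Transform:
    """One ISAKMP transform: every attribute must be identical on both peers
    before a responder may select it."""
    cipher: str      # "aes", "3des", ...
    key_bits: int    # 0 for ciphers with a fixed key length such as 3des
    hash_alg: str    # "md5", "sha1", ...
    dh_group: int    # 1 = modp-768, 2 = modp-1024, 5 = modp-1536, ...
    auth: str        # "psk", "rsa-sig", "xauth-initiator-psk", ...


# Comparison order and labels follow the order in which the Shrew Soft log
# prints a matched transform (cipher type, key length, hash type, dh group,
# auth type); the first difference found is the one reported.
_FIELDS = (("cipher", "cipher type"), ("key_bits", "key length"),
           ("hash_alg", "hash type"), ("dh_group", "dh group"),
           ("auth", "auth type"))


def first_mismatch(local: Transform, peer: Transform) -> Optional[str]:
    """Return "<label> ( peer_value != local_value )" for the first attribute
    that differs, or None when the transforms are identical."""
    for attr, label in _FIELDS:
        mine, theirs = getattr(local, attr), getattr(peer, attr)
        if mine != theirs:
            return f"{label} ( {theirs} != {mine} )"
    return None


def select_transform(accepted: Sequence[Transform],
                     offered: Sequence[Transform]) -> Tuple[Optional[int], List[str]]:
    """Walk the peer's transforms in order and return the 1-based number of
    the first one that equals any locally accepted transform, together with
    one note per rejected (local, peer) pair.  (None, notes) means no match:
    an IKEv1 responder answers that with a NO-PROPOSAL-CHOSEN notification."""
    notes: List[str] = []
    for number, peer_tf in enumerate(offered, start=1):
        for local_tf in accepted:
            reason = first_mismatch(local_tf, peer_tf)
            if reason is None:
                return number, notes
            notes.append(f"transform #{number}: {reason}")
    return None, notes


def responder_reply(accepted: Sequence[Transform],
                    offered: Sequence[Transform]) -> str:
    """What the responder sends back for the given offer."""
    number, _ = select_transform(accepted, offered)
    return "NO-PROPOSAL-CHOSEN" if number is None else f"matched transform #{number}"


def expand_auto(ciphers: Sequence[Tuple[str, int]], hashes: Sequence[str],
                groups: Sequence[int], auth: str) -> List[Transform]:
    """A client configured with 'auto' cipher and hash settings offers one
    transform per combination, which is why the initiator's proposal in the
    logs carries so many transforms."""
    return [Transform(c, k, h, g, auth)
            for (c, k) in ciphers for h in hashes for g in groups]


# Constructed sample in the shape of Thorsten's log: the client offered AES at
# several key lengths, the gateway selected AES-128/MD5/group 2, and the client
# walks its own list until it finds the entry the gateway chose.
CLIENT_AUTO = expand_auto([("aes", 256), ("aes", 192), ("aes", 128)],
                          ["md5"], [2], "xauth-initiator-psk")
GATEWAY_REPLY = [Transform("aes", 128, "md5", 2, "xauth-initiator-psk")]

# Constructed sample for the SSG 320 exchange above: an assumed SHA-1 versus
# MD5 difference makes nothing match, so the responder has to refuse the offer.
SSG_ACCEPTS = [Transform("aes", 128, "sha1", 2, "rsa-sig")]
CLIENT_SINGLE = [Transform("aes", 128, "md5", 2, "rsa-sig")]


if __name__ == "__main__":
    for label, accepted, offered in (("client side", CLIENT_AUTO, GATEWAY_REPLY),
                                     ("gateway side", SSG_ACCEPTS, CLIENT_SINGLE)):
        number, notes = select_transform(accepted, offered)
        print(label)
        for note in notes:
            print("  unmatched:", note)
        print("  result:", responder_reply(accepted, offered))
```

The gateway side of the walk is the one that matters for troubleshooting: because the responder only reports which transform it picked, or that it picked none, the attribute that actually differed has to be read from the gateway's own event log, which is why comparing the phase 1 settings of a working gateway object against the freshly imported one is the quickest check.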
From pabouk at centrum.cz Tue Feb 15 08:57:34 2011
From: pabouk at centrum.cz (Vaclav Brozik)
Date: Tue, 15 Feb 2011 15:57:34 +0100
Subject: [vpn-help] SHREW Dial Up Client and SSG 320 with Certificates
In-Reply-To: <4D5A875F.7090608@astrium.eads.net>
References: <4D5A875F.7090608@astrium.eads.net>
Message-ID: <20110215145734.5F3396000A969@mail1014.cent>

Hi Rainer,

from the gateway you receive the message NO-PROPOSAL-CHOSEN:

11/02/15 12:11:59 ii : received peer NO-PROPOSAL-CHOSEN notification

This means that the gateway does not accept your proposals for phase 1. Check whether the phase 1 configuration matches on both client and gateway. Probably you can see more detailed information in the gateway logs, because for security reasons the gateway does not send a detailed reason for not accepting a proposal of your client.

It is strange that the gateway does not seem to respond at all to the first client attempt.

Regards,
Vaclav

From martin.kreutzer at iis.fraunhofer.de Fri Feb 18 06:43:03 2011
From: martin.kreutzer at iis.fraunhofer.de (Martin Kreutzer)
Date: Fri, 18 Feb 2011 13:43:03 +0100
Subject: [vpn-help] VPN Connection does not show up in network connections
Message-ID: <4D5E6957.1050008@iis.fraunhofer.de>

Hi,

I have the shrew client 2.1.7 installed on a Windows 7 Enterprise 64bit. It works fine, but I do not get a connection icon in the "network connections" window (I hope that this is the English name for it; in German it's "Netzwerkverbindungen" - the window which lists your network adapters). "ipconfig /all" shows it with the name "LAN-Verbindung* 2". Any suggestions where to look for it?

Regards
Martin

-- 
Martin Kreutzer [Martin.Kreutzer at iis.fraunhofer.de]
IT Services
Fraunhofer IIS [www.iis.fraunhofer.de]
Am Wolfsmantel 33
91058 Erlangen
Germany
Tel.: +49 9131 776 2776
Fax.: +49 9131 776 2799

From shrew64 at gmail.com Fri Feb 18 10:20:05 2011
From: shrew64 at gmail.com (Da Da)
Date: Fri, 18 Feb 2011 17:20:05 +0100
Subject: [vpn-help] DPD parameters
Message-ID:

Hi,

First of all, thank you for this great piece of software.

I'm currently testing the VPN client on Windows x64 with a WWAN access. I've been testing version 2.2b1 but I rolled back to v2.1.7 due to stability issues of the IKED service (I can't reproduce these issues yet).

So I'm back on v2.1.7 and it works fine except for one thing: the DPD feature disconnects the client very quickly if a gateway isn't reachable (about 10 seconds). As I create the VPN tunnel over a native mobile broadband connection, it's too short. Sometimes I'm in the train or moving and the WWAN connection is lost for a few seconds, and Windows recovers it without problem. But Shrewsoft VPN has already disconnected the tunnel...

If I disable the DPD feature, it works. When the WWAN connection goes up again, the SA is maintained and I receive packets again. However, this creates session timeout issues on the facing gateway.

A nice solution would be to increase the number of DPD retries, for it to be less aggressive. Is there a way to do it easily?

/David

From w2kfs1 at googlemail.com Mon Feb 21 09:13:56 2011
From: w2kfs1 at googlemail.com (w2kfs1)
Date: Mon, 21 Feb 2011 16:13:56 +0100
Subject: [vpn-help] Manual ShrewVPN to ZyXEL USG-Series
Message-ID:

Dear Shrew,

I have made a manual to connect our client to the ZyWALL USG-Series. It would be good if you inserted this manual on your website under Support.
Please note that in the reference to the "old" ZyWALL Series there is a mistake: if you choose "Enable Multiple Proposals" in Phase 1 & 2, you can connect with wrong Phase 1 & 2 encryption settings; it's a leak!

Attached is the new manual for the USG-Series. If you need access for checking, please send me an email with your public IP.

Best Regards
Christian

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Confidentiality note
This message (including any attachments) contains confidential information intended for a specific individual or entity as the intended recipient. If you are not the intended recipient, you are hereby notified that any distribution, any copying of this message in part or in whole, or any taking of action based on it, is strictly prohibited by law and may cause liability. In case you have received this message due to an error in transmission, we ask you to notify the sender immediately.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ShrewVPN Client to ZyWALL USGx Series.pdf
Type: application/pdf
Size: 1416828 bytes

From darrenn at jkdesign.com Tue Feb 22 09:20:32 2011
From: darrenn at jkdesign.com (Darren Nye)
Date: Tue, 22 Feb 2011 10:20:32 -0500
Subject: [vpn-help] unsubscribe
Message-ID: <00c401cbd2a4$0d106980$27313c80$@com>

unsubscribe

-- 
Darren L. Nye
VP Interactive & I.T.
JK Design
465 Amwell Road
Hillsborough, NJ 08844
P: 908 428 4700 Ext.12
F: 908 428 4701
E: darrenn at jkdesign.com
www.jkdesign.com

From huw at hermesmedical.com Thu Feb 24 06:19:06 2011
From: huw at hermesmedical.com (Huw Thomas)
Date: Thu, 24 Feb 2011 12:19:06 +0000
Subject: [vpn-help] Help with config
Message-ID:

Dear all,
I have a Shrewsoft configuration that connects to my NVS318g Netgear router no problem (using Mode Config) from my Windows 7 Ultimate system. I successfully get assigned an IP address from the Mode Config range and can see devices on the remote network.

However, when I install the exact same Shrewsoft configuration on a Windows Home Premium laptop, it connects fine but doesn't get assigned an IP address from the Mode Config range, so I can't see the remote network.

Can you please help? I am using Shrew 2.1.7

Thanks,
Huw

From stefan.bauer at cubewerk.de Fri Feb 25 05:23:23 2011
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Fri, 25 Feb 2011 12:23:23 +0100
Subject: [vpn-help] RW (shrew) -> swan (ipcop) - tunnel active - no packages back to RW
Message-ID: <4D67912B.1020302@cubewerk.de>

Hi folks,

I associated a tunnel between shrew (winxp) and ipcop (swan).

According to the logs on both sides, the tunnel is active but no packets come back to the RW.

Here is a tcpdump on the server - my RW is 192.168.10.30, ipcop.localdomain is 172.20.0.1:

IP 192.168.10.30 > ipcop.localdomain: ICMP echo request, id 1536, seq 1024, length 40
IP ipcop.localdomain > 192.168.10.30: ICMP echo reply, id 1536, seq 1024, length 40

I checked whether the answer packets might get masqueraded, but I added an exception for the RW network:

Chain POSTROUTING (1 references)
 pkts bytes target      prot opt in     out     source               destination
   17  1316 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            !192.168.10.0/24

Still, I see no answer traffic on my roadwarrior Windows PC (sniffing traffic with libpcap / windump).

Some debug/infos here: http://www.plzk.de/ipsec.log

Ideas are greatly appreciated.
Thanks
Stefan

-- 
Stefan Bauer
-----------------------------------------
PGP: 36D1 1570 DCAD B767 EABE F60D 6BCA 7AD4 79EB C4EC
-------- plzk.de - Linux - because it works ----------

From stefan.bauer at cubewerk.de Sun Feb 27 14:09:52 2011
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Sun, 27 Feb 2011 21:09:52 +0100
Subject: [vpn-help] bugreport: gui + pkcs12 file import
Message-ID: <4D6AAF90.3040700@cubewerk.de>

Hi Matthew,

this is a bug report against the latest beta version for Windows. I guess I found 2 bugs. One in the GUI of the trace utility and one when using my pkcs12 file. The pkcs12 file was working fine with the stable version. I just switched to the beta because I had problems like stated in "[vpn-help] RW (shrew) -> swan (ipcop) - tunnel active - no packages back to RW".

Please see the demonstration of both bugs here (turn speakers on):

http://www.youtube.com/watch?v=3fGrxS3MULg

Thanks in advance
Stefan

From stefan.bauer at cubewerk.de Sun Feb 27 14:47:09 2011
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Sun, 27 Feb 2011 21:47:09 +0100
Subject: [vpn-help] RW (shrew) -> swan (ipcop) - tunnel active - no packages back to RW
In-Reply-To: <4D67912B.1020302@cubewerk.de>
References: <4D67912B.1020302@cubewerk.de>
Message-ID: <4D6AB84D.1050408@cubewerk.de>

On 25.02.2011 12:23, Stefan Bauer wrote:
> Hi folks,
>
> I associated a tunnel between shrew (winxp) and ipcop (swan).
>
> According to the logs on both sides, the tunnel is active but no
> packets come back to the RW.

After some network analysis: the packets even came back to the client but did not get used by the client. I had an additional virtual IP address set up on the Ethernet interface on the client side in Windows XP. After removing this IP address, the packets were used by the Shrew client.

Matthew - is that a bug?
Stefan

-- 
Stefan Bauer
-----------------------------------------
PGP: 36D1 1570 DCAD B767 EABE F60D 6BCA 7AD4 79EB C4EC
-------- plzk.de - Linux - because it works ----------

From akmangalick at gmail.com Sun Feb 27 15:18:48 2011
From: akmangalick at gmail.com (A. Kumar Mangalick)
Date: Sun, 27 Feb 2011 13:18:48 -0800
Subject: [vpn-help] cannot install in Windows 7 64-bit
Message-ID: <000901cbd6c3$ede95610$c9bc0230$@gmail.com>

I'm unable to install the client software. Every time I've tried, the installer sits forever at the step indicating that drvcfg.exe is being executed. The CPU is at about 50% the entire time and I have had to kill the process after nearly 15 minutes. Then the software is listed among the installed programs, so I've tried to uninstall it. However, the same thing happens at the step that involves drvcfg.exe. Now I cannot uninstall.

Kumar

From stefan.bauer at cubewerk.de Sun Feb 27 16:15:03 2011
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Sun, 27 Feb 2011 23:15:03 +0100
Subject: [vpn-help] cannot install in Windows 7 64-bit
In-Reply-To: <000901cbd6c3$ede95610$c9bc0230$@gmail.com>
References: <000901cbd6c3$ede95610$c9bc0230$@gmail.com>
Message-ID: <4D6ACCE7.7060904@cubewerk.de>

On 27.02.2011 22:18, A. Kumar Mangalick wrote:
> I'm unable to install the client software. Every time I've tried, the
> installer sits forever at the step indicating that drvcfg.exe is being
> executed. The CPU is at about 50% the entire time and I have had to kill
> the process after nearly 15 minutes. Then the software is listed among the
> installed programs, so I've tried to uninstall it. However, the same thing
> happens at the step that involves drvcfg.exe. Now I cannot uninstall.

Give it a try in Windows safe mode?
Stefan

-- 
Stefan Bauer
-----------------------------------------
PGP: 36D1 1570 DCAD B767 EABE F60D 6BCA 7AD4 79EB C4EC
-------- plzk.de - Linux - because it works ----------

From florian.beckmann at camunda.com Mon Feb 28 06:50:39 2011
From: florian.beckmann at camunda.com (Florian Beckmann)
Date: Mon, 28 Feb 2011 13:50:39 +0100
Subject: [vpn-help] timeout for svn repos
Message-ID: <201102281350.40013.florian.beckmann@camunda.com>

Hi Matthew,

I had the same build error as described in "ike-2.2.0-beta-1 make errors" by Steve. I tried to fetch HEAD from svn://svn.shrew.net/ike/head but the repository seems to be down. Did it move?

Cheers
Florian

From florian.beckmann at camunda.com Mon Feb 28 05:09:02 2011
From: florian.beckmann at camunda.com (Florian Beckmann)
Date: Mon, 28 Feb 2011 11:09:02 +0000 (UTC)
Subject: [vpn-help] ike-2.2.0-beta-1 make errors
References: <4D4C4484.6040603@eosemi.com> <4D4EDD9D.8050508@shrew.net>
Message-ID:

Matthew Grooms writes:
> I just fixed the build issues. Please pull down a copy from svn and give
> it another try.
>
> svn export svn://svn.shrew.net/ike/head
>
> -Matthew

Hi Matthew,

I have the same problem as described above, but right now I'm unable to reach the subversion repository (timeout) to try the head build.

Cheers
Florian

From t.steffen at gmx.de Sun Feb 27 08:50:11 2011
From: t.steffen at gmx.de (Thorsten Steffen)
Date: Sun, 27 Feb 2011 15:50:11 +0100
Subject: [vpn-help] Problems using shrew to connect to ns5gt
Message-ID:

Hi guys,

I'm trying to connect to a Juniper NS5GT (Hardware Version: 1010, Firmware Version: 6.2.0r2.0 Firewall+VPN) with Shrew VPN Client 2.1.7 (running on Win7 64bit) without success. I used http://www.shrew.net/support/wiki/HowtoJuniperSsg to configure both sides.

Messages in the shrew client window are:

===
config loaded for site '222.61.123.22'
configuring client settings...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
user authentication error
tunnel disabled
detached from key daemon ...
===

Error messages on the Juniper are:

===
2011-02-27 15:27:29 info IKE 62.143.130.124: XAuth login failed for gateway vpnclient_gateway, username thorsten, retry: 0, timeout: 1.
2011-02-27 15:27:29 info Rejected an IKE packet on ethernet3 from 62.143.130.124:4500 to 222.61.123.22:4500 with cookies e11944da1f039872 and b6cc949745492852 because A Phase 2 packet arrived while XAuth was still pending.
2011-02-27 15:27:29 info IKE 62.143.130.124 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2011-02-27 15:27:29 info IKE 62.143.130.124 Phase 1: Completed for user client.jersa.de.
2011-02-27 15:27:29 info IKE<62.143.130.124> Phase 1: IKE responder has detected NAT in front of the remote device.
2011-02-27 15:27:29 info IKE<62.143.130.124> Phase 1: IKE responder has detected NAT in front of the local device.
2011-02-27 15:27:29 info IKE 62.143.130.124 phase 1:The symmetric crypto key has been generated successfully.
2011-02-27 15:27:29 info IKE 62.143.130.124 Phase 1: Responder starts AGGRESSIVE mode negotiations.
===

The password for user thorsten is correct; I already tried to connect with a wrong password and got a different error message.
Shrew configuration is:

===
n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:phase2-keylen:0
s:network-host:222.61.123.22
s:client-auto-mode:push
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:client.jersa.de
s:ident-server-data:vpngw.jersa.de
b:auth-mutual-psk:dGVzdDJURVNU
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-level:auto
s:policy-list-include:10.1.1.0 / 255.255.255.0
===

Shrew debug log is:

===
11/02/27 15:15:44 ii : ipc client process thread begin ...
11/02/27 15:15:44 222.61.123.22:500
11/02/27 15:15:44 DB : e11944da1f039872:0000000000000000
11/02/27 15:15:44 DB : phase1 added ( obj count = 1 )
11/02/27 15:15:44 >> : security association payload
11/02/27 15:15:44 >> : - proposal #1 payload
11/02/27 15:15:44 >> : -- transform #1 payload
11/02/27 15:15:44 >> : -- transform #2 payload
11/02/27 15:15:44 >> : -- transform #3 payload
11/02/27 15:15:44 >> : -- transform #4 payload
11/02/27 15:15:44 >> : -- transform #5 payload
11/02/27 15:15:44 >> : -- transform #6 payload
11/02/27 15:15:44 >> : -- transform #7 payload
11/02/27 15:15:44 >> : -- transform #8 payload
11/02/27 15:15:44 >> : -- transform #9 payload
11/02/27 15:15:44 >> : -- transform #10 payload
11/02/27 15:15:44 >> : -- transform #11 payload
11/02/27 15:15:44 >> : -- transform #12 payload
11/02/27 15:15:44 >> : -- transform #13 payload
11/02/27 15:15:44 >> : -- transform #14 payload
11/02/27 15:15:44 >> : -- transform #15 payload
11/02/27 15:15:44 >> : -- transform #16 payload
11/02/27 15:15:44 >> : -- transform #17 payload
11/02/27 15:15:44 >> : -- transform #18 payload
11/02/27 15:15:44 >> : key exchange payload
11/02/27 15:15:44 >> : nonce payload
11/02/27 15:15:44 >> : identification payload
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports XAUTH
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( draft v00 )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( draft v01 )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( draft v02 )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( draft v03 )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( rfc )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports FRAGMENTATION
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports DPDv1
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local is SHREW SOFT compatible
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local is NETSCREEN compatible
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local is SIDEWINDER compatible
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local is CISCO UNITY compatible
11/02/27 15:15:44 >= : cookies e11944da1f039872:0000000000000000
11/02/27 15:15:44 >= : message 00000000
11/02/27 15:15:44 -> : send IKE packet 10.0.0.100:500 -> 222.61.123.22:500 ( 1191 bytes )
11/02/27 15:15:44 DB : phase1 resend event scheduled ( ref count = 2 )
11/02/27 15:15:45 <- : recv IKE packet 222.61.123.22:500 -> 10.0.0.100:500 ( 446 bytes )
11/02/27 15:15:45 DB : phase1 found
11/02/27 15:15:45 ii : processing phase1 packet ( 446 bytes )
11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 =< : message 00000000
11/02/27 15:15:45 << : security association payload
11/02/27 15:15:45 << : - propsal #1 payload
11/02/27 15:15:45 << : -- transform #1 payload
11/02/27 15:15:45 ii : unmatched isakmp proposal/transform
11/02/27 15:15:45 ii : key length ( 128 != 256 )
11/02/27 15:15:45 ii : unmatched isakmp proposal/transform
11/02/27 15:15:45 ii : key length ( 128 != 256 )
11/02/27 15:15:45 ii : unmatched isakmp proposal/transform
11/02/27 15:15:45 ii : key length ( 128 != 192 )
11/02/27 15:15:45 ii : unmatched isakmp proposal/transform
11/02/27 15:15:45 ii : key length ( 128 != 192 )
11/02/27 15:15:45 !! : peer violates RFC, transform number mismatch ( 1 != 5 )
11/02/27 15:15:45 ii : matched isakmp proposal #1 transform #1
11/02/27 15:15:45 ii : - transform = ike
11/02/27 15:15:45 ii : - cipher type = aes
11/02/27 15:15:45 ii : - key length = 128 bits
11/02/27 15:15:45 ii : - hash type = md5
11/02/27 15:15:45 ii : - dh group = modp-1024
11/02/27 15:15:45 ii : - auth type = xauth-initiator-psk
11/02/27 15:15:45 ii : - life seconds = 86400
11/02/27 15:15:45 ii : - life kbytes = 0
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : unknown vendor id ( 28 bytes )
11/02/27 15:15:45 0x : 71957fc3 620a4219 70709668 132e871a 332378fc 0000000b 00000614
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : peer supports XAUTH
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : peer supports DPDv1
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : peer supports HEARTBEAT-NOTIFY
11/02/27 15:15:45 << : key exchange payload
11/02/27 15:15:45 << : nonce payload
11/02/27 15:15:45 << : identification payload
11/02/27 15:15:45 ii : phase1 id match
11/02/27 15:15:45 ii : received = fqdn vpngw.jersa.de
11/02/27 15:15:45 << : hash payload
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : peer supports nat-t ( draft v02 )
11/02/27 15:15:45 << : nat discovery payload
11/02/27 15:15:45 << : nat discovery payload
11/02/27 15:15:45 ii : nat discovery - local address is translated
11/02/27 15:15:45 ii : switching to src nat-t udp port 4500
11/02/27 15:15:45 ii : switching to dst nat-t udp port 4500
11/02/27 15:15:45 == : DH shared secret ( 128 bytes )
11/02/27 15:15:45 == : SETKEYID ( 16 bytes )
11/02/27 15:15:45 == : SETKEYID_d ( 16 bytes )
11/02/27 15:15:45 == : SETKEYID_a ( 16 bytes )
11/02/27 15:15:45 == : SETKEYID_e ( 16 bytes )
11/02/27 15:15:45 == : cipher key ( 16 bytes )
11/02/27 15:15:45 == : cipher iv ( 16 bytes )
11/02/27 15:15:45 == : phase1 hash_i ( computed ) ( 16 bytes )
11/02/27 15:15:45 >> : hash payload
11/02/27
15:15:45 >> : nat discovery payload 11/02/27 15:15:45 >> : nat discovery payload 11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852 11/02/27 15:15:45 >= : message 00000000 11/02/27 15:15:45 >= : encrypt iv ( 16 bytes ) 11/02/27 15:15:45 == : encrypt packet ( 88 bytes ) 11/02/27 15:15:45 == : stored iv ( 16 bytes ) 11/02/27 15:15:45 DB : phase1 resend event canceled ( ref count = 1 ) 11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 124 bytes ) 11/02/27 15:15:45 == : phase1 hash_r ( computed ) ( 16 bytes ) 11/02/27 15:15:45 == : phase1 hash_r ( received ) ( 16 bytes ) 11/02/27 15:15:45 ii : phase1 sa established 11/02/27 15:15:45 ii : 222.61.123.22:4500 <-> 10.0.0.100:4500 11/02/27 15:15:45 ii : e11944da1f039872:b6cc949745492852 11/02/27 15:15:45 ii : sending peer INITIAL-CONTACT notification 11/02/27 15:15:45 ii : - 10.0.0.100:4500 -> 222.61.123.22:4500 11/02/27 15:15:45 ii : - isakmp spi = e11944da1f039872:b6cc949745492852 11/02/27 15:15:45 ii : - data size 0 11/02/27 15:15:45 >> : hash payload 11/02/27 15:15:45 >> : notification payload 11/02/27 15:15:45 == : new informational hash ( 16 bytes ) 11/02/27 15:15:45 == : new informational iv ( 16 bytes ) 11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852 11/02/27 15:15:45 >= : message a0c38ba0 11/02/27 15:15:45 >= : encrypt iv ( 16 bytes ) 11/02/27 15:15:45 == : encrypt packet ( 76 bytes ) 11/02/27 15:15:45 == : stored iv ( 16 bytes ) 11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 108 bytes ) 11/02/27 15:15:45 DB : phase2 not found 11/02/27 15:15:45 <- : recv NAT-T:IKE packet 222.61.123.22:4500 -> 10.0.0.100:4500 ( 76 bytes ) 11/02/27 15:15:45 DB : phase1 found 11/02/27 15:15:45 ii : processing config packet ( 76 bytes ) 11/02/27 15:15:45 DB : config not found 11/02/27 15:15:45 DB : config added ( obj count = 1 ) 11/02/27 15:15:45 == : new config iv ( 16 bytes ) 11/02/27 15:15:45 =< : cookies 
e11944da1f039872:b6cc949745492852 11/02/27 15:15:45 =< : message 55466abc 11/02/27 15:15:45 =< : decrypt iv ( 16 bytes ) 11/02/27 15:15:45 == : decrypt packet ( 76 bytes ) 11/02/27 15:15:45 <= : trimmed packet padding ( 8 bytes ) 11/02/27 15:15:45 <= : stored iv ( 16 bytes ) 11/02/27 15:15:45 << : hash payload 11/02/27 15:15:45 << : attribute payload 11/02/27 15:15:45 == : configure hash_i ( computed ) ( 16 bytes ) 11/02/27 15:15:45 == : configure hash_c ( computed ) ( 16 bytes ) 11/02/27 15:15:45 ii : configure hash verified 11/02/27 15:15:45 ii : - xauth authentication type 11/02/27 15:15:45 ii : - xauth username 11/02/27 15:15:45 ii : - xauth password 11/02/27 15:15:45 ii : received basic xauth request - 11/02/27 15:15:45 ii : - standard xauth username 11/02/27 15:15:45 ii : - standard xauth password 11/02/27 15:15:45 ii : sending xauth response for thorsten 11/02/27 15:15:45 >> : hash payload 11/02/27 15:15:45 >> : attribute payload 11/02/27 15:15:45 == : new configure hash ( 16 bytes ) 11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852 11/02/27 15:15:45 >= : message 55466abc 11/02/27 15:15:45 >= : encrypt iv ( 16 bytes ) 11/02/27 15:15:45 == : encrypt packet ( 84 bytes ) 11/02/27 15:15:45 == : stored iv ( 16 bytes ) 11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 124 bytes ) 11/02/27 15:15:45 DB : config resend event scheduled ( ref count = 2 ) 11/02/27 15:15:45 <- : recv NAT-T:IKE packet 222.61.123.22:4500 -> 10.0.0.100:4500 ( 92 bytes ) 11/02/27 15:15:45 DB : phase1 found 11/02/27 15:15:45 ii : processing config packet ( 92 bytes ) 11/02/27 15:15:45 DB : config found 11/02/27 15:15:45 == : new config iv ( 16 bytes ) 11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852 11/02/27 15:15:45 =< : message 577a08a9 11/02/27 15:15:45 =< : decrypt iv ( 16 bytes ) 11/02/27 15:15:45 == : decrypt packet ( 92 bytes ) 11/02/27 15:15:45 <= : trimmed packet padding ( 12 bytes ) 11/02/27 15:15:45 <= : stored iv ( 
16 bytes ) 11/02/27 15:15:45 << : hash payload 11/02/27 15:15:45 << : attribute payload 11/02/27 15:15:45 == : configure hash_i ( computed ) ( 16 bytes ) 11/02/27 15:15:45 == : configure hash_c ( computed ) ( 16 bytes ) 11/02/27 15:15:45 ii : configure hash verified 11/02/27 15:15:45 ii : received config push request 11/02/27 15:15:45 ii : - IP4 Address 11/02/27 15:15:45 ii : - IP4 Netmask 11/02/27 15:15:45 ii : - IP4 DNS Server = 10.1.1.1 11/02/27 15:15:45 ii : building config attribute list 11/02/27 15:15:45 ii : - IP4 DNS Server 11/02/27 15:15:45 ii : sending config push acknowledge 11/02/27 15:15:45 >> : hash payload 11/02/27 15:15:45 >> : attribute payload 11/02/27 15:15:45 == : new configure hash ( 16 bytes ) 11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852 11/02/27 15:15:45 >= : message 577a08a9 11/02/27 15:15:45 >= : encrypt iv ( 16 bytes ) 11/02/27 15:15:45 == : encrypt packet ( 60 bytes ) 11/02/27 15:15:45 == : stored iv ( 16 bytes ) 11/02/27 15:15:45 DB : config resend event canceled ( ref count = 1 ) 11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 92 bytes ) 11/02/27 15:15:45 DB : config resend event scheduled ( ref count = 2 ) 11/02/27 15:15:45 <- : recv NAT-T:IKE packet 222.61.123.22:4500 -> 10.0.0.100:4500 ( 76 bytes ) 11/02/27 15:15:45 DB : phase1 found 11/02/27 15:15:45 ii : processing config packet ( 76 bytes ) 11/02/27 15:15:45 DB : config found 11/02/27 15:15:45 == : new config iv ( 16 bytes ) 11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852 11/02/27 15:15:45 =< : message 84591a7f 11/02/27 15:15:45 =< : decrypt iv ( 16 bytes ) 11/02/27 15:15:45 == : decrypt packet ( 76 bytes ) 11/02/27 15:15:45 <= : trimmed packet padding ( 16 bytes ) 11/02/27 15:15:45 <= : stored iv ( 16 bytes ) 11/02/27 15:15:45 << : hash payload 11/02/27 15:15:45 << : attribute payload 11/02/27 15:15:45 == : configure hash_i ( computed ) ( 16 bytes ) 11/02/27 15:15:45 == : configure hash_c ( computed ) ( 16 
bytes ) 11/02/27 15:15:45 ii : configure hash verified 11/02/27 15:15:45 ii : received xauth result - 11/02/27 15:15:45 !! : user thorsten authentication failed 11/02/27 15:15:45 DB : phase1 soft event canceled ( ref count = 3 ) 11/02/27 15:15:45 DB : phase1 hard event canceled ( ref count = 2 ) 11/02/27 15:15:45 DB : phase1 dead event canceled ( ref count = 1 ) 11/02/27 15:15:45 ii : sending peer DELETE message 11/02/27 15:15:45 ii : - 10.0.0.100:4500 -> 222.61.123.22:4500 11/02/27 15:15:45 ii : - isakmp spi = e11944da1f039872:b6cc949745492852 11/02/27 15:15:45 ii : - data size 0 11/02/27 15:15:45 >> : hash payload 11/02/27 15:15:45 >> : delete payload 11/02/27 15:15:45 == : new informational hash ( 16 bytes ) 11/02/27 15:15:45 == : new informational iv ( 16 bytes ) 11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852 11/02/27 15:15:45 >= : message a29a73fe 11/02/27 15:15:45 >= : encrypt iv ( 16 bytes ) 11/02/27 15:15:45 == : encrypt packet ( 76 bytes ) 11/02/27 15:15:45 == : stored iv ( 16 bytes ) 11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 108 bytes ) 11/02/27 15:15:45 DB : config resend event canceled ( ref count = 1 ) 11/02/27 15:15:45 DB : config deleted ( obj count = 0 ) 11/02/27 15:15:45 ii : phase1 removal before expire time 11/02/27 15:15:45 DB : phase1 deleted ( obj count = 0 ) 11/02/27 15:15:45 DB : policy not found 11/02/27 15:15:45 DB : policy not found 11/02/27 15:15:45 DB : policy not found 11/02/27 15:15:45 DB : policy not found 11/02/27 15:15:45 DB : policy not found 11/02/27 15:15:45 DB : policy not found 11/02/27 15:15:45 DB : tunnel dpd event canceled ( ref count = 3 ) 11/02/27 15:15:45 DB : tunnel natt event canceled ( ref count = 2 ) 11/02/27 15:15:45 DB : tunnel stats event canceled ( ref count = 1 ) 11/02/27 15:15:45 DB : removing tunnel config references 11/02/27 15:15:45 DB : removing tunnel phase2 references 11/02/27 15:15:45 DB : removing tunnel phase1 references 11/02/27 15:15:45 DB 
: tunnel deleted ( obj count = 0 ) 11/02/27 15:15:45 DB : removing all peer tunnel refrences 11/02/27 15:15:45 DB : peer deleted ( obj count = 0 ) 11/02/27 15:15:45 ii : ipc client process thread exit ... === I think "user thorsten authentication failed" is the relevant message Juniper Debug log (debug ike detail) is === ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 1191, action 1 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 1163 bytes from socket. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ****** ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 1163 bytes. src port 500 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 1163, nxp 1[SA], exch 4[AG], flag 00 ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID] ## 2011-02-27 15:34:06 : [VID] [VID] [VID] [VID] [VID] [VID] [VID] ## 2011-02-27 15:34:06 : valid id checking, id type:FQDN, len:23. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > Validate (1135): SA/716 KE/132 NONCE/24 ID/23 VID/12 VID/20 VID/20 VID/20 VID/20 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Receive Id in AG mode, id-type=2, id=client.jersa.de, idlen = 15 ## 2011-02-27 15:34:06 : locate peer entry for (2/client.jersa.de), by identity. ## 2011-02-27 15:34:06 : Found identity in group <1> user id <1>. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Found peer entry (vpnclient_gateway) from 62.143.130.124. 
## 2011-02-27 15:34:06 : responder create sa: 62.143.130.124->222.61.123.22 ## 2011-02-27 15:34:06 : init p1sa, pidt = 0x0 ## 2011-02-27 15:34:06 : change peer identity for p1 sa, pidt = 0x0 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > peer_identity_create_with_uid: uid<0> ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > create peer identity 0x622a4c0 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry before add <1> ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry after add <2> ## 2011-02-27 15:34:06 : peer identity 622a4c0 created. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > EDIPI disabled ## 2011-02-27 15:34:06 : IKE<62.143.130.124> getProfileFromP1Proposal-> ## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[0]=<00000005 00000002 00000001 00000002> for p1 proposal (id 5), xauth(1) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[1]=<00000005 00000001 00000001 00000002> for p1 proposal (id 4), xauth(1) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[2]=<00000007 00000002 00000001 00000002> for p1 proposal (id 7), xauth(1) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[3]=<00000007 00000001 00000001 00000002> for p1 proposal (id 6), xauth(1) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> responder create sa: 62.143.130.124->222.61.123.22 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1: Responder starts AGGRESSIVE mode negotiations. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> AG in state OAK_AG_NOSTATE. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID: ## 2011-02-27 15:34:06 : 09 00 26 89 df d6 b7 12 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv XAUTH v6.0 vid ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID: ## 2011-02-27 15:34:06 : 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc ## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-00). ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID: ## 2011-02-27 15:34:06 : 16 f6 ca 16 e4 a4 06 6d 83 82 1a 0f 0a ea a8 62 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID: ## 2011-02-27 15:34:06 : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f ## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-02). ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID: ## 2011-02-27 15:34:06 : 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID: ## 2011-02-27 15:34:06 : 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f ## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID: ## 2011-02-27 15:34:06 : 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 ## 2011-02-27 15:34:06 : 80 00 00 00 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> receive unknown vendor ID payload ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID: ## 2011-02-27 15:34:06 : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID: ## 2011-02-27 15:34:06 : f1 4b 94 b7 bf f1 fe f0 27 73 b8 c4 9f ed ed 26 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID: ## 2011-02-27 15:34:06 : 16 6f 93 2d 55 eb 64 d8 e4 df 4f d3 7e 23 13 f0 ## 2011-02-27 15:34:06 : d0 fd 84 51 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> receive unknown vendor ID payload ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID: ## 2011-02-27 15:34:06 : 84 04 ad f9 cd a0 57 60 b2 ca 29 2e 4b ff 53 7b ## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID: ## 2011-02-27 15:34:06 : 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [SA]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(256) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(256) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3 ## 
2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(192) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(192) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2) ## 2011-02-27 15:34:06 : 
IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1 proposal [3] selected. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> SA Life Type = seconds ## 2011-02-27 15:34:06 : IKE<62.143.130.124> SA lifetime (TLV) = 86400 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > dh group 2 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> DH_BG_consume OK. p1 resp ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [KE]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing ISA_KE in phase 1. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [NONCE]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing NONCE in phase 1. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [ID]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID received: type=ID_FQDN, FQDN = client.jersa.de, port=0, protocol=0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> process_id need to update peer entry, cur . ## 2011-02-27 15:34:06 : locate peer entry for (2/client.jersa.de), by identity. ## 2011-02-27 15:34:06 : Found identity in group <1> user id <1>. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Dynamic peer IP addr, search peer by identity. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> peer gateway entry has no peer id configured ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID processed. return 0. sa->p1_state = 0. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1 AG Responder constructing 2nd message. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload #1) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [SA] for ISAKMP ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: disabled ## 2011-02-27 15:34:06 : IKE<62.143.130.124> lifetime/lifesize (86400/0) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct NetScreen [VID] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct custom [VID] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct custom [VID] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct custom [VID] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [KE] for ISAKMP ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [NONCE] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> gen_skeyid() ## 2011-02-27 15:34:06 : IKE<62.143.130.124> gen_skeyid: returning 0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [ID] for ISAKMP ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Use vpngw.jersa.de as IKE p1 ID. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Use vpngw.jersa.de as IKE p1 ID. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID, len=18, type=2, pro=17, port=500, ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct NAT-T [VID]: draft 2 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder psk ag mode: natt vid constructed. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> responder (psk) constructing remote NAT-D ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [NATD] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> responder (psk) constructing local NAT-D ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [NATD] ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit : [SA] [VID] [VID] [VID] [VID] [KE] [NONCE] [ID] [HASH] ## 2011-02-27 15:34:06 : [VID] [NATD] [NATD] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP 62.143.130.124/port 500 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 1 packet (len=446) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<5/91180f> ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 124, action 0 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 108, action 0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 96 bytes from socket. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ****** ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 96 bytes. src port 4500 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 92, nxp 8[HASH], exch 4[AG], flag 01 E ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 64) ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [NATD] [NATD] ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > extract payload (64): ## 2011-02-27 15:34:06 : IKE<62.143.130.124> AG in state OAK_AG_INIT_EXCH. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [NATD]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [NATD]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [HASH]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID, len=19, type=2, pro=0, port=0, ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ## 2011-02-27 15:34:06 : IKE<62.143.130.124> completing Phase 1 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> sa_pidt = 622a4c0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> adjusting phase 1 hash ## 2011-02-27 15:34:06 : IKE<62.143.130.124> found existing peer identity 0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1: Completed for ip <62.143.130.124>, user ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1: Completed Aggressive mode negotiation with a <28800>-second lifetime. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth is started: server, p1responder, aggr mode. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> start_xauth() ## 2011-02-27 15:34:06 : IKE<62.143.130.124> start_xauth(): as:0 ac:-1 enable:1 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: accounting server id 0 (use auth server as acct server). ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: xauthstatus 20. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16520, val 0 added, len 0. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16521, val empty string, type <16521> added, len 0. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16522, val empty string, type <16522> added, len 0. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry... ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new 22199719) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload #8)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH]
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 20, type 1, identifier 61307.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > basic attr type 16520, valint 0
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 16521, vallen 0, valstr empty string, type <16521>
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 16522, vallen 0, valstr empty string, type <16522>
## 2011-02-27 15:34:06 : IKE<0.0.0.0 >
## 2011-02-27 15:34:06 : IKE<62.143.130.124> construct QM HASH
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit*: [HASH] [IKECFG]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Encrypt P2 payload (len 68)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP 62.143.130.124/port 4500
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 2 packet (len=76)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg packet sent. msgid 22199719, len: 68, peer<62.143.130.124>
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state machine: 20
## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f>
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 80 bytes from socket.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ******
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 80 bytes. src port 4500
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 76, nxp 8[HASH], exch 5[INFO], flag 01 E
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry...
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new b90d3f73)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 48)
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [NOTIF]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Need to pass XAUTH first. Silently Discard packet.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Delete conn entry...
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...found conn entry(b90d3f73)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f>
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 124, action 0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 96 bytes from socket.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ******
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 96 bytes. src port 4500
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 92, nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 64)
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [IKECFG]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [IKECFG]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing IKECFG payload. msgid 22199719, msgtype 2, payload ID 61307
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 36, type 2, identifier 61307.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > basic attr type 16520, valint 0
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 16521, vallen 8, valstr thorste
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 16522, vallen 8, valstr thorste
## 2011-02-27 15:34:06 : IKE<0.0.0.0 >
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16520, val 0 added, len 0.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16521, val thorste added, len 8.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16522, val thorste added, len 8.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server got type: 16520 v<0>
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server got var type: 16521
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server got var type: 16522
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server entering state machine: 20
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: accounting server id 0 (use auth server as acct server).
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: xauthstatus 20.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_auth_pap: authing locally: uname thorsten, passwd *** SUCCESS
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Get config for client(local auth)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_assign_client_cfg(): Sa->ip_addr = 0x0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> getting xauth local user remote setting
## 2011-02-27 15:34:06 : IKE<62.143.130.124> getting xauth local user IP from pool
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Don't do xauth RADIUS accounting. Send cfg to client directly.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_send_client_cfg: ip 10.1.2.1, v4mask 255.255.255.255 dns1 10.1.1.1, dns2 0.0.0.0, win1 0.0.0.0, win2 0.0.0.0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_send_client_cfg v6: id ::, prefix ::/0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_send_client_cfg v6: dns1 ::, dns2 ::, win1 ::, win2 ::
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 1, val 10.1.2.1 added, len 4.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 2, val 255.255.255.255 added, len 4.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 3, val 10.1.1.1 added, len 4.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry...
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new 85594f12)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload #8)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH]
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 32, type 3, identifier 61307.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 1, vallen 4, valstr 10.1.2.1
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 2, vallen 4, valstr 255.255.255.255
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 3, vallen 4, valstr 10.1.1.1
## 2011-02-27 15:34:06 : IKE<0.0.0.0 >
## 2011-02-27 15:34:06 : IKE<62.143.130.124> construct QM HASH
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit*: [HASH] [IKECFG]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Encrypt P2 payload (len 80)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP 62.143.130.124/port 4500
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 2 packet (len=92)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg packet sent. msgid 85594f12, len: 80, peer<62.143.130.124>
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state machine: 90
## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f>
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 92, action 0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 64 bytes from socket.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ******
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 64 bytes. src port 4500
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 60, nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 32)
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [IKECFG]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [IKECFG]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing IKECFG payload. msgid 85594f12, msgtype 4, payload ID 61307
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 12, type 4, identifier 61307.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 3, vallen 0, valstr 64.137.0.8
## 2011-02-27 15:34:06 : IKE<0.0.0.0 >
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 3, val 0.0.0.0 added, len 0.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server entering state machine: 90
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: accounting server id 0 (use auth server as acct server).
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: xauthstatus 90.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state machine: -1
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16527, val 0 added, len 0.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry...
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new e5ce2681)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload #8)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH]
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 12, type 3, identifier 61307.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > basic attr type 16527, valint 0
## 2011-02-27 15:34:06 : IKE<0.0.0.0 >
## 2011-02-27 15:34:06 : IKE<62.143.130.124> construct QM HASH
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit*: [HASH] [IKECFG]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Encrypt P2 payload (len 60)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP 62.143.130.124/port 4500
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 2 packet (len=76)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg packet sent. msgid e5ce2681, len: 60, peer<62.143.130.124>
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_failed()
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth login FAILED. gw , username , retry: 0, timeout: 1
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_cleanup()
## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE Xauth: release prefix route, ret=<-2>.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> XAUTH-failed: clear p2sa for p1sa(0x22b2268).
## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f>
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 108, action 0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 80 bytes from socket.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ******
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 80 bytes. src port 4500
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 76, nxp 8[HASH], exch 5[INFO], flag 01 E
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry...
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new 96990a95)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 48)
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [DELETE]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [DELETE]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124> DELETE payload received, deleting Phase-1 SA
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Delete conn entry...
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...found conn entry(96990a95)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f>
## 2011-02-27 15:34:07 : IKE<0.0.0.0 > dh group 2
## 2011-02-27 15:34:08 : reap_db. deleting p1sa 22b2268
## 2011-02-27 15:34:08 : terminate_SA: trying to delete SA cause: 0 cond: 2
## 2011-02-27 15:34:08 : IKE<62.143.130.124> Delete conn entry...
## 2011-02-27 15:34:08 : IKE<62.143.130.124> ...found conn entry(e5ce2681)
## 2011-02-27 15:34:08 : IKE<62.143.130.124> Delete conn entry...
## 2011-02-27 15:34:08 : IKE<62.143.130.124> ...found conn entry(85594f12)
## 2011-02-27 15:34:08 : IKE<62.143.130.124> Delete conn entry...
## 2011-02-27 15:34:08 : IKE<62.143.130.124> ...found conn entry(22199719)
## 2011-02-27 15:34:08 : IKE<62.143.130.124> xauth_cleanup()
## 2011-02-27 15:34:08 : IKE<62.143.130.124> Done cleaning up IKE Phase 1 SA
## 2011-02-27 15:34:08 : peer_identity_unregister_p1_sa.
## 2011-02-27 15:34:08 : IKE<0.0.0.0 > delete peer identity 0x622a4c0
## 2011-02-27 15:34:08 : IKE<0.0.0.0 > peer_identity_remove_from_peer: num entry before remove <2>
## 2011-02-27 15:34:08 : peer_idt.c peer_identity_unregister_p1_sa 682: pidt deleted.
===

I think "xauth login FAILED. gw , username , retry: 0, timeout: 1" is the relevant message. Timestamps don't match because I took the debugs at different points of time.
Configuration of juniper is
===
unset key protection enable
set clock ntp
set clock timezone 1
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "Videoserver TCP 9999" protocol tcp src-port 0-65535 dst-port 9999-9999
set service "pcanywhere" protocol tcp src-port 0-65535 dst-port 5631-5631
set service "pcanywhere" + udp src-port 0-65535 dst-port 5632-5632
set service "POP3s" protocol tcp src-port 0-65535 dst-port 995-995
set service "SMTPs" protocol tcp src-port 0-65535 dst-port 465-465
set alg appleichat enable
unset alg appleichat re-assembly enable
unset alg p2p enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "untrust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "vpn"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
unset zone "VLAN" tcp-rst
unset zone "vpn" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet2 ip 10.99.99.1/24
set interface ethernet2 nat
set interface ethernet3 ip 222.61.123.22/30
set interface ethernet3 route
unset interface vlan1 ip
set interface ethernet1 proxy dns
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
unset interface ethernet2 ip manageable
set interface ethernet3 ip manageable
unset interface ethernet1 manage telnet
unset interface ethernet1 manage snmp
set interface ethernet3 manage ssh
set interface ethernet3 manage ssl
set interface ethernet3 vip interface-ip 9999 "HTTP" 10.99.99.99
unset interface ethernet1 dhcp server config next-server-ip
unset interface ethernet1 dhcp server config updatable
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set hostname nsjs
set dbuf usb filesize 0
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns3 0.0.0.0
set dns host name ns-5gt-205 10.1.1.1
set dns proxy
set dns proxy enable
set dns server-select domain * outgoing-interface ethernet3 primary-server 212.202.215.1 secondary-server 212.202.215.2 tertiary-server 194.8.194.60
set address "Trust" "10.1.1.0/24" 10.1.1.0 255.255.255.0
set address "DMZ" "10.255.255.0/24" 10.255.255.0 255.255.255.0
set address "DMZ" "10.99.99.0/24" 10.99.99.0 255.255.255.0
set ippool "vpnclient" 10.1.2.1 10.1.2.10
set user "thorsten" uid 2
set user "thorsten" type xauth
set user "thorsten" remote ippool "vpnclient"
set user "thorsten" password "***"
unset user "thorsten" type auth
set user "thorsten" "enable"
set user "vpnclient_ph1id" uid 1
set user "vpnclient_ph1id" ike-id fqdn "client.jersa.de" share-limit 2
set user "vpnclient_ph1id" type ike
set user "vpnclient_ph1id" "enable"
set user-group "vpnclient_group" id 1
set user-group "vpnclient_group" user "vpnclient_ph1id"
set crypto-policy
exit
set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Aggr local-id "vpngw.jersa.de" outgoing-interface "ethernet3" preshare "***" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
set ike gateway "vpnclient_gateway" dpd-liveness interval 30
unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 20
set ike gateway "vpnclient_gateway" xauth server "Local"
unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "vpnclient"
set xauth default dns1 10.1.1.1
set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-md5" "nopfs-esp-aes128-sha" "nopfs-esp-aes128-md5"
set vpn "vpnclient_tunnel" monitor
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 11 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 11 disable
set policy id 11
exit
set policy id 1 from "Trust" to "Untrust" "10.1.1.0/24" "Any" "DNS" permit log
set policy id 1
set service "FTP"
set service "HTTP"
set service "HTTPS"
set service "NTP"
set service "pcanywhere"
set service "PING"
set service "POP3"
set service "POP3s"
set service "SMTP"
set service "SMTPs"
set service "TRACEROUTE"
set service "Videoserver TCP 9999"
exit
set policy id 4 from "Trust" to "Untrust" "Any" "Any" "UDP-ANY" deny log
set policy id 4
exit
set policy id 12 from "Untrust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 12 disable
set policy id 12
exit
set policy id 2 from "Untrust" to "DMZ" "Any" "VIP(ethernet3)" "HTTP" permit log
set policy id 2
set service "HTTPS"
set service "Videoserver TCP 9999"
exit
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" deny log
set policy id 3
exit
set policy id 5 from "Untrust" to "DMZ" "Any" "Any" "ANY" deny log
set policy id 5
exit
set policy id 6 from "Trust" to "DMZ" "10.1.1.0/24" "10.99.99.0/24" "HTTP" permit log
set policy id 6
set service "HTTPS"
set service "PING"
exit
set policy id 7 from "Trust" to "DMZ" "Any" "Any" "ANY" deny log
set policy id 7
exit
set policy id 16 from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
set policy id 16 disable
set policy id 16
exit
set policy id 15 name "vpnclient_inbound" from "Untrust" to "Trust" "Dial-Up VPN" "10.1.1.0/24" "ANY" tunnel vpn "vpnclient_tunnel" id 0x2 log
set policy id 15
exit
set policy id 8 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log
set policy id 8
exit
set policy id 13 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 13 disable
set policy id 13
exit
set policy id 9 from "DMZ" to "Trust" "Any" "Any" "ANY" deny log
set policy id 9
exit
set policy id 14 from "DMZ" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 14 disable
set policy id 14
exit
set policy id 10 from "DMZ" to "Untrust" "Any" "Any" "ANY" deny log
set policy id 10
exit
set log cli enable
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set ssl port 23143
set ntp server "192.53.103.103"
set ntp server backup1 "192.53.103.104"
set ntp server backup2 "192.53.103.108"
set ntp interval 1440
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route 0.0.0.0/0 interface ethernet3 gateway *** permanent
set route 10.1.1.0/24 vrouter "trust-vr" preference 20 metric 1
set route 10.99.99.0/24 vrouter "trust-vr" preference 20 metric 1
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
===

Does anybody have an idea what's going wrong?

Many thanks in advance
Thorsten

From ben at bbarker.co.uk Mon Feb 28 16:07:48 2011
From: ben at bbarker.co.uk (Ben Barker)
Date: Mon, 28 Feb 2011 22:07:48 +0000
Subject: [vpn-help] VPN up, but no traffic to any destination
Message-ID:

Hello,

I am running shrewsoft 2.1.7 on Ubuntu 10.1 x64. All seems fine - I can open my VPN successfully according to the client. However, when it is open, I lose all connectivity to the internet and local LAN, but do not get any access to my remote network.

Before my VPN is up, I have my routing table as:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         O2wirelessbox.l 0.0.0.0         UG    0      0        0 eth0

After, I have:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
81.134.112.110  192.168.1.254   255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
192.168.13.0    192.168.14.51   255.255.255.0   UG    0      0        0 tap0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0

where the IP address allocated to my virtual adapter is on the 192.168.14.x subnet, and my destination is the 192.168.13.x subnet.

Any ideas what I am doing that is causing the VPN to apparently be brought up, but then causing no traffic at all to be routable?

Cheers,
Ben

-------------- next part --------------
An HTML attachment was scrubbed...
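Back to the XAUTH exchange in Thorsten's SSG debug output earlier on this page: the added example below is not code from the thread, from Shrew Soft or from Juniper. It rebuilds the five [IKECFG] attribute payloads the log prints (REQUEST asking for XAUTH_TYPE/USER_NAME/USER_PASSWORD, the client's REPLY, the SET carrying internal IP, netmask and DNS, the client's ACK, and the closing SET with XAUTH_STATUS) with the same message types, attribute numbers and payload lengths the log shows, then parses them back and reports whether XAUTH ended in OK, FAIL, or without a status at all. The attribute names are taken from the IKE mode-config/XAUTH drafts, the username and password are placeholders, and nothing here talks to a gateway.

```python
# Added example: not code from the thread, from Shrew Soft or from Juniper.
# Builds and parses the ISAKMP Mode-Config attribute payload ([IKECFG] in the
# SSG log) that carries XAUTH and the client's internal address. The message
# and attribute numbers are the ones printed in Thorsten's debug output
# (type 1..4, attrs 1..3 and 16520..16527); their names come from the
# IKE mode-config/XAUTH drafts. The exchange at the bottom is constructed here
# to match that log's payload lengths, with a placeholder username/password.
import struct
from ipaddress import IPv4Address

CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
MSG_NAMES = {1: "REQUEST", 2: "REPLY", 3: "SET", 4: "ACK"}
ATTR_NAMES = {
    1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK", 3: "INTERNAL_IP4_DNS",
    16520: "XAUTH_TYPE", 16521: "XAUTH_USER_NAME", 16522: "XAUTH_USER_PASSWORD",
    16527: "XAUTH_STATUS",
}
AF_BASIC = 0x8000            # attribute-format bit: set = 2-byte value, clear = TLV
XAUTH_STATUS_FAIL, XAUTH_STATUS_OK = 0, 1
HEADER = "!BBHBBH"           # next, reserved, length, cfg type, reserved, identifier


def build_attr(atype, value):
    """int -> basic attribute (fixed 2-byte value); bytes -> variable TLV."""
    if isinstance(value, int):
        return struct.pack("!HH", atype | AF_BASIC, value)
    return struct.pack("!HH", atype, len(value)) + value


def build_cfg_payload(msg_type, identifier, attrs, next_payload=0):
    """8-byte attribute-payload header followed by the encoded attributes."""
    body = b"".join(build_attr(t, v) for t, v in attrs)
    return struct.pack(HEADER, next_payload, 0, 8 + len(body), msg_type, 0, identifier) + body


def parse_cfg_payload(data):
    """Decode one payload; attrs are (type, is_basic, value) with value int or bytes."""
    if len(data) < 8:
        raise ValueError("payload shorter than the 8-byte header")
    _next, _, length, msg_type, _, identifier = struct.unpack(HEADER, data[:8])
    if length > len(data):
        raise ValueError(f"payload length {length} exceeds buffer of {len(data)}")
    attrs, pos = [], 8
    while pos < length:
        if pos + 4 > length:
            raise ValueError("truncated attribute header")
        raw_type, field = struct.unpack("!HH", data[pos:pos + 4])
        atype, pos = raw_type & 0x7FFF, pos + 4
        if raw_type & AF_BASIC:
            attrs.append((atype, True, field))           # field is the value itself
        else:
            if pos + field > length:
                raise ValueError(f"attribute {atype} length {field} overruns payload")
            attrs.append((atype, False, data[pos:pos + field]))
            pos += field
    return {"msg_type": msg_type, "identifier": identifier, "length": length, "attrs": attrs}


def describe(parsed):
    """Render a payload roughly the way the SSG log prints it, one line per attribute."""
    lines = [f"{MSG_NAMES.get(parsed['msg_type'], '?')} id {parsed['identifier']} len {parsed['length']}"]
    for atype, basic, val in parsed["attrs"]:
        name = ATTR_NAMES.get(atype, str(atype))
        if basic:
            lines.append(f"  basic {name} valint {val}")
        elif atype in (1, 2, 3) and len(val) == 4:
            lines.append(f"  variable {name} {IPv4Address(val)}")
        else:
            lines.append(f"  variable {name} vallen {len(val)}")   # never print a password
    return lines


def xauth_outcome(payloads):
    """Walk an exchange and report how XAUTH ended: 'ok', 'fail' or 'incomplete'."""
    for raw in payloads:
        for atype, basic, val in parse_cfg_payload(raw)["attrs"]:
            if atype == 16527 and basic:
                return "ok" if val == XAUTH_STATUS_OK else "fail"
    return "incomplete"


IDENT = 61307   # identifier the log shows on every payload of the exchange
EXCHANGE = [    # constructed; same types, attribute numbers and lengths as the log
    build_cfg_payload(CFG_REQUEST, IDENT, [(16520, 0), (16521, b""), (16522, b"")]),        # len 20
    build_cfg_payload(CFG_REPLY, IDENT, [(16520, 0), (16521, b"someuser"), (16522, b"secret!!")]),  # len 36
    build_cfg_payload(CFG_SET, IDENT, [(1, IPv4Address("10.1.2.1").packed),
                                       (2, IPv4Address("255.255.255.255").packed),
                                       (3, IPv4Address("10.1.1.1").packed)]),              # len 32
    build_cfg_payload(CFG_ACK, IDENT, [(3, b"")]),                 # client acks only the DNS attribute
    build_cfg_payload(CFG_SET, IDENT, [(16527, XAUTH_STATUS_FAIL)]),   # server reports FAIL
]

if __name__ == "__main__":
    for raw in EXCHANGE:
        print("\n".join(describe(parse_cfg_payload(raw))))
    print("xauth result:", xauth_outcome(EXCHANGE))
```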
From Rainer.Blaes at astrium.eads.net Tue Feb 1 03:52:30 2011
From: Rainer.Blaes at astrium.eads.net (Rainer Blaes)
Date: Tue, 01 Feb 2011 10:52:30 +0100
Subject: [vpn-help] SHREW Dial Up Client and SSG 350 with certificates
In-Reply-To: <8B42594C7750CD45BE1933C04AD2B6B13B21EA077A@w2008-server>
References: <8B42594C7750CD45BE1933C04AD2B6B13B21EA077A@w2008-server>
Message-ID: <4D47D7DE.8030603@astrium.eads.net>

Clemens wrote:
> That looks like the Client is terminating the connection:
> ## 2011-01-28 14:28:03 : IKE<192.168.11.3 > Recv*: [HASH] [DELETE]
> ## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [DELETE]:
> ## 2011-01-28 14:28:03 : IKE<192.168.11.3> DELETE payload received, deleting Phase-1 SA
> Something seems to be missing in the Xauth or Phase 2 settings.
> To see what is happening you will need to use the Shrew Trace utility (see the according Wiki of ShrewSoft). That should give you (us) a hint.

Partial success. We had used the wrong CA Root cert and now it seems that at least Phase 1 is established. Though SHREW is telling "bringing up tunnel/remote device configured/tunnel enabled", Juniper's "get sa" does not show an Active tunnel. In particular the 'no policy found' lines in the ipsec.log irritate us. What does this mean?

Thanks for any hint!
Rainer

From uracs.tamas at peetandcook.hu Tue Feb 1 09:51:59 2011
From: uracs.tamas at peetandcook.hu (Uracs Tamás)
Date: Tue, 1 Feb 2011 15:51:59 +0000
Subject: [vpn-help] please help with SRX220
Message-ID:

Hi Matthew,

Could you please help me a little bit? I'm stuck creating a Dialup VPN with an SRX220 cluster. Phase 1 and 2 go fine, and after a few successful SA key changes the connection is broken. It seems that our Shrew client tries to reauthenticate the already logged in user and loses the SA after that. See the log from the SRX220 below. Do you have any thoughts about this?
Thank you and best,
Tamas Uracs

1.1.1.1: Shrew 2.1.7
2.2.2.2: SRX 220 cluster

Feb 1 15:29:53 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb 1 15:29:53 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f0f7631, remote = 1.1.1.1:2726
Feb 1 15:29:53 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:29:56 ike_retransmit_callback: Start, retransmit SA = { e745b337 b7895475 - 8ede6b29 1a2b4c81}, nego = 2
Feb 1 15:29:56 ike_retransmit_callback: Isakmp SA has been marked as deleted
Feb 1 15:29:56 2.2.2.2:0 (Initiator) <-> 1.1.1.1:2726 { e745b337 b7895475 - 8ede6b29 1a2b4c81 [2] / 0x3b22e311 } CFG; Error = Timeout (8197)
Feb 1 15:29:56 ike_send_notify: Private notification, do not send notification
Feb 1 15:29:56 ike_delete_negotiation: Start, SA = { e745b337 b7895475 - 8ede6b29 1a2b4c81}, nego = 2
Feb 1 15:29:56 ike_free_negotiation_cfg: Start, nego = 2
Feb 1 15:29:56 ike_free_negotiation: Start, nego = 2
Feb 1 15:30:04 ike_state_restart_packet: Start, restart packet SA = { 1b1eb4a5 3c38975e - cff216d1 79bfcefb}, nego = 1
Feb 1 15:30:04 ike_st_o_qm_done: Quick Mode negotiation done
Feb 1 15:30:04 ike_send_notify: Connected, SA = { 1b1eb4a5 3c38975e - cff216d1 79bfcefb}, nego = 1
Feb 1 15:30:04 ike_delete_negotiation: Start, SA = { 1b1eb4a5 3c38975e - cff216d1 79bfcefb}, nego = 1
Feb 1 15:30:04 ike_free_negotiation_qm: Start, nego = 1
Feb 1 15:30:04 ike_free_negotiation: Start, nego = 1
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:08 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f30985a, remote = 1.1.1.1:2726
Feb 1 15:30:08 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb 1 15:30:08 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f30985a, remote = 1.1.1.1:2726
Feb 1 15:30:08 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:30:12 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / a6525a3e, remote = 1.1.1.1:2726
Feb 1 15:30:12 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb 1 15:30:12 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / a6525a3e, remote = 1.1.1.1:2726
Feb 1 15:30:12 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:30:15 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 622d9826, remote = 1.1.1.1:2726
Feb 1 15:30:15 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb 1 15:30:15 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 622d9826, remote = 1.1.1.1:2726
Feb 1 15:30:15 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:30:16 ike_state_restart_packet: Start, restart packet SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152}, nego = 0
Feb 1 15:30:16 ike_st_o_cfg_done: CFG negotiation done
Feb 1 15:30:16 ike_send_notify: Connected, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152}, nego = 0
Feb 1 15:30:16 ike_delete_negotiation: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152}, nego = 0
Feb 1 15:30:16 ike_free_negotiation_cfg: Start, nego = 0
Feb 1 15:30:16 ike_free_negotiation: Start, nego = 0
Feb 1 15:30:17 Deleted (spi=894670796, protocol=ESP dst=2.2.2.2) entry from the peer hash table
Feb 1 15:30:17 Deleted (spi=894670796, protocol=ESP dst=2.2.2.2) entry from the dynamic sa spi hash table
Feb 1 15:30:17 jnp_ike_connect_delete: Start, remote_name = 1.1.1.1:2726, flags = 00010000
Feb 1 15:30:17 jnp_ike_create_delete_internal: Start, remote_name = 1.1.1.1:2726, flags = 00010000
Feb 1 15:30:17 jnp_ike_create_delete_internal: No isakmp sa found and connect flags require it
Feb 1 15:30:17 Not route based VPN. Not deleting NHTB entry
Feb 1 15:30:17 In iked_ipsec_sa_pair_delete Deleting GENCFG msg with key; Tunnel = 133955647;SPI-In = 894670796
Feb 1 15:30:17 Deleted SA pair for tunnel = 133955647 with SPI-In = 894670796 to kernel

From Rainer.Blaes at astrium.eads.net Wed Feb 2 06:56:05 2011
From: Rainer.Blaes at astrium.eads.net (Rainer Blaes)
Date: Wed, 02 Feb 2011 13:56:05 +0100
Subject: [vpn-help] SHREW Dial Up Client and SSG 350 with certificates
In-Reply-To: <4D47F116.6060407@astrium.eads.net>
References: <4D47F116.6060407@astrium.eads.net>
Message-ID: <4D495465.50401@astrium.eads.net>

I got it!!!!! After analyzing the SHREW Client's Phase 2 values I changed the proposal not to use PFS (nopfs) and now everything is working just fine!

So long,
Rainer

From marco.zevering at eo.nl Thu Feb 3 02:17:58 2011
From: marco.zevering at eo.nl (Marco Zevering)
Date: Thu, 03 Feb 2011 09:17:58 +0100
Subject: [vpn-help] Shrew VPN Client on Mac OS X ?
Message-ID: <4D4A64B6.2060307@eo.nl>

Has anybody got a working situation using Shrew VPN Client on Mac OS X? If yes, how did you do that? I got a working situation on Windows XP and used the same configuration, but this doesn't work with Mac OS X. Please help.

Kind regards,
Marco

From deejay at jay-mail.de Thu Feb 3 03:35:03 2011
From: deejay at jay-mail.de (Jay)
Date: Thu, 03 Feb 2011 10:35:03 +0100
Subject: [vpn-help] virtual network adapter cannot be created
Message-ID: <4D4A76C7.50109@jay-mail.de>

Hello,

I'm new to this list and I hope you can help me. First, I want to apologize for my bad English. I do my best to write as well as possible.

The client worked fine until now, but the virtual adapter doesn't get created by the ShrewSoft vpn client any more. I found out that there are problems if an adapter called "Microsoft Virtual WiFi Miniport Adapter" exists. There's no adapter except the hardware devices (lan, wifi, firewire).

Do you have any idea?

Best regards,
Jay

From tony.silveston at hp.com Wed Feb 2 16:01:16 2011
From: tony.silveston at hp.com (Silveston, Tony)
Date: Wed, 2 Feb 2011 22:01:16 +0000
Subject: [vpn-help] Other VPN software stops Shrew Working
Message-ID: <1B7E2E28661CFD418A0067A7D01342CC8D3D29F737@GVW1102EXC.americas.hpqcorp.net>

Hi

I am running Windows XP on a specialized HP build laptop. It uses Remote Access to HP (RA2HP) VPN software to allow me to connect to HP internal networks. http://remote-access-to-hp-ra2hp-vpn.software.informer.com/

This works fine, although I cannot configure it to allow access to other VPN sites apart from HP. Therefore I have also installed SHREW v2.1.7. I want this to connect to a Cisco VPN gateway that is nothing to do with HP.
If I disable the RA2HP VPN connection I can connect to my Cisco gateway VPN.

If I enable the RA2HP VPN then I cannot also connect to the Cisco VPN gateway.

I get a "negotiation timeout ocurred"...

Any ideas how to get them both working together?

Thanks
Tony

From rfling at estand.com Thu Feb 3 18:01:03 2011
From: rfling at estand.com (Russ Fling)
Date: Thu, 03 Feb 2011 18:01:03 -0600
Subject: [vpn-help] Help using NetGear FSV318v3
Message-ID: <4D4B41BF.60503@estand.com>

I am having problems connecting to the NetGear FSV318v3.

NetGear FSV318v3 firmware 0_28 (latest)
Shrew client versions 2.1.7 and 2.2.0 beta 1
Client OS Windows 7 Home Premium 64 bit (I've also tried Ubuntu and Mac clients, same issue)
NetGear LAN 192.168.8.0/24
NetGear WAN connected directly to internet at xxx.xxx.xxx.xxx (obscured for now)
Windows client LAN 192.168.3.0/24, client has a DHCP address of 192.168.3.139

The Shrew FAQs deal with the 338, not the 318, which has a different interface for users. I am not using the XAuth feature at this time, just Mutual PSK. In the Policy tab, Policy Generation Level is auto, and 192.168.8.0 / 255.255.255.0 has been added to the topology. Maintain Persistent Security Associations is checked (but also tried unchecked).

When connecting, the tunnel is enabled but security associations fail 10-20 seconds later. iked.log contains the following lines when it fails.

ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
ii : fragmented packet to 70 bytes ( MTU 1500 bytes )
-> : resend 1 phase2 packet(s) [2/2] 192.168.3.139:500 -> xxx.xxx.xxx.xxx:500
ii : resend limit exceeded for phase2 exchange

Different Phase 1 settings will cause it to fail sooner, so I think these and the Authentication settings are OK. Phase 2 settings seem to have no effect (but I think they are configured properly) and it appears that the 318 is not responding to phase2 requests (or they are being blocked somewhere). Is it a packet fragmentation issue? Firewall issue?

I saw on some blog that the 338 may need WAN ping enabled; this is currently off.

Any suggestions?

Thanks in advance.

From alexis.lagoutte at gmail.com Fri Feb 4 02:00:01 2011
From: alexis.lagoutte at gmail.com (Alexis La Goutte)
Date: Fri, 4 Feb 2011 09:00:01 +0100
Subject: [vpn-help] Help using NetGear FSV318v3
In-Reply-To: <4D4B41BF.60503@estand.com>
References: <4D4B41BF.60503@estand.com>

Hi,

On Fri, Feb 4, 2011 at 1:01 AM, Russ Fling wrote:
> [...]
>
> In Policy tab, *Policy Generation Level is auto*, 192.168.8.0 /
> 255.255.255.0 has been added to topology. Maintain Persistent Security
> Associations is check (but also tried unchecked).
>
> [...]
>
> Any suggestions?
>
> Thanks in advance.

Set *Unique* for Policy Generation Level and it should work.

Regards,

From david.borges at skitter.tv Fri Feb 4 08:32:43 2011
From: david.borges at skitter.tv (David Borges)
Date: Fri, 04 Feb 2011 09:32:43 -0500
Subject: [vpn-help] Help using NetGear FSV318v3
In-Reply-To: <4D4B41BF.60503@estand.com>
References: <4D4B41BF.60503@estand.com>
Message-ID: <1296829963.2260.2.camel@dborges-ThinkPad-R400>

Russ,

Would you consider using xauth? I have a FVS338 and it works great in phase 2 with xauth.

Thanks,

On Thu, 2011-02-03 at 18:01 -0600, Russ Fling wrote:
> is enabled but security associations fail
> 10-20 seconds later.

-- 
David Borges
Director of Network Administration
www.skitter.tv

From galvarez3d at gmail.com Fri Feb 4 09:41:34 2011
From: galvarez3d at gmail.com (Gerardo Álvarez)
Date: Fri, 4 Feb 2011 16:41:34 +0100
Subject: [vpn-help] VPN 2.2.0 on Mac OS X 10.6.6 (spanish)

Hi

I am trying to use Shrew Soft VPN Access Manager on my Mac just as I am doing on my Windows XP 32 bits machine.
I have exported the configuration from XP and imported it on the Mac, but there is some data which does not get copied.

This is what happens when I try to connect with the Mac:

config loaded for site 'XXX_XXX'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
invalid message from gateway
tunnel disabled
detached from key daemon ...

Any hints?

-- 
Gerardo Álvarez

From steve.harrold at eosemi.com Fri Feb 4 12:25:08 2011
From: steve.harrold at eosemi.com (Steve Harrold)
Date: Fri, 04 Feb 2011 18:25:08 +0000
Subject: [vpn-help] ike-2.2.0-beta-1 make errors
Message-ID: <4D4C4484.6040603@eosemi.com>

An HTML attachment was scrubbed.

From galvarez3d at gmail.com Fri Feb 4 12:32:39 2011
From: galvarez3d at gmail.com (Gerardo Álvarez)
Date: Fri, 4 Feb 2011 19:32:39 +0100
Subject: [vpn-help] VPN 2.2.0 on Mac OS X 10.6.6 (spanish)
In-Reply-To: <246624c3-6983-48d2-be2f-d34d14b8457d@blur>
References: <246624c3-6983-48d2-be2f-d34d14b8457d@blur>

Hi Russ,

Just curious, why Netgear?

It seems we get a bit further now:

config loaded for site 'XXXX_XXXX'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
attached to key daemon ...
detached from key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

On 4 February 2011 19:00, Russ Fling wrote:
> Geraldo,
>
> Check shrew soft support on netgear for more info.
>
> General
> Existing adapter
>
> Make sure all Authentication tab settings match netgear settings.
>
> I'm using mutual-psk now but am having problems at phase2 so may need to
> use mutual-psk xauth.
>
> Phase 1
> Aggressive
> Group 2
> 3des
> Sha1
>
> Phase2
> esp-3des
> Sha1
>
> Policy
> Unique
> Add your remote local lan
>
> -----Original message-----
> From: "Gerardo Álvarez"
> To: vpn-help at lists.shrew.net
> Sent: Fri, Feb 4, 2011 15:41:34 GMT+00:00
> Subject: [vpn-help] VPN 2.2.0 on Mac OS X 10.6.6 (spanish)

-- 
Gerardo Álvarez
Producer
El Viaje Imposible
http://www.evipc.com
(+34) 617 764 201
gerardo at evipc.com

From sander.liebert at gmail.com Sat Feb 5 13:07:00 2011
From: sander.liebert at gmail.com (Sander Liebert)
Date: Sat, 5 Feb 2011 13:07:00 -0600
Subject: [vpn-help] Shrew on Windows 7 vs Windows XP

I have the shrew client loaded on several PCs. The XP ones seem to work fine and I can ping on the remote network. On my Win7 PCs I can connect, but cannot ping or browse the network. I upgraded the Win7 PCs to 2.20 to rule out the possible virtual wifi adapter problem. Can anyone tell me what I should troubleshoot next?

Thanks,
Sander

From galvarez3d at gmail.com Sun Feb 6 10:17:55 2011
From: galvarez3d at gmail.com (Gerardo Álvarez)
Date: Sun, 6 Feb 2011 17:17:55 +0100
Subject: [vpn-help] Windows XP 32 bit connects but Windows 7 64 bit does not

I have given up trying to connect from Mac OS X 10.6.6 by now.

I have installed 2.1.7 64 bit on one PC with Windows 7 64 bit at home, copying the configuration exported from XP 32 bit at the studio; different ADSL routers but equivalent network topology and setup.

The XP 32 bit connects fine:

config loaded for site 'FCSC'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled

However the W7 64 bits does not:

config loaded for site 'FCSC'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

I see that the W7 is not able to configure the network device, maybe because I wasn't able to install the software in W7 64 bits: it got stuck forever at "installing Network Adapter", until I rebooted into Safe Mode with Network; that way I could install it. Maybe it is not properly installed?

-- 
Gerardo Álvarez

From mgrooms at shrew.net Sun Feb 6 10:50:33 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 10:50:33 -0600
Subject: [vpn-help] Problem with 2.2.0-alpha-11
In-Reply-To: <20110126111021.13972p1k8atc6fc4@webmail.kwsoft.de>
References: <20110126111021.13972p1k8atc6fc4@webmail.kwsoft.de>
Message-ID: <4D4ED159.1080208@shrew.net>

On 1/26/2011 4:10 AM, lst_hoe02 at kwsoft.de wrote:
> Hello
>
> we tested today to update VPN which worked flawlessly from
> 2.2.0-alpha-10 to 2.2.0-alpha-11. After the update the VPN client always
> asks for user/password and if ignoring it the VPN claims to be connected
> but no traffic passes the VPN.
>
> Client is Windows XP-SP3
> VPN is PSK against a BinTEC VPN Gateway
>
> Any idea what is going wrong?

Is this still happening with the beta1 build? If so, please forward me the debug level output in a private email.

http://www.shrew.net/support/wiki/BugReportVpnWindows

Thanks,
-Matthew

From mgrooms at shrew.net Sun Feb 6 11:17:25 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:17:25 -0600
Subject: [vpn-help] Shrew VPN Client on Mac OS X ?
In-Reply-To: <4D4A64B6.2060307@eo.nl>
References: <4D4A64B6.2060307@eo.nl>
Message-ID: <4D4ED7A5.8050209@shrew.net>

On 2/3/2011 2:17 AM, Marco Zevering wrote:
> Does anybody got a working situation using Shrew VPN Client on Mac OS X ?
> If yes, how did you do that.
>
> I got a working situation on Windows XP and used the same configuration,
> but this doesn't work with Mac OS X.

Marco,

I just built a new package using the latest source code. Please give it a try and see if the same issue occurs.

http://www.shrew.net/download/vpn/vpn-client-install.dmg

Thanks,
-Matthew

From mgrooms at shrew.net Sun Feb 6 11:22:51 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:22:51 -0600
Subject: [vpn-help] Adtran 908e
In-Reply-To: <001501cbbf3c$a49544e0$edbfcea0$@com>
References: <001501cbbf3c$a49544e0$edbfcea0$@com>
Message-ID: <4D4ED8EB.50608@shrew.net>

On 1/28/2011 4:42 PM, Danny Lloyd wrote:
> I am not sure how to reply to the original thread. I have updated
> information regarding my problem with connecting with the adtran 908e. I
> appreciate any assistance.
>
> Here is the debug information from the adtran. I see "Invalid
> Authentication type which is not supported". I don't know how to address
> that error.

Yes. Your gateway is rejecting the client Authentication due to an Authentication type mismatch. Check the settings under the authentication tab in your site configuration and make sure they match the type configured on the gateway.

-Matthew

From mgrooms at shrew.net Sun Feb 6 11:26:22 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:26:22 -0600
Subject: [vpn-help] shrew VPN client Ver.
2.1.7
In-Reply-To: <268875.87898.qm@web36506.mail.mud.yahoo.com>
References: <268875.87898.qm@web36506.mail.mud.yahoo.com>
Message-ID: <4D4ED9BE.40606@shrew.net>

On 1/30/2011 6:58 AM, Wasiu Adebowale Fagbemi wrote:
> I had installed shrew VPN client version 2.1.7 on my windows 7 PC. I can
> successfully make connection to the remote network but I can not ping or
> do RDC to any of the remote network resources.
>
> All these I can do very well with shrew VPN client Version 2.1.5.
>
> My VPN gateway is cisco ASA5520

Have you looked at the debug level output to see if it shows any issues?

http://www.shrew.net/support/wiki/BugReportVpnWindows

-Matthew

From mgrooms at shrew.net Sun Feb 6 11:34:01 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:34:01 -0600
Subject: [vpn-help] VPN Tunnel disconnected by gateway after successful authentication
In-Reply-To: <3F185A541960DB4B9FBBBB4104820BBC0150075A3F3D@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <3F185A541960DB4B9FBBBB4104820BBC0150075A3F3D@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D4EDB89.9080302@shrew.net>

On 1/28/2011 5:45 PM, Brian Harmer wrote:
> Don wrote:
>> I am hoping the community can help me with this.
>>
>> I am using a Windows 7 64bit OS on my laptop and have used the NCP
>> application (trial) successfully in the past. However, with
>> Shrew's client, I can authenticate, but right after the
>> splashscreen that tells me to behave myself on the corporate
>> network, I get a disconnect by gateway. I have no idea what is
>> happening that the gateway disconnects me after an apparent
>> successful negotiation and authentication. Anyone seen this before
>> and have any ideas?
>>
>> bringing up tunnel ... network device configured tunnel enabled
>> session terminated by gateway tunnel disabled detached from key
>> daemon ...
>
> I have a similar experience. I can add to that the fact that in the
> box which shrinks to the task bar on the "apparently" successful
> connection, there are two tabs, one labelled connect, and the other
> labelled network. If I watch the network tab while the system is
> thinking about finally connecting, I can see that the client tells me
> that security associations failed .... 9 times ... is that 9
> associations or 9 tries? As a VPN novice desperate to connect, I
> have no idea what this means. Any insights gratefully received.

This is the typical result when the VPN client connects to a Cisco gateway and phase2 negotiation is failing for some reason. Check the log output on both the client and gateway to find clues as to what the issue could be. You will likely need to modify either a phase2 tab or a policy tab parameter in your site configuration.

-Matthew

From mgrooms at shrew.net Sun Feb 6 11:42:53 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:42:53 -0600
Subject: [vpn-help] ike-2.2.0-beta-1 make errors
In-Reply-To: <4D4C4484.6040603@eosemi.com>
References: <4D4C4484.6040603@eosemi.com>
Message-ID: <4D4EDD9D.8050508@shrew.net>

On 2/4/2011 12:25 PM, Steve Harrold wrote:
> Hi all,
> I'm trying to compile ike-2.2.0-beta-1 under Linux Mint 7 (which is
> based on Ubuntu jaunty). The 2.1.7 release compiled fine, but I am
> getting errors and warnings when I run "make".

I just fixed the build issues. Please pull down a copy from svn and give it another try.

svn export svn://svn.shrew.net/ike/head

-Matthew

From zkosn at zkosn.com Sun Feb 6 11:44:54 2011
From: zkosn at zkosn.com (zkosn at zkosn.com)
Date: Sun, 06 Feb 2011 10:44:54 -0700
Subject: [vpn-help] 2.2 b1 miniport adapter
Message-ID: <20110206104454.35cc758f207e5a82ede39c4fdf64e9e5.e5937e9476.wbe@email01.secureserver.net>

An HTML attachment was scrubbed.
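The replies earlier in this digest (Matthew's note that "session terminated by gateway" against a Cisco box, like "security associations failed", means phase 2 is failing; the daemon-version mismatch behind "failed to attach to key daemon"; and the stage-by-stage status lines several posters quote) can be turned into a small triage script. The following is an added example for this page, not code from the thread or from Shrew Soft: the milestone and terminal-event tables and the diagnose function are my own construction, and the sample lines are the ones quoted in the digest.

```python
"""Triage helper for the Shrew Soft VPN client's connection output.

Added example for this digest; not code from the thread or from
Shrew Soft. It reads Access Manager status lines and iked.log lines
of the kind quoted above and reports how far the negotiation got and
which site-configuration tab the replies in the thread point to.
"""
import re

# Status milestones the Access Manager prints, in the order a successful
# connection emits them (taken from the logs quoted in the thread).
MILESTONES = [
    "config loaded for site",
    "attached to key daemon",
    "peer configured",
    "bringing up tunnel",
    "network device configured",
    "tunnel enabled",
]

# Terminal status lines quoted in the thread and the stage each implies.
# "session terminated by gateway" after "tunnel enabled" is the Cisco
# phase 2 failure Matthew describes; the timeout spelling is the client's.
TERMINAL = {
    "peer config failed": "daemon",
    "failed to attach to key daemon": "daemon",
    "invalid message from gateway": "phase1",
    "negotiation timout occurred": "phase1",
    "session terminated by gateway": "phase2",
    "security associations failed": "phase2",
}

# iked.log evidence is more precise than the status window, so it wins.
RESEND_LIMIT = re.compile(r"resend limit exceeded for phase(\d) exchange")
SPDDUMP_FAIL = "recv X_SPDDUMP message failure"

# What the replies in this digest suggest checking for each stage.
ADVICE = {
    "daemon": "client and iked versions differ: remove the old version and "
              "reinstall a single version",
    "phase1": "phase 1 never completed (timeout or rejected message): compare "
              "the Authentication and Phase 1 tabs with the gateway, check the "
              "virtual wifi adapter FAQ on Windows, collect debug-level output",
    "phase2": "phase 1 came up but phase 2 failed: compare the Phase 2 and "
              "Policy tabs (PFS, Policy Generation Level) with the gateway",
    "ok": "tunnel established",
    "incomplete": "no terminal event in the log",
}


def furthest_milestone(status_lines):
    """Return the last success milestone seen in the status output, or None."""
    reached = None
    for line in status_lines:
        text = line.strip()
        for marker in MILESTONES:
            if text.startswith(marker):
                reached = marker
    return reached


def classify(status_lines, iked_lines=()):
    """Return the stage at which one connection attempt stopped."""
    for line in iked_lines:
        match = RESEND_LIMIT.search(line)
        if match:
            return "phase" + match.group(1)
        if SPDDUMP_FAIL in line:
            return "daemon"
    for line in status_lines:
        text = line.strip()
        for marker, stage in TERMINAL.items():
            if text.startswith(marker):
                return stage
    if furthest_milestone(status_lines) == "tunnel enabled":
        return "ok"
    return "incomplete"


def diagnose(status_lines, iked_lines=()):
    """Bundle the milestone, the stage and the thread's advice into one dict."""
    stage = classify(status_lines, iked_lines)
    return {
        "milestone": furthest_milestone(status_lines),
        "stage": stage,
        "advice": ADVICE[stage],
    }


if __name__ == "__main__":
    # Don's status lines as quoted in the thread above.
    sample = ["bringing up tunnel ...", "network device configured",
              "tunnel enabled", "session terminated by gateway",
              "tunnel disabled", "detached from key daemon ..."]
    print(diagnose(sample))
```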
From tstrike34 at gmail.com Sun Feb 6 12:52:14 2011
From: tstrike34 at gmail.com (JT Edwards)
Date: Sun, 6 Feb 2011 12:52:14 -0600
Subject: [vpn-help] Can I just install iked? It keeps wanting to install 2.1.7 Shrew

Matt, List,

I am getting Failure to attach to Key daemon on Shrew 2.2.0-beta-1 latest build checked out of SVN. If I go to install iked it wants to install the 2.1.7 client. I just want to install Iked. Advise?

JT

On Sun, Feb 6, 2011 at 11:42 AM, Matthew Grooms wrote:
> On 2/4/2011 12:25 PM, Steve Harrold wrote:
>> Hi all,
>> I'm trying to compile ike-2.2.0-beta-1 under Linux Mint 7 (which is
>> based on Ubuntu jaunty). The 2.1.7 release compiled fine, but I am
>> getting errors and warnings when I run "make".
>
> I just fixed the build issues. Please pull down a copy from svn and give it
> another try.
>
> svn export svn://svn.shrew.net/ike/head
>
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help

-- 
J.T. Edwards
Senior Solutions Architect and Managing Consultant
IBM Tivoli Certified
Global Direct +01-512-772-3266
Cellular +01-281-226-0284
Skype tstrike29

JT Edwards
Commissioner, Alt 2, Building and Standards
City of Galveston
P.O. Box 779
823 Rosenberg
Galveston, Texas 77553
Phone: (409) 797-3500

From tstrike34 at gmail.com Sun Feb 6 13:07:08 2011
From: tstrike34 at gmail.com (JT Edwards)
Date: Sun, 6 Feb 2011 13:07:08 -0600
Subject: [vpn-help] Latest Build issues staying connected to Ike daemon

Matthew,

I am having a problem of having the latest build client stay connected to the Ike daemon. It actually kills it on Ubuntu 10.10.

Here is what I am getting:

config loaded for site 'test33.dyndns.org'
attached to key daemon ...
peer config failed
detached from key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon

Advice? Nothing in the iked log but this:

1/02/06 13:04:01 ## : IKE Daemon, ver 2.1.5
11/02/06 13:04:01 ## : Copyright 2009 Shrew Soft Inc.
11/02/06 13:04:01 ## : This product linked OpenSSL 0.9.8o 01 Jun 2010
11/02/06 13:04:01 K! : recv X_SPDDUMP message failure ( errno = 2 )

-- 
J.T. Edwards

From lst_hoe02 at kwsoft.de Sun Feb 6 14:02:00 2011
From: lst_hoe02 at kwsoft.de (lst_hoe02 at kwsoft.de)
Date: Sun, 06 Feb 2011 21:02:00 +0100
Subject: [vpn-help] Problem with 2.2.0-alpha-11
In-Reply-To: <4D4ED159.1080208@shrew.net>
References: <20110126111021.13972p1k8atc6fc4@webmail.kwsoft.de> <4D4ED159.1080208@shrew.net>
Message-ID: <20110206210200.61878wd5jqbsoytc@webmail.kwsoft.de>

Quoting Matthew Grooms:
> On 1/26/2011 4:10 AM, lst_hoe02 at kwsoft.de wrote:
>> Hello
>>
>> we tested today to update VPN which worked flawlessly from
>> 2.2.0-alpha-10 to 2.2.0-alpha-11. After the update the VPN client always
>> asks for user/password and if ignoring it the VPN claims to be connected
>> but no traffic passes the VPN.
>>
>> Client is Windows XP-SP3
>> VPN is PSK against a BinTEC VPN Gateway
>>
>> Any idea what is going wrong?
>
> Is this still happening with the beta1 build? If so, please forward
> me the debug level output in a private email.
>
> http://www.shrew.net/support/wiki/BugReportVpnWindows

Beta1 is working again. Many Thanks.
Andreas

From paul at athosconsulting.com Sun Feb 6 14:42:07 2011
From: paul at athosconsulting.com (Paul Papasavas)
Date: Sun, 6 Feb 2011 20:42:07 +0000
Subject: [vpn-help] ShrewSoft 2.1.7 and 2.2.0 Issue
In-Reply-To: <006601cbb25a$8d28e760$a77ab620$@com>

Matthew,

FYI the issue was resolved simply by using a virtual adapter and assigning an MTU of I believe 1380 ... All problems went away with Shrew / ssg5

Paul

On 1/12/11 8:13 AM, "Darren Nye" wrote:
> Hi Matthew,
>
> I'm absolutely sure that using NCP and Green Bow resolves the issues.
>
> I'm not sure how to set up a Virtual Adapter - everything was set up by the
> consultant we hired. Are there instructions somewhere on how to try a
> virtual adapter?
>
> I don't know if it matters but the consultant was able to get the free IP
> Securitas to work fine also - which runs on Macs (half of our clients are
> Macs).
>
> I did try stepping through the alternate configuration found here:
> http://www.shrew.net/support/wiki/HowtoJuniperSsg
>
> But I couldn't get a tunnel connection at all with the above. Maybe it's
> because some of the SSG pages were a bit different, with the updated
> firmware. And one field, IKE ID Type, was not sticking on AUTO but was
> being changed to something starting with an F (not currently connected to
> router).
>
> To answer your other question, the user is not stopping the service. As
> per the pictures, what is happening is I start copying using Windows Explorer
> from the server to my notebook, and the copy stops and produces the
> Windows error as per the pics - and it seems the halt happens at that time.
> But the user never touches the servers from a technical standpoint.
>
> I will try your latest alpha version and report back:
> http://www.shrew.net/download/vpn/vpn-client-2.2.0-lsofix-1.exe
>
> -----Original Message-----
> From: Matthew Grooms [mailto:mgrooms at shrew.net]
> Sent: Wednesday, January 12, 2011 2:21 AM
> To: Darren Nye
> Cc: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] ShrewSoft 2.1.7 and 2.2.0 Issue
>
> On 1/7/2011 1:11 PM, Darren Nye wrote:
>> Hi all,
>
> Hi Darren,
>
>> VPN Client: ShrewSoft 2.1.7 and 2.2 Alpha 9.
>>
>> Windows: 7 64bit and Vista 64bit
>>
>> Gateway: Juniper SSG5
>>
>> Gateway Hardware Version: 710(0)
>>
>> Gateway Firmware Version: 6.3.0r5.0 (also tried firmware 6.0 with same
>> issue).
>>
>> Five people in different locations have been able to duplicate this
>> problem with the ShrewSoft 2.1.7 and 2.2 Alpha 9 clients.
>>
>> However, when we use NCP Client or Green Bow VPN Client, we do not have
>> this issue and everything seems fine. So this points to either a
>> configuration issue with ShrewSoft or a bug. I hope someone can help?
>
> Are you absolutely sure that this problem can be resolved by installing
> the NCP or Greenbow clients? I'm not too proud to admit when the Shrew
> Soft client has a bug that needs to be fixed. From looking at your log
> output, it would appear that you are not using virtual adapter configs,
> which can cause problems related to MTU issues. Some carriers will drop
> packet fragments or large UDP packets for no good reason. When using a
> virtual adapter, a custom MTU can be set to avoid these issues.
>
>> We can connect to the Juniper with ShrewSoft and also connect to our
>> network file servers, and perform short tasks such as copying small files
>> up/down or using remote desktop.
>>
>> However, when we try to use Windows Explorer to connect to a Linux/Samba
>> (v3.1) file server (ie: \\192.168.66.1\printfileserver) and copy a folder
>> with a large number of files (100mb or more) - by dragging and dropping
>> from the server to the desktop - it seems that Windows thinks the
>> connection to the server is lost - although the tunnel itself in ShrewSoft
>> doesn't show that it disconnected. But the log file seems to show a "halt"
>> command around the same time the issue is probably happening.
>
> The halt should only show up in the log when someone stops the service.
> It's the normal shutdown procedure. I see the halt in your logs about
> four minutes into the connection. Is that a user stopping the service or
> do you mean that it's stopping itself?
>
>> See attached:
>>
>> Windows-preparing-copy.jpg = the beginning of the file copy - things
>> going normal so far
>>
>> Windows-copy-start.jpg = after windows is finished preparing (I believe
>> figuring out how much and what it's going to copy) - it then tries to
>> start the copy - but never seems to start
>>
>> Windows-failure.jpg = a short time after the windows-copy-start above,
>> windows will display a failure. It's at this point that shrewsoft
>> perhaps is getting the halt.
>>
>> The Shrew trace and other log/dump files are attached. 1.1.1.1 is a
>> changed IP address but represents our internal IP address of the Juniper
>> router.
>>
>> These particular logs were when connecting via ATT and my cell phone.
>> However we've had these issues remotely from homes on Comcast and
>> Optimum cable modems.
>>
>> I've been told by our Juniper tech rep that our internal servers are
>> sending a RST (reset) although I don't see that in any of the logs I'm
>> looking at.
>>
>> But we don't experience these odd issues when using the NCP client or
>> Green Bow. But I'd rather not license every single one of our users.
>>
>> Any suggestions, please let me know.
>
> There is a feature included in modern network adapters called TCP Large
> Segment Offload. Up until the last 2.2.0 alpha release, the client had a
> bug that caused problems similar to the one you describe when TCP LSO
> was enabled and virtual adapters were not in use. The Alpha 9 version of
> the client that you tested with does not have the fix for this bug. Not
> that I can imagine TCP LSO would be implemented by an AT&T cell phone
> dongle driver, but it could certainly be affecting your home users. If
> you want to try a version of the client that has been tested a bit more
> than the latest alpha, you can have a user try this version ...
>
> http://www.shrew.net/download/vpn/vpn-client-2.2.0-lsofix-1.exe
>
> -Matthew

From mgrooms at shrew.net Sun Feb 6 15:55:26 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 15:55:26 -0600
Subject: [vpn-help] Other VPN software stops Shrew Working
In-Reply-To: <1B7E2E28661CFD418A0067A7D01342CC8D3D29F737@GVW1102EXC.americas.hpqcorp.net>
References: <1B7E2E28661CFD418A0067A7D01342CC8D3D29F737@GVW1102EXC.americas.hpqcorp.net>
Message-ID: <4D4F18CE.2010000@shrew.net>

On 2/2/2011 4:01 PM, Silveston, Tony wrote:
> Hi
>
> I am running Windows XP on a specialized HP build laptop.
>
> It uses Remote Access to HP (RA2HP) VPN software to allow me to connect to HP internal networks.
> http://remote-access-to-hp-ra2hp-vpn.software.informer.com/
>
> This works fine although I cannot configure it to allow access to other VPN sites apart from HP.
>
> Therefore I have also installed SHREW v2.1.7.
>
> I want this to connect to a Cisco VPN gateway that is nothing to do with HP.
>
> If I disable the RA2HP VPN connection I can connect to my Cisco gateway VPN.
>
> If I enable the RA2HP VPN then I cannot also connect to the Cisco VPN gateway.
>
> I get a "negotiation timeout ocurred"...
>
> Any ideas how to get them both working together?

Tony,

No, unfortunately I don't.
We have made every attempt to create a VPN client that is as friendly to other installed software as possible. We use very specialized rules to only accept and process traffic that is unique to a VPN session established by our VPN client. We don't touch any other traffic, even if it is IPsec related. That means that it is _possible_ to use the Shrew Soft client along with other VPN clients. But possible doesn't mean it will work. In fact, in most cases it will probably break in one way or another unless the following are true ...

1) The other VPN client software was written with the same care as the Shrew Soft client. That means not making assumptions about being the only IPsec client installed on the machine and blindly eating IKE or IPsec packets that may belong to other software.

2) Your IPsec policies don't overlap. If one client is configured to send all traffic down its tunnel, then a second VPN client would fail to establish its tunnel ( negotiation traffic is sent down the first VPN connection's tunnel ).

3) In most cases, only one client will _win_ when it comes to custom DNS settings, with the latter overwriting the former connection's settings.

So to summarize: Yes, it's possible to do what you want but the chance of two tunnels working correctly without them being designed to do so is just about nil. From what I have seen from other VPN client vendors, they just don't seem to care much to co-exist with other IPsec client software. This leads to a lot of head scratching and questions like, "Am I running into a configuration conflict that can be fixed, or are the software components stepping on each other's toes?"

Sorry I can't be more help,

-Matthew

From mgrooms at shrew.net Sun Feb 6 16:08:45 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 16:08:45 -0600
Subject: [vpn-help] VPN 2.2.0 on Mac OS X 10.6.6 (spanish)
Message-ID: <4D4F1BED.9070807@shrew.net>

On 2/4/2011 9:41 AM, Gerardo Álvarez wrote:
> Hi
> I am trying to use Shrew Soft VPN Access Manager in my Mac just as I am
> doing on my Windows XP 32 bits machine.
> I have exported the configuration from XP and imported it on Mac, but
> there are some data which does not get copied.
> This is what happens when I try to connect with the Mac:

I just uploaded a new build to the website. The OSX support is still very preliminary but I have fixed a few bugs recently. One of them was related to configuration mismatches between different platforms ...

http://www.shrew.net/download/vpn/vpn-client-install.dmg

-Matthew

From mgrooms at shrew.net Sun Feb 6 16:10:18 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 16:10:18 -0600
Subject: [vpn-help] Shrew on Windows 7 vs Windows XP
Message-ID: <4D4F1C4A.9070007@shrew.net>

On 2/5/2011 1:07 PM, Sander Liebert wrote:
> I have the shrew client loaded on several pc's. The XP seems to work
> fine and I can ping on the remote network. On my Win7 pc's I can
> connect, but cannot ping, or browse the network. I upgraded the Win7
> pc's to 2.20 to rule out the possible virtual wifi adapter problem.
> Can anyone tell me what I should troubleshoot next?

Are you using the beta-1 or a previous version? Have you looked at the debug output to see if it displays any useful information?
http://www.shrew.net/support/wiki/BugReportVpnWindows

-Matthew

From mgrooms at shrew.net Sun Feb 6 16:12:00 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 16:12:00 -0600
Subject: [vpn-help] Windows XP 32 bit connects but Windows 7 64 bit does not
Message-ID: <4D4F1CB0.10603@shrew.net>

On 2/6/2011 10:17 AM, Gerardo Álvarez wrote:
> I have given up trying to connect from Mac OS X 10.6.6 by now.
> I have installed 2.1.7 64 bit at one PC with Windows 7 64 bit at home,
> copying the configuration exported from XP 32 bit at the studio,
> different ADSL routers but equivalent network topology and setup.

Are you using a WIFI connection? If so, try disabling the Microsoft virtual wifi adapter as our Wiki suggests ...

http://www.shrew.net/support/wiki/FrequentlyAskedQuestions

-Matthew

From mgrooms at shrew.net Sun Feb 6 16:14:39 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 16:14:39 -0600
Subject: [vpn-help] 2.2 b1 miniport adapter
In-Reply-To: <20110206104454.35cc758f207e5a82ede39c4fdf64e9e5.e5937e9476.wbe@email01.secureserver.net>
References: <20110206104454.35cc758f207e5a82ede39c4fdf64e9e5.e5937e9476.wbe@email01.secureserver.net>
Message-ID: <4D4F1D4F.3030608@shrew.net>

On 2/6/2011 11:44 AM, zkosn at zkosn.com wrote:
> Win7/32 Can't establish a tunnel (doesn't even make an attempt to
> establish) if the Virtual Miniport adapter is enabled. Disabling it
> allows it to function and establish a tunnel.
>
> 2.17 works with the virtual miniport enabled.
>
> Any workaround or is it broken?

Hmmm. It should be the other way around unless you are communicating over an AD-Hoc Wifi network. The 2.2.0 version favors the base Wifi adapter but doesn't work with the MS Virtual Adapter used for AD-Hoc Wifi.

-Matthew

From mgrooms at shrew.net Sun Feb 6 16:16:23 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 16:16:23 -0600
Subject: [vpn-help] Latest Build issues staying connected to Ike daemon
Message-ID: <4D4F1DB7.7060308@shrew.net>

On 2/6/2011 1:07 PM, JT Edwards wrote:
> Matthew,
>
> I am having a problem of having the latest build client stay connected
> to the Ike daemon. It actually kills it on Ubuntu 10.10.
>
> Here is what I am getting:
>
> config loaded for site 'test33.dyndns.org '
>
> ...
> Advice? Nothing in the iked log but this:
>
> 1/02/06 13:04:01 ## : IKE Daemon, ver 2.1.5
> 11/02/06 13:04:01 ## : Copyright 2009 Shrew Soft Inc.
> 11/02/06 13:04:01 ## : This product linked OpenSSL 0.9.8o 01 Jun 2010
> 11/02/06 13:04:01 K! : recv X_SPDDUMP message failure ( errno = 2 )

Uninstall the 2.1.5 version, then re-install the 2.2.0 version. The two versions of the client have different components that are incompatible with one another.

-Matthew

From mgrooms at shrew.net Sun Feb 6 16:19:19 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 16:19:19 -0600
Subject: [vpn-help] ShrewSoft 2.1.7 and 2.2.0 Issue
Message-ID: <4D4F1E67.5030103@shrew.net>

On 2/6/2011 2:42 PM, Paul Papasavas wrote:
> Matthew,
>
> FYI the issue was resolved simply by using a virtual adapter and assigning
> an MTU of I believe 1380 ... All problems went away with Shrew / ssg5

Hi Paul,

Thanks for the feedback. If I can reproduce the non-virtual network adapter style connection issues I'll try to get it resolved. However, it's not going to bubble up to the top of my todo list any time soon. But in the long run, I'm pretty sure you would be happier with the virtual adapter style connections anyway.
Thanks again, -Matthew From galvarez3d at gmail.com Sun Feb 6 16:28:32 2011 From: galvarez3d at gmail.com (=?ISO-8859-1?Q?Gerardo_=C1lvarez?=) Date: Sun, 6 Feb 2011 23:28:32 +0100 Subject: [vpn-help] Windows XP 32 bit connects but Windows 7 64 bit does not In-Reply-To: <4D4F1CB0.10603@shrew.net> References: <4D4F1CB0.10603@shrew.net> Message-ID: <-7856785405170327861@unknownmsgid> No , none of the machine uses WIFI, only ethernet. Gerardo Alvarez Le?n galvarez3d at gmail.com El 06/02/2011, a las 23:12, Matthew Grooms escribi?: > On 2/6/2011 10:17 AM, Gerardo ???lvarez wrote: >> I have given up trying to connect from Mac OS X 10.6.6 by now. >> I have installed 2.1.7 64 bit at one PC with Windows 7 64 bit at home, >> copying the configuration exported from XP 32 bit at the studio, >> differente ADSL routers but equivalente network topology and setup. >> > > Are you using a WIFI connection? If so, try disabling the Microsoft virutal wifi adapter as our Wiki suggests ... > > http://www.shrew.net/support/wiki/FrequentlyAskedQuestions > > -Matthew From zkosn at zkosn.com Sun Feb 6 20:06:01 2011 From: zkosn at zkosn.com (zkosn at zkosn.com) Date: Sun, 06 Feb 2011 19:06:01 -0700 Subject: [vpn-help] 2.2 b1 miniport adapter Message-ID: <20110206190601.35cc758f207e5a82ede39c4fdf64e9e5.dbcdb8e51b.wbe@email01.secureserver.net> I'm only using infrastructure networks, however I have used ad-hocs in the past. If I disable the Virtual Miniport adapter, either the entire adapter or just the shrewsoft filter component, 2.2.0 will then immediately connect fine. I can even re-enable the Miniport adapter/filter and still I'm able to connect. However, if I reboot and the Virtual Miniport adapter is enabled, it cannot connect again until I disable it again. If I leave it disabled, all is good. Thanks! 
-------- Original Message --------
Subject: Re: [vpn-help] 2.2 b1 miniport adapter
From: Matthew Grooms
Date: Sun, February 06, 2011 4:14 pm
To: zkosn at zkosn.com
Cc: vpn-help at lists.shrew.net

On 2/6/2011 11:44 AM, zkosn at zkosn.com wrote:
> Win7/32 Can't establish a tunnel (doesn't even make an attempt to
> establish) if the Virtual Miniport adapter is enabled. Disabling it
> allows it to function and establish a tunnel.
>
> 2.17 works with the virtual miniport enabled.
>
> Any workaround or is it broken?
>

Hmmm. It should be the other way around unless you are communicating over an AD-Hoc Wifi network. The 2.2.0 version favors the base Wifi adapter but doesn't work with the MS Virtual Adapter used for AD-Hoc Wifi.

-Matthew

From paul at anastrophe.com Sun Feb 6 23:01:57 2011
From: paul at anastrophe.com (Paul Theodoropoulos)
Date: Sun, 06 Feb 2011 21:01:57 -0800
Subject: [vpn-help] new windows login credentials?
Message-ID: <4D4F7CC5.1030206@anastrophe.com>

having recently installed 2.2.0 beta 1 for windows 7 64bit, when my machine comes out of 'sleep', i'm now presented with a shrew vpn credentials login page by default, rather than my normal fingerprint sensor credentials login page. i can hit the 'log in as another user' button and then use my fingerprint - but, uh, what the heck is this? i went into the windows 'user accounts' control panel and there's nothing there for me to modify, and i can't figure out how to get rid of this...?

thanks in advance.

--
Paul Theodoropoulos

From mgrooms at shrew.net Mon Feb 7 00:47:45 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Mon, 07 Feb 2011 00:47:45 -0600
Subject: [vpn-help] new windows login credentials?
In-Reply-To: <4D4F7CC5.1030206@anastrophe.com>
References: <4D4F7CC5.1030206@anastrophe.com>
Message-ID: <4D4F9591.6070805@shrew.net>

On 2/6/2011 11:01 PM, Paul Theodoropoulos wrote:
> having recently installed 2.2.0 beta 1 for windows 7 64bit, when my
> machine comes out of 'sleep', i'm now presented with a shrew vpn
> credentials login page by default, rather than my normal fingerprint
> sensor credentials login page. i can hit the 'log in as another user'
> button and then use my fingerprint - but, uh, what the heck is this? i
> went into the windows 'user accounts' control panel and there's nothing
> there for me to modify, and i can't figure out how to get rid of this...?
>
> thanks in advance.
>

The 2.2.0 version includes an option for Secure Domain Login support. This is accomplished by installing a windows credentials provider on Windows Vista/7. If you don't want that option, you can re-install the client and uncheck the credentials provider to prevent the component from being installed. I'm not sure why it's being presented by default if you didn't manually select it during the Login process. I'll have a look at that before we do the next beta release.

-Matthew

From paul at anastrophe.com Mon Feb 7 12:20:56 2011
From: paul at anastrophe.com (Paul Theodoropoulos)
Date: Mon, 07 Feb 2011 10:20:56 -0800
Subject: [vpn-help] new windows login credentials?
In-Reply-To: <4D4F9591.6070805@shrew.net>
References: <4D4F7CC5.1030206@anastrophe.com> <4D4F9591.6070805@shrew.net>
Message-ID: <4D503808.9060504@anastrophe.com>

On 2/6/2011 10:47 PM, Matthew Grooms wrote:
> The 2.2.0 version includes an option for Secure Domain Login support.
> This is accomplished by installing a windows credentials provider on
> Windows Vista/7. If you don't want that option, you can re-install the
> client and uncheck the credentials provider to prevent the component
> from being installed. I'm not sure why it's being presented by default
> if you didn't manually select it during the Login process. I'll have a
> look at that before we do the next beta release.
>
> -Matthew

thanks matthew. i paid closer attention during the reinstall and indeed i see the credentials provider option. it was pre-selected, which is why i didn't notice it before.

this brings up another issue pertaining to installs - but i'll start a separate thread for that since it's unrelated.

--
Paul Theodoropoulos

From paul at anastrophe.com Mon Feb 7 12:27:05 2011
From: paul at anastrophe.com (Paul Theodoropoulos)
Date: Mon, 07 Feb 2011 10:27:05 -0800
Subject: [vpn-help] reinstall problems
Message-ID: <4D503979.2000607@anastrophe.com>

i've had this problem with all 2.2.0 versions - whenever i attempt a reinstall, my system bluescreens while the previous version is being removed. win7 64bit, realtek ethernet hardware/drivers. i have no wireless on this system. curiously, on my work laptop that does have wireless, reinstall does not bluescreen.

one might ask why i reinstall sometimes. well, also with the 2.2.0 versions, if i've used the vpn previously, and later my PC has gone into sleep mode, after coming out of sleep, i can no longer use the vpn. i either get 'failed to attach to key daemon' - or it'll go through the full sequence of reconnecting to the vpn apparently successfully - but i'll be unable to actually use the connection - my ssh sessions just time out. on my work laptop, all i need do is run a reinstall, and then the vpn will work again. but on my PC, as above, the reinstall bluescreens.

--
Paul Theodoropoulos
From mgrooms at shrew.net Mon Feb 7 12:48:25 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Mon, 07 Feb 2011 12:48:25 -0600
Subject: [vpn-help] reinstall problems
In-Reply-To: <4D503979.2000607@anastrophe.com>
References: <4D503979.2000607@anastrophe.com>
Message-ID: <4D503E79.9080402@shrew.net>

On 2/7/2011 12:27 PM, Paul Theodoropoulos wrote:
> i've had this problem with all 2.2.0 versions - whenever i attempt a
> reinstall, my system bluescreens while the previous version is being
> removed. win7 64bit, realtek ethernet hardware/drivers. i have no
> wireless on this system. curiously, on my work laptop that does have
> wireless, reinstall does not bluescreen.
>

I have seen Realtek device drivers cause problems many times before. Have you updated them to use the latest revision for your chipset?

There were very minor changes to the Shrew Soft drivers between 2.1.7 and 2.2.0. In fact, I just submitted them to WinQual yesterday for final certification and they passed with no issues. That means these driver binaries will be the version included in the 2.2.0 release, just with the additional Microsoft signatures.

> one might ask why i reinstall sometimes. well, also with the 2.2.0
> versions, if i've used the vpn previously, and later my PC has gone into
> sleep mode, after coming out of sleep, i can no longer use the vpn. i
> either get 'failed to attach to key daemon' - or it'll go through the
> full sequence of reconnecting to the vpn apparently successfully - but
> i'll be unable to actually use the connection - my ssh sessions just
> time out. on my work laptop, all i need do is run a reinstall, and then
> the vpn will work again. but on my PC, as above, the reinstall bluescreens.
>

Does stopping/starting the Shrew Soft ike/ipsec services resolve this issue or are you forced to re-install the software? It would also be helpful to see debug level output for this scenario if possible.

-Matthew

From nss at compu-skill.com Mon Feb 7 16:34:52 2011
From: nss at compu-skill.com (Noach Sumner)
Date: Tue, 8 Feb 2011 00:34:52 +0200
Subject: [vpn-help] reinstall problems
In-Reply-To: <4D503E79.9080402@shrew.net>
References: <4D503979.2000607@anastrophe.com> <4D503E79.9080402@shrew.net>

I have the same problem where after my computer sleeps I can't connect unless I restart (IFF I was connected when it went into sleep mode). I am almost always connected wirelessly with an Intel 3945ABG, on Windows 7 32 bit.

On Mon, Feb 7, 2011 at 8:48 PM, Matthew Grooms wrote:

> On 2/7/2011 12:27 PM, Paul Theodoropoulos wrote:
>
>> i've had this problem with all 2.2.0 versions - whenever i attempt a
>> reinstall, my system bluescreens while the previous version is being
>> removed. win7 64bit, realtek ethernet hardware/drivers. i have no
>> wireless on this system. curiously, on my work laptop that does have
>> wireless, reinstall does not bluescreen.
>>
>>
> I have seen Realtek device drivers cause problems many times before. Have
> you updated them to use the latest revision for your chipset?
>
> There were very minor changes to the Shrew Soft drivers between 2.1.7 and
> 2.2.0. In fact, I just submitted them to WinQual yesterday for final
> certification and they passed with no issues. That means these driver
> binaries will be the version included in the 2.2.0 release, just with the
> additional Microsoft signatures.
>
>
> one might ask why i reinstall sometimes. well, also with the 2.2.0
>> versions, if i've used the vpn previously, and later my PC has gone into
>> sleep mode, after coming out of sleep, i can no longer use the vpn. i
>> either get 'failed to attach to key daemon' - or it'll go through the
>> full sequence of reconnecting to the vpn apparently successfully - but
>> i'll be unable to actually use the connection - my ssh sessions just
>> time out. on my work laptop, all i need do is run a reinstall, and then
>> the vpn will work again. but on my PC, as above, the reinstall
>> bluescreens.
>>
>>
> Does stopping/starting the Shrew Soft ike/ipsec services resolve this issue
> or are you forced to re-install the software? It would also be helpful to
> see debug level output for this scenario if possible.
>
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
>

From mattlenco at yahoo.com Mon Feb 7 17:55:21 2011
From: mattlenco at yahoo.com (Matt Lenco)
Date: Mon, 7 Feb 2011 15:55:21 -0800 (PST)
Subject: [vpn-help] Juniper SSG-20/Shrew VPN client-
Message-ID: <336660.74735.qm@web46306.mail.sp1.yahoo.com>

I continually get this error message when configuring VPN users on the Juniper SSG-20 gateway.

Rejected an IKE packet on ethernet0/0 from 9.9.9.2:500 to 9.9.9.1:500 with cookies cbf74b95a72b9d43 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

Juniper won't support me unless I pay the $88/NCP vpn client. That's bs. I connect my laptop to the outside interface of the SSG-20 and change my ip address to 9.9.9.2/24 and I can ping the interface of the SSG 9.9.9.1/24. The VPN client tunnel negotiation fails with no possible solution. The Shrew client configuration is attached.

Thanks!

Matt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Shrew_VPN_Client_Error_Plus_Screenshots_of_Configured_Tabs.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 127800 bytes

From paul at anastrophe.com Tue Feb 8 00:50:20 2011
From: paul at anastrophe.com (Paul Theodoropoulos)
Date: Mon, 07 Feb 2011 22:50:20 -0800
Subject: [vpn-help] reinstall problems
In-Reply-To: <4D503E79.9080402@shrew.net>
References: <4D503979.2000607@anastrophe.com> <4D503E79.9080402@shrew.net>
Message-ID: <4D50E7AC.9080808@anastrophe.com>

On 2/7/2011 10:48 AM, Matthew Grooms wrote:
> I have seen Realtek device drivers cause problems many times before.
> Have you updated them to use the latest revision for your chipset?

it's a pretty recent revision (checking)...7.31.1025.2010, which apparently has only recently been superseded.

> There were very minor changes to the Shrew Soft drivers between 2.1.7
> and 2.2.0. In fact, I just submitted them to WinQual yesterday for final
> certification and they passed with no issues. That means these driver
> binaries will be the version included in the 2.2.0 release, just with
> the additional Microsoft signatures.

i also have openVPN adapter installed, though i haven't used it in ages. i wonder if uninstalling that might have any effect. i've kept it in place just in case an old client ever needed assistance again - but i can always reinstall...

> Does stopping/starting the Shrew Soft ike/ipsec services resolve this
> issue or are you forced to re-install the software? It would also be
> helpful to see debug level output for this scenario if possible.

haven't tried stop/start of the ike/ipsec services, will give it a try.

thanks for your excellent support!

--
Paul Theodoropoulos

From steve.harrold at eosemi.com Tue Feb 8 07:15:54 2011
From: steve.harrold at eosemi.com (Steve Harrold)
Date: Tue, 08 Feb 2011 13:15:54 +0000
Subject: [vpn-help] Netgear336 connection problems
Message-ID: <4D51420A.5070206@eosemi.com>

An HTML attachment was scrubbed...

From glen_di_persio at hotmail.com Tue Feb 8 07:36:05 2011
From: glen_di_persio at hotmail.com (Glen Di Persio)
Date: Tue, 8 Feb 2011 09:36:05 -0400
Subject: [vpn-help] Nortel Contivity VPN

I'm trying to connect to a Contivity VPN using Shrewsoft. The Contivity client connects with Diffie-Hellman group 8 (EC2N), while the Shrewsoft client only supports groups 1/2/5/14/15. The Contivity server will not respond to my initial ISAKMP packet from Shrewsoft. Is DH Group 8 a proprietary Nortel transform, or is it more widely used?

thanks,
Glen

From mattlenco at yahoo.com Tue Feb 8 14:58:47 2011
From: mattlenco at yahoo.com (Matt Lenco)
Date: Tue, 8 Feb 2011 12:58:47 -0800 (PST)
Subject: [vpn-help] LDAP Display Will Authenticate Users but Not the Userid
Message-ID: <801845.53887.qm@web46304.mail.sp1.yahoo.com>

By the way, I was just on the phone with the Juniper TAC for 2 hours. We got LDAP to work with the SSG-20 but you have to enter the display name and not the userid into the Shrew VPN client? John H. Doe instead of doej.

From mattlenco at yahoo.com Tue Feb 8 14:58:57 2011
From: mattlenco at yahoo.com (Matt Lenco)
Date: Tue, 8 Feb 2011 12:58:57 -0800 (PST)
Subject: [vpn-help] Tailor the VPN Client with My Company Logo?
Message-ID: <94651.89316.qm@web46302.mail.sp1.yahoo.com>

Is there a way to tailor the client with my company logo?

Thanks!

Matt
From pabouk at centrum.cz Mon Feb 14 17:43:59 2011
From: pabouk at centrum.cz (Vaclav Brozik)
Date: Tue, 15 Feb 2011 00:43:59 +0100
Subject: [vpn-help] no traffic passing through tunnel (Windows Vista SP2 32bit)
Message-ID: <20110214234359.B09A4100FDB64@mail1001.cent>

Hello,

I am testing Shrew Soft VPN Client 2.1.7 on Windows Vista SP2 32 bit. The VPN gateway is some Cisco device. It introduces itself as Cisco Systems, Inc ASA5520-K8.

The IKE negotiation completes successfully and a successful keep-alive packet exchange follows. Unfortunately no traffic passes the established VPN tunnel. It looks like there is an ARP or routing problem.

------ here is the virtual interface:

Ethernet adapter Local Area Connection* 42:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
   Physical Address. . . . . . . . . : AA-AA-AA-46-BC-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1fa:d425:d0c9:2bc4%134(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.94.48(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : -1968526678
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0E-70-91-69-00-1A-4B-61-1C-D2
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Disabled

------ relevant routes from the routing table:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.147.254  192.168.147.101    266
...
     192.168.94.0    255.255.255.0         On-link     192.168.94.48    286
    192.168.94.48  255.255.255.255         On-link     192.168.94.48    286
   192.168.94.255  255.255.255.255         On-link     192.168.94.48    286
     192.168.95.0    255.255.255.0         On-link     192.168.94.48     31
   192.168.95.255  255.255.255.255         On-link     192.168.94.48    286

192.168.94.0/24 - is the subnet for VPN client addresses
192.168.95.0/24 - is the remote subnet behind the VPN gateway I want to access

Notice that the routing table is set as if the remote subnet was connected directly to a local interface (there is no gateway set), so Windows needs to receive a reply to ARP when sending a packet to the remote subnet. Is the routing table supposed to be like this?

------ Unfortunately when I ping a remote address Windows receives no reply to the ARP request, resulting in a "destination unreachable" message:

C:\Windows\system32>ping 192.168.95.184

Pinging 192.168.95.184 with 32 bytes of data:
Reply from 192.168.94.48: Destination host unreachable.
Request timed out.

------ the ARP request captured using Wireshark (no reply was ever seen):

1 0.000000000 aa:aa:aa:46:3c:00 Broadcast ARP 42 Who has 192.168.95.184?  Tell 192.168.94.48

What is strange: the IPSEC service logs other ARP requests but not this one which does not get a reply.

------ this message sequence continuously repeats twice per second in the IPSEC service log:

11/02/14 23:28:33 K< : recv GET UNSPEC pfkey message
11/02/14 23:28:33 DB : sa found
11/02/14 23:28:33 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/02/14 23:28:33 DB : sa ref decrement ( ref count = 2, sa count = 2 )

------ message describing an unrelated ARP request to the local network:

11/02/14 23:28:44 ii : inspecting ARP request ...
11/02/14 23:28:44 DB : policy not found
11/02/14 23:28:44 ii : ignoring ARP request for 192.168.147.254, no policy found

------ message related to a request of another LAN machine asking for the address of my Windows machine:

11/02/14 23:29:23 ii : inspecting ARP request ...
11/02/14 23:29:23 !! : ARP packet has invalid header

(In fact the ARP request does not look wrong and is correctly replied to by my Windows machine.)

The ARP request sent from the Shrew Soft Virtual Adapter does not appear in the log at all! It seems that the VPN client does not see the ARP request. Also the "transferred" counters of the IPsec Security Associations stay at 0 all the time.

I tried a different internet connection (dialup over GPRS) too - no success.

Am I missing something in the VPN client or Windows configuration or could this be a bug in the VPN client?

Thank you in advance for your help.

Pabouk

From Rainer.Blaes at astrium.eads.net Tue Feb 15 08:02:07 2011
From: Rainer.Blaes at astrium.eads.net (Rainer Blaes)
Date: Tue, 15 Feb 2011 15:02:07 +0100
Subject: [vpn-help] SHREW Dial Up Client and SSG 320 with Certificates
Message-ID: <4D5A875F.7090608@astrium.eads.net>

Hi everybody,

2 weeks ago we set up a SHREW Dial Up VPN Client 2.1.7 connection to our SSG 350 device and the connection is working fine. Now we got a SSG 320 out of the box and imported the running SSG 350 configuration into it. Unfortunately the tunnel isn't coming up again; it seems to us that something is wrong within Phase 1. But what? Pls see here the iked.log entries:

11/02/15 12:04:20 ## : IKE Daemon, ver 2.1.7
11/02/15 12:04:20 ## : Copyright 2010 Shrew Soft Inc.
11/02/15 12:04:20 ## : This product linked OpenSSL 0.9.8h 28 May 2008
11/02/15 12:04:20 ii : opened 'C:\Programme\ShrewSoft\VPN Client\debug\iked.log'
11/02/15 12:04:20 ii : opened 'C:\Programme\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
11/02/15 12:04:20 ii : opened 'C:\Programme\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
11/02/15 12:04:20 ii : rebuilding vnet device list ...
11/02/15 12:04:20 ii : device ROOT\VNET\0000 disabled
11/02/15 12:04:20 ii : network process thread begin ...
11/02/15 12:04:20 ii : pfkey process thread begin ...
11/02/15 12:04:20 ii : ipc server process thread begin ...
11/02/15 12:07:44 ii : ipc client process thread begin ...
11/02/15 12:07:44 192.168.11.1:500
11/02/15 12:07:46 DB : fa229af570c7fb18:0000000000000000
11/02/15 12:07:46 DB : phase1 added ( obj count = 1 )
11/02/15 12:07:46 >> : security association payload
11/02/15 12:07:46 >> : - proposal #1 payload
11/02/15 12:07:46 >> : -- transform #1 payload
11/02/15 12:07:46 >> : -- transform #2 payload
11/02/15 12:07:46 >> : -- transform #3 payload
11/02/15 12:07:46 >> : -- transform #4 payload
11/02/15 12:07:46 >> : -- transform #5 payload
11/02/15 12:07:46 >> : -- transform #6 payload
11/02/15 12:07:46 >> : -- transform #7 payload
11/02/15 12:07:46 >> : -- transform #8 payload
11/02/15 12:07:46 >> : -- transform #9 payload
11/02/15 12:07:46 >> : -- transform #10 payload
11/02/15 12:07:46 >> : -- transform #11 payload
11/02/15 12:07:46 >> : -- transform #12 payload
11/02/15 12:07:46 >> : -- transform #13 payload
11/02/15 12:07:46 >> : -- transform #14 payload
11/02/15 12:07:46 >> : -- transform #15 payload
11/02/15 12:07:46 >> : -- transform #16 payload
11/02/15 12:07:46 >> : -- transform #17 payload
11/02/15 12:07:46 >> : -- transform #18 payload
11/02/15 12:07:46 >> : key exchange payload
11/02/15 12:07:46 >> : nonce payload
11/02/15 12:07:46 >> : cert request payload
11/02/15 12:07:46 >> : identification payload
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports XAUTH
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v00 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v01 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v02 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v03 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( rfc )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports FRAGMENTATION
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports DPDv1
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is SHREW SOFT compatible
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is NETSCREEN compatible
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is SIDEWINDER compatible
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is CISCO UNITY compatible
11/02/15 12:07:46 >= : cookies fa229af570c7fb18:0000000000000000
11/02/15 12:07:46 >= : message 00000000
11/02/15 12:07:46 -> : send IKE packet 192.168.11.3:500 -> 192.168.11.1:500 ( 1245 bytes )
11/02/15 12:07:46 DB : phase1 resend event scheduled ( ref count = 2 )
11/02/15 12:07:51 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:07:56 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:08:01 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:08:06 ii : resend limit exceeded for phase1 exchange
11/02/15 12:08:06 ii : phase1 removal before expire time
11/02/15 12:08:06 DB : phase1 deleted ( obj count = 0 )
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : tunnel stats event canceled ( ref count = 1 )
11/02/15 12:08:06 DB : removing tunnel config references
11/02/15 12:08:06 DB : removing tunnel phase2 references
11/02/15 12:08:06 DB : removing tunnel phase1 references
11/02/15 12:08:06 DB : tunnel deleted ( obj count = 0 )
11/02/15 12:08:06 DB : removing all peer tunnel refrences
11/02/15 12:08:06 DB : peer deleted ( obj count = 0 )
11/02/15 12:08:06 ii : ipc client process thread exit ...
11/02/15 12:11:51 ii : ipc client process thread begin ...
11/02/15 12:11:51 192.168.11.1:500
11/02/15 12:11:59 DB : 221f334a8c0e197f:0000000000000000
11/02/15 12:11:59 DB : phase1 added ( obj count = 1 )
11/02/15 12:11:59 >> : security association payload
11/02/15 12:11:59 >> : - proposal #1 payload
11/02/15 12:11:59 >> : -- transform #1 payload
11/02/15 12:11:59 >> : key exchange payload
11/02/15 12:11:59 >> : nonce payload
11/02/15 12:11:59 >> : cert request payload
11/02/15 12:11:59 >> : identification payload
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports XAUTH
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v00 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v01 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v02 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v03 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( rfc )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports FRAGMENTATION
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports DPDv1
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is SHREW SOFT compatible
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is NETSCREEN compatible
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is SIDEWINDER compatible
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is CISCO UNITY compatible
11/02/15 12:11:59 >= : cookies 221f334a8c0e197f:0000000000000000
11/02/15 12:11:59 >= : message 00000000
11/02/15 12:11:59 -> : send IKE packet 192.168.11.3:500 -> 192.168.11.1:500 ( 585 bytes )
11/02/15 12:11:59 DB : phase1 resend event scheduled ( ref count = 2 )
11/02/15 12:11:59 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:11:59 DB : phase1 found
11/02/15 12:11:59 ii : processing informational packet ( 64 bytes )
11/02/15 12:11:59 =< : cookies 221f334a8c0e197f:d3c668fbd6a61255
11/02/15 12:11:59 =< : message 00000000
11/02/15 12:11:59 << : notification payload
11/02/15 12:11:59 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:11:59 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:11:59 ii : - isakmp spi = 221f334a8c0e197f:d3c668fbd6a61255
11/02/15 12:11:59 ii : - data size 8
11/02/15 12:12:04 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:12:04 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:12:04 DB : phase1 found
11/02/15 12:12:04 ii : processing informational packet ( 64 bytes )
11/02/15 12:12:04 =< : cookies 221f334a8c0e197f:b6b9df9481bde6cb
11/02/15 12:12:04 =< : message 00000000
11/02/15 12:12:04 << : notification payload
11/02/15 12:12:04 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:12:04 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:12:04 ii : - isakmp spi = 221f334a8c0e197f:b6b9df9481bde6cb
11/02/15 12:12:04 ii : - data size 8
11/02/15 12:12:09 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:12:09 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:12:09 DB : phase1 found
11/02/15 12:12:09 ii : processing informational packet ( 64 bytes )
11/02/15 12:12:09 =< : cookies 221f334a8c0e197f:9e28c29bed6baea3
11/02/15 12:12:09 =< : message 00000000
11/02/15 12:12:09 << : notification payload
11/02/15 12:12:09 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:12:09 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:12:09 ii : - isakmp spi = 221f334a8c0e197f:9e28c29bed6baea3
11/02/15 12:12:09 ii : - data size 8
11/02/15 12:12:14 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:12:14 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:12:14 DB : phase1 found
11/02/15 12:12:14 ii : processing informational packet ( 64 bytes )
11/02/15 12:12:14 =< : cookies 221f334a8c0e197f:b3a30e0e8a811912
11/02/15 12:12:14 =< : message 00000000
11/02/15 12:12:14 << : notification payload
11/02/15 12:12:14 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:12:14 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:12:14 ii : - isakmp spi = 221f334a8c0e197f:b3a30e0e8a811912
11/02/15 12:12:14 ii : - data size 8
11/02/15 12:12:19 ii : resend limit exceeded for phase1 exchange
11/02/15 12:12:19 ii : phase1 removal before expire time
11/02/15 12:12:19 DB : phase1 deleted ( obj count = 0 )
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : tunnel stats event canceled ( ref count = 1 )
11/02/15 12:12:19 DB : removing tunnel config references
11/02/15 12:12:19 DB : removing tunnel phase2 references
11/02/15 12:12:19 DB : removing tunnel phase1 references
11/02/15 12:12:19 DB : tunnel deleted ( obj count = 0 )
11/02/15 12:12:19 DB : removing all peer tunnel refrences
11/02/15 12:12:19 DB : peer deleted ( obj count = 0 )
11/02/15 12:12:19 ii : ipc client process thread exit ...

Many thanks in advance!

Rainer
From pabouk at centrum.cz Tue Feb 15 08:57:34 2011
From: pabouk at centrum.cz (Vaclav Brozik)
Date: Tue, 15 Feb 2011 15:57:34 +0100
Subject: [vpn-help] SHREW Dial Up Client and SSG 320 with Certificates
In-Reply-To: <4D5A875F.7090608@astrium.eads.net>
References: <4D5A875F.7090608@astrium.eads.net>
Message-ID: <20110215145734.5F3396000A969@mail1014.cent>

Hi Rainer,

from the gateway you receive the message NO-PROPOSAL-CHOSEN:

11/02/15 12:11:59 ii : received peer NO-PROPOSAL-CHOSEN notification

This means that the gateway does not accept your proposals for phase 1. Check whether the phase 1 configuration on the client and on the gateway match. You can probably see more detailed information in the gateway logs, because for security reasons the gateway does not send a detailed reason for not accepting a proposal from your client.

It is strange that the gateway does not seem to respond at all to the first client attempt.

Regards,
Vaclav

From martin.kreutzer at iis.fraunhofer.de Fri Feb 18 06:43:03 2011
From: martin.kreutzer at iis.fraunhofer.de (Martin Kreutzer)
Date: Fri, 18 Feb 2011 13:43:03 +0100
Subject: [vpn-help] VPN Connection does not show up in network connections
Message-ID: <4D5E6957.1050008@iis.fraunhofer.de>

Hi,

I have the Shrew client 2.1.7 installed on Windows 7 Enterprise 64-bit. It works fine, but I do not get a connection icon in the "Network Connections" window (I hope that this is the English name for it; in German it's "Netzwerkverbindungen", the window which lists your network adapters). "ipconfig /all" shows it with the name "LAN-Verbindung* 2".

Any suggestions where to look for it?

Regards
Martin

--
Martin Kreutzer [Martin.Kreutzer at iis.fraunhofer.de]
IT Services
Fraunhofer IIS [www.iis.fraunhofer.de]
Am Wolfsmantel 33
91058 Erlangen
Germany
Tel.: +49 9131 776 2776
Fax.: +49 9131 776 2799

From shrew64 at gmail.com Fri Feb 18 10:20:05 2011
From: shrew64 at gmail.com (Da Da)
Date: Fri, 18 Feb 2011 17:20:05 +0100
Subject: [vpn-help] DPD parameters
Message-ID:

Hi,

First of all, thank you for this great piece of software.

I'm currently testing the VPN client on Windows x64 with WWAN access. I've been testing version 2.2b1 but rolled back to v2.1.7 due to stability issues of the IKED service (I can't reproduce these issues yet). So I'm back on v2.1.7 and it works fine except for one thing: the DPD feature disconnects the client very quickly if the gateway isn't reachable (about 10 seconds). As I create the VPN tunnel over a native mobile broadband connection, this is too short. Sometimes I'm on the train or moving and the WWAN connection is lost for a few seconds, and Windows recovers it without problem. But Shrew Soft VPN has already disconnected the tunnel...

If I disable the DPD feature, it works. When the WWAN connection comes up again, the SA is maintained and I receive packets again. However, this creates session timeout issues on the facing gateway.

A nice solution would be to increase the number of DPD retries, for it to be less aggressive. Is there a way to do it easily?

/David

From w2kfs1 at googlemail.com Mon Feb 21 09:13:56 2011
From: w2kfs1 at googlemail.com (w2kfs1)
Date: Mon, 21 Feb 2011 16:13:56 +0100
Subject: [vpn-help] Manual ShrewVPN to ZyXEL USG-Series
Message-ID:

Dear Shrew,

I have made a manual to connect our client to the ZyWALL USG series. It would be good if you put this manual on your website under Support.

Please note that the reference to the "old" ZyWALL series contains a mistake, because if you choose "Enable Multiple Proposals" in Phase 1 & 2, you can connect with wrong Phase 1 & 2 encryption settings; it's a leak!

Attached is the new manual for the USG series. If you need access for checking, please send me an email with your public IP.

Best Regards
Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ShrewVPN Client to ZyWALL USGx Series.pdf
Type: application/pdf
Size: 1416828 bytes
Desc: not available
URL:

From darrenn at jkdesign.com Tue Feb 22 09:20:32 2011
From: darrenn at jkdesign.com (Darren Nye)
Date: Tue, 22 Feb 2011 10:20:32 -0500
Subject: [vpn-help] unsubscribe
Message-ID: <00c401cbd2a4$0d106980$27313c80$@com>

unsubscribe

--
Darren L. Nye
VP Interactive & I.T.
JK Design
465 Amwell Road
Hillsborough, NJ 08844
P: 908 428 4700 Ext.12
F: 908 428 4701
E: darrenn at jkdesign.com
www.jkdesign.com

From huw at hermesmedical.com Thu Feb 24 06:19:06 2011
From: huw at hermesmedical.com (Huw Thomas)
Date: Thu, 24 Feb 2011 12:19:06 +0000
Subject: [vpn-help] Help with config
Message-ID:

Dear all,

I have a Shrew Soft configuration that connects to my NVS318g Netgear router with no problem (using Mode Config) from my Windows 7 Ultimate system. I successfully get assigned an IP address from the Mode Config range and can see devices on the remote network.

However, when I install the exact same Shrew Soft configuration on a Windows Home Premium laptop, it connects fine but doesn't get assigned an IP address from the Mode Config range, so I can't see the remote network.

Can you please help? I am using Shrew 2.1.7.

Thanks,
Huw

From stefan.bauer at cubewerk.de Fri Feb 25 05:23:23 2011
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Fri, 25 Feb 2011 12:23:23 +0100
Subject: [vpn-help] RW (shrew) -> swan (ipcop) - tunnel active - no packages back to RW
Message-ID: <4D67912B.1020302@cubewerk.de>

Hi folks,

I associated a tunnel between Shrew (WinXP) and IPCop (swan). According to the logs on both sides, the tunnel is active but no packets come back to the RW.

Here is a tcpdump on the server; my RW is 192.168.10.30, ipcop.localdomain is 172.20.0.1:

IP 192.168.10.30 > ipcop.localdomain: ICMP echo request, id 1536, seq 1024, length 40
IP ipcop.localdomain > 192.168.10.30: ICMP echo reply, id 1536, seq 1024, length 40

I checked whether the answer packets might get masqueraded, but I added an exception for the RW network:

Chain POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
   17  1316 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            !192.168.10.0/24

Still, I see no answer traffic on my roadwarrior Windows PC (sniffing traffic with libpcap / windump).

Some debug/infos here: http://www.plzk.de/ipsec.log

Ideas are greatly appreciated.

thanks
stefan

--
Stefan Bauer
-----------------------------------------
PGP: 36D1 1570 DCAD B767 EABE F60D 6BCA 7AD4 79EB C4EC
-------- plzk.de - Linux - because it works ----------

From stefan.bauer at cubewerk.de Sun Feb 27 14:09:52 2011
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Sun, 27 Feb 2011 21:09:52 +0100
Subject: [vpn-help] bugreport: gui + pkcs12 file import
Message-ID: <4D6AAF90.3040700@cubewerk.de>

Hi Matthew,

this is a bug report against the latest beta version for Windows. I guess I found 2 bugs: one in the GUI of the trace utility and one when using my PKCS#12 file. The PKCS#12 file was working fine with the stable version. I just switched to the beta because I had problems like those stated in "[vpn-help] RW (shrew) -> swan (ipcop) - tunnel active - no packages back to RW".

Please see the demonstration of both bugs here (turn speakers on): http://www.youtube.com/watch?v=3fGrxS3MULg

thanks in advance
stefan

From stefan.bauer at cubewerk.de Sun Feb 27 14:47:09 2011
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Sun, 27 Feb 2011 21:47:09 +0100
Subject: [vpn-help] RW (shrew) -> swan (ipcop) - tunnel active - no packages back to RW
In-Reply-To: <4D67912B.1020302@cubewerk.de>
References: <4D67912B.1020302@cubewerk.de>
Message-ID: <4D6AB84D.1050408@cubewerk.de>

On 25.02.2011 12:23, Stefan Bauer wrote:
> Hi folks,
>
> i associated a tunnel between shrew (winxp) and ipcop (swan).
>
> according to the logs on both sides, tunnel is active but no
> packages comes back to the RW.

After some network analysis: the packets do come back to the client but are not used by the client. I had an additional virtual IP address set up on the Ethernet interface on the client side in Windows XP. After removing this IP address, the packets were used by the Shrew client.

Matthew - is that a bug?

Stefan

From akmangalick at gmail.com Sun Feb 27 15:18:48 2011
From: akmangalick at gmail.com (A. Kumar Mangalick)
Date: Sun, 27 Feb 2011 13:18:48 -0800
Subject: [vpn-help] cannot install in Windows 7 64-bit
Message-ID: <000901cbd6c3$ede95610$c9bc0230$@gmail.com>

I'm unable to install the client software. Every time I've tried, the installer sits forever at the step indicating that drvcfg.exe is being executed. The CPU is at about 50% the entire time and I have had to kill the process after nearly 15 minutes. Then the software is listed among the installed programs, so I've tried to uninstall it. However, the same thing happens at the step that involves drvcfg.exe. Now I cannot uninstall.

Kumar

From stefan.bauer at cubewerk.de Sun Feb 27 16:15:03 2011
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Sun, 27 Feb 2011 23:15:03 +0100
Subject: [vpn-help] cannot install in Windows 7 64-bit
In-Reply-To: <000901cbd6c3$ede95610$c9bc0230$@gmail.com>
References: <000901cbd6c3$ede95610$c9bc0230$@gmail.com>
Message-ID: <4D6ACCE7.7060904@cubewerk.de>

On 27.02.2011 22:18, A. Kumar Mangalick wrote:
> I'm unable to install the client software. Every time I've tried, the
> installer sits forever at the step indicating that drvcfg.exe is being
> executed. The CPU is at about 50% the entire time and I have had to kill
> the process after nearly 15 minutes. Then the software is listed among the
> installed programs, so I've tried to uninstall it. However, the same thing
> happens at the step that involves drvcfg.exe. Now I cannot uninstall.

Give it a try in Windows safe mode?

Stefan

From florian.beckmann at camunda.com Mon Feb 28 06:50:39 2011
From: florian.beckmann at camunda.com (Florian Beckmann)
Date: Mon, 28 Feb 2011 13:50:39 +0100
Subject: [vpn-help] timeout for svn repos
Message-ID: <201102281350.40013.florian.beckmann@camunda.com>

Hi Matthew,

I had the same build error as described in "ike-2.2.0-beta-1 make errors" by Steve. I tried to fetch HEAD from svn://svn.shrew.net/ike/head but the repository seems to be down. Did it move?

Cheers
Florian

From florian.beckmann at camunda.com Mon Feb 28 05:09:02 2011
From: florian.beckmann at camunda.com (Florian Beckmann)
Date: Mon, 28 Feb 2011 11:09:02 +0000 (UTC)
Subject: [vpn-help] ike-2.2.0-beta-1 make errors
References: <4D4C4484.6040603@eosemi.com> <4D4EDD9D.8050508@shrew.net>
Message-ID:

Matthew Grooms writes:
> I just fixed the build issues. Please pull down a copy from svn and give
> it another try.
>
> svn export svn://svn.shrew.net/ike/head
>
> -Matthew

Hi Matthew,

I have the same problem as described above, but right now I'm unable to reach the Subversion repository (timeout) to try the head build.

cheers
Florian

From t.steffen at gmx.de Sun Feb 27 08:50:11 2011
From: t.steffen at gmx.de (Thorsten Steffen)
Date: Sun, 27 Feb 2011 15:50:11 +0100
Subject: [vpn-help] Problems using shrew to connect to ns5gt
Message-ID:

Hi guys,

I'm trying to connect to a Juniper NS5GT (Hardware Version: 1010, Firmware Version: 6.2.0r2.0 Firewall+VPN) with Shrew VPN Client 2.1.7 (running on Win7 64-bit) without success. I used http://www.shrew.net/support/wiki/HowtoJuniperSsg to configure both sides.

Messages in the Shrew client window are
===
config loaded for site '222.61.123.22'
configuring client settings...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
user authentication error
tunnel disabled
detached from key daemon ...
===

Error messages on the Juniper are
===
2011-02-27 15:27:29 info IKE 62.143.130.124: XAuth login failed for gateway vpnclient_gateway, username thorsten, retry: 0, timeout: 1.
2011-02-27 15:27:29 info Rejected an IKE packet on ethernet3 from 62.143.130.124:4500 to 222.61.123.22:4500 with cookies e11944da1f039872 and b6cc949745492852 because A Phase 2 packet arrived while XAuth was still pending.
2011-02-27 15:27:29 info IKE 62.143.130.124 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2011-02-27 15:27:29 info IKE 62.143.130.124 Phase 1: Completed for user client.jersa.de.
2011-02-27 15:27:29 info IKE<62.143.130.124> Phase 1: IKE responder has detected NAT in front of the remote device.
2011-02-27 15:27:29 info IKE<62.143.130.124> Phase 1: IKE responder has detected NAT in front of the local device.
2011-02-27 15:27:29 info IKE 62.143.130.124 phase 1:The symmetric crypto key has been generated successfully.
2011-02-27 15:27:29 info IKE 62.143.130.124 Phase 1: Responder starts AGGRESSIVE mode negotiations.
===

The password for user thorsten is correct; I already tried to connect with a wrong password and got a different error message.

The Shrew configuration is
===
n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:phase2-keylen:0
s:network-host:222.61.123.22
s:client-auto-mode:push
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:client.jersa.de
s:ident-server-data:vpngw.jersa.de
b:auth-mutual-psk:dGVzdDJURVNU
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-level:auto
s:policy-list-include:10.1.1.0 / 255.255.255.0
===

The Shrew debug log is
===
11/02/27 15:15:44 ii : ipc client process thread begin ...
11/02/27 15:15:44 222.61.123.22:500
11/02/27 15:15:44 DB : e11944da1f039872:0000000000000000
11/02/27 15:15:44 DB : phase1 added ( obj count = 1 )
11/02/27 15:15:44 >> : security association payload
11/02/27 15:15:44 >> : - proposal #1 payload
11/02/27 15:15:44 >> : -- transform #1 payload
11/02/27 15:15:44 >> : -- transform #2 payload
11/02/27 15:15:44 >> : -- transform #3 payload
11/02/27 15:15:44 >> : -- transform #4 payload
11/02/27 15:15:44 >> : -- transform #5 payload
11/02/27 15:15:44 >> : -- transform #6 payload
11/02/27 15:15:44 >> : -- transform #7 payload
11/02/27 15:15:44 >> : -- transform #8 payload
11/02/27 15:15:44 >> : -- transform #9 payload
11/02/27 15:15:44 >> : -- transform #10 payload
11/02/27 15:15:44 >> : -- transform #11 payload
11/02/27 15:15:44 >> : -- transform #12 payload
11/02/27 15:15:44 >> : -- transform #13 payload
11/02/27 15:15:44 >> : -- transform #14 payload
11/02/27 15:15:44 >> : -- transform #15 payload
11/02/27 15:15:44 >> : -- transform #16 payload
11/02/27 15:15:44 >> : -- transform #17 payload
11/02/27 15:15:44 >> : -- transform #18 payload
11/02/27 15:15:44 >> : key exchange payload
11/02/27 15:15:44 >> : nonce payload
11/02/27 15:15:44 >> : identification payload
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports XAUTH
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( draft v00 )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( draft v01 )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( draft v02 )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( draft v03 )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( rfc )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports FRAGMENTATION
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports DPDv1
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local is SHREW SOFT compatible
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local is NETSCREEN compatible
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local is SIDEWINDER compatible
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local is CISCO UNITY compatible
11/02/27 15:15:44 >= : cookies e11944da1f039872:0000000000000000
11/02/27 15:15:44 >= : message 00000000
11/02/27 15:15:44 -> : send IKE packet 10.0.0.100:500 -> 222.61.123.22:500 ( 1191 bytes )
11/02/27 15:15:44 DB : phase1 resend event scheduled ( ref count = 2 )
11/02/27 15:15:45 <- : recv IKE packet 222.61.123.22:500 -> 10.0.0.100:500 ( 446 bytes )
11/02/27 15:15:45 DB : phase1 found
11/02/27 15:15:45 ii : processing phase1 packet ( 446 bytes )
11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 =< : message 00000000
11/02/27 15:15:45 << : security association payload
11/02/27 15:15:45 << : - propsal #1 payload
11/02/27 15:15:45 << : -- transform #1 payload
11/02/27 15:15:45 ii : unmatched isakmp proposal/transform
11/02/27 15:15:45 ii : key length ( 128 != 256 )
11/02/27 15:15:45 ii : unmatched isakmp proposal/transform
11/02/27 15:15:45 ii : key length ( 128 != 256 )
11/02/27 15:15:45 ii : unmatched isakmp proposal/transform
11/02/27 15:15:45 ii : key length ( 128 != 192 )
11/02/27 15:15:45 ii : unmatched isakmp proposal/transform
11/02/27 15:15:45 ii : key length ( 128 != 192 )
11/02/27 15:15:45 !! : peer violates RFC, transform number mismatch ( 1 != 5 )
11/02/27 15:15:45 ii : matched isakmp proposal #1 transform #1
11/02/27 15:15:45 ii : - transform = ike
11/02/27 15:15:45 ii : - cipher type = aes
11/02/27 15:15:45 ii : - key length = 128 bits
11/02/27 15:15:45 ii : - hash type = md5
11/02/27 15:15:45 ii : - dh group = modp-1024
11/02/27 15:15:45 ii : - auth type = xauth-initiator-psk
11/02/27 15:15:45 ii : - life seconds = 86400
11/02/27 15:15:45 ii : - life kbytes = 0
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : unknown vendor id ( 28 bytes )
11/02/27 15:15:45 0x : 71957fc3 620a4219 70709668 132e871a 332378fc 0000000b 00000614
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : peer supports XAUTH
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : peer supports DPDv1
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : peer supports HEARTBEAT-NOTIFY
11/02/27 15:15:45 << : key exchange payload
11/02/27 15:15:45 << : nonce payload
11/02/27 15:15:45 << : identification payload
11/02/27 15:15:45 ii : phase1 id match
11/02/27 15:15:45 ii : received = fqdn vpngw.jersa.de
11/02/27 15:15:45 << : hash payload
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : peer supports nat-t ( draft v02 )
11/02/27 15:15:45 << : nat discovery payload
11/02/27 15:15:45 << : nat discovery payload
11/02/27 15:15:45 ii : nat discovery - local address is translated
11/02/27 15:15:45 ii : switching to src nat-t udp port 4500
11/02/27 15:15:45 ii : switching to dst nat-t udp port 4500
11/02/27 15:15:45 == : DH shared secret ( 128 bytes )
11/02/27 15:15:45 == : SETKEYID ( 16 bytes )
11/02/27 15:15:45 == : SETKEYID_d ( 16 bytes )
11/02/27 15:15:45 == : SETKEYID_a ( 16 bytes )
11/02/27 15:15:45 == : SETKEYID_e ( 16 bytes )
11/02/27 15:15:45 == : cipher key ( 16 bytes )
11/02/27 15:15:45 == : cipher iv ( 16 bytes )
11/02/27 15:15:45 == : phase1 hash_i ( computed ) ( 16 bytes )
11/02/27 15:15:45 >> : hash payload
11/02/27 15:15:45 >> : nat discovery payload
11/02/27 15:15:45 >> : nat discovery payload
11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 >= : message 00000000
11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )
11/02/27 15:15:45 == : encrypt packet ( 88 bytes )
11/02/27 15:15:45 == : stored iv ( 16 bytes )
11/02/27 15:15:45 DB : phase1 resend event canceled ( ref count = 1 )
11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 124 bytes )
11/02/27 15:15:45 == : phase1 hash_r ( computed ) ( 16 bytes )
11/02/27 15:15:45 == : phase1 hash_r ( received ) ( 16 bytes )
11/02/27 15:15:45 ii : phase1 sa established
11/02/27 15:15:45 ii : 222.61.123.22:4500 <-> 10.0.0.100:4500
11/02/27 15:15:45 ii : e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 ii : sending peer INITIAL-CONTACT notification
11/02/27 15:15:45 ii : - 10.0.0.100:4500 -> 222.61.123.22:4500
11/02/27 15:15:45 ii : - isakmp spi = e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 ii : - data size 0
11/02/27 15:15:45 >> : hash payload
11/02/27 15:15:45 >> : notification payload
11/02/27 15:15:45 == : new informational hash ( 16 bytes )
11/02/27 15:15:45 == : new informational iv ( 16 bytes )
11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 >= : message a0c38ba0
11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )
11/02/27 15:15:45 == : encrypt packet ( 76 bytes )
11/02/27 15:15:45 == : stored iv ( 16 bytes )
11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 108 bytes )
11/02/27 15:15:45 DB : phase2 not found
11/02/27 15:15:45 <- : recv NAT-T:IKE packet 222.61.123.22:4500 -> 10.0.0.100:4500 ( 76 bytes )
11/02/27 15:15:45 DB : phase1 found
11/02/27 15:15:45 ii : processing config packet ( 76 bytes )
11/02/27 15:15:45 DB : config not found
11/02/27 15:15:45 DB : config added ( obj count = 1 )
11/02/27 15:15:45 == : new config iv ( 16 bytes )
11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 =< : message 55466abc
11/02/27 15:15:45 =< : decrypt iv ( 16 bytes )
11/02/27 15:15:45 == : decrypt packet ( 76 bytes )
11/02/27 15:15:45 <= : trimmed packet padding ( 8 bytes )
11/02/27 15:15:45 <= : stored iv ( 16 bytes )
11/02/27 15:15:45 << : hash payload
11/02/27 15:15:45 << : attribute payload
11/02/27 15:15:45 == : configure hash_i ( computed ) ( 16 bytes )
11/02/27 15:15:45 == : configure hash_c ( computed ) ( 16 bytes )
11/02/27 15:15:45 ii : configure hash verified
11/02/27 15:15:45 ii : - xauth authentication type
11/02/27 15:15:45 ii : - xauth username
11/02/27 15:15:45 ii : - xauth password
11/02/27 15:15:45 ii : received basic xauth request -
11/02/27 15:15:45 ii : - standard xauth username
11/02/27 15:15:45 ii : - standard xauth password
11/02/27 15:15:45 ii : sending xauth response for thorsten
11/02/27 15:15:45 >> : hash payload
11/02/27 15:15:45 >> : attribute payload
11/02/27 15:15:45 == : new configure hash ( 16 bytes )
11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 >= : message 55466abc
11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )
11/02/27 15:15:45 == : encrypt packet ( 84 bytes )
11/02/27 15:15:45 == : stored iv ( 16 bytes )
11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 124 bytes )
11/02/27 15:15:45 DB : config resend event scheduled ( ref count = 2 )
11/02/27 15:15:45 <- : recv NAT-T:IKE packet 222.61.123.22:4500 -> 10.0.0.100:4500 ( 92 bytes )
11/02/27 15:15:45 DB : phase1 found
11/02/27 15:15:45 ii : processing config packet ( 92 bytes )
11/02/27 15:15:45 DB : config found
11/02/27 15:15:45 == : new config iv ( 16 bytes )
11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 =< : message 577a08a9
11/02/27 15:15:45 =< : decrypt iv ( 16 bytes )
11/02/27 15:15:45 == : decrypt packet ( 92 bytes )
11/02/27 15:15:45 <= : trimmed packet padding ( 12 bytes )
11/02/27 15:15:45 <= : stored iv ( 16 bytes )
11/02/27 15:15:45 << : hash payload
11/02/27 15:15:45 << : attribute payload
11/02/27 15:15:45 == : configure hash_i ( computed ) ( 16 bytes )
11/02/27 15:15:45 == : configure hash_c ( computed ) ( 16 bytes )
11/02/27 15:15:45 ii : configure hash verified
11/02/27 15:15:45 ii : received config push request
11/02/27 15:15:45 ii : - IP4 Address
11/02/27 15:15:45 ii : - IP4 Netmask
11/02/27 15:15:45 ii : - IP4 DNS Server = 10.1.1.1
11/02/27 15:15:45 ii : building config attribute list
11/02/27 15:15:45 ii : - IP4 DNS Server
11/02/27 15:15:45 ii : sending config push acknowledge
11/02/27 15:15:45 >> : hash payload
11/02/27 15:15:45 >> : attribute payload
11/02/27 15:15:45 == : new configure hash ( 16 bytes )
11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 >= : message 577a08a9
11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )
11/02/27 15:15:45 == : encrypt packet ( 60 bytes )
11/02/27 15:15:45 == : stored iv ( 16 bytes )
11/02/27 15:15:45 DB : config resend event canceled ( ref count = 1 )
11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 92 bytes )
11/02/27 15:15:45 DB : config resend event scheduled ( ref count = 2 )
11/02/27 15:15:45 <- : recv NAT-T:IKE packet 222.61.123.22:4500 -> 10.0.0.100:4500 ( 76 bytes )
11/02/27 15:15:45 DB : phase1 found
11/02/27 15:15:45 ii : processing config packet ( 76 bytes )
11/02/27 15:15:45 DB : config found
11/02/27 15:15:45 == : new config iv ( 16 bytes )
11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 =< : message 84591a7f
11/02/27 15:15:45 =< : decrypt iv ( 16 bytes )
11/02/27 15:15:45 == : decrypt packet ( 76 bytes )
11/02/27 15:15:45 <= : trimmed packet padding ( 16 bytes )
11/02/27 15:15:45 <= : stored iv ( 16 bytes )
11/02/27 15:15:45 << : hash payload
11/02/27 15:15:45 << : attribute payload
11/02/27 15:15:45 == : configure hash_i ( computed ) ( 16 bytes )
11/02/27 15:15:45 == : configure hash_c ( computed ) ( 16 bytes )
11/02/27 15:15:45 ii : configure hash verified
11/02/27 15:15:45 ii : received xauth result -
11/02/27 15:15:45 !! : user thorsten authentication failed
11/02/27 15:15:45 DB : phase1 soft event canceled ( ref count = 3 )
11/02/27 15:15:45 DB : phase1 hard event canceled ( ref count = 2 )
11/02/27 15:15:45 DB : phase1 dead event canceled ( ref count = 1 )
11/02/27 15:15:45 ii : sending peer DELETE message
11/02/27 15:15:45 ii : - 10.0.0.100:4500 -> 222.61.123.22:4500
11/02/27 15:15:45 ii : - isakmp spi = e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 ii : - data size 0
11/02/27 15:15:45 >> : hash payload
11/02/27 15:15:45 >> : delete payload
11/02/27 15:15:45 == : new informational hash ( 16 bytes )
11/02/27 15:15:45 == : new informational iv ( 16 bytes )
11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 >= : message a29a73fe
11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )
11/02/27 15:15:45 == : encrypt packet ( 76 bytes )
11/02/27 15:15:45 == : stored iv ( 16 bytes )
11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 108 bytes )
11/02/27 15:15:45 DB : config resend event canceled ( ref count = 1 )
11/02/27 15:15:45 DB : config deleted ( obj count = 0 )
11/02/27 15:15:45 ii : phase1 removal before expire time
11/02/27 15:15:45 DB : phase1 deleted ( obj count = 0 )
11/02/27 15:15:45 DB : policy not found
11/02/27 15:15:45 DB : policy not found
11/02/27 15:15:45 DB : policy not found
11/02/27 15:15:45 DB : policy not found
11/02/27 15:15:45 DB : policy not found
11/02/27 15:15:45 DB : policy not found
11/02/27 15:15:45 DB : tunnel dpd event canceled ( ref count = 3 )
11/02/27 15:15:45 DB : tunnel natt event canceled ( ref count = 2 )
11/02/27 15:15:45 DB : tunnel stats event canceled ( ref count = 1 )
11/02/27 15:15:45 DB : removing tunnel config references
11/02/27 15:15:45 DB : removing tunnel phase2 references
11/02/27 15:15:45 DB : removing tunnel phase1 references
11/02/27 15:15:45 DB : tunnel deleted ( obj count = 0 )
11/02/27 15:15:45 DB : removing all peer tunnel refrences
11/02/27 15:15:45 DB : peer deleted ( obj count = 0 )
11/02/27 15:15:45 ii : ipc client process thread exit ...
===

I think "user thorsten authentication failed" is the relevant message.

The Juniper debug log (debug ike detail) is
===
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 1191, action 1
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 1163 bytes from socket.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ******
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 1163 bytes. src port 500
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 1163, nxp 1[SA], exch 4[AG], flag 00
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
## 2011-02-27 15:34:06 : [VID] [VID] [VID] [VID] [VID] [VID] [VID]
## 2011-02-27 15:34:06 : valid id checking, id type:FQDN, len:23.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > Validate (1135): SA/716 KE/132 NONCE/24 ID/23 VID/12 VID/20 VID/20 VID/20 VID/20
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Receive Id in AG mode, id-type=2, id=client.jersa.de, idlen = 15
## 2011-02-27 15:34:06 : locate peer entry for (2/client.jersa.de), by identity.
## 2011-02-27 15:34:06 : Found identity in group <1> user id <1>.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Found peer entry (vpnclient_gateway) from 62.143.130.124.
## 2011-02-27 15:34:06 : responder create sa: 62.143.130.124->222.61.123.22
## 2011-02-27 15:34:06 : init p1sa, pidt = 0x0
## 2011-02-27 15:34:06 : change peer identity for p1 sa, pidt = 0x0
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > peer_identity_create_with_uid: uid<0>
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > create peer identity 0x622a4c0
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry before add <1>
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry after add <2>
## 2011-02-27 15:34:06 : peer identity 622a4c0 created.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > EDIPI disabled
## 2011-02-27 15:34:06 : IKE<62.143.130.124> getProfileFromP1Proposal->
## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[0]=<00000005 00000002 00000001 00000002> for p1 proposal (id 5), xauth(1)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[1]=<00000005 00000001 00000001 00000002> for p1 proposal (id 4), xauth(1)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[2]=<00000007 00000002 00000001 00000002> for p1 proposal (id 7), xauth(1)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[3]=<00000007 00000001 00000001 00000002> for p1 proposal (id 6), xauth(1)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> responder create sa: 62.143.130.124->222.61.123.22
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1: Responder starts AGGRESSIVE mode negotiations.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> AG in state OAK_AG_NOSTATE.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 09 00 26 89 df d6 b7 12
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv XAUTH v6.0 vid
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-00).
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 16 f6 ca 16 e4 a4 06 6d 83 82 1a 0f 0a ea a8 62
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-02).
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
## 2011-02-27 15:34:06 : 80 00 00 00
## 2011-02-27 15:34:06 : IKE<62.143.130.124> receive unknown vendor ID payload
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : f1 4b 94 b7 bf f1 fe f0 27 73 b8 c4 9f ed ed 26
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 16 6f 93 2d 55 eb 64 d8 e4 df 4f d3 7e 23 13 f0
## 2011-02-27 15:34:06 : d0 fd 84 51
## 2011-02-27 15:34:06 : IKE<62.143.130.124> receive unknown vendor ID payload
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 84 04 ad f9 cd a0 57 60 b2 ca 29 2e 4b ff 53 7b
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [SA]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(256)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(256)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(192)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(192)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2)
## 2011-02-27 15:34:06 :
IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1 proposal [3] selected. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> SA Life Type = seconds ## 2011-02-27 15:34:06 : IKE<62.143.130.124> SA lifetime (TLV) = 86400 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > dh group 2 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> DH_BG_consume OK. p1 resp ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [KE]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing ISA_KE in phase 1. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [NONCE]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing NONCE in phase 1. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [ID]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID received: type=ID_FQDN, FQDN = client.jersa.de, port=0, protocol=0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> process_id need to update peer entry, cur . ## 2011-02-27 15:34:06 : locate peer entry for (2/client.jersa.de), by identity. ## 2011-02-27 15:34:06 : Found identity in group <1> user id <1>. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Dynamic peer IP addr, search peer by identity. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> peer gateway entry has no peer id configured ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID processed. return 0. sa->p1_state = 0. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1 AG Responder constructing 2nd message. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload #1) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [SA] for ISAKMP ## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: disabled ## 2011-02-27 15:34:06 : IKE<62.143.130.124> lifetime/lifesize (86400/0) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct NetScreen [VID] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct custom [VID] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct custom [VID] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct custom [VID] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [KE] for ISAKMP ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [NONCE] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> gen_skeyid() ## 2011-02-27 15:34:06 : IKE<62.143.130.124> gen_skeyid: returning 0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [ID] for ISAKMP ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Use vpngw.jersa.de as IKE p1 ID. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Use vpngw.jersa.de as IKE p1 ID. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID, len=18, type=2, pro=17, port=500, ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct NAT-T [VID]: draft 2 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder psk ag mode: natt vid constructed. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> responder (psk) constructing remote NAT-D ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [NATD] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> responder (psk) constructing local NAT-D ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [NATD] ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit : [SA] [VID] [VID] [VID] [VID] [KE] [NONCE] [ID] [HASH] ## 2011-02-27 15:34:06 : [VID] [NATD] [NATD] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP 62.143.130.124/port 500 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 1 packet (len=446) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<5/91180f> ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 124, action 0 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 108, action 0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 96 bytes from socket. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ****** ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 96 bytes. src port 4500 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 92, nxp 8[HASH], exch 4[AG], flag 01 E ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 64) ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [NATD] [NATD] ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > extract payload (64): ## 2011-02-27 15:34:06 : IKE<62.143.130.124> AG in state OAK_AG_INIT_EXCH. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [NATD]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [NATD]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [HASH]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID, len=19, type=2, pro=0, port=0, ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ## 2011-02-27 15:34:06 : IKE<62.143.130.124> completing Phase 1 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> sa_pidt = 622a4c0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> adjusting phase 1 hash ## 2011-02-27 15:34:06 : IKE<62.143.130.124> found existing peer identity 0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1: Completed for ip <62.143.130.124>, user ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1: Completed Aggressive mode negotiation with a <28800>-second lifetime. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth is started: server, p1responder, aggr mode. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> start_xauth() ## 2011-02-27 15:34:06 : IKE<62.143.130.124> start_xauth(): as:0 ac:-1 enable:1 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: accounting server id 0 (use auth server as acct server). ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: xauthstatus 20. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16520, val 0 added, len 0. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16521, val empty string, type <16521> added, len 0. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16522, val empty string, type <16522> added, len 0. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry... ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new 22199719) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload #8) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH] ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload: ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 20, type 1, identifier 61307. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > basic attr type 16520, valint 0 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 16521, vallen 0, valstr empty string, type <16521> ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 16522, vallen 0, valstr empty string, type <16522> ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ## 2011-02-27 15:34:06 : IKE<62.143.130.124> construct QM HASH ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit*: [HASH] [IKECFG] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Encrypt P2 payload (len 68) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP 62.143.130.124/port 4500 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 2 packet (len=76) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg packet sent. msgid 22199719, len: 68, peer<62.143.130.124> ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state machine: 20 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f> ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 80 bytes from socket. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ****** ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 80 bytes. src port 4500 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 76, nxp 8[HASH], exch 5[INFO], flag 01 E ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry... ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new b90d3f73) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 48) ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [NOTIF] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Need to pass XAUTH first. 
Silently Discard packet. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Delete conn entry... ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...found conn entry(b90d3f73) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f> ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 124, action 0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 96 bytes from socket. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ****** ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 96 bytes. src port 4500 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 92, nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 64) ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [IKECFG] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [IKECFG]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing IKECFG payload. msgid 22199719, msgtype 2, payload ID 61307 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload: ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 36, type 2, identifier 61307. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > basic attr type 16520, valint 0 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 16521, vallen 8, valstr thorste ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 16522, vallen 8, valstr thorste ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16520, val 0 added, len 0. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16521, val thorste added, len 8. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16522, val thorste added, len 8. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server got type: 16520 v<0> ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server got var type: 16521 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server got var type: 16522 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server entering state machine: 20 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: accounting server id 0 (use auth server as acct server). ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: xauthstatus 20. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_auth_pap: authing locally: uname thorsten, passwd *** SUCCESS ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Get config for client(local auth) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_assign_client_cfg(): Sa->ip_addr = 0x0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> getting xauth local user remote setting ## 2011-02-27 15:34:06 : IKE<62.143.130.124> getting xauth local user IP from pool ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Don't do xauth RADIUS accounting. Send cfg to client directly. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_send_client_cfg: ip 10.1.2.1, v4mask 255.255.255.255 dns1 10.1.1.1, dns2 0.0.0.0, win1 0.0.0.0, win2 0.0.0.0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_send_client_cfg v6: id ::, prefix ::/0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_send_client_cfg v6: dns1 ::, dns2 ::, win1 ::, win2 :: ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 1, val 10.1.2.1 added, len 4. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 2, val 255.255.255.255 added, len 4. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 3, val 10.1.1.1 added, len 4. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry... ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new 85594f12) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header. 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload #8) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH] ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload: ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 32, type 3, identifier 61307. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 1, vallen 4, valstr 10.1.2.1 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 2, vallen 4, valstr 255.255.255.255 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 3, vallen 4, valstr 10.1.1.1 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ## 2011-02-27 15:34:06 : IKE<62.143.130.124> construct QM HASH ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit*: [HASH] [IKECFG] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Encrypt P2 payload (len 80) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP 62.143.130.124/port 4500 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 2 packet (len=92) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg packet sent. msgid 85594f12, len: 80, peer<62.143.130.124> ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state machine: 90 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f> ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 92, action 0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 64 bytes from socket. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ****** ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 64 bytes. 
src port 4500 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 60, nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 32) ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [IKECFG] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [IKECFG]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing IKECFG payload. msgid 85594f12, msgtype 4, payload ID 61307 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload: ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 12, type 4, identifier 61307. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 3, vallen 0, valstr 64.137.0.8 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 3, val 0.0.0.0 added, len 0. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server entering state machine: 90 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: accounting server id 0 (use auth server as acct server). ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: xauthstatus 90. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state machine: -1 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16527, val 0 added, len 0. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry... ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new e5ce2681) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload #8) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH] ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload: ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 12, type 3, identifier 61307. 
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > basic attr type 16527, valint 0 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ## 2011-02-27 15:34:06 : IKE<62.143.130.124> construct QM HASH ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit*: [HASH] [IKECFG] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Encrypt P2 payload (len 60) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP 62.143.130.124/port 4500 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 2 packet (len=76) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg packet sent. msgid e5ce2681, len: 60, peer<62.143.130.124> ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_failed() ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth login FAILED. gw , username , retry: 0, timeout: 1 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_cleanup() ## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE Xauth: release prefix route, ret=<-2>. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> XAUTH-failed: clear p2sa for p1sa(0x22b2268). ## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f> ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 108, action 0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 80 bytes from socket. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ****** ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 80 bytes. src port 4500 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 76, nxp 8[HASH], exch 5[INFO], flag 01 E ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry... 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new 96990a95) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 48) ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [DELETE] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [DELETE]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> DELETE payload received, deleting Phase-1 SA ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Delete conn entry... ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...found conn entry(96990a95) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f> ## 2011-02-27 15:34:07 : IKE<0.0.0.0 > dh group 2 ## 2011-02-27 15:34:08 : reap_db. deleting p1sa 22b2268 ## 2011-02-27 15:34:08 : terminate_SA: trying to delete SA cause: 0 cond: 2 ## 2011-02-27 15:34:08 : IKE<62.143.130.124> Delete conn entry... ## 2011-02-27 15:34:08 : IKE<62.143.130.124> ...found conn entry(e5ce2681) ## 2011-02-27 15:34:08 : IKE<62.143.130.124> Delete conn entry... ## 2011-02-27 15:34:08 : IKE<62.143.130.124> ...found conn entry(85594f12) ## 2011-02-27 15:34:08 : IKE<62.143.130.124> Delete conn entry... ## 2011-02-27 15:34:08 : IKE<62.143.130.124> ...found conn entry(22199719) ## 2011-02-27 15:34:08 : IKE<62.143.130.124> xauth_cleanup() ## 2011-02-27 15:34:08 : IKE<62.143.130.124> Done cleaning up IKE Phase 1 SA ## 2011-02-27 15:34:08 : peer_identity_unregister_p1_sa. ## 2011-02-27 15:34:08 : IKE<0.0.0.0 > delete peer identity 0x622a4c0 ## 2011-02-27 15:34:08 : IKE<0.0.0.0 > peer_identity_remove_from_peer: num entry before remove <2> ## 2011-02-27 15:34:08 : peer_idt.c peer_identity_unregister_p1_sa 682: pidt deleted. === I think "xauth login FAILED. gw , username , retry: 0, timeout: 1" is the relevant message. Timestamps don't match because I took the debugs at different points of time. 
Configuration of juniper is === unset key protection enable set clock ntp set clock timezone 1 set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00 set vrouter trust-vr sharable set vrouter "untrust-vr" exit set vrouter "trust-vr" unset auto-route-export exit set service "Videoserver TCP 9999" protocol tcp src-port 0-65535 dst-port 9999-9999 set service "pcanywhere" protocol tcp src-port 0-65535 dst-port 5631-5631 set service "pcanywhere" + udp src-port 0-65535 dst-port 5632-5632 set service "POP3s" protocol tcp src-port 0-65535 dst-port 995-995 set service "SMTPs" protocol tcp src-port 0-65535 dst-port 465-465 set alg appleichat enable unset alg appleichat re-assembly enable unset alg p2p enable set alg sctp enable set auth-server "Local" id 0 set auth-server "Local" server-name "Local" set auth default auth server "Local" set auth radius accounting port 1646 set zone "Trust" vrouter "trust-vr" set zone "Untrust" vrouter "untrust-vr" set zone "DMZ" vrouter "trust-vr" set zone "VLAN" vrouter "trust-vr" set zone id 100 "vpn" set zone "Untrust-Tun" vrouter "trust-vr" set zone "Trust" tcp-rst set zone "Untrust" block unset zone "Untrust" tcp-rst set zone "MGT" block set zone "DMZ" tcp-rst unset zone "V1-Trust" tcp-rst unset zone "V1-Untrust" tcp-rst unset zone "VLAN" tcp-rst unset zone "vpn" tcp-rst set zone "Untrust" screen tear-drop set zone "Untrust" screen syn-flood set zone "Untrust" screen ping-death set zone "Untrust" screen ip-filter-src set zone "Untrust" screen land set zone "V1-Untrust" screen tear-drop set zone "V1-Untrust" screen syn-flood set zone "V1-Untrust" screen ping-death set zone "V1-Untrust" screen ip-filter-src set zone "V1-Untrust" screen land set interface "ethernet1" zone "Trust" set interface "ethernet2" zone "DMZ" set interface "ethernet3" zone "Untrust" set interface ethernet1 ip 10.1.1.1/24 set interface ethernet1 nat set interface ethernet2 ip 10.99.99.1/24 set interface ethernet2 nat set interface ethernet3 ip 
222.61.123.22/30 set interface ethernet3 route unset interface vlan1 ip set interface ethernet1 proxy dns unset interface vlan1 bypass-others-ipsec unset interface vlan1 bypass-non-ip set interface ethernet1 ip manageable unset interface ethernet2 ip manageable set interface ethernet3 ip manageable unset interface ethernet1 manage telnet unset interface ethernet1 manage snmp set interface ethernet3 manage ssh set interface ethernet3 manage ssl set interface ethernet3 vip interface-ip 9999 "HTTP" 10.99.99.99 unset interface ethernet1 dhcp server config next-server-ip unset interface ethernet1 dhcp server config updatable set flow tcp-mss unset flow no-tcp-seq-check set flow tcp-syn-check unset flow tcp-syn-bit-check set flow reverse-route clear-text prefer set flow reverse-route tunnel always set console page 0 set hostname nsjs set dbuf usb filesize 0 set pki authority default scep mode "auto" set pki x509 default cert-path partial set dns host dns3 0.0.0.0 set dns host name ns-5gt-205 10.1.1.1 set dns proxy set dns proxy enable set dns server-select domain * outgoing-interface ethernet3 primary-server 212.202.215.1 secondary-server 212.202.215.2 tertiary-server 194.8.194.60 set address "Trust" "10.1.1.0/24" 10.1.1.0 255.255.255.0 set address "DMZ" "10.255.255.0/24" 10.255.255.0 255.255.255.0 set address "DMZ" "10.99.99.0/24" 10.99.99.0 255.255.255.0 set ippool "vpnclient" 10.1.2.1 10.1.2.10 set user "thorsten" uid 2 set user "thorsten" type xauth set user "thorsten" remote ippool "vpnclient" set user "thorsten" password "***" unset user "thorsten" type auth set user "thorsten" "enable" set user "vpnclient_ph1id" uid 1 set user "vpnclient_ph1id" ike-id fqdn "client.jersa.de" share-limit 2 set user "vpnclient_ph1id" type ike set user "vpnclient_ph1id" "enable" set user-group "vpnclient_group" id 1 set user-group "vpnclient_group" user "vpnclient_ph1id" set crypto-policy exit set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Aggr local-id "vpngw.jersa.de" 
outgoing-interface "ethernet3" preshare "***" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
set ike gateway "vpnclient_gateway" dpd-liveness interval 30
unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 20
set ike gateway "vpnclient_gateway" xauth server "Local"
unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "vpnclient"
set xauth default dns1 10.1.1.1
set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-md5" "nopfs-esp-aes128-sha" "nopfs-esp-aes128-md5"
set vpn "vpnclient_tunnel" monitor
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 11 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 11 disable
set policy id 11
exit
set policy id 1 from "Trust" to "Untrust" "10.1.1.0/24" "Any" "DNS" permit log
set policy id 1
set service "FTP"
set service "HTTP"
set service "HTTPS"
set service "NTP"
set service "pcanywhere"
set service "PING"
set service "POP3"
set service "POP3s"
set service "SMTP"
set service "SMTPs"
set service "TRACEROUTE"
set service "Videoserver TCP 9999"
exit
set policy id 4 from "Trust" to "Untrust" "Any" "Any" "UDP-ANY" deny log
set policy id 4
exit
set policy id 12 from "Untrust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 12 disable
set policy id 12
exit
set policy id 2 from "Untrust" to "DMZ" "Any" "VIP(ethernet3)" "HTTP" permit log
set policy id 2
set service "HTTPS"
set service "Videoserver TCP 9999"
exit
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" deny log
set policy id 3
exit
set policy id 5 from "Untrust" to "DMZ" "Any" "Any" "ANY" deny log
set policy id 5
exit
set policy id 6 from "Trust" to "DMZ" "10.1.1.0/24" "10.99.99.0/24" "HTTP" permit log
set policy id 6
set service "HTTPS"
set service "PING"
exit
set policy id 7 from "Trust" to "DMZ" "Any" "Any" "ANY" deny log
set policy id 7
exit
set policy id 16 from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
set policy id 16 disable
set policy id 16
exit
set policy id 15 name "vpnclient_inbound" from "Untrust" to "Trust" "Dial-Up VPN" "10.1.1.0/24" "ANY" tunnel vpn "vpnclient_tunnel" id 0x2 log
set policy id 15
exit
set policy id 8 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log
set policy id 8
exit
set policy id 13 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 13 disable
set policy id 13
exit
set policy id 9 from "DMZ" to "Trust" "Any" "Any" "ANY" deny log
set policy id 9
exit
set policy id 14 from "DMZ" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 14 disable
set policy id 14
exit
set policy id 10 from "DMZ" to "Untrust" "Any" "Any" "ANY" deny log
set policy id 10
exit
set log cli enable
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set ssl port 23143
set ntp server "192.53.103.103"
set ntp server backup1 "192.53.103.104"
set ntp server backup2 "192.53.103.108"
set ntp interval 1440
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route 0.0.0.0/0 interface ethernet3 gateway *** permanent
set route 10.1.1.0/24 vrouter "trust-vr" preference 20 metric 1
set route 10.99.99.0/24 vrouter "trust-vr" preference 20 metric 1
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
===

Does anybody have an idea what's going wrong?

Many thanks in advance
Thorsten

From ben at bbarker.co.uk  Mon Feb 28 16:07:48 2011
From: ben at bbarker.co.uk (Ben Barker)
Date: Mon, 28 Feb 2011 22:07:48 +0000
Subject: [vpn-help] VPN up, but no traffic to any destination
Message-ID: 

Hello,

I am running shrewsoft 2.1.7 on Ubuntu 10.1 x64.

All seems fine - I can open my VPN successfully according to the client. However, when it is open, I lose all connectivity to the internet and local LAN, but do not get any access to my remote network.

Before my VPN is up, I have my routing table as:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         O2wirelessbox.l 0.0.0.0         UG    0      0        0 eth0

After, I have:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
81.134.112.110  192.168.1.254   255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
192.168.13.0    192.168.14.51   255.255.255.0   UG    0      0        0 tap0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0

Where the IP address allocated to my virtual adapter is on the 192.168.14.x subnet, and my destination is the 192.168.13.x subnet.

Any ideas what I am doing that is causing the VPN to apparently be brought up, but then causing no traffic at all to be routable?

Cheers,

Ben
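Reading a routing table like the one in Ben's post programmatically, as an added example that is not part of the post or of the Shrew Soft client: the parser takes `route` output as pasted (the sample below is the "after" table from the post, embedded as a constructed string), maps the symbolic `default` and `link-local` destinations back to prefixes, and `lookup()` performs the kernel's longest-prefix match with metric as tie-breaker, so you can see which interface and next hop each destination would use before suspecting the tunnel. Taken at face value this table still sends 192.168.13.x out tap0 via 192.168.14.51, the VPN gateway's host route and the internet out eth0 via 192.168.1.254, and the local LAN directly on eth0, so the route entries alone do not account for the lost LAN and internet connectivity; the next things to check are the adapter and DNS changes the client makes when it comes up.

```python
import ipaddress

# Constructed sample: the "after" routing table from the post above, in the
# layout printed by `route` on Linux (the Gateway column may hold a hostname).
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
81.134.112.110  192.168.1.254   255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
192.168.13.0    192.168.14.51   255.255.255.0   UG    0      0        0 tap0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
"""

# `route` prints two symbolic destinations; map them back to addresses.
SYMBOLIC = {"default": "0.0.0.0", "link-local": "169.254.0.0"}


def parse_route_table(text):
    """Return a list of (network, gateway_or_None, iface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the title line, the column header and anything malformed.
        if len(parts) != 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts
        dest = SYMBOLIC.get(dest, dest)
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        # "*" means directly connected: no next-hop gateway.
        gateway = None if gw == "*" else gw
        routes.append((network, gateway, iface, int(metric)))
    return routes


def lookup(routes, ip):
    """Longest-prefix match, lower metric winning ties, as the kernel does.

    Returns (iface, gateway_or_None), or None when no route covers the address.
    """
    addr = ipaddress.IPv4Address(ip)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[2], best[1]


if __name__ == "__main__":
    table = parse_route_table(ROUTE_OUTPUT)
    for target in ("192.168.13.7", "192.168.1.20", "8.8.8.8", "81.134.112.110"):
        iface, gw = lookup(table, target)
        print(f"{target:16} -> {iface} via {gw or 'directly connected'}")
```

Run it against your own `route -n` output captured before and after the client connects; a destination that changes from eth0 to a tunnel interface (or vanishes from the table) is the first concrete clue in a "VPN up, no traffic" report.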
From Rainer.Blaes at astrium.eads.net  Tue Feb 1 03:52:30 2011
From: Rainer.Blaes at astrium.eads.net (Rainer Blaes)
Date: Tue, 01 Feb 2011 10:52:30 +0100
Subject: [vpn-help] SHREW Dial Up Client and SSG 350 with certificates
In-Reply-To: <8B42594C7750CD45BE1933C04AD2B6B13B21EA077A@w2008-server>
References: <8B42594C7750CD45BE1933C04AD2B6B13B21EA077A@w2008-server>
Message-ID: <4D47D7DE.8030603@astrium.eads.net>

Clemens wrote:
> That looks like the Client is terminating the connection:
> ## 2011-01-28 14:28:03 : IKE<192.168.11.3 > Recv*: [HASH] [DELETE]
> ## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [DELETE]:
> ## 2011-01-28 14:28:03 : IKE<192.168.11.3> DELETE payload received,
> deleting Phase-1 SA
> Something seems to be missing in the Xauth or Phase 2 settings.
> To see what is happening you will need to use the Shrew Trace utility
> (see the according Wiki of ShrewSoft). That should give you (us) a hint.

Partial success. We had used the wrong CA Root cert and now it seems that at least Phase 1 is established. Though SHREW is telling "bringing up tunnel/remote device configured/tunnel enabled", Juniper's "get sa" does not show an Active tunnel. In particular the 'no policy found' lines in the ipsec.log irritate us. What does this mean?

Thanks for any hint!
Rainer

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.log
Type: text/x-log
Size: 64846 bytes
Desc: not available
URL: 

From uracs.tamas at peetandcook.hu  Tue Feb 1 09:51:59 2011
From: uracs.tamas at peetandcook.hu (Uracs Tamás)
Date: Tue, 1 Feb 2011 15:51:59 +0000
Subject: [vpn-help] please help with SRX220
Message-ID: 

Hi Matthew,

Could you please help me a little bit? I am stuck creating a Dialup VPN with an SRX220 cluster. Phase 1 and 2 go fine, and after a few successful SA key changes the connection is broken. It seems that our Shrew client tries to reauthenticate the already logged in user and loses the SA after that. See the log from the SRX220 below. Do you have any thoughts about this?

Thank you and best,
Tamas Uracs

1.1.1.1: Shrew 2.1.7
2.2.2.2: SRX 220 cluster

Feb 1 15:29:53 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb 1 15:29:53 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f0f7631, remote = 1.1.1.1:2726
Feb 1 15:29:53 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:29:56 ike_retransmit_callback: Start, retransmit SA = { e745b337 b7895475 - 8ede6b29 1a2b4c81}, nego = 2
Feb 1 15:29:56 ike_retransmit_callback: Isakmp SA has been marked as deleted
Feb 1 15:29:56 2.2.2.2:0 (Initiator) <-> 1.1.1.1:2726 { e745b337 b7895475 - 8ede6b29 1a2b4c81 [2] / 0x3b22e311 } CFG; Error = Timeout (8197)
Feb 1 15:29:56 ike_send_notify: Private notification, do not send notification
Feb 1 15:29:56 ike_delete_negotiation: Start, SA = { e745b337 b7895475 - 8ede6b29 1a2b4c81}, nego = 2
Feb 1 15:29:56 ike_free_negotiation_cfg: Start, nego = 2
Feb 1 15:29:56 ike_free_negotiation: Start, nego = 2
Feb 1 15:30:04 ike_state_restart_packet: Start, restart packet SA = { 1b1eb4a5 3c38975e - cff216d1 79bfcefb}, nego = 1
Feb 1 15:30:04 ike_st_o_qm_done: Quick Mode negotiation done
Feb 1 15:30:04 ike_send_notify: Connected, SA = { 1b1eb4a5 3c38975e - cff216d1 79bfcefb}, nego = 1
Feb 1 15:30:04 ike_delete_negotiation: Start, SA = { 1b1eb4a5 3c38975e - cff216d1 79bfcefb}, nego = 1
Feb 1 15:30:04 ike_free_negotiation_qm: Start, nego = 1
Feb 1 15:30:04 ike_free_negotiation: Start, nego = 1
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:04 ike_free_id_payload: Start, id type = 4
Feb 1 15:30:08 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f30985a, remote = 1.1.1.1:2726
Feb 1 15:30:08 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb 1 15:30:08 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 5f30985a, remote = 1.1.1.1:2726
Feb 1 15:30:08 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:30:12 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / a6525a3e, remote = 1.1.1.1:2726
Feb 1 15:30:12 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb 1 15:30:12 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / a6525a3e, remote = 1.1.1.1:2726
Feb 1 15:30:12 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:30:15 ike_get_sa: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 622d9826, remote = 1.1.1.1:2726
Feb 1 15:30:15 ike_sa_find_half: Not found half SA = { 3f42e50f 80cd21b2 - 00000000 00000000 }
Feb 1 15:30:15 ike_get_sa: Invalid cookie, no sa found, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152 } / 622d9826, remote = 1.1.1.1:2726
Feb 1 15:30:15 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:2726
Feb 1 15:30:16 ike_state_restart_packet: Start, restart packet SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152}, nego = 0
Feb 1 15:30:16 ike_st_o_cfg_done: CFG negotiation done
Feb 1 15:30:16 ike_send_notify: Connected, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152}, nego = 0
Feb 1 15:30:16 ike_delete_negotiation: Start, SA = { 3f42e50f 80cd21b2 - 7775a279 0f399152}, nego = 0
Feb 1 15:30:16 ike_free_negotiation_cfg: Start, nego = 0
Feb 1 15:30:16 ike_free_negotiation: Start, nego = 0
Feb 1 15:30:17 Deleted (spi=894670796, protocol=ESP dst=2.2.2.2) entry from the peer hash table
Feb 1 15:30:17 Deleted (spi=894670796, protocol=ESP dst=2.2.2.2) entry from the dynamic sa spi hash table
Feb 1 15:30:17 jnp_ike_connect_delete: Start, remote_name = 1.1.1.1:2726, flags = 00010000
Feb 1 15:30:17 jnp_ike_create_delete_internal: Start, remote_name = 1.1.1.1:2726, flags = 00010000
Feb 1 15:30:17 jnp_ike_create_delete_internal: No isakmp sa found and connect flags require it
Feb 1 15:30:17 Not route based VPN. Not deleting NHTB entry
Feb 1 15:30:17 In iked_ipsec_sa_pair_delete Deleting GENCFG msg with key; Tunnel = 133955647;SPI-In = 894670796
Feb 1 15:30:17 Deleted SA pair for tunnel = 133955647 with SPI-In = 894670796 to kernel

From Rainer.Blaes at astrium.eads.net  Wed Feb 2 06:56:05 2011
From: Rainer.Blaes at astrium.eads.net (Rainer Blaes)
Date: Wed, 02 Feb 2011 13:56:05 +0100
Subject: [vpn-help] SHREW Dial Up Client and SSG 350 with certificates
In-Reply-To: <4D47F116.6060407@astrium.eads.net>
References: <4D47F116.6060407@astrium.eads.net>
Message-ID: <4D495465.50401@astrium.eads.net>

I got it!!!!!

After analyzing the SHREW Client's Phase 2 values I changed the proposal not to use PFS (nopfs) and now everything is working just fine!

So long,
Rainer
From marco.zevering at eo.nl  Thu Feb 3 02:17:58 2011
From: marco.zevering at eo.nl (Marco Zevering)
Date: Thu, 03 Feb 2011 09:17:58 +0100
Subject: [vpn-help] Shrew VPN Client on Mac OS X ?
Message-ID: <4D4A64B6.2060307@eo.nl>

Does anybody have a working situation using Shrew VPN Client on Mac OS X? If yes, how did you do that?

I got a working situation on Windows XP and used the same configuration, but this doesn't work with Mac OS X.

Please help.

Kind regards,
Marco

From deejay at jay-mail.de  Thu Feb 3 03:35:03 2011
From: deejay at jay-mail.de (Jay)
Date: Thu, 03 Feb 2011 10:35:03 +0100
Subject: [vpn-help] virtual network adapter cannot be created
Message-ID: <4D4A76C7.50109@jay-mail.de>

Hello,

I'm new to this list and I hope you can help me. First, I want to apologize for my bad English. I do my best to write as well as possible.

The client worked fine until now, but now the virtual adapter doesn't get created by the ShrewSoft VPN client. I found out that there are problems if an adapter called "Microsoft Virtual WiFi Miniport Adapter" exists. There's no adapter except the hardware devices (LAN, WiFi, FireWire).

Do you have any idea?

Best regards,
Jay

From tony.silveston at hp.com  Wed Feb 2 16:01:16 2011
From: tony.silveston at hp.com (Silveston, Tony)
Date: Wed, 2 Feb 2011 22:01:16 +0000
Subject: [vpn-help] Other VPN software stops Shrew Working
Message-ID: <1B7E2E28661CFD418A0067A7D01342CC8D3D29F737@GVW1102EXC.americas.hpqcorp.net>

Hi

I am running Windows XP on a specialized HP build laptop. It uses Remote Access to HP (RA2HP) VPN software to allow me to connect to HP internal networks.

http://remote-access-to-hp-ra2hp-vpn.software.informer.com/

This works fine, although I cannot configure it to allow access to other VPN sites apart from HP. Therefore I have also installed SHREW v2.1.7. I want this to connect to a Cisco VPN gateway that is nothing to do with HP.
If I disable the RA2HP VPN connection I can connect to my Cisco gateway VPN. If I enable the RA2HP VPN then I cannot also connect to the Cisco VPN gateway. I get a "negotiation timeout occurred"...

Any ideas how to get them both working together?

Thanks
Tony

From rfling at estand.com  Thu Feb 3 18:01:03 2011
From: rfling at estand.com (Russ Fling)
Date: Thu, 03 Feb 2011 18:01:03 -0600
Subject: [vpn-help] Help using NetGear FSV318v3
Message-ID: <4D4B41BF.60503@estand.com>

I am having problems connecting to the NetGear FSV318v3.

NetGear FSV318v3 firmware 0_28 (latest)
Shrew client versions 2.1.7 and 2.2.0 beta 1
Client OS Windows 7 Home Premium 64 bit (I've also tried Ubuntu and Mac clients, same issue)
NetGear LAN 192.168.8.0/24
NetGear WAN connected directly to internet at xxx.xxx.xxx.xxx (obscured for now)
Windows client LAN 192.168.3.0/24
client has a DHCP address of 192.168.3.139

The Shrew FAQs deal with the 338, not the 318, which has a different interface for users.

I am not using the XAuth feature at this time, just Mutual PSK.

In Policy tab, Policy Generation Level is auto, 192.168.8.0 / 255.255.255.0 has been added to topology. Maintain Persistent Security Associations is checked (but also tried unchecked).

When connecting, the tunnel is enabled but security associations fail 10-20 seconds later. iked.log contains the following lines when it fails.

ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
ii : fragmented packet to 70 bytes ( MTU 1500 bytes )
-> : resend 1 phase2 packet(s) [2/2] 192.168.3.139:500 -> xxx.xxx.xxx.xxx:500
ii : resend limit exceeded for phase2 exchange

Different Phase 1 settings will cause it to fail sooner, so I think these and the Authentication settings are OK. Phase 2 settings seem to have no effect (but I think they are configured properly) and it appears that the 318 is not responding to phase2 requests (or they are being blocked somewhere).

Is it a packet fragmentation issue? Firewall issue?
I saw on some blog that the 338 may need WAN ping enabled; this is currently off.

Any suggestions?

Thanks in advance.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rfling.vcf
Type: text/x-vcard
Size: 382 bytes
Desc: not available
URL: 

From alexis.lagoutte at gmail.com  Fri Feb 4 02:00:01 2011
From: alexis.lagoutte at gmail.com (Alexis La Goutte)
Date: Fri, 4 Feb 2011 09:00:01 +0100
Subject: [vpn-help] Help using NetGear FSV318v3
In-Reply-To: <4D4B41BF.60503@estand.com>
References: <4D4B41BF.60503@estand.com>
Message-ID: 

Hi,

On Fri, Feb 4, 2011 at 1:01 AM, Russ Fling wrote:
> [...]
>
> In Policy tab, *Policy Generation Level is auto*, 192.168.8.0 /
> 255.255.255.0 has been added to topology. Maintain Persistent Security
> Associations is checked (but also tried unchecked).
>
> [...]
>
> Any suggestions?
>
> Thanks in advance.
>

Set *Unique* for Policy Generation Level and it should work.

Regards,

From david.borges at skitter.tv  Fri Feb 4 08:32:43 2011
From: david.borges at skitter.tv (David Borges)
Date: Fri, 04 Feb 2011 09:32:43 -0500
Subject: [vpn-help] Help using NetGear FSV318v3
In-Reply-To: <4D4B41BF.60503@estand.com>
References: <4D4B41BF.60503@estand.com>
Message-ID: <1296829963.2260.2.camel@dborges-ThinkPad-R400>

Russ,

Would you consider using xauth? I have a FVS338 and it works great in phase 2 with xauth.

Thanks,

On Thu, 2011-02-03 at 18:01 -0600, Russ Fling wrote:
> is enabled but security associations fail
> 10-20 seconds later.
>
>

-- 
David Borges
Director of Network Administration
www.skitter.tv

From galvarez3d at gmail.com  Fri Feb 4 09:41:34 2011
From: galvarez3d at gmail.com (Gerardo Álvarez)
Date: Fri, 4 Feb 2011 16:41:34 +0100
Subject: [vpn-help] VPN 2.2.0 on Mac OS X 10.6.6 (spanish)
Message-ID: 

Hi

I am trying to use Shrew Soft VPN Access Manager on my Mac just as I am doing on my Windows XP 32 bits machine.
I have exported the configuration from XP and imported it on the Mac, but there is some data which does not get copied. This is what happens when I try to connect with the Mac:

config loaded for site 'XXX_XXX'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
invalid message from gateway
tunnel disabled
detached from key daemon ...

Any hints?

-- 
Gerardo Álvarez

From steve.harrold at eosemi.com  Fri Feb 4 12:25:08 2011
From: steve.harrold at eosemi.com (Steve Harrold)
Date: Fri, 04 Feb 2011 18:25:08 +0000
Subject: [vpn-help] ike-2.2.0-beta-1 make errors
Message-ID: <4D4C4484.6040603@eosemi.com>

An HTML attachment was scrubbed...
URL: 

From galvarez3d at gmail.com  Fri Feb 4 12:32:39 2011
From: galvarez3d at gmail.com (Gerardo Álvarez)
Date: Fri, 4 Feb 2011 19:32:39 +0100
Subject: [vpn-help] VPN 2.2.0 on Mac OS X 10.6.6 (spanish)
In-Reply-To: <246624c3-6983-48d2-be2f-d34d14b8457d@blur>
References: <246624c3-6983-48d2-be2f-d34d14b8457d@blur>
Message-ID: 

Hi Russ

Just curious, why Netgear?

It seems we get a bit further now:

config loaded for site 'XXXX_XXXX'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
attached to key daemon ...
detached from key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

On 4 February 2011 at 19:00, Russ Fling wrote:
> Gerardo,
>
> Check shrew soft support on netgear for more info.
>
> General
> Existing adapter
>
> Make sure all Authentication tab settings match netgear settings.
>
> I'm using mutual-psk now but am having problems at phase2 so may need to
> use mutual-psk xauth.
>
> Phase 1
> Aggressive
> Group 2
> 3des
> Sha1
>
> Phase2
> esp-3des
> Sha1
>
> Policy
> Unique
> Add your remote local lan
>
>
> -----Original message-----
>
> From: "Gerardo Álvarez"
> To: vpn-help at lists.shrew.net
> Sent: Fri, Feb 4, 2011 15:41:34 GMT+00:00
> Subject: [vpn-help] VPN 2.2.0 on Mac OS X 10.6.6 (spanish)
>

-- 
Gerardo Álvarez
Producer
El Viaje Imposible
http://www.evipc.com
(+34) 617 764 201
gerardo at evipc.com

From sander.liebert at gmail.com  Sat Feb 5 13:07:00 2011
From: sander.liebert at gmail.com (Sander Liebert)
Date: Sat, 5 Feb 2011 13:07:00 -0600
Subject: [vpn-help] Shrew on Windows 7 vs Windows XP
Message-ID: 

I have the shrew client loaded on several PCs. The XP ones seem to work fine and I can ping on the remote network. On my Win7 PCs I can connect, but cannot ping or browse the network. I upgraded the Win7 PCs to 2.20 to rule out the possible virtual wifi adapter problem. Can anyone tell me what I should troubleshoot next?

Thanks,
Sander

From galvarez3d at gmail.com  Sun Feb 6 10:17:55 2011
From: galvarez3d at gmail.com (Gerardo Álvarez)
Date: Sun, 6 Feb 2011 17:17:55 +0100
Subject: [vpn-help] Windows XP 32 bit connects but Windows 7 64 bit does not
Message-ID: 

I have given up trying to connect from Mac OS X 10.6.6 by now. I have installed 2.1.7 64 bit on one PC with Windows 7 64 bit at home, copying the configuration exported from XP 32 bit at the studio; different ADSL routers but equivalent network topology and setup.

The XP 32 bit connects fine:

config loaded for site 'FCSC'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled

However, the W7 64 bits does not:

config loaded for site 'FCSC'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

I see that the W7 is not able to configure the network device, maybe because I wasn't able to install the software in W7 64 bits normally: it got stuck forever at "installing Network Adapter", until I rebooted into Safe Mode with Network; that way I could install it. Maybe it is not properly installed?

-- 
Gerardo Álvarez
Producer
El Viaje Imposible
http://www.evipc.com
(+34) 617 764 201
gerardo at evipc.com

From mgrooms at shrew.net  Sun Feb 6 10:50:33 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 10:50:33 -0600
Subject: [vpn-help] Problem with 2.2.0-alpha-11
In-Reply-To: <20110126111021.13972p1k8atc6fc4@webmail.kwsoft.de>
References: <20110126111021.13972p1k8atc6fc4@webmail.kwsoft.de>
Message-ID: <4D4ED159.1080208@shrew.net>

On 1/26/2011 4:10 AM, lst_hoe02 at kwsoft.de wrote:
> Hello
>
> we tested today to update VPN which worked flawlessly from
> 2.2.0-alpha-10 to 2.2.0-alpha-11. After the update the VPN client always
> asks for user/password and if ignoring it the VPN claims to be connected
> but no traffic passes the VPN.
>
> Client is Windows XP-SP3
> VPN is PSK against a BinTEC VPN Gateway
>
> Any idea what is going wrong?
>

Is this still happening with the beta1 build? If so, please forward me the debug level output in a private email.
http://www.shrew.net/support/wiki/BugReportVpnWindows

Thanks,

-Matthew

From mgrooms at shrew.net  Sun Feb 6 11:17:25 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:17:25 -0600
Subject: [vpn-help] Shrew VPN Client on Mac OS X ?
In-Reply-To: <4D4A64B6.2060307@eo.nl>
References: <4D4A64B6.2060307@eo.nl>
Message-ID: <4D4ED7A5.8050209@shrew.net>

On 2/3/2011 2:17 AM, Marco Zevering wrote:
> Does anybody have a working situation using Shrew VPN Client on Mac OS X?
> If yes, how did you do that?
>
> I got a working situation on Windows XP and used the same configuration,
> but this doesn't work with Mac OS X.
>

Marco,

I just built a new package using the latest source code. Please give it a try and see if the same issue occurs.

http://www.shrew.net/download/vpn/vpn-client-install.dmg

Thanks,

-Matthew

From mgrooms at shrew.net  Sun Feb 6 11:22:51 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:22:51 -0600
Subject: [vpn-help] Adtran 908e
In-Reply-To: <001501cbbf3c$a49544e0$edbfcea0$@com>
References: <001501cbbf3c$a49544e0$edbfcea0$@com>
Message-ID: <4D4ED8EB.50608@shrew.net>

On 1/28/2011 4:42 PM, Danny Lloyd wrote:
> I am not sure how to reply to the original thread. I have updated
> information regarding my problem with connecting with the adtran 908e. I
> appreciate any assistance.
>
> Here is the debug information from the adtran. I see "Invalid
> Authentication type which is not supported". I don't know how to address
> that error.
>

Yes. Your gateway is rejecting the client Authentication due to an Authentication type mismatch. Check the settings under the authentication tab in your site configuration and make sure they match the type configured on the gateway.

-Matthew

From mgrooms at shrew.net  Sun Feb 6 11:26:22 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:26:22 -0600
Subject: [vpn-help] shrew VPN client Ver. 2.1.7
In-Reply-To: <268875.87898.qm@web36506.mail.mud.yahoo.com>
References: <268875.87898.qm@web36506.mail.mud.yahoo.com>
Message-ID: <4D4ED9BE.40606@shrew.net>

On 1/30/2011 6:58 AM, Wasiu Adebowale Fagbemi wrote:
> I had installed shrew VPN client version 2.1.7 on my windows 7 PC. I can
> successfully make connection to the remote network but I can not ping or
> do RDC to any of the remote network resources.
>
> All these I can do very well with shrew VPN client Version 2.1.5.
>
> My VPN gateway is cisco ASA5520
>

Have you looked at the debug level output to see if it shows any issues?

http://www.shrew.net/support/wiki/BugReportVpnWindows

-Matthew

From mgrooms at shrew.net  Sun Feb 6 11:34:01 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:34:01 -0600
Subject: [vpn-help] VPN Tunnel disconnected by gateway after successful authentication
In-Reply-To: <3F185A541960DB4B9FBBBB4104820BBC0150075A3F3D@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <3F185A541960DB4B9FBBBB4104820BBC0150075A3F3D@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D4EDB89.9080302@shrew.net>

On 1/28/2011 5:45 PM, Brian Harmer wrote:
> Don wrote:
>> I am hoping the community can help me with this.
>
>> I am using a Windows 7 64bit OS on my laptop and have used the NCP
>> application (trial) successfully in the past. However, with
>> Shrew's client, I can authenticate, but right after the
>> splashscreen that tells me to behave myself on the corporate
>> network, I get a disconnect by gateway. I have no idea what is
>> happening that the gateway disconnects me after an apparent
>> successful negotiation and authentication. Anyone seen this before
>> and have any ideas?
>
>
>> bringing up tunnel ... network device configured tunnel enabled
>> session terminated by gateway tunnel disabled detached from key
>> daemon ...
>
> I have a similar experience.
> I can add to that the fact that in the box which shrinks to the task bar
> on the "apparently" successful connection, there are two tabs, one
> labelled connect, and the other labelled network. If I watch the network
> tab while the system is thinking about finally connecting, I can see that
> the client tells me that security associations failed .... 9 times ... is
> that 9 associations or 9 tries? As a VPN novice desperate to connect, I
> have no idea what this means. Any insights gratefully received.
>

This is the typical result when the VPN client connects to a Cisco gateway and phase2 negotiation is failing for some reason. Check the log output on both the client and gateway to find clues as to what the issue could be. You will likely need to modify either a phase2 tab or a policy tab parameter in your site configuration.

-Matthew

From mgrooms at shrew.net  Sun Feb 6 11:42:53 2011
From: mgrooms at shrew.net (Matthew Grooms)
Date: Sun, 06 Feb 2011 11:42:53 -0600
Subject: [vpn-help] ike-2.2.0-beta-1 make errors
In-Reply-To: <4D4C4484.6040603@eosemi.com>
References: <4D4C4484.6040603@eosemi.com>
Message-ID: <4D4EDD9D.8050508@shrew.net>

On 2/4/2011 12:25 PM, Steve Harrold wrote:
> Hi all,
> I'm trying to compile ike-2.2.0-beta-1 under Linux Mint 7 (which is
> based on Ubuntu jaunty). The 2.1.7 release compiled fine, but I am
> getting errors and warnings when I run "make".
>

I just fixed the build issues. Please pull down a copy from svn and give it another try.

svn export svn://svn.shrew.net/ike/head

-Matthew

From zkosn at zkosn.com  Sun Feb 6 11:44:54 2011
From: zkosn at zkosn.com (zkosn at zkosn.com)
Date: Sun, 06 Feb 2011 10:44:54 -0700
Subject: [vpn-help] 2.2 b1 miniport adapter
Message-ID: <20110206104454.35cc758f207e5a82ede39c4fdf64e9e5.e5937e9476.wbe@email01.secureserver.net>

An HTML attachment was scrubbed...
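Matthew's reply above puts the Cisco disconnect-after-authentication down to phase 2 failing on a phase2 or policy tab parameter, and earlier in this digest Rainer got his SSG 350 tunnel up by changing the gateway's proposal to one without PFS. The following is an added example, not code from Shrew Soft or Juniper, that models the responder's side of that phase 2 proposal check: it parses ScreenOS proposal names of the form used on the `set vpn ... proposal` line of Thorsten's config (`nopfs-esp-3des-sha` and friends; the `g2-esp-...` names for group-2 PFS are ScreenOS predefined names that are not on the page), represents the Shrew client's Phase 2 tab as a plain dict (an assumption, not the client's data structure), and reports for each gateway proposal which field blocks a match, so a PFS-only mismatch shows up by name instead of as "security associations failed".

```python
import re

# Constructed input: the Phase 2 proposals on the "set vpn ... proposal" line
# of the ScreenOS config earlier in this digest. All four are "nopfs", i.e.
# negotiated without a Perfect Forward Secrecy (PFS) Diffie-Hellman group.
GATEWAY_NOPFS = [
    "nopfs-esp-3des-sha", "nopfs-esp-3des-md5",
    "nopfs-esp-aes128-sha", "nopfs-esp-aes128-md5",
]
# ScreenOS predefined group-2 proposals (not on the page), used only to show
# the matching case when both sides agree on PFS.
GATEWAY_G2 = ["g2-esp-3des-sha", "g2-esp-aes128-sha"]

# ScreenOS Phase 2 names are <pfs>-esp-<cipher>-<hash>, with <pfs> either
# "nopfs" or "g<N>" for Diffie-Hellman group N.
NAME_RE = re.compile(
    r"^(?:nopfs|g(?P<grp>\d+))-esp-(?P<enc>des|3des|aes128|aes192|aes256)-(?P<hash>md5|sha)$"
)

# Translate the name tokens to the fields the Shrew client exposes on its
# Phase 2 tab (transform algorithm, key length, HMAC, PFS exchange).
CIPHERS = {"des": ("esp-des", 56), "3des": ("esp-3des", 168),
           "aes128": ("esp-aes", 128), "aes192": ("esp-aes", 192),
           "aes256": ("esp-aes", 256)}
HASHES = {"md5": "md5", "sha": "sha1"}


def parse_proposal(name):
    """Turn a ScreenOS Phase 2 proposal name into comparable fields."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a ScreenOS Phase 2 proposal name: {name!r}")
    transform, key_len = CIPHERS[m["enc"]]
    return {
        "transform": transform,
        "key_len": key_len,
        "hmac": HASHES[m["hash"]],
        "pfs_group": int(m["grp"]) if m["grp"] else None,
    }


def mismatches(gateway_names, client):
    """For each gateway proposal, list the fields on which the client's
    Phase 2 settings differ; an empty list means that proposal is acceptable."""
    report = {}
    for name in gateway_names:
        offered = parse_proposal(name)
        report[name] = sorted(k for k in offered if offered[k] != client.get(k))
    return report


def select_proposal(gateway_names, client):
    """Responder-side view of Quick Mode: the first configured proposal the
    initiator's offer matches in every field, or None (the gateway then answers
    NO-PROPOSAL-CHOSEN and the client reports failing security associations)."""
    for name, diff in mismatches(gateway_names, client).items():
        if not diff:
            return name
    return None


# The client's Phase 2 tab as a dict (a model, not Shrew's real structure):
# esp-3des / sha1 with PFS group 2, and the same with PFS disabled.
CLIENT_PFS2 = {"transform": "esp-3des", "key_len": 168, "hmac": "sha1", "pfs_group": 2}
CLIENT_NOPFS = dict(CLIENT_PFS2, pfs_group=None)

if __name__ == "__main__":
    # A PFS setting present on one side only, Rainer's situation in miniature.
    print(select_proposal(GATEWAY_NOPFS, CLIENT_PFS2))                  # None
    print(mismatches(GATEWAY_NOPFS, CLIENT_PFS2)["nopfs-esp-3des-sha"])  # ['pfs_group']
    # Aligning PFS on either side restores a match.
    print(select_proposal(GATEWAY_NOPFS, CLIENT_NOPFS))                 # nopfs-esp-3des-sha
    print(select_proposal(GATEWAY_NOPFS + GATEWAY_G2, CLIENT_PFS2))     # g2-esp-3des-sha
```

The `mismatches()` report is the part worth keeping at hand: when a gateway log only says that no proposal was chosen, lining up the gateway's proposal list against the client's Phase 2 tab field by field tells you whether to touch the cipher, the HMAC or the PFS group, which is exactly the "phase2 tab parameter" Matthew points at.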
From tstrike34 at gmail.com Sun Feb 6 12:52:14 2011 From: tstrike34 at gmail.com (JT Edwards) Date: Sun, 6 Feb 2011 12:52:14 -0600 Subject: [vpn-help] Can I just install iked? It keeps wanting to install 2.1.7 Shrew Message-ID: Matt, List, I am getting "Failure to attach to key daemon" on Shrew 2.2.0-beta-1 latest build checked out of SVN. If I go to install iked it wants to install the 2.1.7 client. I just want to install iked. Advice? JT On Sun, Feb 6, 2011 at 11:42 AM, Matthew Grooms wrote: > On 2/4/2011 12:25 PM, Steve Harrold wrote: > >> Hi all, >> I'm trying to compile ike-2.2.0-beta-1 under Linux Mint 7 (which is >> based on Ubuntu Jaunty). The 2.1.7 release compiled fine, but I am >> getting errors and warnings when I run "make". >> >> > I just fixed the build issues. Please pull down a copy from svn and give it > another try. > > svn export svn://svn.shrew.net/ike/head > > -Matthew > _______________________________________________ > vpn-help mailing list > vpn-help at lists.shrew.net > http://lists.shrew.net/mailman/listinfo/vpn-help > -- J.T. Edwards Senior Solutions Architect and Managing Consultant IBM Tivoli Certified Global Direct +01-512-772-3266 Cellular +01-281-226-0284 Skype tstrike29 JT Edwards Commissioner, Alt 2, Building and Standards City of Galveston P.O. Box 779 823 Rosenberg Galveston, Texas 77553 Phone: (409) 797-3500

From tstrike34 at gmail.com Sun Feb 6 13:07:08 2011 From: tstrike34 at gmail.com (JT Edwards) Date: Sun, 6 Feb 2011 13:07:08 -0600 Subject: [vpn-help] Latest Build issues staying connected to IKE daemon Message-ID: Matthew, I am having a problem of having the latest build client stay connected to the IKE daemon. It actually kills it on Ubuntu 10.10. Here is what I am getting:

config loaded for site 'test33.dyndns.org'
attached to key daemon ...
peer config failed
detached from key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon
failed to attach to key daemon

Advice? Nothing in the iked log but this:

1/02/06 13:04:01 ## : IKE Daemon, ver 2.1.5
11/02/06 13:04:01 ## : Copyright 2009 Shrew Soft Inc.
11/02/06 13:04:01 ## : This product linked OpenSSL 0.9.8o 01 Jun 2010
11/02/06 13:04:01 K! : recv X_SPDDUMP message failure ( errno = 2 )

-- J.T. Edwards Senior Solutions Architect and Managing Consultant IBM Tivoli Certified Global Direct +01-512-772-3266 Cellular +01-281-226-0284 Skype tstrike29 JT Edwards Commissioner, Alt 2, Building and Standards City of Galveston P.O. Box 779 823 Rosenberg Galveston, Texas 77553 Phone: (409) 797-3500

From lst_hoe02 at kwsoft.de Sun Feb 6 14:02:00 2011 From: lst_hoe02 at kwsoft.de (lst_hoe02 at kwsoft.de) Date: Sun, 06 Feb 2011 21:02:00 +0100 Subject: [vpn-help] Problem with 2.2.0-alpha-11 In-Reply-To: <4D4ED159.1080208@shrew.net> References: <20110126111021.13972p1k8atc6fc4@webmail.kwsoft.de> <4D4ED159.1080208@shrew.net> Message-ID: <20110206210200.61878wd5jqbsoytc@webmail.kwsoft.de> Quote from Matthew Grooms: > On 1/26/2011 4:10 AM, lst_hoe02 at kwsoft.de wrote: >> Hello >> >> we tested today to update VPN which worked flawlessly from >> 2.2.0-alpha-10 to 2.2.0-alpha-11. After the update the VPN client always >> asks for user/password and if ignoring it the VPN claims to be connected >> but no traffic passes the VPN. >> >> Client is Windows XP-SP3 >> VPN is PSK against a BinTEC VPN Gateway >> >> Any idea what is going wrong? >> > > Is this still happening with the beta1 build? If so, please forward > me the debug level output in a private email. > > http://www.shrew.net/support/wiki/BugReportVpnWindows Beta1 is working again. Many thanks.
Andreas

From paul at athosconsulting.com Sun Feb 6 14:42:07 2011 From: paul at athosconsulting.com (Paul Papasavas) Date: Sun, 6 Feb 2011 20:42:07 +0000 Subject: [vpn-help] ShrewSoft 2.1.7 and 2.2.0 Issue In-Reply-To: <006601cbb25a$8d28e760$a77ab620$@com> Message-ID: Matthew, FYI the issue was resolved simply by using a virtual adapter and assigning an MTU of I believe 1380 ... All problems went away with Shrew / SSG5 Paul On 1/12/11 8:13 AM, "Darren Nye" wrote: >Hi Matthew, > >I'm absolutely sure that using NCP and Green Bow resolves the issues. > >I'm not sure how to set up a Virtual Adapter - everything was set up by the >consultant we hired. Are there instructions somewhere on how to try a >virtual adapter? > >I don't know if it matters but the consultant was able to get the free IP >Securitas to work fine also - which runs on Macs (half of our clients are >Macs). > >I did try stepping through the alternate configuration found here: >http://www.shrew.net/support/wiki/HowtoJuniperSsg > >But I couldn't get a tunnel connection at all with the above. Maybe it's >because some of the SSG pages were a bit different, with the updated >firmware. And one field, IKE ID Type, was not sticking on AUTO but was >being >changed to something starting with an F (not currently connected to >router). > >To answer your other question, the user is not stopping the service. As >per >the pictures what is happening is I start copying using Windows Explorer >from the server to my notebook, and the copy stops and produces the >Windows >error as per the pics - and it seems the halt happens at that time. But >the >user never touches the servers from a technical standpoint.
> >I will try your latest alpha version and report back: >http://www.shrew.net/download/vpn/vpn-client-2.2.0-lsofix-1.exe > > > >-----Original Message----- >From: Matthew Grooms [mailto:mgrooms at shrew.net] >Sent: Wednesday, January 12, 2011 2:21 AM >To: Darren Nye >Cc: vpn-help at lists.shrew.net >Subject: Re: [vpn-help] ShrewSoft 2.1.7 and 2.2.0 Issue > >On 1/7/2011 1:11 PM, Darren Nye wrote: >> Hi all, >> > >Hi Darren, > >> VPN Client: ShrewSoft 2.1.7 and 2.2 Alpha 9. >> >> Windows: 7 64-bit and Vista 64-bit >> >> Gateway: Juniper SSG5 >> >> Gateway Hardware Version: 710(0) >> >> Gateway Firmware Version: 6.3.0r5.0 (also tried firmware 6.0 with same >> issue). >> >> Five people in different locations have been able to duplicate this >> problem, with the ShrewSoft 2.1.7 and 2.2 Alpha 9 clients. >> >> However, when we use NCP Client or Green Bow VPN Client, we do not have >> this issue and everything seems fine. So this points to either a >> configuration issue with ShrewSoft or a bug. I hope someone can help? >> > >Are you absolutely sure that this problem can be resolved by installing >the NCP or Greenbow clients? I'm not too proud to admit when the Shrew >Soft client has a bug that needs to be fixed. From looking at your log >output, it would appear that you are not using virtual adapter configs, >which can cause problems related to MTU issues. Some carriers will drop >packet fragments or large UDP packets for no good reason. When using a >virtual adapter, a custom MTU can be set to avoid these issues. > >> We can connect to the Juniper with ShrewSoft and also connect to our >> network file servers, and perform short tasks such as copy small files >> up/down or use remote desktop.
>> >> However, when we try to use Windows Explorer to connect to a Linux/Samba >> (v3.1) file server (i.e.: \\192.168.66.1\printfileserver >> ) and copy a folder with a large >> number of files (100 MB or more) - by dragging and dropping from the >> server to the desktop - it seems that Windows thinks the connection to >> the server is lost - although the tunnel itself in ShrewSoft doesn't >> show that it disconnected. But the log file seems to show a "halt" >> command around the same time the issue is probably happening. >> > >The halt should only show up in the log when someone stops the service. >It's the normal shutdown procedure. I see the halt in your logs about >four minutes into the connection. Is that a user stopping the service or >do you mean that it's stopping itself? > >> See attached: >> >> Windows-preparing-copy.jpg = the beginning of the file copy - things >> going normal so far >> >> Windows-copy-start.jpg = after Windows is finished preparing (I believe >> figuring out how much and what it's going to copy) - it then tries to >> start the copy - but never seems to start >> >> Windows-failure.jpg = a short time after the windows-copy-start above, >> Windows will display a failure. It's at this point that ShrewSoft >> perhaps is getting the halt. >> >> The Shrew trace and other log/dump files are attached. 1.1.1.1 is a >> changed IP address but represents our internal IP address of the Juniper >> router. >> >> These particular logs were when connecting via AT&T and my cell phone. >> However, we've had these issues remotely from homes on Comcast and >> Optimum cable modems. >> >> I've been told by our Juniper tech rep that our internal servers are >> sending a RST (reset) although I don't see that in any of the logs I'm >> looking at. >> >> But we don't experience these odd issues when using the NCP client or >> Green Bow. But I'd rather not license every single one of our users. >> >> Any suggestions, please let me know.
>> > >There is a feature included in modern network adapters called TCP Large >Segment Offload. Up until the last 2.2.0 alpha release, the client had a >bug that caused problems similar to the one you describe when TCP LSO >was enabled and virtual adapters were not in use. The Alpha 9 version of >the client that you tested with does not have the fix for this bug. Not >that I can imagine TCP LSO would be implemented by an AT&T cell phone >dongle driver, but it could certainly be affecting your home users. If >you want to try a version of the client that has been tested a bit more >than the latest alpha, you can have a user try this version ... > >http://www.shrew.net/download/vpn/vpn-client-2.2.0-lsofix-1.exe > >-Matthew >

From mgrooms at shrew.net Sun Feb 6 15:55:26 2011 From: mgrooms at shrew.net (Matthew Grooms) Date: Sun, 06 Feb 2011 15:55:26 -0600 Subject: [vpn-help] Other VPN software stops Shrew Working In-Reply-To: <1B7E2E28661CFD418A0067A7D01342CC8D3D29F737@GVW1102EXC.americas.hpqcorp.net> References: <1B7E2E28661CFD418A0067A7D01342CC8D3D29F737@GVW1102EXC.americas.hpqcorp.net> Message-ID: <4D4F18CE.2010000@shrew.net> On 2/2/2011 4:01 PM, Silveston, Tony wrote: > Hi > > I am running Windows XP on a specialized HP build laptop. > > It uses Remote Access to HP (RA2HP) VPN software to allow me to connect to HP internal networks. > http://remote-access-to-hp-ra2hp-vpn.software.informer.com/ > > This works fine although I cannot configure it to allow access to other VPN sites apart from HP. > > Therefore I have also installed SHREW v2.1.7. > > I want this to connect to a Cisco VPN gateway that is nothing to do with HP. > > If I disable the RA2HP VPN connection I can connect to my Cisco gateway VPN. > > If I enable the RA2HP VPN then I cannot also connect to the Cisco VPN gateway. > > I get a "negotiation timeout occurred"... > > Any ideas how to get them both working together? > Tony, No, unfortunately I don't.
We have made every attempt to create a VPN client that is as friendly to other installed software as possible. We use very specialized rules to only accept and process traffic that is unique to a VPN session established by our VPN client. We don't touch any other traffic, even if it is IPsec related. That means that it is _possible_ to use the Shrew Soft client along with other VPN clients. But possible doesn't mean it will work. In fact, in most cases it will probably break in one way or another unless the following are true ...

1) The other VPN client software was written with the same care as the Shrew Soft client. That means not making assumptions about being the only IPsec client installed on the machine and blindly eating IKE or IPsec packets that may belong to other software.

2) Your IPsec policies don't overlap. If one client is configured to send all traffic down its tunnel, then a second VPN client would fail to establish its tunnel (negotiation traffic is sent down the first VPN connection's tunnel).

3) In most cases, only one client will _win_ when it comes to custom DNS settings, with the latter overwriting the former connection's settings.

So to summarize: Yes, it's possible to do what you want, but the chance of two tunnels working correctly without them being designed to do so is just about nil. From what I have seen from other VPN client vendors, they just don't seem to care much to co-exist with other IPsec client software. This leads to a lot of head scratching and questions like, "Am I running into a configuration conflict that can be fixed, or are the software components stepping on each other's toes?"
Sorry I can't be more help, -Matthew

From mgrooms at shrew.net Sun Feb 6 16:08:45 2011 From: mgrooms at shrew.net (Matthew Grooms) Date: Sun, 06 Feb 2011 16:08:45 -0600 Subject: [vpn-help] VPN 2.2.0 on Mac OS X 10.6.6 (spanish) In-Reply-To: References: Message-ID: <4D4F1BED.9070807@shrew.net> On 2/4/2011 9:41 AM, Gerardo Álvarez wrote: > Hi > I am trying to use Shrew Soft VPN Access Manager on my Mac just as I am > doing on my Windows XP 32-bit machine. > I have exported the configuration from XP and imported it on Mac, but > there are some data which does not get copied. > This is what happens when I try to connect with the Mac: > I just uploaded a new build to the website. The OSX support is still very preliminary but I have fixed a few bugs recently. One of them was related to configuration mismatches between different platforms ... http://www.shrew.net/download/vpn/vpn-client-install.dmg -Matthew

From mgrooms at shrew.net Sun Feb 6 16:10:18 2011 From: mgrooms at shrew.net (Matthew Grooms) Date: Sun, 06 Feb 2011 16:10:18 -0600 Subject: [vpn-help] Shrew on Windows 7 vs Windows XP In-Reply-To: References: Message-ID: <4D4F1C4A.9070007@shrew.net> On 2/5/2011 1:07 PM, Sander Liebert wrote: > I have the Shrew client loaded on several PCs. The XP seems to work > fine and I can ping on the remote network. On my Win7 PCs I can > connect, but cannot ping, or browse the network. I upgraded the Win7 > PCs to 2.2.0 to rule out the possible virtual wifi adapter problem. > Can anyone tell me what I should troubleshoot next? Are you using the beta-1 or a previous version? Have you looked at the debug output to see if it displays any useful information?
http://www.shrew.net/support/wiki/BugReportVpnWindows -Matthew

From mgrooms at shrew.net Sun Feb 6 16:12:00 2011 From: mgrooms at shrew.net (Matthew Grooms) Date: Sun, 06 Feb 2011 16:12:00 -0600 Subject: [vpn-help] Windows XP 32 bit connects but Windows 7 64 bit does not In-Reply-To: References: Message-ID: <4D4F1CB0.10603@shrew.net> On 2/6/2011 10:17 AM, Gerardo Álvarez wrote: > I have given up trying to connect from Mac OS X 10.6.6 by now. > I have installed 2.1.7 64-bit at one PC with Windows 7 64-bit at home, > copying the configuration exported from XP 32-bit at the studio, > different ADSL routers but equivalent network topology and setup. > Are you using a WiFi connection? If so, try disabling the Microsoft virtual wifi adapter as our Wiki suggests ... http://www.shrew.net/support/wiki/FrequentlyAskedQuestions -Matthew

From mgrooms at shrew.net Sun Feb 6 16:14:39 2011 From: mgrooms at shrew.net (Matthew Grooms) Date: Sun, 06 Feb 2011 16:14:39 -0600 Subject: [vpn-help] 2.2 b1 miniport adapter In-Reply-To: <20110206104454.35cc758f207e5a82ede39c4fdf64e9e5.e5937e9476.wbe@email01.secureserver.net> References: <20110206104454.35cc758f207e5a82ede39c4fdf64e9e5.e5937e9476.wbe@email01.secureserver.net> Message-ID: <4D4F1D4F.3030608@shrew.net> On 2/6/2011 11:44 AM, zkosn at zkosn.com wrote: > Win7/32 Can't establish a tunnel (doesn't even make an attempt to > establish) if the Virtual Miniport adapter is enabled. Disabling it > allows it to function and establish a tunnel. > > 2.1.7 works with the virtual miniport enabled. > > Any workaround or is it broken? > Hmmm. It should be the other way around unless you are communicating over an ad-hoc WiFi network. The 2.2.0 version favors the base WiFi adapter but doesn't work with the MS Virtual Adapter used for ad-hoc WiFi.
-Matthew

From mgrooms at shrew.net Sun Feb 6 16:16:23 2011 From: mgrooms at shrew.net (Matthew Grooms) Date: Sun, 06 Feb 2011 16:16:23 -0600 Subject: [vpn-help] Latest Build issues staying connected to IKE daemon In-Reply-To: References: Message-ID: <4D4F1DB7.7060308@shrew.net> On 2/6/2011 1:07 PM, JT Edwards wrote: > Matthew, > > I am having a problem of having the latest build client stay connected > to the IKE daemon. It actually kills it on Ubuntu 10.10. > > Here is what I am getting: > > config loaded for site 'test33.dyndns.org' > > ... > Advice? Nothing in the iked log but this: > > 1/02/06 13:04:01 ## : IKE Daemon, ver 2.1.5 > 11/02/06 13:04:01 ## : Copyright 2009 Shrew Soft Inc. > 11/02/06 13:04:01 ## : This product linked OpenSSL 0.9.8o 01 Jun 2010 > 11/02/06 13:04:01 K! : recv X_SPDDUMP message failure ( errno = 2 ) > Uninstall the 2.1.5 version, then re-install the 2.2.0 version. The two versions of the client have different components that are incompatible with one another. -Matthew

From mgrooms at shrew.net Sun Feb 6 16:19:19 2011 From: mgrooms at shrew.net (Matthew Grooms) Date: Sun, 06 Feb 2011 16:19:19 -0600 Subject: [vpn-help] ShrewSoft 2.1.7 and 2.2.0 Issue In-Reply-To: References: Message-ID: <4D4F1E67.5030103@shrew.net> On 2/6/2011 2:42 PM, Paul Papasavas wrote: > Matthew, > > FYI the issue was resolved simply by using a virtual adapter and assigning > an MTU of I believe 1380 ... All problems went away with Shrew / SSG5 > Hi Paul, Thanks for the feedback. If I can reproduce the non-virtual network adapter style connection issues I'll try to get it resolved. However, it's not going to bubble up to the top of my todo list any time soon. But in the long run, I'm pretty sure you would be happier with the virtual adapter style connections anyway.
Thanks again, -Matthew

From galvarez3d at gmail.com Sun Feb 6 16:28:32 2011 From: galvarez3d at gmail.com (Gerardo Álvarez) Date: Sun, 6 Feb 2011 23:28:32 +0100 Subject: [vpn-help] Windows XP 32 bit connects but Windows 7 64 bit does not In-Reply-To: <4D4F1CB0.10603@shrew.net> References: <4D4F1CB0.10603@shrew.net> Message-ID: <-7856785405170327861@unknownmsgid> No, none of the machines uses WiFi, only Ethernet. Gerardo Álvarez León galvarez3d at gmail.com On 06/02/2011, at 23:12, Matthew Grooms wrote: > On 2/6/2011 10:17 AM, Gerardo Álvarez wrote: >> I have given up trying to connect from Mac OS X 10.6.6 by now. >> I have installed 2.1.7 64-bit at one PC with Windows 7 64-bit at home, >> copying the configuration exported from XP 32-bit at the studio, >> different ADSL routers but equivalent network topology and setup. >> > > Are you using a WiFi connection? If so, try disabling the Microsoft virtual wifi adapter as our Wiki suggests ... > > http://www.shrew.net/support/wiki/FrequentlyAskedQuestions > > -Matthew

From zkosn at zkosn.com Sun Feb 6 20:06:01 2011 From: zkosn at zkosn.com (zkosn at zkosn.com) Date: Sun, 06 Feb 2011 19:06:01 -0700 Subject: [vpn-help] 2.2 b1 miniport adapter Message-ID: <20110206190601.35cc758f207e5a82ede39c4fdf64e9e5.dbcdb8e51b.wbe@email01.secureserver.net> I'm only using infrastructure networks, however I have used ad-hocs in the past. If I disable the Virtual Miniport adapter, either the entire adapter or just the ShrewSoft filter component, 2.2.0 will then immediately connect fine. I can even re-enable the Miniport adapter/filter and still I'm able to connect. However, if I reboot and the Virtual Miniport adapter is enabled, it cannot connect again until I disable it again. If I leave it disabled, all is good. Thanks!
-------- Original Message -------- Subject: Re: [vpn-help] 2.2 b1 miniport adapter From: Matthew Grooms Date: Sun, February 06, 2011 4:14 pm To: zkosn at zkosn.com Cc: vpn-help at lists.shrew.net On 2/6/2011 11:44 AM, zkosn at zkosn.com wrote: > Win7/32 Can't establish a tunnel (doesn't even make an attempt to > establish) if the Virtual Miniport adapter is enabled. Disabling it > allows it to function and establish a tunnel. > > 2.1.7 works with the virtual miniport enabled. > > Any workaround or is it broken? > Hmmm. It should be the other way around unless you are communicating over an ad-hoc WiFi network. The 2.2.0 version favors the base WiFi adapter but doesn't work with the MS Virtual Adapter used for ad-hoc WiFi. -Matthew

From paul at anastrophe.com Sun Feb 6 23:01:57 2011 From: paul at anastrophe.com (Paul Theodoropoulos) Date: Sun, 06 Feb 2011 21:01:57 -0800 Subject: [vpn-help] new windows login credentials? Message-ID: <4D4F7CC5.1030206@anastrophe.com> Having recently installed 2.2.0 beta 1 for Windows 7 64-bit, when my machine comes out of 'sleep', I'm now presented with a Shrew VPN credentials login page by default, rather than my normal fingerprint sensor credentials login page. I can hit the 'log in as another user' button and then use my fingerprint - but, uh, what the heck is this? I went into the Windows 'user accounts' control panel and there's nothing there for me to modify, and I can't figure out how to get rid of this...? Thanks in advance. -- Paul Theodoropoulos

From mgrooms at shrew.net Mon Feb 7 00:47:45 2011 From: mgrooms at shrew.net (Matthew Grooms) Date: Mon, 07 Feb 2011 00:47:45 -0600 Subject: [vpn-help] new windows login credentials?
In-Reply-To: <4D4F7CC5.1030206@anastrophe.com> References: <4D4F7CC5.1030206@anastrophe.com> Message-ID: <4D4F9591.6070805@shrew.net> On 2/6/2011 11:01 PM, Paul Theodoropoulos wrote: > Having recently installed 2.2.0 beta 1 for Windows 7 64-bit, when my > machine comes out of 'sleep', I'm now presented with a Shrew VPN > credentials login page by default, rather than my normal fingerprint > sensor credentials login page. I can hit the 'log in as another user' > button and then use my fingerprint - but, uh, what the heck is this? I > went into the Windows 'user accounts' control panel and there's nothing > there for me to modify, and I can't figure out how to get rid of this...? > > Thanks in advance. > The 2.2.0 version includes an option for Secure Domain Login support. This is accomplished by installing a Windows credentials provider on Windows Vista/7. If you don't want that option, you can re-install the client and uncheck the credentials provider to prevent the component from being installed. I'm not sure why it's being presented by default if you didn't manually select it during the Login process. I'll have a look at that before we do the next beta release. -Matthew

From paul at anastrophe.com Mon Feb 7 12:20:56 2011 From: paul at anastrophe.com (Paul Theodoropoulos) Date: Mon, 07 Feb 2011 10:20:56 -0800 Subject: [vpn-help] new windows login credentials? In-Reply-To: <4D4F9591.6070805@shrew.net> References: <4D4F7CC5.1030206@anastrophe.com> <4D4F9591.6070805@shrew.net> Message-ID: <4D503808.9060504@anastrophe.com> On 2/6/2011 10:47 PM, Matthew Grooms wrote: > The 2.2.0 version includes an option for Secure Domain Login support. > This is accomplished by installing a Windows credentials provider on > Windows Vista/7. If you don't want that option, you can re-install the > client and uncheck the credentials provider to prevent the component > from being installed.
I'm not sure why it's being presented by default > if you didn't manually select it during the Login process. I'll have a > look at that before we do the next beta release. > > -Matthew Thanks Matthew. I paid closer attention during the reinstall and indeed I see the credentials provider option. It was pre-selected, which is why I didn't notice it before. This brings up another issue pertaining to installs - but I'll start a separate thread for that since it's unrelated. -- Paul Theodoropoulos

From paul at anastrophe.com Mon Feb 7 12:27:05 2011 From: paul at anastrophe.com (Paul Theodoropoulos) Date: Mon, 07 Feb 2011 10:27:05 -0800 Subject: [vpn-help] reinstall problems Message-ID: <4D503979.2000607@anastrophe.com> I've had this problem with all 2.2.0 versions - whenever I attempt a reinstall, my system bluescreens while the previous version is being removed. Win7 64-bit, Realtek Ethernet hardware/drivers. I have no wireless on this system. Curiously, on my work laptop that does have wireless, reinstall does not bluescreen. One might ask why I reinstall sometimes. Well, also with the 2.2.0 versions, if I've used the VPN previously, and later my PC has gone into sleep mode, after coming out of sleep, I can no longer use the VPN. I either get 'failed to attach to key daemon' - or it'll go through the full sequence of reconnecting to the VPN apparently successfully - but I'll be unable to actually use the connection - my ssh sessions just time out. On my work laptop, all I need do is run a reinstall, and then the VPN will work again. But on my PC, as above, the reinstall bluescreens. -- Paul Theodoropoulos
From mgrooms at shrew.net Mon Feb 7 12:48:25 2011 From: mgrooms at shrew.net (Matthew Grooms) Date: Mon, 07 Feb 2011 12:48:25 -0600 Subject: [vpn-help] reinstall problems In-Reply-To: <4D503979.2000607@anastrophe.com> References: <4D503979.2000607@anastrophe.com> Message-ID: <4D503E79.9080402@shrew.net> On 2/7/2011 12:27 PM, Paul Theodoropoulos wrote: > I've had this problem with all 2.2.0 versions - whenever I attempt a > reinstall, my system bluescreens while the previous version is being > removed. Win7 64-bit, Realtek Ethernet hardware/drivers. I have no > wireless on this system. Curiously, on my work laptop that does have > wireless, reinstall does not bluescreen. > I have seen Realtek device drivers cause problems many times before. Have you updated them to use the latest revision for your chipset? There were very minor changes to the Shrew Soft drivers between 2.1.7 and 2.2.0. In fact, I just submitted them to WinQual yesterday for final certification and they passed with no issues. That means these driver binaries will be the version included in the 2.2.0 release, just with the additional Microsoft signatures. > One might ask why I reinstall sometimes. Well, also with the 2.2.0 > versions, if I've used the VPN previously, and later my PC has gone into > sleep mode, after coming out of sleep, I can no longer use the VPN. I > either get 'failed to attach to key daemon' - or it'll go through the > full sequence of reconnecting to the VPN apparently successfully - but > I'll be unable to actually use the connection - my ssh sessions just > time out. On my work laptop, all I need do is run a reinstall, and then > the VPN will work again. But on my PC, as above, the reinstall bluescreens. > Does stopping/starting the Shrew Soft ike/ipsec services resolve this issue or are you forced to re-install the software? It would also be helpful to see debug level output for this scenario if possible.
-Matthew

From nss at compu-skill.com Mon Feb 7 16:34:52 2011 From: nss at compu-skill.com (Noach Sumner) Date: Tue, 8 Feb 2011 00:34:52 +0200 Subject: [vpn-help] reinstall problems In-Reply-To: <4D503E79.9080402@shrew.net> References: <4D503979.2000607@anastrophe.com> <4D503E79.9080402@shrew.net> Message-ID: I have the same problem where after my computer sleeps I can't connect unless I restart (IFF I was connected when it went into sleep mode). I am almost always connected wirelessly with an Intel 3945ABG, on Windows 7 32-bit. On Mon, Feb 7, 2011 at 8:48 PM, Matthew Grooms wrote: > On 2/7/2011 12:27 PM, Paul Theodoropoulos wrote: > >> I've had this problem with all 2.2.0 versions - whenever I attempt a >> reinstall, my system bluescreens while the previous version is being >> removed. Win7 64-bit, Realtek Ethernet hardware/drivers. I have no >> wireless on this system. Curiously, on my work laptop that does have >> wireless, reinstall does not bluescreen. >> >> > I have seen Realtek device drivers cause problems many times before. Have > you updated them to use the latest revision for your chipset? > > There were very minor changes to the Shrew Soft drivers between 2.1.7 and > 2.2.0. In fact, I just submitted them to WinQual yesterday for final > certification and they passed with no issues. That means these driver > binaries will be the version included in the 2.2.0 release, just with the > additional Microsoft signatures. > > > One might ask why I reinstall sometimes. Well, also with the 2.2.0 >> versions, if I've used the VPN previously, and later my PC has gone into >> sleep mode, after coming out of sleep, I can no longer use the VPN. I >> either get 'failed to attach to key daemon' - or it'll go through the >> full sequence of reconnecting to the VPN apparently successfully - but >> I'll be unable to actually use the connection - my ssh sessions just >> time out. On my work laptop, all I need do is run a reinstall, and then >> the VPN will work again.
But on my PC, as above, the reinstall >> bluescreens. >> >> > Does stopping/starting the Shrew Soft ike/ipsec services resolve this issue > or are you forced to re-install the software? It would also be helpful to > see debug level output for this scenario if possible. > > -Matthew >

From mattlenco at yahoo.com Mon Feb 7 17:55:21 2011 From: mattlenco at yahoo.com (Matt Lenco) Date: Mon, 7 Feb 2011 15:55:21 -0800 (PST) Subject: [vpn-help] Juniper SSG-20/Shrew VPN client- Message-ID: <336660.74735.qm@web46306.mail.sp1.yahoo.com> I continually get this error message when configuring VPN users on the Juniper SSG-20 gateway.

Rejected an IKE packet on ethernet0/0 from 9.9.9.2:500 to 9.9.9.1:500 with cookies cbf74b95a72b9d43 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

Juniper won't support me unless I pay the $88/NCP vpn client. That's BS. I connect my laptop to the outside interface of the SSG-20 and change my IP address to 9.9.9.2/24 and I can ping the interface of the SSG 9.9.9.1/24. The VPN client tunnel negotiation fails with no possible solution. The Shrew client configuration is attached. Thanks! Matt

A non-text attachment was scrubbed...
Name: Shrew_VPN_Client_Error_Plus_Screenshots_of_Configured_Tabs.docx Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document Size: 127800 bytes

From paul at anastrophe.com Tue Feb 8 00:50:20 2011 From: paul at anastrophe.com (Paul Theodoropoulos) Date: Mon, 07 Feb 2011 22:50:20 -0800 Subject: [vpn-help] reinstall problems In-Reply-To: <4D503E79.9080402@shrew.net> References: <4D503979.2000607@anastrophe.com> <4D503E79.9080402@shrew.net> Message-ID: <4D50E7AC.9080808@anastrophe.com> On 2/7/2011 10:48 AM, Matthew Grooms wrote: > I have seen Realtek device drivers cause problems many times before. > Have you updated them to use the latest revision for your chipset? It's a pretty recent revision (checking)... 7.31.1025.2010, which apparently has only recently been superseded. > There were very minor changes to the Shrew Soft drivers between 2.1.7 > and 2.2.0. In fact, I just submitted them to WinQual yesterday for final > certification and they passed with no issues. That means these driver > binaries will be the version included in the 2.2.0 release, just with > the additional Microsoft signatures. I also have an OpenVPN adapter installed, though I haven't used it in ages. I wonder if uninstalling that might have any effect. I've kept it in place just in case an old client ever needed assistance again - but I can always reinstall... > Does stopping/starting the Shrew Soft ike/ipsec services resolve this > issue or are you forced to re-install the software? It would also be > helpful to see debug level output for this scenario if possible. Haven't tried stop/start of the ike/ipsec services, will give it a try. Thanks for your excellent support!
--
Paul Theodoropoulos

From steve.harrold at eosemi.com Tue Feb 8 07:15:54 2011
From: steve.harrold at eosemi.com (Steve Harrold)
Date: Tue, 08 Feb 2011 13:15:54 +0000
Subject: [vpn-help] Netgear336 connection problems
Message-ID: <4D51420A.5070206@eosemi.com>

An HTML attachment was scrubbed...

From glen_di_persio at hotmail.com Tue Feb 8 07:36:05 2011
From: glen_di_persio at hotmail.com (Glen Di Persio)
Date: Tue, 8 Feb 2011 09:36:05 -0400
Subject: [vpn-help] Nortel Contivity VPN
Message-ID:

I'm trying to connect to a Contivity VPN using Shrewsoft. The Contivity client connects with Diffie-Hellman group 8 (EC2N), while the Shrewsoft client only supports groups 1/2/5/14/15. The Contivity server will not respond to my initial ISAKMP packet from Shrewsoft. Is DH Group 8 a proprietary Nortel transform, or is it more widely used?

thanks,
Glen

From mattlenco at yahoo.com Tue Feb 8 14:58:47 2011
From: mattlenco at yahoo.com (Matt Lenco)
Date: Tue, 8 Feb 2011 12:58:47 -0800 (PST)
Subject: [vpn-help] LDAP Display Will Authenticate Users but Not the Userid
Message-ID: <801845.53887.qm@web46304.mail.sp1.yahoo.com>

By the way, I was just on the phone with the Juniper TAC for 2 hours. We got LDAP to work with the SSG-20, but you have to enter the display name and not the userid into the Shrew VPN client? John H. Doe instead of doej.

From mattlenco at yahoo.com Tue Feb 8 14:58:57 2011
From: mattlenco at yahoo.com (Matt Lenco)
Date: Tue, 8 Feb 2011 12:58:57 -0800 (PST)
Subject: [vpn-help] Tailor the VPN Client with My Company Logo?
Message-ID: <94651.89316.qm@web46302.mail.sp1.yahoo.com>

Is there a way to tailor the client with my company logo?

Thanks!
Matt
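The Juniper "unrecognized peer gateway" rejection quoted by Matt above, and the iked.log excerpts later in this archive (a Phase 1 that gets no reply at all, then one answered with NO-PROPOSAL-CHOSEN on every retry), all come down to spotting a few indicator lines in a long log. What follows is an added example and not Shrew Soft or Juniper code: a small triage script for the two log formats quoted in this thread; the sample lines are constructed, modelled on the thread's logs with documentation addresses, and the hints are the general meaning of those messages, not a diagnosis of any poster's setup.

```python
import re

# Added example, not Shrew Soft or Juniper code: triage Phase 1 failures from the
# two log formats quoted in this thread. Sample lines below are constructed.
# Shrew Soft iked.log line: "<yy/mm/dd hh:mm:ss> <tag> : <message>".
IKED_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S+) : (.*)$")
# ScreenOS event-log line: "<yyyy-mm-dd hh:mm:ss> <level> <message>".
SCREENOS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (.*)$")

# Gateway-side indicators: (substring, diagnosis, what to check). First match wins.
SCREENOS_RULES = [
    ("unrecognized peer gateway", "no-ike-gateway-for-peer",
     "no IKE gateway matches the initiator's address or IKE ID; check the peer definition"),
    ("XAuth login failed", "xauth-credentials-rejected",
     "the gateway rejected the XAuth username/password"),
    ("while XAuth was still pending", "phase2-before-xauth",
     "client started Phase 2 before XAuth finished; check auth method and XAuth settings"),
]


def triage_iked(lines):
    """Classify one Phase 1 attempt from Shrew iked.log lines (initiator side)."""
    sent = resent = received = 0
    notifications, resend_limit = [], False
    for line in lines:
        m = IKED_RE.match(line)
        if not m:
            continue  # e.g. the bare "<gateway>:500" line the daemon writes
        msg = m.group(3)
        if msg.startswith("send IKE packet"):
            sent += 1
        elif msg.startswith("resend ") and "phase1 packet" in msg:
            resent += 1
        elif msg.startswith("recv IKE packet"):
            received += 1
        elif msg.startswith("received peer ") and msg.endswith(" notification"):
            notifications.append(msg[len("received peer "):-len(" notification")])
        elif msg.startswith("resend limit exceeded for phase1"):
            resend_limit = True
    if "NO-PROPOSAL-CHOSEN" in notifications:
        diagnosis, hint = "phase1-proposal-mismatch", (
            "the gateway rejected every Phase 1 transform offered; compare cipher, "
            "hash, DH group, lifetime and auth method, and read the gateway log")
    elif resend_limit and received == 0:
        diagnosis, hint = "no-response-from-gateway", (
            "nothing came back on UDP/500; check reachability and filtering, and "
            "whether the gateway recognises this peer at all")
    elif notifications:
        diagnosis, hint = "peer-notification", ", ".join(sorted(set(notifications)))
    elif sent and not resend_limit:
        diagnosis, hint = "no-phase1-failure-seen", "no failure indicator in this excerpt"
    else:
        diagnosis, hint = "no-phase1-attempt", "no 'send IKE packet' line in this excerpt"
    return {"diagnosis": diagnosis, "sent": sent, "resent": resent,
            "received": received, "notifications": notifications, "hint": hint}


def triage_screenos(lines):
    """Classify ScreenOS (Juniper SSG/NetScreen) IKE event lines (responder side)."""
    findings = []
    for line in lines:
        m = SCREENOS_RE.match(line)
        if not m:
            continue
        for needle, diagnosis, hint in SCREENOS_RULES:
            if needle in m.group(3):
                findings.append({"time": m.group(1), "diagnosis": diagnosis, "hint": hint})
                break
    return findings


# Constructed samples modelled on the thread's logs (192.0.2.0/24 is documentation space).
SAMPLE_IKED_NO_REPLY = [
    "11/02/15 12:07:44 192.0.2.1:500",
    "11/02/15 12:07:46 -> : send IKE packet 192.0.2.3:500 -> 192.0.2.1:500 ( 1245 bytes )",
    "11/02/15 12:07:51 -> : resend 1 phase1 packet(s) 192.0.2.3:500 -> 192.0.2.1:500",
    "11/02/15 12:07:56 -> : resend 1 phase1 packet(s) 192.0.2.3:500 -> 192.0.2.1:500",
    "11/02/15 12:08:06 ii : resend limit exceeded for phase1 exchange",
]
SAMPLE_IKED_REJECTED = [
    "11/02/15 12:11:59 -> : send IKE packet 192.0.2.3:500 -> 192.0.2.1:500 ( 585 bytes )",
    "11/02/15 12:11:59 <- : recv IKE packet 192.0.2.1:500 -> 192.0.2.3:500 ( 64 bytes )",
    "11/02/15 12:11:59 << : notification payload",
    "11/02/15 12:11:59 ii : received peer NO-PROPOSAL-CHOSEN notification",
    "11/02/15 12:12:19 ii : resend limit exceeded for phase1 exchange",
]
SAMPLE_SCREENOS = [
    "2011-02-07 15:55:21 info Rejected an IKE packet on ethernet0/0 from 192.0.2.2:500 "
    "to 192.0.2.1:500 with cookies 0011223344556677 and 0000000000000000 because an "
    "initial Phase 1 packet arrived from an unrecognized peer gateway.",
    "2011-02-27 15:27:29 info IKE 192.0.2.2: XAuth login failed for gateway "
    "vpnclient_gateway, username alice, retry: 0, timeout: 1.",
    "2011-02-27 15:27:29 info IKE 192.0.2.2 Phase 1: Completed Aggressive mode negotiations.",
]

if __name__ == "__main__":
    for sample in (SAMPLE_IKED_NO_REPLY, SAMPLE_IKED_REJECTED):
        print("iked.log:", triage_iked(sample)["diagnosis"])
    for f in triage_screenos(SAMPLE_SCREENOS):
        print("ScreenOS:", f["diagnosis"], "-", f["hint"])
```

Feed the functions the raw lines of a real iked.log or a ScreenOS event-log export; lines that do not match either format are ignored, so unrelated output can be left in.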
From pabouk at centrum.cz Mon Feb 14 17:43:59 2011
From: pabouk at centrum.cz (Vaclav Brozik)
Date: Tue, 15 Feb 2011 00:43:59 +0100
Subject: [vpn-help] no traffic passing through tunnel (Windows Vista SP2 32bit)
Message-ID: <20110214234359.B09A4100FDB64@mail1001.cent>

Hello,

I am testing Shrew Soft VPN Client 2.1.7 on Windows Vista SP2 32 bit. The VPN gateway is some Cisco device. It introduces itself as Cisco Systems, Inc ASA5520-K8. The IKE negotiation completes successfully and a successful keep-alive packet exchange follows. Unfortunately no traffic passes the established VPN tunnel. It looks like there is an ARP or routing problem.

------ here is the virtual interface:

Ethernet adapter Local Area Connection* 42:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
   Physical Address. . . . . . . . . : AA-AA-AA-46-BC-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1fa:d425:d0c9:2bc4%134(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.94.48(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : -1968526678
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0E-70-91-69-00-1A-4B-61-1C-D2
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Disabled

------ relevant routes from the routing table:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.147.254  192.168.147.101     266
...
     192.168.94.0    255.255.255.0         On-link     192.168.94.48    286
    192.168.94.48  255.255.255.255         On-link     192.168.94.48    286
   192.168.94.255  255.255.255.255         On-link     192.168.94.48    286
     192.168.95.0    255.255.255.0         On-link     192.168.94.48     31
   192.168.95.255  255.255.255.255         On-link     192.168.94.48    286

192.168.94.0/24 - is the subnet for VPN client addresses
192.168.95.0/24 - is the remote subnet behind the VPN gateway I want to access

Notice that the routing table is set as if the remote subnet was connected directly to a local interface (there is no gateway set), so Windows needs to receive a reply to ARP when sending a packet to the remote subnet. Is the routing table supposed to be like this?

------ Unfortunately when I ping a remote address Windows receives no reply to the ARP request, resulting in a "destination unreachable" message:

C:\Windows\system32>ping 192.168.95.184

Pinging 192.168.95.184 with 32 bytes of data:
Reply from 192.168.94.48: Destination host unreachable.
Request timed out.

------ the ARP request captured using Wireshark (no reply was ever seen):

1 0.000000000 aa:aa:aa:46:3c:00 Broadcast ARP 42 Who has 192.168.95.184? Tell 192.168.94.48

What is strange: the IPSEC service logs other ARP requests but not this one which does not get a reply.

------ this message sequence continuously repeats twice per second in the IPSEC service log:

11/02/14 23:28:33 K< : recv GET UNSPEC pfkey message
11/02/14 23:28:33 DB : sa found
11/02/14 23:28:33 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/02/14 23:28:33 DB : sa ref decrement ( ref count = 2, sa count = 2 )

------ message describing an unrelated ARP request to the local network:

11/02/14 23:28:44 ii : inspecting ARP request ...
11/02/14 23:28:44 DB : policy not found
11/02/14 23:28:44 ii : ignoring ARP request for 192.168.147.254, no policy found

------ message related to a request of another LAN machine asking for the address of my Windows machine:

11/02/14 23:29:23 ii : inspecting ARP request ...
11/02/14 23:29:23 !! : ARP packet has invalid header

(In fact the ARP request does not look wrong and is correctly replied to by my Windows machine.)

The ARP request sent from the Shrew Soft Virtual Adapter does not appear in the log at all! It seems that the VPN client does not see the ARP request. Also the "transferred" counters of the IPsec Security Associations stay at 0 all the time.

I tried a different internet connection (dialup over GPRS) too - no success.

Am I missing something in the VPN client or Windows configuration, or could this be a bug in the VPN client?

Thank you in advance for your help.

Pabouk

From Rainer.Blaes at astrium.eads.net Tue Feb 15 08:02:07 2011
From: Rainer.Blaes at astrium.eads.net (Rainer Blaes)
Date: Tue, 15 Feb 2011 15:02:07 +0100
Subject: [vpn-help] SHREW Dial Up Client and SSG 320 with Certificates
Message-ID: <4D5A875F.7090608@astrium.eads.net>

Hi everybody,

2 weeks ago we set up a SHREW Dial Up VPN Client 2.1.7 connection to our SSG 350 device and the connection is working fine. Now we got a SSG 320 out of the box and imported the running SSG 350 configuration into it. Unfortunately the tunnel isn't coming up again; it seems to us that something is wrong within Phase 1. But what?

Please see here the iked.log entries:

11/02/15 12:04:20 ## : IKE Daemon, ver 2.1.7
11/02/15 12:04:20 ## : Copyright 2010 Shrew Soft Inc.
11/02/15 12:04:20 ## : This product linked OpenSSL 0.9.8h 28 May 2008
11/02/15 12:04:20 ii : opened 'C:\Programme\ShrewSoft\VPN Client\debug\iked.log'
11/02/15 12:04:20 ii : opened 'C:\Programme\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
11/02/15 12:04:20 ii : opened 'C:\Programme\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
11/02/15 12:04:20 ii : rebuilding vnet device list ...
11/02/15 12:04:20 ii : device ROOT\VNET\0000 disabled
11/02/15 12:04:20 ii : network process thread begin ...
11/02/15 12:04:20 ii : pfkey process thread begin ...
11/02/15 12:04:20 ii : ipc server process thread begin ...
11/02/15 12:07:44 ii : ipc client process thread begin ...
11/02/15 12:07:44 192.168.11.1:500
11/02/15 12:07:46 DB : fa229af570c7fb18:0000000000000000
11/02/15 12:07:46 DB : phase1 added ( obj count = 1 )
11/02/15 12:07:46 >> : security association payload
11/02/15 12:07:46 >> : - proposal #1 payload
11/02/15 12:07:46 >> : -- transform #1 payload
11/02/15 12:07:46 >> : -- transform #2 payload
11/02/15 12:07:46 >> : -- transform #3 payload
11/02/15 12:07:46 >> : -- transform #4 payload
11/02/15 12:07:46 >> : -- transform #5 payload
11/02/15 12:07:46 >> : -- transform #6 payload
11/02/15 12:07:46 >> : -- transform #7 payload
11/02/15 12:07:46 >> : -- transform #8 payload
11/02/15 12:07:46 >> : -- transform #9 payload
11/02/15 12:07:46 >> : -- transform #10 payload
11/02/15 12:07:46 >> : -- transform #11 payload
11/02/15 12:07:46 >> : -- transform #12 payload
11/02/15 12:07:46 >> : -- transform #13 payload
11/02/15 12:07:46 >> : -- transform #14 payload
11/02/15 12:07:46 >> : -- transform #15 payload
11/02/15 12:07:46 >> : -- transform #16 payload
11/02/15 12:07:46 >> : -- transform #17 payload
11/02/15 12:07:46 >> : -- transform #18 payload
11/02/15 12:07:46 >> : key exchange payload
11/02/15 12:07:46 >> : nonce payload
11/02/15 12:07:46 >> : cert request payload
11/02/15 12:07:46 >> : identification payload
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports XAUTH
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v00 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v01 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v02 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v03 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( rfc )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports FRAGMENTATION
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports DPDv1
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is SHREW SOFT compatible
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is NETSCREEN compatible
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is SIDEWINDER compatible
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is CISCO UNITY compatible
11/02/15 12:07:46 >= : cookies fa229af570c7fb18:0000000000000000
11/02/15 12:07:46 >= : message 00000000
11/02/15 12:07:46 -> : send IKE packet 192.168.11.3:500 -> 192.168.11.1:500 ( 1245 bytes )
11/02/15 12:07:46 DB : phase1 resend event scheduled ( ref count = 2 )
11/02/15 12:07:51 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:07:56 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:08:01 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:08:06 ii : resend limit exceeded for phase1 exchange
11/02/15 12:08:06 ii : phase1 removal before expire time
11/02/15 12:08:06 DB : phase1 deleted ( obj count = 0 )
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : tunnel stats event canceled ( ref count = 1 )
11/02/15 12:08:06 DB : removing tunnel config references
11/02/15 12:08:06 DB : removing tunnel phase2 references
11/02/15 12:08:06 DB : removing tunnel phase1 references
11/02/15 12:08:06 DB : tunnel deleted ( obj count = 0 )
11/02/15 12:08:06 DB : removing all peer tunnel refrences
11/02/15 12:08:06 DB : peer deleted ( obj count = 0 )
11/02/15 12:08:06 ii : ipc client process thread exit ...
11/02/15 12:11:51 ii : ipc client process thread begin ...
11/02/15 12:11:51 192.168.11.1:500
11/02/15 12:11:59 DB : 221f334a8c0e197f:0000000000000000
11/02/15 12:11:59 DB : phase1 added ( obj count = 1 )
11/02/15 12:11:59 >> : security association payload
11/02/15 12:11:59 >> : - proposal #1 payload
11/02/15 12:11:59 >> : -- transform #1 payload
11/02/15 12:11:59 >> : key exchange payload
11/02/15 12:11:59 >> : nonce payload
11/02/15 12:11:59 >> : cert request payload
11/02/15 12:11:59 >> : identification payload
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports XAUTH
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v00 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v01 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v02 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v03 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( rfc )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports FRAGMENTATION
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports DPDv1
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is SHREW SOFT compatible
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is NETSCREEN compatible
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is SIDEWINDER compatible
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is CISCO UNITY compatible
11/02/15 12:11:59 >= : cookies 221f334a8c0e197f:0000000000000000
11/02/15 12:11:59 >= : message 00000000
11/02/15 12:11:59 -> : send IKE packet 192.168.11.3:500 -> 192.168.11.1:500 ( 585 bytes )
11/02/15 12:11:59 DB : phase1 resend event scheduled ( ref count = 2 )
11/02/15 12:11:59 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:11:59 DB : phase1 found
11/02/15 12:11:59 ii : processing informational packet ( 64 bytes )
11/02/15 12:11:59 =< : cookies 221f334a8c0e197f:d3c668fbd6a61255
11/02/15 12:11:59 =< : message 00000000
11/02/15 12:11:59 << : notification payload
11/02/15 12:11:59 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:11:59 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:11:59 ii : - isakmp spi = 221f334a8c0e197f:d3c668fbd6a61255
11/02/15 12:11:59 ii : - data size 8
11/02/15 12:12:04 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:12:04 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:12:04 DB : phase1 found
11/02/15 12:12:04 ii : processing informational packet ( 64 bytes )
11/02/15 12:12:04 =< : cookies 221f334a8c0e197f:b6b9df9481bde6cb
11/02/15 12:12:04 =< : message 00000000
11/02/15 12:12:04 << : notification payload
11/02/15 12:12:04 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:12:04 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:12:04 ii : - isakmp spi = 221f334a8c0e197f:b6b9df9481bde6cb
11/02/15 12:12:04 ii : - data size 8
11/02/15 12:12:09 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:12:09 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:12:09 DB : phase1 found
11/02/15 12:12:09 ii : processing informational packet ( 64 bytes )
11/02/15 12:12:09 =< : cookies 221f334a8c0e197f:9e28c29bed6baea3
11/02/15 12:12:09 =< : message 00000000
11/02/15 12:12:09 << : notification payload
11/02/15 12:12:09 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:12:09 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:12:09 ii : - isakmp spi = 221f334a8c0e197f:9e28c29bed6baea3
11/02/15 12:12:09 ii : - data size 8
11/02/15 12:12:14 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:12:14 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:12:14 DB : phase1 found
11/02/15 12:12:14 ii : processing informational packet ( 64 bytes )
11/02/15 12:12:14 =< : cookies 221f334a8c0e197f:b3a30e0e8a811912
11/02/15 12:12:14 =< : message 00000000
11/02/15 12:12:14 << : notification payload
11/02/15 12:12:14 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:12:14 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:12:14 ii : - isakmp spi = 221f334a8c0e197f:b3a30e0e8a811912
11/02/15 12:12:14 ii : - data size 8
11/02/15 12:12:19 ii : resend limit exceeded for phase1 exchange
11/02/15 12:12:19 ii : phase1 removal before expire time
11/02/15 12:12:19 DB : phase1 deleted ( obj count = 0 )
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : tunnel stats event canceled ( ref count = 1 )
11/02/15 12:12:19 DB : removing tunnel config references
11/02/15 12:12:19 DB : removing tunnel phase2 references
11/02/15 12:12:19 DB : removing tunnel phase1 references
11/02/15 12:12:19 DB : tunnel deleted ( obj count = 0 )
11/02/15 12:12:19 DB : removing all peer tunnel refrences
11/02/15 12:12:19 DB : peer deleted ( obj count = 0 )
11/02/15 12:12:19 ii : ipc client process thread exit ...

Many thanks in advance!
Rainer
From pabouk at centrum.cz Tue Feb 15 08:57:34 2011
From: pabouk at centrum.cz (Vaclav Brozik)
Date: Tue, 15 Feb 2011 15:57:34 +0100
Subject: [vpn-help] SHREW Dial Up Client and SSG 320 with Certificates
In-Reply-To: <4D5A875F.7090608@astrium.eads.net>
References: <4D5A875F.7090608@astrium.eads.net>
Message-ID: <20110215145734.5F3396000A969@mail1014.cent>

Hi Rainer,

from the gateway you receive the message NO-PROPOSAL-CHOSEN:

11/02/15 12:11:59 ii : received peer NO-PROPOSAL-CHOSEN notification

This means that the gateway does not accept your proposals for phase 1. Check that the phase 1 configuration matches on both client and gateway. Probably you can see more detailed information in the gateway logs, because for security reasons the gateway does not send a detailed reason for not accepting a proposal of your client.

Strange is that the gateway seems not to respond at all to the first client attempt.

Regards,
Vaclav

From martin.kreutzer at iis.fraunhofer.de Fri Feb 18 06:43:03 2011
From: martin.kreutzer at iis.fraunhofer.de (Martin Kreutzer)
Date: Fri, 18 Feb 2011 13:43:03 +0100
Subject: [vpn-help] VPN Connection does not show up in network connections
Message-ID: <4D5E6957.1050008@iis.fraunhofer.de>

Hi,

I have the shrew client 2.1.7 installed on a Windows 7 Enterprise 64bit. It works fine, but I do not get a connection icon in the "network connections" window (I hope that this is the English name for it; in German it's "Netzwerkverbindungen" - the window which lists your network adapters).
"ipconfig /all" shows it with the name "LAN-Verbindung* 2". Any suggestions where to look for it? Regards Martin -- Martin Kreutzer [Martin.Kreutzer at iis.fraunhofer.de] IT Services Fraunhofer IIS [www.iis.fraunhofer.de] Am Wolfsmantel 33 91058 Erlangen Germany Tel.: +49 9131 776 2776 Fax.: +49 9131 776 2799 From shrew64 at gmail.com Fri Feb 18 10:20:05 2011 From: shrew64 at gmail.com (Da Da) Date: Fri, 18 Feb 2011 17:20:05 +0100 Subject: [vpn-help] DPD parameters Message-ID: Hi, First of all, thank you for this great piece of software. I'm currently testing the VPN client on Windows x64 with a WWAN access. I've been testing the version 2.2b1 but I rolled back to v2.1.7 due to stability issues of the IKED service (I can't reproduce these issues yet). So I'm back in v2.1.7 and it works fine except one thing : the DPD feature disconnects the client very quickly if a gateway isn't reachable (about 10 seconds). As I create the VPN tunnel over a native mobile broadband connection, it's too short. Sometimes, I'm in the train or moving and the WWAN connection is lost for a few seconds, and Windows recovers it without problem. But Shrewsoft VPN already disconnected the tunnel... If I disable the DPD feature, it works. When the WWAN connection goes up again, the SA is maintained and I received packets again. However, this create session timeout issues on the facing gateway. A nice solution would be to increase the number of DPD retries, for it to be less aggressive. Is there a way to do it easily ? /David -------------- next part -------------- An HTML attachment was scrubbed... URL: From w2kfs1 at googlemail.com Mon Feb 21 09:13:56 2011 From: w2kfs1 at googlemail.com (w2kfs1) Date: Mon, 21 Feb 2011 16:13:56 +0100 Subject: [vpn-help] Manual ShrewVPN to ZyXEL USG-Series Message-ID: Dear Shrew, i have make a Manual to Connect our Client to ZyWALL USG-Series. It would be good if you insert this Manual to your Website under Support. 
Please note: in the reference to the "old" ZyWALL series there is a mistake, because if you choose "Enable Multiple Proposals" in Phase 1 & 2, you can connect with wrong Phase 1 & 2 encryption settings; it's a leak!

Attached is the new manual for the USG series. If you need access for checking, please send me an email with your public IP.

Best Regards
Christian

Confidentiality note: This message (including any attachments) contains confidential information intended for a specific individual or entity as the intended recipient. If you are not the intended recipient, you are hereby notified that any distribution, any copying of this message in part or in whole, or any taking of action based on it, is strictly prohibited by law and may cause liability. In case you have received this message due to an error in transmission, we ask you to notify the sender immediately.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ShrewVPN Client to ZyWALL USGx Series.pdf
Type: application/pdf
Size: 1416828 bytes

From darrenn at jkdesign.com Tue Feb 22 09:20:32 2011
From: darrenn at jkdesign.com (Darren Nye)
Date: Tue, 22 Feb 2011 10:20:32 -0500
Subject: [vpn-help] unsubscribe
Message-ID: <00c401cbd2a4$0d106980$27313c80$@com>

unsubscribe

--
Darren L. Nye
VP Interactive & I.T.
JK Design
465 Amwell Road
Hillsborough, NJ 08844
P: 908 428 4700 Ext.12
F: 908 428 4701
E: darrenn at jkdesign.com
www.jkdesign.com

From huw at hermesmedical.com Thu Feb 24 06:19:06 2011
From: huw at hermesmedical.com (Huw Thomas)
Date: Thu, 24 Feb 2011 12:19:06 +0000
Subject: [vpn-help] Help with config
Message-ID:

Dear all,
I have a Shrewsoft configuration that connects to my NVS318g Netgear router no problem (using Mode Config) from my Windows 7 Ultimate system. I successfully get assigned an IP address from the Mode Config range and can see devices on the remote network.

However, when I install the exact same Shrewsoft configuration on a Windows Home Premium laptop, it connects fine but doesn't get assigned an IP address from the Mode Config range, so I can't see the remote network.

Can you please help? I am using Shrew 2.1.7

Thanks,
Huw

From stefan.bauer at cubewerk.de Fri Feb 25 05:23:23 2011
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Fri, 25 Feb 2011 12:23:23 +0100
Subject: [vpn-help] RW (shrew) -> swan (ipcop) - tunnel active - no packages back to RW
Message-ID: <4D67912B.1020302@cubewerk.de>

Hi folks,

I associated a tunnel between shrew (winxp) and ipcop (swan). According to the logs on both sides, the tunnel is active but no packets come back to the RW.

Here is a tcpdump on the server - my RW is 192.168.10.30, ipcop.localdomain is 172.20.0.1:

IP 192.168.10.30 > ipcop.localdomain: ICMP echo request, id 1536, seq 1024, length 40
IP ipcop.localdomain > 192.168.10.30: ICMP echo reply, id 1536, seq 1024, length 40

I checked whether the answer packets might get masqueraded, but I added an exception for the RW network:

Chain POSTROUTING (1 references)
 pkts bytes target      prot opt in     out     source               destination
   17  1316 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            !192.168.10.0/24

Still, I see no answer traffic on my roadwarrior Windows PC (sniffing traffic with libpcap / windump).

Some debug/infos here: http://www.plzk.de/ipsec.log

Ideas are greatly appreciated.
thanks
stefan

--
Stefan Bauer
-----------------------------------------
PGP: 36D1 1570 DCAD B767 EABE F60D 6BCA 7AD4 79EB C4EC
-------- plzk.de - Linux - because it works ----------

From stefan.bauer at cubewerk.de Sun Feb 27 14:09:52 2011
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Sun, 27 Feb 2011 21:09:52 +0100
Subject: [vpn-help] bugreport: gui + pkcs12 file import
Message-ID: <4D6AAF90.3040700@cubewerk.de>

Hi Matthew,

this is a bug report against the latest beta version for Windows. I guess I found 2 bugs. One in the GUI of the trace utility and one when using my pkcs12 file. The pkcs12 file was working fine with the stable version. I just switched to the beta because I had problems as stated in "[vpn-help] RW (shrew) -> swan (ipcop) - tunnel active - no packages back to RW".

Please see the demonstration of both bugs here: (turn speakers on)

http://www.youtube.com/watch?v=3fGrxS3MULg

thanks in advance
stefan

From stefan.bauer at cubewerk.de Sun Feb 27 14:47:09 2011
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Sun, 27 Feb 2011 21:47:09 +0100
Subject: [vpn-help] RW (shrew) -> swan (ipcop) - tunnel active - no packages back to RW
In-Reply-To: <4D67912B.1020302@cubewerk.de>
References: <4D67912B.1020302@cubewerk.de>
Message-ID: <4D6AB84D.1050408@cubewerk.de>

On 25.02.2011 12:23, Stefan Bauer wrote:
> Hi folks,
>
> i associated a tunnel between shrew (winxp) and ipcop (swan).
>
> according to the logs on both sides, tunnel is active but no
> packages comes back to the RW.

After some network analysis: the packets did come back to the client but did not get used by the client. I had an additional virtual IP address set up on the ethernet interface on the client side in Windows XP. After removing this IP address, the packets were used by the shrew client.

Matthew - is that a bug?
Stefan

--
Stefan Bauer
-----------------------------------------
PGP: 36D1 1570 DCAD B767 EABE F60D 6BCA 7AD4 79EB C4EC
-------- plzk.de - Linux - because it works ----------

From akmangalick at gmail.com Sun Feb 27 15:18:48 2011
From: akmangalick at gmail.com (A. Kumar Mangalick)
Date: Sun, 27 Feb 2011 13:18:48 -0800
Subject: [vpn-help] cannot install in Windows 7 64-bit
Message-ID: <000901cbd6c3$ede95610$c9bc0230$@gmail.com>

I'm unable to install the client software. Every time I've tried, the installer sits forever at the step indicating that drvcfg.exe is being executed. The CPU is at about 50% the entire time and I have had to kill the process after nearly 15 minutes. Then the software is listed among the installed programs, so I've tried to uninstall it. However, the same thing happens at the step that involves drvcfg.exe. Now I cannot uninstall.

Kumar

From stefan.bauer at cubewerk.de Sun Feb 27 16:15:03 2011
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Sun, 27 Feb 2011 23:15:03 +0100
Subject: [vpn-help] cannot install in Windows 7 64-bit
In-Reply-To: <000901cbd6c3$ede95610$c9bc0230$@gmail.com>
References: <000901cbd6c3$ede95610$c9bc0230$@gmail.com>
Message-ID: <4D6ACCE7.7060904@cubewerk.de>

On 27.02.2011 22:18, A. Kumar Mangalick wrote:
> I'm unable to install the client software. Every time I've tried, the
> installer sits forever at the step indicating that drvcfg.exe is being
> executed. The CPU is at about 50% the entire time and I have had to kill
> the process after nearly 15 minutes. Then the software is listed among the
> installed programs, so I've tried to uninstall it. However, the same thing
> happens at the step that involves drvcfg.exe. Now I cannot uninstall.

Give it a try in Windows safe mode?
Stefan

--
Stefan Bauer
-----------------------------------------
PGP: 36D1 1570 DCAD B767 EABE F60D 6BCA 7AD4 79EB C4EC
-------- plzk.de - Linux - because it works ----------

From florian.beckmann at camunda.com Mon Feb 28 06:50:39 2011
From: florian.beckmann at camunda.com (Florian Beckmann)
Date: Mon, 28 Feb 2011 13:50:39 +0100
Subject: [vpn-help] timeout for svn repos
Message-ID: <201102281350.40013.florian.beckmann@camunda.com>

Hi Matthew,

I had the same build error as described in "ike-2.2.0-beta-1 make errors" by Steve. I tried to fetch HEAD from svn://svn.shrew.net/ike/head but the repository seems to be down. Did it move?

Cheers
Florian

From florian.beckmann at camunda.com Mon Feb 28 05:09:02 2011
From: florian.beckmann at camunda.com (Florian Beckmann)
Date: Mon, 28 Feb 2011 11:09:02 +0000 (UTC)
Subject: [vpn-help] ike-2.2.0-beta-1 make errors
References: <4D4C4484.6040603@eosemi.com> <4D4EDD9D.8050508@shrew.net>
Message-ID:

Matthew Grooms writes:

> I just fixed the build issues. Please pull down a copy from svn and give
> it another try.
>
> svn export svn://svn.shrew.net/ike/head
>
> -Matthew

Hi Matthew,

I have the same problem as described above but right now I'm unable to reach the subversion repository (timeout) to try the head build.

cheers
Florian

From t.steffen at gmx.de Sun Feb 27 08:50:11 2011
From: t.steffen at gmx.de (Thorsten Steffen)
Date: Sun, 27 Feb 2011 15:50:11 +0100
Subject: [vpn-help] Problems using shrew to connect to ns5gt
Message-ID:

Hi guys,

I'm trying to connect to a Juniper NS5GT (Hardware Version: 1010, Firmware Version: 6.2.0r2.0 Firewall+VPN) with Shrew VPN Client 2.1.7 (running on Win7 64bit) without success. I used http://www.shrew.net/support/wiki/HowtoJuniperSsg to configure both sides.

Messages in the shrew client window are
===
config loaded for site '222.61.123.22'
configuring client settings...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
user authentication error
tunnel disabled
detached from key daemon ...
===

Error messages on the Juniper are
===
2011-02-27 15:27:29 info IKE 62.143.130.124: XAuth login failed for gateway vpnclient_gateway, username thorsten, retry: 0, timeout: 1.
2011-02-27 15:27:29 info Rejected an IKE packet on ethernet3 from 62.143.130.124:4500 to 222.61.123.22:4500 with cookies e11944da1f039872 and b6cc949745492852 because A Phase 2 packet arrived while XAuth was still pending.
2011-02-27 15:27:29 info IKE 62.143.130.124 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2011-02-27 15:27:29 info IKE 62.143.130.124 Phase 1: Completed for user client.jersa.de.
2011-02-27 15:27:29 info IKE<62.143.130.124> Phase 1: IKE responder has detected NAT in front of the remote device.
2011-02-27 15:27:29 info IKE<62.143.130.124> Phase 1: IKE responder has detected NAT in front of the local device.
2011-02-27 15:27:29 info IKE 62.143.130.124 phase 1:The symmetric crypto key has been generated successfully.
2011-02-27 15:27:29 info IKE 62.143.130.124 Phase 1: Responder starts AGGRESSIVE mode negotiations.
===

The password for user thorsten is correct; I already tried to connect with a wrong password and got a different error message.
Shrew configuration is
===
n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:phase2-keylen:0
s:network-host:222.61.123.22
s:client-auto-mode:push
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:client.jersa.de
s:ident-server-data:vpngw.jersa.de
b:auth-mutual-psk:dGVzdDJURVNU
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-level:auto
s:policy-list-include:10.1.1.0 / 255.255.255.0
===

Shrew debug log is
===
11/02/27 15:15:44 ii : ipc client process thread begin ...
11/02/27 15:15:44 222.61.123.22:500
11/02/27 15:15:44 DB : e11944da1f039872:0000000000000000
11/02/27 15:15:44 DB : phase1 added ( obj count = 1 )
11/02/27 15:15:44 >> : security association payload
11/02/27 15:15:44 >> : - proposal #1 payload
11/02/27 15:15:44 >> : -- transform #1 payload
11/02/27 15:15:44 >> : -- transform #2 payload
11/02/27 15:15:44 >> : -- transform #3 payload
11/02/27 15:15:44 >> : -- transform #4 payload
11/02/27 15:15:44 >> : -- transform #5 payload
11/02/27 15:15:44 >> : -- transform #6 payload
11/02/27 15:15:44 >> : -- transform #7 payload
11/02/27 15:15:44 >> : -- transform #8 payload
11/02/27 15:15:44 >> : -- transform #9 payload
11/02/27 15:15:44 >> : -- transform #10 payload
11/02/27 15:15:44 >> : -- transform #11 payload
11/02/27 15:15:44 >> : -- transform #12 payload
11/02/27 15:15:44 >> : -- transform #13 payload
11/02/27 15:15:44 >> : -- transform #14 payload
11/02/27 15:15:44 >> : -- transform #15 payload
11/02/27 15:15:44 >> : -- transform #16 payload
11/02/27 15:15:44 >> : -- transform #17 payload
11/02/27 15:15:44 >> : -- transform #18 payload
11/02/27 15:15:44 >> : key exchange payload
11/02/27 15:15:44 >> : nonce payload
11/02/27 15:15:44 >> : identification payload
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports XAUTH
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( draft v00 )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( draft v01 )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( draft v02 )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( draft v03 )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports nat-t ( rfc )
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports FRAGMENTATION
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local supports DPDv1
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local is SHREW SOFT compatible
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local is NETSCREEN compatible
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local is SIDEWINDER compatible
11/02/27 15:15:44 >> : vendor id payload
11/02/27 15:15:44 ii : local is CISCO UNITY compatible
11/02/27 15:15:44 >= : cookies e11944da1f039872:0000000000000000
11/02/27 15:15:44 >= : message 00000000
11/02/27 15:15:44 -> : send IKE packet 10.0.0.100:500 -> 222.61.123.22:500 ( 1191 bytes )
11/02/27 15:15:44 DB : phase1 resend event scheduled ( ref count = 2 )
11/02/27 15:15:45 <- : recv IKE packet 222.61.123.22:500 -> 10.0.0.100:500 ( 446 bytes )
11/02/27 15:15:45 DB : phase1 found
11/02/27 15:15:45 ii : processing phase1 packet ( 446 bytes )
11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 =< : message 00000000
11/02/27 15:15:45 << : security association payload
11/02/27 15:15:45 << : - propsal #1 payload
11/02/27 15:15:45 << : -- transform #1 payload
11/02/27 15:15:45 ii : unmatched isakmp proposal/transform
11/02/27 15:15:45 ii : key length ( 128 != 256 )
11/02/27 15:15:45 ii : unmatched isakmp proposal/transform
11/02/27 15:15:45 ii : key length ( 128 != 256 )
11/02/27 15:15:45 ii : unmatched isakmp proposal/transform
11/02/27 15:15:45 ii : key length ( 128 != 192 )
11/02/27 15:15:45 ii : unmatched isakmp proposal/transform
11/02/27 15:15:45 ii : key length ( 128 != 192 )
11/02/27 15:15:45 !! : peer violates RFC, transform number mismatch ( 1 != 5 )
11/02/27 15:15:45 ii : matched isakmp proposal #1 transform #1
11/02/27 15:15:45 ii : - transform = ike
11/02/27 15:15:45 ii : - cipher type = aes
11/02/27 15:15:45 ii : - key length = 128 bits
11/02/27 15:15:45 ii : - hash type = md5
11/02/27 15:15:45 ii : - dh group = modp-1024
11/02/27 15:15:45 ii : - auth type = xauth-initiator-psk
11/02/27 15:15:45 ii : - life seconds = 86400
11/02/27 15:15:45 ii : - life kbytes = 0
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : unknown vendor id ( 28 bytes )
11/02/27 15:15:45 0x : 71957fc3 620a4219 70709668 132e871a 332378fc 0000000b 00000614
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : peer supports XAUTH
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : peer supports DPDv1
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : peer supports HEARTBEAT-NOTIFY
11/02/27 15:15:45 << : key exchange payload
11/02/27 15:15:45 << : nonce payload
11/02/27 15:15:45 << : identification payload
11/02/27 15:15:45 ii : phase1 id match
11/02/27 15:15:45 ii : received = fqdn vpngw.jersa.de
11/02/27 15:15:45 << : hash payload
11/02/27 15:15:45 << : vendor id payload
11/02/27 15:15:45 ii : peer supports nat-t ( draft v02 )
11/02/27 15:15:45 << : nat discovery payload
11/02/27 15:15:45 << : nat discovery payload
11/02/27 15:15:45 ii : nat discovery - local address is translated
11/02/27 15:15:45 ii : switching to src nat-t udp port 4500
11/02/27 15:15:45 ii : switching to dst nat-t udp port 4500
11/02/27 15:15:45 == : DH shared secret ( 128 bytes )
11/02/27 15:15:45 == : SETKEYID ( 16 bytes )
11/02/27 15:15:45 == : SETKEYID_d ( 16 bytes )
11/02/27 15:15:45 == : SETKEYID_a ( 16 bytes )
11/02/27 15:15:45 == : SETKEYID_e ( 16 bytes )
11/02/27 15:15:45 == : cipher key ( 16 bytes )
11/02/27 15:15:45 == : cipher iv ( 16 bytes )
11/02/27 15:15:45 == : phase1 hash_i ( computed ) ( 16 bytes )
11/02/27 15:15:45 >> : hash payload
11/02/27 15:15:45 >> : nat discovery payload
11/02/27 15:15:45 >> : nat discovery payload
11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 >= : message 00000000
11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )
11/02/27 15:15:45 == : encrypt packet ( 88 bytes )
11/02/27 15:15:45 == : stored iv ( 16 bytes )
11/02/27 15:15:45 DB : phase1 resend event canceled ( ref count = 1 )
11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 124 bytes )
11/02/27 15:15:45 == : phase1 hash_r ( computed ) ( 16 bytes )
11/02/27 15:15:45 == : phase1 hash_r ( received ) ( 16 bytes )
11/02/27 15:15:45 ii : phase1 sa established
11/02/27 15:15:45 ii : 222.61.123.22:4500 <-> 10.0.0.100:4500
11/02/27 15:15:45 ii : e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 ii : sending peer INITIAL-CONTACT notification
11/02/27 15:15:45 ii : - 10.0.0.100:4500 -> 222.61.123.22:4500
11/02/27 15:15:45 ii : - isakmp spi = e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 ii : - data size 0
11/02/27 15:15:45 >> : hash payload
11/02/27 15:15:45 >> : notification payload
11/02/27 15:15:45 == : new informational hash ( 16 bytes )
11/02/27 15:15:45 == : new informational iv ( 16 bytes )
11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 >= : message a0c38ba0
11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )
11/02/27 15:15:45 == : encrypt packet ( 76 bytes )
11/02/27 15:15:45 == : stored iv ( 16 bytes )
11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 108 bytes )
11/02/27 15:15:45 DB : phase2 not found
11/02/27 15:15:45 <- : recv NAT-T:IKE packet 222.61.123.22:4500 -> 10.0.0.100:4500 ( 76 bytes )
11/02/27 15:15:45 DB : phase1 found
11/02/27 15:15:45 ii : processing config packet ( 76 bytes )
11/02/27 15:15:45 DB : config not found
11/02/27 15:15:45 DB : config added ( obj count = 1 )
11/02/27 15:15:45 == : new config iv ( 16 bytes )
11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 =< : message 55466abc
11/02/27 15:15:45 =< : decrypt iv ( 16 bytes )
11/02/27 15:15:45 == : decrypt packet ( 76 bytes )
11/02/27 15:15:45 <= : trimmed packet padding ( 8 bytes )
11/02/27 15:15:45 <= : stored iv ( 16 bytes )
11/02/27 15:15:45 << : hash payload
11/02/27 15:15:45 << : attribute payload
11/02/27 15:15:45 == : configure hash_i ( computed ) ( 16 bytes )
11/02/27 15:15:45 == : configure hash_c ( computed ) ( 16 bytes )
11/02/27 15:15:45 ii : configure hash verified
11/02/27 15:15:45 ii : - xauth authentication type
11/02/27 15:15:45 ii : - xauth username
11/02/27 15:15:45 ii : - xauth password
11/02/27 15:15:45 ii : received basic xauth request -
11/02/27 15:15:45 ii : - standard xauth username
11/02/27 15:15:45 ii : - standard xauth password
11/02/27 15:15:45 ii : sending xauth response for thorsten
11/02/27 15:15:45 >> : hash payload
11/02/27 15:15:45 >> : attribute payload
11/02/27 15:15:45 == : new configure hash ( 16 bytes )
11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 >= : message 55466abc
11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )
11/02/27 15:15:45 == : encrypt packet ( 84 bytes )
11/02/27 15:15:45 == : stored iv ( 16 bytes )
11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 124 bytes )
11/02/27 15:15:45 DB : config resend event scheduled ( ref count = 2 )
11/02/27 15:15:45 <- : recv NAT-T:IKE packet 222.61.123.22:4500 -> 10.0.0.100:4500 ( 92 bytes )
11/02/27 15:15:45 DB : phase1 found
11/02/27 15:15:45 ii : processing config packet ( 92 bytes )
11/02/27 15:15:45 DB : config found
11/02/27 15:15:45 == : new config iv ( 16 bytes )
11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 =< : message 577a08a9
11/02/27 15:15:45 =< : decrypt iv ( 16 bytes )
11/02/27 15:15:45 == : decrypt packet ( 92 bytes )
11/02/27 15:15:45 <= : trimmed packet padding ( 12 bytes )
11/02/27 15:15:45 <= : stored iv ( 16 bytes )
11/02/27 15:15:45 << : hash payload
11/02/27 15:15:45 << : attribute payload
11/02/27 15:15:45 == : configure hash_i ( computed ) ( 16 bytes )
11/02/27 15:15:45 == : configure hash_c ( computed ) ( 16 bytes )
11/02/27 15:15:45 ii : configure hash verified
11/02/27 15:15:45 ii : received config push request
11/02/27 15:15:45 ii : - IP4 Address
11/02/27 15:15:45 ii : - IP4 Netmask
11/02/27 15:15:45 ii : - IP4 DNS Server = 10.1.1.1
11/02/27 15:15:45 ii : building config attribute list
11/02/27 15:15:45 ii : - IP4 DNS Server
11/02/27 15:15:45 ii : sending config push acknowledge
11/02/27 15:15:45 >> : hash payload
11/02/27 15:15:45 >> : attribute payload
11/02/27 15:15:45 == : new configure hash ( 16 bytes )
11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 >= : message 577a08a9
11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )
11/02/27 15:15:45 == : encrypt packet ( 60 bytes )
11/02/27 15:15:45 == : stored iv ( 16 bytes )
11/02/27 15:15:45 DB : config resend event canceled ( ref count = 1 )
11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 92 bytes )
11/02/27 15:15:45 DB : config resend event scheduled ( ref count = 2 )
11/02/27 15:15:45 <- : recv NAT-T:IKE packet 222.61.123.22:4500 -> 10.0.0.100:4500 ( 76 bytes )
11/02/27 15:15:45 DB : phase1 found
11/02/27 15:15:45 ii : processing config packet ( 76 bytes )
11/02/27 15:15:45 DB : config found
11/02/27 15:15:45 == : new config iv ( 16 bytes )
11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 =< : message 84591a7f
11/02/27 15:15:45 =< : decrypt iv ( 16 bytes )
11/02/27 15:15:45 == : decrypt packet ( 76 bytes )
11/02/27 15:15:45 <= : trimmed packet padding ( 16 bytes )
11/02/27 15:15:45 <= : stored iv ( 16 bytes )
11/02/27 15:15:45 << : hash payload
11/02/27 15:15:45 << : attribute payload
11/02/27 15:15:45 == : configure hash_i ( computed ) ( 16 bytes )
11/02/27 15:15:45 == : configure hash_c ( computed ) ( 16 bytes )
11/02/27 15:15:45 ii : configure hash verified
11/02/27 15:15:45 ii : received xauth result -
11/02/27 15:15:45 !! : user thorsten authentication failed
11/02/27 15:15:45 DB : phase1 soft event canceled ( ref count = 3 )
11/02/27 15:15:45 DB : phase1 hard event canceled ( ref count = 2 )
11/02/27 15:15:45 DB : phase1 dead event canceled ( ref count = 1 )
11/02/27 15:15:45 ii : sending peer DELETE message
11/02/27 15:15:45 ii : - 10.0.0.100:4500 -> 222.61.123.22:4500
11/02/27 15:15:45 ii : - isakmp spi = e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 ii : - data size 0
11/02/27 15:15:45 >> : hash payload
11/02/27 15:15:45 >> : delete payload
11/02/27 15:15:45 == : new informational hash ( 16 bytes )
11/02/27 15:15:45 == : new informational iv ( 16 bytes )
11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852
11/02/27 15:15:45 >= : message a29a73fe
11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )
11/02/27 15:15:45 == : encrypt packet ( 76 bytes )
11/02/27 15:15:45 == : stored iv ( 16 bytes )
11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 -> 222.61.123.22:4500 ( 108 bytes )
11/02/27 15:15:45 DB : config resend event canceled ( ref count = 1 )
11/02/27 15:15:45 DB : config deleted ( obj count = 0 )
11/02/27 15:15:45 ii : phase1 removal before expire time
11/02/27 15:15:45 DB : phase1 deleted ( obj count = 0 )
11/02/27 15:15:45 DB : policy not found
11/02/27 15:15:45 DB : policy not found
11/02/27 15:15:45 DB : policy not found
11/02/27 15:15:45 DB : policy not found
11/02/27 15:15:45 DB : policy not found
11/02/27 15:15:45 DB : policy not found
11/02/27 15:15:45 DB : tunnel dpd event canceled ( ref count = 3 )
11/02/27 15:15:45 DB : tunnel natt event canceled ( ref count = 2 )
11/02/27 15:15:45 DB : tunnel stats event canceled ( ref count = 1 )
11/02/27 15:15:45 DB : removing tunnel config references
11/02/27 15:15:45 DB : removing tunnel phase2 references
11/02/27 15:15:45 DB : removing tunnel phase1 references
11/02/27 15:15:45 DB : tunnel deleted ( obj count = 0 )
11/02/27 15:15:45 DB : removing all peer tunnel refrences
11/02/27 15:15:45 DB : peer deleted ( obj count = 0 )
11/02/27 15:15:45 ii : ipc client process thread exit ...
===

I think "user thorsten authentication failed" is the relevant message

Juniper Debug log (debug ike detail) is
===
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 1191, action 1
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 1163 bytes from socket.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ******
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 1163 bytes. src port 500
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 1163, nxp 1[SA], exch 4[AG], flag 00
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
## 2011-02-27 15:34:06 : [VID] [VID] [VID] [VID] [VID] [VID] [VID]
## 2011-02-27 15:34:06 : valid id checking, id type:FQDN, len:23.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > Validate (1135): SA/716 KE/132 NONCE/24 ID/23 VID/12 VID/20 VID/20 VID/20 VID/20
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Receive Id in AG mode, id-type=2, id=client.jersa.de, idlen = 15
## 2011-02-27 15:34:06 : locate peer entry for (2/client.jersa.de), by identity.
## 2011-02-27 15:34:06 : Found identity in group <1> user id <1>.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Found peer entry (vpnclient_gateway) from 62.143.130.124.
## 2011-02-27 15:34:06 : responder create sa: 62.143.130.124->222.61.123.22
## 2011-02-27 15:34:06 : init p1sa, pidt = 0x0
## 2011-02-27 15:34:06 : change peer identity for p1 sa, pidt = 0x0
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > peer_identity_create_with_uid: uid<0>
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > create peer identity 0x622a4c0
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry before add <1>
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry after add <2>
## 2011-02-27 15:34:06 : peer identity 622a4c0 created.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > EDIPI disabled
## 2011-02-27 15:34:06 : IKE<62.143.130.124> getProfileFromP1Proposal->
## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[0]=<00000005 00000002 00000001 00000002> for p1 proposal (id 5), xauth(1)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[1]=<00000005 00000001 00000001 00000002> for p1 proposal (id 4), xauth(1)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[2]=<00000007 00000002 00000001 00000002> for p1 proposal (id 7), xauth(1)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[3]=<00000007 00000001 00000001 00000002> for p1 proposal (id 6), xauth(1)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> responder create sa: 62.143.130.124->222.61.123.22
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1: Responder starts AGGRESSIVE mode negotiations.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> AG in state OAK_AG_NOSTATE.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 09 00 26 89 df d6 b7 12
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv XAUTH v6.0 vid
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-00).
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 16 f6 ca 16 e4 a4 06 6d 83 82 1a 0f 0a ea a8 62
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-02).
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
## 2011-02-27 15:34:06 : 80 00 00 00
## 2011-02-27 15:34:06 : IKE<62.143.130.124> receive unknown vendor ID payload
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : f1 4b 94 b7 bf f1 fe f0 27 73 b8 c4 9f ed ed 26
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 16 6f 93 2d 55 eb 64 d8 e4 df 4f d3 7e 23 13 f0
## 2011-02-27 15:34:06 : d0 fd 84 51
## 2011-02-27 15:34:06 : IKE<62.143.130.124> receive unknown vendor ID payload
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 84 04 ad f9 cd a0 57 60 b2 ca 29 2e 4b ff 53 7b
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Vendor ID:
## 2011-02-27 15:34:06 : 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID payload.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [SA]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(256)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(256)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(192)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(192)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(2), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(5)<3DES>, hash(1), group(2)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(2), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1 proposal [3] selected.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> SA Life Type = seconds
## 2011-02-27 15:34:06 : IKE<62.143.130.124> SA lifetime (TLV) = 86400
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > dh group 2
## 2011-02-27 15:34:06 : IKE<62.143.130.124> DH_BG_consume OK. p1 resp
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [KE]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing ISA_KE in phase 1.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [NONCE]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing NONCE in phase 1.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [ID]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID received: type=ID_FQDN, FQDN = client.jersa.de, port=0, protocol=0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> process_id need to update peer entry, cur .
## 2011-02-27 15:34:06 : locate peer entry for (2/client.jersa.de), by identity.
## 2011-02-27 15:34:06 : Found identity in group <1> user id <1>.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Dynamic peer IP addr, search peer by identity.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> peer gateway entry has no peer id configured
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID processed. return 0. sa->p1_state = 0.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1 AG Responder constructing 2nd message.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload #1)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [SA] for ISAKMP
## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1), encr(7), hash(1), group(2), keylen(128)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: disabled
## 2011-02-27 15:34:06 : IKE<62.143.130.124> lifetime/lifesize (86400/0)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct NetScreen [VID]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct custom [VID]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct custom [VID]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct custom [VID]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [KE] for ISAKMP
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [NONCE]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> gen_skeyid()
## 2011-02-27 15:34:06 : IKE<62.143.130.124> gen_skeyid: returning 0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [ID] for ISAKMP
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Use vpngw.jersa.de as IKE p1 ID.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Use vpngw.jersa.de as IKE p1 ID.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID, len=18, type=2, pro=17, port=500,
## 2011-02-27 15:34:06 : IKE<62.143.130.124>
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct NAT-T [VID]: draft 2
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder psk ag mode: natt vid constructed.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> responder (psk) constructing remote NAT-D
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [NATD]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> responder (psk) constructing local NAT-D
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [NATD]
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit : [SA] [VID] [VID] [VID] [VID] [KE] [NONCE] [ID] [HASH]
## 2011-02-27 15:34:06 : [VID] [NATD] [NATD]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP 62.143.130.124/port 500
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 1 packet (len=446)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<5/91180f>
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 124, action 0
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 108, action 0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 96 bytes from socket.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ******
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 96 bytes. src port 4500
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 92, nxp 8[HASH], exch 4[AG], flag 01 E
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 64)
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [NATD] [NATD]
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > extract payload (64):
## 2011-02-27 15:34:06 : IKE<62.143.130.124> AG in state OAK_AG_INIT_EXCH.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [NATD]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [NATD]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [HASH]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID, len=19, type=2, pro=0, port=0,
## 2011-02-27 15:34:06 : IKE<62.143.130.124>
## 2011-02-27 15:34:06 : IKE<62.143.130.124> completing Phase 1
## 2011-02-27 15:34:06 : IKE<62.143.130.124> sa_pidt = 622a4c0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> adjusting phase 1 hash
## 2011-02-27 15:34:06 : IKE<62.143.130.124> found existing peer identity 0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1: Completed for ip <62.143.130.124>, user
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1: Completed Aggressive mode negotiation with a <28800>-second lifetime.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth is started: server, p1responder, aggr mode.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> start_xauth()
## 2011-02-27 15:34:06 : IKE<62.143.130.124> start_xauth(): as:0 ac:-1 enable:1
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: accounting server id 0 (use auth server as acct server).
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: xauthstatus 20.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16520, val 0 added, len 0.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16521, val empty string, type <16521> added, len 0.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16522, val empty string, type <16522> added, len 0.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry...
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new 22199719)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload #8)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH]
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 20, type 1, identifier 61307.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > basic attr type 16520, valint 0
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 16521, vallen 0, valstr empty string, type <16521>
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 16522, vallen 0, valstr empty string, type <16522>
## 2011-02-27 15:34:06 : IKE<0.0.0.0 >
## 2011-02-27 15:34:06 : IKE<62.143.130.124> construct QM HASH
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit*: [HASH] [IKECFG]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Encrypt P2 payload (len 68)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP 62.143.130.124/port 4500
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 2 packet (len=76)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg packet sent. msgid 22199719, len: 68, peer<62.143.130.124>
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state machine: 20
## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f>
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 80 bytes from socket.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ******
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 80 bytes. src port 4500
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 76, nxp 8[HASH], exch 5[INFO], flag 01 E
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry...
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new b90d3f73)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 48)
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [NOTIF]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Need to pass XAUTH first. Silently Discard packet.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Delete conn entry...
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...found conn entry(b90d3f73)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f>
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 124, action 0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 96 bytes from socket.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ******
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 96 bytes. src port 4500
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 92, nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 64)
## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [IKECFG]
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [IKECFG]:
## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing IKECFG payload. msgid 22199719, msgtype 2, payload ID 61307
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 36, type 2, identifier 61307.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > basic attr type 16520, valint 0
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 16521, vallen 8, valstr thorste
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 16522, vallen 8, valstr thorste
## 2011-02-27 15:34:06 : IKE<0.0.0.0 >
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16520, val 0 added, len 0.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16521, val thorste added, len 8.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16522, val thorste added, len 8.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server got type: 16520 v<0>
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server got var type: 16521
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server got var type: 16522
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server entering state machine: 20
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: accounting server id 0 (use auth server as acct server).
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: xauthstatus 20.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_auth_pap: authing locally: uname thorsten, passwd *** SUCCESS
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Get config for client(local auth)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_assign_client_cfg(): Sa->ip_addr = 0x0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> getting xauth local user remote setting
## 2011-02-27 15:34:06 : IKE<62.143.130.124> getting xauth local user IP from pool
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Don't do xauth RADIUS accounting. Send cfg to client directly.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_send_client_cfg: ip 10.1.2.1, v4mask 255.255.255.255 dns1 10.1.1.1, dns2 0.0.0.0, win1 0.0.0.0, win2 0.0.0.0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_send_client_cfg v6: id ::, prefix ::/0
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_send_client_cfg v6: dns1 ::, dns2 ::, win1 ::, win2 ::
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 1, val 10.1.2.1 added, len 4.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 2, val 255.255.255.255 added, len 4.
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 3, val 10.1.1.1 added, len 4.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry...
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new 85594f12)
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header.
## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload #8) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH] ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload: ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 32, type 3, identifier 61307. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 1, vallen 4, valstr 10.1.2.1 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 2, vallen 4, valstr 255.255.255.255 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 3, vallen 4, valstr 10.1.1.1 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ## 2011-02-27 15:34:06 : IKE<62.143.130.124> construct QM HASH ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit*: [HASH] [IKECFG] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Encrypt P2 payload (len 80) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP 62.143.130.124/port 4500 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 2 packet (len=92) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg packet sent. msgid 85594f12, len: 80, peer<62.143.130.124> ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state machine: 90 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f> ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 92, action 0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 64 bytes from socket. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ****** ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 64 bytes. 
src port 4500 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 60, nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 32) ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [IKECFG] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [IKECFG]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing IKECFG payload. msgid 85594f12, msgtype 4, payload ID 61307 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload: ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 12, type 4, identifier 61307. ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 3, vallen 0, valstr 64.137.0.8 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 3, val 0.0.0.0 added, len 0. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server entering state machine: 90 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: accounting server id 0 (use auth server as acct server). ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server: xauthstatus 90. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state machine: -1 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ikecfg list add attr type 16527, val 0 added, len 0. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry... ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new e5ce2681) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload #8) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH] ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > print ikecfg attribute payload: ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 12, type 3, identifier 61307. 
## 2011-02-27 15:34:06 : IKE<0.0.0.0 > basic attr type 16527, valint 0 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ## 2011-02-27 15:34:06 : IKE<62.143.130.124> construct QM HASH ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit*: [HASH] [IKECFG] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Encrypt P2 payload (len 60) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP 62.143.130.124/port 4500 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 2 packet (len=76) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg packet sent. msgid e5ce2681, len: 60, peer<62.143.130.124> ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_failed() ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth login FAILED. gw , username , retry: 0, timeout: 1 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_cleanup() ## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE Xauth: release prefix route, ret=<-2>. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> XAUTH-failed: clear p2sa for p1sa(0x22b2268). ## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f> ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > from FLOAT port. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 108, action 0 ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 80 bytes from socket. ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if of vsys ****** ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 80 bytes. src port 4500 ## 2011-02-27 15:34:06 : IKE<0.0.0.0 > ISAKMP msg: len 76, nxp 8[HASH], exch 5[INFO], flag 01 E ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry... 
## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...done(new 96990a95) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 48) ## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [DELETE] ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [DELETE]: ## 2011-02-27 15:34:06 : IKE<62.143.130.124> DELETE payload received, deleting Phase-1 SA ## 2011-02-27 15:34:06 : IKE<62.143.130.124> Delete conn entry... ## 2011-02-27 15:34:06 : IKE<62.143.130.124> ...found conn entry(96990a95) ## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE state<6/1097182f> ## 2011-02-27 15:34:07 : IKE<0.0.0.0 > dh group 2 ## 2011-02-27 15:34:08 : reap_db. deleting p1sa 22b2268 ## 2011-02-27 15:34:08 : terminate_SA: trying to delete SA cause: 0 cond: 2 ## 2011-02-27 15:34:08 : IKE<62.143.130.124> Delete conn entry... ## 2011-02-27 15:34:08 : IKE<62.143.130.124> ...found conn entry(e5ce2681) ## 2011-02-27 15:34:08 : IKE<62.143.130.124> Delete conn entry... ## 2011-02-27 15:34:08 : IKE<62.143.130.124> ...found conn entry(85594f12) ## 2011-02-27 15:34:08 : IKE<62.143.130.124> Delete conn entry... ## 2011-02-27 15:34:08 : IKE<62.143.130.124> ...found conn entry(22199719) ## 2011-02-27 15:34:08 : IKE<62.143.130.124> xauth_cleanup() ## 2011-02-27 15:34:08 : IKE<62.143.130.124> Done cleaning up IKE Phase 1 SA ## 2011-02-27 15:34:08 : peer_identity_unregister_p1_sa. ## 2011-02-27 15:34:08 : IKE<0.0.0.0 > delete peer identity 0x622a4c0 ## 2011-02-27 15:34:08 : IKE<0.0.0.0 > peer_identity_remove_from_peer: num entry before remove <2> ## 2011-02-27 15:34:08 : peer_idt.c peer_identity_unregister_p1_sa 682: pidt deleted. === I think "xauth login FAILED. gw , username , retry: 0, timeout: 1" is the relevant message. Timestamps don't match because I took the debugs at different points of time. 
Configuration of Juniper is
===
unset key protection enable
set clock ntp
set clock timezone 1
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "Videoserver TCP 9999" protocol tcp src-port 0-65535 dst-port 9999-9999
set service "pcanywhere" protocol tcp src-port 0-65535 dst-port 5631-5631
set service "pcanywhere" + udp src-port 0-65535 dst-port 5632-5632
set service "POP3s" protocol tcp src-port 0-65535 dst-port 995-995
set service "SMTPs" protocol tcp src-port 0-65535 dst-port 465-465
set alg appleichat enable
unset alg appleichat re-assembly enable
unset alg p2p enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "untrust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "vpn"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
unset zone "VLAN" tcp-rst
unset zone "vpn" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet2 ip 10.99.99.1/24
set interface ethernet2 nat
set interface ethernet3 ip 222.61.123.22/30
set interface ethernet3 route
unset interface vlan1 ip
set interface ethernet1 proxy dns
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
unset interface ethernet2 ip manageable
set interface ethernet3 ip manageable
unset interface ethernet1 manage telnet
unset interface ethernet1 manage snmp
set interface ethernet3 manage ssh
set interface ethernet3 manage ssl
set interface ethernet3 vip interface-ip 9999 "HTTP" 10.99.99.99
unset interface ethernet1 dhcp server config next-server-ip
unset interface ethernet1 dhcp server config updatable
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set hostname nsjs
set dbuf usb filesize 0
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns3 0.0.0.0
set dns host name ns-5gt-205 10.1.1.1
set dns proxy
set dns proxy enable
set dns server-select domain * outgoing-interface ethernet3 primary-server 212.202.215.1 secondary-server 212.202.215.2 tertiary-server 194.8.194.60
set address "Trust" "10.1.1.0/24" 10.1.1.0 255.255.255.0
set address "DMZ" "10.255.255.0/24" 10.255.255.0 255.255.255.0
set address "DMZ" "10.99.99.0/24" 10.99.99.0 255.255.255.0
set ippool "vpnclient" 10.1.2.1 10.1.2.10
set user "thorsten" uid 2
set user "thorsten" type xauth
set user "thorsten" remote ippool "vpnclient"
set user "thorsten" password "***"
unset user "thorsten" type auth
set user "thorsten" "enable"
set user "vpnclient_ph1id" uid 1
set user "vpnclient_ph1id" ike-id fqdn "client.jersa.de" share-limit 2
set user "vpnclient_ph1id" type ike
set user "vpnclient_ph1id" "enable"
set user-group "vpnclient_group" id 1
set user-group "vpnclient_group" user "vpnclient_ph1id"
set crypto-policy
exit
set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Aggr local-id "vpngw.jersa.de" outgoing-interface "ethernet3" preshare "***" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
set ike gateway "vpnclient_gateway" dpd-liveness interval 30
unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 20
set ike gateway "vpnclient_gateway" xauth server "Local"
unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "vpnclient"
set xauth default dns1 10.1.1.1
set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-md5" "nopfs-esp-aes128-sha" "nopfs-esp-aes128-md5"
set vpn "vpnclient_tunnel" monitor
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 11 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 11 disable
set policy id 11
exit
set policy id 1 from "Trust" to "Untrust" "10.1.1.0/24" "Any" "DNS" permit log
set policy id 1
set service "FTP"
set service "HTTP"
set service "HTTPS"
set service "NTP"
set service "pcanywhere"
set service "PING"
set service "POP3"
set service "POP3s"
set service "SMTP"
set service "SMTPs"
set service "TRACEROUTE"
set service "Videoserver TCP 9999"
exit
set policy id 4 from "Trust" to "Untrust" "Any" "Any" "UDP-ANY" deny log
set policy id 4
exit
set policy id 12 from "Untrust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 12 disable
set policy id 12
exit
set policy id 2 from "Untrust" to "DMZ" "Any" "VIP(ethernet3)" "HTTP" permit log
set policy id 2
set service "HTTPS"
set service "Videoserver TCP 9999"
exit
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" deny log
set policy id 3
exit
set policy id 5 from "Untrust" to "DMZ" "Any" "Any" "ANY" deny log
set policy id 5
exit
set policy id 6 from "Trust" to "DMZ" "10.1.1.0/24" "10.99.99.0/24" "HTTP" permit log
set policy id 6
set service "HTTPS"
set service "PING"
exit
set policy id 7 from "Trust" to "DMZ" "Any" "Any" "ANY" deny log
set policy id 7
exit
set policy id 16 from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
set policy id 16 disable
set policy id 16
exit
set policy id 15 name "vpnclient_inbound" from "Untrust" to "Trust" "Dial-Up VPN" "10.1.1.0/24" "ANY" tunnel vpn "vpnclient_tunnel" id 0x2 log
set policy id 15
exit
set policy id 8 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log
set policy id 8
exit
set policy id 13 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 13 disable
set policy id 13
exit
set policy id 9 from "DMZ" to "Trust" "Any" "Any" "ANY" deny log
set policy id 9
exit
set policy id 14 from "DMZ" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 14 disable
set policy id 14
exit
set policy id 10 from "DMZ" to "Untrust" "Any" "Any" "ANY" deny log
set policy id 10
exit
set log cli enable
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set ssl port 23143
set ntp server "192.53.103.103"
set ntp server backup1 "192.53.103.104"
set ntp server backup2 "192.53.103.108"
set ntp interval 1440
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route 0.0.0.0/0 interface ethernet3 gateway *** permanent
set route 10.1.1.0/24 vrouter "trust-vr" preference 20 metric 1
set route 10.99.99.0/24 vrouter "trust-vr" preference 20 metric 1
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
===

Does anybody have an idea what's going wrong?

Many thanks in advance
Thorsten

From ben at bbarker.co.uk Mon Feb 28 16:07:48 2011
From: ben at bbarker.co.uk (Ben Barker)
Date: Mon, 28 Feb 2011 22:07:48 +0000
Subject: [vpn-help] VPN up, but no traffic to any destination
Message-ID:

Hello,

I am running shrewsoft 2.1.7 on Ubuntu 10.1 x64.

All seems fine - I can open my VPN successfully according to the client. However, when it is open, I lose all connectivity to the internet and local LAN, but do not get any access to my remote network.

Before my VPN is up, I have my routing table as:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         O2wirelessbox.l 0.0.0.0         UG    0      0        0 eth0

After, I have:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
81.134.112.110  192.168.1.254   255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
*192.168.13.0   192.168.14.51   255.255.255.0   UG    0      0        0 tap0*
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0

Where the IP address allocated to my virtual adapter is on the 192.168.14.x subnet, and my destination is the 192.168.13.x subnet.

Any ideas what I am doing that is causing the VPN to apparently be brought up, but then causing no traffic at all to be routable?

Cheers,
Ben
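As an added example (not code from either poster), here is a small Python triage helper for the ScreenOS `debug ike` output in Thorsten's message above: it re-splits the run-together dump into entries and reduces it to the XAUTH state-machine codes, the IKECFG (ISAKMP config-mode) messages with their attribute names and the final verdict. The attribute and message-type numbers are the standard ISAKMP config-mode/XAUTH values, and the sample dump is an excerpt of the thread's log with the password attribute masked.

```python
"""Triage a Juniper ScreenOS ``debug ike`` dump for its XAUTH exchange.

Added example, not code from the thread. The archive runs the entries
(``## <date> <time> : IKE<peer> message``) together on one line; this re-splits
them and reduces the run to the XAUTH steps and ISAKMP config-mode messages."""
import re

ATTR_NAMES = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
              3: "INTERNAL_IP4_DNS", 16520: "XAUTH_TYPE", 16521: "XAUTH_USER_NAME",
              16522: "XAUTH_USER_PASSWORD", 16527: "XAUTH_STATUS"}
CFG_MSG_TYPES = {1: "REQUEST", 2: "REPLY", 3: "SET", 4: "ACK"}
ENTRY_RE = re.compile(r"## (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) : "
                      r"(?:IKE<([\d.]+)\s*>\s*)?(.*)")

def split_entries(blob: str) -> list:
    """Re-split on the ``## `` marker; peer is None for untagged lines (reap_db)."""
    out = []
    for chunk in re.split(r"(?=## \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} : )", blob):
        if m := ENTRY_RE.match(chunk.strip()):
            ts, peer, msg = m.groups()
            out.append({"ts": ts, "peer": peer, "msg": " ".join(msg.split())})
    return out

def xauth_summary(entries: list) -> dict:
    """XAUTH status codes in order, local PAP result, address pushed to the
    client, IKECFG messages (direction, type, attribute names), the XAUTH_STATUS
    value sent (0 = FAIL, 1 = OK) and the final login verdict."""
    s = {"status_sequence": [], "pap_result": None, "assigned_ip": None,
         "cfg_messages": [], "xauth_status_sent": None, "result": None}
    direction = "send"  # "recv" once a 'processing IKECFG payload' line is seen
    for e in entries:
        msg = e["msg"]
        if m := re.match(r"xauth status updated by state machine: (-?\d+)", msg):
            s["status_sequence"].append(int(m.group(1)))
        elif m := re.match(r"xauth_auth_pap: .* (SUCCESS|FAIL\w*)$", msg):
            s["pap_result"] = m.group(1)
        elif m := re.match(r"ikecfg_send_client_cfg: ip ([\d.]+)", msg):
            s["assigned_ip"] = m.group(1)
        elif msg.startswith("processing IKECFG payload."):
            direction = "recv"
        elif m := re.match(r"next: \d+, payloadlength \d+, type (\d+),", msg):
            s["cfg_messages"].append({"dir": direction, "attrs": [],
                                      "type": CFG_MSG_TYPES.get(int(m.group(1)), "?")})
            direction = "send"
        elif (m := re.match(r"(?:basic|variable) attr type (\d+)", msg)) and s["cfg_messages"]:
            code = int(m.group(1))
            s["cfg_messages"][-1]["attrs"].append(ATTR_NAMES.get(code, str(code)))
            if code == 16527 and (v := re.search(r"valint (\d+)", msg)):
                s["xauth_status_sent"] = int(v.group(1))
        elif m := re.match(r"xauth login (\w+)", msg):
            s["result"] = m.group(1)
    return s

# Excerpt of the thread's debug output, joined on one line as the archive shows it; password value masked.
SAMPLE_DUMP = " ".join([
    "## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state machine: 20",
    "## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing IKECFG payload. msgid 22199719, msgtype 2, payload ID 61307",
    "## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 36, type 2, identifier 61307.",
    "## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 16521, vallen 8, valstr thorste",
    "## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 16522, vallen 8, valstr ***",
    "## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_auth_pap: authing locally: uname thorsten, passwd *** SUCCESS",
    "## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_send_client_cfg: ip 10.1.2.1, v4mask 255.255.255.255 dns1 10.1.1.1, dns2 0.0.0.0, win1 0.0.0.0, win2 0.0.0.0",
    "## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 32, type 3, identifier 61307.",
    "## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 1, vallen 4, valstr 10.1.2.1",
    "## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 3, vallen 4, valstr 10.1.1.1",
    "## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state machine: 90",
    "## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing IKECFG payload. msgid 85594f12, msgtype 4, payload ID 61307",
    "## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 12, type 4, identifier 61307.",
    "## 2011-02-27 15:34:06 : IKE<0.0.0.0 > variable attr type 3, vallen 0, valstr 64.137.0.8",
    "## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state machine: -1",
    "## 2011-02-27 15:34:06 : IKE<0.0.0.0 > next: 0, payloadlength 12, type 3, identifier 61307.",
    "## 2011-02-27 15:34:06 : IKE<0.0.0.0 > basic attr type 16527, valint 0",
    "## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth login FAILED. gw , username , retry: 0, timeout: 1",
    "## 2011-02-27 15:34:08 : reap_db. deleting p1sa 22b2268",
])
```

Running `xauth_summary(split_entries(SAMPLE_DUMP))` on the excerpt yields the status sequence 20, 90, -1 with a local PAP SUCCESS, the SET carrying the pool address, the client's ACK, and then a SET with XAUTH_STATUS 0 before "xauth login FAILED".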