From matthias.paust at seetec.de Thu Feb 2 08:17:54 2012
From: matthias.paust at seetec.de (Matthias Paust)
Date: Thu, 2 Feb 2012 14:17:54 +0000
Subject: [vpn-help] (no subject)
Message-ID: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE>

Problem:

The VPN client is connected to my gateway (tunnel enabled) but no access to the remote network is possible. We are using FortiGate 80c (fw v4.0,build0511,120110 (MR3 Patch 4)) and ShrewSoft VPN Client 2.1.7 for Windows.

The problems occurred after updating the firewall to the new version. With fw version v4.0,build0328,110718 (MR2 Patch 8) there was no problem.

Attached debug logs.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: shrewsoft_log.zip
Type: application/x-zip-compressed
Size: 9415 bytes
Desc: shrewsoft_log.zip
URL:

From kvpn at live.com Thu Feb 2 20:53:54 2012
From: kvpn at live.com (Kevin VPN)
Date: Thu, 2 Feb 2012 21:53:54 -0500
Subject: [vpn-help] Cannot access VPN resources
In-Reply-To: <4F2A9228.8020706@gmail.com>
References: <4F2A9228.8020706@gmail.com>
Message-ID:

On 02/02/2012 08:39 AM, Daniele at Gmail wrote:
> Hi Kevin,
> I resolved my problem by these steps:
>
> * uninstall VPN client (last installed: version 2.2.0)
> * drop all connections files
> * reinstall VPN client (2.1.7)
> * import my VPN configuration from Cisco pcf file
>
> Now the VPN works.
> Thank you.
> Daniele
>
> On 27/01/2012 04:47, Kevin VPN wrote:
>> On 01/26/2012 08:38 AM, Daniele Comand wrote:
>>> Phase 1 appears to connect and I get the 'Tunnel enabled' message,
>>> however,
>>> I cannot ping or access any remote IP addresses.
>>> I tried both the client versions 2.1.7 and 2.2.0, with almost identical
>>> results.
>>> From another Windows XP machine with a Cisco client I can connect.
>>> In the IKED.log debug file I find this message:
>>> "12/01/25 20:07:08!: Peer violates RFC number transform mismatch (1!
>>> = 14)"
>>> Can you help me to get the VPN works?
>>>
>>> VPN Client Version = 2.1.7 and 2.2.0
>>> Windows OS Version = Windows 7 64-bit
>>> Gateway Make/Model = CISCO PIX
>>> Gateway OS Version = unknown
>>>
>>
>> Hi Daniele,
>>
>> The problem is that the Phase2 negotiation is failing. According to
>> the iked.log you provided, Phase1, XAuth and client configuration
>> succeed, but Phase2 fails.
>>
>> You'll need to contact the VPN gateway administrator to find out why
>> Phase2 is failing. It is probably because some of the settings in the
>> Shrew client do not match what the Cisco requires.
>>
>> iked.log:
>>
>> 12/01/25 20:07:08 ii : phase1 sa established
>> ...
>> 12/01/25 20:07:08 ii : received basic xauth request -
>> 12/01/25 20:07:08 ii : - standard xauth username
>> 12/01/25 20:07:08 ii : - standard xauth password
>> 12/01/25 20:07:08 ii : sending xauth response for comand
>> 12/01/25 20:07:08 ii : received xauth result -
>> 12/01/25 20:07:08 ii : user comand authentication succeeded
>> ...
>> 12/01/25 20:07:08 ii : sending config pull request
>> 12/01/25 20:07:08 ii : processing config packet ( 76 bytes )
>> 12/01/25 20:07:08 DB : config found
>> 12/01/25 20:07:08 ii : received config pull response
>> 12/01/25 20:07:08 ii : - IP4 Address = 192.168.61.6
>> ...
>> 12/01/25 20:07:24 -> : resend 1 phase2 packet(s) [2/2]
>> 10.168.89.206:500 -> ??.???.???.?:500
>> 12/01/25 20:07:27 -> : resend 1 phase2 packet(s) [2/2]
>> 10.168.89.206:500 -> ??.???.???.?:500
>> 12/01/25 20:07:29 ii : resend limit exceeded for phase2 exchange
>> 12/01/25 20:07:29 ii : phase2 removal before expire time
>> 12/01/25 20:07:29 DB : phase2 deleted ( obj count = 1 )
>>

Great Daniele, thanks for reporting back!

I've copied the list so that others who are having problems with PCF-related configurations can see what you did.

By "dropped all connection files" I assume you mean that you went into the "Documents/Shrew Soft VPN/sites" directory and deleted the configuration files that were in there.
Doing that would prevent Shrew from automatically importing them when you installed the client again, which would allow you to import the PCF file again.

From kvpn at live.com Thu Feb 2 21:09:54 2012
From: kvpn at live.com (Kevin VPN)
Date: Thu, 2 Feb 2012 22:09:54 -0500
Subject: [vpn-help] (no subject)
In-Reply-To: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE>
References: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE>
Message-ID:

On 02/02/2012 09:17 AM, Matthias Paust wrote:
> Problem:
>
> The VPN client is connected to my gateway (tunnel enabled) but no
> access to the remote network is possible. We are using FortiGate 80c
> (fw v4.0,build0511,120110 (MR3 Patch 4)) and ShrewSoft VPN Client
> 2.1.7 for Windows.
>
> The problems occurred after updating the firewall to the new version.
> With fw version v4.0,build0328,110718 (MR2 Patch 8) there was no
> problem.
>
> Attached debug logs.
>

Hi Matthias,

In general, everything looks good. Phase1 & Phase2 negotiations, and DHCP over IPSec configuration completes:

12/02/02 12:06:36 ii : phase1 sa established
12/02/02 12:06:36 ii : phase2 sa established
12/02/02 12:06:40 ii : reading DHCP reply options
12/02/02 12:06:40 ii : - message type = ack ( 192.168.123.53 )

From the looks of the policies, the VPN clients get an IP in the 192.168.0.0/16 private range and your internal network is in the 10.0.0.0/8 range. This means there is no overlap between the VPN clients and private hosts, which is good.

However, this is received about 1.5 minutes after the connection is established, then Shrew tears the connection down.

12/02/02 12:08:25 !! : message type is invalid ( 0 )

I would look at the Fortigate logs to see if it decided to kill the connection for some reason.
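
Added example (not part of any list message, and not Shrew Soft code): the iked.log reading Kevin applies in the two replies above, automated so a trace can be triaged for the last stage reached and the first failure. The function name `triage`, the milestone table and both sample excerpts are assumptions assembled from the log lines quoted in this thread.

```python
import re
from datetime import datetime

# One iked.log entry: "YY/MM/DD HH:MM:SS <2-char tag> : <message>"
ENTRY = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S\S) : (.*)$")

# Milestones named in the replies above. "config" covers both a mode-config
# pull response and a DHCP-over-IPsec ack (assumption: either one means the
# client received its addressing).
MILESTONES = [
    ("phase1", re.compile(r"phase1 sa established")),
    ("xauth", re.compile(r"user .*authentication succeeded")),
    ("config", re.compile(r"received config pull response|message type = ack")),
    ("phase2", re.compile(r"phase2 sa established")),
]
RESEND_LIMIT = re.compile(r"resend limit exceeded for (\w+) exchange")

# Constructed samples: built from the excerpts quoted in this thread,
# including the "..." elisions and one wrapped continuation line.
DANIELE_EXCERPT = """\
12/01/25 20:07:08 ii : phase1 sa established
...
12/01/25 20:07:08 ii : received xauth result -
12/01/25 20:07:08 ii : user comand authentication succeeded
...
12/01/25 20:07:08 ii : sending config pull request
12/01/25 20:07:08 ii : received config pull response
...
12/01/25 20:07:24 -> : resend 1 phase2 packet(s) [2/2]
10.168.89.206:500 -> ??.???.???.?:500
12/01/25 20:07:29 ii : resend limit exceeded for phase2 exchange
12/01/25 20:07:29 ii : phase2 removal before expire time
"""

FORTIGATE_EXCERPT = """\
12/02/02 12:06:36 ii : phase1 sa established
12/02/02 12:06:36 ii : phase2 sa established
12/02/02 12:06:40 ii : reading DHCP reply options
12/02/02 12:06:40 ii : - message type = ack ( 192.168.123.53 )
12/02/02 12:08:25 !! : message type is invalid ( 0 )
"""


def triage(log_text):
    """Return the milestones reached (in order) and the first failure event.

    A failure is either a "resend limit exceeded" notice, which names the
    exchange the peer stopped answering, or any entry logged with the
    "!!" error tag.
    """
    reached, failure, t_phase1 = [], None, None
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # elided ("...") or wrapped continuation lines
        when = datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S")
        tag, msg = m.group(2), m.group(3).strip()
        for name, pattern in MILESTONES:
            if name not in reached and pattern.search(msg):
                reached.append(name)
                if name == "phase1":
                    t_phase1 = when
        resend = RESEND_LIMIT.search(msg)
        if failure is None and (resend or tag == "!!"):
            failure = {
                "exchange": resend.group(1) if resend else None,
                "after": reached[-1] if reached else None,
                "message": msg,
                "seconds_after_phase1": (
                    int((when - t_phase1).total_seconds()) if t_phase1 else None
                ),
            }
    return {"reached": reached, "failure": failure}


if __name__ == "__main__":
    for label, text in (("PIX", DANIELE_EXCERPT), ("FortiGate", FORTIGATE_EXCERPT)):
        print(label, triage(text))
```

A "tunnel enabled" status only reflects the early milestones; a session that never logs `phase2 sa established`, or logs a `!!` entry afterwards, is the case to take to the gateway's own logs.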

From l.modenese at gmail.com Sat Feb 4 07:23:10 2012
From: l.modenese at gmail.com (Loris Modenese)
Date: Sat, 04 Feb 2012 14:23:10 +0100
Subject: [vpn-help] Juniper SRX210 NAT-T problems
In-Reply-To:
References:
Message-ID: <4f2d2fda.d0770e0a.0162.ffff97f5@mx.google.com>

Hi Kevin,

I can confirm what Gergely said. The problem is related to the NAT-T and DPD code in both the 2.1.7 and 2.2.0 versions. With NAT-T disabled or with a dial-up connection (public IP address) the link is stable.

I've also noticed that no matter how the client is configured (with or w/o DPD and different timeouts) it keeps on sending DPD every 30 sec when the NAT-T option is enabled, for 10 times, then it always disconnects (about 5-5.5 min).

I tested the config with 4 SRX-240H, 1 SRX-210H and 3 SRX-100 running JunOS 10.4 with the same results.

Here is my working config for JunOS 10.4 (NAT-T disabled):

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:300
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:0
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:12.34.56.78
s:client-auto-mode:push
s:client-iface:virtual
s:network-natt-mode:disable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:any
s:ident-client-data:vpnclient.domain.local
b:auth-mutual-psk:xxxxxxxxxxxxxxxxx
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-3des
s:phase2-hmac:md5
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:auto
s:policy-list-include:192.168.78.0 / 255.255.255.0
s:client-saved-username:

Best regards
Loris Modenese

> On 07/05/2011
05:06 AM, Gergely Kiss wrote:
>> Dear List!
>>
>> I'm having problems while connecting to a Juniper SRX210 firewall
>> running JunOS 11.1R1.10. I'm using the latest stable Shrewsoft client
>> (2.1.7) on Windows 7 (but the issue happens on Windows XP, too).
>>
>> If I try to connect from a device with a public IP-address, like a
>> mobile broadband connection (without using NAT-T), everything works
>> perfectly, but if I connect through a NAT device (Linksys WRT54GS), the
>> connection works only for 6-7 minutes and then it terminates with no
>> particular reason (the error message is: "session terminated by gateway").
>>
> ...
>
>> I already tried debugging both ends, but I found nothing helpful in the
>> logs (except some "config packet ignored" messages on the client). I
>> already tried upgrading to the latest beta release (2.2.0-beta-1), but
>> the issues still exists.
>>
> Hi Gergely,
>
> It might be that the Dead Peer Detection is somehow failing... that
> usually is 5 minutes or so. When you did the debug trace, did you see
> DPD messages (DPDV1-R-U-THERE) going back and forth?
>
> You could try disabling Dead Peer Detection in the Shrew site
> configuration...
>

From mh at morxy.co.uk Thu Feb 2 11:22:09 2012
From: mh at morxy.co.uk (mh at morxy.co.uk)
Date: Thu, 02 Feb 2012 17:22:09 +0000
Subject: [vpn-help] ikea startup: Session Management error
Message-ID: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>

I'm running Ubuntu 11.10 and installed Shrew VPN Client 2.1.7 using Ubuntu's package manager (ike-qtgui 2.1.7+dfsg-1build1).

$ iked
ii : created ike socket 0.0.0.0:500
ii : created natt socket 0.0.0.0:4500
## : IKE Daemon, ver 2.1.7
## : Copyright 2010 Shrew Soft Inc.
## : This product linked OpenSSL 1.0.0e 6 Sep 2011

$ ikea &
Session management error: None of the authentication protocols specified are supported

Can anyone explain this error? I've tried googling and can't find any definitive solution or cause.
I can't use the ikea access manager to connect to any remote VPN server, probably as a result of this. (Meanwhile, the same VPN server works perfectly on my Windows XP laptop with the same Shrew client.)

From stefan.bauer at cubewerk.de Sun Feb 5 05:21:03 2012
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Sun, 5 Feb 2012 12:21:03 +0100
Subject: [vpn-help] ikea startup: Session Management error
In-Reply-To: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>
References: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>
Message-ID:

-----Original Message-----
From: mh at morxy.co.uk
Sent: Sat 04.02.2012 15:33
Subject: [vpn-help] ikea startup: Session Management error
To: vpn-help at lists.shrew.net;
> I'm running Ubuntu 11.10 and installed Shrew VPN Client 2.1.7 using
> Ubuntu's package manager (ike-qtgui 2.1.7+dfsg-1build1).
>
> $ iked
> ii : created ike socket 0.0.0.0:500
> ii : created natt socket 0.0.0.0:4500
> ## : IKE Daemon, ver 2.1.7
> ## : Copyright 2010 Shrew Soft Inc.
> ## : This product linked OpenSSL 1.0.0e 6 Sep 2011
>
> $ ikea &
> Session management error: None of the authentication protocols
> specified are supported

Well either you specified an auth protocol that your local system is not supporting or the remote server.

Stefan

From stephen.more at gmail.com Mon Feb 6 10:47:45 2012
From: stephen.more at gmail.com (Stephen More)
Date: Mon, 6 Feb 2012 11:47:45 -0500
Subject: [vpn-help] Status of Shrew and Juniper SRX
Message-ID:

Currently there are no Configuration Guides for Juniper SRX.

I have seen sample configs like:
http://forums.juniper.net/t5/SRX-Services-Gateway/Can-SRX-series-work-with-Shrew-Soft-VPN-client/m-p/76176/highlight/true#M9010

But I am unable to get past phase 1. Does anyone know the current status?
-Thanks

From mpaci1 at gmail.com Mon Feb 6 23:55:58 2012
From: mpaci1 at gmail.com (Mike Pacifico)
Date: Mon, 6 Feb 2012 21:55:58 -0800
Subject: [vpn-help] No packets going through Watchguard
Message-ID:

Hello,

Just installed a watchguard XTM 510 4.2.1. Exported the .vpn, imported the config file into the VPN client. According to the watchguard, I am authenticated as a client, or am I? No packets are being moved. I apologize in advance if I'm overlooking the obvious, but it's been a very long day.

The following is the VPN trace:

12/02/06 21:37:52 ## : IKE Daemon, ver 2.1.7
12/02/06 21:37:52 ## : Copyright 2010 Shrew Soft Inc.
12/02/06 21:37:52 ## : This product linked OpenSSL 0.9.8h 28 May 2008
12/02/06 21:37:52 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
12/02/06 21:37:52 ii : rebuilding vnet device list ...
12/02/06 21:37:52 ii : device ROOT\VNET\0000 disabled
12/02/06 21:37:52 ii : network process thread begin ...
12/02/06 21:37:52 ii : pfkey process thread begin ...
12/02/06 21:37:52 ii : ipc server process thread begin ...
12/02/06 21:38:33 ii : ipc client process thread begin ...
encrypt iv ( 8 bytes ) 12/02/06 21:40:04 == : encrypt packet ( 84 bytes ) 12/02/06 21:40:04 == : stored iv ( 8 bytes ) 12/02/06 21:40:04 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:40:04 ii : DPD ARE-YOU-THERE sequence 25f03687 requested 12/02/06 21:40:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:04 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:40:04 DB : phase1 found 12/02/06 21:40:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:04 ii : processing informational packet ( 84 bytes ) 12/02/06 21:40:04 == : new informational iv ( 8 bytes ) 12/02/06 21:40:04 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:04 =< : message b1407db0 12/02/06 21:40:04 =< : decrypt iv ( 8 bytes ) 12/02/06 21:40:04 == : decrypt packet ( 84 bytes ) 12/02/06 21:40:04 <= : stored iv ( 8 bytes ) 12/02/06 21:40:04 << : hash payload 12/02/06 21:40:04 << : notification payload 12/02/06 21:40:04 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:40:04 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:40:04 ii : informational hash verified 12/02/06 21:40:04 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:40:04 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:40:04 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:04 ii : - data size 4 12/02/06 21:40:04 ii : DPD ARE-YOU-THERE-ACK sequence 25f03687 accepted 12/02/06 21:40:04 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:40:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:14 DB : phase1 found 12/02/06 21:40:14 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:14 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:40:14 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:19 DB : phase1 found 
12/02/06 21:40:19 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:19 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:40:19 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:40:19 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:19 ii : - data size 4 12/02/06 21:40:19 >> : hash payload 12/02/06 21:40:19 >> : notification payload 12/02/06 21:40:19 == : new informational hash ( 20 bytes ) 12/02/06 21:40:19 == : new informational iv ( 8 bytes ) 12/02/06 21:40:19 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:19 >= : message 211c1463 12/02/06 21:40:19 >= : encrypt iv ( 8 bytes ) 12/02/06 21:40:19 == : encrypt packet ( 84 bytes ) 12/02/06 21:40:19 == : stored iv ( 8 bytes ) 12/02/06 21:40:19 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:40:19 ii : DPD ARE-YOU-THERE sequence 25f03688 requested 12/02/06 21:40:19 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:19 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:40:19 DB : phase1 found 12/02/06 21:40:19 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:19 ii : processing informational packet ( 84 bytes ) 12/02/06 21:40:19 == : new informational iv ( 8 bytes ) 12/02/06 21:40:19 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:19 =< : message bcdd000f 12/02/06 21:40:19 =< : decrypt iv ( 8 bytes ) 12/02/06 21:40:19 == : decrypt packet ( 84 bytes ) 12/02/06 21:40:19 <= : stored iv ( 8 bytes ) 12/02/06 21:40:19 << : hash payload 12/02/06 21:40:19 << : notification payload 12/02/06 21:40:19 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:40:19 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:40:19 ii : informational hash verified 12/02/06 21:40:19 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:40:19 ii : -xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:40:19 ii 
: - isakmp spi = f88412956c4b60da:93e25c78b27cfdea
12/02/06 21:40:19 ii : - data size 4
12/02/06 21:40:19 ii : DPD ARE-YOU-THERE-ACK sequence 25f03688 accepted
12/02/06 21:40:19 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500
12/02/06 21:40:19 DB : phase1 ref decrement ( ref count = 3, obj count = 1 )

From olli.henttonen at datapro.fi Tue Feb 7 21:35:10 2012
From: olli.henttonen at datapro.fi (Olli Henttonen)
Date: Wed, 8 Feb 2012 03:35:10 +0000
Subject: [vpn-help] How to disable Windows 7 pre login?
Message-ID: <23F1D05DF13E7046A5BCD1EB0E35B0D901F862@DB3PRD0502MB100.eurprd05.prod.outlook.com>

How to disable Windows 7 pre login if not needed?

Btw. Thanks for this great software!

Regards,
OLLI

From jacques.eeses at wanadoo.fr Wed Feb 8 04:35:13 2012
From: jacques.eeses at wanadoo.fr (Jacques EESES)
Date: Wed, 8 Feb 2012 11:35:13 +0100
Subject: [vpn-help] Run shrew withiout graphic interface
Message-ID:

Good day

How do I run ikea without a graphic interface to establish a VPN connection between a Linux server and my router?

What Linux command do I use for that?

Thank you and excuse me for my bad English.
I am a French man.

Best regards

From stephen.more at gmail.com Wed Feb 8 05:23:21 2012
From: stephen.more at gmail.com (Stephen More)
Date: Wed, 8 Feb 2012 06:23:21 -0500
Subject: [vpn-help] Run shrew withiout graphic interface
In-Reply-To:
References:
Message-ID:

ikec

On Wed, Feb 8, 2012 at 5:35 AM, Jacques EESES wrote:
> Good day
>
> How do I run ikea without a graphic interface to establish a VPN connection
> between a Linux server and my router?
>
> What Linux command do I use for that?
>
> Thank you and excuse me for my bad English.
> I am a French man.
>
> Best regards
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
>

From jernej's-shrew at eternallybored.org Wed Feb 8 08:08:23 2012
From: jernej's-shrew at eternallybored.org (=?utf-8?Q?Jernej_Simon=C4=8Di=C4=8D?=)
Date: Wed, 8 Feb 2012 15:08:23 +0100
Subject: [vpn-help] How to disable Windows 7 pre login?
In-Reply-To: <23F1D05DF13E7046A5BCD1EB0E35B0D901F862@DB3PRD0502MB100.eurprd05.prod.outlook.com>
References: <23F1D05DF13E7046A5BCD1EB0E35B0D901F862@DB3PRD0502MB100.eurprd05.prod.outlook.com>
Message-ID: <1498845072.20120208150823@eternallybored.org>

On Wednesday, February 8, 2012, 4:35:10, Olli Henttonen wrote:

> How to disable windows 7 pre login if not needed?

Uninstall, then install again without the Credential provider component.

--
< Jernej Simončič ><><><><>< http://eternallybored.org/ >

Food that tastes the best has the highest number of calories.
-- Dieter's Law

From aroper at bcsvoicedata.com Wed Feb 8 09:42:24 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Wed, 8 Feb 2012 15:42:24 +0000
Subject: [vpn-help] Run shrew withiout graphic interface
In-Reply-To:
References:
Message-ID: <20B2861F76CB724690F1809A616849052AAC8098@CORPSERV.bcsvds.local>

Jacques,

You would not use Shrew in this instance. You would just set up a standard IPSec VPN connection between the Linux server and the router. The procedures for this vary depending on the Linux distribution and the type of router.

Regards,
Andrew

From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Jacques EESES
Sent: Wednesday, February 08, 2012 5:35 AM
To: vpn-help at lists.shrew.net
Subject: [vpn-help] Run shrew withiout graphic interface

Good day

How do I run ikea without a graphic interface to establish a VPN connection between a Linux server and my router?

What Linux command do I use for that?

Thank you and excuse me for my bad English.
I am a French man.

Best regards

From jacques.eeses at wanadoo.fr Wed Feb 8 10:30:42 2012
From: jacques.eeses at wanadoo.fr (Jacques EESES)
Date: Wed, 8 Feb 2012 17:30:42 +0100
Subject: [vpn-help] How to disable Windows 7 pre login?
In-Reply-To: <1498845072.20120208150823@eternallybored.org>
References: <23F1D05DF13E7046A5BCD1EB0E35B0D901F862@DB3PRD0502MB100.eurprd05.prod.outlook.com> <1498845072.20120208150823@eternallybored.org>
Message-ID:

error it's no for me

jack

2012/2/8 Jernej Simončič

> On Wednesday, February 8, 2012, 4:35:10, Olli Henttonen wrote:
>
> > How to disable windows 7 pre login if not needed?
>
> Uninstall, then install again without the Credential provider
> component.
>
> --
> < Jernej Simončič ><><><><>< http://eternallybored.org/ >
>
> Food that tastes the best has the highest number of calories.
> -- Dieter's Law
>

From aroper at bcsvoicedata.com Wed Feb 8 09:40:40 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Wed, 8 Feb 2012 15:40:40 +0000
Subject: [vpn-help] No packets going through Watchguard
In-Reply-To:
References:
Message-ID: <20B2861F76CB724690F1809A616849052AAC807D@CORPSERV.bcsvds.local>

Mike,

It doesn't look like Phase 2 is being completed. Without Phase 2 negotiations completing you cannot build the tunnel. Check your Phase 2 proposals on the client and make sure they match with what the firewall is expecting.

Regards,
Andrew

From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Mike Pacifico
Sent: Tuesday, February 07, 2012 12:56 AM
To: vpn-help at lists.shrew.net
Subject: [vpn-help] No packets going through Watchguard

Hello,

Just installed a Watchguard XTM 510 4.2.1. Exported the .vpn, imported the config file into the VPN client. According to the Watchguard, I am authenticated as a client, or am I? No packets are being moved. I apologize in advance if I'm overlooking the obvious, but it's been a very long day.

The following is the VPN trace:

12/02/06 21:37:52 ## : IKE Daemon, ver 2.1.7
12/02/06 21:37:52 ## : Copyright 2010 Shrew Soft Inc.
12/02/06 21:37:52 ## : This product linked OpenSSL 0.9.8h 28 May 2008
12/02/06 21:37:52 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
12/02/06 21:37:52 ii : rebuilding vnet device list ...
12/02/06 21:37:52 ii : device ROOT\VNET\0000 disabled
12/02/06 21:37:52 ii : network process thread begin ...
12/02/06 21:37:52 ii : pfkey process thread begin ...
12/02/06 21:37:52 ii : ipc server process thread begin ...
12/02/06 21:38:33 ii : ipc client process thread begin ...
12/02/06 21:38:33 _VPN' message 12/02/06 21:38:33 <-> xx.xx.xx.xx:500 12/02/06 21:38:33 DB : f88412956c4b60da:0000000000000000 12/02/06 21:38:33 DB : phase1 ref increment ( ref count = 1, obj count = 0 ) 12/02/06 21:38:33 DB : phase1 added ( obj count = 1 ) 12/02/06 21:38:33 >> : security association payload 12/02/06 21:38:33 >> : - proposal #1 payload 12/02/06 21:38:33 >> : -- transform #1 payload 12/02/06 21:38:33 >> : key exchange payload 12/02/06 21:38:33 >> : nonce payload 12/02/06 21:38:33 >> : identification payload 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports XAUTH 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v00 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v01 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v02 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v03 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( rfc ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports DPDv1 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is SHREW SOFT compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is NETSCREEN compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is SIDEWINDER compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is CISCO UNITY compatible 12/02/06 21:38:33 >= : cookies f88412956c4b60da:0000000000000000 12/02/06 21:38:33 >= : message 00000000 12/02/06 21:38:33 -> : send IKE packet 192.168.1.6:500 -> xx.xx.xx.xx:500 ( 468 bytes ) 12/02/06 21:38:33 DB : phase1 resend event scheduled ( ref count = 2 ) 12/02/06 21:38:33 DB : phase1 ref decrement ( ref count = 1, obj count = 1 ) 12/02/06 21:38:33 DB : tunnel ref increment ( ref count = 3, obj count = 1 ) 12/02/06 
21:38:34 <- : recv IKE packet xx.xx.xx.xx:500 -> 192.168.1.6:500 ( 320 bytes ) 12/02/06 21:38:34 DB : phase1 found 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 2, obj count = 1 ) 12/02/06 21:38:34 ii : processing phase1 packet ( 320 bytes ) 12/02/06 21:38:34 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 =< : message 00000000 12/02/06 21:38:34 << : security association payload 12/02/06 21:38:34 << : - propsal #1 payload 12/02/06 21:38:34 << : -- transform #1 payload 12/02/06 21:38:34 ii : matched isakmp proposal #1 transform #1 12/02/06 21:38:34 ii : - transform = ike 12/02/06 21:38:34 ii : - cipher type = 3des 12/02/06 21:38:34 ii : - key length = default 12/02/06 21:38:34 ii : - hash type = sha1 12/02/06 21:38:34 ii : - dh group = modp-768 12/02/06 21:38:34 ii : - auth type = xauth-initiator-psk 12/02/06 21:38:34 ii : - life seconds = 86400 12/02/06 21:38:34 ii : - life kbytes = 0 12/02/06 21:38:34 << : key exchange payload 12/02/06 21:38:34 << : nonce payload 12/02/06 21:38:34 << : identification payload 12/02/06 21:38:34 ii : phase1 id target is any 12/02/06 21:38:34 ii : phase1 id match 12/02/06 21:38:34 ii : received = ipv4-host xx.xx.xx.xx 12/02/06 21:38:34 << : vendor id payload 12/02/06 21:38:34 ii : peer supports DPDv1 12/02/06 21:38:34 << : vendor id payload 12/02/06 21:38:34 ii : peer supports nat-t ( draft v02 ) 12/02/06 21:38:34 << : nat discovery payload 12/02/06 21:38:34 << : nat discovery payload 12/02/06 21:38:34 << : hash payload 12/02/06 21:38:34 ii : nat discovery - local address is translated 12/02/06 21:38:34 ii : switching to src nat-t udp port 4500 12/02/06 21:38:34 ii : switching to dst nat-t udp port 4500 12/02/06 21:38:34 == : DH shared secret ( 96 bytes ) 12/02/06 21:38:34 == : SETKEYID ( 20 bytes ) 12/02/06 21:38:34 == : SETKEYID_d ( 20 bytes ) 12/02/06 21:38:34 == : SETKEYID_a ( 20 bytes ) 12/02/06 21:38:34 == : SETKEYID_e ( 20 bytes ) 12/02/06 21:38:34 == : cipher key ( 40 bytes ) 12/02/06 21:38:34 == : 
cipher iv ( 8 bytes ) 12/02/06 21:38:34 == : phase1 hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:34 >> : hash payload 12/02/06 21:38:34 >> : nat discovery payload 12/02/06 21:38:34 >> : nat discovery payload 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message 00000000 12/02/06 21:38:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : encrypt packet ( 100 bytes ) 12/02/06 21:38:34 == : stored iv ( 8 bytes ) 12/02/06 21:38:34 DB : phase1 resend event canceled ( ref count = 1 ) 12/02/06 21:38:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx4500 ( 132 bytes ) 12/02/06 21:38:34 == : phase1 hash_r ( computed ) ( 20 bytes ) 12/02/06 21:38:34 == : phase1 hash_r ( received ) ( 20 bytes ) 12/02/06 21:38:34 ii : phase1 sa established 12/02/06 21:38:34 ii : xx.xx.xx.xx:4500 <-> 192.168.1.6:4500 12/02/06 21:38:34 ii : f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 ii : sending peer INITIAL-CONTACT notification 12/02/06 21:38:34 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:34 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 ii : - data size 0 12/02/06 21:38:34 >> : hash payload 12/02/06 21:38:34 >> : notification payload 12/02/06 21:38:34 == : new informational hash ( 20 bytes ) 12/02/06 21:38:34 == : new informational iv ( 8 bytes ) 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message f653a002 12/02/06 21:38:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : encrypt packet ( 80 bytes ) 12/02/06 21:38:34 == : stored iv ( 8 bytes ) 12/02/06 21:38:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 5, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 2, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 3, obj count = 1 ) 
12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 DB : phase2 not found 12/02/06 21:38:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:34 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 116 bytes ) 12/02/06 21:38:34 DB : phase1 found 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 ii : processing config packet ( 116 bytes ) 12/02/06 21:38:34 DB : config not found 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 6, obj count = 1 ) 12/02/06 21:38:34 DB : config ref increment ( ref count = 1, obj count = 0 ) 12/02/06 21:38:34 DB : config added ( obj count = 1 ) 12/02/06 21:38:34 == : new config iv ( 8 bytes ) 12/02/06 21:38:34 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 =< : message 84d14434 12/02/06 21:38:34 =< : decrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : decrypt packet ( 116 bytes ) 12/02/06 21:38:34 <= : trimmed packet padding ( 2 bytes ) 12/02/06 21:38:34 <= : stored iv ( 8 bytes ) 12/02/06 21:38:34 << : hash payload 12/02/06 21:38:34 << : attribute payload 12/02/06 21:38:34 == : configure hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:34 == : configure hash_c ( computed ) ( 20 bytes ) 12/02/06 21:38:34 ii : configure hash verified 12/02/06 21:38:34 ii : - xauth username 12/02/06 21:38:34 ii : - xauth password 12/02/06 21:38:34 ii : received basic xauth request - Please Enter Your User Name and Password : 12/02/06 21:38:34 ii : - standard xauth username 12/02/06 21:38:34 ii : - standard xauth password 12/02/06 21:38:34 ii : sending xauth response for 12/02/06 21:38:34 >> : hash payload 12/02/06 21:38:34 >> : attribute payload 12/02/06 21:38:34 == : new configure hash ( 20 bytes ) 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message 84d14434 12/02/06 21:38:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : encrypt packet ( 93 bytes ) 12/02/06 
21:38:34 == : stored iv ( 8 bytes ) 12/02/06 21:38:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 132 bytes ) 12/02/06 21:38:34 DB : config resend event scheduled ( ref count = 2 ) 12/02/06 21:38:34 DB : config ref decrement ( ref count = 1, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:35 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 100 bytes ) 12/02/06 21:38:35 DB : phase1 found 12/02/06 21:38:35 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:35 ii : processing config packet ( 100 bytes ) 12/02/06 21:38:35 DB : config found 12/02/06 21:38:35 DB : config ref increment ( ref count = 2, obj count = 1 ) 12/02/06 21:38:35 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:35 =< : message 84d14434 12/02/06 21:38:35 =< : decrypt iv ( 8 bytes ) 12/02/06 21:38:35 == : decrypt packet ( 100 bytes ) 12/02/06 21:38:35 <= : trimmed packet padding ( 4 bytes ) 12/02/06 21:38:35 <= : stored iv ( 8 bytes ) 12/02/06 21:38:35 << : hash payload 12/02/06 21:38:35 << : attribute payload 12/02/06 21:38:35 == : configure hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:35 == : configure hash_c ( computed ) ( 20 bytes ) 12/02/06 21:38:35 ii : configure hash verified 12/02/06 21:38:35 ii : received xauth result - 12/02/06 21:38:35 ii : user authentication succeeded 12/02/06 21:38:35 ii : sending xauth acknowledge 12/02/06 21:38:35 >> : hash payload 12/02/06 21:38:35 >> : attribute payload 12/02/06 21:38:35 == : new configure hash ( 20 bytes ) 12/02/06 21:38:35 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:35 >= : message 84d14434 12/02/06 21:38:35 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:35 == : encrypt packet ( 60 bytes ) 12/02/06 21:38:35 == : stored iv ( 8 bytes ) 12/02/06 21:38:35 DB : config resend event canceled ( ref count = 1 ) 12/02/06 21:38:35 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 92 bytes ) 
12/02/06 21:38:35 DB : config resend event scheduled ( ref count = 2 ) 12/02/06 21:38:35 ii : building config attribute list 12/02/06 21:38:35 ii : - IP4 Address 12/02/06 21:38:35 ii : - Address Expiry 12/02/06 21:38:35 ii : - IP4 Netamask 12/02/06 21:38:35 ii : - IP4 DNS Server 12/02/06 21:38:35 ii : - IP4 WINS Server 12/02/06 21:38:35 ii : - IP4 Subnet 12/02/06 21:38:35 == : new config iv ( 8 bytes ) 12/02/06 21:38:35 ii : sending config pull request 12/02/06 21:38:35 >> : hash payload 12/02/06 21:38:35 >> : attribute payload 12/02/06 21:38:35 == : new configure hash ( 20 bytes ) 12/02/06 21:38:35 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:35 >= : message 6a213b7c 12/02/06 21:38:35 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:35 == : encrypt packet ( 84 bytes ) 12/02/06 21:38:35 == : stored iv ( 8 bytes ) 12/02/06 21:38:35 DB : config resend event canceled ( ref count = 1 ) 12/02/06 21:38:35 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:38:35 DB : config resend event scheduled ( ref count = 2 ) 12/02/06 21:38:35 DB : config ref decrement ( ref count = 1, obj count = 1 ) 12/02/06 21:38:35 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:40 -> : resend 1 config packet(s) 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:45 -> : resend 1 config packet(s) 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:49 DB : phase1 found 12/02/06 21:38:49 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:49 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:38:49 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:49 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 ii : - data size 4 12/02/06 21:38:49 >> : hash payload 12/02/06 21:38:49 >> : notification payload 12/02/06 21:38:49 == : new informational hash ( 20 bytes ) 12/02/06 21:38:49 == : new informational iv ( 8 bytes ) 12/02/06 21:38:49 >= : cookies 
f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 >= : message 4fa00751 12/02/06 21:38:49 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:49 == : encrypt packet ( 84 bytes ) 12/02/06 21:38:49 == : stored iv ( 8 bytes ) 12/02/06 21:38:49 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:38:49 ii : DPD ARE-YOU-THERE sequence 25f03682 requested 12/02/06 21:38:49 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:49 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:38:49 DB : phase1 found 12/02/06 21:38:49 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:49 ii : processing informational packet ( 84 bytes ) 12/02/06 21:38:49 == : new informational iv ( 8 bytes ) 12/02/06 21:38:49 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 =< : message 87841a4f 12/02/06 21:38:49 =< : decrypt iv ( 8 bytes ) 12/02/06 21:38:49 == : decrypt packet ( 84 bytes ) 12/02/06 21:38:49 <= : stored iv ( 8 bytes ) 12/02/06 21:38:49 << : hash payload 12/02/06 21:38:49 << : notification payload 12/02/06 21:38:49 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:49 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:38:49 ii : informational hash verified 12/02/06 21:38:49 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:38:49 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:38:49 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 ii : - data size 4 12/02/06 21:38:49 ii : DPD ARE-YOU-THERE-ACK sequence 25f03682 accepted 12/02/06 21:38:49 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:38:49 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:50 -> : resend 1 config packet(s) 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:54 DB : phase1 found 12/02/06 21:38:54 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:54 
-> : send NAT-T:KEEP-ALIVE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:54 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:55 ii : resend limit exceeded for config exchange 12/02/06 21:38:55 DB : config deleted ( obj count = 0 ) 12/02/06 21:38:55 DB : tunnel ref decrement ( ref count = 5, obj count = 1 ) 12/02/06 21:39:04 DB : phase1 found 12/02/06 21:39:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:04 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:39:04 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:39:04 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 ii : - data size 4 12/02/06 21:39:04 >> : hash payload 12/02/06 21:39:04 >> : notification payload 12/02/06 21:39:04 == : new informational hash ( 20 bytes ) 12/02/06 21:39:04 == : new informational iv ( 8 bytes ) 12/02/06 21:39:04 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 >= : message c7f0488b 12/02/06 21:39:04 >= : encrypt iv ( 8 bytes ) 12/02/06 21:39:04 == : encrypt packet ( 84 bytes ) 12/02/06 21:39:04 == : stored iv ( 8 bytes ) 12/02/06 21:39:04 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:39:04 ii : DPD ARE-YOU-THERE sequence 25f03683 requested 12/02/06 21:39:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:04 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:39:04 DB : phase1 found 12/02/06 21:39:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:04 ii : processing informational packet ( 84 bytes ) 12/02/06 21:39:04 == : new informational iv ( 8 bytes ) 12/02/06 21:39:04 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 =< : message fbc22a40 12/02/06 21:39:04 =< : decrypt iv ( 8 bytes ) 12/02/06 21:39:04 == : decrypt packet ( 84 bytes ) 12/02/06 21:39:04 <= : stored iv ( 8 bytes ) 12/02/06 21:39:04 << : hash payload 
From mgrooms at shrew.net Tue Feb 14 17:47:13 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 17:47:13 -0600
Subject: [vpn-help] Mailing List Services Restored ...
Message-ID: <4F3AF281.4010906@shrew.net>

The Shrew Soft mailing lists went down for a few days. I believe
everything is back up and running. Sorry for any inconvenience.

-Matthew

From mgrooms at shrew.net Tue Feb 14 17:52:30 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 17:52:30 -0600
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local> <64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local>
Message-ID: <4F3AF3BE.8010603@shrew.net>

On 1/19/2012 8:25 AM, Mark A. DeMichele wrote:
> I don't believe you for being skeptical. I'm a programmer and I
> understand where you're coming from.
>
> I just did as you requested and was very methodical about it. Here's
> what I did.
>
> 1. Using the 2.2beta2 version, I uploaded using a VPN address and then
> again with a public address outside the VPN.
> VPN Upload Speed: ~450KB/sec.
> Non-VPN Upload Speed: ~550KB/sec
>
> 2. I uninstalled 2.2beta version and installed 2.1.7. I used the same
> profile (it's nice it remembers all that between uninstalls and
> installs BTW). Same urls and same files to upload.
> VPN Upload Speed: ~12KB/sec.
> Non-VPN Upload Speed: ~550KB/sec.
>
> The higher rates vary a lot +/- 50KB/sec., but the slow VPN rate is just
> pretty slow.
>
> I had tried 2.1.6 the other day with the same result. I hadn't gone
> back any further since the 2.2 fixed the problem. Also both of my
> Windows 7 64 bit machines seem to have this problem. Maybe it's router
> related?
>
> I have a Belkin N600HD router.
>

Are you running in a direct adapter mode? I fixed a problem related to
hardware task offload but I can't remember if that was in 2.2.x or the
2.1.7 branch.

-Matthew

From mgrooms at shrew.net Tue Feb 14 18:01:30 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:01:30 -0600
Subject: [vpn-help] Windows Client Login Screen and Shrew VPN Client
In-Reply-To: <185431391.20120105172903@eternallybored.org>
References: <20B2861F76CB724690F1809A616849052AA77FD8@CORPSERV.bcsvds.local> <185431391.20120105172903@eternallybored.org>
Message-ID: <4F3AF5DA.7090104@shrew.net>

On 1/5/2012 10:29 AM, Jernej Simončič wrote:
> On Thursday, January 5, 2012, 15:37:48, Roper, Andrew wrote:
>
>> How do I make that session available at the login screen?
>
> Right-click it in Shrew and select Public.
>

And just to piggy back on this with some more info, the last beta build
had a bug that prevented DNS lookups from working correctly with the
login version of the client.
You may have been lucky enough to have specified an IP address instead
of a DNS name for your gateway :)

-Matthew

From mgrooms at shrew.net Tue Feb 14 18:14:44 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:14:44 -0600
Subject: [vpn-help] failing with WLAN connection on Win7 x64 [Shrew 2.2.0]
In-Reply-To:
References: <1418139373.20111208161336@gmx.de> <95080473BAB1554287F90ED71398FAD201737736@boga.bjginc.com> <1384881807.20111213131114@gmx.de> <573634176.20111219140829@gmx.de> <1769885532.20120112233142@gmx.de>
Message-ID: <4F3AF8F4.2020305@shrew.net>

On 1/15/2012 9:06 PM, Kevin VPN wrote:
> On 01/12/2012 05:31 PM, Thorsten Albrecht wrote:
>> Hello Kevin,
>>
>> it still works after some reboots. Thanks for your support. BTW You
>> are not the developer, aren't you?
>>
>
> No, I'm not the developer. All that credit (and hopefully donations!)
> goes to Matthew and the others who provide patches. I'm just a
> user/believer of the software and help as much as I can on the list.

And thank you so much! Your input on the mailing list has been nothing
short of amazing! :)

-Matthew

From mgrooms at shrew.net Tue Feb 14 18:17:04 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:17:04 -0600
Subject: [vpn-help] failing with WLAN connection on Win7 x64 [Shrew 2.2.0]
In-Reply-To: <573634176.20111219140829@gmx.de>
References: <1418139373.20111208161336@gmx.de> <95080473BAB1554287F90ED71398FAD201737736@boga.bjginc.com> <1384881807.20111213131114@gmx.de> <573634176.20111219140829@gmx.de>
Message-ID: <4F3AF980.6010603@shrew.net>

On 12/19/2011 7:08 AM, Thorsten Albrecht wrote:
> Hello Kevin,
>
> the solution was: first it was necessary (as I wrote) to disable the MS Virtual
> WiFi Adapter to make Shrew VPN work. But Shrew VPN continued to work after
> reenabling the Virtual Adapter again. So it was not necessary to
> deinstall and reinstall everything.
>

Hmm. I'm a little sad to hear this is still an issue with 2.2.x.
I have an idea on how to solve this problem but it will require another
round of submissions to Winqual to get the drivers re-certified. Because
of this, the fix will need to wait until a post 2.2.0 release.

-Matthew

From demi at intellipro.com Tue Feb 14 18:04:42 2012
From: demi at intellipro.com (Mark A. DeMichele)
Date: Tue, 14 Feb 2012 19:04:42 -0500
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <4F3AF3BE.8010603@shrew.net>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local> <64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local> <4F3AF3BE.8010603@shrew.net>
Message-ID: <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local>

How do I tell if I'm running in "direct adapter mode"?

-----Original Message-----
From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Matthew Grooms
Sent: Tuesday, February 14, 2012 6:53 PM
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Windows 7 64bit Slow VPN

On 1/19/2012 8:25 AM, Mark A. DeMichele wrote:
> I don't believe you for being skeptical. I'm a programmer and I
> understand where you're coming from.
>
> I just did as you requested and was very methodical about it. Here's
> what I did.
>
> 1. Using the 2.2beta2 version, I uploaded using a VPN address and then
> again with a public address outside the VPN.
> VPN Upload Speed: ~450KB/sec.
> Non-VPN Upload Speed: ~550KB/sec
>
> 2. I uninstalled 2.2beta version and installed 2.1.7. I used the same
> profile (it's nice it remembers all that between uninstalls and
> installs BTW). Same urls and same files to upload.
> VPN Upload Speed: ~12KB/sec.
> Non-VPN Upload Speed: ~550KB/sec.
>
> The higher rates vary a lot +/- 50KB/sec., but the slow VPN rate is
> just pretty slow.
>
> I had tried 2.1.6 the other day with the same result. I hadn't gone
> back any further since the 2.2 fixed the problem. Also both of my
> Windows 7 64 bit machines seem to have this problem.
> Maybe it's router
> related?
>
> I have a Belkin N600HD router.
>

Are you running in a direct adapter mode? I fixed a problem related to
hardware task offload but I can't remember if that was in 2.2.x or the
2.1.7 branch.

-Matthew
_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help

From mgrooms at shrew.net Tue Feb 14 18:21:32 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:21:32 -0600
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local> <64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local> <4F3AF3BE.8010603@shrew.net> <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local>
Message-ID: <4F3AFA8C.5050405@shrew.net>

On 2/14/2012 6:04 PM, Mark A. DeMichele wrote:
> How do I tell if I'm running in "direct adapter mode"?
>

Ahh, sorry. Direct adapter mode is when you select the "Use an existing
adapter ... " option under "Adapter Mode" in the General settings page
of the site configuration. I should have been more clear.

-Matthew

> -----Original Message-----
> From: vpn-help-bounces at lists.shrew.net
> [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Matthew Grooms
> Sent: Tuesday, February 14, 2012 6:53 PM
> To: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] Windows 7 64bit Slow VPN
>
> On 1/19/2012 8:25 AM, Mark A. DeMichele wrote:
>> I don't believe you for being skeptical. I'm a programmer and I
>> understand where you're coming from.
>>
>> I just did as you requested and was very methodical about it. Here's
>> what I did.
>>
>> 1. Using the 2.2beta2 version, I uploaded using a VPN address and then
>> again with a public address outside the VPN.
>> VPN Upload Speed: ~450KB/sec.
>> Non-VPN Upload Speed: ~550KB/sec
>>
>> 2. I uninstalled 2.2beta version and installed 2.1.7. I used the same
>> profile (it's nice it remembers all that between uninstalls and
>> installs BTW). Same urls and same files to upload.
>> VPN Upload Speed: ~12KB/sec.
>> Non-VPN Upload Speed: ~550KB/sec.
>>
>> The higher rates vary a lot +/- 50KB/sec., but the slow VPN rate is
>> just pretty slow.
>>
>> I had tried 2.1.6 the other day with the same result. I hadn't gone
>> back any further since the 2.2 fixed the problem. Also both of my
>> Windows 7 64 bit machines seem to have this problem. Maybe it's router
>> related?
>>
>> I have a Belkin N600HD router.
>>
>
> Are you running in a direct adapter mode? I fixed a problem related to
> hardware task offload but I can't remember if that was in 2.2.x or the
> 2.1.7 branch.
>
> -Matthew

From mgrooms at shrew.net Tue Feb 14 18:29:17 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:29:17 -0600
Subject: [vpn-help] What is the different between windows and Mac version for shrew VPN?
In-Reply-To:
References: <20B2861F76CB724690F1809A616849052AA81946@CORPSERV.bcsvds.local>
Message-ID: <4F3AFC5D.6080402@shrew.net>

On 1/15/2012 8:58 PM, Kevin VPN wrote:
> On 01/13/2012 10:37 PM, Jinyan Huang wrote:
>> Both windows and Mac, I set MTU to 1380. I used CocoapacketAnalyzer
>> to obtain some packet. But no hints for me.
>>

This is an interesting problem, especially since you stated that the OSX
host worked in France but not in China. I'm sure you have thought of
these, but I'll ask the questions anyway ...

1) Is this the same OSX laptop you used in both France and China?
2) Is this the same wired or wireless adapter used in both locations?
3) Have you tried connecting to the VPN using a different carrier?

Without seeing the packet dump output, it's difficult to make a good
guess as to what the problem may be.

-Matthew

From mgrooms at shrew.net Tue Feb 14 18:32:54 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:32:54 -0600
Subject: [vpn-help] Can same server config work for iPhone and Shrew? - Phase 1 trouble
In-Reply-To: <20120119155146.GA5905@black.transpect.com>
References: <20120119153144.GA5410@black.transpect.com> <20120119155146.GA5905@black.transpect.com>
Message-ID: <4F3AFD36.1070501@shrew.net>

On 1/19/2012 9:51 AM, Whit Blauvelt wrote:
> On Thu, Jan 19, 2012 at 10:31:44AM -0500, Whit Blauvelt wrote:
>
>> Is Shrew's "Mutual PSK + XAuth" the equivalent of "xauth_psk_client"
>> rather than "xauth_psk_server" on the racoon side? I have no idea what the
>> difference between those two is ...
>
> Well, Googling it, it looks like the server should properly use
> "xauth_psk_server," and the "_client" variant is only for (duh!) a remote
> client. So that shouldn't be it. Although I'm just deducing that from
> examples. Documentation is thin.
>
> Could there be some other setting necessary to get Shrew's "Mutual PSK +
> XAuth" behavior to be accepted by racoon's "xauth_psk_server" expectations?
>

The Admin Guide has a lot of material related to configuring racoon /
ipsec-tools as a vpn gateway for the vpn client ...

http://www.shrew.net/static/help-2.1.x/vpnhelp.htm

-Matthew

From mgrooms at shrew.net Tue Feb 14 19:02:08 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:02:08 -0600
Subject: [vpn-help] Outlook interrupted
In-Reply-To:
References: <1041054682.20120126194525@eternallybored.org>
Message-ID: <4F3B0410.9010601@shrew.net>

On 1/26/2012 10:02 PM, Kevin VPN wrote:
>
> Hi Jernej,
>
> I'm disappointed that deleting the route actually works. I just tried
> it. I would have thought (hoped!) that Shrew might watch for things
> messing with the routes and reset them if they change.
>
> I'd think that would be a potential way for a trojan to get into an
> organization - wait for a tunnel to come up, enumerate the remote
> network, add a non-tunneled route to its C&C server and call home for
> instructions. Sort of defeats one of the purposes of a full-tunnel VPN. :(
>

There is no mechanism that I'm aware of that can "lock" a route in the
OS. You could have two processes fight over which routes it believes
should be the correct routes for a given point in time. Having a route
added or removed from your route table can happen at any point by a
process with the correct privilege level. The only thing the client can
really do is monitor the route table and potentially disconnect if it
sees a change.

> Does anyone know if this route hack can be done with other VPN clients
> like Cisco or Juniper?
>

What do you want in a VPN client? IPsec security policies define source
and destination IP networks and request or require that a transform be
applied to the traffic pattern to encrypt or authenticate the content.
It doesn't prescribe any particular methods to ensure that packets are
allowed to originate from an authorized process. Furthermore, there is
no distinction made between server or client insofar as IPsec protocols
or vanilla IKE are concerned.

For additional protection, a firewall and anti-malware software should
be used to protect your machine. Otherwise it could be used as an attack
vector to any remote network you may be connected to. Some VPN clients
bundle these with their software ( Cisco can push firewall rules to
their VPN Client ) and some don't. The Shrew Soft client falls into the
latter category.

-Matthew

From mgrooms at shrew.net Tue Feb 14 19:10:55 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:10:55 -0600
Subject: [vpn-help] [Vpn-help] Problems with Client Install or Uninstall ...
In-Reply-To: <79BA81FD3A1C994D87A4DB9F1B6A4D6D0761FE30@LENNON.karpautomotive.local>
References: <79BA81FD3A1C994D87A4DB9F1B6A4D6D0761FE30@LENNON.karpautomotive.local>
Message-ID: <4F3B061F.80806@shrew.net>

On 1/26/2012 3:01 PM, Peter Olivieri wrote:
> I am receiving a message peer config failed when attempting to connect
> to a VPN. This was working and I am not sure what was done as it is not
> my computer.
>
> I went through each of the steps on the following page
>
> http://lists.shrew.net/pipermail/vpn-help/2008-May/000703.html
>
> rebooted and went through the install again. After completing the
> install the configuration reappeared and I am still having the same issue.
>
> Anything you can suggest would be helpful.
>

The peer config failed message tends to happen when a version of the
client program ( ipsecc.exe ) is talking to a mismatched version of the
IKE daemon ( iked.exe ). For example ( ver 2.1.7 vs ver 2.2.x ). Did you
happen to copy ipsecc.exe somewhere instead of making a shortcut? Or
have you searched your system to make sure there are not multiple copies
of programs installed somehow in different locations?

-Matthew

From demi at intellipro.com Tue Feb 14 19:21:14 2012
From: demi at intellipro.com (Mark A. DeMichele)
Date: Tue, 14 Feb 2012 20:21:14 -0500
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <4F3AFA8C.5050405@shrew.net>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local> <64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local> <4F3AF3BE.8010603@shrew.net> <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local> <4F3AFA8C.5050405@shrew.net>
Message-ID: <64D2176F91A2884DA4ECAA5B9C2815CE0258C721@SERVER2003.ipro.local>

Yes, that's the mode I'm using.

-----Original Message-----
From: Matthew Grooms [mailto:mgrooms at shrew.net]
Sent: Tuesday, February 14, 2012 7:22 PM
To: Mark A. DeMichele
Cc: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Windows 7 64bit Slow VPN

On 2/14/2012 6:04 PM, Mark A. DeMichele wrote:
> How do I tell if I'm running in "direct adapter mode"?
>

Ahh, sorry. Direct adapter mode is when you select the "Use an existing
adapter ... " option under "Adapter Mode" in the General settings page
of the site configuration. I should have been more clear.

-Matthew

> -----Original Message-----
> From: vpn-help-bounces at lists.shrew.net
> [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Matthew Grooms
> Sent: Tuesday, February 14, 2012 6:53 PM
> To: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] Windows 7 64bit Slow VPN
>
> On 1/19/2012 8:25 AM, Mark A. DeMichele wrote:
>> I don't believe you for being skeptical. I'm a programmer and I
>> understand where you're coming from.
>>
>> I just did as you requested and was very methodical about it. Here's
>> what I did.
>>
>> 1. Using the 2.2beta2 version, I uploaded using a VPN address and then
>> again with a public address outside the VPN.
>> VPN Upload Speed: ~450KB/sec.
>> Non-VPN Upload Speed: ~550KB/sec
>>
>> 2. I uninstalled 2.2beta version and installed 2.1.7. I used the same
>> profile (it's nice it remembers all that between uninstalls and
>> installs BTW). Same urls and same files to upload.
>> VPN Upload Speed: ~12KB/sec.
>> Non-VPN Upload Speed: ~550KB/sec.
>>
>> The higher rates vary a lot +/- 50KB/sec., but the slow VPN rate is
>> just pretty slow.
>>
>> I had tried 2.1.6 the other day with the same result. I hadn't gone
>> back any further since the 2.2 fixed the problem. Also both of my
>> Windows 7 64 bit machines seem to have this problem. Maybe it's router
>> related?
>>
>> I have a Belkin N600HD router.
>>
>
> Are you running in a direct adapter mode? I fixed a problem related to
> hardware task offload but I can't remember if that was in 2.2.x or the
> 2.1.7 branch.
>
> -Matthew

From mgrooms at shrew.net Tue Feb 14 19:29:13 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:29:13 -0600
Subject: [vpn-help] INVALID-SPI Notification
In-Reply-To:
References:
Message-ID: <4F3B0A69.2090200@shrew.net>

On 1/31/2012 10:42 AM, Sébastien HELLE wrote:
> Hi,
>
> I am currently using ShrewSoft VPN Client to connect to a Fortigate VPN.
> The VPN is route-based, with Mutual RSA authentication.
>
> Everybody using this VPN with shrewsoft client is often disconnected,
> either partially (the client is still connected, but some routes are
> unreachable) or totally (the client is disconnected).
>
> When I take a look at the client debug Trace utility (decode mode), I
> have this :
>
> 12/01/31 17:09:47 DB : phase1 found
> 12/01/31 17:09:47 DB : phase1 ref increment ( ref count = 4, obj count = 1 )
> 12/01/31 17:09:47 ii : processing informational packet ( 76 bytes )
> 12/01/31 17:09:47 == : new informational iv ( 16 bytes )
> 12/01/31 17:09:47 0x : 310ab985 d070eb7b b6855596 a6e634d8
> 12/01/31 17:09:47 =< : cookies 3cada944dd48eeba:13485b109cc7cffd
> 12/01/31 17:09:47 =< : message 4991d5d5
> 12/01/31 17:09:47 =< : decrypt iv ( 16 bytes )
> 12/01/31 17:09:47 0x : 310ab985 d070eb7b b6855596 a6e634d8
> 12/01/31 17:09:47 == : decrypt packet ( 76 bytes )
> 12/01/31 17:09:47 0x : 3cada944 dd48eeba 13485b10 9cc7cffd 08100501 4991d5d5 0000004c 0b000018
> 12/01/31 17:09:47 0x : afcb164b 10c9e5d6 b49f1177 d368dc15 a84dee09 00000010 00000001 0304000b
> 12/01/31 17:09:47 0x : 5d004625 bec85867 fb6ada07
> 12/01/31 17:09:47 <= : trimmed packet padding ( 8 bytes )
> 12/01/31 17:09:47 <= : stored iv ( 16 bytes )
> 12/01/31 17:09:47 0x : 7d379dfc 17b5a654 653d3ded 16a861fe
> 12/01/31 17:09:47 << : hash payload
> 12/01/31 17:09:47 << : notification payload
> 12/01/31 17:09:47 == : informational hash_i ( computed ) ( 20 bytes )
> 12/01/31 17:09:47 0x : afcb164b 10c9e5d6 b49f1177 d368dc15 a84dee09
> 12/01/31 17:09:47 == : informational hash_c ( received ) ( 20 bytes )
> 12/01/31 17:09:47 0x : afcb164b 10c9e5d6 b49f1177 d368dc15 a84dee09
> 12/01/31 17:09:47 ii : informational hash verified
> 12/01/31 17:09:47 ii : received peer INVALID-SPI notification
> 12/01/31 17:09:47 ii : - 217.119.132.38:4500 -> 192.168.30.103:4500
> 12/01/31 17:09:47 ii : - ipsec-esp spi = 0x5d004625
> 12/01/31 17:09:47 ii : - data size 0
> 12/01/31 17:09:47 DB : phase1 ref decrement ( ref count = 3, obj count = 1 )
> 12/01/31 17:09:50 <- : recv NAT-T:IKE packet 217.119.132.38:4500 -> 192.168.30.103:4500 ( 76 bytes )
> 12/01/31 17:09:50 0x : 3cada944 dd48eeba 13485b10 9cc7cffd 08100501 afdd4e70 0000004c 4295f33a
> 12/01/31 17:09:50 0x : 1aeba2a3 8399c33e 5393a32f 26f4b98f 96eee83d 3738e253 00269a9f b2f4bf2f
> 12/01/31 17:09:50 0x : 70e8b563 ce6bb2aa 848a0774
>
> The important part is the INVALID-SPI Notification from the peer. It
> looks like the Shrew client receives the info, but doesn't care about it.
> I've seen that the Cisco VPN Client has a functionality
> invalid-spi-recovery. Is there nothing like that in Shrew?
>

After reading the RFC, an INVALID-SPI notification should only be sent
in response to an IKE level message that includes an SPI that is thought
to be invalid ( ie. received in a proposal or a notification payload ) ...

http://www.faqs.org/rfcs/rfc2408.html

What is happening right before this section in the error log, and what
does the Fortigate log detail say regarding the sent notification? Any
reason? Does it think the SA related to the SPI has expired? Do you have
a lifetime mismatch between your gateway / client configuration?
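
The decrypted informational packet in the trace quoted above can be
decoded field by field against the RFC 2408 layouts to confirm what the
gateway sent and for which SA. The Python below is an added example, not
part of the original message or of the Shrew Soft client; the function
names are hypothetical and the bytes are copied from the "decrypt
packet" hex lines of that trace.

```python
import struct

# Decrypted 76-byte informational packet, copied from the "decrypt packet"
# hex lines of the trace quoted above.
PACKET = bytes.fromhex("".join("""
3cada944 dd48eeba 13485b10 9cc7cffd 08100501 4991d5d5 0000004c 0b000018
afcb164b 10c9e5d6 b49f1177 d368dc15 a84dee09 00000010 00000001 0304000b
5d004625 bec85867 fb6ada07
""".split()))

# Code points from RFC 2408 (payload, exchange and notify types), RFC 2407
# (protocol IDs) and RFC 3706 (DPD notifies). Only a subset is listed.
PAYLOADS = {8: "HASH", 11: "NOTIFICATION", 12: "DELETE"}
EXCHANGES = {2: "IDENTITY-PROTECTION", 4: "AGGRESSIVE", 5: "INFORMATIONAL"}
PROTOCOLS = {1: "ISAKMP", 2: "IPSEC-AH", 3: "IPSEC-ESP"}
NOTIFIES = {9: "INVALID-MESSAGE-ID", 11: "INVALID-SPI",
            14: "NO-PROPOSAL-CHOSEN",
            36136: "R-U-THERE", 36137: "R-U-THERE-ACK"}


def decode_payload(ptype, body):
    """Decode one payload body (generic 4-byte header already removed)."""
    name = PAYLOADS.get(ptype, "type-%d" % ptype)
    if ptype == 8:
        return {"type": name, "hash": body.hex()}
    if ptype == 11:
        # DOI(4) | protocol-id(1) | SPI size(1) | notify type(2) | SPI | data
        if len(body) < 8:
            raise ValueError("notification payload too short")
        doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
        if 8 + spi_size > len(body):
            raise ValueError("SPI size exceeds notification payload")
        return {"type": name, "doi": doi,
                "protocol": PROTOCOLS.get(proto, proto),
                "notify": NOTIFIES.get(ntype, ntype),
                "spi": body[8:8 + spi_size].hex(),
                "data": body[8 + spi_size:].hex()}
    return {"type": name, "raw": body.hex()}


def parse_isakmp(data):
    """Parse a decrypted ISAKMP message: 28-byte header, then payload chain."""
    if len(data) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    icookie, rcookie, nxt, ver, exch, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    if length < 28 or length > len(data):
        raise ValueError("header length %d does not fit the data" % length)
    msg = {"icookie": icookie.hex(), "rcookie": rcookie.hex(),
           "version": "%d.%d" % (ver >> 4, ver & 0x0F),
           "exchange": EXCHANGES.get(exch, exch),
           "encrypted": bool(flags & 0x01),
           "msgid": "%08x" % msgid, "length": length, "payloads": []}
    off = 28
    while nxt != 0:
        if off + 4 > length:
            raise ValueError("payload header runs past end of message")
        following, _reserved, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        msg["payloads"].append(decode_payload(nxt, data[off + 4:off + plen]))
        nxt, off = following, off + plen
    # Whatever follows the last payload is cipher block padding.
    msg["padding"] = length - off
    return msg


if __name__ == "__main__":
    parsed = parse_isakmp(PACKET)
    print(parsed["exchange"], "msgid", parsed["msgid"],
          "padding", parsed["padding"])
    for payload in parsed["payloads"]:
        print(payload)
```

The SPI in the notification is the value to look up in the gateway's SA
list and log when answering the questions above about expiry and
lifetime mismatch.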
-Matthew

From mgrooms at shrew.net Tue Feb 14 19:33:19 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:33:19 -0600
Subject: [vpn-help] (no subject)
In-Reply-To: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE>
References: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE>
Message-ID: <4F3B0B5F.3010704@shrew.net>

On 2/2/2012 8:17 AM, Matthias Paust wrote:
> Problem:
>
> The VPN client is connected to my gateway (tunnel enabled) but no
> access to the remote network is possible. We are using FortiGate 80c
> (fw v4.0,build0511,120110 (MR3 Patch 4)) and ShrewSoft VPN Client
> 2.1.7 for Windows.
>
> The problems occurred after updating the firewall to the new version.
> With fw version v4.0,build0328,110718 (MR2 Patch 8) there was no
> problem.
>

The IKE session looks healthy and it looks like there are NAT-T ESP
packets moving back and forth. I would double check your firewall config
and log output. There should be a clue in there somewhere.

-Matthew

From mgrooms at shrew.net Tue Feb 14 19:38:33 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:38:33 -0600
Subject: [vpn-help] ikea startup: Session Management error
In-Reply-To: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>
References: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>
Message-ID: <4F3B0C99.4060601@shrew.net>

On 2/2/2012 11:22 AM, mh at morxy.co.uk wrote:
> I'm running Ubuntu 11.10 and installed Shrew VPN Client 2.1.7 using
> Ubuntu's package manager (ike-qtgui 2.1.7+dfsg-1build1).
>
> $ iked
> ii : created ike socket 0.0.0.0:500
> ii : created natt socket 0.0.0.0:4500
> ## : IKE Daemon, ver 2.1.7
> ## : Copyright 2010 Shrew Soft Inc.
> ## : This product linked OpenSSL 1.0.0e 6 Sep 2011
>
> $ ikea &
> Session management error: None of the authentication protocols specified are supported
>
> Can anyone explain this error? I've tried googling and can't find any
> definitive solution or cause. I can't use the ikea access manager to
> connect to any remote VPN server, probably as a result of this.
> (Meanwhile, the same VPN server works perfectly on my Windows XP laptop
> with the same Shrew client.)
>

I believe this is coming from the Qt GUI library that ikea links to.
Looks like quite a few users of Ubuntu have reported this issue. The
most common solution I can see is upgrading your qt package.

-Matthew

From mgrooms at shrew.net Tue Feb 14 20:00:24 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:00:24 -0600
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <64D2176F91A2884DA4ECAA5B9C2815CE0258C721@SERVER2003.ipro.local>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local><64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local> <4F3AF3BE.8010603@shrew.net> <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local> <4F3AFA8C.5050405@shrew.net> <64D2176F91A2884DA4ECAA5B9C2815CE0258C721@SERVER2003.ipro.local>
Message-ID: <4F3B11B8.2000301@shrew.net>

On 2/14/2012 7:21 PM, Mark A. DeMichele wrote:
> Yes, that's the mode I'm using.
>

This improvement is most likely related to proper emulation of Large
Segment Offload in 2.2.x. What happens is this: A packet is sometimes
sent down the NDIS driver stack with the expectation that the adapter
will handle a specific task on behalf of the OS to increase throughput.
However, the VPN Client can intercept and process packets before they
reach the adapter. In 2.1.7, the client doesn't emulate any bypassed
hardware features, so the only option is to disable it in the adapter
properties ( or experience awful throughput due to malformed packets ).
The problem isn't reported very often as most people use a virtual
adapter mode which doesn't claim to support any hardware acceleration.
In 2.2.x, the client emulates most of the common task offload features
to avoid these kinds of issues.
-Matthew

From mgrooms at shrew.net Tue Feb 14 20:04:23 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:04:23 -0600
Subject: [vpn-help] Juniper SRX210 NAT-T problems
In-Reply-To: <4f2d2fda.d0770e0a.0162.ffff97f5@mx.google.com>
References: <4f2d2fda.d0770e0a.0162.ffff97f5@mx.google.com>
Message-ID: <4F3B12A7.9040804@shrew.net>

On 2/4/2012 7:23 AM, Loris Modenese wrote:
>
> Hi Kevin,
>
> I can confirm what Gergely said.
> The problem is related to the NAT-T and DPD code on both 2.1.7 and
> 2.2.0 versions.
> With NAT-T disabled or with a dial-up connection (public IP address) the
> link is stable.
> I've also noticed that no matter how the client is configured (with or w/o
> DPD and different timeout)
> it keeps on sending DPD every 30sec when NAT-T option is enabled for 10
> times then it always disconnects (about 5-5.5 min).
> I tested the config with 4 SRX-240H, 1 SRX-210H and 3 SRX-100 running
> JunOS 10.4 with the same results.
>

Hmm, this doesn't sound good. Is the client initiating the DPD messages
or responding to them ( or both )? Can you send me a sample of the log
output with the IP addresses obscured? If the client is simply ignoring
the DPD configuration option, that shouldn't be too hard to fix.

-Matthew

From mgrooms at shrew.net Tue Feb 14 20:05:39 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:05:39 -0600
Subject: [vpn-help] Status of Shrew and Juniper SRX
In-Reply-To:
References:
Message-ID: <4F3B12F3.60201@shrew.net>

On 2/6/2012 10:47 AM, Stephen More wrote:
> Currently there are no Configuration Guides for Juniper SRX.
>
> I have seen sample configs like:
> http://forums.juniper.net/t5/SRX-Services-Gateway/Can-SRX-series-work-with-Shrew-Soft-VPN-client/m-p/76176/highlight/true#M9010
>
> But I am unable to get past phase 1.
>
> Does anyone know the current status ?
>

The status is that I don't have an SRX in my lab to test with. I may at
some point in the future. What does your log output say?
-Matthew

From mgrooms at shrew.net Tue Feb 14 20:13:34 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:13:34 -0600
Subject: [vpn-help] No packets going through Watchguard
In-Reply-To:
References:
Message-ID: <4F3B14CE.7050304@shrew.net>

On 2/6/2012 11:55 PM, Mike Pacifico wrote:
> Hello,
>
> Just installed a watchguard XTM 510 4.2.1. Exported the .vpn,
> imported the config file into the VPN client. According to the
> watchguard, I am authenticated as a client, or am I? No packets are
> being moved.
>
> I apologize in advance if I'm overlooking the obvious, but it's been a
> very long day.
>

...

> 12/02/06 21:38:35 DB : config resend event scheduled ( ref count = 2 )
> 12/02/06 21:38:35 ii : building config attribute list
> 12/02/06 21:38:35 ii : - IP4 Address
> 12/02/06 21:38:35 ii : - Address Expiry
> 12/02/06 21:38:35 ii : - IP4 Netamask
> 12/02/06 21:38:35 ii : - IP4 DNS Server
> 12/02/06 21:38:35 ii : - IP4 WINS Server
> 12/02/06 21:38:35 ii : - IP4 Subnet
> 12/02/06 21:38:35 == : new config iv ( 8 bytes )
> 12/02/06 21:38:35 ii : sending config pull request
> 12/02/06 21:38:35 >> : hash payload
> 12/02/06 21:38:35 >> : attribute payload
> 12/02/06 21:38:35 == : new configure hash ( 20 bytes )
> 12/02/06 21:38:35 >= : cookies f88412956c4b60da:93e25c78b27cfdea
> 12/02/06 21:38:35 >= : message 6a213b7c
> 12/02/06 21:38:35 >= : encrypt iv ( 8 bytes )
> 12/02/06 21:38:35 == : encrypt packet ( 84 bytes )
> 12/02/06 21:38:35 == : stored iv ( 8 bytes )
> 12/02/06 21:38:35 DB : config resend event canceled ( ref count = 1 )
> 12/02/06 21:38:35 -> : send NAT-T:IKE packet 192.168.1.6:4500
>

It would appear that the client is requesting modecfg information but
doesn't receive a response from the gateway. This would typically point
to a configuration mismatch between the client and the server. You say
you exported the .vpn file. Was that from another working client?
-Matthew

From mgrooms at shrew.net Tue Feb 14 20:15:25 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:15:25 -0600
Subject: [vpn-help] Run shrew withiout graphic interface
In-Reply-To:
References:
Message-ID: <4F3B153D.8020802@shrew.net>

On 2/8/2012 5:23 AM, Stephen More wrote:
> ikec
>

I just want to add that this is only available in the 2.2.x version. In
the 2.1.7 version, ikec and ikea are actually Qt applications. In 2.2.x
versions, they have been renamed to qikec and qikea with ikec being the
command line client version.

-Matthew

> On Wed, Feb 8, 2012 at 5:35 AM, Jacques EESES wrote:
>> Good day
>>
>> How do I run ikea without a graphical interface to establish a vpn connection
>> between a linux server and my router ?
>>
>> What linux command do I use for that ?
>>
>> Thank you and excuse me for my bad English.
>> I am a French man.
>>
>>
>> Best regards
>>

From stephen.more at gmail.com Tue Feb 14 20:59:44 2012
From: stephen.more at gmail.com (Stephen More)
Date: Tue, 14 Feb 2012 21:59:44 -0500
Subject: [vpn-help] Status of Shrew and Juniper SRX
In-Reply-To: <4F3B12F3.60201@shrew.net>
References: <4F3B12F3.60201@shrew.net>
Message-ID:

You can find sample configs and output from the SRX here:
http://forums.juniper.net/t5/SRX-Services-Gateway/Troubleshooting-Shrew-and-SRX/td-p/128641

On Tue, Feb 14, 2012 at 9:05 PM, Matthew Grooms wrote:
> On 2/6/2012 10:47 AM, Stephen More wrote:
>>
>> Currently there are no Configuration Guides for Juniper SRX.
>>
>> I have seen sample configs like:
>>
>> http://forums.juniper.net/t5/SRX-Services-Gateway/Can-SRX-series-work-with-Shrew-Soft-VPN-client/m-p/76176/highlight/true#M9010
>>
>> But I am unable to get past phase 1.
>>
>> Does anyone know the current status ?
>>
>
> The status is that I don't have an SRX in my lab to test with. I may at some
> point in the future. What does your log output say?
>
> -Matthew

From matthias.paust at seetec.de Wed Feb 15 01:19:35 2012
From: matthias.paust at seetec.de (Matthias Paust)
Date: Wed, 15 Feb 2012 07:19:35 +0000
Subject: [vpn-help] (no subject)
In-Reply-To: <4F3B0B5F.3010704@shrew.net>
References: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE> <4F3B0B5F.3010704@shrew.net>
Message-ID: <3DF319ED62CDA647A0CAE1018FB99B042229388C@seetec16.seetecDE>

We've tested it with ShrewSoft version 2.1.5: there's no problem. Everything works fine...

Regards,
Matthias

-----Original Message-----
From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Matthew Grooms
Sent: Wednesday, 15 February 2012 02:33
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] (no subject)

On 2/2/2012 8:17 AM, Matthias Paust wrote:
> Problem:
>
> The VPN client is connected to my gateway (tunnel enabled) but no
> access to the remote network is possible. We are using FortiGate 80c
> (fw v4.0,build0511,120110 (MR3 Patch 4)) and ShrewSoft VPN Client
> 2.1.7 for Windows.
>
> The problems occurred after updating the firewall to the new version.
> With fw version v4.0,build0328,110718 (MR2 Patch 8) there was no
> problem.
>

The IKE session looks healthy and it looks like there are NAT-T ESP
packets moving back and forth. I would double check your firewall config
and log output. There should be a clue in there somewhere.
-Matthew

From mgrooms at shrew.net Wed Feb 15 19:31:22 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Wed, 15 Feb 2012 19:31:22 -0600
Subject: [vpn-help] Priority for Adapter Specific DNS Servers ...
Message-ID: <4F3C5C6A.2000300@shrew.net>

All,

For the longest time I thought there was no way to manually influence
the order in which Windows prioritizes adapter specific DNS servers. I
ran across this solution the other day and wanted to share it with the
mailing list. Apparently, the DNS server priority is directly related to
binding order of the associated adapter ...

http://support.microsoft.com/kb/311218

If you bump up the binding order of the adapter, the DNS servers that
are associated with that adapter will be preferred over other adapters
when performing name resolution. For example: By bumping up the Shrew
Soft Virtual Adapter in the binding order, the DNS servers associated
with that adapter will be preferred over other adapters set to a lower
binding order ( when the VPN client is active ).

Hope this helps someone,

-Matthew

From mgrooms at shrew.net Wed Feb 15 19:37:58 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Wed, 15 Feb 2012 19:37:58 -0600
Subject: [vpn-help] Priority for Adapter Specific DNS Servers ...
In-Reply-To: <4F3C5C6A.2000300@shrew.net>
References: <4F3C5C6A.2000300@shrew.net>
Message-ID: <4F3C5DF6.10909@shrew.net>

By the way, you shouldn't have to manually edit the registry like the
knowledge base article states. You should be able to re-order the
adapter bindings in the "Advanced Settings" section of the Network
Connections dialog ( hit the ALT button to see this in the menu under
Windows Vista/7 ). Just wanted to make that clear.
-Matthew

On 2/15/2012 7:31 PM, Matthew Grooms wrote:
> All,
>
> For the longest time I thought there was no way to manually influence
> the order in which windows prioritizes adapter specific DNS servers. I
> ran across this solution the other day and wanted to share it with the
> mailing list. Apparently, the DNS server priority is directly related to
> binding order of the associated adapter ...
>
> http://support.microsoft.com/kb/311218
>
> If you bump up the binding order of the adapter, the DNS servers that
> are associated with that adapter will be preferred over other adapters
> when performing name resolution. For example: By bumping up the Shrew
> Soft Virtual Adapter in the binding order, the DNS servers associated
> with that adapter will be preferred over other adapters set to a lower
> binding order ( when the VPN client is active ).
>
> Hope this helps someone,
>
> -Matthew

From mgrooms at shrew.net Wed Feb 15 20:07:49 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Wed, 15 Feb 2012 20:07:49 -0600
Subject: [vpn-help] Priority for Adapter Specific DNS Servers ...
In-Reply-To: <4F3C5C6A.2000300@shrew.net>
References: <4F3C5C6A.2000300@shrew.net>
Message-ID: <4F3C64F5.2060306@shrew.net>

On 2/15/2012 7:31 PM, Matthew Grooms wrote:
> All,
>
> For the longest time I thought there was no way to manually influence
> the order in which windows prioritizes adapter specific DNS servers. I
> ran across this solution the other day and wanted to share it with the
> mailing list. Apparently, the DNS server priority is directly related to
> binding order of the associated adapter ...
>
> http://support.microsoft.com/kb/311218
>
> If you bump up the binding order of the adapter, the DNS servers that
> are associated with that adapter will be preferred over other adapters
> when performing name resolution. For example: By bumping up the Shrew
> Soft Virtual Adapter in the binding order, the DNS servers associated
> with that adapter will be preferred over other adapters set to a lower
> binding order ( when the VPN client is active ).
>

Crap. Now that I look at it closer, the Shrew Soft Virtual Adapter is
hidden so it can't be easily re-ordered. I did find this solution but
it's a command line tool ...

http://archive.msdn.microsoft.com/nvspbind

As a quick howto, you run the tool in a cmd window as root. First you
find your adapter binding order for ms_tcpip ...

>nvspbind.exe /o ms_tcpip

Hyper-V Network VSP Bind Application 6.1.7725.0.
Copyright (c) Microsoft Corporation. All rights reserved.

Protocols:

{5D9F4D1D-F5B3-48BA-85AD-9B44176DD0C8}
"ms_tcpip"
"Internet Protocol Version 4 (TCP/IPv4)":
   enabled: Local Area Connection 4
   enabled: Local Area Connection 3
   enabled: Local Area Connection* 11
   enabled: Local Area Connection* 12
   enabled: Local Area Connection 2
   enabled: Local Area Connection
   enabled: VMware Network Adapter VMnet1
   enabled: VMware Network Adapter VMnet8

cleaning up...finished (0)

... Local Area Connection* 12 is my Shrew Soft VPN Network Adapter. If I
want to move it up one position in the network binding, I can use the
following command line options ...

>nvspbind.exe /+ "Local Area Connection* 12" ms_tcpip

Hyper-V Network VSP Bind Application 6.1.7725.0.
Copyright (c) Microsoft Corporation. All rights reserved.

acquiring write lock...success

Protocols:

{5D9F4D1D-F5B3-48BA-85AD-9B44176DD0C8}
"ms_tcpip"
"Internet Protocol Version 4 (TCP/IPv4)":
   enabled: Local Area Connection 4
   enabled: Local Area Connection 3
   enabled: Local Area Connection* 11
   enabled: Local Area Connection* 12
   enabled: Local Area Connection 2
   enabled: Local Area Connection
   enabled: VMware Network Adapter VMnet1
   enabled: VMware Network Adapter VMnet8

moving 'Local Area Connection* 12' above 'Local Area Connection* 11'

   enabled: Local Area Connection 4
   enabled: Local Area Connection 3
   enabled: Local Area Connection* 12
   enabled: Local Area Connection* 11
   enabled: Local Area Connection 2
   enabled: Local Area Connection
   enabled: VMware Network Adapter VMnet1
   enabled: VMware Network Adapter VMnet8

'Local Area Connection* 12' found

cleaning up...releasing write lock...success
finished (0)

... Problem solved :)

-Matthew

From jcope at discovertravelandtours.com Mon Feb 20 07:35:00 2012
From: jcope at discovertravelandtours.com (James Cope)
Date: Mon, 20 Feb 2012 13:35:00 +0000
Subject: [vpn-help] Shrew 2.1.7 & Windows 7 (64 bit)
Message-ID: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA787E0@EXVS02.SSP.local>

Hi,

I have a user who has successfully been connecting up to our office for
several months without issue. He's now not been able to connect for just
under 2 weeks. He has had sporadic problems connecting occasionally but
this is a long term period of inactivity now. Each time it comes back
with Negotiation timeout occurred.

We have tried on another machine at his location and that can connect so
router/dsl/firewall are all functioning ok.

We have tried both reinstalling Shrew from scratch and performing a
system restore on the PC, neither of which have resolved. All 3rd party
software has also been disabled in MSCONFIG as well as the AV and
firewall software.

This machine does not have a wireless adaptor in so there is no virtual
wifi miniport to remove.

Is anyone aware of any further issues at play here?
Thanks
James

From jcope at discovertravelandtours.com Mon Feb 20 09:58:24 2012
From: jcope at discovertravelandtours.com (James Cope)
Date: Mon, 20 Feb 2012 15:58:24 +0000
Subject: [vpn-help] Shrew 2.1.7 & Windows 7 (64 bit)
In-Reply-To: <20B2861F76CB724690F1809A616849052AB046EC@CORPSERV.bcsvds.local>
References: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA787E0@EXVS02.SSP.local> <20B2861F76CB724690F1809A616849052AB046EC@CORPSERV.bcsvds.local>
Message-ID: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA78A5D@EXVS02.SSP.local>

Hi,

We can see the packets leaving the client and hitting the firewall, what
we can't see is the client accepting the returned packets from the
firewall.

I have other users using the same routers, DSL from same provider and
same machine setup. We have an old XP laptop on site and that can connect
so it looks to be something specific about this machines config (not the
VPN config as that is standard).

2012-02-20 11:57:43 info IKE 217.41.45.141 Phase 1: Retransmission limit has been reached.
2012-02-20 11:57:35 info IKE 217.41.45.141 phase 1:The symmetric crypto key has been generated successfully.
2012-02-20 11:57:35 info IKE 217.41.45.141 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2012-02-20 11:56:54 info IKE 217.41.45.141 phase 1:The symmetric crypto key has been generated successfully.
2012-02-20 11:56:54 info IKE 217.41.45.141 Phase 1: Responder starts AGGRESSIVE mode negotiations.
Thanks
James

From aroper at bcsvoicedata.com Mon Feb 20 09:45:22 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Mon, 20 Feb 2012 15:45:22 +0000
Subject: [vpn-help] Shrew 2.1.7 & Windows 7 (64 bit)
In-Reply-To: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA787E0@EXVS02.SSP.local>
References: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA787E0@EXVS02.SSP.local>
Message-ID: <20B2861F76CB724690F1809A616849052AB046EC@CORPSERV.bcsvds.local>

James,

I would suggest getting packet captures to see what is going on. I would
gather them on the client and at the gateway. If you see the packets
leaving the client and arriving at the gateway then the client is not at
issue. Then, you will need to enable logging on both the gateway and the
corporate VPN endpoint to see if the packets are arriving there and what
the disposition is of those packets.

Without further data, it is difficult to speculate what is occurring.

-Andrew

From Rainer.Mach at inco.at Mon Feb 20 16:15:53 2012
From: Rainer.Mach at inco.at (Mach Rainer)
Date: Mon, 20 Feb 2012 22:15:53 +0000
Subject: [vpn-help] Problems connecting Windows7 over Broadband
Message-ID: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc>

Hi!

I installed the Shrew Soft Client (first 2.1.7 stable and now 2.2.0-b2)
on my Windows 7 64 Bit Laptop and configured it to connect to a PFSense
2.0.1 Firewall.

It works fine when the laptop is connected via LAN or via WLAN
(WLAN=802.11a/b).

But when the laptop is connected via Mobile Broadband (with a SIM Card
from a mobile phone provider) the Shrew Soft Client gets connected, but
I can't get any traffic through the tunnel (e.g. ping).

I tried it with different mobile provider, no change. And I tried it
also with different Mobile Broadband Adapters (one is internal in my
Laptop and I got 2 mobile USB Adapters) -it does also not work.

But when I put the SIM Card to my IPhone and use tethering (WLAN between
Laptop and IPhone) the VPN works! So I think the problem is not the
provider.

In the archive of the mailing list I found the suggestion to disable a
virtual Adapter, but there is no unused virtual adapter (and this should
be fixed in 2.2.0)

Do you have any suggestions?

regards,
rainer

From aroper at bcsvoicedata.com Tue Feb 21 08:37:40 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Tue, 21 Feb 2012 14:37:40 +0000
Subject: [vpn-help] Problems connecting Windows7 over Broadband
In-Reply-To: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc>
References: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc>
Message-ID: <20B2861F76CB724690F1809A616849052AB0939F@CORPSERV.bcsvds.local>

Rainer,

Try turning off NAT-T when using the WWAN connection.

Regards,
Andrew

From Rainer.Mach at inco.at Tue Feb 21 10:38:51 2012
From: Rainer.Mach at inco.at (Mach Rainer)
Date: Tue, 21 Feb 2012 16:38:51 +0000
Subject: [vpn-help] Problems connecting Windows7 over Broadband
In-Reply-To: <20B2861F76CB724690F1809A616849052AB0939F@CORPSERV.bcsvds.local>
References: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc> <20B2861F76CB724690F1809A616849052AB0939F@CORPSERV.bcsvds.local>
Message-ID: <712F8F4B2628F7409D1A65C426B26385068E0F98@Mail11.inco.loc>

Hi Andrew,

no change.

The LogFile on the FW says:

Feb 21 17:35:24 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 21 17:35:24 racoon: ERROR: no configuration found for 178.115.x.y. (<-- that's the IP I got from the mobile provider)
Feb 21 17:35:19 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 21 17:35:19 racoon: ERROR: no configuration found for 178.115.x.y.
Feb 21 17:35:15 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 21 17:35:15 racoon: ERROR: no configuration found for 178.115.x.y.
Feb 21 17:35:13 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 21 17:35:13 racoon: ERROR: no configuration found for 178.115.x.y.
Feb 21 17:35:12 racoon: INFO: begin Identity Protection mode.
regards, rainer -----Original Message----- From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Roper, Andrew Sent: Tuesday, February 21, 2012 3:38 PM To: Mach Rainer; 'vpn-help at lists.shrew.net' Subject: Re: [vpn-help] Problems connecting Windows7 over Broadband Rainer, Try turning off NAT-T when using the WWAN connection. Regards, Andrew -----Original Message----- From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Mach Rainer Sent: Monday, February 20, 2012 5:16 PM To: 'vpn-help at lists.shrew.net' Subject: [vpn-help] Problems connecting Windows7 over Broadband Hi! I installed the Shrew Soft Client (first 2.1.7 stable and now 2.2.0-b2) on my Windows 7 64 Bit Laptop and configured it to connect to a PFSense 2.0.1 Firewall. It works fine when the laptop is connected via LAN or via WLAN (WLAN=802.11a/b). But when the laptop is connected via Mobile Broadband (with a SIM Card from a mobile phone provider) the Shrew Soft Client gets connected, but I can't get any traffic through the tunnel (e.g. ping). I tried it with different mobile provider, no change. And I tried it also with different Mobile Broadband Adapters (one is internal in my Laptop and I got 2 mobile USB Adapters) -it does also not work. But when I put the SIM Card to my IPhone and use tethering (WLAN between Laptop and IPhone) the VPN works! So I think the problem is not the provider. In the archive of the mailing list I found the suggestion to disable a virtual Adapter, but there is no unused virtual adapter (and this should be fixed in 2.2.0) Do you have any suggestions? 
regards, rainer _______________________________________________ vpn-help mailing list vpn-help at lists.shrew.net http://lists.shrew.net/mailman/listinfo/vpn-help _______________________________________________ vpn-help mailing list vpn-help at lists.shrew.net http://lists.shrew.net/mailman/listinfo/vpn-help From aroper at bcsvoicedata.com Tue Feb 21 11:21:42 2012 From: aroper at bcsvoicedata.com (Roper, Andrew) Date: Tue, 21 Feb 2012 17:21:42 +0000 Subject: [vpn-help] Problems connecting Windows7 over Broadband In-Reply-To: <712F8F4B2628F7409D1A65C426B26385068E0F98@Mail11.inco.loc> References: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc> <20B2861F76CB724690F1809A616849052AB0939F@CORPSERV.bcsvds.local> <712F8F4B2628F7409D1A65C426B26385068E0F98@Mail11.inco.loc> Message-ID: <20B2861F76CB724690F1809A616849052AB098CF@CORPSERV.bcsvds.local> Is the firewall setup for Aggressive mode negotiations for that particular tunnel? -Andrew -----Original Message----- From: Mach Rainer [mailto:Rainer.Mach at inco.at] Sent: Tuesday, February 21, 2012 11:39 AM To: Roper, Andrew; 'vpn-help at lists.shrew.net' Subject: RE: Problems connecting Windows7 over Broadband Hi Andrew, no change. The LogFile on the FW says: Feb 21 17:35:24 racoon: ERROR: failed to begin ipsec sa negotication. Feb 21 17:35:24 racoon: ERROR: no configuration found for 178.115.x.y. (<-- that's the IP I got from the mobile provider) Feb 21 17:35:19 racoon: ERROR: failed to begin ipsec sa negotication. Feb 21 17:35:19 racoon: ERROR: no configuration found for 178.115.x.y. Feb 21 17:35:15 racoon: ERROR: failed to begin ipsec sa negotication. Feb 21 17:35:15 racoon: ERROR: no configuration found for 178.115.x.y. Feb 21 17:35:13 racoon: ERROR: failed to begin ipsec sa negotication. Feb 21 17:35:13 racoon: ERROR: no configuration found for 178.115.x.y. Feb 21 17:35:12 racoon: INFO: begin Identity Protection mode. 
regards,
rainer

From jrizk at hayesandassociates.com Tue Feb 21 10:33:47 2012
From: jrizk at hayesandassociates.com (Jack Rizk)
Date: Tue, 21 Feb 2012 11:33:47 -0500
Subject: [vpn-help] Issues with passing traffic after VPN tunnel is established
Message-ID: <5D4E714A21D444B1B0DE5FE8A0D9C464@jrizkhayesass>

Hi,

We have a user that has a laptop with Windows 7 Professional on it. They have the Shrew VPN Client 2.17. The VPN gateway that they are connecting to is an Adtran Netvanta 3430 firewall. The connection works sometimes and other times it doesn't. When it fails, it states that the tunnel is enabled, but you cannot pass traffic. On the Netvanta side, it states that IKE is up, but IPSEC is down.

The last time we had issues with it, we tried to connect with a different Windows 7 PC and it connected. Then we booted up in safe mode with the original PC that failed the first time. It was unable to connect when it was in safe mode, but when we took it out of safe mode, it could connect.

Any ideas?

Thanks,
Jack

Jack Rizk
Network Engineer
Hayes and Associates
336-969-1871 x108
jrizk at hayesandassociates.com

From aroper at bcsvoicedata.com Wed Feb 22 13:10:26 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Wed, 22 Feb 2012 19:10:26 +0000
Subject: [vpn-help] Issues with passing traffic after VPN tunnel is established
In-Reply-To: <5D4E714A21D444B1B0DE5FE8A0D9C464@jrizkhayesass>
References: <5D4E714A21D444B1B0DE5FE8A0D9C464@jrizkhayesass>
Message-ID: <168BE652-516E-410F-9F46-4DF58DD21225@bcsvoicedata.com>

Jack,

It makes total sense that it does not work in Safe Mode.
Safe Mode disables networking and only enables minimum services for OS functionality. I would even suspect that you'd have issues in Safe Mode with Networking, as other dependent services would be offline.

If, however, you are suggesting that a normal reboot does not resolve the issue but booting into Safe Mode and then a normal boot does, then that is particularly curious. For this I have no explanation.

As for continued troubleshooting, it would be necessary to perform a debug on the Netvanta and look for clues there, and on the client I would make sure there are no conflicting VPN clients installed, AV isn't interfering, drivers are up to date and the connection is stable. Running some debug logs on the client side would also help in narrowing down the problem.

Regards,
Andrew

Sent from my iPhone

On Feb 22, 2012, at 1:43 PM, "Jack Rizk" wrote:

Hi,

We have a user that has a laptop with Windows 7 Professional on it. They have the Shrew VPN Client 2.17. The VPN gateway that they are connecting to is an Adtran Netvanta 3430 firewall. The connection works sometimes and other times it doesn't. When it fails, it states that the tunnel is enabled, but you cannot pass traffic. On the Netvanta side, it states that IKE is up, but IPSEC is down.

The last time we had issues with it, we tried to connect with a different windows 7 PC and it connected. Then we booted up in safe mode with the original PC that failed the first time. It was unable to connect when it was in safe mode, but when we took it out of safe mode, it could connect.

Any ideas?

Thanks,
Jack

Jack Rizk
Network Engineer
Hayes and Associates
336-969-1871 x108
jrizk at hayesandassociates.com

From dave at davenjudy.org Sat Feb 25 23:58:29 2012
From: dave at davenjudy.org (David G.
Miller)
Date: Sat, 25 Feb 2012 22:58:29 -0700
Subject: [vpn-help] EL6 client?
Message-ID: <4F49CA05.9060701@davenjudy.org>

Hi List -

I'm looking into whether there is a way to get the Shrew Soft VPN client working with Red Hat Enterprise Linux 6.X (or clones such as Scientific Linux or CentOS). I have a working configuration installed on a Fedora Core 16 system but I need it working on EL6.

I noticed that folks who usually provide an RPM such as EPEL, rpmforge, ATrpms, etc. don't have one for EL6, which I'm taking as a hint that there is a deeper problem than just building the rpm. I also noticed that the client doesn't work on my development EL6 box regardless of whether I build from the archive available for download here or build from a backport of the source rpm from Fedora 16. Both of these approaches result in a clean build that installs, logs into my VPN server and appears to get packets back to the client but not back to the program such as ping or ssh that attempted to connect over the VPN.

Has anyone looked into building a statically linked version of iked (the other pieces appear to work) under Fedora? Anyone succeed?

Thanks,
Dave

"You can avoid reality, but you cannot avoid the consequences of avoiding reality." - Ayn Rand

From matthias.paust at seetec.de Thu Feb 2 08:17:54 2012
From: matthias.paust at seetec.de (Matthias Paust)
Date: Thu, 2 Feb 2012 14:17:54 +0000
Subject: [vpn-help] (no subject)
Message-ID: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE>

Problem:

The VPN client is connected to my gateway (tunnel enabled) but no access to the remote network is possible. We are using FortiGate 80c (fw v4.0,build0511,120110 (MR3 Patch 4)) and ShrewSoft VPN Client 2.1.7 for Windows.

The problems occurred after updating the firewall to the new version. With fw version v4.0,build0328,110718 (MR2 Patch 8) there was no problem.

Attached debug logs.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: shrewsoft_log.zip Type: application/x-zip-compressed Size: 9415 bytes Desc: shrewsoft_log.zip URL: From kvpn at live.com Thu Feb 2 20:53:54 2012 From: kvpn at live.com (Kevin VPN) Date: Thu, 2 Feb 2012 21:53:54 -0500 Subject: [vpn-help] Cannot access VPN resources In-Reply-To: <4F2A9228.8020706@gmail.com> References: <4F2A9228.8020706@gmail.com> Message-ID: On 02/02/2012 08:39 AM, Daniele at Gmail wrote: > Hi Kevin, > I resolved my problem by these steps: > > * uninstall VPN client (last installed: version 2.2.0) > * drop all connections files > * reinstall VPN client (2.1.7) > * import my VPN configuration from CISCo pcf file > > Now the VPN works. > Thank you. > Daniele > > > > > Il 27/01/2012 04:47, Kevin VPN ha scritto: >> On 01/26/2012 08:38 AM, Daniele Comand wrote: >>> Phase 1 appears to connect and I get the 'Tunnel enabled' message, >>> however, >>> I cannot ping or access any remote IP addresses. >>> I tried both the client versions 2.1.7 and 2.2.0, with almost identical >>> results. >>>> From another Windows XP machine with a Cisco client I can connect. >>> In the IKED.log debug file I find this message: >>> "12/01/25 20:07:08!: Peer violates RFC number transform mismatch (1! >>> = 14)" >>> Can you help me to get the VPN works? >>> >>> VPN Client Version = 2.1.7 e 2.2.0 >>> Windows OS Version = Windows 7 64-bit >>> Gateway Make/Model = CISCO PIX >>> Gateway OS Version = unknown >>> >> >> Hi Daniele, >> >> The problem is that the Phase2 negotiation is failing. According to >> the iked.log you provided, Phase1, XAuth and client configuration >> succeed, but Phase2 fails. >> >> You'll need to contact the VPN gateway administrator to find out why >> Phase2 is failing. It is probably because some of the settings in the >> Shrew client do not match what the Cisco requires. >> >> iked.log: >> >> 12/01/25 20:07:08 ii : phase1 sa established >> ... 
>> 12/01/25 20:07:08 ii : received basic xauth request - >> 12/01/25 20:07:08 ii : - standard xauth username >> 12/01/25 20:07:08 ii : - standard xauth password >> 12/01/25 20:07:08 ii : sending xauth response for comand >> 12/01/25 20:07:08 ii : received xauth result - >> 12/01/25 20:07:08 ii : user comand authentication succeeded >> ... >> 12/01/25 20:07:08 ii : sending config pull request >> 12/01/25 20:07:08 ii : processing config packet ( 76 bytes ) >> 12/01/25 20:07:08 DB : config found >> 12/01/25 20:07:08 ii : received config pull response >> 12/01/25 20:07:08 ii : - IP4 Address = 192.168.61.6 >> ... >> 12/01/25 20:07:24 -> : resend 1 phase2 packet(s) [2/2] >> 10.168.89.206:500 -> ??.???.???.?:500 >> 12/01/25 20:07:27 -> : resend 1 phase2 packet(s) [2/2] >> 10.168.89.206:500 -> ??.???.???.?:500 >> 12/01/25 20:07:29 ii : resend limit exceeded for phase2 exchange >> 12/01/25 20:07:29 ii : phase2 removal before expire time >> 12/01/25 20:07:29 DB : phase2 deleted ( obj count = 1 ) >> Great Daniele, thanks for reporting back! I've copied the list so that others who are having problems with PCF-related configurations can see what you did. By "dropped all connection files" I assume you mean that you went into the "Documents/Shrew Soft VPN/sites" directory and deleted the configuration files that were in there. Doing that would prevent Shrew from automatically importing them when you installed the client again, which would allow you to import the PCF file again. From kvpn at live.com Thu Feb 2 21:09:54 2012 From: kvpn at live.com (Kevin VPN) Date: Thu, 2 Feb 2012 22:09:54 -0500 Subject: [vpn-help] (no subject) In-Reply-To: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE> References: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE> Message-ID: On 02/02/2012 09:17 AM, Matthias Paust wrote: > Problem: > > The VPN client is connected to my gateway (tunnel enabled) but no > access to the remote network is possible. 
We are using FortiGate 80c
> (fw v4.0,build0511,120110 (MR3 Patch 4)) and ShrewSoft VPN Client
> 2.1.7 for Windows.
>
> The problems occurred after updating the firewall to the new version.
> With fw version v4.0,build0328,110718 (MR2 Patch 8) there was no
> problem.
>
> Attached debug logs.
>

Hi Matthias,

In general, everything looks good. Phase1 & Phase2 negotiations, and DHCP over IPSec configuration completes:

12/02/02 12:06:36 ii : phase1 sa established
12/02/02 12:06:36 ii : phase2 sa established
12/02/02 12:06:40 ii : reading DHCP reply options
12/02/02 12:06:40 ii : - message type = ack ( 192.168.123.53 )

From the looks of the policies, the VPN clients get an IP in the 192.168.0.0/16 private range and your internal network is in the 10.0.0.0/8 range. This means there is no overlap between the VPN clients and private hosts, which is good.

However, this is received about 1.5 minutes after the connection is established, then Shrew tears the connection down.

12/02/02 12:08:25 !! : message type is invalid ( 0 )

I would look at the Fortigate logs to see if it decided to kill the connection for some reason.

From l.modenese at gmail.com Sat Feb 4 07:23:10 2012
From: l.modenese at gmail.com (Loris Modenese)
Date: Sat, 04 Feb 2012 14:23:10 +0100
Subject: [vpn-help] Juniper SRX210 NAT-T problems
In-Reply-To:
References:
Message-ID: <4f2d2fda.d0770e0a.0162.ffff97f5@mx.google.com>

Hi Kevin,

I can confirm what Gergely said. The problem is related to the NAT-T and DPD code on both 2.1.7 and 2.2.0 versions. With NAT-T disabled or with a dial-up connection (public IP address) the link is stable.

I've also noticed that no matter how the client is configured (with or w/o DPD and different timeouts), it keeps on sending DPD every 30 sec when the NAT-T option is enabled, for 10 times, then it always disconnects (about 5-5.5 min).

I tested the config with 4 SRX-240H, 1 SRX-210H and 3 SRX-100 running JunOS 10.4 with the same results.
Here my working config for JunOS 10.4 (NAT-T disabled)

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:300
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:0
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:12.34.56.78
s:client-auto-mode:push
s:client-iface:virtual
s:network-natt-mode:disable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:any
s:ident-client-data:vpnclient.domain.local
b:auth-mutual-psk:xxxxxxxxxxxxxxxxx
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-3des
s:phase2-hmac:md5
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:auto
s:policy-list-include:192.168.78.0 / 255.255.255.0
s:client-saved-username:

Best regards
Loris Modenese

> On 07/05/2011 05:06 AM, Gergely Kiss wrote:
>> Dear List!
>>
>> I'm having problems while connecting to a Juniper SRX210 firewall
>> running JunOS 11.1R1.10. I'm using the latest stable Shrewsoft client
>> (2.1.7) on Windows 7 (but the issue happens on Windows XP, too).
>>
>> If I try to connect from a device with a public IP-address, like a
>> mobile broadband connection (without using NAT-T), everything works
>> perfectly, but if I connect through a NAT device (Linksys WRT54GS), the
>> connection works only for 6-7 minutes and then it terminates with no
>> particular reason (the error message is: "session terminated by gateway").
>>
> ...
>
>> I already tried debugging both ends, but I found nothing helpful in the
>> logs (except some "config packet ignored" messages on the client).
I
>> already tried upgrading to the latest beta release (2.2.0-beta-1), but
>> the issue still exists.
>>
> Hi Gergely,
>
> It might be that the Dead Peer Detection is somehow failing... that
> usually is 5 minutes or so. When you did the debug trace, did you see
> DPD messages (DPDV1-R-U-THERE) going back and forth?
>
> You could try disabling Dead Peer Detection in the Shrew site
> configuration...
>

From mh at morxy.co.uk Thu Feb 2 11:22:09 2012
From: mh at morxy.co.uk (mh at morxy.co.uk)
Date: Thu, 02 Feb 2012 17:22:09 +0000
Subject: [vpn-help] ikea startup: Session Management error
Message-ID: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>

I'm running Ubuntu 11.10 and installed Shrew VPN Client 2.1.7 using Ubuntu's package manager (ike-qtgui 2.1.7+dfsg-1build1).

$ iked
ii : created ike socket 0.0.0.0:500
ii : created natt socket 0.0.0.0:4500
## : IKE Daemon, ver 2.1.7
## : Copyright 2010 Shrew Soft Inc.
## : This product linked OpenSSL 1.0.0e 6 Sep 2011

$ ikea &
Session management error: None of the authentication protocols specified are supported

Can anyone explain this error? I've tried googling and can't find any definitive solution or cause. I can't use the ikea access manager to connect to any remote VPN server, probably as a result of this. (Meanwhile, the same VPN server works perfectly on my Windows XP laptop with the same Shrew client.)
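The replies in this archive diagnose "tunnel enabled but no traffic" reports by reading iked.log for the exchange that stalled and for whether DPD R-U-THERE requests are acknowledged. The following Python script is an added example, not part of any post and not Shrew Soft code; the function names and the sample log (constructed from line formats quoted in this archive) are assumptions.

```python
import re
from datetime import datetime

# iked.log line layout as quoted in this archive:
#   "YY/MM/DD HH:MM:SS <2-char tag> : <message>"
LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S\S) : (.*)$")
XAUTH_OK = re.compile(r"user (?:\S+ )?authentication succeeded")
RESEND_LIMIT = re.compile(r"resend limit exceeded for (\w+) exchange")
DPD_REQ = re.compile(r"DPD ARE-YOU-THERE sequence (\w+) requested")
DPD_ACK = re.compile(r"DPD ARE-YOU-THERE-ACK sequence (\w+) accepted")

# Constructed sample: phase1 and XAuth succeed, the config pull is never
# answered, and the last DPD request gets no ACK.
SAMPLE = """\
12/02/06 21:38:34 ii : nat discovery - local address is translated
12/02/06 21:38:34 ii : phase1 sa established
12/02/06 21:38:35 ii : user authentication succeeded
12/02/06 21:38:35 ii : sending config pull request
12/02/06 21:38:40 -> : resend 1 config packet(s) 192.168.1.6:4500 -> xx.xx.xx.xx:4500
12/02/06 21:38:49 ii : DPD ARE-YOU-THERE sequence 25f03682 requested
12/02/06 21:38:49 ii : DPD ARE-YOU-THERE-ACK sequence 25f03682 accepted
12/02/06 21:38:55 ii : resend limit exceeded for config exchange
12/02/06 21:39:04 ii : DPD ARE-YOU-THERE sequence 25f03683 requested
"""


def parse(text):
    """Return (timestamp, tag, message) for every well-formed log line.

    Leading mail-quote markers ("> ", ">> ") are stripped so that a log
    pasted from a quoted reply parses as well.
    """
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.lstrip("> ").strip())
        if not m:
            continue  # wrapped continuation lines, blank lines, prose
        ts = datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3).strip()))
    return events


def triage(text):
    """Summarise how far the negotiation got and what went unanswered."""
    report = {"phase1": False, "natt": False, "xauth": False,
              "config": False, "phase2": False,
              "timeouts": [], "dpd_unacked": [], "errors": []}
    for _ts, tag, msg in parse(text):
        if tag == "!!":                      # iked marks errors with "!!"
            report["errors"].append(msg)
        elif msg == "phase1 sa established":
            report["phase1"] = True
        elif msg == "phase2 sa established":
            report["phase2"] = True
        elif msg.startswith("nat discovery - local address is translated"):
            report["natt"] = True
        elif XAUTH_OK.fullmatch(msg):
            report["xauth"] = True
        elif msg == "received config pull response":
            report["config"] = True
        else:
            m = RESEND_LIMIT.fullmatch(msg)
            if m:
                report["timeouts"].append(m.group(1))
                continue
            m = DPD_REQ.fullmatch(msg)
            if m:
                report["dpd_unacked"].append(m.group(1))
                continue
            m = DPD_ACK.fullmatch(msg)
            if m and m.group(1) in report["dpd_unacked"]:
                report["dpd_unacked"].remove(m.group(1))
    return report


def stalled_at(report):
    """Name the first exchange that did not complete, or None if phase2 is up."""
    if not report["phase1"]:
        return "phase1"
    for stage in ("config", "phase2"):
        if stage in report["timeouts"]:
            return stage
    return None if report["phase2"] else "phase2"


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("stalled at:", stalled_at(result))
    print("unacknowledged DPD sequences:", result["dpd_unacked"])
    print("errors:", result["errors"])
```

A stall at "config" or "phase2" with phase1 established points at the gateway's policy or client settings rather than at authentication, which is why the replies send posters to the gateway logs.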
From stefan.bauer at cubewerk.de Sun Feb 5 05:21:03 2012
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Sun, 5 Feb 2012 12:21:03 +0100
Subject: [vpn-help] ikea startup: Session Management error
In-Reply-To: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>
References: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>
Message-ID:

-----Original Message-----
From: mh at morxy.co.uk
Sent: Sat 04.02.2012 15:33
Subject: [vpn-help] ikea startup: Session Management error
To: vpn-help at lists.shrew.net;

> I'm running Ubuntu 11.10 and installed Shrew VPN Client 2.1.7 using
> Ubuntu's package manager (ike-qtgui 2.1.7+dfsg-1build1).
>
> $ iked
> ii : created ike socket 0.0.0.0:500
> ii : created natt socket 0.0.0.0:4500
> ## : IKE Daemon, ver 2.1.7
> ## : Copyright 2010 Shrew Soft Inc.
> ## : This product linked OpenSSL 1.0.0e 6 Sep 2011
>
> $ ikea &
> Session management error: None of the authentication protocols
> specified are supported

Well, either you specified an auth protocol that your local system is not supporting or the remote server.

Stefan

From stephen.more at gmail.com Mon Feb 6 10:47:45 2012
From: stephen.more at gmail.com (Stephen More)
Date: Mon, 6 Feb 2012 11:47:45 -0500
Subject: [vpn-help] Status of Shrew and Juniper SRX
Message-ID:

Currently there are no Configuration Guides for Juniper SRX.

I have seen sample configs like:
http://forums.juniper.net/t5/SRX-Services-Gateway/Can-SRX-series-work-with-Shrew-Soft-VPN-client/m-p/76176/highlight/true#M9010

But I am unable to get past phase 1.

Does anyone know the current status?

-Thanks

From mpaci1 at gmail.com Mon Feb 6 23:55:58 2012
From: mpaci1 at gmail.com (Mike Pacifico)
Date: Mon, 6 Feb 2012 21:55:58 -0800
Subject: [vpn-help] No packets going through Watchguard
Message-ID:

Hello,

Just installed a watchguard XTM 510 4.2.1. Exported the .vpn, imported the config file into the VPN client.
According the the watchguard, I am authenticated as an client, or am I? No packets are being moved. I apologize in advance if I'm overlooking the obvious, but it's been a very long day. The following is the VPN trace: 12/02/06 21:37:52 ## : IKE Daemon, ver 2.1.7 12/02/06 21:37:52 ## : Copyright 2010 Shrew Soft Inc. 12/02/06 21:37:52 ## : This product linked OpenSSL 0.9.8h 28 May 2008 12/02/06 21:37:52 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log' 12/02/06 21:37:52 ii : rebuilding vnet device list ... 12/02/06 21:37:52 ii : device ROOT\VNET\0000 disabled 12/02/06 21:37:52 ii : network process thread begin ... 12/02/06 21:37:52 ii : pfkey process thread begin ... 12/02/06 21:37:52 ii : ipc server process thread begin ... 12/02/06 21:38:33 ii : ipc client process thread begin ... 12/02/06 21:38:33 _VPN' message 12/02/06 21:38:33 xx.xx.xx.xx:500 12/02/06 21:38:33 DB : f88412956c4b60da:0000000000000000 12/02/06 21:38:33 DB : phase1 ref increment ( ref count = 1, obj count = 0 ) 12/02/06 21:38:33 DB : phase1 added ( obj count = 1 ) 12/02/06 21:38:33 >> : security association payload 12/02/06 21:38:33 >> : - proposal #1 payload 12/02/06 21:38:33 >> : -- transform #1 payload 12/02/06 21:38:33 >> : key exchange payload 12/02/06 21:38:33 >> : nonce payload 12/02/06 21:38:33 >> : identification payload 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports XAUTH 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v00 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v01 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v02 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v03 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( rfc ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports DPDv1 
12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is SHREW SOFT compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is NETSCREEN compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is SIDEWINDER compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is CISCO UNITY compatible 12/02/06 21:38:33 >= : cookies f88412956c4b60da:0000000000000000 12/02/06 21:38:33 >= : message 00000000 12/02/06 21:38:33 -> : send IKE packet 192.168.1.6:500 -> xx.xx.xx.xx:500 ( 468 bytes ) 12/02/06 21:38:33 DB : phase1 resend event scheduled ( ref count = 2 ) 12/02/06 21:38:33 DB : phase1 ref decrement ( ref count = 1, obj count = 1 ) 12/02/06 21:38:33 DB : tunnel ref increment ( ref count = 3, obj count = 1 ) 12/02/06 21:38:34 <- : recv IKE packet xx.xx.xx.xx:500 -> 192.168.1.6:500 ( 320 bytes ) 12/02/06 21:38:34 DB : phase1 found 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 2, obj count = 1 ) 12/02/06 21:38:34 ii : processing phase1 packet ( 320 bytes ) 12/02/06 21:38:34 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 =< : message 00000000 12/02/06 21:38:34 << : security association payload 12/02/06 21:38:34 << : - propsal #1 payload 12/02/06 21:38:34 << : -- transform #1 payload 12/02/06 21:38:34 ii : matched isakmp proposal #1 transform #1 12/02/06 21:38:34 ii : - transform = ike 12/02/06 21:38:34 ii : - cipher type = 3des 12/02/06 21:38:34 ii : - key length = default 12/02/06 21:38:34 ii : - hash type = sha1 12/02/06 21:38:34 ii : - dh group = modp-768 12/02/06 21:38:34 ii : - auth type = xauth-initiator-psk 12/02/06 21:38:34 ii : - life seconds = 86400 12/02/06 21:38:34 ii : - life kbytes = 0 12/02/06 21:38:34 << : key exchange payload 12/02/06 21:38:34 << : nonce payload 12/02/06 21:38:34 << : identification payload 12/02/06 21:38:34 ii : phase1 id target is any 12/02/06 21:38:34 ii : phase1 id match 12/02/06 21:38:34 ii : received = ipv4-host 
xx.xx.xx.xx 12/02/06 21:38:34 << : vendor id payload 12/02/06 21:38:34 ii : peer supports DPDv1 12/02/06 21:38:34 << : vendor id payload 12/02/06 21:38:34 ii : peer supports nat-t ( draft v02 ) 12/02/06 21:38:34 << : nat discovery payload 12/02/06 21:38:34 << : nat discovery payload 12/02/06 21:38:34 << : hash payload 12/02/06 21:38:34 ii : nat discovery - local address is translated 12/02/06 21:38:34 ii : switching to src nat-t udp port 4500 12/02/06 21:38:34 ii : switching to dst nat-t udp port 4500 12/02/06 21:38:34 == : DH shared secret ( 96 bytes ) 12/02/06 21:38:34 == : SETKEYID ( 20 bytes ) 12/02/06 21:38:34 == : SETKEYID_d ( 20 bytes ) 12/02/06 21:38:34 == : SETKEYID_a ( 20 bytes ) 12/02/06 21:38:34 == : SETKEYID_e ( 20 bytes ) 12/02/06 21:38:34 == : cipher key ( 40 bytes ) 12/02/06 21:38:34 == : cipher iv ( 8 bytes ) 12/02/06 21:38:34 == : phase1 hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:34 >> : hash payload 12/02/06 21:38:34 >> : nat discovery payload 12/02/06 21:38:34 >> : nat discovery payload 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message 00000000 12/02/06 21:38:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : encrypt packet ( 100 bytes ) 12/02/06 21:38:34 == : stored iv ( 8 bytes ) 12/02/06 21:38:34 DB : phase1 resend event canceled ( ref count = 1 ) 12/02/06 21:38:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx4500 ( 132 bytes ) 12/02/06 21:38:34 == : phase1 hash_r ( computed ) ( 20 bytes ) 12/02/06 21:38:34 == : phase1 hash_r ( received ) ( 20 bytes ) 12/02/06 21:38:34 ii : phase1 sa established 12/02/06 21:38:34 ii : xx.xx.xx.xx:4500 <-> 192.168.1.6:4500 12/02/06 21:38:34 ii : f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 ii : sending peer INITIAL-CONTACT notification 12/02/06 21:38:34 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:34 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 ii : - data size 0 12/02/06 21:38:34 >> : hash 
payload 12/02/06 21:38:34 >> : notification payload 12/02/06 21:38:34 == : new informational hash ( 20 bytes ) 12/02/06 21:38:34 == : new informational iv ( 8 bytes ) 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message f653a002 12/02/06 21:38:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : encrypt packet ( 80 bytes ) 12/02/06 21:38:34 == : stored iv ( 8 bytes ) 12/02/06 21:38:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 5, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 2, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 3, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 DB : phase2 not found 12/02/06 21:38:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:34 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 116 bytes ) 12/02/06 21:38:34 DB : phase1 found 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 ii : processing config packet ( 116 bytes ) 12/02/06 21:38:34 DB : config not found 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 6, obj count = 1 ) 12/02/06 21:38:34 DB : config ref increment ( ref count = 1, obj count = 0 ) 12/02/06 21:38:34 DB : config added ( obj count = 1 ) 12/02/06 21:38:34 == : new config iv ( 8 bytes ) 12/02/06 21:38:34 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 =< : message 84d14434 12/02/06 21:38:34 =< : decrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : decrypt packet ( 116 bytes ) 12/02/06 21:38:34 <= : trimmed packet padding ( 2 bytes ) 12/02/06 21:38:34 <= : stored iv ( 8 bytes ) 12/02/06 21:38:34 << : hash payload 12/02/06 21:38:34 << : attribute payload 12/02/06 21:38:34 == : configure 
hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:34 == : configure hash_c ( computed ) ( 20 bytes ) 12/02/06 21:38:34 ii : configure hash verified 12/02/06 21:38:34 ii : - xauth username 12/02/06 21:38:34 ii : - xauth password 12/02/06 21:38:34 ii : received basic xauth request - Please Enter Your User Name and Password : 12/02/06 21:38:34 ii : - standard xauth username 12/02/06 21:38:34 ii : - standard xauth password 12/02/06 21:38:34 ii : sending xauth response for 12/02/06 21:38:34 >> : hash payload 12/02/06 21:38:34 >> : attribute payload 12/02/06 21:38:34 == : new configure hash ( 20 bytes ) 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message 84d14434 12/02/06 21:38:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : encrypt packet ( 93 bytes ) 12/02/06 21:38:34 == : stored iv ( 8 bytes ) 12/02/06 21:38:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 132 bytes ) 12/02/06 21:38:34 DB : config resend event scheduled ( ref count = 2 ) 12/02/06 21:38:34 DB : config ref decrement ( ref count = 1, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:35 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 100 bytes ) 12/02/06 21:38:35 DB : phase1 found 12/02/06 21:38:35 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:35 ii : processing config packet ( 100 bytes ) 12/02/06 21:38:35 DB : config found 12/02/06 21:38:35 DB : config ref increment ( ref count = 2, obj count = 1 ) 12/02/06 21:38:35 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:35 =< : message 84d14434 12/02/06 21:38:35 =< : decrypt iv ( 8 bytes ) 12/02/06 21:38:35 == : decrypt packet ( 100 bytes ) 12/02/06 21:38:35 <= : trimmed packet padding ( 4 bytes ) 12/02/06 21:38:35 <= : stored iv ( 8 bytes ) 12/02/06 21:38:35 << : hash payload 12/02/06 21:38:35 << : attribute payload 12/02/06 21:38:35 == : configure hash_i ( computed ) ( 20 
bytes ) 12/02/06 21:38:35 == : configure hash_c ( computed ) ( 20 bytes ) 12/02/06 21:38:35 ii : configure hash verified 12/02/06 21:38:35 ii : received xauth result - 12/02/06 21:38:35 ii : user authentication succeeded 12/02/06 21:38:35 ii : sending xauth acknowledge 12/02/06 21:38:35 >> : hash payload 12/02/06 21:38:35 >> : attribute payload 12/02/06 21:38:35 == : new configure hash ( 20 bytes ) 12/02/06 21:38:35 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:35 >= : message 84d14434 12/02/06 21:38:35 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:35 == : encrypt packet ( 60 bytes ) 12/02/06 21:38:35 == : stored iv ( 8 bytes ) 12/02/06 21:38:35 DB : config resend event canceled ( ref count = 1 ) 12/02/06 21:38:35 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 92 bytes ) 12/02/06 21:38:35 DB : config resend event scheduled ( ref count = 2 ) 12/02/06 21:38:35 ii : building config attribute list 12/02/06 21:38:35 ii : - IP4 Address 12/02/06 21:38:35 ii : - Address Expiry 12/02/06 21:38:35 ii : - IP4 Netamask 12/02/06 21:38:35 ii : - IP4 DNS Server 12/02/06 21:38:35 ii : - IP4 WINS Server 12/02/06 21:38:35 ii : - IP4 Subnet 12/02/06 21:38:35 == : new config iv ( 8 bytes ) 12/02/06 21:38:35 ii : sending config pull request 12/02/06 21:38:35 >> : hash payload 12/02/06 21:38:35 >> : attribute payload 12/02/06 21:38:35 == : new configure hash ( 20 bytes ) 12/02/06 21:38:35 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:35 >= : message 6a213b7c 12/02/06 21:38:35 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:35 == : encrypt packet ( 84 bytes ) 12/02/06 21:38:35 == : stored iv ( 8 bytes ) 12/02/06 21:38:35 DB : config resend event canceled ( ref count = 1 ) 12/02/06 21:38:35 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:38:35 DB : config resend event scheduled ( ref count = 2 ) 12/02/06 21:38:35 DB : config ref decrement ( ref count = 1, obj count = 1 ) 12/02/06 21:38:35 DB : phase1 ref 
decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:40 -> : resend 1 config packet(s) 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:45 -> : resend 1 config packet(s) 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:49 DB : phase1 found 12/02/06 21:38:49 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:49 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:38:49 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:49 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 ii : - data size 4 12/02/06 21:38:49 >> : hash payload 12/02/06 21:38:49 >> : notification payload 12/02/06 21:38:49 == : new informational hash ( 20 bytes ) 12/02/06 21:38:49 == : new informational iv ( 8 bytes ) 12/02/06 21:38:49 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 >= : message 4fa00751 12/02/06 21:38:49 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:49 == : encrypt packet ( 84 bytes ) 12/02/06 21:38:49 == : stored iv ( 8 bytes ) 12/02/06 21:38:49 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:38:49 ii : DPD ARE-YOU-THERE sequence 25f03682 requested 12/02/06 21:38:49 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:49 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:38:49 DB : phase1 found 12/02/06 21:38:49 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:49 ii : processing informational packet ( 84 bytes ) 12/02/06 21:38:49 == : new informational iv ( 8 bytes ) 12/02/06 21:38:49 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 =< : message 87841a4f 12/02/06 21:38:49 =< : decrypt iv ( 8 bytes ) 12/02/06 21:38:49 == : decrypt packet ( 84 bytes ) 12/02/06 21:38:49 <= : stored iv ( 8 bytes ) 12/02/06 21:38:49 << : hash payload 12/02/06 21:38:49 << : notification payload 12/02/06 21:38:49 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:49 == : 
informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:38:49 ii : informational hash verified 12/02/06 21:38:49 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:38:49 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:38:49 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 ii : - data size 4 12/02/06 21:38:49 ii : DPD ARE-YOU-THERE-ACK sequence 25f03682 accepted 12/02/06 21:38:49 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:38:49 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:50 -> : resend 1 config packet(s) 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:54 DB : phase1 found 12/02/06 21:38:54 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:54 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:54 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:55 ii : resend limit exceeded for config exchange 12/02/06 21:38:55 DB : config deleted ( obj count = 0 ) 12/02/06 21:38:55 DB : tunnel ref decrement ( ref count = 5, obj count = 1 ) 12/02/06 21:39:04 DB : phase1 found 12/02/06 21:39:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:04 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:39:04 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:39:04 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 ii : - data size 4 12/02/06 21:39:04 >> : hash payload 12/02/06 21:39:04 >> : notification payload 12/02/06 21:39:04 == : new informational hash ( 20 bytes ) 12/02/06 21:39:04 == : new informational iv ( 8 bytes ) 12/02/06 21:39:04 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 >= : message c7f0488b 12/02/06 21:39:04 >= : encrypt iv ( 8 bytes ) 12/02/06 21:39:04 == : encrypt packet ( 84 bytes ) 12/02/06 21:39:04 == : stored iv ( 8 bytes ) 12/02/06 21:39:04 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> 
xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:39:04 ii : DPD ARE-YOU-THERE sequence 25f03683 requested 12/02/06 21:39:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:04 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:39:04 DB : phase1 found 12/02/06 21:39:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:04 ii : processing informational packet ( 84 bytes ) 12/02/06 21:39:04 == : new informational iv ( 8 bytes ) 12/02/06 21:39:04 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 =< : message fbc22a40 12/02/06 21:39:04 =< : decrypt iv ( 8 bytes ) 12/02/06 21:39:04 == : decrypt packet ( 84 bytes ) 12/02/06 21:39:04 <= : stored iv ( 8 bytes ) 12/02/06 21:39:04 << : hash payload 12/02/06 21:39:04 << : notification payload 12/02/06 21:39:04 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:39:04 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:39:04 ii : informational hash verified 12/02/06 21:39:04 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:39:04 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:39:04 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 ii : - data size 4 12/02/06 21:39:04 ii : DPD ARE-YOU-THERE-ACK sequence 25f03683 accepted 12/02/06 21:39:04 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:39:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:14 DB : phase1 found 12/02/06 21:39:14 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:14 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:39:14 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:19 DB : phase1 found 12/02/06 21:39:19 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:19 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:39:19 ii : - 192.168.1.6:4500 
-> xx.xx.xx.xx:4500 12/02/06 21:39:19 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:19 ii : - data size 4 12/02/06 21:39:19 >> : hash payload 12/02/06 21:39:19 >> : notification payload 12/02/06 21:39:19 == : new informational hash ( 20 bytes ) 12/02/06 21:39:19 == : new informational iv ( 8 bytes ) 12/02/06 21:39:19 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:19 >= : message b292a263 12/02/06 21:39:19 >= : encrypt iv ( 8 bytes ) 12/02/06 21:39:19 == : encrypt packet ( 84 bytes ) 12/02/06 21:39:19 == : stored iv ( 8 bytes ) 12/02/06 21:39:19 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:39:19 ii : DPD ARE-YOU-THERE sequence 25f03684 requested 12/02/06 21:39:19 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:19 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:39:19 DB : phase1 found 12/02/06 21:39:19 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:19 ii : processing informational packet ( 84 bytes ) 12/02/06 21:39:19 == : new informational iv ( 8 bytes ) 12/02/06 21:39:19 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:19 =< : message c92ea38f 12/02/06 21:39:19 =< : decrypt iv ( 8 bytes ) 12/02/06 21:39:19 == : decrypt packet ( 84 bytes ) 12/02/06 21:39:19 <= : stored iv ( 8 bytes ) 12/02/06 21:39:19 << : hash payload 12/02/06 21:39:19 << : notification payload 12/02/06 21:39:19 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:39:19 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:39:19 ii : informational hash verified 12/02/06 21:39:19 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:39:19 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:39:19 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:19 ii : - data size 4 12/02/06 21:39:19 ii : DPD ARE-YOU-THERE-ACK sequence 25f03684 accepted 12/02/06 21:39:19 ii : 
next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:39:19 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:34 DB : phase1 found 12/02/06 21:39:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:34 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:39:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:34 DB : phase1 found 12/02/06 21:39:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:34 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:39:34 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:39:34 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:34 ii : - data size 4 12/02/06 21:39:34 >> : hash payload 12/02/06 21:39:34 >> : notification payload 12/02/06 21:39:34 == : new informational hash ( 20 bytes ) 12/02/06 21:39:34 == : new informational iv ( 8 bytes ) 12/02/06 21:39:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:34 >= : message 275ea992 12/02/06 21:39:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:39:34 == : encrypt packet ( 84 bytes ) 12/02/06 21:39:34 == : stored iv ( 8 bytes ) 12/02/06 21:39:34 -> : send NAT-T:IKE packet 192.168.1.6:4500->xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:39:34 ii : DPD ARE-YOU-THERE sequence 25f03685 requested 12/02/06 21:39:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:34 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:39:34 DB : phase1 found 12/02/06 21:39:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:34 ii : processing informational packet ( 84 bytes ) 12/02/06 21:39:34 == : new informational iv ( 8 bytes ) 12/02/06 21:39:34 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:34 =< : message 8d1e702e 12/02/06 21:39:34 =< : decrypt iv ( 8 bytes ) 12/02/06 21:39:34 == : decrypt packet ( 84 bytes ) 12/02/06 21:39:34 
<= : stored iv ( 8 bytes ) 12/02/06 21:39:34 << : hash payload 12/02/06 21:39:34 << : notification payload 12/02/06 21:39:34 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:39:34 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:39:34 ii : informational hash verified 12/02/06 21:39:34 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:39:34 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:39:34 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:34 ii : - data size 4 12/02/06 21:39:34 ii : DPD ARE-YOU-THERE-ACK sequence 25f03685 accepted 12/02/06 21:39:34 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:39:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:49 DB : phase1 found 12/02/06 21:39:49 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:49 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:39:49 ii : - 192.168.1.6:4500 -> 12.249.128.94:4500 12/02/06 21:39:49 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:49 ii : - data size 4 12/02/06 21:39:49 >> : hash payload 12/02/06 21:39:49 >> : notification payload 12/02/06 21:39:49 == : new informational hash ( 20 bytes ) 12/02/06 21:39:49 == : new informational iv ( 8 bytes ) 12/02/06 21:39:49 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:49 >= : message 0dd7dfcb 12/02/06 21:39:49 >= : encrypt iv ( 8 bytes ) 12/02/06 21:39:49 == : encrypt packet ( 84 bytes ) 12/02/06 21:39:49 == : stored iv ( 8 bytes ) 12/02/06 21:39:49 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:39:49 ii : DPD ARE-YOU-THERE sequence 25f03686 requested 12/02/06 21:39:49 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:49 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:39:49 DB : phase1 found 12/02/06 21:39:49 DB : phase1 ref increment ( ref count = 4, 
obj count = 1 ) 12/02/06 21:39:49 ii : processing informational packet ( 84 bytes ) 12/02/06 21:39:49 == : new informational iv ( 8 bytes ) 12/02/06 21:40:04 DB : phase1 found 12/02/06 21:40:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:04 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:40:04 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:40:04 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:04 ii : - data size 4 12/02/06 21:40:04 >> : hash payload 12/02/06 21:40:04 >> : notification payload 12/02/06 21:40:04 == : new informational hash ( 20 bytes ) 12/02/06 21:40:04 == : new informational iv ( 8 bytes ) 12/02/06 21:40:04 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:04 >= : message 30a04be5 12/02/06 21:40:04 >= : encrypt iv ( 8 bytes ) 12/02/06 21:40:04 == : encrypt packet ( 84 bytes ) 12/02/06 21:40:04 == : stored iv ( 8 bytes ) 12/02/06 21:40:04 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:40:04 ii : DPD ARE-YOU-THERE sequence 25f03687 requested 12/02/06 21:40:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:04 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:40:04 DB : phase1 found 12/02/06 21:40:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:04 ii : processing informational packet ( 84 bytes ) 12/02/06 21:40:04 == : new informational iv ( 8 bytes ) 12/02/06 21:40:04 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:04 =< : message b1407db0 12/02/06 21:40:04 =< : decrypt iv ( 8 bytes ) 12/02/06 21:40:04 == : decrypt packet ( 84 bytes ) 12/02/06 21:40:04 <= : stored iv ( 8 bytes ) 12/02/06 21:40:04 << : hash payload 12/02/06 21:40:04 << : notification payload 12/02/06 21:40:04 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:40:04 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:40:04 ii : 
informational hash verified 12/02/06 21:40:04 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:40:04 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:40:04 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:04 ii : - data size 4 12/02/06 21:40:04 ii : DPD ARE-YOU-THERE-ACK sequence 25f03687 accepted 12/02/06 21:40:04 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:40:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:14 DB : phase1 found 12/02/06 21:40:14 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:14 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:40:14 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:19 DB : phase1 found 12/02/06 21:40:19 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:19 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:40:19 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:40:19 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:19 ii : - data size 4 12/02/06 21:40:19 >> : hash payload 12/02/06 21:40:19 >> : notification payload 12/02/06 21:40:19 == : new informational hash ( 20 bytes ) 12/02/06 21:40:19 == : new informational iv ( 8 bytes ) 12/02/06 21:40:19 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:19 >= : message 211c1463 12/02/06 21:40:19 >= : encrypt iv ( 8 bytes ) 12/02/06 21:40:19 == : encrypt packet ( 84 bytes ) 12/02/06 21:40:19 == : stored iv ( 8 bytes ) 12/02/06 21:40:19 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:40:19 ii : DPD ARE-YOU-THERE sequence 25f03688 requested 12/02/06 21:40:19 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:19 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:40:19 DB : phase1 found 12/02/06 21:40:19 DB : phase1 ref increment ( ref 
count = 4, obj count = 1 ) 12/02/06 21:40:19 ii : processing informational packet ( 84 bytes ) 12/02/06 21:40:19 == : new informational iv ( 8 bytes ) 12/02/06 21:40:19 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:19 =< : message bcdd000f 12/02/06 21:40:19 =< : decrypt iv ( 8 bytes ) 12/02/06 21:40:19 == : decrypt packet ( 84 bytes ) 12/02/06 21:40:19 <= : stored iv ( 8 bytes ) 12/02/06 21:40:19 << : hash payload 12/02/06 21:40:19 << : notification payload 12/02/06 21:40:19 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:40:19 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:40:19 ii : informational hash verified 12/02/06 21:40:19 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:40:19 ii : -xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:40:19 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:19 ii : - data size 4 12/02/06 21:40:19 ii : DPD ARE-YOU-THERE-ACK sequence 25f03688 accepted 12/02/06 21:40:19 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:40:19 DB : phase1 ref decrement ( ref count = 3, obj count = 1 )

From olli.henttonen at datapro.fi Tue Feb 7 21:35:10 2012
From: olli.henttonen at datapro.fi (Olli Henttonen)
Date: Wed, 8 Feb 2012 03:35:10 +0000
Subject: [vpn-help] How to disable Windows 7 pre login?
Message-ID: <23F1D05DF13E7046A5BCD1EB0E35B0D901F862@DB3PRD0502MB100.eurprd05.prod.outlook.com>

How to disable windows 7 pre login if not needed?

Btw. Thanks for this great software!

Regards,
OLLI
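Added example, not part of any message in this archive and not Shrew Soft code: a small reader for iked.log traces like the ones posted in the "No packets going through Watchguard" and "Cannot access VPN resources" threads, reporting which negotiation stage (phase1, xauth, config, phase2) completed and where the exchange gave up. The function names are hypothetical, the sample traces are constructed from log lines quoted in the threads, and the `phase2 sa established` success string is an assumption because no trace on the page reaches that point.

```python
"""Summarise which IKEv1 negotiation stage a Shrew Soft iked.log trace reached."""
import re

# Every entry starts with a "YY/MM/DD HH:MM:SS" stamp, then a tag, then " : ".
TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
ENTRY = re.compile(rf"({TS}) (\S+) : (.*)", re.S)
STAGES = ("phase1", "xauth", "config", "phase2")

SUCCESS = {
    "phase1": re.compile(r"^phase1 sa established"),
    "xauth": re.compile(r"^user (\S+ )?authentication succeeded"),
    "config": re.compile(r"^received config pull response"),
    # Assumption: success string not present in the traces on the page.
    "phase2": re.compile(r"^phase2 sa established"),
}
# "resend limit exceeded for config exchange" / "... for phase2 exchange"
GIVE_UP = re.compile(r"^resend limit exceeded for (\w+) exchange")
DPD_ACK = re.compile(r"^DPD ARE-YOU-THERE-ACK sequence \w+ accepted")


def entries(text):
    """Yield (timestamp, tag, message) from a per-line or flattened trace."""
    # Zero-width split before each timestamp (needs Python 3.7+), so a trace
    # that an archive collapsed onto one line parses like the original file.
    for chunk in re.split(rf"(?={TS} )", text):
        m = ENTRY.match(chunk.strip())
        if m:  # fragments damaged by archiving do not match and are skipped
            yield m.group(1), m.group(2), " ".join(m.group(3).split())


def summarise(text):
    """Return per-stage status, the first stage that did not complete, DPD acks."""
    stages = {name: {"status": "not reached", "at": None} for name in STAGES}
    dpd_acks = 0
    for ts, _tag, msg in entries(text):
        if DPD_ACK.match(msg):
            dpd_acks += 1  # peer still answers on the phase1 SA
            continue
        gave_up = GIVE_UP.match(msg)
        if gave_up:
            name = gave_up.group(1)
            # A timeout only counts if the stage has not already completed.
            if name in stages and stages[name]["status"] != "ok":
                stages[name] = {"status": "failed", "at": ts}
            continue
        for name, pattern in SUCCESS.items():
            if pattern.match(msg) and stages[name]["status"] != "ok":
                stages[name] = {"status": "ok", "at": ts}
    stalled_at = next((n for n in STAGES if stages[n]["status"] != "ok"), None)
    return {"stages": stages, "stalled_at": stalled_at, "dpd_acks": dpd_acks}


# Constructed sample: flattened excerpt of the Watchguard trace, including one
# fragment that lost its tag when the archive stripped markup.
WATCHGUARD_TRACE = (
    "12/02/06 21:38:33 _VPN' message "
    "12/02/06 21:38:34 ii : phase1 sa established "
    "12/02/06 21:38:35 ii : user authentication succeeded "
    "12/02/06 21:38:35 ii : sending config pull request "
    "12/02/06 21:38:40 -> : resend 1 config packet(s) "
    "192.168.1.6:4500 -> xx.xx.xx.xx:4500 "
    "12/02/06 21:38:49 ii : DPD ARE-YOU-THERE-ACK sequence 25f03682 accepted "
    "12/02/06 21:38:55 ii : resend limit exceeded for config exchange "
    "12/02/06 21:38:55 DB : config deleted ( obj count = 0 )"
)

# Constructed sample: per-line excerpt of the Cisco PIX trace quoted earlier.
PIX_TRACE = """\
12/01/25 20:07:08 ii : phase1 sa established
12/01/25 20:07:08 ii : user comand authentication succeeded
12/01/25 20:07:08 ii : received config pull response
12/01/25 20:07:24 -> : resend 1 phase2 packet(s) [2/2] 10.168.89.206:500 -> ??.???.???.?:500
12/01/25 20:07:29 ii : resend limit exceeded for phase2 exchange
"""

if __name__ == "__main__":
    for label, trace in (("watchguard", WATCHGUARD_TRACE), ("pix", PIX_TRACE)):
        result = summarise(trace)
        print(label, "stalled at:", result["stalled_at"])
        for name in STAGES:
            print("  ", name, result["stages"][name])
        print("   DPD acks:", result["dpd_acks"])
```

A stage marked "failed" with DPD acknowledgements still arriving means the gateway is reachable on the phase1 SA, so the stalled exchange itself is the place to compare client and gateway settings.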
From jacques.eeses at wanadoo.fr Wed Feb 8 04:35:13 2012
From: jacques.eeses at wanadoo.fr (Jacques EESES)
Date: Wed, 8 Feb 2012 11:35:13 +0100
Subject: [vpn-help] Run shrew withiout graphic interface
Message-ID:

Good day

How do run ikea without graphic interface for establish a vpn connection between a linux server and my router ?

What command linux do i used for that ?

Thank you and excuse me for bad english .
I am french man .

Best regards

From stephen.more at gmail.com Wed Feb 8 05:23:21 2012
From: stephen.more at gmail.com (Stephen More)
Date: Wed, 8 Feb 2012 06:23:21 -0500
Subject: [vpn-help] Run shrew withiout graphic interface
In-Reply-To:
References:
Message-ID:

ikec

On Wed, Feb 8, 2012 at 5:35 AM, Jacques EESES wrote:
> Good day
>
> How do run ikea without graphic interface for establish a vpn connection
> between a linux server and my router ?
>
> What command linux do i used for that ?
>
> Thank you and excuse me for bad english .
> I am french man .
>
>
> Best regards
>
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
>

From jernej's-shrew at eternallybored.org Wed Feb 8 08:08:23 2012
From: jernej's-shrew at eternallybored.org (Jernej Simončič)
Date: Wed, 8 Feb 2012 15:08:23 +0100
Subject: [vpn-help] How to disable Windows 7 pre login?
In-Reply-To: <23F1D05DF13E7046A5BCD1EB0E35B0D901F862@DB3PRD0502MB100.eurprd05.prod.outlook.com>
References: <23F1D05DF13E7046A5BCD1EB0E35B0D901F862@DB3PRD0502MB100.eurprd05.prod.outlook.com>
Message-ID: <1498845072.20120208150823@eternallybored.org>

On Wednesday, February 8, 2012, 4:35:10, Olli Henttonen wrote:

> How to disable windows 7 pre login if not needed?

Uninstall, then install again without the Credential provider component.

--
< Jernej Simončič
><><><><>< http://eternallybored.org/ >

Food that tastes the best has the highest number of calories.
-- Dieter's Law

From aroper at bcsvoicedata.com Wed Feb 8 09:42:24 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Wed, 8 Feb 2012 15:42:24 +0000
Subject: [vpn-help] Run shrew withiout graphic interface
In-Reply-To:
References:
Message-ID: <20B2861F76CB724690F1809A616849052AAC8098@CORPSERV.bcsvds.local>

Jacques,

You would not use Shrew in this instance. You would just set up a standard IPSec VPN connection between the Linux server and the router. The procedures for this vary depending on the Linux distribution and the type of router.

Regards,
Andrew

From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Jacques EESES
Sent: Wednesday, February 08, 2012 5:35 AM
To: vpn-help at lists.shrew.net
Subject: [vpn-help] Run shrew withiout graphic interface

Good day

How do run ikea without graphic interface for establish a vpn connection between a linux server and my router ?

What command linux do i used for that ?

Thank you and excuse me for bad english .
I am french man .

Best regards

From jacques.eeses at wanadoo.fr Wed Feb 8 10:30:42 2012
From: jacques.eeses at wanadoo.fr (Jacques EESES)
Date: Wed, 8 Feb 2012 17:30:42 +0100
Subject: [vpn-help] How to disable Windows 7 pre login?
In-Reply-To: <1498845072.20120208150823@eternallybored.org>
References: <23F1D05DF13E7046A5BCD1EB0E35B0D901F862@DB3PRD0502MB100.eurprd05.prod.outlook.com> <1498845072.20120208150823@eternallybored.org>
Message-ID:

error it's no for me jack

2012/2/8 Jernej Simončič
> On Wednesday, February 8, 2012, 4:35:10, Olli Henttonen wrote:
>
> > How to disable windows 7 pre login if not needed?
>
> Uninstall, then install again without the Credential provider
> component.
>
> --
> < Jernej Simončič
><><><><>< http://eternallybored.org/ >
>
> Food that tastes the best has the highest number of calories.
> -- Dieter's Law

From aroper at bcsvoicedata.com Wed Feb 8 09:40:40 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Wed, 8 Feb 2012 15:40:40 +0000
Subject: [vpn-help] No packets going through Watchguard
In-Reply-To:
References:
Message-ID: <20B2861F76CB724690F1809A616849052AAC807D@CORPSERV.bcsvds.local>

Mike,

It doesn't look like Phase 2 is being completed. Without Phase 2 negotiations completing you cannot build the tunnel. Check your Phase 2 proposals on the client and make sure they match with what the firewall is expecting.

Regards,
Andrew

From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Mike Pacifico
Sent: Tuesday, February 07, 2012 12:56 AM
To: vpn-help at lists.shrew.net
Subject: [vpn-help] No packets going through Watchguard

Hello,

Just installed a watchguard XTM 510 4.2.1. Exported the .vpn, imported the config file into the VPN client. According to the watchguard, I am authenticated as a client, or am I? No packets are being moved. I apologize in advance if I'm overlooking the obvious, but it's been a very long day.

The following is the VPN trace:

12/02/06 21:37:52 ## : IKE Daemon, ver 2.1.7 12/02/06 21:37:52 ## : Copyright 2010 Shrew Soft Inc. 12/02/06 21:37:52 ## : This product linked OpenSSL 0.9.8h 28 May 2008 12/02/06 21:37:52 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log' 12/02/06 21:37:52 ii : rebuilding vnet device list ... 12/02/06 21:37:52 ii : device ROOT\VNET\0000 disabled 12/02/06 21:37:52 ii : network process thread begin ... 12/02/06 21:37:52 ii : pfkey process thread begin ...
12/02/06 21:37:52 ii : ipc server process thread begin ... 12/02/06 21:38:33 ii : ipc client process thread begin ... 12/02/06 21:38:33 _VPN' message 12/02/06 21:38:33 <-> xx.xx.xx.xx:500 12/02/06 21:38:33 DB : f88412956c4b60da:0000000000000000 12/02/06 21:38:33 DB : phase1 ref increment ( ref count = 1, obj count = 0 ) 12/02/06 21:38:33 DB : phase1 added ( obj count = 1 ) 12/02/06 21:38:33 >> : security association payload 12/02/06 21:38:33 >> : - proposal #1 payload 12/02/06 21:38:33 >> : -- transform #1 payload 12/02/06 21:38:33 >> : key exchange payload 12/02/06 21:38:33 >> : nonce payload 12/02/06 21:38:33 >> : identification payload 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports XAUTH 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v00 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v01 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v02 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v03 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( rfc ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports DPDv1 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is SHREW SOFT compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is NETSCREEN compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is SIDEWINDER compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is CISCO UNITY compatible 12/02/06 21:38:33 >= : cookies f88412956c4b60da:0000000000000000 12/02/06 21:38:33 >= : message 00000000 12/02/06 21:38:33 -> : send IKE packet 192.168.1.6:500 -> xx.xx.xx.xx:500 ( 468 bytes ) 12/02/06 21:38:33 DB : phase1 resend event scheduled ( ref count = 2 ) 12/02/06 21:38:33 DB : phase1 ref decrement ( ref 
count = 1, obj count = 1 ) 12/02/06 21:38:33 DB : tunnel ref increment ( ref count = 3, obj count = 1 ) 12/02/06 21:38:34 <- : recv IKE packet xx.xx.xx.xx:500 -> 192.168.1.6:500 ( 320 bytes ) 12/02/06 21:38:34 DB : phase1 found 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 2, obj count = 1 ) 12/02/06 21:38:34 ii : processing phase1 packet ( 320 bytes ) 12/02/06 21:38:34 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 =< : message 00000000 12/02/06 21:38:34 << : security association payload 12/02/06 21:38:34 << : - propsal #1 payload 12/02/06 21:38:34 << : -- transform #1 payload 12/02/06 21:38:34 ii : matched isakmp proposal #1 transform #1 12/02/06 21:38:34 ii : - transform = ike 12/02/06 21:38:34 ii : - cipher type = 3des 12/02/06 21:38:34 ii : - key length = default 12/02/06 21:38:34 ii : - hash type = sha1 12/02/06 21:38:34 ii : - dh group = modp-768 12/02/06 21:38:34 ii : - auth type = xauth-initiator-psk 12/02/06 21:38:34 ii : - life seconds = 86400 12/02/06 21:38:34 ii : - life kbytes = 0 12/02/06 21:38:34 << : key exchange payload 12/02/06 21:38:34 << : nonce payload 12/02/06 21:38:34 << : identification payload 12/02/06 21:38:34 ii : phase1 id target is any 12/02/06 21:38:34 ii : phase1 id match 12/02/06 21:38:34 ii : received = ipv4-host xx.xx.xx.xx 12/02/06 21:38:34 << : vendor id payload 12/02/06 21:38:34 ii : peer supports DPDv1 12/02/06 21:38:34 << : vendor id payload 12/02/06 21:38:34 ii : peer supports nat-t ( draft v02 ) 12/02/06 21:38:34 << : nat discovery payload 12/02/06 21:38:34 << : nat discovery payload 12/02/06 21:38:34 << : hash payload 12/02/06 21:38:34 ii : nat discovery - local address is translated 12/02/06 21:38:34 ii : switching to src nat-t udp port 4500 12/02/06 21:38:34 ii : switching to dst nat-t udp port 4500 12/02/06 21:38:34 == : DH shared secret ( 96 bytes ) 12/02/06 21:38:34 == : SETKEYID ( 20 bytes ) 12/02/06 21:38:34 == : SETKEYID_d ( 20 bytes ) 12/02/06 21:38:34 == : SETKEYID_a ( 20 bytes ) 
12/02/06 21:38:34 == : SETKEYID_e ( 20 bytes ) 12/02/06 21:38:34 == : cipher key ( 40 bytes ) 12/02/06 21:38:34 == : cipher iv ( 8 bytes ) 12/02/06 21:38:34 == : phase1 hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:34 >> : hash payload 12/02/06 21:38:34 >> : nat discovery payload 12/02/06 21:38:34 >> : nat discovery payload 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message 00000000 12/02/06 21:38:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : encrypt packet ( 100 bytes ) 12/02/06 21:38:34 == : stored iv ( 8 bytes ) 12/02/06 21:38:34 DB : phase1 resend event canceled ( ref count = 1 ) 12/02/06 21:38:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx4500 ( 132 bytes ) 12/02/06 21:38:34 == : phase1 hash_r ( computed ) ( 20 bytes ) 12/02/06 21:38:34 == : phase1 hash_r ( received ) ( 20 bytes ) 12/02/06 21:38:34 ii : phase1 sa established 12/02/06 21:38:34 ii : xx.xx.xx.xx:4500 <-> 192.168.1.6:4500 12/02/06 21:38:34 ii : f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 ii : sending peer INITIAL-CONTACT notification 12/02/06 21:38:34 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:34 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 ii : - data size 0 12/02/06 21:38:34 >> : hash payload 12/02/06 21:38:34 >> : notification payload 12/02/06 21:38:34 == : new informational hash ( 20 bytes ) 12/02/06 21:38:34 == : new informational iv ( 8 bytes ) 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message f653a002 12/02/06 21:38:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : encrypt packet ( 80 bytes ) 12/02/06 21:38:34 == : stored iv ( 8 bytes ) 12/02/06 21:38:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 5, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref 
increment ( ref count = 2, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 3, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 DB : phase2 not found 12/02/06 21:38:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:34 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 116 bytes ) 12/02/06 21:38:34 DB : phase1 found 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 ii : processing config packet ( 116 bytes ) 12/02/06 21:38:34 DB : config not found 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 6, obj count = 1 ) 12/02/06 21:38:34 DB : config ref increment ( ref count = 1, obj count = 0 ) 12/02/06 21:38:34 DB : config added ( obj count = 1 ) 12/02/06 21:38:34 == : new config iv ( 8 bytes ) 12/02/06 21:38:34 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 =< : message 84d14434 12/02/06 21:38:34 =< : decrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : decrypt packet ( 116 bytes ) 12/02/06 21:38:34 <= : trimmed packet padding ( 2 bytes ) 12/02/06 21:38:34 <= : stored iv ( 8 bytes ) 12/02/06 21:38:34 << : hash payload 12/02/06 21:38:34 << : attribute payload 12/02/06 21:38:34 == : configure hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:34 == : configure hash_c ( computed ) ( 20 bytes ) 12/02/06 21:38:34 ii : configure hash verified 12/02/06 21:38:34 ii : - xauth username 12/02/06 21:38:34 ii : - xauth password 12/02/06 21:38:34 ii : received basic xauth request - Please Enter Your User Name and Password : 12/02/06 21:38:34 ii : - standard xauth username 12/02/06 21:38:34 ii : - standard xauth password 12/02/06 21:38:34 ii : sending xauth response for 12/02/06 21:38:34 >> : hash payload 12/02/06 21:38:34 >> : attribute payload 12/02/06 21:38:34 == : new configure hash ( 20 bytes ) 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message 
From mgrooms at shrew.net Tue Feb 14 17:47:13 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 17:47:13 -0600
Subject: [vpn-help] Mailing List Services Restored ...
Message-ID: <4F3AF281.4010906@shrew.net>

The Shrew Soft mailing lists went down for a few days. I believe
everything is back up and running. Sorry for any inconvenience.

-Matthew

From mgrooms at shrew.net Tue Feb 14 17:52:30 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 17:52:30 -0600
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local> <64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local>
Message-ID: <4F3AF3BE.8010603@shrew.net>

On 1/19/2012 8:25 AM, Mark A. DeMichele wrote:
> I don't believe you for being skeptical. I'm a programmer and I
> understand where you're coming from.
>
> I just did as you requested and was very methodical about it. Here's
> what I did.
>
> 1. Using the 2.2beta2 version, I uploaded using a VPN address and then
> again with a public address outside the VPN.
> VPN Upload Speed: ~450KB/sec.
> Non-VPN Upload Speed: ~550KB/sec
>
> 2. I uninstalled 2.2beta version and installed 2.1.7. I used the same
> profile (it's nice it remembers all that between uninstalls and
> installs BTW). Same urls and same files to upload.
> VPN Upload Speed: ~12KB/sec.
> Non-VPN Upload Speed: ~550KB/sec.
>
> The higher rates vary a lot +/- 50KB/sec., but the slow VPN rate is just
> pretty slow.
>
> I had tried 2.1.6 the other day with the same result. I hadn't gone
> back any further since the 2.2 fixed the problem. Also both of my
> Windows 7 64 bit machines seem to have this problem. Maybe it's router
> related?
>
> I have a Belkin N600HD router.
>

Are you running in a direct adapter mode? I fixed a problem related to
hardware task offload but I can't remember if that was in 2.2.x or the
2.1.7 branch.

-Matthew

From mgrooms at shrew.net Tue Feb 14 18:01:30 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:01:30 -0600
Subject: [vpn-help] Windows Client Login Screen and Shrew VPN Client
In-Reply-To: <185431391.20120105172903@eternallybored.org>
References: <20B2861F76CB724690F1809A616849052AA77FD8@CORPSERV.bcsvds.local> <185431391.20120105172903@eternallybored.org>
Message-ID: <4F3AF5DA.7090104@shrew.net>

On 1/5/2012 10:29 AM, Jernej Simončič wrote:
> On Thursday, January 5, 2012, 15:37:48, Roper, Andrew wrote:
>
>> How do I make that session available at the login screen?
>
> Right-click it in Shrew and select Public.
>

And just to piggy back on this with some more info, the last beta build
had a bug that prevented DNS lookups from working correctly with the
login version of the client.
You may have been lucky enough to have specified an IP address instead
of a DNS name for your gateway :)

-Matthew

From mgrooms at shrew.net Tue Feb 14 18:14:44 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:14:44 -0600
Subject: [vpn-help] failing with WLAN connection on Win7 x64 [Shrew 2.2.0]
In-Reply-To:
References: <1418139373.20111208161336@gmx.de> <95080473BAB1554287F90ED71398FAD201737736@boga.bjginc.com> <1384881807.20111213131114@gmx.de> <573634176.20111219140829@gmx.de> <1769885532.20120112233142@gmx.de>
Message-ID: <4F3AF8F4.2020305@shrew.net>

On 1/15/2012 9:06 PM, Kevin VPN wrote:
> On 01/12/2012 05:31 PM, Thorsten Albrecht wrote:
>> Hello Kevin,
>>
>> it still works after some reboots. Thanks for your support. BTW You
>> are not
>> the developer, aren't you?
>>
>
> No, I'm not the developer. All that credit (and hopefully donations!)
> goes to Matthew and the others who provide patches. I'm just a
> user/believer of the software and help as much as I can on the list.

And thank you so much! Your input on the mailing list has been nothing
short of amazing! :)

-Matthew

From mgrooms at shrew.net Tue Feb 14 18:17:04 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:17:04 -0600
Subject: [vpn-help] failing with WLAN connection on Win7 x64 [Shrew 2.2.0]
In-Reply-To: <573634176.20111219140829@gmx.de>
References: <1418139373.20111208161336@gmx.de> <95080473BAB1554287F90ED71398FAD201737736@boga.bjginc.com> <1384881807.20111213131114@gmx.de> <573634176.20111219140829@gmx.de>
Message-ID: <4F3AF980.6010603@shrew.net>

On 12/19/2011 7:08 AM, Thorsten Albrecht wrote:
> Hello Kevin,
>
> the solution was: first it was necessary (as I wrote) to disable the MS Virtual
> WiFi Adapter to make Shrew VPN work. But Shrew VPN continued to work after
> reenabling the Virtual Adapter again. So it was not necessary to
> deinstall and reinstall everything.
>

Hmm. I'm a little sad to hear this is still an issue with 2.2.x.
I have an idea on how to solve this problem but it will require another
round of submissions to Winqual to get the drivers re-certified. Because
of this, the fix will need to wait until a post 2.2.0 release.

-Matthew

From demi at intellipro.com Tue Feb 14 18:04:42 2012
From: demi at intellipro.com (Mark A. DeMichele)
Date: Tue, 14 Feb 2012 19:04:42 -0500
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <4F3AF3BE.8010603@shrew.net>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local> <64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local> <4F3AF3BE.8010603@shrew.net>
Message-ID: <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local>

How do I tell if I'm running in "direct adapter mode"?

-----Original Message-----
From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Matthew Grooms
Sent: Tuesday, February 14, 2012 6:53 PM
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Windows 7 64bit Slow VPN

On 1/19/2012 8:25 AM, Mark A. DeMichele wrote:
> I don't believe you for being skeptical. I'm a programmer and I
> understand where you're coming from.
>
> I just did as you requested and was very methodical about it. Here's
> what I did.
>
> 1. Using the 2.2beta2 version, I uploaded using a VPN address and then
> again with a public address outside the VPN.
> VPN Upload Speed: ~450KB/sec.
> Non-VPN Upload Speed: ~550KB/sec
>
> 2. I uninstalled 2.2beta version and installed 2.1.7. I used the same
> profile (it's nice it remembers all that between uninstalls and
> installs BTW). Same urls and same files to upload.
> VPN Upload Speed: ~12KB/sec.
> Non-VPN Upload Speed: ~550KB/sec.
>
> The higher rates vary a lot +/- 50KB/sec., but the slow VPN rate is
> just pretty slow.
>
> I had tried 2.1.6 the other day with the same result. I hadn't gone
> back any further since the 2.2 fixed the problem. Also both of my
> Windows 7 64 bit machines seem to have this problem.
> Maybe it's router related?
>
> I have a Belkin N600HD router.
>

Are you running in a direct adapter mode? I fixed a problem related to
hardware task offload but I can't remember if that was in 2.2.x or the
2.1.7 branch.

-Matthew
_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help

From mgrooms at shrew.net Tue Feb 14 18:21:32 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:21:32 -0600
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local> <64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local> <4F3AF3BE.8010603@shrew.net> <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local>
Message-ID: <4F3AFA8C.5050405@shrew.net>

On 2/14/2012 6:04 PM, Mark A. DeMichele wrote:
> How do I tell if I'm running in "direct adapter mode"?
>

Ahh, sorry. Direct adapter mode is when you select the "Use an existing
adapter ... " option under "Adapter Mode" in the General settings page
of the site configuration. I should have been more clear.

-Matthew

> -----Original Message-----
> From: vpn-help-bounces at lists.shrew.net
> [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Matthew Grooms
> Sent: Tuesday, February 14, 2012 6:53 PM
> To: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] Windows 7 64bit Slow VPN
>
> On 1/19/2012 8:25 AM, Mark A. DeMichele wrote:
>> I don't believe you for being skeptical. I'm a programmer and I
>> understand where you're coming from.
>>
>> I just did as you requested and was very methodical about it. Here's
>> what I did.
>>
>> 1. Using the 2.2beta2 version, I uploaded using a VPN address and then
>> again with a public address outside the VPN.
>> VPN Upload Speed: ~450KB/sec.
>> Non-VPN Upload Speed: ~550KB/sec
>>
>> 2. I uninstalled 2.2beta version and installed 2.1.7. I used the same
>> profile (it's nice it remembers all that between uninstalls and
>> installs BTW). Same urls and same files to upload.
>> VPN Upload Speed: ~12KB/sec.
>> Non-VPN Upload Speed: ~550KB/sec.
>>
>> The higher rates vary a lot +/- 50KB/sec., but the slow VPN rate is
>> just pretty slow.
>>
>> I had tried 2.1.6 the other day with the same result. I hadn't gone
>> back any further since the 2.2 fixed the problem. Also both of my
>> Windows 7 64 bit machines seem to have this problem. Maybe it's router
>> related?
>>
>> I have a Belkin N600HD router.
>>
>
> Are you running in a direct adapter mode? I fixed a problem related to
> hardware task offload but I can't remember if that was in 2.2.x or the
> 2.1.7 branch.
>
> -Matthew

From mgrooms at shrew.net Tue Feb 14 18:29:17 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:29:17 -0600
Subject: [vpn-help] What is the different between windows and Mac version for shrew VPN?
In-Reply-To:
References: <20B2861F76CB724690F1809A616849052AA81946@CORPSERV.bcsvds.local>
Message-ID: <4F3AFC5D.6080402@shrew.net>

On 1/15/2012 8:58 PM, Kevin VPN wrote:
> On 01/13/2012 10:37 PM, Jinyan Huang wrote:
>> Both windows and Mac, I set MTU to 1380. I used CocoapacketAnalyzer
>> to obtain some packet. But no hints for me.
>>

This is an interesting problem, especially since you stated that the OSX
host worked in France but not in China. I'm sure you have thought of
these, but I'll ask the questions anyway ...

1) Is this the same OSX laptop you used in both France and China?
2) Is this the same wired or wireless adapter used in both locations?
3) Have you tried connecting to the VPN using a different carrier?
Without seeing the packet dump output, it's difficult to make a good
guess as to what the problem may be.

-Matthew

From mgrooms at shrew.net Tue Feb 14 18:32:54 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:32:54 -0600
Subject: [vpn-help] Can same server config work for iPhone and Shrew? - Phase 1 trouble
In-Reply-To: <20120119155146.GA5905@black.transpect.com>
References: <20120119153144.GA5410@black.transpect.com> <20120119155146.GA5905@black.transpect.com>
Message-ID: <4F3AFD36.1070501@shrew.net>

On 1/19/2012 9:51 AM, Whit Blauvelt wrote:
> On Thu, Jan 19, 2012 at 10:31:44AM -0500, Whit Blauvelt wrote:
>
>> Is Shrew's "Mutual PSK + XAuth" the equivalent of "xauth_psk_client"
>> rather than "xauth_psk_server" on the racoon side? I have no idea what the
>> difference between those two is ...
>
> Well, Googling it, it looks like the server should properly use
> "xauth_psk_server," and the "_client" variant is only for (duh!) a remote
> client. So that shouldn't be it. Although I'm just deducing that from
> examples. Documentation is thin.
>
> Could there be some other setting necessary to get Shrew's "Mutual PSK +
> XAuth" behavior to be accepted by racoon's "xauth_psk_server" expectations?
>

The Admin Guide has a lot of material related to configuring racoon /
ipsec-tools as a vpn gateway for the vpn client ...

http://www.shrew.net/static/help-2.1.x/vpnhelp.htm

-Matthew

From mgrooms at shrew.net Tue Feb 14 19:02:08 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:02:08 -0600
Subject: [vpn-help] Outlook interrupted
In-Reply-To:
References: <1041054682.20120126194525@eternallybored.org>
Message-ID: <4F3B0410.9010601@shrew.net>

On 1/26/2012 10:02 PM, Kevin VPN wrote:
>
> Hi Jernej,
>
> I'm disappointed that deleting the route actually works. I just tried
> it. I would have thought (hoped!) that Shrew might watch for things
> messing with the routes and reset them if they change.
>
> I'd think that would be a potential way for a trojan to get into an
> organization - wait for a tunnel to come up, enumerate the remote
> network, add a non-tunneled route to its C&C server and call home for
> instructions. Sort of defeats one of the purposes of a full-tunnel VPN. :(
>

There is no mechanism that I'm aware of that can "lock" a route in the
OS. You could have two processes fight over which routes it believes
should be the correct routes for a given point in time. Having a route
added or removed from your route table can happen at any point by a
process with the correct privilege level. The only thing the client can
really do is monitor the route table and potentially disconnect if it
sees a change.

> Does anyone know if this route hack can be done with other VPN clients
> like Cisco or Juniper?
>

What do you want in a VPN client? IPsec security policies define source
and destination IP networks and request or require that a transform be
applied to the traffic pattern to encrypt or authenticate the content.
It doesn't prescribe any particular methods to ensure that packets are
allowed to originate from an authorized process. Furthermore, there is
no distinction made between server or client insofar as IPsec protocols
or vanilla IKE are concerned.

For additional protection, a firewall and anti-malware software should
be used to protect your machine. Otherwise it could be used as an attack
vector to any remote network you may be connected to. Some VPN clients
bundle these with their software ( Cisco can push firewall rules to
their VPN Client ) and some don't. The Shrew Soft client falls into the
latter category.

-Matthew

From mgrooms at shrew.net Tue Feb 14 19:10:55 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:10:55 -0600
Subject: [vpn-help] [Vpn-help] Problems with Client Install or Uninstall ...
In-Reply-To: <79BA81FD3A1C994D87A4DB9F1B6A4D6D0761FE30@LENNON.karpautomotive.local>
References: <79BA81FD3A1C994D87A4DB9F1B6A4D6D0761FE30@LENNON.karpautomotive.local>
Message-ID: <4F3B061F.80806@shrew.net>

On 1/26/2012 3:01 PM, Peter Olivieri wrote:
> I am receiving a message peer config failed when attempting to connect
> to a VPN. This was working and I am not sure what was done as it is not
> my computer.
>
> I went through each of the steps on the following page
>
> http://lists.shrew.net/pipermail/vpn-help/2008-May/000703.html
>
> rebooted and went through the install again. After completing the
> install the configuration reappeared and I am still having the same issue.
>
> Anything you can suggest would be helpful.
>

The peer config failed message tends to happen when a version of the
client program ( ipsecc.exe ) is talking to a mismatched version of the
IKE daemon ( iked.exe ). For example ( ver 2.1.7 vs ver 2.2.x ). Did you
happen to copy ipsecc.exe somewhere instead of making a shortcut? Or
have you searched your system to make sure there are not multiple copies
of programs installed somehow in different locations?

-Matthew

From demi at intellipro.com Tue Feb 14 19:21:14 2012
From: demi at intellipro.com (Mark A. DeMichele)
Date: Tue, 14 Feb 2012 20:21:14 -0500
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <4F3AFA8C.5050405@shrew.net>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local> <64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local> <4F3AF3BE.8010603@shrew.net> <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local> <4F3AFA8C.5050405@shrew.net>
Message-ID: <64D2176F91A2884DA4ECAA5B9C2815CE0258C721@SERVER2003.ipro.local>

Yes, that's the mode I'm using.

-----Original Message-----
From: Matthew Grooms [mailto:mgrooms at shrew.net]
Sent: Tuesday, February 14, 2012 7:22 PM
To: Mark A. DeMichele
Cc: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Windows 7 64bit Slow VPN

On 2/14/2012 6:04 PM, Mark A. DeMichele wrote:
> How do I tell if I'm running in "direct adapter mode"?
>

Ahh, sorry. Direct adapter mode is when you select the "Use an existing
adapter ... " option under "Adapter Mode" in the General settings page
of the site configuration. I should have been more clear.

-Matthew

> -----Original Message-----
> From: vpn-help-bounces at lists.shrew.net
> [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Matthew Grooms
> Sent: Tuesday, February 14, 2012 6:53 PM
> To: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] Windows 7 64bit Slow VPN
>
> On 1/19/2012 8:25 AM, Mark A. DeMichele wrote:
>> I don't believe you for being skeptical. I'm a programmer and I
>> understand where you're coming from.
>>
>> I just did as you requested and was very methodical about it. Here's
>> what I did.
>>
>> 1. Using the 2.2beta2 version, I uploaded using a VPN address and
>> then again with a public address outside the VPN.
>> VPN Upload Speed: ~450KB/sec.
>> Non-VPN Upload Speed: ~550KB/sec
>>
>> 2. I uninstalled 2.2beta version and installed 2.1.7. I used the
>> same profile (it's nice it remembers all that between uninstalls and
>> installs BTW). Same urls and same files to upload.
>> VPN Upload Speed: ~12KB/sec.
>> Non-VPN Upload Speed: ~550KB/sec.
>>
>> The higher rates vary a lot +/- 50KB/sec., but the slow VPN rate is
>> just pretty slow.
>>
>> I had tried 2.1.6 the other day with the same result. I hadn't gone
>> back any further since the 2.2 fixed the problem. Also both of my
>> Windows 7 64 bit machines seem to have this problem. Maybe it's
>> router related?
>>
>> I have a Belkin N600HD router.
>>
>
> Are you running in a direct adapter mode? I fixed a problem related to
> hardware task offload but I can't remember if that was in 2.2.x or the
> 2.1.7 branch.
>
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help

From mgrooms at shrew.net Tue Feb 14 19:29:13 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:29:13 -0600
Subject: [vpn-help] INVALID-SPI Notification
In-Reply-To:
References:
Message-ID: <4F3B0A69.2090200@shrew.net>

On 1/31/2012 10:42 AM, Sébastien HELLE wrote:
> Hi,
>
> I am currently using ShrewSoft VPN Client to connect to a Fortigate VPN.
> The VPN is route-based, with Mutual RSA authentication.
>
> Everybody using this VPN with shrewsoft client is often disconnected,
> either partially (the client is still connected, but some routes are
> unreachable) or totally (the client is disconnected).
>
> When I take a look at the client debug Trace utility (decode mode), I
> have this :
>
> 12/01/31 17:09:47 DB : phase1 found
> 12/01/31 17:09:47 DB : phase1 ref increment ( ref count = 4, obj count = 1 )
> 12/01/31 17:09:47 ii : processing informational packet ( 76 bytes )
> 12/01/31 17:09:47 == : new informational iv ( 16 bytes )
> 12/01/31 17:09:47 0x : 310ab985 d070eb7b b6855596 a6e634d8
> 12/01/31 17:09:47 =< : cookies 3cada944dd48eeba:13485b109cc7cffd
> 12/01/31 17:09:47 =< : message 4991d5d5
> 12/01/31 17:09:47 =< : decrypt iv ( 16 bytes )
> 12/01/31 17:09:47 0x : 310ab985 d070eb7b b6855596 a6e634d8
> 12/01/31 17:09:47 == : decrypt packet ( 76 bytes )
> 12/01/31 17:09:47 0x : 3cada944 dd48eeba 13485b10 9cc7cffd 08100501 4991d5d5 0000004c 0b000018
> 12/01/31 17:09:47 0x : afcb164b 10c9e5d6 b49f1177 d368dc15 a84dee09 00000010 00000001 0304000b
> 12/01/31 17:09:47 0x : 5d004625 bec85867 fb6ada07
> 12/01/31 17:09:47 <= : trimmed packet padding ( 8 bytes )
> 12/01/31 17:09:47 <= : stored iv ( 16 bytes )
> 12/01/31 17:09:47 0x : 7d379dfc 17b5a654 653d3ded 16a861fe
> 12/01/31 17:09:47 << : hash payload
> 12/01/31 17:09:47 << : notification payload
> 12/01/31 17:09:47 == : informational hash_i ( computed ) ( 20 bytes )
> 12/01/31 17:09:47 0x : afcb164b 10c9e5d6 b49f1177 d368dc15 a84dee09
> 12/01/31 17:09:47 == : informational hash_c ( received ) ( 20 bytes )
> 12/01/31 17:09:47 0x : afcb164b 10c9e5d6 b49f1177 d368dc15 a84dee09
> 12/01/31 17:09:47 ii : informational hash verified
> 12/01/31 17:09:47 ii : received peer INVALID-SPI notification
> 12/01/31 17:09:47 ii : - 217.119.132.38:4500 -> 192.168.30.103:4500
> 12/01/31 17:09:47 ii : - ipsec-esp spi = 0x5d004625
> 12/01/31 17:09:47 ii : - data size 0
> 12/01/31 17:09:47 DB : phase1 ref decrement ( ref count = 3, obj count = 1 )
> 12/01/31 17:09:50 <- : recv NAT-T:IKE packet 217.119.132.38:4500 -> 192.168.30.103:4500 ( 76 bytes )
> 12/01/31 17:09:50 0x : 3cada944 dd48eeba 13485b10 9cc7cffd 08100501 afdd4e70 0000004c 4295f33a
> 12/01/31 17:09:50 0x : 1aeba2a3 8399c33e 5393a32f 26f4b98f 96eee83d 3738e253 00269a9f b2f4bf2f
> 12/01/31 17:09:50 0x : 70e8b563 ce6bb2aa 848a0774
>
> The important part is the INVALID-SPI Notification from the peer. It
> looks like the Shrew client receives the info, but doesn't care about it.
> I've seen that the Cisco VPN Client has a functionality
> invalid-spi-recovery. Is there nothing like that in Shrew ?
>

After reading the RFC, an INVALID-SPI notification should only be sent in
response to an IKE level message that includes an SPI that is thought to
be invalid ( ie. received in a proposal or a notification payload ) ...

http://www.faqs.org/rfcs/rfc2408.html

What is happening right before this section in the error log, and what
does the Fortigate log detail say regarding the sent notification? Any
reason? Does it think the SA related to the SPI has expired? Do you have a
lifetime mismatch between your gateway / client configuration?

-Matthew

From mgrooms at shrew.net Tue Feb 14 19:33:19 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:33:19 -0600
Subject: [vpn-help] (no subject)
In-Reply-To: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE>
References: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE>
Message-ID: <4F3B0B5F.3010704@shrew.net>

On 2/2/2012 8:17 AM, Matthias Paust wrote:
> Problem:
>
> The VPN client is connected to my gateway (tunnel enabled) but no
> access to the remote network is possible. We are using FortiGate 80c
> (fw v4.0,build0511,120110 (MR3 Patch 4)) and ShrewSoft VPN Client
> 2.1.7 for Windows.
>
> The problems occurred after updating the firewall to the new version.
> With fw version v4.0,build0328,110718 (MR2 Patch 8) there was no
> problem.
>

The IKE session looks healthy and it looks like there are NAT-T ESP
packets moving back and forth. I would double check your firewall config
and log output. There should be a clue in there somewhere.

-Matthew

From mgrooms at shrew.net Tue Feb 14 19:38:33 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:38:33 -0600
Subject: [vpn-help] ikea startup: Session Management error
In-Reply-To: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>
References: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>
Message-ID: <4F3B0C99.4060601@shrew.net>

On 2/2/2012 11:22 AM, mh at morxy.co.uk wrote:
> I'm running Ubuntu 11.10 and installed Shrew VPN Client 2.1.7 using
> Ubuntu's package manager (ike-qtgui 2.1.7+dfsg-1build1).
>
> $ iked
> ii : created ike socket 0.0.0.0:500
> ii : created natt socket 0.0.0.0:4500
> ## : IKE Daemon, ver 2.1.7
> ## : Copyright 2010 Shrew Soft Inc.
> ## : This product linked OpenSSL 1.0.0e 6 Sep 2011
>
> $ ikea &
> Session management error: None of the authentication protocols specified
> are supported
>
> Can anyone explain this error? I've tried googling and can't find any
> definitive solution or cause.
> I can't use the ikea access manager to
> connect to any remote VPN server, probably as a result of this.
> (Meanwhile, the same VPN server works perfectly on my Windows XP laptop
> with the same Shrew client.)
>

I believe this is coming from the Qt GUI library that ikea links to. Looks
like quite a few users of Ubuntu have reported this issue. The most common
solution I can see is upgrading your qt package.

-Matthew

From mgrooms at shrew.net Tue Feb 14 20:00:24 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:00:24 -0600
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <64D2176F91A2884DA4ECAA5B9C2815CE0258C721@SERVER2003.ipro.local>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local><64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local> <4F3AF3BE.8010603@shrew.net> <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local> <4F3AFA8C.5050405@shrew.net> <64D2176F91A2884DA4ECAA5B9C2815CE0258C721@SERVER2003.ipro.local>
Message-ID: <4F3B11B8.2000301@shrew.net>

On 2/14/2012 7:21 PM, Mark A. DeMichele wrote:
> Yes, that's the mode I'm using.
>

This improvement is most likely related to proper emulation of Large
Segment Offload in 2.2.x. What happens is this: A packet is sometimes sent
down the NDIS driver stack with the expectation that the adapter will
handle a specific task on behalf of the OS to increase throughput.
However, the VPN Client can intercept and process packets before they
reach the adapter. In 2.1.7, the client doesn't emulate any bypassed
hardware features, so the only option is to disable it in the adapter
properties ( or experience awful throughput due to malformed packets ).
The problem isn't reported very often as most people use a virtual adapter
mode which doesn't claim to support any hardware acceleration. In 2.2.x,
the client emulates most of the common task offload features to avoid
these kinds of issues.

-Matthew

From mgrooms at shrew.net Tue Feb 14 20:04:23 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:04:23 -0600
Subject: [vpn-help] Juniper SRX210 NAT-T problems
In-Reply-To: <4f2d2fda.d0770e0a.0162.ffff97f5@mx.google.com>
References: <4f2d2fda.d0770e0a.0162.ffff97f5@mx.google.com>
Message-ID: <4F3B12A7.9040804@shrew.net>

On 2/4/2012 7:23 AM, Loris Modenese wrote:
>
> Hi Kevin,
>
> I can confirm what Gergely said.
> The problem is related to the NAT-T and DPD code on both 2.1.7 and
> 2.2.0 versions.
> With NAT-T disabled or with a dial-up connection (public IP address) the
> link is stable.
> I've also noticed that no matter how the client is configured (with or w/o
> DPD and different timeout)
> it keeps on sending DPD every 30sec when NAT-T option is enabled for 10
> times then it always disconnects (about 5-5.5 min).
> I tested the config with 4 SRX-240H, 1 SRX-210H and 3 SRX-100 running
> JunOS 10.4 with the same results.
>

Hmm, this doesn't sound good. Is the client initiating the DPD messages or
responding to them ( or both )? Can you send me a sample of the log output
with the IP addresses obscured? If the client is simply ignoring the DPD
configuration option, that shouldn't be too hard to fix.

-Matthew

From mgrooms at shrew.net Tue Feb 14 20:05:39 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:05:39 -0600
Subject: [vpn-help] Status of Shrew and Juniper SRX
In-Reply-To:
References:
Message-ID: <4F3B12F3.60201@shrew.net>

On 2/6/2012 10:47 AM, Stephen More wrote:
> Currently there is no Configuration Guides for Juniper SRX.
>
> I have seen sample configs like:
> http://forums.juniper.net/t5/SRX-Services-Gateway/Can-SRX-series-work-with-Shrew-Soft-VPN-client/m-p/76176/highlight/true#M9010
>
> But I am unable to get past phase 1.
>
> Does anyone know the current status ?
>

The status is that I don't have an SRX in my lab to test with. I may at
some point in the future. What does your log output say?

-Matthew

From mgrooms at shrew.net Tue Feb 14 20:13:34 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:13:34 -0600
Subject: [vpn-help] No packets going through Watchguard
In-Reply-To:
References:
Message-ID: <4F3B14CE.7050304@shrew.net>

On 2/6/2012 11:55 PM, Mike Pacifico wrote:
> Hello,
>
> Just installed a watchguard XTM 510 4.2.1. Exported the .vpn,
> imported the config file into the VPN client. According to the
> watchguard, I am authenticated as a client, or am I? No packets are
> being moved.
>
> I apologize in advance if I'm overlooking the obvious, but it's been a
> very long day.
> ...
> 12/02/06 21:38:35 DB : config resend event scheduled ( ref count = 2 )
> 12/02/06 21:38:35 ii : building config attribute list
> 12/02/06 21:38:35 ii : - IP4 Address
> 12/02/06 21:38:35 ii : - Address Expiry
> 12/02/06 21:38:35 ii : - IP4 Netamask
> 12/02/06 21:38:35 ii : - IP4 DNS Server
> 12/02/06 21:38:35 ii : - IP4 WINS Server
> 12/02/06 21:38:35 ii : - IP4 Subnet
> 12/02/06 21:38:35 == : new config iv ( 8 bytes )
> 12/02/06 21:38:35 ii : sending config pull request
> 12/02/06 21:38:35 >> : hash payload
> 12/02/06 21:38:35 >> : attribute payload
> 12/02/06 21:38:35 == : new configure hash ( 20 bytes )
> 12/02/06 21:38:35 >= : cookies f88412956c4b60da:93e25c78b27cfdea
> 12/02/06 21:38:35 >= : message 6a213b7c
> 12/02/06 21:38:35 >= : encrypt iv ( 8 bytes )
> 12/02/06 21:38:35 == : encrypt packet ( 84 bytes )
> 12/02/06 21:38:35 == : stored iv ( 8 bytes )
> 12/02/06 21:38:35 DB : config resend event canceled ( ref count = 1 )
> 12/02/06 21:38:35 -> : send NAT-T:IKE packet 192.168.1.6:4500
>

It would appear that the client is requesting modecfg information but
doesn't receive a response from the gateway. This would typically point to
a configuration mismatch between the client and the server. You say you
exported the .vpn file. Was that from another working client?

-Matthew

From mgrooms at shrew.net Tue Feb 14 20:15:25 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:15:25 -0600
Subject: [vpn-help] Run shrew withiout graphic interface
In-Reply-To:
References:
Message-ID: <4F3B153D.8020802@shrew.net>

On 2/8/2012 5:23 AM, Stephen More wrote:
> ikec
>

I just want to add that this is only available in the 2.2.x version. In
the 2.1.7 version, ikec and ikea are actually Qt applications. In 2.2.x
versions, they have been renamed to qikec and qikea with ikec being the
command line client version.

-Matthew

> On Wed, Feb 8, 2012 at 5:35 AM, Jacques EESES wrote:
>> Good day
>>
>> How do I run ikea without a graphic interface to establish a vpn connection
>> between a linux server and my router ?
>>
>> What linux command do I use for that ?
>>
>> Thank you and excuse my bad English.
>> I am a French man.
>>
>>
>> Best regards
>>
>>
>> _______________________________________________
>> vpn-help mailing list
>> vpn-help at lists.shrew.net
>> http://lists.shrew.net/mailman/listinfo/vpn-help
>>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help

From stephen.more at gmail.com Tue Feb 14 20:59:44 2012
From: stephen.more at gmail.com (Stephen More)
Date: Tue, 14 Feb 2012 21:59:44 -0500
Subject: [vpn-help] Status of Shrew and Juniper SRX
In-Reply-To: <4F3B12F3.60201@shrew.net>
References: <4F3B12F3.60201@shrew.net>
Message-ID:

You can find sample configs and output from the SRX here:
http://forums.juniper.net/t5/SRX-Services-Gateway/Troubleshooting-Shrew-and-SRX/td-p/128641

On Tue, Feb 14, 2012 at 9:05 PM, Matthew Grooms wrote:
> On 2/6/2012 10:47 AM, Stephen More wrote:
>>
>> Currently there is no Configuration Guides for Juniper SRX.
>>
>> I have seen sample configs like:
>>
>> http://forums.juniper.net/t5/SRX-Services-Gateway/Can-SRX-series-work-with-Shrew-Soft-VPN-client/m-p/76176/highlight/true#M9010
>>
>> But I am unable to get past phase 1.
>>
>> Does anyone know the current status ?
>>
>
> The status is that I don't have an SRX in my lab to test with. I may at some
> point in the future. What does your log output say?
>
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help

From matthias.paust at seetec.de Wed Feb 15 01:19:35 2012
From: matthias.paust at seetec.de (Matthias Paust)
Date: Wed, 15 Feb 2012 07:19:35 +0000
Subject: [vpn-help] (no subject)
In-Reply-To: <4F3B0B5F.3010704@shrew.net>
References: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE> <4F3B0B5F.3010704@shrew.net>
Message-ID: <3DF319ED62CDA647A0CAE1018FB99B042229388C@seetec16.seetecDE>

We've tested it with ShrewSoft version 2.1.5: there's no problem.
Everything works fine...

Regards,
Matthias

-----Original Message-----
From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Matthew Grooms
Sent: Wednesday, 15 February 2012 02:33
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] (no subject)

On 2/2/2012 8:17 AM, Matthias Paust wrote:
> Problem:
>
> The VPN client is connected to my gateway (tunnel enabled) but no
> access to the remote network is possible. We are using FortiGate 80c
> (fw v4.0,build0511,120110 (MR3 Patch 4)) and ShrewSoft VPN Client
> 2.1.7 for Windows.
>
> The problems occurred after updating the firewall to the new version.
> With fw version v4.0,build0328,110718 (MR2 Patch 8) there was no
> problem.
>

The IKE session looks healthy and it looks like there are NAT-T ESP
packets moving back and forth. I would double check your firewall config
and log output. There should be a clue in there somewhere.

-Matthew
_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help

From mgrooms at shrew.net Wed Feb 15 19:31:22 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Wed, 15 Feb 2012 19:31:22 -0600
Subject: [vpn-help] Priority for Adapter Specific DNS Servers ...
Message-ID: <4F3C5C6A.2000300@shrew.net>

All,

For the longest time I thought there was no way to manually influence the
order in which windows prioritizes adapter specific DNS servers. I ran
across this solution the other day and wanted to share it with the mailing
list. Apparently, the DNS server priority is directly related to binding
order of the associated adapter ...

http://support.microsoft.com/kb/311218

If you bump up the binding order of the adapter, the DNS servers that are
associated with that adapter will be preferred over other adapters when
performing name resolution. For example: By bumping up the Shrew Soft
Virtual Adapter in the binding order, the DNS servers associated with that
adapter will be preferred over other adapters set to a lower binding order
( when the VPN client is active ).

Hope this helps someone,

-Matthew

From mgrooms at shrew.net Wed Feb 15 19:37:58 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Wed, 15 Feb 2012 19:37:58 -0600
Subject: [vpn-help] Priority for Adapter Specific DNS Servers ...
In-Reply-To: <4F3C5C6A.2000300@shrew.net>
References: <4F3C5C6A.2000300@shrew.net>
Message-ID: <4F3C5DF6.10909@shrew.net>

By the way, you shouldn't have to manually edit the registry like the
knowledge base article states. You should be able to re-order the adapter
bindings in the "Advanced Settings" section of the Network Connections
dialog ( hit the ALT button to see this in the menu under Windows Vista/7
). Just wanted to make that clear.

-Matthew

On 2/15/2012 7:31 PM, Matthew Grooms wrote:
> All,
>
> For the longest time I thought there was no way to manually influence
> the order in which windows prioritizes adapter specific DNS servers. I
> ran across this solution the other day and wanted to share it with the
> mailing list. Apparently, the DNS server priority is directly related to
> binding order of the associated adapter ...
>
> http://support.microsoft.com/kb/311218
>
> If you bump up the binding order of the adapter, the DNS servers that
> are associated with that adapter will be preferred over other adapters
> when performing name resolution. For example: By bumping up the Shrew
> Soft Virtual Adapter in the binding order, the DNS servers associated
> with that adapter will be preferred over other adapters set to a lower
> binding order ( when the VPN client is active ).
>
> Hope this helps someone,
>
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help

From mgrooms at shrew.net Wed Feb 15 20:07:49 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Wed, 15 Feb 2012 20:07:49 -0600
Subject: [vpn-help] Priority for Adapter Specific DNS Servers ...
In-Reply-To: <4F3C5C6A.2000300@shrew.net>
References: <4F3C5C6A.2000300@shrew.net>
Message-ID: <4F3C64F5.2060306@shrew.net>

On 2/15/2012 7:31 PM, Matthew Grooms wrote:
> All,
>
> For the longest time I thought there was no way to manually influence
> the order in which windows prioritizes adapter specific DNS servers. I
> ran across this solution the other day and wanted to share it with the
> mailing list. Apparently, the DNS server priority is directly related to
> binding order of the associated adapter ...
>
> http://support.microsoft.com/kb/311218
>
> If you bump up the binding order of the adapter, the DNS servers that
> are associated with that adapter will be preferred over other adapters
> when performing name resolution.
> For example: By bumping up the Shrew
> Soft Virtual Adapter in the binding order, the DNS servers associated
> with that adapter will be preferred over other adapters set to a lower
> binding order ( when the VPN client is active ).
>

Crap. Now that I look at it closer, the Shrew Soft Virtual Adapter is
hidden so it can't be easily re-ordered. I did find this solution but it's
a command line tool ...

http://archive.msdn.microsoft.com/nvspbind

As a quick howto, you run the tool in a cmd window as root. First you find
your adapter binding order for ms_tcpip ...

>nvspbind.exe /o ms_tcpip

Hyper-V Network VSP Bind Application 6.1.7725.0.
Copyright (c) Microsoft Corporation. All rights reserved.

Protocols:

{5D9F4D1D-F5B3-48BA-85AD-9B44176DD0C8}
"ms_tcpip"
"Internet Protocol Version 4 (TCP/IPv4)":
   enabled: Local Area Connection 4
   enabled: Local Area Connection 3
   enabled: Local Area Connection* 11
   enabled: Local Area Connection* 12
   enabled: Local Area Connection 2
   enabled: Local Area Connection
   enabled: VMware Network Adapter VMnet1
   enabled: VMware Network Adapter VMnet8

cleaning up...finished (0)

... Local Area Connection* 12 is my Shrew Soft VPN Network Adapter. If I
want to move it up one position in the network binding, I can use the
following command line options ...

>nvspbind.exe /+ "Local Area Connection* 12" ms_tcpip

Hyper-V Network VSP Bind Application 6.1.7725.0.
Copyright (c) Microsoft Corporation. All rights reserved.

acquiring write lock...success

Protocols:

{5D9F4D1D-F5B3-48BA-85AD-9B44176DD0C8}
"ms_tcpip"
"Internet Protocol Version 4 (TCP/IPv4)":
   enabled: Local Area Connection 4
   enabled: Local Area Connection 3
   enabled: Local Area Connection* 11
   enabled: Local Area Connection* 12
   enabled: Local Area Connection 2
   enabled: Local Area Connection
   enabled: VMware Network Adapter VMnet1
   enabled: VMware Network Adapter VMnet8

moving 'Local Area Connection* 12' above 'Local Area Connection* 11'

   enabled: Local Area Connection 4
   enabled: Local Area Connection 3
   enabled: Local Area Connection* 12
   enabled: Local Area Connection* 11
   enabled: Local Area Connection 2
   enabled: Local Area Connection
   enabled: VMware Network Adapter VMnet1
   enabled: VMware Network Adapter VMnet8

'Local Area Connection* 12' found

cleaning up...releasing write lock...success

finished (0)

... Problem solved :)

-Matthew

From jcope at discovertravelandtours.com Mon Feb 20 07:35:00 2012
From: jcope at discovertravelandtours.com (James Cope)
Date: Mon, 20 Feb 2012 13:35:00 +0000
Subject: [vpn-help] Shrew 2.1.7 & Windows 7 (64 bit)
Message-ID: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA787E0@EXVS02.SSP.local>

Hi,

I have a user who has successfully been connecting up to our office for
several months without issue. He's now not been able to connect for just
under 2 weeks. He has had sporadic problems connecting occasionally but
this is a long term period of inactivity now. Each time it comes back with
Negotiation timeout occurred.

We have tried on another machine at his location and that can connect so
router/dsl/firewall are all functioning ok.

We have tried both reinstalling Shrew from scratch and performing a system
restore on the PC, neither of which have resolved. All 3rd party software
has also been disabled in MSCONFIG as well as the AV and firewall
software.

This machine does not have a wireless adaptor in so there is no virtual
wifi miniport to remove.

Is anyone aware of any further issues at play here?

Thanks
James

________________________________________________________________________
This e-mail has been scanned for all viruses by Star. The service is
powered by MessageLabs. For more information on a proactive anti-virus
service working around the clock, around the globe, visit:
http://www.star.net.uk
________________________________________________________________________

From jcope at discovertravelandtours.com Mon Feb 20 09:58:24 2012
From: jcope at discovertravelandtours.com (James Cope)
Date: Mon, 20 Feb 2012 15:58:24 +0000
Subject: [vpn-help] Shrew 2.1.7 & Windows 7 (64 bit)
In-Reply-To: <20B2861F76CB724690F1809A616849052AB046EC@CORPSERV.bcsvds.local>
References: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA787E0@EXVS02.SSP.local> <20B2861F76CB724690F1809A616849052AB046EC@CORPSERV.bcsvds.local>
Message-ID: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA78A5D@EXVS02.SSP.local>

Hi,

We can see the packets leaving the client and hitting the firewall, what
we can't see is the client accepting the returned packets from the
firewall.

I have other users using the same routers, DSL from same provider and same
machine setup. We have an old XP laptop on site and that can connect so it
looks to be something specific about this machine's config (not the VPN
config as that is standard).

2012-02-20 11:57:43 info IKE 217.41.45.141 Phase 1: Retransmission limit has been reached.
2012-02-20 11:57:35 info IKE 217.41.45.141 phase 1:The symmetric crypto key has been generated successfully.
2012-02-20 11:57:35 info IKE 217.41.45.141 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2012-02-20 11:56:54 info IKE 217.41.45.141 phase 1:The symmetric crypto key has been generated successfully.
2012-02-20 11:56:54 info IKE 217.41.45.141 Phase 1: Responder starts AGGRESSIVE mode negotiations.

Thanks
James

________________________________
From: Roper, Andrew [mailto:aroper at bcsvoicedata.com]
Sent: 20 February 2012 15:45
To: James Cope; vpn-help at lists.shrew.net
Subject: RE: Shrew 2.1.7 & Windows 7 (64 bit)

James,

I would suggest getting packet captures to see what is going on. I would
gather them on the client and at the gateway. If you see the packets
leaving the client and arriving at the gateway then the client is not at
issue. Then, you will need to enable logging on both the gateway and the
corporate VPN endpoint to see if the packets are arriving there and what
the disposition is of those packets.

Without further data, it is difficult to speculate what is occurring.

-Andrew

From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of James Cope
Sent: Monday, February 20, 2012 8:35 AM
To: vpn-help at lists.shrew.net
Subject: [vpn-help] Shrew 2.1.7 & Windows 7 (64 bit)

Hi,

I have a user who has successfully been connecting up to our office for
several months without issue. He's now not been able to connect for just
under 2 weeks. He has had sporadic problems connecting occasionally but
this is a long term period of inactivity now. Each time it comes back with
Negotiation timeout occurred.

We have tried on another machine at his location and that can connect so
router/dsl/firewall are all functioning ok.

We have tried both reinstalling Shrew from scratch and performing a system
restore on the PC, neither of which have resolved. All 3rd party software
has also been disabled in MSCONFIG as well as the AV and firewall
software.

This machine does not have a wireless adaptor in so there is no virtual
wifi miniport to remove.

Is anyone aware of any further issues at play here?

Thanks
James

From aroper at bcsvoicedata.com Mon Feb 20 09:45:22 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Mon, 20 Feb 2012 15:45:22 +0000
Subject: [vpn-help] Shrew 2.1.7 & Windows 7 (64 bit)
In-Reply-To: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA787E0@EXVS02.SSP.local>
References: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA787E0@EXVS02.SSP.local>
Message-ID: <20B2861F76CB724690F1809A616849052AB046EC@CORPSERV.bcsvds.local>

James,

I would suggest getting packet captures to see what is going on. I would
gather them on the client and at the gateway. If you see the packets
leaving the client and arriving at the gateway then the client is not at
issue. Then, you will need to enable logging on both the gateway and the
corporate VPN endpoint to see if the packets are arriving there and what
the disposition is of those packets.

Without further data, it is difficult to speculate what is occurring.

-Andrew

From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of James Cope
Sent: Monday, February 20, 2012 8:35 AM
To: vpn-help at lists.shrew.net
Subject: [vpn-help] Shrew 2.1.7 & Windows 7 (64 bit)

Hi,

I have a user who has successfully been connecting up to our office for
several months without issue. He's now not been able to connect for just
under 2 weeks.
He has had sporadic problems connecting occasionally but this is a long
term period of inactivity now. Each time it comes back with Negotiation
timeout occurred.

We have tried on another machine at his location and that can connect so
router/dsl/firewall are all functioning ok.

We have tried both reinstalling Shrew from scratch and performing a system
restore on the PC, neither of which have resolved. All 3rd party software
has also been disabled in MSCONFIG as well as the AV and firewall
software.

This machine does not have a wireless adaptor in so there is no virtual
wifi miniport to remove.

Is anyone aware of any further issues at play here?

Thanks
James

From Rainer.Mach at inco.at Mon Feb 20 16:15:53 2012
From: Rainer.Mach at inco.at (Mach Rainer)
Date: Mon, 20 Feb 2012 22:15:53 +0000
Subject: [vpn-help] Problems connecting Windows7 over Broadband
Message-ID: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc>

Hi!

I installed the Shrew Soft Client (first 2.1.7 stable and now 2.2.0-b2) on
my Windows 7 64 Bit Laptop and configured it to connect to a PFSense 2.0.1
Firewall.

It works fine when the laptop is connected via LAN or via WLAN
(WLAN=802.11a/b). But when the laptop is connected via Mobile Broadband
(with a SIM Card from a mobile phone provider) the Shrew Soft Client gets
connected, but I can't get any traffic through the tunnel (e.g. ping).

I tried it with different mobile provider, no change.
And I tried it also with different Mobile Broadband Adapters (one is internal in my Laptop and I got 2 mobile USB Adapters) - it does also not work. But when I put the SIM Card to my IPhone and use tethering (WLAN between Laptop and IPhone) the VPN works! So I think the problem is not the provider.

In the archive of the mailing list I found the suggestion to disable a virtual Adapter, but there is no unused virtual adapter (and this should be fixed in 2.2.0)

Do you have any suggestions?

regards,
rainer

From aroper at bcsvoicedata.com Tue Feb 21 08:37:40 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Tue, 21 Feb 2012 14:37:40 +0000
Subject: [vpn-help] Problems connecting Windows7 over Broadband
In-Reply-To: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc>
References: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc>
Message-ID: <20B2861F76CB724690F1809A616849052AB0939F@CORPSERV.bcsvds.local>

Rainer,

Try turning off NAT-T when using the WWAN connection.

Regards,
Andrew

_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help

From Rainer.Mach at inco.at Tue Feb 21 10:38:51 2012
From: Rainer.Mach at inco.at (Mach Rainer)
Date: Tue, 21 Feb 2012 16:38:51 +0000
Subject: [vpn-help] Problems connecting Windows7 over Broadband
In-Reply-To: <20B2861F76CB724690F1809A616849052AB0939F@CORPSERV.bcsvds.local>
References: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc> <20B2861F76CB724690F1809A616849052AB0939F@CORPSERV.bcsvds.local>
Message-ID: <712F8F4B2628F7409D1A65C426B26385068E0F98@Mail11.inco.loc>

Hi Andrew,

no change. The LogFile on the FW says:

Feb 21 17:35:24 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 21 17:35:24 racoon: ERROR: no configuration found for 178.115.x.y. (<-- that's the IP I got from the mobile provider)
Feb 21 17:35:19 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 21 17:35:19 racoon: ERROR: no configuration found for 178.115.x.y.
Feb 21 17:35:15 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 21 17:35:15 racoon: ERROR: no configuration found for 178.115.x.y.
Feb 21 17:35:13 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 21 17:35:13 racoon: ERROR: no configuration found for 178.115.x.y.
Feb 21 17:35:12 racoon: INFO: begin Identity Protection mode.
regards,
rainer

From aroper at bcsvoicedata.com Tue Feb 21 11:21:42 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Tue, 21 Feb 2012 17:21:42 +0000
Subject: [vpn-help] Problems connecting Windows7 over Broadband
In-Reply-To: <712F8F4B2628F7409D1A65C426B26385068E0F98@Mail11.inco.loc>
References: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc> <20B2861F76CB724690F1809A616849052AB0939F@CORPSERV.bcsvds.local> <712F8F4B2628F7409D1A65C426B26385068E0F98@Mail11.inco.loc>
Message-ID: <20B2861F76CB724690F1809A616849052AB098CF@CORPSERV.bcsvds.local>

Is the firewall setup for Aggressive mode negotiations for that particular tunnel?

-Andrew

From jrizk at hayesandassociates.com Tue Feb 21 10:33:47 2012
From: jrizk at hayesandassociates.com (Jack Rizk)
Date: Tue, 21 Feb 2012 11:33:47 -0500
Subject: [vpn-help] Issues with passing traffic after VPN tunnel is established
Message-ID: <5D4E714A21D444B1B0DE5FE8A0D9C464@jrizkhayesass>

Hi,

We have a user that has a laptop with Windows 7 Professional on it. They have the Shrew VPN Client 2.17. The VPN gateway that they are connecting to is an Adtran Netvanta 3430 firewall. The connection works sometimes and other times it doesn't. When it fails, it states that the tunnel is enabled, but you cannot pass traffic. On the Netvanta side, it states that IKE is up, but IPSEC is down.

The last time we had issues with it, we tried to connect with a different windows 7 PC and it connected. Then we booted up in safe mode with the original PC that failed the first time. It was unable to connect when it was in safe mode, but when we took it out of safe mode, it could connect.

Any ideas?

Thanks,
Jack

Jack Rizk
Network Engineer
Hayes and Associates
336-969-1871 x108
jrizk at hayesandassociates.com

From aroper at bcsvoicedata.com Wed Feb 22 13:10:26 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Wed, 22 Feb 2012 19:10:26 +0000
Subject: [vpn-help] Issues with passing traffic after VPN tunnel is established
In-Reply-To: <5D4E714A21D444B1B0DE5FE8A0D9C464@jrizkhayesass>
References: <5D4E714A21D444B1B0DE5FE8A0D9C464@jrizkhayesass>
Message-ID: <168BE652-516E-410F-9F46-4DF58DD21225@bcsvoicedata.com>

Jack,

It makes total sense that it does not work in Safe Mode.
Safe Mode disables networking and only enables minimum services for OS functionality. I would even suspect that you'd have issues in Safe Mode with Networking as other dependent services would be offline.

If, however, you are suggesting that a normal reboot does not resolve the issue but booting into Safe Mode and then a normal boot does then that is particularly curious. For this I have no explanation.

As for continued troubleshooting, it would be necessary to perform a debug on the Netvanta and look for clues there and on the client I would make sure there are no conflicting VPN clients installed, AV isn't interfering, drivers are up to date and the connection is stable. Running some debug logs on the client side would also help in narrowing down the problem.

Regards,
Andrew

Sent from my iPhone

From dave at davenjudy.org Sat Feb 25 23:58:29 2012
From: dave at davenjudy.org (David G. Miller)
Date: Sat, 25 Feb 2012 22:58:29 -0700
Subject: [vpn-help] EL6 client?
Message-ID: <4F49CA05.9060701@davenjudy.org>

Hi List -

I'm looking into whether there is a way to get the Shrew Soft VPN client working with Red Hat Enterprise Linux 6.X (or clones such as Scientific Linux or CentOS). I have a working configuration installed on a Fedora Core 16 system but I need it working on EL6.

I noticed that folks who usually provide an RPM such as EPEL, rpmforge, ATrpms, etc. don't have one for EL6 which I'm taking as a hint that there is a deeper problem than just building the rpm. I also noticed that the client doesn't work on my development EL6 box regardless of whether I build from the archive available for download here or build from a backport of the source rpm from Fedora 16. Both of these approaches result in a clean build that installs, logs into my VPN server and appear to get packets back to the client but not back to the program such as ping or ssh that attempted to connect over the VPN.

Has anyone looked into building a statically linked version of iked (the other pieces appear to work) under Fedora? Anyone succeed?

Thanks,
Dave

"You can avoid reality, but you cannot avoid the consequences of avoiding reality." - Ayn Rand

From kvpn at live.com Thu Feb 2 21:09:54 2012
From: kvpn at live.com (Kevin VPN)
Date: Thu, 2 Feb 2012 22:09:54 -0500
Subject: [vpn-help] (no subject)
In-Reply-To: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE>
References: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE>
Message-ID:

On 02/02/2012 09:17 AM, Matthias Paust wrote:
> Problem:
>
> The VPN client is connected to my gateway (tunnel enabled) but no
> access to the remote network is possible.
> We are using FortiGate 80c
> (fw v4.0,build0511,120110 (MR3 Patch 4)) and ShrewSoft VPN Client
> 2.1.7 for Windows.
>
> The problems occurred after updating the firewall to the new version.
> With fw version v4.0,build0328,110718 (MR2 Patch 8) there was no
> problem.
>
> Attached debug logs.
>

Hi Matthias,

In general, everything looks good. Phase1 & Phase2 negotiations, and DHCP over IPSec configuration completes:

12/02/02 12:06:36 ii : phase1 sa established
12/02/02 12:06:36 ii : phase2 sa established
12/02/02 12:06:40 ii : reading DHCP reply options
12/02/02 12:06:40 ii : - message type = ack ( 192.168.123.53 )

From the looks of the policies, the VPN clients get an IP in the 192.168.0.0/16 private range and your internal network is in the 10.0.0.0/8 range. This means there is no overlap between the VPN clients and private hosts, which is good.

However, this is received about 1.5 minutes after the connection is established, then Shrew tears the connection down.

12/02/02 12:08:25 !! : message type is invalid ( 0 )

I would look at the Fortigate logs to see if it decided to kill the connection for some reason.

From l.modenese at gmail.com Sat Feb 4 07:23:10 2012
From: l.modenese at gmail.com (Loris Modenese)
Date: Sat, 04 Feb 2012 14:23:10 +0100
Subject: [vpn-help] Juniper SRX210 NAT-T problems
In-Reply-To:
References:
Message-ID: <4f2d2fda.d0770e0a.0162.ffff97f5@mx.google.com>

Hi Kevin,

I can confirm what Gergely said. The problem is related to the NAT-T and DPD code on both 2.1.7 and 2.2.0 versions. With NAT-T disabled or with a dial-up connection (public IP address) the link is stable.

I've also noticed that no matter how the client is configured (with or w/o DPD and different timeout) it keeps on sending DPD every 30sec when NAT-T option is enabled for 10 times then it always disconnects (about 5-5.5 min).

I tested the config with 4 SRX-240H, 1 SRX-210H and 3 SRX-100 running JunOS 10.4 with the same results.

Here my working config for JunOS 10.4 (NAT-T disabled)

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:300
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:0
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:12.34.56.78
s:client-auto-mode:push
s:client-iface:virtual
s:network-natt-mode:disable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:any
s:ident-client-data:vpnclient.domain.local
b:auth-mutual-psk:xxxxxxxxxxxxxxxxx
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-3des
s:phase2-hmac:md5
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:auto
s:policy-list-include:192.168.78.0 / 255.255.255.0
s:client-saved-username:

Best regards
Loris Modenese

> On 07/05/2011 05:06 AM, Gergely Kiss wrote:
>> Dear List!
>>
>> I'm having problems while connecting to a Juniper SRX210 firewall
>> running JunOS 11.1R1.10. I'm using the latest stable Shrewsoft client
>> (2.1.7) on Windows 7 (but the issue happens on Windows XP, too).
>>
>> If I try to connect from a device with a public IP-address, like a
>> mobile broadband connection (without using NAT-T), everything works
>> perfectly, but if I connect through a NAT device (Linksys WRT54GS), the
>> connection works only for 6-7 minutes and then it terminates with no
>> particular reason (the error message is: "session terminated by gateway").
>>
> ...
>
>> I already tried debugging both ends, but I found nothing helpful in the
>> logs (except some "config packet ignored" messages on the client). I
>> already tried upgrading to the latest beta release (2.2.0-beta-1), but
>> the issues still exists.
>>
> Hi Gergely,
>
> It might be that the Dead Peer Detection is somehow failing... that
> usually is 5 minutes or so. When you did the debug trace, did you see
> DPD messages (DPDV1-R-U-THERE) going back and forth?
>
> You could try disabling Dead Peer Detection in the Shrew site
> configuration...
>

From mh at morxy.co.uk Thu Feb 2 11:22:09 2012
From: mh at morxy.co.uk (mh at morxy.co.uk)
Date: Thu, 02 Feb 2012 17:22:09 +0000
Subject: [vpn-help] ikea startup: Session Management error
Message-ID: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>

I'm running Ubuntu 11.10 and installed Shrew VPN Client 2.1.7 using Ubuntu's package manager (ike-qtgui 2.1.7+dfsg-1build1).

$ iked
ii : created ike socket 0.0.0.0:500
ii : created natt socket 0.0.0.0:4500
## : IKE Daemon, ver 2.1.7
## : Copyright 2010 Shrew Soft Inc.
## : This product linked OpenSSL 1.0.0e 6 Sep 2011

$ ikea &
Session management error: None of the authentication protocols specified are supported

Can anyone explain this error? I've tried googling and can't find any definitive solution or cause.

I can't use the ikea access manager to connect to any remote VPN server, probably as a result of this. (Meanwhile, the same VPN server works perfectly on my Windows XP laptop with the same Shrew client.)
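Kevin's replies earlier in this archive read an iked.log stage by stage: which of phase1, xauth, config and phase2 was reached, and which line marks the failure. The same reading as a script, added here as an example (not code from any list member or from Shrew Soft); the sample logs are constructed from lines quoted in the messages with documentation addresses substituted, and the function names and verdict labels are hypothetical.

```python
import re
from datetime import datetime

# iked.log layout as quoted on this page: "YY/MM/DD HH:MM:SS <2-char tag> : <message>"
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S\S)\s+:\s+(.*)$")

# Milestones in the order a successful connect logs them.
MILESTONES = [
    ("phase1", re.compile(r"phase1 sa established")),
    ("xauth", re.compile(r"user .*authentication succeeded")),
    ("config", re.compile(r"received config pull response|reading DHCP reply options")),
    ("phase2", re.compile(r"phase2 sa established")),
]
RESEND_RE = re.compile(r"resend limit exceeded for (\w+) exchange")
NAT_RE = re.compile(r"nat discovery - local address is translated")

# Constructed samples (assumption: gateway address replaced by 192.0.2.10).
SAMPLE_PIX = """\
12/01/25 20:07:08 ii : phase1 sa established
12/01/25 20:07:08 ii : user comand authentication succeeded
12/01/25 20:07:08 ii : received config pull response
12/01/25 20:07:24 -> : resend 1 phase2 packet(s) [2/2] 10.168.89.206:500 -> 192.0.2.10:500
12/01/25 20:07:29 ii : resend limit exceeded for phase2 exchange
"""
SAMPLE_FORTIGATE = """\
12/02/02 12:06:36 ii : phase1 sa established
12/02/02 12:06:36 ii : phase2 sa established
12/02/02 12:06:40 ii : reading DHCP reply options
12/02/02 12:06:40 ii : - message type = ack ( 192.168.123.53 )
12/02/02 12:08:25 !! : message type is invalid ( 0 )
"""
SAMPLE_WATCHGUARD = """\
12/02/06 21:38:34 ii : nat discovery - local address is translated
12/02/06 21:38:34 ii : phase1 sa established
12/02/06 21:38:35 ii : user authentication succeeded
12/02/06 21:38:35 ii : sending config pull request
"""


def parse(text):
    """Yield (timestamp, tag, message) for every well-formed log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S")
            yield ts, m.group(2), m.group(3).strip()


def analyze(text):
    """Summarise how far the negotiation got and where it failed."""
    reached = {}    # stage name -> timestamp of first occurrence
    timeouts = []   # exchanges that hit the resend limit (peer never answered)
    errors = []     # (timestamp, message) of lines tagged '!!'
    nat = False
    for ts, tag, msg in parse(text):
        for name, rx in MILESTONES:
            if name not in reached and rx.search(msg):
                reached[name] = ts
        hit = RESEND_RE.search(msg)
        if hit:
            timeouts.append(hit.group(1))
        if tag == "!!":
            errors.append((ts, msg))
        if NAT_RE.search(msg):
            nat = True

    stages = [name for name, _ in MILESTONES if name in reached]
    # Errors logged after the tunnel was up, with seconds since phase2 came up.
    dropped_after = []
    if "phase2" in reached:
        dropped_after = [(int((ts - reached["phase2"]).total_seconds()), msg)
                         for ts, msg in errors if ts >= reached["phase2"]]

    if timeouts:
        verdict = timeouts[0] + "-timeout"      # compare that phase's settings with the gateway
    elif dropped_after:
        verdict = "dropped-after-phase2"        # check the gateway log for the teardown reason
    elif "phase2" in reached:
        verdict = "established"
    else:
        verdict = "incomplete"                  # log ends before phase2; capture a longer trace
    return {"stages": stages, "nat_translated": nat, "timeouts": timeouts,
            "dropped_after": dropped_after, "verdict": verdict}


if __name__ == "__main__":
    for label, log in (("pix", SAMPLE_PIX), ("fortigate", SAMPLE_FORTIGATE),
                       ("watchguard", SAMPLE_WATCHGUARD)):
        print(label, analyze(log))
```

A "phase2-timeout" verdict corresponds to the case Kevin describes where Phase1, XAuth and client configuration succeed but Phase2 never completes; "dropped-after-phase2" corresponds to a tunnel that came up and was torn down later.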
From stefan.bauer at cubewerk.de Sun Feb 5 05:21:03 2012
From: stefan.bauer at cubewerk.de (Stefan Bauer)
Date: Sun, 5 Feb 2012 12:21:03 +0100
Subject: [vpn-help] ikea startup: Session Management error
In-Reply-To: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>
References: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>
Message-ID:

-----Original Message-----
From: mh at morxy.co.uk
Sent: Sat 04.02.2012 15:33
Subject: [vpn-help] ikea startup: Session Management error
To: vpn-help at lists.shrew.net;
> I'm running Ubuntu 11.10 and installed Shrew VPN Client 2.1.7 using
> Ubuntu's package manager (ike-qtgui 2.1.7+dfsg-1build1).
>
> $ iked
> ii : created ike socket 0.0.0.0:500
> ii : created natt socket 0.0.0.0:4500
> ## : IKE Daemon, ver 2.1.7
> ## : Copyright 2010 Shrew Soft Inc.
> ## : This product linked OpenSSL 1.0.0e 6 Sep 2011
>
> $ ikea &
> Session management error: None of the authentication protocols
> specified are supported

Well either you specified an auth protocol that your local system is not supporting or the remote server.

Stefan

From stephen.more at gmail.com Mon Feb 6 10:47:45 2012
From: stephen.more at gmail.com (Stephen More)
Date: Mon, 6 Feb 2012 11:47:45 -0500
Subject: [vpn-help] Status of Shrew and Juniper SRX
Message-ID:

Currently there are no Configuration Guides for Juniper SRX.

I have seen sample configs like:
http://forums.juniper.net/t5/SRX-Services-Gateway/Can-SRX-series-work-with-Shrew-Soft-VPN-client/m-p/76176/highlight/true#M9010

But I am unable to get past phase 1.

Does anyone know the current status?

-Thanks

From mpaci1 at gmail.com Mon Feb 6 23:55:58 2012
From: mpaci1 at gmail.com (Mike Pacifico)
Date: Mon, 6 Feb 2012 21:55:58 -0800
Subject: [vpn-help] No packets going through Watchguard
Message-ID:

Hello,

Just installed a watchguard XTM 510 4.2.1. Exported the .vpn, imported the config file into the VPN client.
According to the watchguard, I am authenticated as a client, or am I? No packets are being moved. I apologize in advance if I'm overlooking the obvious, but it's been a very long day.

The following is the VPN trace:

12/02/06 21:37:52 ## : IKE Daemon, ver 2.1.7
12/02/06 21:37:52 ## : Copyright 2010 Shrew Soft Inc.
12/02/06 21:37:52 ## : This product linked OpenSSL 0.9.8h 28 May 2008
12/02/06 21:37:52 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
12/02/06 21:37:52 ii : rebuilding vnet device list ...
12/02/06 21:37:52 ii : device ROOT\VNET\0000 disabled
12/02/06 21:37:52 ii : network process thread begin ...
12/02/06 21:37:52 ii : pfkey process thread begin ...
12/02/06 21:37:52 ii : ipc server process thread begin ...
12/02/06 21:38:33 ii : ipc client process thread begin ...
12/02/06 21:38:33 _VPN' message
12/02/06 21:38:33 xx.xx.xx.xx:500
12/02/06 21:38:33 DB : f88412956c4b60da:0000000000000000
12/02/06 21:38:33 DB : phase1 ref increment ( ref count = 1, obj count = 0 )
12/02/06 21:38:33 DB : phase1 added ( obj count = 1 )
12/02/06 21:38:33 >> : security association payload
12/02/06 21:38:33 >> : - proposal #1 payload
12/02/06 21:38:33 >> : -- transform #1 payload
12/02/06 21:38:33 >> : key exchange payload
12/02/06 21:38:33 >> : nonce payload
12/02/06 21:38:33 >> : identification payload
12/02/06 21:38:33 >> : vendor id payload
12/02/06 21:38:33 ii : local supports XAUTH
12/02/06 21:38:33 >> : vendor id payload
12/02/06 21:38:33 ii : local supports nat-t ( draft v00 )
12/02/06 21:38:33 >> : vendor id payload
12/02/06 21:38:33 ii : local supports nat-t ( draft v01 )
12/02/06 21:38:33 >> : vendor id payload
12/02/06 21:38:33 ii : local supports nat-t ( draft v02 )
12/02/06 21:38:33 >> : vendor id payload
12/02/06 21:38:33 ii : local supports nat-t ( draft v03 )
12/02/06 21:38:33 >> : vendor id payload
12/02/06 21:38:33 ii : local supports nat-t ( rfc )
12/02/06 21:38:33 >> : vendor id payload
12/02/06 21:38:33 ii : local supports DPDv1
12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is SHREW SOFT compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is NETSCREEN compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is SIDEWINDER compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is CISCO UNITY compatible 12/02/06 21:38:33 >= : cookies f88412956c4b60da:0000000000000000 12/02/06 21:38:33 >= : message 00000000 12/02/06 21:38:33 -> : send IKE packet 192.168.1.6:500 -> xx.xx.xx.xx:500 ( 468 bytes ) 12/02/06 21:38:33 DB : phase1 resend event scheduled ( ref count = 2 ) 12/02/06 21:38:33 DB : phase1 ref decrement ( ref count = 1, obj count = 1 ) 12/02/06 21:38:33 DB : tunnel ref increment ( ref count = 3, obj count = 1 ) 12/02/06 21:38:34 <- : recv IKE packet xx.xx.xx.xx:500 -> 192.168.1.6:500 ( 320 bytes ) 12/02/06 21:38:34 DB : phase1 found 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 2, obj count = 1 ) 12/02/06 21:38:34 ii : processing phase1 packet ( 320 bytes ) 12/02/06 21:38:34 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 =< : message 00000000 12/02/06 21:38:34 << : security association payload 12/02/06 21:38:34 << : - propsal #1 payload 12/02/06 21:38:34 << : -- transform #1 payload 12/02/06 21:38:34 ii : matched isakmp proposal #1 transform #1 12/02/06 21:38:34 ii : - transform = ike 12/02/06 21:38:34 ii : - cipher type = 3des 12/02/06 21:38:34 ii : - key length = default 12/02/06 21:38:34 ii : - hash type = sha1 12/02/06 21:38:34 ii : - dh group = modp-768 12/02/06 21:38:34 ii : - auth type = xauth-initiator-psk 12/02/06 21:38:34 ii : - life seconds = 86400 12/02/06 21:38:34 ii : - life kbytes = 0 12/02/06 21:38:34 << : key exchange payload 12/02/06 21:38:34 << : nonce payload 12/02/06 21:38:34 << : identification payload 12/02/06 21:38:34 ii : phase1 id target is any 12/02/06 21:38:34 ii : phase1 id match 12/02/06 21:38:34 ii : received = ipv4-host 
xx.xx.xx.xx 12/02/06 21:38:34 << : vendor id payload 12/02/06 21:38:34 ii : peer supports DPDv1 12/02/06 21:38:34 << : vendor id payload 12/02/06 21:38:34 ii : peer supports nat-t ( draft v02 ) 12/02/06 21:38:34 << : nat discovery payload 12/02/06 21:38:34 << : nat discovery payload 12/02/06 21:38:34 << : hash payload 12/02/06 21:38:34 ii : nat discovery - local address is translated 12/02/06 21:38:34 ii : switching to src nat-t udp port 4500 12/02/06 21:38:34 ii : switching to dst nat-t udp port 4500 12/02/06 21:38:34 == : DH shared secret ( 96 bytes ) 12/02/06 21:38:34 == : SETKEYID ( 20 bytes ) 12/02/06 21:38:34 == : SETKEYID_d ( 20 bytes ) 12/02/06 21:38:34 == : SETKEYID_a ( 20 bytes ) 12/02/06 21:38:34 == : SETKEYID_e ( 20 bytes ) 12/02/06 21:38:34 == : cipher key ( 40 bytes ) 12/02/06 21:38:34 == : cipher iv ( 8 bytes ) 12/02/06 21:38:34 == : phase1 hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:34 >> : hash payload 12/02/06 21:38:34 >> : nat discovery payload 12/02/06 21:38:34 >> : nat discovery payload 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message 00000000 12/02/06 21:38:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : encrypt packet ( 100 bytes ) 12/02/06 21:38:34 == : stored iv ( 8 bytes ) 12/02/06 21:38:34 DB : phase1 resend event canceled ( ref count = 1 ) 12/02/06 21:38:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx4500 ( 132 bytes ) 12/02/06 21:38:34 == : phase1 hash_r ( computed ) ( 20 bytes ) 12/02/06 21:38:34 == : phase1 hash_r ( received ) ( 20 bytes ) 12/02/06 21:38:34 ii : phase1 sa established 12/02/06 21:38:34 ii : xx.xx.xx.xx:4500 <-> 192.168.1.6:4500 12/02/06 21:38:34 ii : f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 ii : sending peer INITIAL-CONTACT notification 12/02/06 21:38:34 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:34 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 ii : - data size 0 12/02/06 21:38:34 >> : hash 
payload 12/02/06 21:38:34 >> : notification payload 12/02/06 21:38:34 == : new informational hash ( 20 bytes ) 12/02/06 21:38:34 == : new informational iv ( 8 bytes ) 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message f653a002 12/02/06 21:38:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : encrypt packet ( 80 bytes ) 12/02/06 21:38:34 == : stored iv ( 8 bytes ) 12/02/06 21:38:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 5, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 2, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 3, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 DB : phase2 not found 12/02/06 21:38:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:34 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 116 bytes ) 12/02/06 21:38:34 DB : phase1 found 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 ii : processing config packet ( 116 bytes ) 12/02/06 21:38:34 DB : config not found 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 6, obj count = 1 ) 12/02/06 21:38:34 DB : config ref increment ( ref count = 1, obj count = 0 ) 12/02/06 21:38:34 DB : config added ( obj count = 1 ) 12/02/06 21:38:34 == : new config iv ( 8 bytes ) 12/02/06 21:38:34 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 =< : message 84d14434 12/02/06 21:38:34 =< : decrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : decrypt packet ( 116 bytes ) 12/02/06 21:38:34 <= : trimmed packet padding ( 2 bytes ) 12/02/06 21:38:34 <= : stored iv ( 8 bytes ) 12/02/06 21:38:34 << : hash payload 12/02/06 21:38:34 << : attribute payload 12/02/06 21:38:34 == : configure 
hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:34 == : configure hash_c ( computed ) ( 20 bytes ) 12/02/06 21:38:34 ii : configure hash verified 12/02/06 21:38:34 ii : - xauth username 12/02/06 21:38:34 ii : - xauth password 12/02/06 21:38:34 ii : received basic xauth request - Please Enter Your User Name and Password : 12/02/06 21:38:34 ii : - standard xauth username 12/02/06 21:38:34 ii : - standard xauth password 12/02/06 21:38:34 ii : sending xauth response for 12/02/06 21:38:34 >> : hash payload 12/02/06 21:38:34 >> : attribute payload 12/02/06 21:38:34 == : new configure hash ( 20 bytes ) 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message 84d14434 12/02/06 21:38:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : encrypt packet ( 93 bytes ) 12/02/06 21:38:34 == : stored iv ( 8 bytes ) 12/02/06 21:38:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 132 bytes ) 12/02/06 21:38:34 DB : config resend event scheduled ( ref count = 2 ) 12/02/06 21:38:34 DB : config ref decrement ( ref count = 1, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:35 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 100 bytes ) 12/02/06 21:38:35 DB : phase1 found 12/02/06 21:38:35 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:35 ii : processing config packet ( 100 bytes ) 12/02/06 21:38:35 DB : config found 12/02/06 21:38:35 DB : config ref increment ( ref count = 2, obj count = 1 ) 12/02/06 21:38:35 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:35 =< : message 84d14434 12/02/06 21:38:35 =< : decrypt iv ( 8 bytes ) 12/02/06 21:38:35 == : decrypt packet ( 100 bytes ) 12/02/06 21:38:35 <= : trimmed packet padding ( 4 bytes ) 12/02/06 21:38:35 <= : stored iv ( 8 bytes ) 12/02/06 21:38:35 << : hash payload 12/02/06 21:38:35 << : attribute payload 12/02/06 21:38:35 == : configure hash_i ( computed ) ( 20 
bytes ) 12/02/06 21:38:35 == : configure hash_c ( computed ) ( 20 bytes ) 12/02/06 21:38:35 ii : configure hash verified 12/02/06 21:38:35 ii : received xauth result - 12/02/06 21:38:35 ii : user authentication succeeded 12/02/06 21:38:35 ii : sending xauth acknowledge 12/02/06 21:38:35 >> : hash payload 12/02/06 21:38:35 >> : attribute payload 12/02/06 21:38:35 == : new configure hash ( 20 bytes ) 12/02/06 21:38:35 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:35 >= : message 84d14434 12/02/06 21:38:35 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:35 == : encrypt packet ( 60 bytes ) 12/02/06 21:38:35 == : stored iv ( 8 bytes ) 12/02/06 21:38:35 DB : config resend event canceled ( ref count = 1 ) 12/02/06 21:38:35 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 92 bytes ) 12/02/06 21:38:35 DB : config resend event scheduled ( ref count = 2 ) 12/02/06 21:38:35 ii : building config attribute list 12/02/06 21:38:35 ii : - IP4 Address 12/02/06 21:38:35 ii : - Address Expiry 12/02/06 21:38:35 ii : - IP4 Netamask 12/02/06 21:38:35 ii : - IP4 DNS Server 12/02/06 21:38:35 ii : - IP4 WINS Server 12/02/06 21:38:35 ii : - IP4 Subnet 12/02/06 21:38:35 == : new config iv ( 8 bytes ) 12/02/06 21:38:35 ii : sending config pull request 12/02/06 21:38:35 >> : hash payload 12/02/06 21:38:35 >> : attribute payload 12/02/06 21:38:35 == : new configure hash ( 20 bytes ) 12/02/06 21:38:35 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:35 >= : message 6a213b7c 12/02/06 21:38:35 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:35 == : encrypt packet ( 84 bytes ) 12/02/06 21:38:35 == : stored iv ( 8 bytes ) 12/02/06 21:38:35 DB : config resend event canceled ( ref count = 1 ) 12/02/06 21:38:35 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:38:35 DB : config resend event scheduled ( ref count = 2 ) 12/02/06 21:38:35 DB : config ref decrement ( ref count = 1, obj count = 1 ) 12/02/06 21:38:35 DB : phase1 ref 
decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:40 -> : resend 1 config packet(s) 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:45 -> : resend 1 config packet(s) 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:49 DB : phase1 found 12/02/06 21:38:49 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:49 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:38:49 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:49 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 ii : - data size 4 12/02/06 21:38:49 >> : hash payload 12/02/06 21:38:49 >> : notification payload 12/02/06 21:38:49 == : new informational hash ( 20 bytes ) 12/02/06 21:38:49 == : new informational iv ( 8 bytes ) 12/02/06 21:38:49 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 >= : message 4fa00751 12/02/06 21:38:49 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:49 == : encrypt packet ( 84 bytes ) 12/02/06 21:38:49 == : stored iv ( 8 bytes ) 12/02/06 21:38:49 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:38:49 ii : DPD ARE-YOU-THERE sequence 25f03682 requested 12/02/06 21:38:49 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:49 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:38:49 DB : phase1 found 12/02/06 21:38:49 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:49 ii : processing informational packet ( 84 bytes ) 12/02/06 21:38:49 == : new informational iv ( 8 bytes ) 12/02/06 21:38:49 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 =< : message 87841a4f 12/02/06 21:38:49 =< : decrypt iv ( 8 bytes ) 12/02/06 21:38:49 == : decrypt packet ( 84 bytes ) 12/02/06 21:38:49 <= : stored iv ( 8 bytes ) 12/02/06 21:38:49 << : hash payload 12/02/06 21:38:49 << : notification payload 12/02/06 21:38:49 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:49 == : 
informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:38:49 ii : informational hash verified 12/02/06 21:38:49 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:38:49 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:38:49 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 ii : - data size 4 12/02/06 21:38:49 ii : DPD ARE-YOU-THERE-ACK sequence 25f03682 accepted 12/02/06 21:38:49 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:38:49 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:50 -> : resend 1 config packet(s) 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:54 DB : phase1 found 12/02/06 21:38:54 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:54 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:54 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:55 ii : resend limit exceeded for config exchange 12/02/06 21:38:55 DB : config deleted ( obj count = 0 ) 12/02/06 21:38:55 DB : tunnel ref decrement ( ref count = 5, obj count = 1 ) 12/02/06 21:39:04 DB : phase1 found 12/02/06 21:39:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:04 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:39:04 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:39:04 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 ii : - data size 4 12/02/06 21:39:04 >> : hash payload 12/02/06 21:39:04 >> : notification payload 12/02/06 21:39:04 == : new informational hash ( 20 bytes ) 12/02/06 21:39:04 == : new informational iv ( 8 bytes ) 12/02/06 21:39:04 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 >= : message c7f0488b 12/02/06 21:39:04 >= : encrypt iv ( 8 bytes ) 12/02/06 21:39:04 == : encrypt packet ( 84 bytes ) 12/02/06 21:39:04 == : stored iv ( 8 bytes ) 12/02/06 21:39:04 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> 
xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:39:04 ii : DPD ARE-YOU-THERE sequence 25f03683 requested 12/02/06 21:39:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:04 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:39:04 DB : phase1 found 12/02/06 21:39:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:04 ii : processing informational packet ( 84 bytes ) 12/02/06 21:39:04 == : new informational iv ( 8 bytes ) 12/02/06 21:39:04 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 =< : message fbc22a40 12/02/06 21:39:04 =< : decrypt iv ( 8 bytes ) 12/02/06 21:39:04 == : decrypt packet ( 84 bytes ) 12/02/06 21:39:04 <= : stored iv ( 8 bytes ) 12/02/06 21:39:04 << : hash payload 12/02/06 21:39:04 << : notification payload 12/02/06 21:39:04 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:39:04 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:39:04 ii : informational hash verified 12/02/06 21:39:04 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:39:04 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:39:04 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 ii : - data size 4 12/02/06 21:39:04 ii : DPD ARE-YOU-THERE-ACK sequence 25f03683 accepted 12/02/06 21:39:04 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:39:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:14 DB : phase1 found 12/02/06 21:39:14 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:14 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:39:14 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:19 DB : phase1 found 12/02/06 21:39:19 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:19 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:39:19 ii : - 192.168.1.6:4500 
-> xx.xx.xx.xx:4500 12/02/06 21:39:19 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:19 ii : - data size 4 12/02/06 21:39:19 >> : hash payload 12/02/06 21:39:19 >> : notification payload 12/02/06 21:39:19 == : new informational hash ( 20 bytes ) 12/02/06 21:39:19 == : new informational iv ( 8 bytes ) 12/02/06 21:39:19 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:19 >= : message b292a263 12/02/06 21:39:19 >= : encrypt iv ( 8 bytes ) 12/02/06 21:39:19 == : encrypt packet ( 84 bytes ) 12/02/06 21:39:19 == : stored iv ( 8 bytes ) 12/02/06 21:39:19 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:39:19 ii : DPD ARE-YOU-THERE sequence 25f03684 requested 12/02/06 21:39:19 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:19 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:39:19 DB : phase1 found 12/02/06 21:39:19 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:19 ii : processing informational packet ( 84 bytes ) 12/02/06 21:39:19 == : new informational iv ( 8 bytes ) 12/02/06 21:39:19 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:19 =< : message c92ea38f 12/02/06 21:39:19 =< : decrypt iv ( 8 bytes ) 12/02/06 21:39:19 == : decrypt packet ( 84 bytes ) 12/02/06 21:39:19 <= : stored iv ( 8 bytes ) 12/02/06 21:39:19 << : hash payload 12/02/06 21:39:19 << : notification payload 12/02/06 21:39:19 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:39:19 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:39:19 ii : informational hash verified 12/02/06 21:39:19 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:39:19 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:39:19 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:19 ii : - data size 4 12/02/06 21:39:19 ii : DPD ARE-YOU-THERE-ACK sequence 25f03684 accepted 12/02/06 21:39:19 ii : 
next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:39:19 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:34 DB : phase1 found 12/02/06 21:39:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:34 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:39:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:34 DB : phase1 found 12/02/06 21:39:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:34 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:39:34 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:39:34 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:34 ii : - data size 4 12/02/06 21:39:34 >> : hash payload 12/02/06 21:39:34 >> : notification payload 12/02/06 21:39:34 == : new informational hash ( 20 bytes ) 12/02/06 21:39:34 == : new informational iv ( 8 bytes ) 12/02/06 21:39:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:34 >= : message 275ea992 12/02/06 21:39:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:39:34 == : encrypt packet ( 84 bytes ) 12/02/06 21:39:34 == : stored iv ( 8 bytes ) 12/02/06 21:39:34 -> : send NAT-T:IKE packet 192.168.1.6:4500->xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:39:34 ii : DPD ARE-YOU-THERE sequence 25f03685 requested 12/02/06 21:39:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:34 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:39:34 DB : phase1 found 12/02/06 21:39:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:34 ii : processing informational packet ( 84 bytes ) 12/02/06 21:39:34 == : new informational iv ( 8 bytes ) 12/02/06 21:39:34 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:34 =< : message 8d1e702e 12/02/06 21:39:34 =< : decrypt iv ( 8 bytes ) 12/02/06 21:39:34 == : decrypt packet ( 84 bytes ) 12/02/06 21:39:34 
<= : stored iv ( 8 bytes ) 12/02/06 21:39:34 << : hash payload 12/02/06 21:39:34 << : notification payload 12/02/06 21:39:34 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:39:34 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:39:34 ii : informational hash verified 12/02/06 21:39:34 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:39:34 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:39:34 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:34 ii : - data size 4 12/02/06 21:39:34 ii : DPD ARE-YOU-THERE-ACK sequence 25f03685 accepted 12/02/06 21:39:34 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:39:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:49 DB : phase1 found 12/02/06 21:39:49 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:49 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:39:49 ii : - 192.168.1.6:4500 -> 12.249.128.94:4500 12/02/06 21:39:49 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:49 ii : - data size 4 12/02/06 21:39:49 >> : hash payload 12/02/06 21:39:49 >> : notification payload 12/02/06 21:39:49 == : new informational hash ( 20 bytes ) 12/02/06 21:39:49 == : new informational iv ( 8 bytes ) 12/02/06 21:39:49 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:49 >= : message 0dd7dfcb 12/02/06 21:39:49 >= : encrypt iv ( 8 bytes ) 12/02/06 21:39:49 == : encrypt packet ( 84 bytes ) 12/02/06 21:39:49 == : stored iv ( 8 bytes ) 12/02/06 21:39:49 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:39:49 ii : DPD ARE-YOU-THERE sequence 25f03686 requested 12/02/06 21:39:49 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:49 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:39:49 DB : phase1 found 12/02/06 21:39:49 DB : phase1 ref increment ( ref count = 4, 
obj count = 1 ) 12/02/06 21:39:49 ii : processing informational packet ( 84 bytes ) 12/02/06 21:39:49 == : new informational iv ( 8 bytes ) 12/02/06 21:40:04 DB : phase1 found 12/02/06 21:40:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:04 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:40:04 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:40:04 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:04 ii : - data size 4 12/02/06 21:40:04 >> : hash payload 12/02/06 21:40:04 >> : notification payload 12/02/06 21:40:04 == : new informational hash ( 20 bytes ) 12/02/06 21:40:04 == : new informational iv ( 8 bytes ) 12/02/06 21:40:04 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:04 >= : message 30a04be5 12/02/06 21:40:04 >= : encrypt iv ( 8 bytes ) 12/02/06 21:40:04 == : encrypt packet ( 84 bytes ) 12/02/06 21:40:04 == : stored iv ( 8 bytes ) 12/02/06 21:40:04 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:40:04 ii : DPD ARE-YOU-THERE sequence 25f03687 requested 12/02/06 21:40:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:04 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:40:04 DB : phase1 found 12/02/06 21:40:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:04 ii : processing informational packet ( 84 bytes ) 12/02/06 21:40:04 == : new informational iv ( 8 bytes ) 12/02/06 21:40:04 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:04 =< : message b1407db0 12/02/06 21:40:04 =< : decrypt iv ( 8 bytes ) 12/02/06 21:40:04 == : decrypt packet ( 84 bytes ) 12/02/06 21:40:04 <= : stored iv ( 8 bytes ) 12/02/06 21:40:04 << : hash payload 12/02/06 21:40:04 << : notification payload 12/02/06 21:40:04 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:40:04 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:40:04 ii : 
informational hash verified 12/02/06 21:40:04 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:40:04 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:40:04 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:04 ii : - data size 4 12/02/06 21:40:04 ii : DPD ARE-YOU-THERE-ACK sequence 25f03687 accepted 12/02/06 21:40:04 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:40:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:14 DB : phase1 found 12/02/06 21:40:14 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:14 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:40:14 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:19 DB : phase1 found 12/02/06 21:40:19 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:19 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:40:19 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:40:19 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:19 ii : - data size 4 12/02/06 21:40:19 >> : hash payload 12/02/06 21:40:19 >> : notification payload 12/02/06 21:40:19 == : new informational hash ( 20 bytes ) 12/02/06 21:40:19 == : new informational iv ( 8 bytes ) 12/02/06 21:40:19 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:19 >= : message 211c1463 12/02/06 21:40:19 >= : encrypt iv ( 8 bytes ) 12/02/06 21:40:19 == : encrypt packet ( 84 bytes ) 12/02/06 21:40:19 == : stored iv ( 8 bytes ) 12/02/06 21:40:19 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:40:19 ii : DPD ARE-YOU-THERE sequence 25f03688 requested 12/02/06 21:40:19 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:19 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:40:19 DB : phase1 found 12/02/06 21:40:19 DB : phase1 ref increment ( ref 
count = 4, obj count = 1 ) 12/02/06 21:40:19 ii : processing informational packet ( 84 bytes ) 12/02/06 21:40:19 == : new informational iv ( 8 bytes ) 12/02/06 21:40:19 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:19 =< : message bcdd000f 12/02/06 21:40:19 =< : decrypt iv ( 8 bytes ) 12/02/06 21:40:19 == : decrypt packet ( 84 bytes ) 12/02/06 21:40:19 <= : stored iv ( 8 bytes ) 12/02/06 21:40:19 << : hash payload 12/02/06 21:40:19 << : notification payload 12/02/06 21:40:19 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:40:19 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:40:19 ii : informational hash verified 12/02/06 21:40:19 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:40:19 ii : -xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:40:19 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:19 ii : - data size 4 12/02/06 21:40:19 ii : DPD ARE-YOU-THERE-ACK sequence 25f03688 accepted 12/02/06 21:40:19 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:40:19 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) -------------- next part -------------- An HTML attachment was scrubbed... URL: From olli.henttonen at datapro.fi Tue Feb 7 21:35:10 2012 From: olli.henttonen at datapro.fi (Olli Henttonen) Date: Wed, 8 Feb 2012 03:35:10 +0000 Subject: [vpn-help] How to disable Windows 7 pre login? Message-ID: <23F1D05DF13E7046A5BCD1EB0E35B0D901F862@DB3PRD0502MB100.eurprd05.prod.outlook.com> How to disable windows 7 pre login if not needed? Btw. Thanks for this great software! Regards, OLLI -------------- next part -------------- An HTML attachment was scrubbed... 
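Added example (not part of any list message, and not Shrew Soft code): a small Python triage script for iked.log traces like the one posted in the WatchGuard report above. It splits on the timestamp so it also works on a flattened paste, reports which negotiation stages were reached and which exchange hit its resend limit, and flags the 3des / modp-768 proposal values seen in that trace. The function names and the `WEAK` table are assumptions, and the sample is a constructed excerpt of the posted log.

```python
import re

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"

# Stage markers, using message texts that appear in the traces on this page.
MILESTONES = [
    ("phase1", r"phase1 sa established"),
    ("xauth", r"^user\b.*authentication succeeded"),
    ("config", r"received config pull response"),
]

# Proposal values to flag, spelled as in the posted trace (assumption: extend
# this table to match your own policy).
WEAK = {"cipher type": {"3des"}, "dh group": {"modp-768"}}


def entries(text):
    """Yield (timestamp, tag, message) for each parsable log entry."""
    # Splitting before every timestamp copes with one-entry-per-line logs
    # and with pastes where the line breaks were lost.
    for chunk in re.split(rf"(?={STAMP})", text):
        m = re.match(rf"({STAMP})\s+(\S+)\s+:\s+(.*)", chunk.strip(), re.S)
        if m:
            yield m.group(1), m.group(2), " ".join(m.group(3).split())


def triage(text):
    """Summarise how far the negotiation got and where it stalled."""
    reached, stalled, proposal = [], [], {}
    for ts, _tag, msg in entries(text):
        for name, pattern in MILESTONES:
            if name not in reached and re.search(pattern, msg):
                reached.append(name)
        m = re.search(r"resend limit exceeded for (\w+) exchange", msg)
        if m:
            stalled.append((ts, m.group(1)))
        m = re.match(r"- (cipher type|hash type|dh group|auth type) = (\S+)", msg)
        if m:
            proposal.setdefault(m.group(1), m.group(2))
    weak = sorted(f"{k}={v}" for k, v in proposal.items() if v in WEAK.get(k, ()))
    return {"reached": reached, "stalled": stalled,
            "proposal": proposal, "weak": weak}


def verdict(result):
    """One-line reading of a triage() result."""
    last = result["reached"][-1] if result["reached"] else "nothing"
    if result["stalled"]:
        ts, exchange = result["stalled"][0]
        return f"{exchange} exchange gave up at {ts}; last completed stage: {last}"
    return f"no resend limit hit; last completed stage: {last}"


# Constructed sample: entries excerpted from the trace above, flattened.
SAMPLE = (
    "12/02/06 21:38:34 ii : matched isakmp proposal #1 transform #1 "
    "12/02/06 21:38:34 ii : - cipher type = 3des "
    "12/02/06 21:38:34 ii : - hash type = sha1 "
    "12/02/06 21:38:34 ii : - dh group = modp-768 "
    "12/02/06 21:38:34 ii : phase1 sa established "
    "12/02/06 21:38:35 ii : user authentication succeeded "
    "12/02/06 21:38:35 ii : sending config pull request "
    "12/02/06 21:38:40 -> : resend 1 config packet(s) "
    "192.168.1.6:4500 -> xx.xx.xx.xx:4500 "
    "12/02/06 21:38:55 ii : resend limit exceeded for config exchange "
    "12/02/06 21:38:55 DB : config deleted ( obj count = 0 )"
)

if __name__ == "__main__":
    summary = triage(SAMPLE)
    print(verdict(summary))
    print("weak proposal values:", ", ".join(summary["weak"]) or "none")
```
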
From jacques.eeses at wanadoo.fr Wed Feb 8 04:35:13 2012
From: jacques.eeses at wanadoo.fr (Jacques EESES)
Date: Wed, 8 Feb 2012 11:35:13 +0100
Subject: [vpn-help] Run shrew withiout graphic interface
Message-ID:

Good day

How do run ikea without graphic interface for establish a vpn connection between a linux server and my router ?

What command linux do i used for that ?

Thank you and excuse me for bad english .
I am french man .

Best regards
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From stephen.more at gmail.com Wed Feb 8 05:23:21 2012
From: stephen.more at gmail.com (Stephen More)
Date: Wed, 8 Feb 2012 06:23:21 -0500
Subject: [vpn-help] Run shrew withiout graphic interface
In-Reply-To:
References:
Message-ID:

ikec

On Wed, Feb 8, 2012 at 5:35 AM, Jacques EESES wrote:
> Good day
>
> How do run ikea without graphic interface for establish a vpn connection
> between a linux server and my router ?
>
> What command linux do i used for that ?
>
> Thank you and excuse me for bad english .
> I am french man .
>
>
> Best regards
>
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
>

From jernej's-shrew at eternallybored.org Wed Feb 8 08:08:23 2012
From: jernej's-shrew at eternallybored.org (=?utf-8?Q?Jernej_Simon=C4=8Di=C4=8D?=)
Date: Wed, 8 Feb 2012 15:08:23 +0100
Subject: [vpn-help] How to disable Windows 7 pre login?
In-Reply-To: <23F1D05DF13E7046A5BCD1EB0E35B0D901F862@DB3PRD0502MB100.eurprd05.prod.outlook.com>
References: <23F1D05DF13E7046A5BCD1EB0E35B0D901F862@DB3PRD0502MB100.eurprd05.prod.outlook.com>
Message-ID: <1498845072.20120208150823@eternallybored.org>

On Wednesday, February 8, 2012, 4:35:10, Olli Henttonen wrote:

> How to disable windows 7 pre login if not needed?

Uninstall, then install again without the Credential provider component.

--
< Jernej Simončič ><><><><>< http://eternallybored.org/ >

Food that tastes the best has the highest number of calories.
       -- Dieter's Law

From aroper at bcsvoicedata.com Wed Feb 8 09:42:24 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Wed, 8 Feb 2012 15:42:24 +0000
Subject: [vpn-help] Run shrew withiout graphic interface
In-Reply-To:
References:
Message-ID: <20B2861F76CB724690F1809A616849052AAC8098@CORPSERV.bcsvds.local>

Jacques,

You would not use Shrew in this instance. You would just set up a standard IPSec VPN connection between the Linux server and the router. The procedures for this vary depending on the Linux distribution and the type of router.

Regards,
Andrew

From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Jacques EESES
Sent: Wednesday, February 08, 2012 5:35 AM
To: vpn-help at lists.shrew.net
Subject: [vpn-help] Run shrew withiout graphic interface

Good day

How do run ikea without graphic interface for establish a vpn connection between a linux server and my router ?

What command linux do i used for that ?

Thank you and excuse me for bad english .
I am french man .

Best regards
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jacques.eeses at wanadoo.fr Wed Feb 8 10:30:42 2012
From: jacques.eeses at wanadoo.fr (Jacques EESES)
Date: Wed, 8 Feb 2012 17:30:42 +0100
Subject: [vpn-help] How to disable Windows 7 pre login?
In-Reply-To: <1498845072.20120208150823@eternallybored.org>
References: <23F1D05DF13E7046A5BCD1EB0E35B0D901F862@DB3PRD0502MB100.eurprd05.prod.outlook.com> <1498845072.20120208150823@eternallybored.org>
Message-ID:

error it's no for me jack

2012/2/8 Jernej Simončič

> On Wednesday, February 8, 2012, 4:35:10, Olli Henttonen wrote:
>
> > How to disable windows 7 pre login if not needed?
>
> Uninstall, then install again without the Credential provider
> component.
>
> --
> < Jernej Simončič ><><><><>< http://eternallybored.org/ >
>
> Food that tastes the best has the highest number of calories.
>        -- Dieter's Law
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From aroper at bcsvoicedata.com Wed Feb 8 09:40:40 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Wed, 8 Feb 2012 15:40:40 +0000
Subject: [vpn-help] No packets going through Watchguard
In-Reply-To:
References:
Message-ID: <20B2861F76CB724690F1809A616849052AAC807D@CORPSERV.bcsvds.local>

Mike,

It doesn't look like Phase 2 is being completed. Without Phase 2 negotiations completing you cannot build the tunnel. Check your Phase 2 proposals on the client and make sure they match with what the firewall is expecting.

Regards,
Andrew

From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Mike Pacifico
Sent: Tuesday, February 07, 2012 12:56 AM
To: vpn-help at lists.shrew.net
Subject: [vpn-help] No packets going through Watchguard

Hello,

Just installed a watchguard XTM 510 4.2.1. Exported the .vpn, imported the config file into the VPN client. According to the watchguard, I am authenticated as a client, or am I? No packets are being moved. I apologize in advance if I'm overlooking the obvious, but it's been a very long day.

The following is the VPN trace:

12/02/06 21:37:52 ## : IKE Daemon, ver 2.1.7
12/02/06 21:37:52 ## : Copyright 2010 Shrew Soft Inc.
12/02/06 21:37:52 ## : This product linked OpenSSL 0.9.8h 28 May 2008
12/02/06 21:37:52 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
12/02/06 21:37:52 ii : rebuilding vnet device list ...
12/02/06 21:37:52 ii : device ROOT\VNET\0000 disabled
12/02/06 21:37:52 ii : network process thread begin ...
12/02/06 21:37:52 ii : pfkey process thread begin ...
12/02/06 21:37:52 ii : ipc server process thread begin ... 12/02/06 21:38:33 ii : ipc client process thread begin ... 12/02/06 21:38:33 _VPN' message 12/02/06 21:38:33 <-> xx.xx.xx.xx:500 12/02/06 21:38:33 DB : f88412956c4b60da:0000000000000000 12/02/06 21:38:33 DB : phase1 ref increment ( ref count = 1, obj count = 0 ) 12/02/06 21:38:33 DB : phase1 added ( obj count = 1 ) 12/02/06 21:38:33 >> : security association payload 12/02/06 21:38:33 >> : - proposal #1 payload 12/02/06 21:38:33 >> : -- transform #1 payload 12/02/06 21:38:33 >> : key exchange payload 12/02/06 21:38:33 >> : nonce payload 12/02/06 21:38:33 >> : identification payload 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports XAUTH 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v00 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v01 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v02 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( draft v03 ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports nat-t ( rfc ) 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local supports DPDv1 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is SHREW SOFT compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is NETSCREEN compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is SIDEWINDER compatible 12/02/06 21:38:33 >> : vendor id payload 12/02/06 21:38:33 ii : local is CISCO UNITY compatible 12/02/06 21:38:33 >= : cookies f88412956c4b60da:0000000000000000 12/02/06 21:38:33 >= : message 00000000 12/02/06 21:38:33 -> : send IKE packet 192.168.1.6:500 -> xx.xx.xx.xx:500 ( 468 bytes ) 12/02/06 21:38:33 DB : phase1 resend event scheduled ( ref count = 2 ) 12/02/06 21:38:33 DB : phase1 ref decrement ( ref 
count = 1, obj count = 1 ) 12/02/06 21:38:33 DB : tunnel ref increment ( ref count = 3, obj count = 1 ) 12/02/06 21:38:34 <- : recv IKE packet xx.xx.xx.xx:500 -> 192.168.1.6:500 ( 320 bytes ) 12/02/06 21:38:34 DB : phase1 found 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 2, obj count = 1 ) 12/02/06 21:38:34 ii : processing phase1 packet ( 320 bytes ) 12/02/06 21:38:34 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 =< : message 00000000 12/02/06 21:38:34 << : security association payload 12/02/06 21:38:34 << : - propsal #1 payload 12/02/06 21:38:34 << : -- transform #1 payload 12/02/06 21:38:34 ii : matched isakmp proposal #1 transform #1 12/02/06 21:38:34 ii : - transform = ike 12/02/06 21:38:34 ii : - cipher type = 3des 12/02/06 21:38:34 ii : - key length = default 12/02/06 21:38:34 ii : - hash type = sha1 12/02/06 21:38:34 ii : - dh group = modp-768 12/02/06 21:38:34 ii : - auth type = xauth-initiator-psk 12/02/06 21:38:34 ii : - life seconds = 86400 12/02/06 21:38:34 ii : - life kbytes = 0 12/02/06 21:38:34 << : key exchange payload 12/02/06 21:38:34 << : nonce payload 12/02/06 21:38:34 << : identification payload 12/02/06 21:38:34 ii : phase1 id target is any 12/02/06 21:38:34 ii : phase1 id match 12/02/06 21:38:34 ii : received = ipv4-host xx.xx.xx.xx 12/02/06 21:38:34 << : vendor id payload 12/02/06 21:38:34 ii : peer supports DPDv1 12/02/06 21:38:34 << : vendor id payload 12/02/06 21:38:34 ii : peer supports nat-t ( draft v02 ) 12/02/06 21:38:34 << : nat discovery payload 12/02/06 21:38:34 << : nat discovery payload 12/02/06 21:38:34 << : hash payload 12/02/06 21:38:34 ii : nat discovery - local address is translated 12/02/06 21:38:34 ii : switching to src nat-t udp port 4500 12/02/06 21:38:34 ii : switching to dst nat-t udp port 4500 12/02/06 21:38:34 == : DH shared secret ( 96 bytes ) 12/02/06 21:38:34 == : SETKEYID ( 20 bytes ) 12/02/06 21:38:34 == : SETKEYID_d ( 20 bytes ) 12/02/06 21:38:34 == : SETKEYID_a ( 20 bytes ) 
12/02/06 21:38:34 == : SETKEYID_e ( 20 bytes ) 12/02/06 21:38:34 == : cipher key ( 40 bytes ) 12/02/06 21:38:34 == : cipher iv ( 8 bytes ) 12/02/06 21:38:34 == : phase1 hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:34 >> : hash payload 12/02/06 21:38:34 >> : nat discovery payload 12/02/06 21:38:34 >> : nat discovery payload 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message 00000000 12/02/06 21:38:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : encrypt packet ( 100 bytes ) 12/02/06 21:38:34 == : stored iv ( 8 bytes ) 12/02/06 21:38:34 DB : phase1 resend event canceled ( ref count = 1 ) 12/02/06 21:38:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx4500 ( 132 bytes ) 12/02/06 21:38:34 == : phase1 hash_r ( computed ) ( 20 bytes ) 12/02/06 21:38:34 == : phase1 hash_r ( received ) ( 20 bytes ) 12/02/06 21:38:34 ii : phase1 sa established 12/02/06 21:38:34 ii : xx.xx.xx.xx:4500 <-> 192.168.1.6:4500 12/02/06 21:38:34 ii : f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 ii : sending peer INITIAL-CONTACT notification 12/02/06 21:38:34 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:34 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 ii : - data size 0 12/02/06 21:38:34 >> : hash payload 12/02/06 21:38:34 >> : notification payload 12/02/06 21:38:34 == : new informational hash ( 20 bytes ) 12/02/06 21:38:34 == : new informational iv ( 8 bytes ) 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message f653a002 12/02/06 21:38:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : encrypt packet ( 80 bytes ) 12/02/06 21:38:34 == : stored iv ( 8 bytes ) 12/02/06 21:38:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 5, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref 
increment ( ref count = 2, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 3, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 DB : phase2 not found 12/02/06 21:38:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:34 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 116 bytes ) 12/02/06 21:38:34 DB : phase1 found 12/02/06 21:38:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:34 ii : processing config packet ( 116 bytes ) 12/02/06 21:38:34 DB : config not found 12/02/06 21:38:34 DB : tunnel ref increment ( ref count = 6, obj count = 1 ) 12/02/06 21:38:34 DB : config ref increment ( ref count = 1, obj count = 0 ) 12/02/06 21:38:34 DB : config added ( obj count = 1 ) 12/02/06 21:38:34 == : new config iv ( 8 bytes ) 12/02/06 21:38:34 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 =< : message 84d14434 12/02/06 21:38:34 =< : decrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : decrypt packet ( 116 bytes ) 12/02/06 21:38:34 <= : trimmed packet padding ( 2 bytes ) 12/02/06 21:38:34 <= : stored iv ( 8 bytes ) 12/02/06 21:38:34 << : hash payload 12/02/06 21:38:34 << : attribute payload 12/02/06 21:38:34 == : configure hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:34 == : configure hash_c ( computed ) ( 20 bytes ) 12/02/06 21:38:34 ii : configure hash verified 12/02/06 21:38:34 ii : - xauth username 12/02/06 21:38:34 ii : - xauth password 12/02/06 21:38:34 ii : received basic xauth request - Please Enter Your User Name and Password : 12/02/06 21:38:34 ii : - standard xauth username 12/02/06 21:38:34 ii : - standard xauth password 12/02/06 21:38:34 ii : sending xauth response for 12/02/06 21:38:34 >> : hash payload 12/02/06 21:38:34 >> : attribute payload 12/02/06 21:38:34 == : new configure hash ( 20 bytes ) 12/02/06 21:38:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:34 >= : message 
84d14434 12/02/06 21:38:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:34 == : encrypt packet ( 93 bytes ) 12/02/06 21:38:34 == : stored iv ( 8 bytes ) 12/02/06 21:38:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 132 bytes ) 12/02/06 21:38:34 DB : config resend event scheduled ( ref count = 2 ) 12/02/06 21:38:34 DB : config ref decrement ( ref count = 1, obj count = 1 ) 12/02/06 21:38:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:35 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 100 bytes ) 12/02/06 21:38:35 DB : phase1 found 12/02/06 21:38:35 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:35 ii : processing config packet ( 100 bytes ) 12/02/06 21:38:35 DB : config found 12/02/06 21:38:35 DB : config ref increment ( ref count = 2, obj count = 1 ) 12/02/06 21:38:35 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:35 =< : message 84d14434 12/02/06 21:38:35 =< : decrypt iv ( 8 bytes ) 12/02/06 21:38:35 == : decrypt packet ( 100 bytes ) 12/02/06 21:38:35 <= : trimmed packet padding ( 4 bytes ) 12/02/06 21:38:35 <= : stored iv ( 8 bytes ) 12/02/06 21:38:35 << : hash payload 12/02/06 21:38:35 << : attribute payload 12/02/06 21:38:35 == : configure hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:35 == : configure hash_c ( computed ) ( 20 bytes ) 12/02/06 21:38:35 ii : configure hash verified 12/02/06 21:38:35 ii : received xauth result - 12/02/06 21:38:35 ii : user authentication succeeded 12/02/06 21:38:35 ii : sending xauth acknowledge 12/02/06 21:38:35 >> : hash payload 12/02/06 21:38:35 >> : attribute payload 12/02/06 21:38:35 == : new configure hash ( 20 bytes ) 12/02/06 21:38:35 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:35 >= : message 84d14434 12/02/06 21:38:35 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:35 == : encrypt packet ( 60 bytes ) 12/02/06 21:38:35 == : stored iv ( 8 bytes ) 12/02/06 21:38:35 DB : config resend event canceled ( 
ref count = 1 ) 12/02/06 21:38:35 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 92 bytes ) 12/02/06 21:38:35 DB : config resend event scheduled ( ref count = 2 ) 12/02/06 21:38:35 ii : building config attribute list 12/02/06 21:38:35 ii : - IP4 Address 12/02/06 21:38:35 ii : - Address Expiry 12/02/06 21:38:35 ii : - IP4 Netamask 12/02/06 21:38:35 ii : - IP4 DNS Server 12/02/06 21:38:35 ii : - IP4 WINS Server 12/02/06 21:38:35 ii : - IP4 Subnet 12/02/06 21:38:35 == : new config iv ( 8 bytes ) 12/02/06 21:38:35 ii : sending config pull request 12/02/06 21:38:35 >> : hash payload 12/02/06 21:38:35 >> : attribute payload 12/02/06 21:38:35 == : new configure hash ( 20 bytes ) 12/02/06 21:38:35 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:35 >= : message 6a213b7c 12/02/06 21:38:35 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:35 == : encrypt packet ( 84 bytes ) 12/02/06 21:38:35 == : stored iv ( 8 bytes ) 12/02/06 21:38:35 DB : config resend event canceled ( ref count = 1 ) 12/02/06 21:38:35 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:38:35 DB : config resend event scheduled ( ref count = 2 ) 12/02/06 21:38:35 DB : config ref decrement ( ref count = 1, obj count = 1 ) 12/02/06 21:38:35 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:40 -> : resend 1 config packet(s) 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:45 -> : resend 1 config packet(s) 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:49 DB : phase1 found 12/02/06 21:38:49 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:49 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:38:49 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:49 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 ii : - data size 4 12/02/06 21:38:49 >> : hash payload 12/02/06 21:38:49 >> : notification payload 12/02/06 21:38:49 == : new informational hash ( 20 bytes ) 
12/02/06 21:38:49 == : new informational iv ( 8 bytes ) 12/02/06 21:38:49 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 >= : message 4fa00751 12/02/06 21:38:49 >= : encrypt iv ( 8 bytes ) 12/02/06 21:38:49 == : encrypt packet ( 84 bytes ) 12/02/06 21:38:49 == : stored iv ( 8 bytes ) 12/02/06 21:38:49 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:38:49 ii : DPD ARE-YOU-THERE sequence 25f03682 requested 12/02/06 21:38:49 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:49 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:38:49 DB : phase1 found 12/02/06 21:38:49 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:49 ii : processing informational packet ( 84 bytes ) 12/02/06 21:38:49 == : new informational iv ( 8 bytes ) 12/02/06 21:38:49 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 =< : message 87841a4f 12/02/06 21:38:49 =< : decrypt iv ( 8 bytes ) 12/02/06 21:38:49 == : decrypt packet ( 84 bytes ) 12/02/06 21:38:49 <= : stored iv ( 8 bytes ) 12/02/06 21:38:49 << : hash payload 12/02/06 21:38:49 << : notification payload 12/02/06 21:38:49 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:38:49 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:38:49 ii : informational hash verified 12/02/06 21:38:49 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:38:49 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:38:49 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:38:49 ii : - data size 4 12/02/06 21:38:49 ii : DPD ARE-YOU-THERE-ACK sequence 25f03682 accepted 12/02/06 21:38:49 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:38:49 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:50 -> : resend 1 config packet(s) 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:54 DB : phase1 found 12/02/06 
21:38:54 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:38:54 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:38:54 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:38:55 ii : resend limit exceeded for config exchange 12/02/06 21:38:55 DB : config deleted ( obj count = 0 ) 12/02/06 21:38:55 DB : tunnel ref decrement ( ref count = 5, obj count = 1 ) 12/02/06 21:39:04 DB : phase1 found 12/02/06 21:39:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:04 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:39:04 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:39:04 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 ii : - data size 4 12/02/06 21:39:04 >> : hash payload 12/02/06 21:39:04 >> : notification payload 12/02/06 21:39:04 == : new informational hash ( 20 bytes ) 12/02/06 21:39:04 == : new informational iv ( 8 bytes ) 12/02/06 21:39:04 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 >= : message c7f0488b 12/02/06 21:39:04 >= : encrypt iv ( 8 bytes ) 12/02/06 21:39:04 == : encrypt packet ( 84 bytes ) 12/02/06 21:39:04 == : stored iv ( 8 bytes ) 12/02/06 21:39:04 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:39:04 ii : DPD ARE-YOU-THERE sequence 25f03683 requested 12/02/06 21:39:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:04 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:39:04 DB : phase1 found 12/02/06 21:39:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:04 ii : processing informational packet ( 84 bytes ) 12/02/06 21:39:04 == : new informational iv ( 8 bytes ) 12/02/06 21:39:04 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 =< : message fbc22a40 12/02/06 21:39:04 =< : decrypt iv ( 8 bytes ) 12/02/06 21:39:04 == : decrypt packet ( 84 bytes ) 
12/02/06 21:39:04 <= : stored iv ( 8 bytes ) 12/02/06 21:39:04 << : hash payload 12/02/06 21:39:04 << : notification payload 12/02/06 21:39:04 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:39:04 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:39:04 ii : informational hash verified 12/02/06 21:39:04 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:39:04 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:39:04 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:04 ii : - data size 4 12/02/06 21:39:04 ii : DPD ARE-YOU-THERE-ACK sequence 25f03683 accepted 12/02/06 21:39:04 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:39:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:14 DB : phase1 found 12/02/06 21:39:14 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:14 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:39:14 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:19 DB : phase1 found 12/02/06 21:39:19 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:19 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:39:19 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:39:19 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:19 ii : - data size 4 12/02/06 21:39:19 >> : hash payload 12/02/06 21:39:19 >> : notification payload 12/02/06 21:39:19 == : new informational hash ( 20 bytes ) 12/02/06 21:39:19 == : new informational iv ( 8 bytes ) 12/02/06 21:39:19 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:19 >= : message b292a263 12/02/06 21:39:19 >= : encrypt iv ( 8 bytes ) 12/02/06 21:39:19 == : encrypt packet ( 84 bytes ) 12/02/06 21:39:19 == : stored iv ( 8 bytes ) 12/02/06 21:39:19 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:39:19 ii : DPD ARE-YOU-THERE 
sequence 25f03684 requested 12/02/06 21:39:19 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:19 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:39:19 DB : phase1 found 12/02/06 21:39:19 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:19 ii : processing informational packet ( 84 bytes ) 12/02/06 21:39:19 == : new informational iv ( 8 bytes ) 12/02/06 21:39:19 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:19 =< : message c92ea38f 12/02/06 21:39:19 =< : decrypt iv ( 8 bytes ) 12/02/06 21:39:19 == : decrypt packet ( 84 bytes ) 12/02/06 21:39:19 <= : stored iv ( 8 bytes ) 12/02/06 21:39:19 << : hash payload 12/02/06 21:39:19 << : notification payload 12/02/06 21:39:19 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:39:19 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:39:19 ii : informational hash verified 12/02/06 21:39:19 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:39:19 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:39:19 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:19 ii : - data size 4 12/02/06 21:39:19 ii : DPD ARE-YOU-THERE-ACK sequence 25f03684 accepted 12/02/06 21:39:19 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:39:19 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:34 DB : phase1 found 12/02/06 21:39:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:34 -> : send NAT-T:KEEP-ALIVE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:39:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:34 DB : phase1 found 12/02/06 21:39:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:34 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:39:34 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:39:34 ii : - isakmp spi = 
f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:34 ii : - data size 4 12/02/06 21:39:34 >> : hash payload 12/02/06 21:39:34 >> : notification payload 12/02/06 21:39:34 == : new informational hash ( 20 bytes ) 12/02/06 21:39:34 == : new informational iv ( 8 bytes ) 12/02/06 21:39:34 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:34 >= : message 275ea992 12/02/06 21:39:34 >= : encrypt iv ( 8 bytes ) 12/02/06 21:39:34 == : encrypt packet ( 84 bytes ) 12/02/06 21:39:34 == : stored iv ( 8 bytes ) 12/02/06 21:39:34 -> : send NAT-T:IKE packet 192.168.1.6:4500 ->xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:39:34 ii : DPD ARE-YOU-THERE sequence 25f03685 requested 12/02/06 21:39:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:34 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:39:34 DB : phase1 found 12/02/06 21:39:34 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:34 ii : processing informational packet ( 84 bytes ) 12/02/06 21:39:34 == : new informational iv ( 8 bytes ) 12/02/06 21:39:34 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:34 =< : message 8d1e702e 12/02/06 21:39:34 =< : decrypt iv ( 8 bytes ) 12/02/06 21:39:34 == : decrypt packet ( 84 bytes ) 12/02/06 21:39:34 <= : stored iv ( 8 bytes ) 12/02/06 21:39:34 << : hash payload 12/02/06 21:39:34 << : notification payload 12/02/06 21:39:34 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:39:34 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:39:34 ii : informational hash verified 12/02/06 21:39:34 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:39:34 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:39:34 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:34 ii : - data size 4 12/02/06 21:39:34 ii : DPD ARE-YOU-THERE-ACK sequence 25f03685 accepted 12/02/06 21:39:34 ii : next tunnel DPD request in 15 secs for peer 
xx.xx.xx.xx:4500 12/02/06 21:39:34 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:49 DB : phase1 found 12/02/06 21:39:49 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:49 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:39:49 ii : - 192.168.1.6:4500 -> 12.249.128.94:4500 12/02/06 21:39:49 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:49 ii : - data size 4 12/02/06 21:39:49 >> : hash payload 12/02/06 21:39:49 >> : notification payload 12/02/06 21:39:49 == : new informational hash ( 20 bytes ) 12/02/06 21:39:49 == : new informational iv ( 8 bytes ) 12/02/06 21:39:49 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:39:49 >= : message 0dd7dfcb 12/02/06 21:39:49 >= : encrypt iv ( 8 bytes ) 12/02/06 21:39:49 == : encrypt packet ( 84 bytes ) 12/02/06 21:39:49 == : stored iv ( 8 bytes ) 12/02/06 21:39:49 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:39:49 ii : DPD ARE-YOU-THERE sequence 25f03686 requested 12/02/06 21:39:49 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:39:49 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:39:49 DB : phase1 found 12/02/06 21:39:49 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:39:49 ii : processing informational packet ( 84 bytes ) 12/02/06 21:39:49 == : new informational iv ( 8 bytes ) 12/02/06 21:40:04 DB : phase1 found 12/02/06 21:40:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:04 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:40:04 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:40:04 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:04 ii : - data size 4 12/02/06 21:40:04 >> : hash payload 12/02/06 21:40:04 >> : notification payload 12/02/06 21:40:04 == : new informational hash ( 20 bytes ) 12/02/06 21:40:04 == : new informational iv ( 8 
bytes ) 12/02/06 21:40:04 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:04 >= : message 30a04be5 12/02/06 21:40:04 >= : encrypt iv ( 8 bytes ) 12/02/06 21:40:04 == : encrypt packet ( 84 bytes ) 12/02/06 21:40:04 == : stored iv ( 8 bytes ) 12/02/06 21:40:04 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:40:04 ii : DPD ARE-YOU-THERE sequence 25f03687 requested 12/02/06 21:40:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:04 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:40:04 DB : phase1 found 12/02/06 21:40:04 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:04 ii : processing informational packet ( 84 bytes ) 12/02/06 21:40:04 == : new informational iv ( 8 bytes ) 12/02/06 21:40:04 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:04 =< : message b1407db0 12/02/06 21:40:04 =< : decrypt iv ( 8 bytes ) 12/02/06 21:40:04 == : decrypt packet ( 84 bytes ) 12/02/06 21:40:04 <= : stored iv ( 8 bytes ) 12/02/06 21:40:04 << : hash payload 12/02/06 21:40:04 << : notification payload 12/02/06 21:40:04 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:40:04 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:40:04 ii : informational hash verified 12/02/06 21:40:04 ii : received peer DPDV1-R-U-THERE-ACK notification 12/02/06 21:40:04 ii : - xx.xx.xx.xx:4500 -> 192.168.1.6:4500 12/02/06 21:40:04 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:04 ii : - data size 4 12/02/06 21:40:04 ii : DPD ARE-YOU-THERE-ACK sequence 25f03687 accepted 12/02/06 21:40:04 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500 12/02/06 21:40:04 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:14 DB : phase1 found 12/02/06 21:40:14 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:14 -> : send NAT-T:KEEP-ALIVE packet 
192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:40:14 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:19 DB : phase1 found 12/02/06 21:40:19 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:19 ii : sending peer DPDV1-R-U-THERE notification 12/02/06 21:40:19 ii : - 192.168.1.6:4500 -> xx.xx.xx.xx:4500 12/02/06 21:40:19 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:19 ii : - data size 4 12/02/06 21:40:19 >> : hash payload 12/02/06 21:40:19 >> : notification payload 12/02/06 21:40:19 == : new informational hash ( 20 bytes ) 12/02/06 21:40:19 == : new informational iv ( 8 bytes ) 12/02/06 21:40:19 >= : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:19 >= : message 211c1463 12/02/06 21:40:19 >= : encrypt iv ( 8 bytes ) 12/02/06 21:40:19 == : encrypt packet ( 84 bytes ) 12/02/06 21:40:19 == : stored iv ( 8 bytes ) 12/02/06 21:40:19 -> : send NAT-T:IKE packet 192.168.1.6:4500 -> xx.xx.xx.xx:4500 ( 116 bytes ) 12/02/06 21:40:19 ii : DPD ARE-YOU-THERE sequence 25f03688 requested 12/02/06 21:40:19 DB : phase1 ref decrement ( ref count = 3, obj count = 1 ) 12/02/06 21:40:19 <- : recv NAT-T:IKE packet xx.xx.xx.xx:4500 -> 192.168.1.6:4500 ( 84 bytes ) 12/02/06 21:40:19 DB : phase1 found 12/02/06 21:40:19 DB : phase1 ref increment ( ref count = 4, obj count = 1 ) 12/02/06 21:40:19 ii : processing informational packet ( 84 bytes ) 12/02/06 21:40:19 == : new informational iv ( 8 bytes ) 12/02/06 21:40:19 =< : cookies f88412956c4b60da:93e25c78b27cfdea 12/02/06 21:40:19 =< : message bcdd000f 12/02/06 21:40:19 =< : decrypt iv ( 8 bytes ) 12/02/06 21:40:19 == : decrypt packet ( 84 bytes ) 12/02/06 21:40:19 <= : stored iv ( 8 bytes ) 12/02/06 21:40:19 << : hash payload 12/02/06 21:40:19 << : notification payload 12/02/06 21:40:19 == : informational hash_i ( computed ) ( 20 bytes ) 12/02/06 21:40:19 == : informational hash_c ( received ) ( 20 bytes ) 12/02/06 21:40:19 ii : informational hash verified 
12/02/06 21:40:19 ii : received peer DPDV1-R-U-THERE-ACK notification
12/02/06 21:40:19 ii : -xx.xx.xx.xx:4500 -> 192.168.1.6:4500
12/02/06 21:40:19 ii : - isakmp spi = f88412956c4b60da:93e25c78b27cfdea
12/02/06 21:40:19 ii : - data size 4
12/02/06 21:40:19 ii : DPD ARE-YOU-THERE-ACK sequence 25f03688 accepted
12/02/06 21:40:19 ii : next tunnel DPD request in 15 secs for peer xx.xx.xx.xx:4500
12/02/06 21:40:19 DB : phase1 ref decrement ( ref count = 3, obj count = 1 )

From mgrooms at shrew.net Tue Feb 14 17:47:13 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 17:47:13 -0600
Subject: [vpn-help] Mailing List Services Restored ...
Message-ID: <4F3AF281.4010906@shrew.net>

The Shrew Soft mailing lists went down for a few days. I believe everything is back up and running. Sorry for any inconvenience.

-Matthew

From mgrooms at shrew.net Tue Feb 14 17:52:30 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 17:52:30 -0600
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local> <64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local>
Message-ID: <4F3AF3BE.8010603@shrew.net>

On 1/19/2012 8:25 AM, Mark A. DeMichele wrote:
> I don't believe you for being skeptical. I'm a programmer and I
> understand where you're coming from.
>
> I just did as you requested and was very methodical about it. Here's
> what I did.
>
> 1. Using the 2.2beta2 version, I uploaded using a VPN address and then
> again with a public address outside the VPN.
> VPN Upload Speed: ~450KB/sec.
> Non-VPN Upload Speed: ~550KB/sec
>
> 2. I uninstalled 2.2beta version and installed 2.1.7. I used the same
> profile (it's nice it remembers all that between uninstalls and
> installs BTW). Same urls and same files to upload.
> VPN Upload Speed: ~12KB/sec.
> Non-VPN Upload Speed: ~550KB/sec.
>
> The higher rates vary a lot +/- 50KB/sec., but the slow VPN rate is just
> pretty slow.
>
> I had tried 2.1.6 the other day with the same result. I hadn't gone
> back any further since the 2.2 fixed the problem. Also both of my
> Windows 7 64 bit machines seem to have this problem. Maybe it's router
> related?
>
> I have a Belkin N600HD router.
>

Are you running in a direct adapter mode? I fixed a problem related to hardware task offload but I can't remember if that was in 2.2.x or the 2.1.7 branch.

-Matthew

From mgrooms at shrew.net Tue Feb 14 18:01:30 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:01:30 -0600
Subject: [vpn-help] Windows Client Login Screen and Shrew VPN Client
In-Reply-To: <185431391.20120105172903@eternallybored.org>
References: <20B2861F76CB724690F1809A616849052AA77FD8@CORPSERV.bcsvds.local> <185431391.20120105172903@eternallybored.org>
Message-ID: <4F3AF5DA.7090104@shrew.net>

On 1/5/2012 10:29 AM, Jernej Simončič wrote:
> On Thursday, January 5, 2012, 15:37:48, Roper, Andrew wrote:
>
>> How do I make that session available at the login screen?
>
> Right-click it in Shrew and select Public.
>

And just to piggy back on this with some more info, the last beta build had a bug that prevented DNS lookups from working correctly with the login version of the client.
You may have been lucky enough to have specified an IP address instead of a DNS name for your gateway :)

-Matthew

From mgrooms at shrew.net Tue Feb 14 18:14:44 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:14:44 -0600
Subject: [vpn-help] failing with WLAN connection on Win7 x64 [Shrew 2.2.0]
In-Reply-To:
References: <1418139373.20111208161336@gmx.de> <95080473BAB1554287F90ED71398FAD201737736@boga.bjginc.com> <1384881807.20111213131114@gmx.de> <573634176.20111219140829@gmx.de> <1769885532.20120112233142@gmx.de>
Message-ID: <4F3AF8F4.2020305@shrew.net>

On 1/15/2012 9:06 PM, Kevin VPN wrote:
> On 01/12/2012 05:31 PM, Thorsten Albrecht wrote:
>> Hello Kevin,
>>
>> it still works after some reboots. Thanks for your support. BTW You
>> are not
>> the developer, aren't you?
>>
>
> No, I'm not the developer. All that credit (and hopefully donations!)
> goes to Matthew and the others who provide patches. I'm just a
> user/believer of the software and help as much as I can on the list.

And thank you so much! Your input on the mailing list has been nothing short of amazing! :)

-Matthew

From mgrooms at shrew.net Tue Feb 14 18:17:04 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:17:04 -0600
Subject: [vpn-help] failing with WLAN connection on Win7 x64 [Shrew 2.2.0]
In-Reply-To: <573634176.20111219140829@gmx.de>
References: <1418139373.20111208161336@gmx.de> <95080473BAB1554287F90ED71398FAD201737736@boga.bjginc.com> <1384881807.20111213131114@gmx.de> <573634176.20111219140829@gmx.de>
Message-ID: <4F3AF980.6010603@shrew.net>

On 12/19/2011 7:08 AM, Thorsten Albrecht wrote:
> Hello Kevin,
>
> the solution was: first it was necessary (as I wrote) to disable the MS Virtual
> WiFi Adapter to make Shrew VPN work. But Shrew VPN continued to work after
> reenabling the Virtual Adapter again. So it was not necessary to
> deinstall and reinstall everything.
>

Hmm. I'm a little sad to hear this is still an issue with 2.2.x.
I have an idea on how to solve this problem but it will require another round of submissions to Winqual to get the drivers re-certified. Because of this, the fix will need to wait until a post 2.2.0 release.

-Matthew

From demi at intellipro.com Tue Feb 14 18:04:42 2012
From: demi at intellipro.com (Mark A. DeMichele)
Date: Tue, 14 Feb 2012 19:04:42 -0500
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <4F3AF3BE.8010603@shrew.net>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local><64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local> <4F3AF3BE.8010603@shrew.net>
Message-ID: <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local>

How do I tell if I'm running in "direct adapter mode"?

-----Original Message-----
From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Matthew Grooms
Sent: Tuesday, February 14, 2012 6:53 PM
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Windows 7 64bit Slow VPN

On 1/19/2012 8:25 AM, Mark A. DeMichele wrote:
> I don't believe you for being skeptical. I'm a programmer and I
> understand where you're coming from.
>
> I just did as you requested and was very methodical about it. Here's
> what I did.
>
> 1. Using the 2.2beta2 version, I uploaded using a VPN address and then
> again with a public address outside the VPN.
> VPN Upload Speed: ~450KB/sec.
> Non-VPN Upload Speed: ~550KB/sec
>
> 2. I uninstalled 2.2beta version and installed 2.1.7. I used the same
> profile (it's nice it remembers all that between uninstalls and
> installs BTW). Same urls and same files to upload.
> VPN Upload Speed: ~12KB/sec.
> Non-VPN Upload Speed: ~550KB/sec.
>
> The higher rates vary a lot +/- 50KB/sec., but the slow VPN rate is
> just pretty slow.
>
> I had tried 2.1.6 the other day with the same result. I hadn't gone
> back any further since the 2.2 fixed the problem. Also both of my
> Windows 7 64 bit machines seem to have this problem.
Maybe it's router
> related?
>
> I have a Belkin N600HD router.
>

Are you running in a direct adapter mode? I fixed a problem related to hardware task offload but I can't remember if that was in 2.2.x or the 2.1.7 branch.

-Matthew
_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help

From mgrooms at shrew.net Tue Feb 14 18:21:32 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:21:32 -0600
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local><64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local> <4F3AF3BE.8010603@shrew.net> <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local>
Message-ID: <4F3AFA8C.5050405@shrew.net>

On 2/14/2012 6:04 PM, Mark A. DeMichele wrote:
> How do I tell if I'm running in "direct adapter mode"?
>

Ahh, sorry. Direct adapter mode is when you select the "Use an existing adapter ... " option under "Adapter Mode" in the General settings page of the site configuration. I should have been more clear.

-Matthew

> -----Original Message-----
> From: vpn-help-bounces at lists.shrew.net
> [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Matthew Grooms
> Sent: Tuesday, February 14, 2012 6:53 PM
> To: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] Windows 7 64bit Slow VPN
>
> On 1/19/2012 8:25 AM, Mark A. DeMichele wrote:
>> I don't believe you for being skeptical. I'm a programmer and I
>> understand where you're coming from.
>>
>> I just did as you requested and was very methodical about it. Here's
>> what I did.
>>
>> 1. Using the 2.2beta2 version, I uploaded using a VPN address and then
>
>> again with a public address outside the VPN.
>> VPN Upload Speed: ~450KB/sec.
>> Non-VPN Upload Speed: ~550KB/sec
>>
>> 2.
I uninstalled 2.2beta version and installed 2.1.7. I used the same
>
>> profile (it's nice it remembers all that between uninstalls and
>> installs BTW). Same urls and same files to upload.
>> VPN Upload Speed: ~12KB/sec.
>> Non-VPN Upload Speed: ~550KB/sec.
>>
>> The higher rates vary a lot +/- 50KB/sec., but the slow VPN rate is
>> just pretty slow.
>>
>> I had tried 2.1.6 the other day with the same result. I hadn't gone
>> back any further since the 2.2 fixed the problem. Also both of my
>> Windows 7 64 bit machines seem to have this problem. Maybe it's router
>
>> related?
>>
>> I have a Belkin N600HD router.
>>
>
> Are you running in a direct adapter mode? I fixed a problem related to
> hardware task offload but I can't remember if that was in 2.2.x or the
> 2.1.7 branch.
>
> -Matthew

From mgrooms at shrew.net Tue Feb 14 18:29:17 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:29:17 -0600
Subject: [vpn-help] What is the different between windows and Mac version for shrew VPN?
In-Reply-To:
References: <20B2861F76CB724690F1809A616849052AA81946@CORPSERV.bcsvds.local>
Message-ID: <4F3AFC5D.6080402@shrew.net>

On 1/15/2012 8:58 PM, Kevin VPN wrote:
> On 01/13/2012 10:37 PM, Jinyan Huang wrote:
>> Both windows and Mac, I set MTU to 1380. I used CocoapacketAnalyzer
>> to obtain some packet. But no hints for me.
>>

This is an interesting problem, especially since you stated that the OSX host worked in France but not in China. I'm sure you have thought of these, but I'll ask the questions anyway ...

1) Is this the same OSX laptop you used in both France and China?
2) Is this the same wired or wireless adapter used in both locations?
3) Have you tried connecting to the VPN using a different carrier?
Without seeing the packet dump output, it's difficult to make a good guess as to what the problem may be.

-Matthew

From mgrooms at shrew.net Tue Feb 14 18:32:54 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 18:32:54 -0600
Subject: [vpn-help] Can same server config work for iPhone and Shrew? - Phase 1 trouble
In-Reply-To: <20120119155146.GA5905@black.transpect.com>
References: <20120119153144.GA5410@black.transpect.com> <20120119155146.GA5905@black.transpect.com>
Message-ID: <4F3AFD36.1070501@shrew.net>

On 1/19/2012 9:51 AM, Whit Blauvelt wrote:
> On Thu, Jan 19, 2012 at 10:31:44AM -0500, Whit Blauvelt wrote:
>
>> Is Shrew's "Mutual PSK + XAuth" the equivalent of "xauth_psk_client"
>> rather than "xauth_psk_server" on the racoon side? I have no idea what the
>> difference between those two is ...
>
> Well, Googling it, it looks like the server should properly use
> "xauth_psk_server," and the "_client" variant is only for (duh!) a remote
> client. So that shouldn't be it. Although I'm just deducing that from
> examples. Documentation is thin.
>
> Could there be some other setting necessary to get Shrew's "Mutual PSK +
> XAuth" behavior to be accepted by racoon's "xauth_psk_server" expectations?
>

The Admin Guide has a lot of material related to configuring racoon / ipsec-tools as a vpn gateway for the vpn client ...

http://www.shrew.net/static/help-2.1.x/vpnhelp.htm

-Matthew

From mgrooms at shrew.net Tue Feb 14 19:02:08 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:02:08 -0600
Subject: [vpn-help] Outlook interrupted
In-Reply-To:
References: <1041054682.20120126194525@eternallybored.org>
Message-ID: <4F3B0410.9010601@shrew.net>

On 1/26/2012 10:02 PM, Kevin VPN wrote:
>
> Hi Jernej,
>
> I'm disappointed that deleting the route actually works. I just tried
> it. I would have thought (hoped!) that Shrew might watch for things
> messing with the routes and reset them if they change.
>
> I'd think that would be a potential way for a trojan to get into an
> organization - wait for a tunnel to come up, enumerate the remote
> network, add a non-tunneled route to its C&C server and call home for
> instructions. Sort of defeats one of the purposes of a full-tunnel VPN. :(
>

There is no mechanism that I'm aware of that can "lock" a route in the OS. You could have two processes fight over which routes it believes should be the correct routes for a given point in time. Having a route added or removed from your route table can happen at any point by a process with the correct privilege level. The only thing the client can really do is monitor the route table and potentially disconnect if it sees a change.

> Does anyone know if this route hack can be done with other VPN clients
> like Cisco or Juniper?
>

What do you want in a VPN client? IPsec security policies define source and destination IP networks and request or require that a transform be applied to the traffic pattern to encrypt or authenticate the content. It doesn't prescribe any particular methods to ensure that packets are allowed to originate from an authorized process. Furthermore, there is no distinction made between server or client insofar as IPsec protocols or vanilla IKE are concerned.

For additional protection, a firewall and anti-malware software should be used to protect your machine. Otherwise it could be used as an attack vector to any remote network you may be connected to. Some VPN clients bundle these with their software ( Cisco can push firewall rules to their VPN Client ) and some don't. The Shrew Soft client falls into the latter category.

-Matthew

From mgrooms at shrew.net Tue Feb 14 19:10:55 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:10:55 -0600
Subject: [vpn-help] [Vpn-help] Problems with Client Install or Uninstall ...
In-Reply-To: <79BA81FD3A1C994D87A4DB9F1B6A4D6D0761FE30@LENNON.karpautomotive.local>
References: <79BA81FD3A1C994D87A4DB9F1B6A4D6D0761FE30@LENNON.karpautomotive.local>
Message-ID: <4F3B061F.80806@shrew.net>

On 1/26/2012 3:01 PM, Peter Olivieri wrote:
> I am receiving a message peer config failed when attempting to connect
> to a VPN. This was working and I am not sure what was done as it is not
> my computer.
>
> I went through each of the steps on the following page
>
> http://lists.shrew.net/pipermail/vpn-help/2008-May/000703.html
>
> rebooted and went through the install again. After completing the
> install the configuration reappeared and I am still having the same issue.
>
> Anything you can suggest would be helpful.
>

The peer config failed message tends to happen when a version of the client program ( ipsecc.exe ) is talking to a mismatched version of the IKE daemon ( iked.exe ). For example ( ver 2.1.7 vs ver 2.2.x ). Did you happen to copy ipsecc.exe somewhere instead of making a shortcut? Or have you searched your system to make sure there are not multiple copies of programs installed somehow in different locations?

-Matthew

From demi at intellipro.com Tue Feb 14 19:21:14 2012
From: demi at intellipro.com (Mark A. DeMichele)
Date: Tue, 14 Feb 2012 20:21:14 -0500
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <4F3AFA8C.5050405@shrew.net>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local><64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local> <4F3AF3BE.8010603@shrew.net> <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local> <4F3AFA8C.5050405@shrew.net>
Message-ID: <64D2176F91A2884DA4ECAA5B9C2815CE0258C721@SERVER2003.ipro.local>

Yes, that's the mode I'm using.

-----Original Message-----
From: Matthew Grooms [mailto:mgrooms at shrew.net]
Sent: Tuesday, February 14, 2012 7:22 PM
To: Mark A.
DeMichele
Cc: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Windows 7 64bit Slow VPN

On 2/14/2012 6:04 PM, Mark A. DeMichele wrote:
> How do I tell if I'm running in "direct adapter mode"?
>

Ahh, sorry. Direct adapter mode is when you select the "Use an existing adapter ... " option under "Adapter Mode" in the General settings page of the site configuration. I should have been more clear.

-Matthew

> -----Original Message-----
> From: vpn-help-bounces at lists.shrew.net
> [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Matthew Grooms
> Sent: Tuesday, February 14, 2012 6:53 PM
> To: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] Windows 7 64bit Slow VPN
>
> On 1/19/2012 8:25 AM, Mark A. DeMichele wrote:
>> I don't believe you for being skeptical. I'm a programmer and I
>> understand where you're coming from.
>>
>> I just did as you requested and was very methodical about it. Here's
>> what I did.
>>
>> 1. Using the 2.2beta2 version, I uploaded using a VPN address and
>> then
>
>> again with a public address outside the VPN.
>> VPN Upload Speed: ~450KB/sec.
>> Non-VPN Upload Speed: ~550KB/sec
>>
>> 2. I uninstalled 2.2beta version and installed 2.1.7. I used the
>> same
>
>> profile (it's nice it remembers all that between uninstalls and
>> installs BTW). Same urls and same files to upload.
>> VPN Upload Speed: ~12KB/sec.
>> Non-VPN Upload Speed: ~550KB/sec.
>>
>> The higher rates vary a lot +/- 50KB/sec., but the slow VPN rate is
>> just pretty slow.
>>
>> I had tried 2.1.6 the other day with the same result. I hadn't gone
>> back any further since the 2.2 fixed the problem. Also both of my
>> Windows 7 64 bit machines seem to have this problem. Maybe it's
>> router
>
>> related?
>>
>> I have a Belkin N600HD router.
>>
>
> Are you running in a direct adapter mode? I fixed a problem related to
> hardware task offload but I can't remember if that was in 2.2.x or the
> 2.1.7 branch.
>
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help

From mgrooms at shrew.net Tue Feb 14 19:29:13 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:29:13 -0600
Subject: [vpn-help] INVALID-SPI Notification
In-Reply-To:
References:
Message-ID: <4F3B0A69.2090200@shrew.net>

On 1/31/2012 10:42 AM, Sébastien HELLE wrote:
> Hi,
>
> I am currently using ShrewSoft VPN Client to connect to a Fortigate VPN.
> The VPN is route-based, with Mutual RSA authentication.
>
> Everybody using this VPN with shrewsoft client is often disconnected,
> either partially (the client is still connected, but some routes are
> unreachable) or totally (the client is disconnected).
>
> When I take a look at the client debug Trace utility (decode mode), I
> have this :
>
> 12/01/31 17:09:47 DB : phase1 found
> 12/01/31 17:09:47 DB : phase1 ref increment ( ref count = 4, obj count = 1 )
> 12/01/31 17:09:47 ii : processing informational packet ( 76 bytes )
> 12/01/31 17:09:47 == : new informational iv ( 16 bytes )
> 12/01/31 17:09:47 0x : 310ab985 d070eb7b b6855596 a6e634d8
> 12/01/31 17:09:47 =< : cookies 3cada944dd48eeba:13485b109cc7cffd
> 12/01/31 17:09:47 =< : message 4991d5d5
> 12/01/31 17:09:47 =< : decrypt iv ( 16 bytes )
> 12/01/31 17:09:47 0x : 310ab985 d070eb7b b6855596 a6e634d8
> 12/01/31 17:09:47 == : decrypt packet ( 76 bytes )
> 12/01/31 17:09:47 0x : 3cada944 dd48eeba 13485b10 9cc7cffd 08100501
> 4991d5d5 0000004c 0b000018
> 12/01/31 17:09:47 0x : afcb164b 10c9e5d6 b49f1177 d368dc15 a84dee09
> 00000010 00000001 0304000b
> 12/01/31 17:09:47 0x : 5d004625 bec85867 fb6ada07
> 12/01/31 17:09:47 <= : trimmed packet padding ( 8 bytes )
> 12/01/31 17:09:47 <= : stored iv ( 16 bytes )
> 12/01/31 17:09:47 0x : 7d379dfc 17b5a654 653d3ded 16a861fe
> 12/01/31 17:09:47 << : hash payload
> 12/01/31 17:09:47 << : notification payload
> 12/01/31 17:09:47 == :
informational hash_i ( computed ) ( 20 bytes )
> 12/01/31 17:09:47 0x : afcb164b 10c9e5d6 b49f1177 d368dc15 a84dee09
> 12/01/31 17:09:47 == : informational hash_c ( received ) ( 20 bytes )
> 12/01/31 17:09:47 0x : afcb164b 10c9e5d6 b49f1177 d368dc15 a84dee09
> 12/01/31 17:09:47 ii : informational hash verified
> 12/01/31 17:09:47 ii : received peer INVALID-SPI notification
> 12/01/31 17:09:47 ii : - 217.119.132.38:4500
> -> 192.168.30.103:4500
>
> 12/01/31 17:09:47 ii : - ipsec-esp spi = 0x5d004625
> 12/01/31 17:09:47 ii : - data size 0
> 12/01/31 17:09:47 DB : phase1 ref decrement ( ref count = 3, obj count = 1 )
> 12/01/31 17:09:50 <- : recv NAT-T:IKE packet 217.119.132.38:4500
> -> 192.168.30.103:4500
> ( 76 bytes )
> 12/01/31 17:09:50 0x : 3cada944 dd48eeba 13485b10 9cc7cffd 08100501
> afdd4e70 0000004c 4295f33a
> 12/01/31 17:09:50 0x : 1aeba2a3 8399c33e 5393a32f 26f4b98f 96eee83d
> 3738e253 00269a9f b2f4bf2f
> 12/01/31 17:09:50 0x : 70e8b563 ce6bb2aa 848a0774
>
> The important part is the INVALID-SPI Notification from the peer. It
> looks like Shrew client receives the info, but doesn't care about it. I've seen
> that the Cisco VPN Client has a functionality invalid-spi-recovery. Is
> there nothing like that in Shrew ?
>

After reading the RFC, an INVALID-SPI notification should only be sent in response to an IKE level message that includes an SPI that is thought to be invalid ( ie. received in a proposal or a notification payload ) ...

http://www.faqs.org/rfcs/rfc2408.html

What is happening right before this section in the error log, and what does the Fortigate log detail say regarding the sent notification? Any reason? Does it think the SA related to the SPI has expired? Do you have a lifetime mismatch between your gateway / client configuration?
-Matthew

From mgrooms at shrew.net Tue Feb 14 19:33:19 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:33:19 -0600
Subject: [vpn-help] (no subject)
In-Reply-To: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE>
References: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE>
Message-ID: <4F3B0B5F.3010704@shrew.net>

On 2/2/2012 8:17 AM, Matthias Paust wrote:
> Problem:
>
> The VPN client is connected to my gateway (tunnel enabled) but no
> access to the remote network is possible. We are using FortiGate 80c
> (fw v4.0,build0511,120110 (MR3 Patch 4)) and ShrewSoft VPN Client
> 2.1.7 for Windows.
>
> The problems occurred after updating the firewall to the new version.
> With fw version v4.0,build0328,110718 (MR2 Patch 8) there was no
> problem.
>

The IKE session looks healthy and it looks like there are NAT-T ESP packets moving back and forth. I would double check your firewall config and log output. There should be a clue in there somewhere.

-Matthew

From mgrooms at shrew.net Tue Feb 14 19:38:33 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 19:38:33 -0600
Subject: [vpn-help] ikea startup: Session Management error
In-Reply-To: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>
References: <20120202172209.10511lhrgchmieyp@cleopatra.secure.kualo.net>
Message-ID: <4F3B0C99.4060601@shrew.net>

On 2/2/2012 11:22 AM, mh at morxy.co.uk wrote:
> I'm running Ubuntu 11.10 and installed Shrew VPN Client 2.1.7 using
> Ubuntu's package manager (ike-qtgui 2.1.7+dfsg-1build1).
>
> $ iked
> ii : created ike socket 0.0.0.0:500
> ii : created natt socket 0.0.0.0:4500
> ## : IKE Daemon, ver 2.1.7
> ## : Copyright 2010 Shrew Soft Inc.
> ## : This product linked OpenSSL 1.0.0e 6 Sep 2011
>
> $ ikea &
> Session management error: None of the authentication protocols specified
> are supported
>
> Can anyone explain this error? I've tried googling and can't find any
> definitive solution or cause.
I can't use the ikea access manager to
> connect to any remote VPN server, probably as a result of this.
> (Meanwhile, the same VPN server works perfectly on my Windows XP laptop
> with the same Shrew client.)
>

I believe this is coming from the Qt GUI library that ikea links to. Looks like quite a few users of Ubuntu have reported this issue. The most common solution I can see is upgrading your qt package.

-Matthew

From mgrooms at shrew.net Tue Feb 14 20:00:24 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:00:24 -0600
Subject: [vpn-help] Windows 7 64bit Slow VPN
In-Reply-To: <64D2176F91A2884DA4ECAA5B9C2815CE0258C721@SERVER2003.ipro.local>
References: <64D2176F91A2884DA4ECAA5B9C2815CE0258C58F@SERVER2003.ipro.local><64D2176F91A2884DA4ECAA5B9C2815CE0258C5A5@SERVER2003.ipro.local> <4F3AF3BE.8010603@shrew.net> <64D2176F91A2884DA4ECAA5B9C2815CE0258C720@SERVER2003.ipro.local> <4F3AFA8C.5050405@shrew.net> <64D2176F91A2884DA4ECAA5B9C2815CE0258C721@SERVER2003.ipro.local>
Message-ID: <4F3B11B8.2000301@shrew.net>

On 2/14/2012 7:21 PM, Mark A. DeMichele wrote:
> Yes, that's the mode I'm using.
>

This improvement is most likely related to proper emulation of Large Segment Offload in 2.2.x. What happens is this: A packet is sometimes sent down the NDIS driver stack with the expectation that the adapter will handle a specific task on behalf of the OS to increase throughput. However, the VPN Client can intercept and process packets before they reach the adapter. In 2.1.7, the client doesn't emulate any bypassed hardware features, so the only option is to disable it in the adapter properties ( or experience awful throughput due to malformed packets ). The problem isn't reported very often as most people use a virtual adapter mode which doesn't claim to support any hardware acceleration. In 2.2.x, the client emulates most of the common task offload features to avoid these kinds of issues.
-Matthew

From mgrooms at shrew.net Tue Feb 14 20:04:23 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:04:23 -0600
Subject: [vpn-help] Juniper SRX210 NAT-T problems
In-Reply-To: <4f2d2fda.d0770e0a.0162.ffff97f5@mx.google.com>
References: <4f2d2fda.d0770e0a.0162.ffff97f5@mx.google.com>
Message-ID: <4F3B12A7.9040804@shrew.net>

On 2/4/2012 7:23 AM, Loris Modenese wrote:
>
> Hi Kevin,
>
> I can confirm what Gergely said.
> The problem is related to the NAT-T and DPD code on both 2.1.7 and
> 2.2.0 versions.
> With NAT-T disabled or with a dial-up connection (public IP address) the
> link is stable.
> I've also noticed that no matter how the client is configured (with or w/o
> DPD and different timeout)
> it keeps on sending DPD every 30sec when NAT-T option is enabled for 10
> times then it always disconnects (about 5-5.5 min).
> I tested the config with 4 SRX-240H, 1 SRX-210H and 3 SRX-100 running
> JunOS 10.4 with the same results.
>

Hmm, this doesn't sound good. Is the client initiating the DPD messages or responding to them ( or both )? Can you send me a sample of the log output with the IP addresses obscured? If the client is simply ignoring the DPD configuration option, that shouldn't be too hard to fix.

-Matthew

From mgrooms at shrew.net Tue Feb 14 20:05:39 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:05:39 -0600
Subject: [vpn-help] Status of Shrew and Juniper SRX
In-Reply-To:
References:
Message-ID: <4F3B12F3.60201@shrew.net>

On 2/6/2012 10:47 AM, Stephen More wrote:
> Currently there are no Configuration Guides for Juniper SRX.
>
> I have seen sample configs like:
> http://forums.juniper.net/t5/SRX-Services-Gateway/Can-SRX-series-work-with-Shrew-Soft-VPN-client/m-p/76176/highlight/true#M9010
>
> But I am unable to get past phase 1.
>
> Does anyone know the current status ?
>

The status is that I don't have an SRX in my lab to test with. I may at some point in the future. What does your log output say?
-Matthew

From mgrooms at shrew.net Tue Feb 14 20:13:34 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:13:34 -0600
Subject: [vpn-help] No packets going through Watchguard
In-Reply-To:
References:
Message-ID: <4F3B14CE.7050304@shrew.net>

On 2/6/2012 11:55 PM, Mike Pacifico wrote:
> Hello,
>
> Just installed a watchguard XTM 510 4.2.1. Exported the .vpn,
> imported the config file into the VPN client. According to the
> watchguard, I am authenticated as a client, or am I? No packets are
> being moved.
>
> I apologize in advance if I'm overlooking the obvious, but it's been a
> very long day.
>

...

> 12/02/06 21:38:35 DB : config resend event scheduled ( ref count = 2 )
> 12/02/06 21:38:35 ii : building config attribute list
> 12/02/06 21:38:35 ii : - IP4 Address
> 12/02/06 21:38:35 ii : - Address Expiry
> 12/02/06 21:38:35 ii : - IP4 Netamask
> 12/02/06 21:38:35 ii : - IP4 DNS Server
> 12/02/06 21:38:35 ii : - IP4 WINS Server
> 12/02/06 21:38:35 ii : - IP4 Subnet
> 12/02/06 21:38:35 == : new config iv ( 8 bytes )
> 12/02/06 21:38:35 ii : sending config pull request
> 12/02/06 21:38:35 >> : hash payload
> 12/02/06 21:38:35 >> : attribute payload
> 12/02/06 21:38:35 == : new configure hash ( 20 bytes )
> 12/02/06 21:38:35 >= : cookies f88412956c4b60da:93e25c78b27cfdea
> 12/02/06 21:38:35 >= : message 6a213b7c
> 12/02/06 21:38:35 >= : encrypt iv ( 8 bytes )
> 12/02/06 21:38:35 == : encrypt packet ( 84 bytes )
> 12/02/06 21:38:35 == : stored iv ( 8 bytes )
> 12/02/06 21:38:35 DB : config resend event canceled ( ref count = 1 )
> 12/02/06 21:38:35 -> : send NAT-T:IKE packet 192.168.1.6:4500
>

It would appear that the client is requesting modecfg information but doesn't receive a response from the gateway. This would typically point to a configuration mismatch between the client and the server. You say you exported the .vpn file. Was that from another working client?
-Matthew

From mgrooms at shrew.net Tue Feb 14 20:15:25 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Tue, 14 Feb 2012 20:15:25 -0600
Subject: [vpn-help] Run shrew withiout graphic interface
In-Reply-To:
References:
Message-ID: <4F3B153D.8020802@shrew.net>

On 2/8/2012 5:23 AM, Stephen More wrote:
> ikec
>

I just want to add that this is only available in the 2.2.x version. In the 2.1.7 version, ikec and ikea are actually Qt applications. In 2.2.x versions, they have been renamed to qikec and qikea with ikec being the command line client version.

-Matthew

> On Wed, Feb 8, 2012 at 5:35 AM, Jacques EESES wrote:
>> Good day
>>
>> How do I run ikea without graphic interface to establish a vpn connection
>> between a linux server and my router ?
>>
>> What linux command do I use for that ?
>>
>> Thank you and excuse me for bad English .
>> I am a French man .
>>
>>
>> Best regards
>>
>>
>> _______________________________________________
>> vpn-help mailing list
>> vpn-help at lists.shrew.net
>> http://lists.shrew.net/mailman/listinfo/vpn-help
>>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help

From stephen.more at gmail.com Tue Feb 14 20:59:44 2012
From: stephen.more at gmail.com (Stephen More)
Date: Tue, 14 Feb 2012 21:59:44 -0500
Subject: [vpn-help] Status of Shrew and Juniper SRX
In-Reply-To: <4F3B12F3.60201@shrew.net>
References: <4F3B12F3.60201@shrew.net>
Message-ID:

You can find sample configs and output from the SRX here:
http://forums.juniper.net/t5/SRX-Services-Gateway/Troubleshooting-Shrew-and-SRX/td-p/128641

On Tue, Feb 14, 2012 at 9:05 PM, Matthew Grooms wrote:
> On 2/6/2012 10:47 AM, Stephen More wrote:
>>
>> Currently there are no Configuration Guides for Juniper SRX.
>>
>> I have seen sample configs like:
>>
>> http://forums.juniper.net/t5/SRX-Services-Gateway/Can-SRX-series-work-with-Shrew-Soft-VPN-client/m-p/76176/highlight/true#M9010
>>
>> But I am unable to get past phase 1.
>>
>> Does anyone know the current status ?
>>
>
> The status is that I don't have an SRX in my lab to test with. I may at some
> point in the future. What does your log output say?
>
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help

From matthias.paust at seetec.de Wed Feb 15 01:19:35 2012
From: matthias.paust at seetec.de (Matthias Paust)
Date: Wed, 15 Feb 2012 07:19:35 +0000
Subject: [vpn-help] (no subject)
In-Reply-To: <4F3B0B5F.3010704@shrew.net>
References: <3DF319ED62CDA647A0CAE1018FB99B0422287F8B@seetec16.seetecDE> <4F3B0B5F.3010704@shrew.net>
Message-ID: <3DF319ED62CDA647A0CAE1018FB99B042229388C@seetec16.seetecDE>

We've tested it with ShrewSoft version 2.1.5: there's no problem. Everything works fine...

Regards,
Matthias

-----Original Message-----
From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Matthew Grooms
Sent: Wednesday, 15 February 2012 02:33
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] (no subject)

On 2/2/2012 8:17 AM, Matthias Paust wrote:
> Problem:
>
> The VPN client is connected to my gateway (tunnel enabled) but no
> access to the remote network is possible. We are using FortiGate 80c
> (fw v4.0,build0511,120110 (MR3 Patch 4)) and ShrewSoft VPN Client
> 2.1.7 for Windows.
>
> The problems occurred after updating the firewall to the new version.
> With fw version v4.0,build0328,110718 (MR2 Patch 8) there was no
> problem.
>

The IKE session looks healthy and it looks like there are NAT-T ESP packets moving back and forth. I would double check your firewall config and log output. There should be a clue in there somewhere.
-Matthew

From mgrooms at shrew.net Wed Feb 15 19:31:22 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Wed, 15 Feb 2012 19:31:22 -0600
Subject: [vpn-help] Priority for Adapter Specific DNS Servers ...
Message-ID: <4F3C5C6A.2000300@shrew.net>

All,

For the longest time I thought there was no way to manually influence the order in which Windows prioritizes adapter specific DNS servers. I ran across this solution the other day and wanted to share it with the mailing list. Apparently, the DNS server priority is directly related to the binding order of the associated adapter ...

http://support.microsoft.com/kb/311218

If you bump up the binding order of the adapter, the DNS servers that are associated with that adapter will be preferred over other adapters when performing name resolution. For example: By bumping up the Shrew Soft Virtual Adapter in the binding order, the DNS servers associated with that adapter will be preferred over other adapters set to a lower binding order ( when the VPN client is active ).

Hope this helps someone,

-Matthew

From mgrooms at shrew.net Wed Feb 15 19:37:58 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Wed, 15 Feb 2012 19:37:58 -0600
Subject: [vpn-help] Priority for Adapter Specific DNS Servers ...
In-Reply-To: <4F3C5C6A.2000300@shrew.net>
References: <4F3C5C6A.2000300@shrew.net>
Message-ID: <4F3C5DF6.10909@shrew.net>

By the way, you shouldn't have to manually edit the registry like the knowledge base article states. You should be able to re-order the adapter bindings in the "Advanced Settings" section of the Network Connections dialog ( hit the ALT button to see this in the menu under Windows Vista/7 ). Just wanted to make that clear.
-Matthew

On 2/15/2012 7:31 PM, Matthew Grooms wrote:
> All,
>
> For the longest time I thought there was no way to manually influence
> the order in which Windows prioritizes adapter specific DNS servers. I
> ran across this solution the other day and wanted to share it with the
> mailing list. Apparently, the DNS server priority is directly related to
> the binding order of the associated adapter ...
>
> http://support.microsoft.com/kb/311218
>
> If you bump up the binding order of the adapter, the DNS servers that
> are associated with that adapter will be preferred over other adapters
> when performing name resolution. For example: By bumping up the Shrew
> Soft Virtual Adapter in the binding order, the DNS servers associated
> with that adapter will be preferred over other adapters set to a lower
> binding order ( when the VPN client is active ).
>
> Hope this helps someone,
>
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help

From mgrooms at shrew.net Wed Feb 15 20:07:49 2012
From: mgrooms at shrew.net (Matthew Grooms)
Date: Wed, 15 Feb 2012 20:07:49 -0600
Subject: [vpn-help] Priority for Adapter Specific DNS Servers ...
In-Reply-To: <4F3C5C6A.2000300@shrew.net>
References: <4F3C5C6A.2000300@shrew.net>
Message-ID: <4F3C64F5.2060306@shrew.net>

On 2/15/2012 7:31 PM, Matthew Grooms wrote:
> All,
>
> For the longest time I thought there was no way to manually influence
> the order in which Windows prioritizes adapter specific DNS servers. I
> ran across this solution the other day and wanted to share it with the
> mailing list. Apparently, the DNS server priority is directly related to
> the binding order of the associated adapter ...
>
> http://support.microsoft.com/kb/311218
>
> If you bump up the binding order of the adapter, the DNS servers that
> are associated with that adapter will be preferred over other adapters
> when performing name resolution.
For example: By bumping up the Shrew
> Soft Virtual Adapter in the binding order, the DNS servers associated
> with that adapter will be preferred over other adapters set to a lower
> binding order ( when the VPN client is active ).
>

Crap. Now that I look at it closer, the Shrew Soft Virtual Adapter is hidden so it can't be easily re-ordered. I did find this solution but it's a command line tool ...

http://archive.msdn.microsoft.com/nvspbind

As a quick howto, you run the tool in a cmd window as root. First you find your adapter binding order for ms_tcpip ...

>nvspbind.exe /o ms_tcpip

Hyper-V Network VSP Bind Application 6.1.7725.0.
Copyright (c) Microsoft Corporation. All rights reserved.

Protocols:

{5D9F4D1D-F5B3-48BA-85AD-9B44176DD0C8}
"ms_tcpip"
"Internet Protocol Version 4 (TCP/IPv4)":
    enabled: Local Area Connection 4
    enabled: Local Area Connection 3
    enabled: Local Area Connection* 11
    enabled: Local Area Connection* 12
    enabled: Local Area Connection 2
    enabled: Local Area Connection
    enabled: VMware Network Adapter VMnet1
    enabled: VMware Network Adapter VMnet8

cleaning up...finished (0)

... Local Area Connection* 12 is my Shrew Soft VPN Network Adapter. If I want to move it up one position in the network binding, I can use the following command line options ...

>nvspbind.exe /+ "Local Area Connection* 12" ms_tcpip

Hyper-V Network VSP Bind Application 6.1.7725.0.
Copyright (c) Microsoft Corporation. All rights reserved.
acquiring write lock...success

Protocols:

{5D9F4D1D-F5B3-48BA-85AD-9B44176DD0C8}
"ms_tcpip"
"Internet Protocol Version 4 (TCP/IPv4)":
    enabled: Local Area Connection 4
    enabled: Local Area Connection 3
    enabled: Local Area Connection* 11
    enabled: Local Area Connection* 12
    enabled: Local Area Connection 2
    enabled: Local Area Connection
    enabled: VMware Network Adapter VMnet1
    enabled: VMware Network Adapter VMnet8

moving 'Local Area Connection* 12' above 'Local Area Connection* 11'

    enabled: Local Area Connection 4
    enabled: Local Area Connection 3
    enabled: Local Area Connection* 12
    enabled: Local Area Connection* 11
    enabled: Local Area Connection 2
    enabled: Local Area Connection
    enabled: VMware Network Adapter VMnet1
    enabled: VMware Network Adapter VMnet8

'Local Area Connection* 12' found

cleaning up...releasing write lock...success
finished (0)

... Problem solved :)

-Matthew

From jcope at discovertravelandtours.com Mon Feb 20 07:35:00 2012
From: jcope at discovertravelandtours.com (James Cope)
Date: Mon, 20 Feb 2012 13:35:00 +0000
Subject: [vpn-help] Shrew 2.1.7 & Windows 7 (64 bit)
Message-ID: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA787E0@EXVS02.SSP.local>

Hi,

I have a user who has successfully been connecting up to our office for several months without issue. He's now not been able to connect for just under 2 weeks. He has had sporadic problems connecting occasionally but this is a long term period of inactivity now. Each time it comes back with Negotiation timeout occurred. We have tried on another machine at his location and that can connect so router/dsl/firewall are all functioning ok. We have tried both reinstalling Shrew from scratch and performing a system restore on the PC, neither of which have resolved. All 3rd party software has also been disabled in MSCONFIG as well as the AV and firewall software. This machine does not have a wireless adaptor in so there is no virtual wifi miniport to remove. Is anyone aware of any further issues at play here?
Thanks
James

________________________________________________________________________
This e-mail has been scanned for all viruses by Star. The service is powered by MessageLabs. For more information on a proactive anti-virus service working around the clock, around the globe, visit: http://www.star.net.uk
________________________________________________________________________

From jcope at discovertravelandtours.com Mon Feb 20 09:58:24 2012
From: jcope at discovertravelandtours.com (James Cope)
Date: Mon, 20 Feb 2012 15:58:24 +0000
Subject: [vpn-help] Shrew 2.1.7 & Windows 7 (64 bit)
In-Reply-To: <20B2861F76CB724690F1809A616849052AB046EC@CORPSERV.bcsvds.local>
References: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA787E0@EXVS02.SSP.local> <20B2861F76CB724690F1809A616849052AB046EC@CORPSERV.bcsvds.local>
Message-ID: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA78A5D@EXVS02.SSP.local>

Hi,

We can see the packets leaving the client and hitting the firewall, what we can't see is the client accepting the returned packets from the firewall. I have other users using the same routers, DSL from same provider and same machine setup. We have an old XP laptop on site and that can connect so it looks to be something specific about this machine's config (not the VPN config as that is standard).

2012-02-20 11:57:43 info IKE 217.41.45.141 Phase 1: Retransmission limit has been reached.
2012-02-20 11:57:35 info IKE 217.41.45.141 phase 1:The symmetric crypto key has been generated successfully.
2012-02-20 11:57:35 info IKE 217.41.45.141 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2012-02-20 11:56:54 info IKE 217.41.45.141 phase 1:The symmetric crypto key has been generated successfully.
2012-02-20 11:56:54 info IKE 217.41.45.141 Phase 1: Responder starts AGGRESSIVE mode negotiations.
Thanks
James

From aroper at bcsvoicedata.com Mon Feb 20 09:45:22 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Mon, 20 Feb 2012 15:45:22 +0000
Subject: [vpn-help] Shrew 2.1.7 & Windows 7 (64 bit)
In-Reply-To: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA787E0@EXVS02.SSP.local>
References: <6EA20D93E385BE40A5E09F8BA9EF2A28133EA787E0@EXVS02.SSP.local>
Message-ID: <20B2861F76CB724690F1809A616849052AB046EC@CORPSERV.bcsvds.local>

James,

I would suggest getting packet captures to see what is going on. I would gather them on the client and at the gateway. If you see the packets leaving the client and arriving at the gateway then the client is not at issue. Then, you will need to enable logging on both the gateway and the corporate VPN endpoint to see if the packets are arriving there and what the disposition is of those packets.

Without further data, it is difficult to speculate what is occurring.

-Andrew

From Rainer.Mach at inco.at Mon Feb 20 16:15:53 2012
From: Rainer.Mach at inco.at (Mach Rainer)
Date: Mon, 20 Feb 2012 22:15:53 +0000
Subject: [vpn-help] Problems connecting Windows7 over Broadband
Message-ID: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc>

Hi!

I installed the Shrew Soft Client (first 2.1.7 stable and now 2.2.0-b2) on my Windows 7 64 Bit Laptop and configured it to connect to a pfSense 2.0.1 Firewall. It works fine when the laptop is connected via LAN or via WLAN (WLAN=802.11a/b). But when the laptop is connected via Mobile Broadband (with a SIM Card from a mobile phone provider) the Shrew Soft Client gets connected, but I can't get any traffic through the tunnel (e.g. ping). I tried it with different mobile provider, no change.
And I tried it also with different Mobile Broadband Adapters (one is internal in my Laptop and I got 2 mobile USB Adapters) - it does also not work. But when I put the SIM Card to my iPhone and use tethering (WLAN between Laptop and iPhone) the VPN works! So I think the problem is not the provider. In the archive of the mailing list I found the suggestion to disable a virtual Adapter, but there is no unused virtual adapter (and this should be fixed in 2.2.0)

Do you have any suggestions?

regards,
rainer

From aroper at bcsvoicedata.com Tue Feb 21 08:37:40 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Tue, 21 Feb 2012 14:37:40 +0000
Subject: [vpn-help] Problems connecting Windows7 over Broadband
In-Reply-To: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc>
References: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc>
Message-ID: <20B2861F76CB724690F1809A616849052AB0939F@CORPSERV.bcsvds.local>

Rainer,

Try turning off NAT-T when using the WWAN connection.

Regards,
Andrew

_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help

From Rainer.Mach at inco.at Tue Feb 21 10:38:51 2012
From: Rainer.Mach at inco.at (Mach Rainer)
Date: Tue, 21 Feb 2012 16:38:51 +0000
Subject: [vpn-help] Problems connecting Windows7 over Broadband
In-Reply-To: <20B2861F76CB724690F1809A616849052AB0939F@CORPSERV.bcsvds.local>
References: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc> <20B2861F76CB724690F1809A616849052AB0939F@CORPSERV.bcsvds.local>
Message-ID: <712F8F4B2628F7409D1A65C426B26385068E0F98@Mail11.inco.loc>

Hi Andrew,

no change. The LogFile on the FW says:

Feb 21 17:35:24 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 21 17:35:24 racoon: ERROR: no configuration found for 178.115.x.y. (<-- that's the IP I got from the mobile provider)
Feb 21 17:35:19 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 21 17:35:19 racoon: ERROR: no configuration found for 178.115.x.y.
Feb 21 17:35:15 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 21 17:35:15 racoon: ERROR: no configuration found for 178.115.x.y.
Feb 21 17:35:13 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 21 17:35:13 racoon: ERROR: no configuration found for 178.115.x.y.
Feb 21 17:35:12 racoon: INFO: begin Identity Protection mode.
regards,
rainer

From aroper at bcsvoicedata.com Tue Feb 21 11:21:42 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Tue, 21 Feb 2012 17:21:42 +0000
Subject: [vpn-help] Problems connecting Windows7 over Broadband
In-Reply-To: <712F8F4B2628F7409D1A65C426B26385068E0F98@Mail11.inco.loc>
References: <712F8F4B2628F7409D1A65C426B26385068E06DE@Mail11.inco.loc> <20B2861F76CB724690F1809A616849052AB0939F@CORPSERV.bcsvds.local> <712F8F4B2628F7409D1A65C426B26385068E0F98@Mail11.inco.loc>
Message-ID: <20B2861F76CB724690F1809A616849052AB098CF@CORPSERV.bcsvds.local>

Is the firewall set up for Aggressive mode negotiations for that particular tunnel?

-Andrew

From jrizk at hayesandassociates.com Tue Feb 21 10:33:47 2012
From: jrizk at hayesandassociates.com (Jack Rizk)
Date: Tue, 21 Feb 2012 11:33:47 -0500
Subject: [vpn-help] Issues with passing traffic after VPN tunnel is established
Message-ID: <5D4E714A21D444B1B0DE5FE8A0D9C464@jrizkhayesass>

Hi,

We have a user that has a laptop with Windows 7 Professional on it. They have the Shrew VPN Client 2.17. The VPN gateway that they are connecting to is an Adtran Netvanta 3430 firewall. The connection works sometimes and other times it doesn't. When it fails, it states that the tunnel is enabled, but you cannot pass traffic. On the Netvanta side, it states that IKE is up, but IPSEC is down. The last time we had issues with it, we tried to connect with a different Windows 7 PC and it connected. Then we booted up in safe mode with the original PC that failed the first time. It was unable to connect when it was in safe mode, but when we took it out of safe mode, it could connect.

Any ideas?

Thanks,
Jack

Jack Rizk
Network Engineer
Hayes and Associates
336-969-1871 x108
jrizk at hayesandassociates.com

From aroper at bcsvoicedata.com Wed Feb 22 13:10:26 2012
From: aroper at bcsvoicedata.com (Roper, Andrew)
Date: Wed, 22 Feb 2012 19:10:26 +0000
Subject: [vpn-help] Issues with passing traffic after VPN tunnel is established
In-Reply-To: <5D4E714A21D444B1B0DE5FE8A0D9C464@jrizkhayesass>
References: <5D4E714A21D444B1B0DE5FE8A0D9C464@jrizkhayesass>
Message-ID: <168BE652-516E-410F-9F46-4DF58DD21225@bcsvoicedata.com>

Jack,

It makes total sense that it does not work in Safe Mode.
Safe Mode disables networking and only enables minimum services for OS functionality. I would even suspect that you'd have issues in Safe Mode with Networking as other dependent services would be offline. If, however, you are suggesting that a normal reboot does not resolve the issue but booting into Safe Mode and then a normal boot does then that is particularly curious. For this I have no explanation.

As for continued troubleshooting, it would be necessary to perform a debug on the Netvanta and look for clues there and on the client I would make sure there are no conflicting VPN clients installed, AV isn't interfering, drivers are up to date and the connection is stable. Running some debug logs on the client side would also help in narrowing down the problem.

Regards,
Andrew

Sent from my iPhone

From dave at davenjudy.org Sat Feb 25 23:58:29 2012
From: dave at davenjudy.org (David G. Miller)
Date: Sat, 25 Feb 2012 22:58:29 -0700
Subject: [vpn-help] EL6 client?
Message-ID: <4F49CA05.9060701@davenjudy.org>

Hi List -

I'm looking into whether there is a way to get the Shrew Soft VPN client working with Red Hat Enterprise Linux 6.X (or clones such as Scientific Linux or CentOS). I have a working configuration installed on a Fedora Core 16 system but I need it working on EL6.

I noticed that folks who usually provide an RPM such as EPEL, rpmforge, ATrpms, etc. don't have one for EL6 which I'm taking as a hint that there is a deeper problem than just building the rpm. I also noticed that the client doesn't work on my development EL6 box regardless of whether I build from the archive available for download here or build from a backport of the source rpm from Fedora 16. Both of these approaches result in a clean build that installs, logs into my VPN server and appears to get packets back to the client but not back to the program such as ping or ssh that attempted to connect over the VPN.

Has anyone looked into building a statically linked version of iked (the other pieces appear to work) under Fedora? Anyone succeed?

Thanks,
Dave

"You can avoid reality, but you cannot avoid the consequences of avoiding reality." - Ayn Rand
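
Added example, not part of any message in this archive: a small triage helper for the two gateway-side logs quoted above (James Cope's firewall log of 20 Feb and Rainer Mach's racoon log of 21 Feb). The function names and finding labels are assumptions of this example, and the readings attached to each finding are interpretations, not vendor documentation.

```python
import re
from collections import Counter

# Log lines copied from the gateway logs quoted in the threads above (excerpts).
FIREWALL_LOG = """\
2012-02-20 11:57:43 info IKE 217.41.45.141 Phase 1: Retransmission limit has been reached.
2012-02-20 11:57:35 info IKE 217.41.45.141 phase 1:The symmetric crypto key has been generated successfully.
2012-02-20 11:57:35 info IKE 217.41.45.141 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2012-02-20 11:56:54 info IKE 217.41.45.141 phase 1:The symmetric crypto key has been generated successfully.
2012-02-20 11:56:54 info IKE 217.41.45.141 Phase 1: Responder starts AGGRESSIVE mode negotiations.
"""
RACOON_LOG = """\
Feb 21 17:35:15 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 21 17:35:15 racoon: ERROR: no configuration found for 178.115.x.y.
Feb 21 17:35:13 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 21 17:35:13 racoon: ERROR: no configuration found for 178.115.x.y.
Feb 21 17:35:12 racoon: INFO: begin Identity Protection mode.
"""

# (event name, pattern); the optional "peer" group captures the remote address.
EVENTS = [
    ("p1_start_aggressive", re.compile(r"IKE (?P<peer>\S+) Phase 1: Responder starts AGGRESSIVE", re.I)),
    ("p1_key_generated", re.compile(r"IKE (?P<peer>\S+) phase 1:\s*The symmetric crypto key", re.I)),
    ("p1_retransmit_limit", re.compile(r"IKE (?P<peer>\S+) Phase 1: Retransmission limit", re.I)),
    ("p1_start_main", re.compile(r"racoon: INFO: begin Identity Protection mode")),
    ("no_peer_config", re.compile(r"racoon: ERROR: no configuration found for (?P<peer>\S+?)\.(?:\s|$)")),
    ("p2_begin_failed", re.compile(r"racoon: ERROR: failed to begin ipsec sa nego")),
]


def count_events(log_text):
    """Count recognised IKE events and collect the peer addresses they name."""
    counts, peers = Counter(), set()
    for line in log_text.splitlines():
        for name, pattern in EVENTS:
            match = pattern.search(line)
            if match:
                counts[name] += 1
                if "peer" in match.groupdict():
                    peers.add(match.group("peer"))
                break
    return counts, peers


def triage(log_text):
    """Turn event counts into findings that say where to look next."""
    counts, peers = count_events(log_text)
    findings = []
    # Gateway derived keys and answered, then retransmitted until it gave up:
    # its reply was never followed up by the client. Compare captures taken
    # on the client and at the gateway, as suggested in the thread.
    if counts["p1_key_generated"] and counts["p1_retransmit_limit"]:
        findings.append("phase1-reply-unanswered")
    # Gateway has no configuration entry matching the peer's source address.
    if counts["no_peer_config"]:
        findings.append("no-gateway-config-for-peer")
    # "Identity Protection" is IKEv1 main mode; check that client and gateway
    # agree on main vs. aggressive mode for this tunnel.
    if counts["p1_start_main"] and counts["no_peer_config"]:
        findings.append("check-exchange-mode")
    return {"peers": sorted(peers), "counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    for label, text in (("firewall", FIREWALL_LOG), ("racoon", RACOON_LOG)):
        print(label, triage(text))
```
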