[vpn-help] -12 against ipsec-tools 0.6.6

Peter Eisch peter at boku.net
Wed Aug 9 11:38:50 CDT 2006


I’ll see if I can test some more configurations, but here is my simplest
test.  

## : IPSEC Daemon, Aug  6 2006
## : Copyright 2005 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8a 11 Oct 2005
ii : rebuilding interface list ...
ii : interface IP=10.1.200.165, MTU=1500 active
ii : 1 adapter(s) active
ii : client ctrl thread begin ...
DB : tunnel added
DB : tunnel dereferenced ( ref count = 0, tunnel count = 1 )
ii : peer config message received
DB : ipsec peer not found
ii : local address selected for peer
ii : 10.1.200.165 ( CNet PRO200WL PCI Fast Ethernet Adapter - Packet Scheduler Miniport )
ii : user credentials message received
ii : client keyfile message received
ii : '\Documents and Settings\peter\Desktop\certs\ca.crt' loaded
ii : tunnel enable message received
DB : new phase1 sa ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 10.1.200.165:500 <-> 10.1.101.26:500
DB : 43dc7d87141edc41:0000000000000000
DB : phase1 sa added
>> : security association payload
>> : key exchange payload
>> : nonce payload
>> : identification payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
-> : send IKE packet to 10.1.101.26:500 ( 344 bytes )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
ii : vnet inf 'C:\Program Files\ShrewSoft\VPN Client\drivers\virtualnet.inf'
<- : recv IKE packet from 10.1.101.26:500 ( 548 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 548 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 548 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 396 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, processing complete packet
<< : security association payload
ii : matched phase1 proposal
ii : - protocol     = isakmp
ii : - transform    = ike
ii : - key length   = default
ii : - cipher type  = 3des
ii : - hash type    = md5
ii : - dh group     = modp-1024
ii : - auth type    = hybrid-initiator-rsa
ii : - life seconds = 86400
ii : - life kbytes  = 0
<< : key exchange payload
<< : nonce payload
<< : identification payload
<< : certificate payload
<< : signature payload
<< : vendor id payload
ii : peer supports XAUTH
<< : vendor id payload
ii : peer supports UNITY
<< : cert request payload
<< : vendor id payload
ii : peer supports NAT-T RFC
<< : nat discovery payload
<< : nat discovery payload
== : DH shared secret ( 128 bytes )
== : SETKEYID ( 16 bytes )
== : SETKEYID_d ( 16 bytes )
== : SETKEYID_a ( 16 bytes )
== : SETKEYID_e ( 16 bytes )
== : cipher key ( 32 bytes )
== : cipher iv ( 8 bytes )
== : phase1 hash_i ( computed ) ( 16 bytes )
>> : hash payload
>> : nat discovery payload
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 68 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 68 bytes )
ii : unable to get certificate CRL(3) at depth:0
ii : subject :/C=US/ST=Minnesota/L=Minneapolis/O=VisionShare, Inc./OU=Managed Services/CN=cow.visionshareinc.com/emailAddress=peter.eisch at visionshareinc.com
ii : unable to get certificate CRL(3) at depth:1
ii : subject :/C=US/ST=Minnesota/L=Minneapolis/O=VisionShare, Inc./OU=Managed Services/CN=vpnca.visionshareinc.com/emailAddress=peter.eisch at visionshareinc.com
== : phase1 hash_r ( computed ) ( 16 bytes )
== : phase1 hash_r ( received ) ( 16 bytes )
II | phase1 sa established
II | 10.1.200.165:500 <-> 10.1.101.26:500
II | 43dc7d87141edc41:df266e207a5fc429
>> : hash payload
>> : notification payload
== : new informational hash ( 16 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 76 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 76 bytes )
II | sent peer notification, INITIAL-CONTACT
II | 10.1.200.165 -> 10.1.101.26
II | isakmp spi = 43dc7d87141edc41:df266e207a5fc429
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 76 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : config not found
DB : config added
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 76 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : attribute payload
ii : received xauth request
>> : hash payload
>> : attribute payload
== : new configure hash ( 16 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 84 bytes )
DB : config dereferenced ( ref count = 0, config count = 1 )
ii : sent xauth reply with 'rocky' credentials
DB : config deleted
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 68 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : config not found
DB : config added
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 68 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : attribute payload
ii : received xauth result
ii : user authentication succeeded
>> : hash payload
>> : attribute payload
== : new configure hash ( 16 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 56 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 60 bytes )
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : config added
== : new phase2 iv ( 8 bytes )
ii : determining required modecfg attributes
ii : - IP4 Address
ii : - IP4 Netamask
ii : - IP4 DNS Server
ii : - IP4 DNS Suffix
ii : - Split DNS Domains
ii : - IP4 WINS Server
ii : - IP4 Split Network Include List
ii : - IP4 Split Network Exclude List
ii : sending isakmp config request
>> : hash payload
>> : attribute payload
== : new configure hash ( 16 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 88 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 92 bytes )
DB : config dereferenced ( ref count = 0, config count = 2 )
DB : config deleted
DB : tunnel dereferenced ( ref count = 3, tunnel count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 92 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : config found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 92 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : attribute payload
ii : received isakmp config reply
ii : - IP4 Address = 10.1.202.0
ii : - IP4 Netmask = 255.255.255.0
ii : - IP4 DNS Server = 10.1.100.126
ii : - IP4 WINS Server = 10.1.100.126
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
ii : resending ip packet
<- : recv IKE packet from 10.1.101.26:500 ( 92 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : config found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 92 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
!! : invalid hash size ( -11753 != 16 )
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
ii : resending ip packet
<- : recv IKE packet from 10.1.101.26:500 ( 92 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : config found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 92 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
!! : invalid hash size ( 15762 != 16 )
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
ii : resending ip packet
<- : recv IKE packet from 10.1.101.26:500 ( 92 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : config found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 92 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
!! : invalid hash size ( 18079 != 16 )
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
ii : resending ip packet
<- : recv IKE packet from 10.1.101.26:500 ( 92 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : config found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 92 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
!! : invalid hash size ( 30324 != 16 )
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
ii : created vnet device 'ROOT\VNET\0000'
ii : client recv thread begin ...
ii : re-costed existing default route
!! : unable to locate adapter index.
!! : unable to locate adapter index.
!! : unable to locate adapter index.
DB : phase1 sa found
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
ii : ip packet resend timed out
ii : inspecting VNet DHCP packet ...
ii : - message type DHCP discover
ii : responding to VNet DHCP packet ...
ii : - message type DHCP offer
ii : inspecting VNet DHCP packet ...
ii : - message type DHCP request
ii : responding to VNet DHCP packet ...
ii : - message type DHCP acknowledge
ii : added host route for remote peer
ii : inspecting VNet ARP request ...
ii : inspecting VNet ARP request ...
ii : inspecting VNet ARP request ...
ii : inspecting VNet DHCP packet ...
!! : DHCP message type is invalid ( 8 )
ii : inspecting VNet DHCP packet ...
!! : DHCP message type is invalid ( 8 )

***** At this point the client shows: 
 

***** The logs on the server report:

cow# /etc/rc.d/racoon start
Starting racoon.
Aug  9 11:25:33 cow racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Aug  9 11:25:33 cow racoon: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
cow# Aug  9 11:25:33 cow racoon: INFO: 10.1.101.26[4500] used as isakmp port (fd=8)
Aug  9 11:25:33 cow racoon: INFO: 10.1.101.26[4500] used for NAT-T
Aug  9 11:25:33 cow racoon: INFO: 10.1.101.26[500] used as isakmp port (fd=9)
Aug  9 11:25:33 cow racoon: INFO: 10.1.101.26[500] used for NAT-T
Aug  9 11:28:02 cow racoon: INFO: respond new phase 1 negotiation: 10.1.101.26[500]<=>10.1.200.165[500]
Aug  9 11:28:02 cow racoon: INFO: begin Aggressive mode.
Aug  9 11:28:02 cow racoon: INFO: received Vendor ID: CISCO-UNITY
Aug  9 11:28:02 cow racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Aug  9 11:28:02 cow racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Aug  9 11:28:02 cow racoon: INFO: received Vendor ID: RFC 3947
Aug  9 11:28:02 cow racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Aug  9 11:28:02 cow racoon: INFO: Selected NAT-T version: RFC 3947
Aug  9 11:28:02 cow racoon: oakley_dh_generate(MODP1024): 0.017753
Aug  9 11:28:02 cow racoon: oakley_dh_compute(MODP1024): 0.020346
Aug  9 11:28:02 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=128): 0.000087
Aug  9 11:28:02 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=145): 0.000020
Aug  9 11:28:02 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=161): 0.000021
Aug  9 11:28:02 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=161): 0.000021
Aug  9 11:28:02 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=1): 0.000019
Aug  9 11:28:02 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=16): 0.000020
Aug  9 11:28:02 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=521): 0.000023
Aug  9 11:28:02 cow racoon: alg_oakley_encdef_decrypt(3des klen=192 size=40): 0.000144
Aug  9 11:28:02 cow racoon: INFO: NAT not detected
Aug  9 11:28:02 cow racoon: INFO: No SIG was passed, but hybrid auth is enabled
Aug  9 11:28:02 cow racoon: phase1(???): 0.000897
Aug  9 11:28:02 cow racoon: phase1(Aggressive): 0.562699
Aug  9 11:28:02 cow racoon: INFO: Sending Xauth request
Aug  9 11:28:02 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=24): 0.000024
Aug  9 11:28:02 cow racoon: alg_oakley_encdef_encrypt(3des klen=192 size=48): 0.000068
Aug  9 11:28:02 cow racoon: INFO: ISAKMP-SA established 10.1.101.26[500]-10.1.200.165[500] spi:43dc7d87141edc41:df266e207a5fc429
Aug  9 11:28:03 cow racoon: alg_oakley_encdef_decrypt(3des klen=192 size=48): 0.000068
Aug  9 11:28:03 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=32): 0.000026
Aug  9 11:28:03 cow racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000072
Aug  9 11:28:03 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=36): 0.000026
Aug  9 11:28:03 cow racoon: INFO: Using port 0
Aug  9 11:28:03 cow racoon: INFO: login succeeded for user "rocky"
Aug  9 11:28:03 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=16): 0.000023
Aug  9 11:28:03 cow racoon: alg_oakley_encdef_encrypt(3des klen=192 size=40): 0.000069
Aug  9 11:28:04 cow racoon: alg_oakley_encdef_decrypt(3des klen=192 size=32): 0.000071
Aug  9 11:28:04 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=12): 0.000027
Aug  9 11:28:04 cow racoon: alg_oakley_encdef_decrypt(3des klen=192 size=64): 0.000070
Aug  9 11:28:04 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=44): 0.000025
Aug  9 11:28:04 cow racoon: WARNING: Ignored attribute 28678
Aug  9 11:28:04 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=44): 0.000020
Aug  9 11:28:04 cow racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000055
Aug  9 11:28:09 cow racoon: alg_oakley_encdef_decrypt(3des klen=192 size=64): 0.000080
Aug  9 11:28:09 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=44): 0.000026
Aug  9 11:28:09 cow racoon: WARNING: Ignored attribute 28678
Aug  9 11:28:09 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=44): 0.000019
Aug  9 11:28:09 cow racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000060
Aug  9 11:28:15 cow racoon: alg_oakley_encdef_decrypt(3des klen=192 size=64): 0.000076
Aug  9 11:28:15 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=44): 0.000029
Aug  9 11:28:15 cow racoon: WARNING: Ignored attribute 28678
Aug  9 11:28:15 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=44): 0.000020
Aug  9 11:28:15 cow racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000056
Aug  9 11:28:21 cow racoon: alg_oakley_encdef_decrypt(3des klen=192 size=64): 0.000074
Aug  9 11:28:21 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=44): 0.000025
Aug  9 11:28:21 cow racoon: WARNING: Ignored attribute 28678
Aug  9 11:28:21 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=44): 0.000020
Aug  9 11:28:21 cow racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000109
Aug  9 11:28:27 cow racoon: alg_oakley_encdef_decrypt(3des klen=192 size=64): 0.000088
Aug  9 11:28:27 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=44): 0.000027
Aug  9 11:28:27 cow racoon: WARNING: Ignored attribute 28678
Aug  9 11:28:27 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=44): 0.000020
Aug  9 11:28:27 cow racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000064
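The client log above shows phase 1, XAuth and the first mode-config reply succeeding, after which every further packet from the peer decrypts to a hash payload with a nonsense length and the client keeps resending until it times out. As an added example (not from the original post or the Shrew Soft code base), here is a small Python parser for that iked log format that extracts those milestones and returns a triage verdict; `SAMPLE_LOG` is a constructed excerpt in the same format.

```python
# Added triage helper for Shrew Soft VPN client (iked) debug logs; not from the
# original post or the Shrew Soft code base.  Lines look like "<tag> : msg"
# (tags ii, II, DB, !!, <<, ->, ...).  SAMPLE_LOG is a constructed excerpt.
import re
from dataclasses import dataclass, field
SAMPLE_LOG = """\
II | phase1 sa established
ii : user authentication succeeded
ii : received isakmp config reply
ii : - IP4 Address = 10.1.202.0
ii : - IP4 Netmask = 255.255.255.0
<- : recv IKE packet from 10.1.101.26:500 ( 92 bytes )
!! : invalid hash size ( -11753 != 16 )
!! : invalid hash size ( 15762 != 16 )
"""
HASH_ERR = re.compile(r"invalid hash size \( (-?\d+) != (\d+) \)")
CFG_ATTR = re.compile(r"- (IP4 [A-Za-z ]+?) = (\S+)")

@dataclass
class Summary:
    phase1_established: bool = False
    xauth_ok: bool = False
    config: dict = field(default_factory=dict)  # mode-config attributes
    bad_hash_sizes: list = field(default_factory=list)  # lengths seen in "!!" lines

def parse_iked_log(text: str) -> Summary:
    s, in_config = Summary(), False
    for line in text.splitlines():
        tag, msg = line[:2], line[5:].strip()  # "ii : msg" -> ("ii", "msg")
        if tag == "II" and msg == "phase1 sa established":
            s.phase1_established = True
        elif tag == "ii" and msg == "user authentication succeeded":
            s.xauth_ok = True
        elif tag == "ii" and msg == "received isakmp config reply":
            in_config = True
        elif tag == "ii" and in_config and (m := CFG_ATTR.match(msg)):
            s.config[m[1]] = m[2]
        elif tag == "!!" and (m := HASH_ERR.match(msg)):
            s.bad_hash_sizes.append(int(m[1]))  # packet decrypted to junk hash
        else:
            in_config = False  # mode-config attribute lines are contiguous
    return s

def diagnose(s: Summary) -> str:
    """Coarse verdict on where the negotiation stopped."""
    if not s.phase1_established:
        return "phase1-failed"
    if not s.xauth_ok:
        return "xauth-failed"
    if not s.config:
        return "modecfg-no-reply"
    if s.bad_hash_sizes:
        return "modecfg-reply-hash-invalid"
    return "negotiation-ok"
```

Run it over a full iked log (`parse_iked_log(open(path).read())`) to get the same verdict the post's log produces, `modecfg-reply-hash-invalid`, and the list of garbage hash lengths.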
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cow.visionshareinc.com.vpn
Type: application/octet-stream
Size: 763 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20060809/69906ba1/attachment-0005.obj>