[vpn-help] Frag issue with 1.1b1

Peter Eisch peter at boku.net
Tue Aug 29 12:34:59 CDT 2006


It's back -- but different.



# phase 1
remote anonymous {
        exchange_mode main,aggressive;
        ca_type x509 "ca.crt";
        certificate_type x509 "cow.visionshareinc.com.crt" "cow.visionshareinc.com.key";
        my_identifier asn1dn;
        proposal_check claim;
        lifetime time 24 hour;
#        generate_policy on;
        generate_policy unique; # for after 0.6.6
        nat_traversal on;
        dpd_delay 20;
        ike_frag on;
#       esp_frag 1024;
        doi ipsec_doi;

        # static clients
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }

        # for OS X, shrew (rsasig)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }

        # cisco clients
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_server;
                dh_group 2;
        }
        # works with racoon
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_server;
                dh_group 2;
        }


        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method hybrid_rsa_server;
                dh_group 2;
        }

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

mode_cfg {
        network4 10.1.202.1;
        pool_size 253;
        netmask4 255.255.255.0;
        auth_source radius;
        conf_source radius;
        accounting radius;
        banner "/etc/racoon/motd";
        dns4 10.1.100.126;
        wins4 10.1.100.126;
        pfs_group 2;
}

# phase 2
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_md5, hmac_sha1;
        compression_algorithm deflate;
}

____________________________


2006-08-29 12:24:21: DEBUG: ===
2006-08-29 12:24:21: DEBUG: 560 bytes message received from 10.1.200.170[500] to 10.1.101.26[500]
2006-08-29 12:24:21: DEBUG:
951894fd 229ccc8c 00000000 00000000 84100400 00000000 00000230 00000214
00010100 951894fd 229ccc8c 00000000 00000000 01100400 00000000 00000223
04000038 00000001 00000001 0000002c 01010001 00000024 01010000 80010005
80020002 80040002 80030003 800b0001 000c0004 00015180 0a000084 638b90e5
5c5653ac af0fa240 7f052591 f2754a5a 5f4c2f0c 8bdfcf26 a6aa95a2 2fa8fd67
ece7e45a cf068f3a 8aa36c49 54ab328d 15a2a246 4c668c17 2499c40c adc8a2fa
55e7898e 78f9ada7 879cb21c 35332b34 8b2c19bf a5182c54 099bc511 54e76859
38292930 54f9eec8 63c5a6b0 c479e322 fd89c3bc 213189d5 abc91af3 05000018
ec5a427f ec73356a 2a73630b ca34a337 a6d9d29f 0d0000cb 09000000 3081c031
0b300906 03550406 13025553 31123010 06035504 0813094d 696e6e65 736f7461
31143012 06035504 07130b4d 696e6e65 61706f6c 6973311a 30180603 55040a13
11566973 696f6e53 68617265 2c20496e 632e3119 30170603 55040b13 104d616e
61676564 20536572 76696365 73312130 1f060355 04031318 70637670 6e2e7669
73696f6e 73686172 65696e63 2e636f6d 312d302b 06092a86 4886f70d 01090116
1e706574 65722e65 69736368 40766973 696f6e73 68617265 696e632e 636f6d0d
00001412 f5f28c45 7168a970 2d9fe274 cc01000d 00001490 cb80913e bb696e08
6381b5ec 427b1f0d 0000144a 131c8107 0358455c 5728f20e 95452f0d 00001840
48b7d56e bce88525 e7de7f00 d6c2d380
2006-08-29 12:24:21: DEBUG: anonymous configuration selected for 10.1.200.170.
2006-08-29 12:24:21: DEBUG: ===
2006-08-29 12:24:21: INFO: respond new phase 1 negotiation: 10.1.101.26[500]<=>10.1.200.170[500]
2006-08-29 12:24:21: INFO: begin Aggressive mode.
2006-08-29 12:24:21: DEBUG: begin.
2006-08-29 12:24:21: DEBUG: seen nptype=132(ike frag)
2006-08-29 12:24:21: DEBUG: succeed.
2006-08-29 12:24:21: ERROR: received invalid next payload type 132, expecting 1.
2006-08-29 12:24:21: ERROR: failed to process packet.

2006-08-29 12:24:39: DEBUG: ===
2006-08-29 12:24:39: DEBUG: 59 bytes message received from 10.1.200.170[500] to 10.1.101.26[500]
2006-08-29 12:24:39: DEBUG:
951894fd 229ccc8c 00000000 00000000 84100400 00000000 0000003b 0000001f
00010201 00000000 000014af cad71368 a1f1c96b 8696fc77 570100
2006-08-29 12:24:39: DEBUG: anonymous configuration selected for 10.1.200.170.
2006-08-29 12:24:39: DEBUG: ===
2006-08-29 12:24:39: INFO: respond new phase 1 negotiation: 10.1.101.26[500]<=>10.1.200.170[500]
2006-08-29 12:24:39: INFO: begin Aggressive mode.
2006-08-29 12:24:39: DEBUG: begin.
2006-08-29 12:24:39: DEBUG: seen nptype=132(ike frag)
2006-08-29 12:24:39: DEBUG: succeed.
2006-08-29 12:24:39: ERROR: received invalid next payload type 132, expecting 1.
2006-08-29 12:24:39: ERROR: failed to process packet.

Others looked pretty much exactly like the above.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: logfile.txt
Type: application/octet-stream
Size: 1966 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20060829/001b862f/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cow rsasig.vpn
Type: application/octet-stream
Size: 984 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20060829/001b862f/attachment-0003.obj>
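The two hex dumps in the log above, decoded as IKEv1 fragments. This is an added example, not code from the post, from racoon or from the Shrew Soft client. It assumes the fragment payload layout of draft-ietf-ipsec-isakmp-frag (generic payload header, then a 2-byte fragment ID, a 1-byte fragment number and a 1-byte flags field whose bit 0 marks the last fragment); the payload type names are the standard ISAKMP ones. It parses the outer headers (next payload 132), reassembles the two pieces, and walks the payload chain of the 547-byte Aggressive mode message carried inside, whose own header has next payload 1 (SA), the value the racoon error says it expected. The constants are the bytes copied from the post; nothing else is captured traffic.

```python
import struct

ISAKMP_HDR_LEN = 28
NP_SA, NP_IKE_FRAG = 1, 132     # SA payload; IKE fragmentation payload (draft-ietf-ipsec-isakmp-frag)
FRAG_FLAG_LAST = 0x01
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 10: "NONCE", 13: "VID", 132: "IKE_FRAG"}

# Hex dumps copied from the racoon debug log in the post (560 and 59 bytes on the wire).
FRAG1_HEX = """
951894fd 229ccc8c 00000000 00000000 84100400 00000000 00000230 00000214
00010100 951894fd 229ccc8c 00000000 00000000 01100400 00000000 00000223
04000038 00000001 00000001 0000002c 01010001 00000024 01010000 80010005
80020002 80040002 80030003 800b0001 000c0004 00015180 0a000084 638b90e5
5c5653ac af0fa240 7f052591 f2754a5a 5f4c2f0c 8bdfcf26 a6aa95a2 2fa8fd67
ece7e45a cf068f3a 8aa36c49 54ab328d 15a2a246 4c668c17 2499c40c adc8a2fa
55e7898e 78f9ada7 879cb21c 35332b34 8b2c19bf a5182c54 099bc511 54e76859
38292930 54f9eec8 63c5a6b0 c479e322 fd89c3bc 213189d5 abc91af3 05000018
ec5a427f ec73356a 2a73630b ca34a337 a6d9d29f 0d0000cb 09000000 3081c031
0b300906 03550406 13025553 31123010 06035504 0813094d 696e6e65 736f7461
31143012 06035504 07130b4d 696e6e65 61706f6c 6973311a 30180603 55040a13
11566973 696f6e53 68617265 2c20496e 632e3119 30170603 55040b13 104d616e
61676564 20536572 76696365 73312130 1f060355 04031318 70637670 6e2e7669
73696f6e 73686172 65696e63 2e636f6d 312d302b 06092a86 4886f70d 01090116
1e706574 65722e65 69736368 40766973 696f6e73 68617265 696e632e 636f6d0d
00001412 f5f28c45 7168a970 2d9fe274 cc01000d 00001490 cb80913e bb696e08
6381b5ec 427b1f0d 0000144a 131c8107 0358455c 5728f20e 95452f0d 00001840
48b7d56e bce88525 e7de7f00 d6c2d380
"""
FRAG2_HEX = """
951894fd 229ccc8c 00000000 00000000 84100400 00000000 0000003b 0000001f
00010201 00000000 000014af cad71368 a1f1c96b 8696fc77 570100
"""

def hex_to_bytes(dump):
    return bytes.fromhex("".join(dump.split()))

def parse_header(msg):
    """Fixed 28-byte ISAKMP header; its length field must match the wire size."""
    icookie, rcookie, np, ver, exch, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", msg[:ISAKMP_HDR_LEN])
    if length != len(msg):
        raise ValueError("header says %d bytes, got %d" % (length, len(msg)))
    return {"icookie": icookie, "rcookie": rcookie, "np": np, "version": ver,
            "exchange": exch, "flags": flags, "msgid": msgid, "length": length}

def parse_fragment(msg):
    """Parse a message whose single payload is an IKE fragmentation payload."""
    hdr = parse_header(msg)
    if hdr["np"] != NP_IKE_FRAG:
        raise ValueError("not a fragment: next payload %d" % hdr["np"])
    # Generic payload header (np, reserved, length), then frag_id, frag_num, flags.
    _np, _res, plen, frag_id, frag_num, flags = struct.unpack(
        "!BBHHBB", msg[ISAKMP_HDR_LEN:ISAKMP_HDR_LEN + 8])
    if ISAKMP_HDR_LEN + plen != len(msg):
        raise ValueError("fragment payload length %d does not fill the message" % plen)
    return {"hdr": hdr, "frag_id": frag_id, "frag_num": frag_num,
            "last": bool(flags & FRAG_FLAG_LAST), "data": msg[ISAKMP_HDR_LEN + 8:]}

def reassemble(fragments):
    """Rebuild the inner message: one frag_id, numbers 1..N contiguous, N flagged last."""
    by_num = {}
    for f in fragments:
        if f["frag_id"] != fragments[0]["frag_id"] or f["frag_num"] in by_num:
            raise ValueError("mixed or duplicate fragment %d/%d" % (f["frag_id"], f["frag_num"]))
        by_num[f["frag_num"]] = f
    nums = list(range(1, max(by_num) + 1))
    if sorted(by_num) != nums or not by_num[nums[-1]]["last"]:
        raise ValueError("incomplete fragment set: have %r" % sorted(by_num))
    msg = b"".join(by_num[n]["data"] for n in nums)
    parse_header(msg)   # inner length field must equal the reassembled size
    return msg

def walk_payloads(msg):
    """Follow the next-payload chain; return [(type_name, length), ...]."""
    np, off, chain = parse_header(msg)["np"], ISAKMP_HDR_LEN, []
    while np != 0:
        if off + 4 > len(msg):
            raise ValueError("payload chain runs past end of message")
        nxt, _res, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        chain.append((PAYLOAD_NAMES.get(np, str(np)), plen))
        np, off = nxt, off + plen
    if off != len(msg):
        raise ValueError("%d trailing bytes after last payload" % (len(msg) - off))
    return chain

def analyse_post():
    """What racoon saw (outer np), then what is inside once both fragments are joined."""
    frags = [parse_fragment(hex_to_bytes(h)) for h in (FRAG1_HEX, FRAG2_HEX)]
    outer_np = frags[0]["hdr"]["np"]        # 132: the value racoon rejected
    inner = reassemble(frags)
    inner_np = parse_header(inner)["np"]    # 1 (SA): what Aggressive mode expects first
    return outer_np, inner_np, len(inner), walk_payloads(inner)

if __name__ == "__main__":
    print(analyse_post())
```

Run as-is it reports the outer next payload (132), the inner next payload (1), the reassembled size (547 bytes, matching the 0x223 length in the inner header) and the payload chain SA, KE, NONCE, ID, then five vendor ID payloads. Feeding `reassemble()` only the first 560-byte fragment raises instead of returning a truncated message, which is the check a responder needs before it hands a message to the Phase 1 state machine.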