[vpn-help] -12 against ipsec-tools 0.6.6

Peter Eisch peter at boku.net
Thu Aug 10 10:22:04 CDT 2006


Below is the log with the newer rc2 client.  It still won't route over the
VPN though.  Further below is the racoon log corresponding to this log.

peter 


## : IPSEC Daemon, Aug  9 2006
## : Copyright 2005 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8a 11 Oct 2005
ii : opened 'dump-prv.cap'
ii : rebuilding interface list ...
ii : interface IP=10.1.200.165, MTU=1500 active
ii : 1 adapter(s) active
ii : client ctrl thread begin ...
DB : tunnel added 
DB : tunnel dereferenced ( ref count = 0, tunnel count = 1 )
ii : peer config message received
DB : ipsec peer not found
ii : local address selected for peer
ii : 10.1.200.165 ( CNet PRO200WL PCI Fast Ethernet Adapter - Packet Scheduler Miniport )
ii : user credentials message received
ii : client keyfile message received
ii : '\Documents and Settings\peter\Desktop\certs\ca.crt' loaded
ii : tunnel enable message received
DB : new phase1 sa ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 10.1.200.165:500 <-> 10.1.101.26:500
DB : a46096a2a59b67e9:0000000000000000
DB : phase1 sa added
>> : security association payload
>> : key exchange payload
>> : nonce payload 
>> : identification payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
-> : send IKE packet to 10.1.101.26:500 ( 344 bytes )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
ii : vnet inf 'C:\Program Files\ShrewSoft\VPN Client\drivers\virtualnet.inf'
<- : recv IKE packet from 10.1.101.26:500 ( 548 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 548 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 548 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 396 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, processing complete packet
<< : security association payload
ii : matched phase1 proposal
ii : - protocol     = isakmp
ii : - transform    = ike
ii : - key length   = default
ii : - cipher type  = 3des
ii : - hash type    = md5
ii : - dh group     = modp-1024
ii : - auth type    = hybrid-initiator-rsa
ii : - life seconds = 86400
ii : - life kbytes  = 0
<< : key exchange payload
<< : nonce payload 
<< : identification payload
<< : certificate payload
<< : signature payload
<< : vendor id payload
ii : peer supports XAUTH
<< : vendor id payload
ii : peer supports UNITY
<< : cert request payload
<< : vendor id payload
ii : peer supports NAT-T RFC
<< : nat discovery payload
<< : nat discovery payload
== : DH shared secret ( 128 bytes )
== : SETKEYID ( 16 bytes )
== : SETKEYID_d ( 16 bytes )
== : SETKEYID_a ( 16 bytes )
== : SETKEYID_e ( 16 bytes )
== : cipher key ( 32 bytes )
== : cipher iv ( 8 bytes )
== : phase1 hash_i ( computed ) ( 16 bytes )
>> : hash payload 
>> : nat discovery payload
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 68 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 68 bytes )
ii : unable to get certificate CRL(3) at depth:0
ii : subject :/C=US/ST=Minnesota/L=Minneapolis/O=VisionShare, Inc./OU=Managed Services/CN=cow.visionshareinc.com/emailAddress=peter.eisch at visionshareinc.com

ii : unable to get certificate CRL(3) at depth:1
ii : subject :/C=US/ST=Minnesota/L=Minneapolis/O=VisionShare, Inc./OU=Managed Services/CN=vpnca.visionshareinc.com/emailAddress=peter.eisch at visionshareinc.com

== : phase1 hash_r ( computed ) ( 16 bytes )
== : phase1 hash_r ( received ) ( 16 bytes )
II | phase1 sa established
II | 10.1.200.165:500 <-> 10.1.101.26:500
II | a46096a2a59b67e9:458425255c2ae9d0
>> : hash payload 
>> : notification payload
== : new informational hash ( 16 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 76 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 76 bytes )
II | sent peer notification, INITIAL-CONTACT
II | 10.1.200.165 -> 10.1.101.26
II | isakmp spi = a46096a2a59b67e9:458425255c2ae9d0
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 76 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : config not found
DB : config added 
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 76 bytes )
== : stored iv ( 8 bytes )
<< : hash payload 
<< : attribute payload
ii : received xauth request
>> : hash payload 
>> : attribute payload
== : new configure hash ( 16 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 84 bytes )
DB : config dereferenced ( ref count = 0, config count = 1 )
ii : sent xauth reply with 'rocky' credentials
DB : config deleted
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 68 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : config not found
DB : config added 
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 68 bytes )
== : stored iv ( 8 bytes )
<< : hash payload 
<< : attribute payload
ii : received xauth result
ii : user authentication succeeded
>> : hash payload 
>> : attribute payload
== : new configure hash ( 16 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 56 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 60 bytes )
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : config added 
== : new phase2 iv ( 8 bytes )
ii : determining required modecfg attributes
ii : - IP4 Address 
ii : - IP4 Netamask
ii : - IP4 DNS Server
ii : - IP4 DNS Suffix
ii : - Split DNS Domains
ii : - IP4 WINS Server
ii : - IP4 Split Network Include List
ii : - IP4 Split Network Exclude List
ii : sending isakmp config request
>> : hash payload 
>> : attribute payload
== : new configure hash ( 16 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 88 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 92 bytes )
DB : config dereferenced ( ref count = 0, config count = 2 )
DB : config deleted
DB : tunnel dereferenced ( ref count = 3, tunnel count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 92 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : config found 
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 92 bytes )
== : stored iv ( 8 bytes )
<< : hash payload 
<< : attribute payload
ii : received isakmp config reply
ii : - IP4 Address = 10.1.202.0
ii : - IP4 Netmask = 255.255.255.0
ii : - IP4 DNS Server = 10.1.100.126
ii : - IP4 WINS Server = 10.1.100.126
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : config deleted
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
ii : created vnet device 'ROOT\VNET\0000'
ii : client recv thread begin ...
ii : re-costed existing default route
DB : phase1 sa found
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
ii : inspecting VNet DHCP packet ...
ii : - message type DHCP discover
ii : responding to VNet DHCP packet ...
ii : - message type DHCP offer
ii : inspecting VNet DHCP packet ...
ii : - message type DHCP request
ii : responding to VNet DHCP packet ...
ii : - message type DHCP acknowledge
ii : added host route for remote peer
ii : inspecting VNet ARP request ...
ii : inspecting VNet ARP request ...
ii : inspecting VNet ARP request ...
DB : phase2 sa not found
DB : phase2 sa not found
DB : phase1 sa found
DB : new phase2 sa ( IPSEC initiator )
DB : phase2 sa added
== : new phase2 iv ( 8 bytes )
>> : hash payload 
>> : security association payload
>> : nonce payload 
>> : key exchange payload
>> : identification payload
>> : identification payload
== : phase2 hash_i ( computed ) ( 16 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 288 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 292 bytes )
ii : rebuilding interface list ...
ii : interface IP=10.1.202.0, MTU=1500 active
ii : interface IP=10.1.200.165, MTU=1500 active
ii : 2 adapter(s) active
DB : phase2 sa dereferenced ( ref count = 0, phase2 count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
ii | outbound packet has been queued
ii | no mature sa found for 10.1.202.0 -> 224.0.0.22
<- : recv IKE packet from 10.1.101.26:500 ( 292 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : phase2 sa found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 292 bytes )
== : stored iv ( 8 bytes )
<< : hash payload 
<< : security association payload
ii : matched phase2 proposal
ii : - protocol     = ipsec-esp
ii : - encap mode   = tunnel
ii : - transform    = esp-3des
ii : - key length   = default
ii : - auth type    = hmac-md5
ii : - pfs dh group = modp-1024
ii : - life seconds = 3600
ii : - life kbytes  = 0
<< : nonce payload 
<< : key exchange payload
<< : identification payload
<< : identification payload
== : phase2 hash_r ( computed ) ( 16 bytes )
== : phase2 hash_r ( received ) ( 16 bytes )
II | phase2 sa established
II | 10.1.200.165:500 <-> 10.1.101.26:500
II | outbound spi = 0x03162d0a
II | inbound  spi = 0x1c0d5e24
== : pfs dh shared secret ( 128 bytes )
== : inbound spi key data ( 48 bytes )
== : outbound spi key data ( 48 bytes )
ii | outbound packet has been de-queued
-> : send ESP packet to 10.1.101.26 ( 76 bytes )
== : phase2 hash_p ( computed ) ( 16 bytes )
>> : hash payload 
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 48 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 52 bytes )
DB : phase2 sa dereferenced ( ref count = 0, phase2 count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )

C:\Documents and Settings\peter>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : kids-41f5c3e72d
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : domain.com

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : domain.com
        Description . . . . . . . . . . . : CNet PRO200WL PCI Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-08-A1-04-4E-06
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.200.165
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.200.254
        DHCP Server . . . . . . . . . . . : 10.1.200.254
        DNS Servers . . . . . . . . . . . : 10.1.100.126
        Primary WINS Server . . . . . . . : 10.1.100.126
        Lease Obtained. . . . . . . . . . : Thursday, August 10, 2006 10:01:17 AM
        Lease Expires . . . . . . . . . . : Thursday, August 10, 2006 10:01:17 PM

Ethernet adapter {8CF6038B-68CC-4B13-84CF-235C36FE9E46}:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Shrew Soft Virtual Adapter - Packet Scheduler Miniport
        Physical Address. . . . . . . . . : AA-AA-AA-AA-AA-00
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.202.0
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.202.0
        DHCP Server . . . . . . . . . . . : 10.1.101.26
        DNS Servers . . . . . . . . . . . : 10.1.100.126
        Primary WINS Server . . . . . . . : 10.1.100.126
        Lease Obtained. . . . . . . . . . : Thursday, August 10, 2006 10:15:21 AM
        Lease Expires . . . . . . . . . . : Thursday, August 10, 2006 10:25:21 AM

C:\Documents and Settings\peter>





cow# /etc/rc.d/racoon start
Starting racoon.
Aug 10 09:59:05 cow racoon: INFO: @(#)ipsec-tools 0.6.6
(http://ipsec-tools.sourceforge.net)
cow# Aug 10 09:59:05 cow racoon: INFO: @(#)This product linked OpenSSL
0.9.7d 17 Mar 2004 (http://www.openssl.org/)
Aug 10 09:59:05 cow racoon: INFO: 10.1.101.26[4500] used as isakmp port
(fd=8) 
Aug 10 09:59:05 cow racoon: INFO: 10.1.101.26[4500] used for NAT-T
Aug 10 09:59:05 cow racoon: INFO: 10.1.101.26[500] used as isakmp port
(fd=9) 
Aug 10 09:59:05 cow racoon: INFO: 10.1.101.26[500] used for NAT-T
Aug 10 10:15:08 cow racoon: INFO: respond new phase 1 negotiation:
10.1.101.26[500]<=>10.1.200.165[500]
Aug 10 10:15:08 cow racoon: INFO: begin Aggressive mode.
Aug 10 10:15:08 cow racoon: INFO: received Vendor ID: CISCO-UNITY
Aug 10 10:15:08 cow racoon: INFO: received Vendor ID:
draft-ietf-ipsra-isakmp-xauth-06.txt
Aug 10 10:15:08 cow racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02
Aug 10 10:15:08 cow racoon: INFO: received Vendor ID: RFC 3947
Aug 10 10:15:08 cow racoon: INFO: received broken Microsoft ID:
FRAGMENTATION 
Aug 10 10:15:08 cow racoon: INFO: Selected NAT-T version: RFC 3947
Aug 10 10:15:08 cow racoon: oakley_dh_generate(MODP1024): 0.017758
Aug 10 10:15:08 cow racoon: oakley_dh_compute(MODP1024): 0.021337
Aug 10 10:15:08 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=128):
0.000092
Aug 10 10:15:08 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=145):
0.000025
Aug 10 10:15:08 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=161):
0.000025
Aug 10 10:15:08 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=161):
0.000023
Aug 10 10:15:08 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=1):
0.000022
Aug 10 10:15:08 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=16):
0.000023
Aug 10 10:15:08 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=521):
0.000026
Aug 10 10:15:08 cow racoon: INFO: Adding remote and local NAT-D payloads.
Aug 10 10:15:08 cow racoon: INFO: Hashing 10.1.200.165[500] with algo #1
Aug 10 10:15:08 cow racoon: INFO: Hashing 10.1.101.26[500] with algo #1
Aug 10 10:15:08 cow racoon: phase1(agg R msg1): 0.058153
Aug 10 10:15:08 cow racoon: alg_oakley_encdef_decrypt(3des klen=192
size=40): 0.000136
Aug 10 10:15:08 cow racoon: INFO: NAT not detected
Aug 10 10:15:08 cow racoon: INFO: No SIG was passed, but hybrid auth is
enabled 
Aug 10 10:15:08 cow racoon: phase1(???): 0.000623
Aug 10 10:15:08 cow racoon: phase1(Aggressive): 0.076871
Aug 10 10:15:08 cow racoon: INFO: Sending Xauth request
Aug 10 10:15:08 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=24):
0.000023
Aug 10 10:15:08 cow racoon: alg_oakley_encdef_encrypt(3des klen=192
size=48): 0.000061
Aug 10 10:15:08 cow racoon: INFO: ISAKMP-SA established
10.1.101.26[500]-10.1.200.165[500] spi:a46096a2a59b67e9:458425255c2ae9d0
Aug 10 10:15:08 cow racoon: alg_oakley_encdef_decrypt(3des klen=192
size=48): 0.000065
Aug 10 10:15:08 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=32):
0.000026
Aug 10 10:15:08 cow racoon: alg_oakley_encdef_decrypt(3des klen=192
size=56): 0.000058
Aug 10 10:15:08 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=36):
0.000022
Aug 10 10:15:08 cow racoon: INFO: Using port 0
Aug 10 10:15:08 cow racoon: INFO: login succeeded for user "rocky"
Aug 10 10:15:08 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=16):
0.000022
Aug 10 10:15:08 cow racoon: alg_oakley_encdef_encrypt(3des klen=192
size=40): 0.000051
Aug 10 10:15:08 cow racoon: alg_oakley_encdef_decrypt(3des klen=192
size=32): 0.000058
Aug 10 10:15:08 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=12):
0.000025
Aug 10 10:15:08 cow racoon: alg_oakley_encdef_decrypt(3des klen=192
size=64): 0.000062
Aug 10 10:15:08 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=44):
0.000025
Aug 10 10:15:08 cow racoon: WARNING: Ignored attribute 28678
Aug 10 10:15:08 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=44):
0.000023
Aug 10 10:15:08 cow racoon: alg_oakley_encdef_encrypt(3des klen=192
size=64): 0.000062
Aug 10 10:15:22 cow racoon: INFO: respond new phase 2 negotiation:
10.1.101.26[500]<=>10.1.200.165[500]
Aug 10 10:15:22 cow racoon: alg_oakley_encdef_decrypt(3des klen=192
size=264): 0.000120
Aug 10 10:15:22 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=244):
0.000029
Aug 10 10:15:22 cow racoon: INFO: no policy found, try to generate the
policy : 10.1.202.0/32[0] 0.0.0.0/0[0] proto=any dir=in
Aug 10 10:15:22 cow racoon: phase2(???): 0.000948
Aug 10 10:15:22 cow racoon: oakley_dh_generate(MODP1024): 0.017588
Aug 10 10:15:22 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=260):
0.000028
Aug 10 10:15:22 cow racoon: alg_oakley_encdef_encrypt(3des klen=192
size=264): 0.000090
Aug 10 10:15:22 cow racoon: phase2(quick R msg1): 0.018413
Aug 10 10:15:23 cow /netbsd: IPv4 ESP input: no key association found for
spi 51784970
Aug 10 10:15:23 cow racoon: alg_oakley_encdef_decrypt(3des klen=192
size=24): 0.000070
Aug 10 10:15:23 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=41):
0.000033
Aug 10 10:15:23 cow racoon: oakley_dh_compute(MODP1024): 0.020474
Aug 10 10:15:23 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=169):
0.000023
Aug 10 10:15:23 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=185):
0.000021
Aug 10 10:15:23 cow last message repeated 2 times
Aug 10 10:15:23 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=169):
0.000021
Aug 10 10:15:23 cow racoon: alg_oakley_hmacdef_one(hmac_md5 size=185):
0.000021
Aug 10 10:15:23 cow last message repeated 2 times
Aug 10 10:15:23 cow racoon: phase2(???): 0.021538
Aug 10 10:15:23 cow racoon: INFO: IPsec-SA established: ESP/Tunnel
10.1.200.165[0]->10.1.101.26[0] spi=51784970(0x3162d0a)
Aug 10 10:15:23 cow racoon: phase2(quick): 1155222923.037855
Aug 10 10:15:23 cow racoon: INFO: IPsec-SA established: ESP/Tunnel
10.1.101.26[0]->10.1.200.165[0] spi=470638116(0x1c0d5e24)
Aug 10 10:15:23 cow racoon: ERROR: such policy does not already exist:
"10.1.202.0/32[0] 0.0.0.0/0[0] proto=any dir=in"
[end]
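Added example for this thread (not Shrew Soft or ipsec-tools code): a Python triage script that reads the client and racoon logs above and reports what a reviewer would check first. It pulls the negotiated phase 1 proposal and the mode-config reply out of the client log, then walks the racoon log in order so the kernel's "no key association found for spi 51784970" line can be correlated with the later "IPsec-SA established ... spi=51784970" line, and captures the "such policy does not already exist" error. The sample input is copied from the logs in this post with mail-wrapped lines re-joined; the "legacy crypto" thresholds and the finding codes are the example's own assumptions.

```python
# Triage an IKEv1 XAuth/mode-config negotiation from a Shrew Soft client log and a
# racoon (ipsec-tools) log. Added example, not Shrew Soft or ipsec-tools code.
import ipaddress
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the two logs in the post above (mail-wrapped
# lines re-joined), trimmed to the ones the triage looks at.
CLIENT_LOG = """\
ii : - cipher type  = 3des
ii : - hash type    = md5
ii : - dh group     = modp-1024
ii : - IP4 Address = 10.1.202.0
ii : - IP4 Netmask = 255.255.255.0
"""

RACOON_LOG = """\
Aug 10 10:15:08 cow racoon: INFO: ISAKMP-SA established 10.1.101.26[500]-10.1.200.165[500] spi:a46096a2a59b67e9:458425255c2ae9d0
Aug 10 10:15:08 cow racoon: INFO: login succeeded for user "rocky"
Aug 10 10:15:22 cow racoon: INFO: no policy found, try to generate the policy : 10.1.202.0/32[0] 0.0.0.0/0[0] proto=any dir=in
Aug 10 10:15:23 cow /netbsd: IPv4 ESP input: no key association found for spi 51784970
Aug 10 10:15:23 cow racoon: INFO: IPsec-SA established: ESP/Tunnel 10.1.200.165[0]->10.1.101.26[0] spi=51784970(0x3162d0a)
Aug 10 10:15:23 cow racoon: INFO: IPsec-SA established: ESP/Tunnel 10.1.101.26[0]->10.1.200.165[0] spi=470638116(0x1c0d5e24)
Aug 10 10:15:23 cow racoon: ERROR: such policy does not already exist: "10.1.202.0/32[0] 0.0.0.0/0[0] proto=any dir=in"
"""

_KV = re.compile(r"^ii : - ([A-Za-z0-9 ]+?)\s*=\s*(.+?)\s*$")
_RE_SA = re.compile(r"IPsec-SA established: .* spi=(\d+)\(0x[0-9a-f]+\)")
_RE_NOKEY = re.compile(r"no key association found for spi (\d+)")
_RE_XAUTH = re.compile(r'login succeeded for user "([^"]+)"')
_RE_POLICY = re.compile(r'ERROR: such policy does not already exist: "([^"]+)"')

def parse_client_log(text: str) -> dict[str, str]:
    """Collect the 'ii : - key = value' lines (phase 1 proposal and mode-config reply)."""
    attrs = {}
    for line in text.splitlines():
        if m := _KV.match(line):
            attrs[m.group(1)] = m.group(2)
    return attrs

@dataclass
class RacoonEvents:
    phase1_established: bool = False
    xauth_users: list[str] = field(default_factory=list)
    established_spis: set[int] = field(default_factory=set)
    unknown_spis: list[int] = field(default_factory=list)        # kernel had no SA for the SPI
    spi_seen_before_sa: list[int] = field(default_factory=list)  # ...and the SA came later, or never
    policy_errors: list[str] = field(default_factory=list)

def parse_racoon_log(text: str) -> RacoonEvents:
    """Walk the racoon log in order so ESP-vs-SA timing can be correlated."""
    ev = RacoonEvents()
    for line in text.splitlines():
        if "ISAKMP-SA established" in line:
            ev.phase1_established = True
        if m := _RE_XAUTH.search(line):
            ev.xauth_users.append(m.group(1))
        if m := _RE_NOKEY.search(line):
            spi = int(m.group(1))
            ev.unknown_spis.append(spi)
            if spi not in ev.established_spis:
                ev.spi_seen_before_sa.append(spi)
        if m := _RE_SA.search(line):
            ev.established_spis.add(int(m.group(1)))
        if m := _RE_POLICY.search(line):
            ev.policy_errors.append(m.group(1))
    return ev

# Assumed review thresholds: DES/3DES, MD5/SHA-1 and DH groups under 2048 bits are flagged.
LEGACY_CIPHERS = {"des", "3des"}
LEGACY_HASHES = {"md5", "sha1"}

def triage(client: dict[str, str], racoon: RacoonEvents) -> list[tuple[str, str]]:
    """Return (code, detail) findings; order follows the negotiation (phase 1, config, ESP, SPD)."""
    out = []
    cipher, hsh, dh = client.get("cipher type"), client.get("hash type"), client.get("dh group", "")
    bits = re.search(r"modp-?(\d+)", dh)
    if cipher in LEGACY_CIPHERS or hsh in LEGACY_HASHES or (bits and int(bits.group(1)) < 2048):
        out.append(("LEGACY_CRYPTO", f"phase1 proposal {cipher}/{hsh}/{dh}"))
    addr, mask = client.get("IP4 Address"), client.get("IP4 Netmask")
    if addr and mask:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if ipaddress.ip_address(addr) == net.network_address:
            out.append(("NETWORK_ADDRESS", f"assigned {addr} is the network address of {net}"))
    for spi in racoon.spi_seen_before_sa:
        if spi in racoon.established_spis:
            out.append(("ESP_BEFORE_SA", f"ESP for spi 0x{spi:x} arrived before its SA was logged"))
        else:
            out.append(("UNKNOWN_SPI", f"ESP for spi 0x{spi:x} never matched an established SA"))
    for pol in racoon.policy_errors:
        out.append(("POLICY_ERROR", f"racoon could not install generated policy: {pol}"))
    return out

if __name__ == "__main__":
    for code, detail in triage(parse_client_log(CLIENT_LOG), parse_racoon_log(RACOON_LOG)):
        print(f"{code:16} {detail}")
```

Run as-is it reports four findings for this post: the 3DES/MD5/modp-1024 phase 1 proposal, the assigned address 10.1.202.0 being the network address of the /24 it came with (the ipconfig output above also lists it as its own default gateway), an ESP packet for SPI 0x3162d0a reaching the kernel before racoon logged that SA, and the failed policy install. It reports what the logs show; it does not decide which of these is why traffic is not routed.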

