[vpn-help] -12 against ipsec-tools 0.6.6

Brian Jones brian at boku.net
Thu Aug 10 13:12:02 CDT 2006


With the same test, doing "route add 0.0.0.0 mask 0.0.0.0 10.1.202.2 metric 20" on windows sent all my packets over the tunnel.

With the Cisco client it adds this route by default:
Network Destination        Netmask          Gateway       Interface  Metric
 0.0.0.0          0.0.0.0       10.1.202.2      10.1.202.2       1
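
As an added illustration (not part of either message in this thread, and not Shrew Soft code), the following Python script replays Windows' IPv4 route selection over the `route print` table quoted from Peter's message below: the most specific prefix wins, and among equally specific routes the lowest metric wins. It shows why the Shrew Soft default route at metric 30 loses to the physical default at metric 21, so packets never enter the tunnel, and why re-adding the tunnel default at a lower metric (Brian's `route add` with metric 20, or the Cisco client's metric 1; here with Peter's tunnel address 10.1.202.1 instead of Brian's 10.1.202.2) makes the tunnel win. The destination 192.0.2.10 is a constructed documentation address, and the `tunnel_if` parameter is an assumption of this example, since Windows derives the interface from the gateway itself.

```python
# Added example: simulate Windows IPv4 route selection (longest prefix
# match, then lowest metric) over the `route print` table from Peter's
# message. Not part of the Shrew Soft client or either poster's message.
import ipaddress
from typing import List, NamedTuple


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


# Active Routes section copied from the `route print` output in the thread.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.1.200.254    10.1.200.165       21
          0.0.0.0          0.0.0.0       10.1.202.1      10.1.202.1       30
      10.1.101.26  255.255.255.255     10.1.200.254    10.1.200.165       20
       10.1.200.0    255.255.255.0     10.1.200.165    10.1.200.165       20
     10.1.200.165  255.255.255.255        127.0.0.1       127.0.0.1       20
       10.1.202.0    255.255.255.0       10.1.202.1      10.1.202.1       30
       10.1.202.1  255.255.255.255        127.0.0.1       127.0.0.1       30
   10.255.255.255  255.255.255.255     10.1.200.165    10.1.200.165       20
   10.255.255.255  255.255.255.255       10.1.202.1      10.1.202.1       30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0     10.1.200.165    10.1.200.165       20
        224.0.0.0        240.0.0.0       10.1.202.1      10.1.202.1       30
  255.255.255.255  255.255.255.255     10.1.200.165    10.1.200.165       1
  255.255.255.255  255.255.255.255       10.1.202.1      10.1.202.1       1
Default Gateway:      10.1.200.254
"""


def parse_route_print(text: str) -> List[Route]:
    """Parse the Active Routes table of Windows `route print` output."""
    routes = []
    in_table = False
    for line in text.splitlines():
        cols = line.split()
        if cols[:2] == ["Network", "Destination"]:
            in_table = True
            continue
        if not in_table:
            continue
        if len(cols) != 5:
            break  # "Default Gateway:" marks the end of the table
        dest, mask, gateway, iface, metric = cols
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(network, gateway, iface, int(metric)))
    return routes


def select_route(routes: List[Route], dst: str) -> Route:
    """Pick the route Windows would use: most specific prefix first,
    lowest metric among equally specific routes."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def add_default_route(routes: List[Route], gateway: str, metric: int,
                      tunnel_if: str) -> List[Route]:
    """Model `route add 0.0.0.0 mask 0.0.0.0 <gateway> metric <metric>`.
    tunnel_if is an assumed parameter of this example: the interface
    address the route is bound to (Windows derives it from the gateway)."""
    default = ipaddress.IPv4Network("0.0.0.0/0")
    return routes + [Route(default, gateway, tunnel_if, metric)]


def uses_tunnel(routes: List[Route], dst: str,
                tunnel_if: str = "10.1.202.1") -> bool:
    """True when traffic to dst leaves via the Shrew Soft virtual adapter."""
    return select_route(routes, dst).interface == tunnel_if


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    dst = "192.0.2.10"  # constructed destination beyond both local networks
    print("as printed:", select_route(table, dst), uses_tunnel(table, dst))
    fixed = add_default_route(table, "10.1.202.1", 20, "10.1.202.1")
    print("metric 20 :", select_route(fixed, dst), uses_tunnel(fixed, dst))
```

Two things worth reading off the quoted output with this in hand: the physical default sits at 21 while its sibling routes sit at 20, which matches the daemon's "re-costed existing default route" line, but the virtual adapter's routes all carry 30, so the re-costing never makes the tunnel preferable. And the daemon asked for an "IP4 Split Network Include List" but the config reply only carried address, netmask, DNS and WINS, so the client fell back to a catch-all 0.0.0.0/0 tunnel route; a lower-metric default route therefore sends all traffic, not just the peer networks, through the VPN.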

-----Original Message-----
From: vpn-help-bounces at lists.shrew.net
[mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Peter Eisch
Sent: Thursday, August 10, 2006 12:46 PM
To: 'Matthew Grooms'
Cc: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] -12 against ipsec-tools 0.6.6


No difference.  The pool is now like you describe in mode_cfg.  This is the
first/only client connected to it.  The Network tab in the client shows:

Packets Sent: 1
Packets Received: 0
Bytes Sent: 40
Bytes Received: 0
Connected
...
IKE | ESP
1 Established

Check out the metric in the 'route print' below...

C:\Documents and Settings\peter>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : kids-41f5c3e72d
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : visionshareinc.com

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : visionshareinc.com
        Description . . . . . . . . . . . : CNet PRO200WL PCI Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-08-A1-04-4E-06
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.200.165
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.200.254
        DHCP Server . . . . . . . . . . . : 10.1.200.254
        DNS Servers . . . . . . . . . . . : 10.1.100.126
        Primary WINS Server . . . . . . . : 10.1.100.126
        Lease Obtained. . . . . . . . . . : Thursday, August 10, 2006 12:16:49 PM
        Lease Expires . . . . . . . . . . : Friday, August 11, 2006 12:16:49 AM

Ethernet adapter {D4BE1643-E7E7-4D9D-9D72-48958AB6024E}:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Shrew Soft Virtual Adapter - Packet Scheduler Miniport
        Physical Address. . . . . . . . . : AA-AA-AA-AA-AA-00
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.202.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.202.1
        DHCP Server . . . . . . . . . . . : 10.1.101.26
        DNS Servers . . . . . . . . . . . : 10.1.100.126
        Primary WINS Server . . . . . . . : 10.1.100.126
        Lease Obtained. . . . . . . . . . : Thursday, August 10, 2006 12:40:14 PM
        Lease Expires . . . . . . . . . . : Thursday, August 10, 2006 12:50:14 PM

C:\Documents and Settings\peter>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 08 a1 04 4e 06 ...... CNet PRO200WL PCI Fast Ethernet Adapter - Packet Scheduler Miniport
0x10004 ...aa aa aa aa aa 00 ...... Shrew Soft Virtual Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.1.200.254    10.1.200.165       21
          0.0.0.0          0.0.0.0       10.1.202.1      10.1.202.1       30
      10.1.101.26  255.255.255.255     10.1.200.254    10.1.200.165       20
       10.1.200.0    255.255.255.0     10.1.200.165    10.1.200.165       20
     10.1.200.165  255.255.255.255        127.0.0.1       127.0.0.1       20
       10.1.202.0    255.255.255.0       10.1.202.1      10.1.202.1       30
       10.1.202.1  255.255.255.255        127.0.0.1       127.0.0.1       30
   10.255.255.255  255.255.255.255     10.1.200.165    10.1.200.165       20
   10.255.255.255  255.255.255.255       10.1.202.1      10.1.202.1       30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0     10.1.200.165    10.1.200.165       20
        224.0.0.0        240.0.0.0       10.1.202.1      10.1.202.1       30
  255.255.255.255  255.255.255.255     10.1.200.165    10.1.200.165       1
  255.255.255.255  255.255.255.255       10.1.202.1      10.1.202.1       1
Default Gateway:      10.1.200.254
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\peter>

## : IPSEC Daemon, Aug  9 2006
## : Copyright 2005 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8a 11 Oct 2005
ii : opened 'dump-prv.cap'
ii : rebuilding interface list ...
ii : interface IP=10.1.200.165, MTU=1500 active
ii : 1 adapter(s) active
ii : client ctrl thread begin ...
DB : tunnel added
DB : tunnel dereferenced ( ref count = 0, tunnel count = 1 )
ii : peer config message received
DB : ipsec peer not found
ii : local address selected for peer
ii : 10.1.200.165 ( CNet PRO200WL PCI Fast Ethernet Adapter - Packet Scheduler Miniport )
ii : user credentials message received
ii : client keyfile message received
ii : '\Documents and Settings\peter\Desktop\certs\ca.crt' loaded
ii : tunnel enable message received
DB : new phase1 sa ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 10.1.200.165:500 <-> 10.1.101.26:500
DB : 8e5261528e5f517a:0000000000000000
DB : phase1 sa added
>> : security association payload
>> : key exchange payload
>> : nonce payload
>> : identification payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
-> : send IKE packet to 10.1.101.26:500 ( 344 bytes )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
ii : vnet inf 'C:\Program Files\ShrewSoft\VPN Client\drivers\virtualnet.inf'
<- : recv IKE packet from 10.1.101.26:500 ( 548 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 548 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 548 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 396 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, processing complete packet
<< : security association payload
ii : matched phase1 proposal
ii : - protocol     = isakmp
ii : - transform    = ike
ii : - key length   = default
ii : - cipher type  = 3des
ii : - hash type    = md5
ii : - dh group     = modp-1024
ii : - auth type    = hybrid-initiator-rsa
ii : - life seconds = 86400
ii : - life kbytes  = 0
<< : key exchange payload
<< : nonce payload
<< : identification payload
<< : certificate payload
<< : signature payload
<< : vendor id payload
ii : peer supports XAUTH
<< : vendor id payload
ii : peer supports UNITY
<< : cert request payload
<< : vendor id payload
ii : peer supports NAT-T RFC
<< : nat discovery payload
<< : nat discovery payload
== : DH shared secret ( 128 bytes )
== : SETKEYID ( 16 bytes )
== : SETKEYID_d ( 16 bytes )
== : SETKEYID_a ( 16 bytes )
== : SETKEYID_e ( 16 bytes )
== : cipher key ( 32 bytes )
== : cipher iv ( 8 bytes )
== : phase1 hash_i ( computed ) ( 16 bytes )
>> : hash payload
>> : nat discovery payload
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 68 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 68 bytes )
ii : unable to get certificate CRL(3) at depth:0
ii : subject :/C=US/ST=Minnesota/L=Minneapolis/O=VisionShare, Inc./OU=Managed Services/CN=cow.visionshareinc.com/emailAddress=peter.eisch at visionshareinc.com
ii : unable to get certificate CRL(3) at depth:1
ii : subject :/C=US/ST=Minnesota/L=Minneapolis/O=VisionShare, Inc./OU=Managed Services/CN=vpnca.visionshareinc.com/emailAddress=peter.eisch at visionshareinc.com
== : phase1 hash_r ( computed ) ( 16 bytes )
== : phase1 hash_r ( received ) ( 16 bytes )
II | phase1 sa established
II | 10.1.200.165:500 <-> 10.1.101.26:500
II | 8e5261528e5f517a:c6856e171964cc7e
>> : hash payload
>> : notification payload
== : new informational hash ( 16 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 76 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 76 bytes )
II | sent peer notification, INITIAL-CONTACT
II | 10.1.200.165 -> 10.1.101.26
II | isakmp spi = 8e5261528e5f517a:c6856e171964cc7e
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 76 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : config not found
DB : config added
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 76 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : attribute payload
ii : received xauth request
>> : hash payload
>> : attribute payload
== : new configure hash ( 16 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 84 bytes )
DB : config dereferenced ( ref count = 0, config count = 1 )
ii : sent xauth reply with 'rocky' credentials
DB : config deleted
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 68 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : config not found
DB : config added
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 68 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : attribute payload
ii : received xauth result
ii : user authentication succeeded
>> : hash payload
>> : attribute payload
== : new configure hash ( 16 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 56 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 60 bytes )
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : config added
== : new phase2 iv ( 8 bytes )
ii : determining required modecfg attributes
ii : - IP4 Address
ii : - IP4 Netamask
ii : - IP4 DNS Server
ii : - IP4 DNS Suffix
ii : - Split DNS Domains
ii : - IP4 WINS Server
ii : - IP4 Split Network Include List
ii : - IP4 Split Network Exclude List
ii : sending isakmp config request
>> : hash payload
>> : attribute payload
== : new configure hash ( 16 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 88 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 92 bytes )
DB : config dereferenced ( ref count = 0, config count = 2 )
DB : config deleted
DB : tunnel dereferenced ( ref count = 3, tunnel count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 92 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : config found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 92 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : attribute payload
ii : received isakmp config reply
ii : - IP4 Address = 10.1.202.1
ii : - IP4 Netmask = 255.255.255.0
ii : - IP4 DNS Server = 10.1.100.126
ii : - IP4 WINS Server = 10.1.100.126
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : config deleted
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
ii : created vnet device 'ROOT\VNET\0000'
ii : client recv thread begin ...
ii : re-costed existing default route
DB : phase1 sa found
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
ii : inspecting VNet DHCP packet ...
ii : - message type DHCP discover
ii : responding to VNet DHCP packet ...
ii : - message type DHCP offer
ii : inspecting VNet DHCP packet ...
ii : - message type DHCP request
ii : responding to VNet DHCP packet ...
ii : - message type DHCP acknowledge
ii : added host route for remote peer
ii : inspecting VNet ARP request ...
ii : inspecting VNet ARP request ...
ii : inspecting VNet ARP request ...
DB : phase2 sa not found
DB : phase2 sa not found
DB : phase1 sa found
DB : new phase2 sa ( IPSEC initiator )
DB : phase2 sa added
== : new phase2 iv ( 8 bytes )
>> : hash payload
>> : security association payload
>> : nonce payload
>> : key exchange payload
>> : identification payload
>> : identification payload
== : phase2 hash_i ( computed ) ( 16 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 288 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 292 bytes )
ii : rebuilding interface list ...
ii : interface IP=10.1.202.1, MTU=1500 active
ii : interface IP=10.1.200.165, MTU=1500 active
ii : 2 adapter(s) active
DB : phase2 sa dereferenced ( ref count = 0, phase2 count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
ii | outbound packet has been queued
ii | no mature sa found for 10.1.202.1 -> 224.0.0.22
<- : recv IKE packet from 10.1.101.26:500 ( 292 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : phase2 sa found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 292 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : security association payload
ii : matched phase2 proposal
ii : - protocol     = ipsec-esp
ii : - encap mode   = tunnel
ii : - transform    = esp-3des
ii : - key length   = default
ii : - auth type    = hmac-md5
ii : - pfs dh group = modp-1024
ii : - life seconds = 3600
ii : - life kbytes  = 0
<< : nonce payload
<< : key exchange payload
<< : identification payload
<< : identification payload
== : phase2 hash_r ( computed ) ( 16 bytes )
== : phase2 hash_r ( received ) ( 16 bytes )
II | phase2 sa established
II | 10.1.200.165:500 <-> 10.1.101.26:500
II | outbound spi = 0x0592d70a
II | inbound  spi = 0x1c0d5e24
== : pfs dh shared secret ( 128 bytes )
== : inbound spi key data ( 48 bytes )
== : outbound spi key data ( 48 bytes )
ii | outbound packet has been de-queued
-> : send ESP packet to 10.1.101.26 ( 76 bytes )
== : phase2 hash_p ( computed ) ( 16 bytes )
>> : hash payload
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 48 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to 10.1.101.26:500 ( 52 bytes )
DB : phase2 sa dereferenced ( ref count = 0, phase2 count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
ii : - address 224.0.0.22 to network 0.0.0.0/0.0.0.0, match
DB : phase2 sa found
-> : send ESP packet to 10.1.101.26 ( 76 bytes )
DB : phase2 sa dereferenced ( ref count = 0, phase2 count = 1 ) 


_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help