[vpn-help] -12 against ipsec-tools 0.6.6

Peter Eisch peter at boku.net
Thu Jul 27 12:49:37 CDT 2006


 

> -----Original Message-----
> From: Matthew Grooms [mailto:mgrooms at shrew.net] 
> Sent: Thursday, July 27, 2006 11:08 AM
> To: Peter Eisch
> Cc: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] -12 against ipsec-tools 0.6.6
> 
> Peter Eisch wrote:
> > This is closer.  We get the ISAKMP config from the server
> > (10.1.202.0/24, etc.) but it doesn't seem to get ack'd.  The server
> > never adds the SA entries, nor does the client seem to.  At this point
> > we just wither and all the routing still goes out the "normal" path.
> > (Again: Hybrid 3des/md5/dh group 2; 3des/md5/pf 2.  Server config has
> > not changed, client config attached.)
> > 
> 
> It looks like its working properly. The problem appears to be 
> that the client is configured to request a split network list ...
> 
> > ii : determining required modecfg attributes
> > ii : - IP4 Address
> > ii : - IP4 Netamask
> > ii : - IP4 DNS Server
> > ii : - IP4 DNS Suffix
> > ii : - Split DNS Domains
> > ii : - IP4 WINS Server
> > ii : - IP4 Split Network Include List
> > ii : - IP4 Split Network Exclude List
> > ii : sending isakmp config request
> 
> .... but none are being returned ...
> 
> > ii : received isakmp config reply
> > ii : - IP4 Address = 10.1.202.0
> > ii : - IP4 Netmask = 255.255.255.0
> > ii : - IP4 DNS Server = 10.1.100.126
> > ii : - IP4 WINS Server = 10.1.100.126
> 
> ... I probably need to add a check for this and spit a 
> warning out in the client feedback window.
> 
> The problem is most likely due to no split network 
> configuration being defined in your modecfg section ...
> 
> mode_cfg {
>          network4 10.1.202.0;
>          pool_size 255;
>          netmask4 255.255.255.0;
>          auth_source system;
>          dns4 10.1.100.126;
>          wins4 10.1.100.126;
> #	default_domain "visionshareinc.com";
>          banner "/etc/racoon/motd";
>          pfs_group 2;
> }
> 
> ... If you are attempting to access the 10.1.100.0/24 
> network, you need to add a statement to your modecfg section 
> like so ...
> 
> split_network include 10.1.100.0/24;
> 

How about I go a little different direction and put the server on a different
LAN where no servers linger?  I moved it to 10.1.101.26.  All other
config/environment information remains the same.

> ... The alternative is to configure the client to force all 
> traffic across the tunnel. However, configuring split 
> tunneling is the recommended method of configuration. The 
> cisco client was probably working because it defaults to 
> forcing all traffic if no split network config is returned. 
> Please let me know how this works out for you.
> 

The cisco client removes the default gateway from the ethernet interface.
With the shrew client:

C:\Documents and Settings\peisch>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : merom
        Primary Dns Suffix  . . . . . . . : VSI
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : VSI
                                            visionshareinc.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : visionshareinc.com
        Description . . . . . . . . . . . : Realtek RTL8029(AS) PCI Ethernet Adapter
        Physical Address. . . . . . . . . : 00-BF-1C-5F-0C-6D
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.200.170
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.200.254
        DHCP Server . . . . . . . . . . . : 10.1.200.254
        DNS Servers . . . . . . . . . . . : 10.1.100.126
        Primary WINS Server . . . . . . . : 10.1.100.126
        Lease Obtained. . . . . . . . . . : Thursday, July 27, 2006 9:25:28 AM
        Lease Expires . . . . . . . . . . : Thursday, July 27, 2006 9:25:28 PM

Ethernet adapter {901E94FB-B991-43ED-94C5-5F5008CB13E2}:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Shrew Soft Virtual Adapter - Packet Scheduler Miniport
        Physical Address. . . . . . . . . : AA-AA-AA-AA-AA-00
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.202.0
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 10.1.101.26
        DNS Servers . . . . . . . . . . . : 10.1.100.126
        Primary WINS Server . . . . . . . : 10.1.100.126
        Lease Obtained. . . . . . . . . . : Thursday, July 27, 2006 11:29:51 AM
        Lease Expires . . . . . . . . . . : Thursday, July 27, 2006 11:39:51 AM

C:\Documents and Settings\peisch>

It keeps the def gw on the ethernet.  Is this intentional?  Again, the
server never logs the requisite:

ERROR: such policy does not already exist: .....

Log of the connect is below.

> Also, if you have a chance, I would be interested to hear if 
> the client still works with the ca.crt moved back to the 
> original location or if it was the updated client that fixed 
> the problem.
> 

Yes, this is fixed.


Current log of a hybrid connection:

## : IPSEC Daemon, Jul 26 2006
## : Copyright 2005 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8a 11 Oct 2005
ii : rebuilding interface list ...
ii : interface IP=10.1.200.170, MTU=1500 active
ii : 1 adapter(s) active
ii : client ctrl thread begin ...
DB : tunnel added
DB : tunnel dereferenced ( ref count = 0, tunnel count = 1 )
ii : peer config message received
DB : ipsec peer not found
ii : local address selected for peer
ii : 10.1.200.170 ( Realtek RTL8029(AS) PCI Ethernet Adapter - Packet Scheduler Miniport )
ii : user credentials message received
ii : client keyfile message received
ii : '\Documents and Settings\peisch\Desktop\certs\ca.crt' loaded
ii : tunnel enable message received
DB : new phase1 sa ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 10.1.200.170:500 <-> 10.1.101.26:500
DB : 004c7fce9ea80e7f:0000000000000000
DB : phase1 sa added
>> : security association payload
>> : key exchange payload
>> : nonce payload
>> : identification payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
-> : send IKE packet to 10.1.101.26:500 ( 344 bytes ) = 
0x : 004c7fce 9ea80e7f 00000000 00000000 01100400 00000000 00000158 04000038
0x : 00000001 00000001 0000002c 01010001 00000024 01010000 80010005 80020001
0x : 80040002 8003fadd 800b0001 000c0004 00015180 0a000084 b3571603 cad48a32
0x : b8da302e 3165a2c9 d8605bff 46d27363 446b739a 0a6303fa 09915d85 f5a94359
0x : c7b9425a 65e65bee 15332aac 4b29d642 e8a39718 ae4f4054 86e3555d fb8b6918
0x : e0d6c567 86864662 8be902fa ae042a0e 179a7c55 9bae1693 7e2c20ea c578f756
0x : 1edd2c4c 04d362ba 8b1ac232 a2b0cfc9 30d107bc 99bdefd4 05000018 b235486b
0x : 5f1d0321 c68a0e44 cd5f15e2 1f27c402 0d000008 09000000 0d000014 12f5f28c
0x : 457168a9 702d9fe2 74cc0100 0d00000c 09002689 dfd6b712 0d000014 90cb8091
0x : 3ebb696e 086381b5 ec427b1f 0d000014 4a131c81 07035845 5c5728f2 0e95452f
0x : 00000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
ii : vnet inf 'C:\Program Files\ShrewSoft\VPN Client\drivers\virtualnet.inf'
<- : recv IKE packet from 10.1.101.26:500 ( 548 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 84100400 00000000 00000224 00000208
0x : 00010100 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 01100400 00000000 00000768
0x : 04000038 00000001 00000001 0000002c 01010001 00000024 01010000 80010005
0x : 80020001 80040002 8003fadd 800b0001 000c0004 00015180 0a000084 d3c7210c
0x : 99835369 6c5a0d87 5de125a2 c23537aa 96b8b293 e2901c2f c07f12d0 a2be7802
0x : a34006b5 83c2ce40 c9832f06 037c8b7c a3ab417c b6279daa da736320 f025b9f0
0x : 787b95ab b0546670 7994c94f edbc7139 31cbd668 999b126a db5eca3f 192fbc6d
0x : c105e68b b6929ac6 b30753e7 aafe28be 3a78e302 17d5eba6 8ffc55fb 05000014
0x : f7d904cf e576a626 935355f4 07464818 060000c9 09000000 3081be31 0b300906
0x : 03550406 13025553 31123010 06035504 0813094d 696e6e65 736f7461 31143012
0x : 06035504 07130b4d 696e6e65 61706f6c 6973311a 30180603 55040a13 11566973
0x : 696f6e53 68617265 2c20496e 632e3119 30170603 55040b13 104d616e 61676564
0x : 20536572 76696365 73311f30 1d060355 04031316 636f772e 76697369 6f6e7368
0x : 61726569 6e632e63 6f6d312d 302b0609 2a864886 f70d0109 01161e70 65746572
0x : 2e656973 63684076 6973696f 6e736861 7265696e 632e636f 6d090004 ce043082
0x : 04c53082 03ada003 02010202 0100300d 06092a86 4886f70d 01010405 003081c0
0x : 310b3009 06035504 06130255 53311230 10060355 04081309 4d696e6e 65736f74
0x : 61311430
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 548 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 84100400 00000000 00000224 00000208
0x : 00010200 12060355 0407130b 4d696e6e 6561706f 6c697331 1a301806 0355040a
0x : 13115669 73696f6e 53686172 652c2049 6e632e31 19301706 0355040b 13104d61
0x : 6e616765 64205365 72766963 65733121 301f0603 55040313 1876706e 63612e76
0x : 6973696f 6e736861 7265696e 632e636f 6d312d30 2b06092a 864886f7 0d010901
0x : 161e7065 7465722e 65697363 68407669 73696f6e 73686172 65696e63 2e636f6d
0x : 301e170d 30363037 32353134 34343030 5a170d30 38313030 32313434 3430305a
0x : 3081be31 0b300906 03550406 13025553 31123010 06035504 0813094d 696e6e65
0x : 736f7461 31143012 06035504 07130b4d 696e6e65 61706f6c 6973311a 30180603
0x : 55040a13 11566973 696f6e53 68617265 2c20496e 632e3119 30170603 55040b13
0x : 104d616e 61676564 20536572 76696365 73311f30 1d060355 04031316 636f772e
0x : 76697369 6f6e7368 61726569 6e632e63 6f6d312d 302b0609 2a864886 f70d0109
0x : 01161e70 65746572 2e656973 63684076 6973696f 6e736861 7265696e 632e636f
0x : 6d30819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 8100b2cc
0x : 8ce039fd d0c2fdb9 78711471 55f74801 136f3132 97a902db d9fe4a9e 6bd962b9
0x : 482e3b61 66a678c0 4c0aeea1 008570ae 22f66d12 d2aadce1 e2897553 5b68d0b2
0x : f526685d 015b1c94 87400e9e 6ac6f3b1 e2206ebd 34491354 ee77be23 cf40cc89
0x : 4c09b9ad
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 548 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 84100400 00000000 00000224 00000208
0x : 00010300 12ba2bea 0bdc11c1 5f233d95 2e3cc46c b3486110 d13b8cdf 4f450203
0x : 010001a3 82014c30 82014830 09060355 1d130402 3000302c 06096086 480186f8
0x : 42010d04 1f161d4f 70656e53 534c2047 656e6572 61746564 20436572 74696669
0x : 63617465 301d0603 551d0e04 16041422 a34c4b79 ad1af1ed c0f28a27 acea5378
0x : 56479d30 81ed0603 551d2304 81e53081 e2801485 ce35c882 035a3bef 4712c789
0x : ba3502bc 747f0ba1 81c6a481 c33081c0 310b3009 06035504 06130255 53311230
0x : 10060355 04081309 4d696e6e 65736f74 61311430 12060355 0407130b 4d696e6e
0x : 6561706f 6c697331 1a301806 0355040a 13115669 73696f6e 53686172 652c2049
0x : 6e632e31 19301706 0355040b 13104d61 6e616765 64205365 72766963 65733121
0x : 301f0603 55040313 1876706e 63612e76 6973696f 6e736861 7265696e 632e636f
0x : 6d312d30 2b06092a 864886f7 0d010901 161e7065 7465722e 65697363 68407669
0x : 73696f6e 73686172 65696e63 2e636f6d 82010030 0d06092a 864886f7 0d010104
0x : 05000382 01010031 db0702f8 970004e5 f98858a4 ee09631f e7a6bda0 383e6826
0x : 933019b6 145ba11c c96bf589 144954d9 c6e789b3 9f36f5f2 21a46c2f 9ff25b32
0x : ff41a738 82150233 244f3829 df0d80b7 55e7d145 939c1ca7 ad9b868b 86ddef90
0x : 4372fc5e d7a2b839 780c6e7d 598fb9dc 7998f3f7 b496dbda 871baffe 1884f26b
0x : 25a4ddad
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 396 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 84100400 00000000 0000018c 00000170
0x : 00010401 703c8486 b3b7e928 24ca02c6 a8b087a5 4d4c64df f195d841 cb49c87b
0x : 448bc4df 9ddbaf95 5ade6728 ac548905 e463979c 23e99a73 3ad3f82a b80287fa
0x : 8318fb7d 8d051037 240a3760 1e746bc7 ea934963 e84c504c a877d650 aeebd24c
0x : 9df54cd2 6c785665 84393014 31dad71c 9a23d786 7646ecdc fbeafd56 c85c893a
0x : e159c30a 11b35d0d 0000849f af5b38c0 7517c1f8 1fce7716 c73a876f b719533d
0x : 9fe06d85 f9497bb3 c1dc1afc c94b8aa1 9acca3fa e9a6bd41 b7c26287 03cf5b08
0x : 26fe7be9 d11272bd 36405fd4 d6bc0a18 7ba68fa7 80e017b3 ad459787 2c5a671a
0x : 77711083 1b99b675 0d8e2692 288c013b 491a3b85 37dd3480 4aac1d9b f209894e
0x : 03e990e2 a905b665 a13e8f0d 00000c09 002689df d6b71207 00001412 f5f28c45
0x : 7168a970 2d9fe274 cc01000d 00000504 14000014 4a131c81 07035845 5c5728f2
0x : 0e95452f 14000014 cc183a08 8b240378 7c40165c 553e9edf 00000014 d3e105ae
0x : b4ab12c2 f1e6ce4f 46701fe4
DB : ipsec peer found
DB : phase1 sa found
<< : fragment payload
ii : ike fragment received, processing complete packet
<< : security association payload
ii : matched phase1 proposal
ii : - protocol     = isakmp
ii : - transform    = ike
ii : - key length   = default
ii : - cipher type  = 3des
ii : - hash type    = md5
ii : - dh group     = modp-1024
ii : - auth type    = hybrid-initiator-rsa
ii : - life seconds = 86400
ii : - life kbytes  = 0
<< : key exchange payload
<< : nonce payload
<< : identification payload
<< : certificate payload
<< : signature payload
<< : vendor id payload
ii : peer supports XAUTH
<< : vendor id payload
ii : peer supports UNITY
<< : cert request payload
<< : vendor id payload
ii : peer supports NAT-T RFC
<< : nat discovery payload
<< : nat discovery payload
== : DH shared secret ( 128 bytes ) = 
0x : dff677cc 79e15089 8ba273d9 a80f9d5e 117e09d4 3206e24c d00b835e 26c917fd
0x : 592e1009 c2e70816 a6de769c fff457bf bc28cfcb 4293be30 798aa46b 4ba2d6ed
0x : d1acf2b8 b3c954ea 303698b4 2c90defe 054541af 7d7992d3 18fa6650 d35195c5
0x : 1d554bb7 33335b42 7b9a4089 09eb0476 a3b17f63 f85acde9 859e0563 c4c2b9f9
== : SETKEYID ( 16 bytes ) = 
0x : a91a9a68 19b27de8 53b72fca 4490ddfd
== : SETKEYID_d ( 16 bytes ) = 
0x : 8fe581b2 eb58a9c2 64bde35c 0f3c993b
== : SETKEYID_a ( 16 bytes ) = 
0x : d916b9ef edad4dfa 874c6d47 a2cff65d
== : SETKEYID_e ( 16 bytes ) = 
0x : 84e64622 e37d8f78 36254870 e263a0d6
== : cipher key ( 32 bytes ) = 
0x : bd89b6d1 b407a722 7f79d391 5420436d 150aeb80 5976184d 67c824b3 f0125a38
== : cipher iv ( 8 bytes ) = 
0x : d151554e cd6044d5
== : phase1 hash_i ( computed ) ( 16 bytes ) = 
0x : 00050c79 3285bbb6 f2d936c4 f3eb6c23
>> : hash payload
>> : nat discovery payload
>= : encrypt iv ( 8 bytes ) = 
0x : d151554e cd6044d5
=> : encrypt packet ( 68 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100401 00000000 00000030 00000014
0x : 00050c79 3285bbb6 f2d936c4 f3eb6c23 00000014 cc183a08 8b240378 7c40165c
0x : 553e9edf
== : stored iv ( 8 bytes ) = 
0x : 719a998d c26c4dad
-> : send IKE packet to 10.1.101.26:500 ( 68 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100401 00000000 00000044 a1485b7f
0x : 12e59ee2 f1b068d8 39907b2b de4b6cb6 3162fd6e 0bf8d93b 42ccc097 719a998d
0x : c26c4dad
ii : unable to get certificate CRL(3) at depth:0
ii : subject :/C=US/ST=Minnesota/L=Minneapolis/O=VisionShare, Inc./OU=Managed Services/CN=cow.visionshareinc.com/emailAddress=peter.eisch at visionshareinc.com
ii : unable to get certificate CRL(3) at depth:1
ii : subject :/C=US/ST=Minnesota/L=Minneapolis/O=VisionShare, Inc./OU=Managed Services/CN=vpnca.visionshareinc.com/emailAddress=peter.eisch at visionshareinc.com
== : phase1 hash_r ( computed ) ( 16 bytes ) = 
0x : 6dff08af 721c75fe 16b255f2 b017c808
== : phase1 hash_r ( received ) ( 16 bytes ) = 
0x : 6dff08af 721c75fe 16b255f2 b017c808
II | phase1 sa established
II | 10.1.200.170:500 <-> 10.1.101.26:500
II | 4c7fce9ea80e7f:deb6e4a4d0fb36f3
>> : hash payload
>> : notification payload
== : new informational hash ( 16 bytes ) = 
0x : 876a9415 bf24c12f 7727e9a7 e772e674
== : new phase2 iv ( 8 bytes ) = 
0x : 7b9d1702 a0611a2a
>= : encrypt iv ( 8 bytes ) = 
0x : 7b9d1702 a0611a2a
=> : encrypt packet ( 76 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100501 84be2329 0000004c 0b000014
0x : 876a9415 bf24c12f 7727e9a7 e772e674 0000001c 00000001 01106002 004c7fce
0x : 9ea80e7f deb6e4a4 d0fb36f3
== : stored iv ( 8 bytes ) = 
0x : a3e8f1f5 c6fecafc
-> : send IKE packet to 10.1.101.26:500 ( 76 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100501 84be2329 0000004c 47f70f1b
0x : e3e1416e 9c3a0d57 0d9dc1ee a12450ed 887e5739 06ba8d44 0e2b3d98 dc6feb2b
0x : fec89f0f a3e8f1f5 c6fecafc
II | sent peer notification, INITIAL-CONTACT
II | 10.1.200.170 -> 10.1.101.26
II | isakmp spi = 004c7fce9ea80e7f:deb6e4a4d0fb36f3
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 76 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 8956de1c 0000004c b4c28967
0x : 5c451605 ea946cbf 5f80747c 0b521d0f 60ca9fdb eab10a4e 8b1847f3 078b93ee
0x : fc7a6db4 4148b674 cb221e5d
DB : ipsec peer found
DB : phase1 sa found
DB : config not found
DB : config added
== : new phase2 iv ( 8 bytes ) = 
0x : c35583e4 d8101cbe
=< : decrypt iv ( 8 bytes ) = 
0x : c35583e4 d8101cbe
<= : decrypt packet ( 76 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 8956de1c 0000004c 0e000014
0x : d70e02ed c189545e 6eceb6a5 bb1e60ff 00000014 0100daf5 c0880000 40890000
0x : 408a0000 a4909ea8 94b5aa07
== : stored iv ( 8 bytes ) = 
0x : 4148b674 cb221e5d
<< : hash payload
<< : attribute payload
ii : received xauth request
>> : hash payload
>> : attribute payload
== : new configure hash ( 16 bytes ) = 
0x : f2d87145 18e5e87e eeaf8788 072be16e
>= : encrypt iv ( 8 bytes ) = 
0x : 4148b674 cb221e5d
=> : encrypt packet ( 80 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 8956de1c 00000050 0e000014
0x : f2d87145 18e5e87e eeaf8788 072be16e 00000020 0200daf5 c0880000 40890005
0x : 726f636b 79408a00 07706574 65727077
== : stored iv ( 8 bytes ) = 
0x : 3ed9b273 159d6334
-> : send IKE packet to 10.1.101.26:500 ( 84 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 8956de1c 00000054 52152519
0x : 1817ce67 935dd6a4 48234ed3 b36bdce6 2d0bbc28 6fbb200e 9129c0f9 8de06ade
0x : 46fa2da0 3d4843cb 733e6bb5 3ed9b273 159d6334
DB : config dereferenced ( ref count = 0, config count = 1 )
ii : sent xauth reply with 'rocky' credentials
DB : config deleted
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 68 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 946b2867 00000044 d39e7d67
0x : 112637b6 b9a49a23 a0f696e0 4cbdbc57 207bea47 00178f17 99d71f6b 6c161635
0x : 94cd78b8
DB : ipsec peer found
DB : phase1 sa found
DB : config not found
DB : config added
== : new phase2 iv ( 8 bytes ) = 
0x : ab9934da b713562f
=< : decrypt iv ( 8 bytes ) = 
0x : ab9934da b713562f
<= : decrypt packet ( 68 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 946b2867 00000044 0e000014
0x : 282e2868 1ccbcbc1 d16381af 256c251f 0000000c 0300daf5 c08f0001 dceca2ea
0x : d698da07
== : stored iv ( 8 bytes ) = 
0x : 6c161635 94cd78b8
<< : hash payload
<< : attribute payload
ii : received xauth result
ii : user authentication succeeded
>> : hash payload
>> : attribute payload
== : new configure hash ( 16 bytes ) = 
0x : 99d1c929 8e873d17 b9935fcf a0848189
>= : encrypt iv ( 8 bytes ) = 
0x : 6c161635 94cd78b8
=> : encrypt packet ( 56 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 946b2867 00000038 0e000014
0x : 99d1c929 8e873d17 b9935fcf a0848189 00000008 0400daf5
== : stored iv ( 8 bytes ) = 
0x : 073e59ed 026a9405
-> : send IKE packet to 10.1.101.26:500 ( 60 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 946b2867 0000003c a5a788f3
0x : e61b30b4 5e043a18 dc99c5a0 51f3f56d 0a1e8546 073e59ed 026a9405
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : config added
== : new phase2 iv ( 8 bytes ) = 
0x : 2eb67106 59f1fabf
ii : determining required modecfg attributes
ii : - IP4 Address
ii : - IP4 Netamask
ii : - IP4 DNS Server
ii : - IP4 DNS Suffix
ii : - Split DNS Domains
ii : - IP4 WINS Server
ii : - IP4 Split Network Include List
ii : - IP4 Split Network Exclude List
ii : sending isakmp config request
>> : hash payload
>> : attribute payload
== : new configure hash ( 16 bytes ) = 
0x : 1c8cc28f 0c4055ff 7332e2e4 15042ea2
>= : encrypt iv ( 8 bytes ) = 
0x : 2eb67106 59f1fabf
=> : encrypt packet ( 88 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 aed66ce1 00000058 0e000014
0x : 1c8cc28f 0c4055ff 7332e2e4 15042ea2 00000028 01005290 00010000 00020000
0x : 00030000 70020000 70030000 00040000 70040000 70060000
== : stored iv ( 8 bytes ) = 
0x : 62d13380 aeec6073
-> : send IKE packet to 10.1.101.26:500 ( 92 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 aed66ce1 0000005c add39a24
0x : e05f31cc 3826fbd5 361c9dba 8185cdad a6fa2dd1 adf3f525 1c417a5e 77a9a172
0x : e5877d42 af1212ab 27ec7a87 66545adf e97c6cd7 62d13380 aeec6073
DB : config dereferenced ( ref count = 0, config count = 2 )
DB : config deleted
DB : tunnel dereferenced ( ref count = 3, tunnel count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
<- : recv IKE packet from 10.1.101.26:500 ( 92 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 aed66ce1 0000005c 694033e6
0x : a5009a5c 6030c0b7 96bdf306 005bbf3b 864c18be 9d9402f1 85bc0193 7b285921
0x : 8af47ca6 fded5129 39790967 cd318393 26b5944e 9a89214a 10dc9f2d
DB : ipsec peer found
DB : phase1 sa found
DB : config found
=< : decrypt iv ( 8 bytes ) = 
0x : 62d13380 aeec6073
<= : decrypt packet ( 92 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 aed66ce1 0000005c 0e000014
0x : ed3d9dfb 2615418c 9e6554fe 1b35866a 00000028 02005290 00010004 0a01ca01
0x : 00020004 ffffff00 00030004 0a01647e 00040004 0a01647e d08bef03
== : stored iv ( 8 bytes ) = 
0x : 9a89214a 10dc9f2d
<< : hash payload
<< : attribute payload
ii : received isakmp config reply
ii : - IP4 Address = 10.1.202.1
ii : - IP4 Netmask = 255.255.255.0
ii : - IP4 DNS Server = 10.1.100.126
ii : - IP4 WINS Server = 10.1.100.126
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
ii : created vnet device 'ROOT\VNET\0000'
ii : client recv thread begin ...
DB : phase1 sa found
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
ii : rebuilding interface list ...
ii : skipping interface with null address
ii : interface IP=10.1.200.170, MTU=1500 active
ii : 1 adapter(s) active
ii : resending ip packet
<- : recv IKE packet from 10.1.101.26:500 ( 92 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 aed66ce1 0000005c 694033e6
0x : a5009a5c 6030c0b7 96bdf306 005bbf3b 864c18be 9d9402f1 85bc0193 7b285921
0x : 8af47ca6 fded5129 39790967 cd318393 26b5944e 9ce02fbc 1826615f
DB : ipsec peer found
DB : phase1 sa found
DB : config found
=< : decrypt iv ( 8 bytes ) = 
0x : 9a89214a 10dc9f2d
<= : decrypt packet ( 92 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 aed66ce1 0000005c f65812de
0x : 530d62a5 2615418c 9e6554fe 1b35866a 00000028 02005290 00010004 0a01ca01
0x : 00020004 ffffff00 00030004 0a01647e 00040004 0a01647e bd87d503
== : stored iv ( 8 bytes ) = 
0x : 9ce02fbc 1826615f
<< : hash payload
!! : invalid hash size ( 4826 != 16 )
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
ii : inspecting VNet DHCP packet ...
ii : - xid    = 2425811848
ii : - secs   = 0
ii : - flags  = 0000
ii : - ciaddr = 0.0.0.0
ii : - yiaddr = 0.0.0.0
ii : - siaddr = 0.0.0.0
ii : - giaddr = 0.0.0.0
ii : - chaddr = aa:aa:aa:aa:aa:00
ii : - message type DHCP discover
ii : - unknown option ( 74 )
ii : - clientid, 7 bytes
ii : - hostname 'merom'
ii : - class/vendor id, 8 bytes ( ignored )
ii : - requested options
ii :   - subnet mask
ii :   - dns suffix
ii :   - default router
ii :   - dns server
ii :   - netbios name server
ii :   - netbios node type
ii :   - netbios over TCP scope
ii :   - perform router discover
ii :   - static routes
!! :   - unknown option ( f9 )
ii :   - vendor specific data
ii : responding to VNet DHCP packet ...
ii : - xid    = 2425811848
ii : - secs   = 0
ii : - flags  = 0000
ii : - ciaddr = 0.0.0.0
ii : - yiaddr = 10.1.202.1
ii : - siaddr = 0.0.0.0
ii : - giaddr = 0.0.0.0
ii : - chaddr = aa:aa:aa:aa:aa:00
ii : - message type DHCP offer
ii : - server address 10.1.101.26
ii : - lease period 600 seconds
ii : - subnet mask 255.255.255.0
ii : - dns server 10.1.100.126
ii : - netbios name server 10.1.100.126
ii : inspecting VNet DHCP packet ...
ii : - xid    = 2425811848
ii : - secs   = 0
ii : - flags  = 0000
ii : - ciaddr = 0.0.0.0
ii : - yiaddr = 0.0.0.0
ii : - siaddr = 0.0.0.0
ii : - giaddr = 0.0.0.0
ii : - chaddr = aa:aa:aa:aa:aa:00
ii : - message type DHCP request
ii : - clientid, 7 bytes
ii : - unknown option ( 32 )
ii : - unknown option ( 36 )
ii : - hostname 'merom'
ii : - unknown option ( 51 )
ii : - class/vendor id, 8 bytes ( ignored )
ii : - requested options
ii :   - subnet mask
ii :   - dns suffix
ii :   - default router
ii :   - dns server
ii :   - netbios name server
ii :   - netbios node type
ii :   - netbios over TCP scope
ii :   - perform router discover
ii :   - static routes
!! :   - unknown option ( f9 )
ii :   - vendor specific data
ii : responding to VNet DHCP packet ...
ii : - xid    = 2425811848
ii : - secs   = 0
ii : - flags  = 0000
ii : - ciaddr = 0.0.0.0
ii : - yiaddr = 10.1.202.1
ii : - siaddr = 0.0.0.0
ii : - giaddr = 0.0.0.0
ii : - chaddr = aa:aa:aa:aa:aa:00
ii : - message type DHCP acknowledge
ii : - server address 10.1.101.26
ii : - lease period 600 seconds
ii : - subnet mask 255.255.255.0
ii : - dns server 10.1.100.126
ii : - netbios name server 10.1.100.126
ii : inspecting VNet ARP request ...
ii : inspecting VNet ARP request ...
ii : inspecting VNet ARP request ...
DB : phase2 sa not found
DB : phase2 sa not found
DB : phase1 sa found
XX | unable to process outbound packet
XX | no policy found for 10.1.202.1 -> 224.0.0.22
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
XX | unable to process outbound packet
XX | no mature sa found for 10.1.202.1 -> 224.0.0.22
DB : phase2 sa not found
DB : phase2 sa not found
DB : phase1 sa found
XX | unable to process outbound packet
XX | no policy found for 10.1.202.1 -> 224.0.0.22
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
XX | unable to process outbound packet
XX | no mature sa found for 10.1.202.1 -> 224.0.0.22
ii : rebuilding interface list ...
ii : interface IP=10.1.202.1, MTU=1500 active
ii : interface IP=10.1.200.170, MTU=1500 active
ii : 2 adapter(s) active
ii : resending ip packet
<- : recv IKE packet from 10.1.101.26:500 ( 92 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 aed66ce1 0000005c 694033e6
0x : a5009a5c 6030c0b7 96bdf306 005bbf3b 864c18be 9d9402f1 85bc0193 7b285921
0x : 8af47ca6 fded5129 39790967 cd318393 26b5944e f0d588d0 d26fa19d
DB : ipsec peer found
DB : phase1 sa found
DB : config found
=< : decrypt iv ( 8 bytes ) = 
0x : 9ce02fbc 1826615f
<= : decrypt packet ( 92 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 aed66ce1 0000005c f0311c28
0x : 5bf79cd7 2615418c 9e6554fe 1b35866a 00000028 02005290 00010004 0a01ca01
0x : 00020004 ffffff00 00030004 0a01647e 00040004 0a01647e b2ee8603
== : stored iv ( 8 bytes ) = 
0x : f0d588d0 d26fa19d
<< : hash payload
!! : invalid hash size ( 7204 != 16 )
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
ii : resending ip packet
<- : recv IKE packet from 10.1.101.26:500 ( 92 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 aed66ce1 0000005c 694033e6
0x : a5009a5c 6030c0b7 96bdf306 005bbf3b 864c18be 9d9402f1 85bc0193 7b285921
0x : 8af47ca6 fded5129 39790967 cd318393 26b5944e 6516bfcc 9d6c6b95
DB : ipsec peer found
DB : phase1 sa found
DB : config found
=< : decrypt iv ( 8 bytes ) = 
0x : f0d588d0 d26fa19d
<= : decrypt packet ( 92 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 aed66ce1 0000005c 9c04bb44
0x : 91be5c15 2615418c 9e6554fe 1b35866a 00000028 02005290 00010004 0a01ca01
0x : 00020004 ffffff00 00030004 0a01647e 00040004 0a01647e a2d8e203
== : stored iv ( 8 bytes ) = 
0x : 6516bfcc 9d6c6b95
<< : hash payload
!! : invalid hash size ( -17600 != 16 )
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
ii : resending ip packet
<- : recv IKE packet from 10.1.101.26:500 ( 92 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 aed66ce1 0000005c 694033e6
0x : a5009a5c 6030c0b7 96bdf306 005bbf3b 864c18be 9d9402f1 85bc0193 7b285921
0x : 8af47ca6 fded5129 39790967 cd318393 26b5944e 41db05c9 fb9f7d2a
DB : ipsec peer found
DB : phase1 sa found
DB : config found
=< : decrypt iv ( 8 bytes ) = 
0x : 6516bfcc 9d6c6b95
<= : decrypt packet ( 92 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100601 aed66ce1 0000005c 09c78c58
0x : debd961d 2615418c 9e6554fe 1b35866a 00000028 02005290 00010004 0a01ca01
0x : 00020004 ffffff00 00030004 0a01647e 00040004 0a01647e c59eab03
== : stored iv ( 8 bytes ) = 
0x : 41db05c9 fb9f7d2a
<< : hash payload
!! : invalid hash size ( -29612 != 16 )
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
ii : ip packet resend timed out
ii : tunnel enable message received
ii : bringing down tunnel ...
DB : removing all tunnel refrences
ii : client recv thread exit ...
DB : config deleted
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
>> : hash payload
>> : notification payload
== : new informational hash ( 16 bytes ) = 
0x : 3ed2b01c 29f74ea9 1d8d14c9 716fecfc
== : new phase2 iv ( 8 bytes ) = 
0x : cae74ea4 5ccd636e
>= : encrypt iv ( 8 bytes ) = 
0x : cae74ea4 5ccd636e
=> : encrypt packet ( 76 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100501 bbf1f149 0000004c 0c000014
0x : 3ed2b01c 29f74ea9 1d8d14c9 716fecfc 0000001c 00000001 01100001 004c7fce
0x : 9ea80e7f deb6e4a4 d0fb36f3
== : stored iv ( 8 bytes ) = 
0x : c0c2cbd5 f3577481
-> : send IKE packet to 10.1.101.26:500 ( 76 bytes ) = 
0x : 004c7fce 9ea80e7f deb6e4a4 d0fb36f3 08100501 bbf1f149 0000004c 3946fc07
0x : e670152f b87b40d5 f0ad34af 0a40233b f402a0c8 9482dd3a 4be3acb3 c8260e78
0x : 00d6ab7b c0c2cbd5 f3577481
ii : rebuilding interface list ...
ii : interface IP=10.1.200.170, MTU=1500 active
ii : 1 adapter(s) active
II | sent peer SA DELETE message
II | 10.1.200.170 -> 10.1.101.26
II | isakmp spi = 004c7fce9ea80e7f:deb6e4a4d0fb36f3
DB : phase1 sa deleted before expire time
DB : tunnel dereferenced ( ref count = 0, tunnel count = 1 )
ii : deleted vnet device 'ROOT\VNET\0000'
DB : tunnel deleted ( tunnel count = 0 )
ii : client ctrl thread exit ...
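The mode-config exchange this thread turns on (a request naming eight attributes, a reply carrying only four) can be decoded directly from the decrypted packets in the log above. The following is an added example, not code from the Shrew Soft client or from racoon: it parses the two ISAKMP attribute payloads (the bytes after the hash payload in the `decrypt packet` / `encrypt packet` dumps), prints the reply the way the client log does, and implements the "warn when a requested attribute was not returned" check that the reply above says the client should have. The mapping of the Cisco Unity private attribute types (0x7002, 0x7003, 0x7004, 0x7006) to the names the client prints is an assumption based on the order in which the log lists them; the standard INTERNAL_IP4_* types follow RFC 3456.

```python
"""Decode ISAKMP mode-config attribute payloads (added example, not the
client's or racoon's own code).  Hex below is copied from the decrypted
packets in the thread's log; every name mapping for the 0x7000 range is an
assumption made for this example."""
import ipaddress
import struct

CFG_REQUEST, CFG_REPLY = 1, 2

# Attribute type -> the name the client log prints for it.
ATTR_NAMES = {
    0x0001: "IP4 Address",                       # INTERNAL_IP4_ADDRESS
    0x0002: "IP4 Netmask",                       # INTERNAL_IP4_NETMASK
    0x0003: "IP4 DNS Server",                    # INTERNAL_IP4_DNS
    0x0004: "IP4 WINS Server",                   # INTERNAL_IP4_NBNS
    0x7002: "IP4 DNS Suffix",                    # Unity default domain (assumed)
    0x7003: "Split DNS Domains",                 # Unity split DNS names (assumed)
    0x7004: "IP4 Split Network Include List",    # Unity split include (assumed)
    0x7006: "IP4 Split Network Exclude List",    # Unity local LAN (assumed)
}
IP4_ATTRS = {0x0001, 0x0002, 0x0003, 0x0004}

# Attribute payloads from the log: the client's CFG_REQUEST (encrypt packet,
# 88 bytes) and the gateway's CFG_REPLY (decrypt packet, 92 bytes).
CFG_REQUEST_HEX = ("00000028 01005290 00010000 00020000 00030000 70020000 "
                   "70030000 00040000 70040000 70060000")
CFG_REPLY_HEX = ("00000028 02005290 00010004 0a01ca01 00020004 ffffff00 "
                 "00030004 0a01647e 00040004 0a01647e")


def cfg_bytes(hex_text: str) -> bytes:
    """Turn a space-separated hex dump line into bytes."""
    return bytes.fromhex(hex_text.replace(" ", ""))


def parse_cfg_payload(data: bytes):
    """Parse one ISAKMP attribute payload (RFC 2408 data attributes after
    the RFC 3456 config header).  Returns (cfg_type, identifier, attrs);
    raises ValueError on a truncated or inconsistent payload."""
    if len(data) < 8:
        raise ValueError("payload header truncated")
    _nxt, _res, length, cfg_type, _res2, ident = struct.unpack("!BBHBBH", data[:8])
    if length != len(data):
        raise ValueError(f"payload length {length} != {len(data)} bytes present")
    attrs, off = {}, 8
    while off < length:
        if off + 4 > length:
            raise ValueError("attribute header truncated")
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        if atype & 0x8000:                    # AF=1: 2-byte value, no length field
            attrs[atype & 0x7FFF] = data[off + 2:off + 4]
            off += 4
        else:                                 # AF=0: type, length, value
            if off + 4 + alen > length:
                raise ValueError("attribute value truncated")
            attrs[atype] = data[off + 4:off + 4 + alen]
            off += 4 + alen
    return cfg_type, ident, attrs


def describe(attrs: dict) -> dict:
    """Render attribute values the way the client log does (IPv4 where the
    type is an address type, raw hex otherwise)."""
    out = {}
    for atype, val in attrs.items():
        name = ATTR_NAMES.get(atype, f"unknown (0x{atype:04x})")
        out[name] = str(ipaddress.IPv4Address(val)) if atype in IP4_ATTRS and len(val) == 4 else val.hex()
    return out


def missing_attributes(request: bytes, reply: bytes) -> list:
    """Names of attributes the client asked for that the gateway did not
    return: the check the thread says should produce a client-side warning."""
    rtype, rid, req = parse_cfg_payload(request)
    ptype, pid, rep = parse_cfg_payload(reply)
    if (rtype, ptype) != (CFG_REQUEST, CFG_REPLY):
        raise ValueError("expected a CFG_REQUEST / CFG_REPLY pair")
    if rid != pid:
        raise ValueError(f"reply id 0x{pid:04x} does not match request id 0x{rid:04x}")
    return [ATTR_NAMES.get(t, f"0x{t:04x}") for t in req if t not in rep]


if __name__ == "__main__":
    _, ident, rep = parse_cfg_payload(cfg_bytes(CFG_REPLY_HEX))
    print(f"received isakmp config reply (id 0x{ident:04x})")
    for name, value in describe(rep).items():
        print(f" - {name} = {value}")
    for name in missing_attributes(cfg_bytes(CFG_REQUEST_HEX), cfg_bytes(CFG_REPLY_HEX)):
        print(f"!! requested but not returned: {name}")
```

Run as-is it reproduces the four lines the client logged for the reply and then lists the four attributes the gateway never answered, the split-network include list among them, which is exactly the condition the reply above attributes to the missing `split_network` statement in the racoon `mode_cfg` block.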