[vpn-help] Problem Connecting to Commercial Gateway ...

Kimmo Koivisto kkoivisto at gmail.com
Thu Mar 2 14:28:58 CST 2006


Matthew Grooms wrote in his message (sent Thursday 02 March 2006
04:42):
> This product was designed to work with ipsec-tools and has not been
> tested with other vpn gateway products. However, I appreciate you taking
> the time to run these tests. I just want you to understand why there are
> so many bugs being found ;)

Yep, hopefully Shrew VPN will work against other VPNs too :)

> I believe phase1 and phase2 should hopefully complete without issue. 

Not completely, see attached log file :)

"phase2 sa rejected, responder quick mode hash invalid"
and after this I pinged and ipsecd died.

> The bad news is that I think the notification payload may be to inform
> us that the remote peer ( your commercial gw ) doesn't understand the
> modecfg packet we sent. Lets find out;)

I know that it does not understand, but why are we sending it? I have 
configured all settings as fixed and there is nothing to get with mode 
config. Is there any option to prevent mode config?

But that is not the problem: I can see from the remote gateway that it
established the phase2 sa; the problem is that ipsecd dies when I try to ping
a host which is defined in the sa.
The notification payload should only be for the phase2 lifetime; at least I can
see that when I use openswan as a client.

Best Regards
Kimmo
-------------- next part --------------
## : IPSEC Daemon, Mar  1 2006
## : Copyright 2005 ShrewSoft Inc.
## : This product linked OpenSSL 0.9.8a 11 Oct 2005
ii : rebuilding interface list ...
ii : skipping interface with null address
ii : interface IP=172.26.1.3, MTU=1500 active
ii : skipping interface with null address
ii : 1 adapter(s) active
ii : client ctrl thread begin ...
DB : tunnel added
ii : peer config message received
ii : local address selected for peer
ii : 172.26.1.3 ( Intel(R) PRO/Wireless LAN 2100 3A Mini PCI Adapter - Packet Scheduler Miniport )
ii : user credentials message received
ii : client keyfile message received
ii : 'ca2.pem' loaded
ii : client keyfile message received
ii : 'user.pem' loaded
ii : client keyfile message received
ii : 'userkey.pem' loaded
ii : policy config message received
ii : tunnel enable message received
DB : new phase1 sa ( ISAKMP initiator )
DB : exchange type is identity protect
DB : 172.26.1.3:500 <-> 1.2.3.4:500
DB : 01f3ed445de44cd0:0000000000000000
DB : phase1 sa added
>> : security association payload
>> : vendor id payload
>> : vendor id payload
-> : send IKE packet to 1.2.3.4:500 ( 128 bytes )
ii : vnet inf 'C:\Program Files\ShrewSoft\VPN Client\drivers\virtualnet.inf'
<- : recv IKE packet from 1.2.3.4:500 ( 236 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : security association payload
ii : unexpected spi data, 8 bytes
ii : matched phase1 proposal
ii : - protocol     = isakmp
ii : - transform    = ike
ii : - key length   = 128 bits
ii : - cipher type  = aes
ii : - hash type    = sha1
ii : - dh group     = modp-1024
ii : - auth type    = sig-rsa
ii : - life seconds = 5700
ii : - life kbytes  = 0
<< : vendor id payload
ii : unknown vendor id
 ( 16 bytes )
<< : vendor id payload
ii : unknown vendor id
 ( 16 bytes )
<< : vendor id payload
ii : unknown vendor id
 ( 16 bytes )
<< : vendor id payload
ii : unknown vendor id
 ( 16 bytes )
<< : vendor id payload
ii : unknown vendor id
 ( 16 bytes )
<< : vendor id payload
ii : unknown vendor id
 ( 16 bytes )
<< : vendor id payload
ii : peer supports NAT-T
>> : key exchange payload
>> : nonce payload
-> : send IKE packet to 1.2.3.4:500 ( 184 bytes )
<- : recv IKE packet from 1.2.3.4:500 ( 650 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : key exchange payload
<< : nonce payload
<< : cert request payload
<< : invalid cert request size
<- : recv IKE packet from 1.2.3.4:500 ( 650 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : ignoring duplicate key excahnge payload
!! : unprocessed phase1 payload data
== : DH shared secret ( 128 bytes )
== : SETKEYID ( 20 bytes )
== : SETKEYID_d ( 20 bytes )
== : SETKEYID_a ( 20 bytes )
== : SETKEYID_e ( 20 bytes )
== : cipher key ( 16 bytes )
== : cipher iv ( 16 bytes )
>> : identification payload
== : phase1 hash_i ( computed ) ( 20 bytes )
>> : certificate payload
>> : signature payload
>> : cert request payload
>= : encrypt iv ( 16 bytes )
=> : encrypt packet ( 752 bytes )
== : stored iv ( 16 bytes )
-> : send IKE packet to 1.2.3.4:500 ( 764 bytes )
<- : recv IKE packet from 1.2.3.4:500 ( 748 bytes )
DB : ipsec peer found
DB : phase1 sa found
=< : decrypt iv ( 16 bytes )
<= : decrypt packet ( 748 bytes )
== : stored iv ( 16 bytes )
<< : identification payload
<< : certificate payload
<< : signature payload
ii : unable to get certificate CRL(3) at depth:0
ii : subject :/C=FI/O=1/CN=2
ii : unable to get certificate CRL(3) at depth:1
ii : subject :/C=FI/O=1/CN=2
== : phase1 hash_r ( computed ) ( 20 bytes )
== : phase1 hash_r ( received ) ( 20 bytes )

II | phase1 sa established
II | 172.26.1.3:500 <-> 1.2.3.4:500
II | 1f3ed445de44cd0:fe739c38c5002991

>> : hash payload
>> : notification payload

II | sent peer notification, INITIAL-CONTACT
II | 172.26.1.3 -> 1.2.3.4
II | message id = 690208388

== : new informational hash ( 20 bytes )
== : new phase2 iv ( 16 bytes )
>= : encrypt iv ( 16 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 16 bytes )
-> : send IKE packet to 1.2.3.4:500 ( 92 bytes )
DB : config added
== : new phase2 iv ( 16 bytes )
ii : sent isakmp config request
ii : created vnet device 'ROOT\VNET\0000'
ii : client recv thread begin ...
ii : inspecting VNet DHCP request ...
ii :   option unknown ( 74 )
ii :   option unknown ( 3d )
ii :   option clientid = 'laptop'
ii :   option unknown ( 3c )
ii :   option unknown ( 37 )
ii : responding to DHCP discover
ii : inspecting VNet DHCP request ...
ii :   option unknown ( 3d )
ii :   option unknown ( 32 )
ii :   option unknown ( 36 )
ii :   option clientid = 'laptop'
ii :   option unknown ( 51 )
ii :   option unknown ( 3c )
ii :   option unknown ( 37 )
ii : responding to DHCP request
ii : inspecting VNet ARP request ...
ii : configuring tunnel securtiy policies
DB : new phase2 sa ( IPSEC initiator )
DB : phase2 sa added
== : new phase2 iv ( 16 bytes )
>> : hash payload
>> : security association payload
>> : nonce payload
>> : key exchange payload
>> : identification payload
>> : identification payload
== : phase2 hash_i ( computed ) ( 20 bytes )
>= : encrypt iv ( 16 bytes )
=> : encrypt packet ( 296 bytes )
== : stored iv ( 16 bytes )
ii : rebuilding interface list ...
ii : interface IP=10.10.10.10, MTU=1500 active
ii : skipping interface with null address
ii : interface IP=172.26.1.3, MTU=1500 active
ii : skipping interface with null address
ii : 2 adapter(s) active
-> : send IKE packet to 1.2.3.4:500 ( 300 bytes )
ii : routing remote net 192.168.10.0/255.255.255.0
ii : inspecting VNet ARP request ...
<- : recv IKE packet from 1.2.3.4:500 ( 332 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : phase2 sa found
=< : decrypt iv ( 16 bytes )
<= : decrypt packet ( 332 bytes )
== : stored iv ( 16 bytes )
<< : hash payload
<< : security association payload
ii : matched phase2 proposal
ii : - protocol     = ipsec-esp
ii : - encap mode   = tunnel
ii : - transform    = esp-aes
ii : - key length   = 128 bits
ii : - auth type    = hmac-sha
ii : - pfs dh group = modp-1024
ii : - life seconds = 3600
ii : - life kbytes  = 0
<< : nonce payload
<< : key exchange payload
<< : identification payload
<< : identification payload
<< : notification payload

II | received peer notification, RESPONDER-LIFETIME
II | 1.2.3.4 -> 172.26.1.3
II | ipsec-esp spi = 0xdd106b1b

!! : unprocessed phase2 payload data
== : phase2 hash_r ( computed ) ( 20 bytes )
== : phase2 hash_r ( received ) ( 20 bytes )

II | phase2 sa rejected, responder quick mode hash invalid
II | 172.26.1.3:500 <-> 1.2.3.4:500
ii : inspecting VNet ARP request ...
DB : phase2 sa deleted
DB : phase2 sa not found

ACTION | unable to process outbound packet
REASON | no outbound spi for peer 1.2.3.4

DB : phase2 sa not found

ACTION | unable to process outbound packet
REASON | no outbound spi for peer 1.2.3.4

ii : rebuilding interface list ...
ii : interface IP=10.10.10.10, MTU=1500 active
ii : skipping interface with null address
ii : interface IP=172.26.1.3, MTU=1500 active
ii : skipping interface with null address
ii : 2 adapter(s) active
<- : recv IKE packet from 1.2.3.4:500 ( 332 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : phase2 sa not found
DB : new phase2 sa ( IPSEC responder )
DB : phase2 sa added
== : new phase2 iv ( 16 bytes )
=< : decrypt iv ( 16 bytes )
<= : decrypt packet ( 332 bytes )
== : stored iv ( 16 bytes )
<< : hash payload
!! : invalid hash size
DB : phase2 sa not found

ACTION | unable to process outbound packet
REASON | no outbound spi for peer 1.2.3.4

<- : recv IKE packet from 1.2.3.4:500 ( 332 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : phase2 sa found
=< : decrypt iv ( 16 bytes )
<= : decrypt packet ( 332 bytes )
== : stored iv ( 16 bytes )
<< : hash payload
!! : invalid hash size
ii : inspecting VNet ARP request ...
ii : responding to VNet ARP request for 192.168.10.10
DB : phase2 sa not found

ACTION | unable to process outbound packet
REASON | no outbound spi for peer 1.2.3.4

<- : recv IKE packet from 1.2.3.4:500 ( 332 bytes )
DB : ipsec peer found
DB : phase1 sa found
DB : phase2 sa found
=< : decrypt iv ( 16 bytes )
<= : decrypt packet ( 332 bytes )
== : stored iv ( 16 bytes )
<< : ignoring duplicate hash payload
!! : unprocessed phase2 payload data
== : phase2 hash_p ( computed ) ( 20 bytes )
== : phase2 hash_p ( received ) ( 0 bytes )
DB : phase2 sa not found

ACTION | unable to process outbound packet
REASON | no outbound spi for peer 1.2.3.4


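An added example, not code from the thread or from the Shrew Soft client: it computes the IKEv1 Quick Mode HASH(2) the responder's reply carries (RFC 2409 section 5.5: prf over M-ID, Ni_b and the whole message after the HASH payload, headers included) and shows that a verifier which leaves an unprocessed payload such as the RESPONDER-LIFETIME notification out of the covered data recomputes a different value and rejects the SA. Whether that is what lies behind "unprocessed phase2 payload data" followed by "responder quick mode hash invalid" in the log above is an assumption; SKEYID_a, the nonces and the payload bodies are constructed.

```python
import hmac
import hashlib
import struct

# Generic ISAKMP payload header (RFC 2408 section 3.2): next payload, reserved, length.
def payload(next_type: int, body: bytes) -> bytes:
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

# Quick Mode HASH(2) = prf(SKEYID_a, M-ID | Ni_b | everything after the HASH payload),
# payload headers included (RFC 2409 section 5.5). prf = HMAC-SHA1, matching the
# "hash type = sha1" negotiated in the log.
def quick_mode_hash2(skeyid_a: bytes, msg_id: int, ni_b: bytes, rest: bytes) -> bytes:
    return hmac.new(skeyid_a, struct.pack("!I", msg_id) + ni_b + rest, hashlib.sha1).digest()

# Verifier that rebuilds the covered data from the payloads it processed.
# Any payload it skipped changes the result, so the SA would be rejected.
def verify_hash2(skeyid_a: bytes, msg_id: int, ni_b: bytes,
                 processed: list, received_hash: bytes) -> bool:
    expected = quick_mode_hash2(skeyid_a, msg_id, ni_b, b"".join(processed))
    return hmac.compare_digest(expected, received_hash)

# Constructed sample values (assumptions, not taken from the log).
SKEYID_A = hashlib.sha1(b"constructed skeyid_a").digest()   # 20 bytes, as in the log
MSG_ID = 690208388                                          # message id from the log
NI_B = b"\x11" * 16                                         # initiator nonce body

# Responder's reply after HASH(2): SA, Nr, KE, IDci, IDcr, Notify (RESPONDER-LIFETIME).
# Next-payload codes per RFC 2408: SA=1, KE=4, ID=5, Nonce=10, Notify=11, none=0.
SA_P = payload(10, b"\x00" * 24)      # SA, next = Nonce
NR_P = payload(4, b"\x22" * 16)       # Nonce, next = KE
KE_P = payload(5, b"\x33" * 128)      # KE, next = ID
IDI_P = payload(5, b"\x44" * 8)       # IDci, next = ID
IDR_P = payload(11, b"\x55" * 8)      # IDcr, next = Notify
NOTIFY_P = payload(0, b"\x66" * 20)   # Notify RESPONDER-LIFETIME, next = none
RESPONSE = [SA_P, NR_P, KE_P, IDI_P, IDR_P, NOTIFY_P]

# The hash the responder actually sends, covering every payload.
HASH_R = quick_mode_hash2(SKEYID_A, MSG_ID, NI_B, b"".join(RESPONSE))

def check_full() -> bool:
    # Verifier covers all six payloads: hash matches.
    return verify_hash2(SKEYID_A, MSG_ID, NI_B, RESPONSE, HASH_R)

def check_dropping_notify() -> bool:
    # Verifier that left the notification out: hash no longer matches.
    return verify_hash2(SKEYID_A, MSG_ID, NI_B, RESPONSE[:-1], HASH_R)

if __name__ == "__main__":
    print("all payloads covered:", check_full())           # True
    print("notification skipped:", check_dropping_notify())  # False
```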