[Vpn-help] vpn-release-1.1 communicate with racoon problem

Zhao Tongyi zhaotongyi at gmail.com
Thu Nov 23 21:26:33 CST 2006


verify_cert on

# Date/Time Priority Process Message

1 Nov 23 03:24:27  info  racoon  INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2 Nov 23 03:24:27  info  racoon  INFO: @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
3 Nov 23 03:24:27  info  racoon  INFO: 192.168.1.1[4500] used as isakmp port (fd=7)
4 Nov 23 03:24:27  info  racoon  INFO: 192.168.1.1[4500] used for NAT-T
5 Nov 23 03:24:27  info  racoon  INFO: 192.168.1.1[500] used as isakmp port (fd=8)
6 Nov 23 03:24:27  info  racoon  INFO: 192.168.1.1[500] used for NAT-T
7 Nov 23 03:24:27  info  racoon  INFO: 192.168.20.133[4500] used as isakmp port (fd=9)
8 Nov 23 03:24:27  info  racoon  INFO: 192.168.20.133[4500] used for NAT-T
9 Nov 23 03:24:27  info  racoon  INFO: 192.168.20.133[500] used as isakmp port (fd=10)
10 Nov 23 03:24:27  info  racoon  INFO: 192.168.20.133[500] used for NAT-T
11 Nov 23 03:24:27  info  racoon  INFO: 192.168.2.1[4500] used as isakmp port (fd=11)
12 Nov 23 03:24:27  info  racoon  INFO: 192.168.2.1[4500] used for NAT-T
13 Nov 23 03:24:27  info  racoon  INFO: 192.168.2.1[500] used as isakmp port (fd=12)
14 Nov 23 03:24:27  info  racoon  INFO: 192.168.2.1[500] used for NAT-T
15 Nov 23 03:24:48  info  racoon  INFO: respond new phase 1 negotiation: 192.168.20.133[500]<=>192.168.20.240[500]
16 Nov 23 03:24:48  info  racoon  INFO: begin Aggressive mode.
17 Nov 23 03:24:48  info  racoon  INFO: received Vendor ID: CISCO-UNITY
18 Nov 23 03:24:48  info  racoon  INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
19 Nov 23 03:24:48  info  racoon  INFO: received Vendor ID: RFC 3947
20 Nov 23 03:24:48  info  racoon  INFO: received broken Microsoft ID: FRAGMENTATION
21 Nov 23 03:24:48  info  racoon  INFO: received Vendor ID: DPD
22 Nov 23 03:24:48  info  racoon  INFO: Selected NAT-T version: RFC 3947
23 Nov 23 03:24:48  info  racoon  INFO: Adding remote and local NAT-D payloads.
24 Nov 23 03:24:48  info  racoon  INFO: Hashing 192.168.20.240[500] with algo #2
25 Nov 23 03:24:48  info  racoon  INFO: Hashing 192.168.20.133[500] with algo #2
26 Nov 23 03:24:48  info  racoon  INFO: NAT not detected
27 Nov 23 03:24:48  err  racoon  ERROR: CRL has expired(12) at depth:0 SubjectName:/C=CN/O=1121/CN=1121/OU=1164073705U45625AE98F64A
28 Nov 23 03:24:48  err  racoon  ERROR: the peer's certificate is not verified.
29 Nov 23 03:24:48  err  racoon  ERROR: ignore information because ISAKMP-SA has not been established yet.
30 Nov 23 03:24:48  info  racoon  WARNING: Short payload
2006/11/23, Matthew Grooms <mgrooms at shrew.net>:
>
> Zhao,
>
> Thanks for trying out the VPN Client. If you see esp packets being
> emitted from the client ( passing both phase1 and phase2 ), it is very
> likely close to working.
>
> To start, it would be a good idea to reconfigure your client address
> range to start with .1 instead of .0 as this can cause problems. I will
> see if I can sneak in an ipsec-tools fix to prevent this from happening
> before we branch for 0.7.
>
> For example ...
>
> mode_cfg {
>         pool_size 253;
>         network4 192.168.1.1;
>         netmask4 255.255.255.0;
>         dns4 192.168.20.1;
>         auth_source system;
> }
>
> Also, does your debian gateway have selinux or a firewall like iptables
> installed? As for the certificate verification not working, could you
> run racoon with the -d option and forward me the relevant debug output
> regarding this issue.
>
> Thanks,
>
> -Matthew
>



-- 
Best regards,

Tongyi ,Zhao
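
Added example, not part of the original message or of ipsec-tools: a small triage script for racoon logs in the layout shown above, which re-joins wrapped entries and ties each certificate verification error to the peer of the preceding phase 1 negotiation. The function names and hint texts are assumptions made for illustration; the numeric codes are OpenSSL's X509_V_ERR_* values.

```python
import re

# Entries taken from the log in this message; two are wrapped across lines
# to exercise the re-joining in entries().
SAMPLE_LOG = """\
15 Nov 23 03:24:48  info  racoon  INFO: respond new phase 1 negotiation:
192.168.20.133[500]<=>192.168.20.240[500]
16 Nov 23 03:24:48  info  racoon  INFO: begin Aggressive mode.
27 Nov 23 03:24:48  err  racoon  ERROR: CRL has expired(12) at depth:0
SubjectName:/C=CN/O=1121/CN=1121/OU=1164073705U45625AE98F64A
28 Nov 23 03:24:48  err  racoon  ERROR: the peer's certificate is not verified.
"""

# OpenSSL X509_V_ERR_* codes for validity-period failures, with a first check
# (hint wording is this example's own).
X509_HINTS = {
    9: "certificate not yet valid: check the clocks on both ends",
    10: "certificate has expired: reissue it",
    11: "CRL not yet valid: check the gateway clock",
    12: "CRL nextUpdate has passed: reissue the CRL or check the gateway clock",
}

ENTRY = re.compile(r"^\d+ [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
PHASE1 = re.compile(r"new phase 1 negotiation: (\S+)\[\d+\]<=>(\S+)\[\d+\]")
VERIFY = re.compile(r"ERROR: (.+?)\((\d+)\) at depth:(\d+) SubjectName:(\S+)")

def entries(text):
    """Re-join wrapped lines so each numbered log entry is one string."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if ENTRY.match(line):
            out.append(line)
        elif line and out:
            out[-1] += " " + line
    return out

def triage(text):
    """One finding per X.509 verify error, tied to the latest phase 1 peer."""
    findings, peer = [], None
    for entry in entries(text):
        if (m := PHASE1.search(entry)):
            # local<=>remote: 192.168.20.133 is a gateway listener in this log
            peer = m.group(2)
        elif (m := VERIFY.search(entry)):
            reason, code, depth, subject = m.groups()
            findings.append({
                "peer": peer, "reason": reason, "code": int(code),
                "depth": int(depth), "subject": subject,
                "hint": X509_HINTS.get(int(code), "see OpenSSL verify(1)"),
            })
    return findings
```

Depth 0 in a finding refers to the peer's own certificate rather than a CA above it.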