[Vpn-help] vpn-release-1.1 communicate with racoon problem
Zhao Tongyi
zhaotongyi at gmail.com
Thu Nov 23 21:26:33 CST 2006
verify_cert on
#
Date/Time Priority Process Message
1 Nov 23 03:24:27 info racoon INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2 Nov 23 03:24:27 info racoon INFO: @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
3 Nov 23 03:24:27 info racoon INFO: 192.168.1.1[4500] used as isakmp port (fd=7)
4 Nov 23 03:24:27 info racoon INFO: 192.168.1.1[4500] used for NAT-T
5 Nov 23 03:24:27 info racoon INFO: 192.168.1.1[500] used as isakmp port (fd=8)
6 Nov 23 03:24:27 info racoon INFO: 192.168.1.1[500] used for NAT-T
7 Nov 23 03:24:27 info racoon INFO: 192.168.20.133[4500] used as isakmp port (fd=9)
8 Nov 23 03:24:27 info racoon INFO: 192.168.20.133[4500] used for NAT-T
9 Nov 23 03:24:27 info racoon INFO: 192.168.20.133[500] used as isakmp port (fd=10)
10 Nov 23 03:24:27 info racoon INFO: 192.168.20.133[500] used for NAT-T
11 Nov 23 03:24:27 info racoon INFO: 192.168.2.1[4500] used as isakmp port (fd=11)
12 Nov 23 03:24:27 info racoon INFO: 192.168.2.1[4500] used for NAT-T
13 Nov 23 03:24:27 info racoon INFO: 192.168.2.1[500] used as isakmp port (fd=12)
14 Nov 23 03:24:27 info racoon INFO: 192.168.2.1[500] used for NAT-T
15 Nov 23 03:24:48 info racoon INFO: respond new phase 1 negotiation: 192.168.20.133[500]<=>192.168.20.240[500]
16 Nov 23 03:24:48 info racoon INFO: begin Aggressive mode.
17 Nov 23 03:24:48 info racoon INFO: received Vendor ID: CISCO-UNITY
18 Nov 23 03:24:48 info racoon INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
19 Nov 23 03:24:48 info racoon INFO: received Vendor ID: RFC 3947
20 Nov 23 03:24:48 info racoon INFO: received broken Microsoft ID: FRAGMENTATION
21 Nov 23 03:24:48 info racoon INFO: received Vendor ID: DPD
22 Nov 23 03:24:48 info racoon INFO: Selected NAT-T version: RFC 3947
23 Nov 23 03:24:48 info racoon INFO: Adding remote and local NAT-D payloads.
24 Nov 23 03:24:48 info racoon INFO: Hashing 192.168.20.240[500] with algo #2
25 Nov 23 03:24:48 info racoon INFO: Hashing 192.168.20.133[500] with algo #2
26 Nov 23 03:24:48 info racoon INFO: NAT not detected
27 Nov 23 03:24:48 err racoon ERROR: CRL has expired(12) at depth:0 SubjectName:/C=CN/O=1121/CN=1121/OU=1164073705U45625AE98F64A
28 Nov 23 03:24:48 err racoon ERROR: the peer's certificate is not verified.
29 Nov 23 03:24:48 err racoon ERROR: ignore information because ISAKMP-SA has not been established yet.
30 Nov 23 03:24:48 info racoon WARNING: Short payload

2006/11/23, Matthew Grooms <mgrooms at shrew.net>:
>
> Zhao,
>
> Thanks for trying out the VPN Client. If you see esp packets being
> emitted from the client ( passing both phase1 and phase2 ), it is very
> likely close to working.
>
> To start, it would be a good idea to reconfigure your client address
> range to start with .1 instead of .0 as this can cause problems. I will
> see if I can sneak in an ipsec-tools fix to prevent this from happening
> before we branch for 0.7.
>
> For example ...
>
> mode_cfg {
> pool_size 253;
> network4 192.168.1.1;
> netmask4 255.255.255.0;
> dns4 192.168.20.1;
> auth_source system;
> }
>
> Also, does your debian gateway have selinux or a firewall like iptables
> installed? As for the certificate verification not working, could you
> run racoon with the -d option and forward me the relevant debug output
> regarding this issue?
>
> Thanks,
>
> -Matthew
>
--
Best regards,
Tongyi ,Zhao
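
Added example, not part of the original message and not ipsec-tools code: a small Python triage script that rejoins the mail-wrapped records of a racoon log in the layout shown above and reports certificate or CRL verification errors together with the peer of the phase 1 negotiation. The function names are hypothetical, and treating the address on the right of `<=>` as the remote peer is an assumption based on 192.168.20.133 being one of the gateway's listening addresses; code 12 is OpenSSL's X509_V_ERR_CRL_HAS_EXPIRED.

```python
import re

# Constructed sample: records copied from the log above, mail wrapping included.
SAMPLE = """\
15 Nov 23 03:24:48 info racoon INFO: respond new phase 1 negotiation:
192.168.20.133[500]<=>192.168.20.240[500]
26 Nov 23 03:24:48 info racoon INFO: NAT not detected
27 Nov 23 03:24:48 err racoon ERROR: CRL has expired(12) at depth:0
SubjectName:/C=CN/O=1121/CN=1121/OU=1164073705U45625AE98F64A
28 Nov 23 03:24:48 err racoon ERROR: the peer's certificate is not
verified.
"""

# One record in this viewer's layout: index, date/time, priority, process, message.
RECORD = re.compile(r"^(\d+) (\w{3} +\d+ [\d:]+) (\w+) racoon (.*)$")
PHASE1 = re.compile(r"respond new phase 1 negotiation: (\S+)\[\d+\]<=>(\S+)\[\d+\]")
VERIFY = re.compile(r"ERROR: (.+?)\((\d+)\) at depth:(\d+) SubjectName:(\S+)")
# OpenSSL X509_V_ERR_* codes that concern validity periods.
X509_CODES = {10: "CERT_HAS_EXPIRED", 11: "CRL_NOT_YET_VALID", 12: "CRL_HAS_EXPIRED"}


def unwrap(text):
    """Rejoin continuation lines onto the record they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if RECORD.match(line):
            records.append(line)
        elif records and line:
            records[-1] += " " + line
    return records


def cert_failures(text):
    """Return one dict per certificate/CRL verification error, tagged with the peer."""
    peer, found = None, []
    for rec in unwrap(text):
        msg = RECORD.match(rec).group(4)
        if (m := PHASE1.search(msg)):
            peer = m.group(2)  # assumption: local<=>remote, so the peer is on the right
        elif (m := VERIFY.search(msg)):
            code = int(m.group(2))
            found.append({"peer": peer, "reason": m.group(1), "code": code,
                          "x509": X509_CODES.get(code, "other"),
                          "depth": int(m.group(3)), "subject": m.group(4)})
    return found
```

A depth of 0 refers to the peer's own certificate rather than a CA above it, so the result for this log says the CRL consulted for the end-entity certificate is past its next-update time.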