[Vpn-help] Juniper SSG Commercial IPsec Gateway

Stefan Bauer Bauer at puhlmann.net
Thu Dec 13 03:20:52 CST 2007


> -----Original Message-----
> From: Matthew Grooms [mailto:mgrooms at shrew.net]
> Sent: Thursday, 13 December 2007 09:50
> To: Stefan Bauer
> Cc: vpn-help at lists.shrew.net
> Subject: Re: [Vpn-help] Juniper SSG Commercial IPsec Gateway

> Good news about the nat-t at least. Hmmm, I just tested the trace
> facility and it seems to be working fine for me. When running vpn trace,
> did you use the options menu to set the log level to debug and restart
> the ike service? This is necessary to see anything besides the startup
> logo. If you can get this output to me, I will do what I can to correct
> the issue you are seeing.

Shame on me. I thought that all changes I've made would be automatically integrated into newer versions. Please see the attached log below. (FYI, I moved back to default auth with IKE, without XAuth.)

## : IKE Daemon, ver 2.1.0
## : Copyright 2007 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8e 23 Feb 2007
ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
ii : rebuilding vnet device list ...
ii : device ROOT\VNET\0000 disabled
ii : network process thread begin ...
ii : pfkey process thread begin ...
ii : admin process thread begin ...
<A : peer config add message
DB : peer added
ii : local address 192.168.1.12:500 selected for peer
DB : tunnel added
<A : proposal config message
<A : proposal config message
<A : client config message
<A : local id 'sb at puhlmann.net' message
<A : remote id '' message
<A : preshared key message
<A : remote resource message
<A : peer tunnel enable message
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 192.168.1.12:500 <-> 62.245.200.not-public:500
DB : 8e96306d5d6bb5b9:0000000000000000
DB : phase1 added
>> : security association payload
>> : - proposal #1 payload 
>> : -- transform #1 payload 
>> : key exchange payload
>> : nonce payload
>> : identification payload
>> : vendor id payload
ii : local supports nat-t ( draft v00 )
>> : vendor id payload
ii : local supports nat-t ( draft v01 )
>> : vendor id payload
ii : local supports nat-t ( draft v02 )
>> : vendor id payload
ii : local supports nat-t ( rfc )
>> : vendor id payload
ii : local supports FRAGMENTATION
>> : vendor id payload
ii : local supports DPDv1
>> : vendor id payload
ii : local is SHREW SOFT compatible
>> : vendor id payload
ii : local is CISCO UNITY compatible
>> : vendor id payload
ii : local is NETSCREEN compatible
>> : vendor id payload
ii : local is CHECKPOINT compatible
-> : send IKE packet 192.168.1.12:500 -> 62.245.200.not-public:500 ( 535 bytes )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
DB : phase1 found
ii : processing phase1 packet ( 412 bytes )
<< : security association payload
<< : - propsal #1 payload 
<< : -- transform #1 payload 
ii : matched isakmp proposal #1 transform #1
ii : - transform    = ike
ii : - cipher type  = 3des
ii : - key length   = default
ii : - hash type    = sha1
ii : - dh group     = modp-1024
ii : - auth type    = psk
ii : - life seconds = 86400
ii : - life kbytes  = 512
<< : vendor id payload
ii : unknown vendor id ( 28 bytes )
<< : vendor id payload
ii : peer supports HEARTBEAT-NOTIFY
<< : key exchange payload
<< : nonce payload
<< : identification payload
ii : phase1 id match ( natt prevents ip match )
ii : phase1 id match ( ipv4-host 62.245.200.not-public )
<< : hash payload
<< : vendor id payload
ii : peer supports nat-t ( draft v00 )
<< : nat discovery payload
<< : nat discovery payload
ii : nat discovery - local address is translated
ii : switching to nat-t udp port 4500
== : DH shared secret ( 128 bytes )
== : SETKEYID ( 20 bytes )
== : SETKEYID_d ( 20 bytes )
== : SETKEYID_a ( 20 bytes )
== : SETKEYID_e ( 20 bytes )
== : cipher key ( 40 bytes )
== : cipher iv ( 8 bytes )
== : phase1 hash_i ( computed ) ( 20 bytes )
>> : hash payload
>> : nat discovery payload
>> : nat discovery payload
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 100 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.1.12:4500 -> 62.245.200.not-public:4500 ( 132 bytes )
== : phase1 hash_r ( computed ) ( 20 bytes )
== : phase1 hash_r ( received ) ( 20 bytes )
ii : phase1 sa established
ii : 62.245.200.not-public:4500 <-> 192.168.1.12:4500
ii : 8e96306d5d6bb5b9:4649801cfe5cf4c
ii : sending peer INITIAL-CONTACT notification
ii : - 192.168.1.12:4500 -> 62.245.200.not-public:4500
ii : - isakmp spi = 8e96306d5d6bb5b9:04649801cfe5cf4c
ii : - data size 0
>> : hash payload
>> : notification payload
== : new informational hash ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.1.12:4500 -> 62.245.200.not-public:4500 ( 116 bytes )
DB : config added
ii : xauth is not required
ii : building config attribute list
ii : config is not required
DB : config deleted ( config count 0 )
DB : phase2 not found
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
DB : phase1 found
!! : responder port values have changed
ii : VNET adapter MTU is 1500
ii : enabled adapter ROOT\VNET\0000
ii : creating IPSEC INBOUND policy 192.168.10.0/24 -> 192.168.11.213/32
K> : send pfkey X_SPDADD UNSPEC message
ii : creating IPSEC OUTBOUND policy 192.168.11.213/32 -> 192.168.10.0/24
K> : send pfkey X_SPDADD UNSPEC message
ii : created IPSEC policy route for 192.168.10.0/24
K< : recv pfkey X_SPDADD UNSPEC message
DB : policy added
K< : recv pfkey X_SPDADD UNSPEC message
DB : policy added
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
DB : phase1 found
!! : responder port values have changed
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
DB : phase1 found
!! : responder port values have changed
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
DB : phase1 found
!! : responder port values have changed
K< : recv pfkey ACQUIRE UNSPEC message
DB : policy found
DB : policy found
DB : tunnel found
DB : new phase2 ( IPSEC initiator )
DB : phase2 added
K> : send pfkey GETSPI ESP message
K< : recv pfkey GETSPI ESP message
DB : phase2 found
ii : updated spi for 1 ipsec-esp proposal
DB : phase1 found
>> : hash payload
>> : security association payload
>> : - proposal #1 payload 
>> : -- transform #1 payload 
>> : -- transform #2 payload 
>> : nonce payload
>> : identification payload
>> : identification payload
== : phase2 hash_i ( input ) ( 136 bytes )
== : phase2 hash_i ( computed ) ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 184 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.1.12:4500 -> 62.245.200.not-public:4500 ( 220 bytes )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
DB : phase1 found
!! : responder port values have changed
ii : resending 1 phase2 exchange packet(s)
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
DB : phase1 found
!! : responder port values have changed
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
DB : phase1 found
!! : responder port values have changed
ii : resending 1 phase2 exchange packet(s)
-> : send NAT-T:KEEP-ALIVE packet 192.168.1.12:4500 -> 62.245.200.not-public:4500
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
DB : phase1 found
!! : responder port values have changed
ii : phase2 packet resend limit exceeded
DB : phase2 deleted before expire time ( phase2 count = 0 )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
DB : phase1 found
!! : responder port values have changed
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
DB : phase1 found
!! : responder port values have changed
K< : recv pfkey ACQUIRE UNSPEC message
DB : policy found
DB : policy found
DB : tunnel found
DB : new phase2 ( IPSEC initiator )
DB : phase2 added
K> : send pfkey GETSPI ESP message
K< : recv pfkey GETSPI ESP message
DB : phase2 found
ii : updated spi for 1 ipsec-esp proposal
DB : phase1 found
>> : hash payload
>> : security association payload
>> : - proposal #1 payload 
>> : -- transform #1 payload 
>> : -- transform #2 payload 
>> : nonce payload
>> : identification payload
>> : identification payload
== : phase2 hash_i ( input ) ( 136 bytes )
== : phase2 hash_i ( computed ) ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 184 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.1.12:4500 -> 62.245.200.not-public:4500 ( 220 bytes )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
DB : phase1 found
!! : responder port values have changed
<A : peer tunnel disable message
DB : policy found
ii : removing IPSEC INBOUND policy 192.168.10.0/24 -> 192.168.11.213/32
K> : send pfkey X_SPDDELETE2 UNSPEC message
DB : policy found
ii : removing IPSEC OUTBOUND policy 192.168.11.213/32 -> 192.168.10.0/24
K> : send pfkey X_SPDDELETE2 UNSPEC message
ii : removed IPSEC policy route for 192.168.10.0/24
K< : recv pfkey X_SPDDELETE2 UNSPEC message
DB : policy found
DB : policy deleted ( policy count = 1 )
K< : recv pfkey X_SPDDELETE2 UNSPEC message
DB : policy found
DB : policy deleted ( policy count = 0 )
ii : disabled adapter ROOT\VNET\0000
DB : removing all tunnel refrences
DB : phase2 resend event canceled ( ref count = 1 )
DB : phase2 deleted before expire time ( phase2 count = 0 )
DB : phase1 natt event canceled ( ref count = 2 )
DB : phase1 hard event canceled ( ref count = 1 )
ii : sending peer DELETE message
ii : - 192.168.1.12:4500 -> 62.245.200.not-public:4500
ii : - isakmp spi = 8e96306d5d6bb5b9:04649801cfe5cf4c
ii : - data size 0
>> : hash payload
>> : delete payload
== : new informational hash ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.1.12:4500 -> 62.245.200.not-public:4500 ( 116 bytes )
DB : phase1 deleted before expire time ( phase1 count = 0 )
DB : tunnel deleted ( tunnel count = 0 )
DB : peer deleted ( peer count = 0 )
ii : admin process thread exit ...


> > As a mad side effect, this alpha release breaks name lookups
> > on my system. If I move back to 2.0.3 everything works fine except nat-t.
> >
>
> Odd. In any case, I am re-writing the dns transparent proxy daemon to be
> more robust. For the time being, does disabling split dns support help?

No, this did not solve the problem.

Best regards,

Stefan

--
Haiko Puhlmann, Consulting + Design
IT Systems and Communication
Georgenschwaigstraße 4
80807 München
Tel: +49-89-3536960-0
Fax: +49-89-3536960-9 
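The trace above is long, and the parts that matter for the report are scattered: the phase1 parameters the Juniper accepted, the point where the client moves to UDP 4500 after NAT discovery, and the run of "responder port values have changed" warnings while the phase2 packets are resent from port 4500 and answered from port 500. The script below is an added example, not code from the original thread or from the Shrew Soft project. It parses iked debug output of the shape shown on this page and summarizes exactly those facts; the sample trace is constructed from excerpts of the posted log, with the peer address kept as the poster's "not-public" placeholder. It also flags aggressive mode with a pre-shared key, which the log shows was negotiated, since in that mode the responder's hash travels unencrypted and a captured exchange can be used to attack the PSK offline.

```python
"""Summarize a Shrew Soft iked debug trace (added example, not project code).

Reports the negotiated phase1 parameters, whether NAT-T moved the exchange
to UDP 4500, how many peer packets then arrived from a different port than
the one the client was sending to, and whether phase2 completed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Line shapes as they appear in iked.log (see the posted trace).
EXCHANGE_RE = re.compile(r"^DB : exchange type is (\w+)")
PARAM_RE = re.compile(r"^ii : - ([a-z]+(?: [a-z]+)?)\s+= (\S.*)$")
NATT_RE = re.compile(r"^ii : switching to nat-t udp port (\d+)")
SEND_RE = re.compile(r"^-> : send (?:NAT-T:)?IKE packet \S+:(\d+) -> \S+:(\d+) \( (\d+) bytes \)")
RECV_RE = re.compile(r"^<- : recv IKE packet \S+:(\d+) -> \S+:(\d+) \( (\d+) bytes \)")

# Constructed sample: excerpts of the posted log, peer address left as the
# poster's placeholder. Only lines the parser cares about are kept.
SAMPLE_TRACE = """\
DB : exchange type is aggressive
DB : 192.168.1.12:500 <-> 62.245.200.not-public:500
-> : send IKE packet 192.168.1.12:500 -> 62.245.200.not-public:500 ( 535 bytes )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
ii : matched isakmp proposal #1 transform #1
ii : - transform    = ike
ii : - cipher type  = 3des
ii : - key length   = default
ii : - hash type    = sha1
ii : - dh group     = modp-1024
ii : - auth type    = psk
ii : - life seconds = 86400
ii : - life kbytes  = 512
ii : nat discovery - local address is translated
ii : switching to nat-t udp port 4500
-> : send NAT-T:IKE packet 192.168.1.12:4500 -> 62.245.200.not-public:4500 ( 132 bytes )
ii : phase1 sa established
-> : send NAT-T:IKE packet 192.168.1.12:4500 -> 62.245.200.not-public:4500 ( 116 bytes )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
!! : responder port values have changed
-> : send NAT-T:IKE packet 192.168.1.12:4500 -> 62.245.200.not-public:4500 ( 220 bytes )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
!! : responder port values have changed
ii : resending 1 phase2 exchange packet(s)
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
!! : responder port values have changed
ii : phase2 packet resend limit exceeded
"""


@dataclass
class Summary:
    exchange_type: str = ""
    phase1: Dict[str, str] = field(default_factory=dict)
    natt_port: Optional[int] = None
    phase1_established: bool = False
    phase2_failed: bool = False
    port_warnings: int = 0
    # (source port seen, port the client was sending to, packet size)
    stale_port_packets: List[Tuple[int, int, int]] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def summarize(lines) -> Summary:
    s = Summary()
    expected_port: Optional[int] = None  # destination port of the client's last send
    in_proposal = False
    for raw in lines:
        line = raw.rstrip()
        m = EXCHANGE_RE.match(line)
        if m:
            s.exchange_type = m.group(1)
            continue
        if line.startswith("ii : matched isakmp proposal"):
            in_proposal = True
            continue
        if in_proposal:
            m = PARAM_RE.match(line)
            if m:
                s.phase1[m.group(1)] = m.group(2).strip()
                continue
            in_proposal = False  # first non-parameter line ends the block
        m = NATT_RE.match(line)
        if m:
            s.natt_port = expected_port = int(m.group(1))
            continue
        m = SEND_RE.match(line)
        if m:
            expected_port = int(m.group(2))
            continue
        m = RECV_RE.match(line)
        if m:
            src_port, size = int(m.group(1)), int(m.group(3))
            if expected_port is not None and src_port != expected_port:
                s.stale_port_packets.append((src_port, expected_port, size))
            continue
        if line.startswith("!! : responder port values have changed"):
            s.port_warnings += 1
        elif line.startswith("ii : phase1 sa established"):
            s.phase1_established = True
        elif line.startswith("ii : phase2 packet resend limit exceeded"):
            s.phase2_failed = True
    if s.exchange_type == "aggressive" and s.phase1.get("auth type") == "psk":
        s.notes.append("aggressive mode with PSK: HASH_R is sent unencrypted, "
                       "so a captured exchange allows an offline attack on the PSK")
    if s.stale_port_packets:
        src, exp, _ = s.stale_port_packets[0]
        s.notes.append(f"{len(s.stale_port_packets)} peer packet(s) arrived from port "
                       f"{src} after the client had moved to port {exp}")
    return s


if __name__ == "__main__":
    result = summarize(SAMPLE_TRACE.splitlines())
    print("exchange:", result.exchange_type, result.phase1)
    print("nat-t port:", result.natt_port, "phase1 up:", result.phase1_established,
          "phase2 failed:", result.phase2_failed, "warnings:", result.port_warnings)
    for note in result.notes:
        print("note:", note)
```

Run it against a real iked.log with `summarize(open(path).readlines())`; the regexes only recognize the line formats visible in the posted trace, so other iked versions may need their patterns adjusted.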


