[Vpn-help] Juniper SSG Commercial IPsec Gateway

Stefan Bauer Bauer at puhlmann.net
Fri Dec 14 04:31:17 CST 2007


> -----Original Message-----
> From: Matthew Grooms [mailto:mgrooms at shrew.net] 
> Sent: Friday, December 14, 2007 11:11 AM
> To: Stefan Bauer
> Cc: vpn-help at lists.shrew.net
> Subject: Re: [Vpn-help] Juniper SSG Commercial IPsec Gateway
> 
> 
> Matthew Grooms wrote:
> In any case, please give this build a whirl and let me know how it turns out.

Hi, here is the output:

## : IKE Daemon, ver 2.1.0
## : Copyright 2007 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8e 23 Feb 2007
ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
ii : rebuilding vnet device list ...
ii : device ROOT\VNET\0000 disabled
ii : network process thread begin ...
ii : pfkey process thread begin ...
ii : admin process thread begin ...
<A : peer config add message
DB : peer added
ii : local address 192.168.1.12:500 selected for peer
DB : tunnel added
<A : proposal config message
<A : proposal config message
<A : client config message
<A : local id 'sb at puhlmann.net' message
<A : remote id '' message
<A : preshared key message
<A : remote resource message
<A : peer tunnel enable message
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 192.168.1.12:500 <-> 62.245.200.not-public:500
DB : 392e4c03833e4c5f:0000000000000000
DB : phase1 added
>> : security association payload
>> : - proposal #1 payload 
>> : -- transform #1 payload 
>> : key exchange payload
>> : nonce payload
>> : identification payload
>> : vendor id payload
ii : local supports nat-t ( draft v00 )
>> : vendor id payload
ii : local supports nat-t ( draft v01 )
>> : vendor id payload
ii : local supports nat-t ( draft v02 )
>> : vendor id payload
ii : local supports nat-t ( draft v03 )
>> : vendor id payload
ii : local supports nat-t ( rfc )
>> : vendor id payload
ii : local supports FRAGMENTATION
>> : vendor id payload
ii : local supports DPDv1
>> : vendor id payload
ii : local is SHREW SOFT compatible
>> : vendor id payload
ii : local is CISCO UNITY compatible
>> : vendor id payload
ii : local is NETSCREEN compatible
>> : vendor id payload
ii : local is CHECKPOINT compatible
-> : send NAT-T:IKE packet 192.168.1.12:500 -> 62.245.200.not-public:500 ( 555 bytes )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 412 bytes )
DB : phase1 found
ii : processing phase1 packet ( 412 bytes )
<< : security association payload
<< : - propsal #1 payload 
<< : -- transform #1 payload 
ii : matched isakmp proposal #1 transform #1
ii : - transform    = ike
ii : - cipher type  = 3des
ii : - key length   = default
ii : - hash type    = sha1
ii : - dh group     = modp-1024
ii : - auth type    = psk
ii : - life seconds = 86400
ii : - life kbytes  = 512
<< : vendor id payload
ii : unknown vendor id ( 28 bytes )
<< : vendor id payload
ii : peer supports HEARTBEAT-NOTIFY
<< : key exchange payload
<< : nonce payload
<< : identification payload
ii : phase1 id match ( natt prevents ip match )
ii : phase1 id match ( ipv4-host 62.245.200.not-public )
<< : hash payload
<< : vendor id payload
ii : peer supports nat-t ( draft v00 )
<< : nat discovery payload
<< : nat discovery payload
ii : nat discovery - local address is translated
== : DH shared secret ( 128 bytes )
== : SETKEYID ( 20 bytes )
== : SETKEYID_d ( 20 bytes )
== : SETKEYID_a ( 20 bytes )
== : SETKEYID_e ( 20 bytes )
== : cipher key ( 40 bytes )
== : cipher iv ( 8 bytes )
== : phase1 hash_i ( computed ) ( 20 bytes )
>> : hash payload
>> : nat discovery payload
>> : nat discovery payload
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 100 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.1.12:500 -> 62.245.200.not-public:500 ( 128 bytes )
== : phase1 hash_r ( computed ) ( 20 bytes )
== : phase1 hash_r ( received ) ( 20 bytes )
ii : phase1 sa established
ii : 62.245.200.not-public:500 <-> 192.168.1.12:500
ii : 392e4c03833e4c5f:e01374ffed45c932
ii : sending peer INITIAL-CONTACT notification
ii : - 192.168.1.12:500 -> 62.245.200.not-public:500
ii : - isakmp spi = 392e4c03833e4c5f:e01374ffed45c932
ii : - data size 0
>> : hash payload
>> : notification payload
== : new informational hash ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.1.12:500 -> 62.245.200.not-public:500 ( 112 bytes )
DB : config added
ii : xauth is not required
ii : building config attribute list
ii : config is not required
DB : config deleted ( config count 0 )
DB : phase2 not found
ii : VNET adapter MTU is 1500
ii : enabled adapter ROOT\VNET\0000
ii : creating IPSEC INBOUND policy 192.168.10.0/24 -> 192.168.11.213/32
K> : send pfkey X_SPDADD UNSPEC message
ii : creating IPSEC OUTBOUND policy 192.168.11.213/32 -> 192.168.10.0/24
K> : send pfkey X_SPDADD UNSPEC message
ii : created IPSEC policy route for 192.168.10.0/24
K< : recv pfkey X_SPDADD UNSPEC message
DB : policy added
K< : recv pfkey X_SPDADD UNSPEC message
DB : policy added
K< : recv pfkey ACQUIRE UNSPEC message
DB : policy found
DB : policy found
DB : tunnel found
DB : new phase2 ( IPSEC initiator )
DB : phase2 added
K> : send pfkey GETSPI ESP message
K< : recv pfkey GETSPI ESP message
DB : phase2 found
ii : updated spi for 1 ipsec-esp proposal
DB : phase1 found
>> : hash payload
>> : security association payload
>> : - proposal #1 payload 
>> : -- transform #1 payload 
>> : -- transform #2 payload 
>> : nonce payload
>> : identification payload
>> : identification payload
== : phase2 hash_i ( input ) ( 160 bytes )
== : phase2 hash_i ( computed ) ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 208 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.1.12:500 -> 62.245.200.not-public:500 ( 240 bytes )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 204 bytes )
DB : phase1 found
ii : processing phase2 packet ( 204 bytes )
DB : phase2 found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 204 bytes )
<= : trimmed packet padding ( 8 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : security association payload
<< : - propsal #1 payload 
<< : -- transform #205 payload 

!! : rejecting phase2 proposal
!! : unhandled attribute type ( 32682 )

XX : warning, unprocessed payload data !!!
ii : sending peer ATTRIBUTES-NOT-SUPPORTED notification
ii : - 192.168.1.12:500 -> 62.245.200.not-public:500
ii : - isakmp spi = 392e4c03833e4c5f:e01374ffed45c932
ii : - data size 0
>> : hash payload
>> : notification payload
== : new informational hash ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.1.12:500 -> 62.245.200.not-public:500 ( 112 bytes )
DB : phase2 resend event canceled ( ref count = 1 )
DB : phase2 deleted before expire time ( phase2 count = 0 )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 204 bytes )
DB : phase1 found
ii : processing phase2 packet ( 204 bytes )
DB : phase2 not found
DB : new phase2 ( IPSEC responder )
DB : phase2 added
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 204 bytes )
!! : validate packet failed ( decryption error or corrupted )
!! : phase2 packet ignored ( packet decryption error )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 18 bytes )
DB : phase1 not found
XX : ike packet from 62.245.200.not-public ignored
XX : unknown phase1 sa for peer
XX : 22022d996b3b4100:c0bf4a003000000
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 204 bytes )
DB : phase1 found
ii : processing phase2 packet ( 204 bytes )
DB : phase2 found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 204 bytes )
!! : validate packet failed ( decryption error or corrupted )
!! : phase2 packet ignored ( packet decryption error )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 204 bytes )
DB : phase1 found
ii : processing phase2 packet ( 204 bytes )
DB : phase2 found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 204 bytes )
!! : validate packet failed ( decryption error or corrupted )
!! : phase2 packet ignored ( packet decryption error )
-> : send NAT-T:KEEP-ALIVE packet 192.168.1.12:500 -> 62.245.200.not-public:500
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 204 bytes )
DB : phase1 found
ii : processing phase2 packet ( 204 bytes )
DB : phase2 found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 204 bytes )
!! : validate packet failed ( decryption error or corrupted )
!! : phase2 packet ignored ( packet decryption error )
K< : recv pfkey ACQUIRE UNSPEC message
DB : policy found
DB : policy found
DB : tunnel found
DB : new phase2 ( IPSEC initiator )
DB : phase2 added
K> : send pfkey GETSPI ESP message
K< : recv pfkey GETSPI ESP message
DB : phase2 found
ii : updated spi for 1 ipsec-esp proposal
DB : phase1 found
>> : hash payload
>> : security association payload
>> : - proposal #1 payload 
>> : -- transform #1 payload 
>> : -- transform #2 payload 
>> : nonce payload
>> : identification payload
>> : identification payload
== : phase2 hash_i ( input ) ( 160 bytes )
== : phase2 hash_i ( computed ) ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 208 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.1.12:500 -> 62.245.200.not-public:500 ( 240 bytes )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 204 bytes )
DB : phase1 found
ii : processing phase2 packet ( 204 bytes )
DB : phase2 found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 204 bytes )
<= : trimmed packet padding ( 8 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : security association payload
<< : - propsal #1 payload 
<< : -- transform #86 payload 

!! : rejecting phase2 proposal
!! : unhandled attribute type ( 24894 )

XX : warning, unprocessed payload data !!!
ii : sending peer ATTRIBUTES-NOT-SUPPORTED notification
ii : - 192.168.1.12:500 -> 62.245.200.not-public:500
ii : - isakmp spi = 392e4c03833e4c5f:e01374ffed45c932
ii : - data size 0
>> : hash payload
>> : notification payload
== : new informational hash ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.1.12:500 -> 62.245.200.not-public:500 ( 112 bytes )
DB : phase2 resend event canceled ( ref count = 1 )
DB : phase2 deleted before expire time ( phase2 count = 1 )
<- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 204 bytes )
DB : phase1 found
ii : processing phase2 packet ( 204 bytes )
DB : phase2 not found
DB : new phase2 ( IPSEC responder )
DB : phase2 added
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 204 bytes )
!! : validate packet failed ( decryption error or corrupted )
!! : phase2 packet ignored ( packet decryption error )
<A : peer tunnel disable message
DB : policy found
ii : removing IPSEC INBOUND policy 192.168.10.0/24 -> 192.168.11.213/32
K> : send pfkey X_SPDDELETE2 UNSPEC message
DB : policy found
ii : removing IPSEC OUTBOUND policy 192.168.11.213/32 -> 192.168.10.0/24
K> : send pfkey X_SPDDELETE2 UNSPEC message
ii : removed IPSEC policy route for 192.168.10.0/24
K< : recv pfkey X_SPDDELETE2 UNSPEC message
DB : policy found
DB : policy deleted ( policy count = 1 )
K< : recv pfkey X_SPDDELETE2 UNSPEC message
DB : policy found
DB : policy deleted ( policy count = 0 )
ii : disabled adapter ROOT\VNET\0000
DB : removing all tunnel refrences
DB : phase2 deleted before expire time ( phase2 count = 1 )
DB : phase2 deleted before expire time ( phase2 count = 0 )
DB : phase1 natt event canceled ( ref count = 2 )
DB : phase1 hard event canceled ( ref count = 1 )
ii : sending peer DELETE message
ii : - 192.168.1.12:500 -> 62.245.200.not-public:500
ii : - isakmp spi = 392e4c03833e4c5f:e01374ffed45c932
ii : - data size 0
>> : hash payload
>> : delete payload
== : new informational hash ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet 192.168.1.12:500 -> 62.245.200.not-public:500 ( 112 bytes )
DB : phase1 deleted before expire time ( phase1 count = 0 )
DB : tunnel deleted ( tunnel count = 0 )
DB : peer deleted ( peer count = 0 )
ii : admin process thread exit ...


