[Vpn-help] Not entering quick mode

Matt Swift matt at its.monash.edu.au
Tue Feb 13 22:05:41 CST 2007


Hello fellow VPNers,

First off this is a really nice piece of software - grats to the
developers - it must have taken lots of time and effort. I have done a
search through your mailing list and I couldn't see this problem
mentioned; however, I hope I'm not repeating a previously answered
question.

My setup is as follows:
Openswan 2.4.5 running on Fedora Core 6 (2.6.18-1.2798)
Win XP SP2 running Shrew Soft VPN client
Host-to-host tunnel mode
Authentication using PSK

I am (seemingly) able to successfully establish my tunnel and SA.

However, when I go to transmit data through the connection (for example
using ping), the number of packets sent/received and the number of
bytes sent/received reported by the VPN client do not increase. They
stay at 0 for the duration of my connection. Running wireshark on both
the VPN server and client machines shows that ping requests and
replies are being transmitted, however they are not encapsulated using
ESP.

My VPN server log shows that the SA is created, however it never enters
quick mode. From reading
http://lists.openswan.org/pipermail/users/2006-November/011216.html I
would expect this to happen when I start pinging from the client to
the server.

Any ideas on why this is occurring? The log files from the client and
server are appended to this email.

Thanks for your time,
Matt Swift

------------------------

#######################################
#          /var/log/secure            #
#######################################

Feb 14 14:26:29 linux-box pluto[4908]: packet from a.b.c.d:500:
received Vendor ID payload [Cisco-Unity]
Feb 14 14:26:29 linux-box pluto[4908]: packet from a.b.c.d:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method
set to=106
Feb 14 14:26:29 linux-box pluto[4908]: packet from a.b.c.d:500:
received Vendor ID payload [RFC 3947] method set to=110
Feb 14 14:26:29 linux-box pluto[4908]: packet from a.b.c.d:500:
ignoring unknown Vendor ID payload
[4048b7d56ebce88525e7de7f00d6c2d380000000]
Feb 14 14:26:29 linux-box pluto[4908]: packet from a.b.c.d:500:
received Vendor ID payload [Dead Peer Detection]
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16:
responding to Main Mode from unknown peer a.b.c.d
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16:
STATE_MAIN_R1: sent MR1, expecting MI2
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16:
NAT-Traversal: Result using 3: no NAT detected
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16:
STATE_MAIN_R2: sent MR2, expecting MI3
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16:
Main mode peer ID is ID_IPV4_ADDR: 'a.b.c.d'
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16:
I did not send a certificate because I do not have one.
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1024}
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16:
ignoring informational payload, type IPSEC_INITIAL_CONTACT
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16:
received and ignored informational message
Feb 14 14:26:54 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16:
received Delete SA payload: deleting ISAKMP State #16
Feb 14 14:26:54 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d:
deleting connection "linux-to-win" instance with peer a.b.c.d
{isakmp=#0/ipsec=#0}
Feb 14 14:26:54 linux-box pluto[4908]: packet from a.b.c.d:500:
received and ignored informational message




#######################################
#            Client Output            #
#######################################

config loaded for site 'w.x.y.z'
configuring client settings ...
attached to IPSEC daemon ...
peer configured
remote id configured
pre-shared key configured
bringing up tunnel ...
virtual network device configured
virtual network device enabled
tunnel enabled
bringing down tunnel ...
session terminated by user
tunnel disabled
detached from IPSEC daemon ...




#######################################
#       Client Output (verbose)       #
#######################################

## : IPSEC Daemon, ver 1.1.0
## : Copyright 2006 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8a 11 Oct 2005
ii : opened 'dump-ike.cap'
ii : rebuilding vnet device list ...
ii : device ROOT\VNET\0000 disabled
ii : rebuilding vprot interface list ...
ii : skipping interface with null address
ii : interface IP=a.b.c.d, MTU=1300, MAC=00:16:76:20:b0:f1 active
ii : 1 adapter(s) active
ii : client ctrl thread begin ...
DB : tunnel added
DB : tunnel dereferenced ( ref count = 0, tunnel count = 1 )
<C : client peer config message
DB : ipsec peer not found
ii : local address selected for peer
ii : a.b.c.d ( Intel(R) PRO/1000 PM Network Connection - Packet
Scheduler Miniport )
<C : client user credentials message
<C : client remote id 'w.x.y.z' message
<C : client preshared key message
<C : client policy config message
<C : client tunnel enable message
DB : new phase1 sa ( ISAKMP initiator )
DB : exchange type is identity protect
DB : a.b.c.d:500 <-> w.x.y.z:500
DB : 11ce4db385c488c4:0000000000000000
DB : phase1 sa added
>> : security association payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
-> : send IKE packet to w.x.y.z:500 ( 188 bytes )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
<- : recv IKE packet from w.x.y.z:500 ( 140 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : security association payload
ii : matched phase1 proposal
ii : - protocol     = isakmp
ii : - transform    = ike
ii : - key length   = default
ii : - cipher type  = 3des
ii : - hash type    = md5
ii : - dh group     = modp-1024
ii : - auth type    = psk
ii : - life seconds = 86400
ii : - life kbytes  = 0
<< : vendor id payload
ii : unknown vendor id
 ( 12 bytes )
<< : vendor id payload
ii : peer supports DPDv1
<< : vendor id payload
ii : peer supports NAT-T RFC
>> : key exchange payload
>> : nonce payload
>> : nat discovery payload
>> : nat discovery payload
-> : send IKE packet to w.x.y.z:500 ( 224 bytes )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from w.x.y.z:500 ( 220 bytes )
DB : ipsec peer found
DB : phase1 sa found
<< : key exchange payload
<< : nonce payload
<< : nat discovery payload
<< : nat discovery payload
== : DH shared secret ( 128 bytes )
== : SETKEYID ( 16 bytes )
== : SETKEYID_d ( 16 bytes )
== : SETKEYID_a ( 16 bytes )
== : SETKEYID_e ( 16 bytes )
== : cipher key ( 32 bytes )
== : cipher iv ( 8 bytes )
>> : identification payload
== : phase1 hash_i ( computed ) ( 16 bytes )
>> : hash payload
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 60 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to w.x.y.z:500 ( 60 bytes )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
<- : recv IKE packet from w.x.y.z:500 ( 60 bytes )
DB : ipsec peer found
DB : phase1 sa found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 60 bytes )
== : stored iv ( 8 bytes )
<< : identification payload
<< : hash payload
ii : peerid matched ( w.x.y.z )
== : phase1 hash_r ( computed ) ( 16 bytes )
== : phase1 hash_r ( received ) ( 16 bytes )
ii : phase1 sa established
ii : a.b.c.d:500 <-> w.x.y.z:500
ii : 11ce4db385c488c4:2c84e19a43a0aa33
>> : hash payload
>> : notification payload
== : new informational hash ( 16 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 76 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to w.x.y.z:500 ( 76 bytes )
ii : sent peer notification, INITIAL-CONTACT
ii : a.b.c.d -> w.x.y.z
ii : isakmp spi = 11ce4db385c488c4:2c84e19a43a0aa33
ii : data size 0
DB : config added
== : new phase2 iv ( 8 bytes )
ii : determining required modecfg attributes
ii : isakmp config is not required
DB : config dereferenced ( ref count = 0, config count = 1 )
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
ii : client recv thread begin ...
ii : enabled adapter ROOT\VNET\0000
ii : waiting for vnet to arrive ...
!! : defaulting to MTU of 1500.
!! : add tunnel route for address w.x.y.z failed
DB : phase1 sa found
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
>> : hash payload
>> : notification payload
== : new informational hash ( 16 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to w.x.y.z:500 ( 84 bytes )
ii : sent peer notification, DPDV1-R-U-THERE
ii : a.b.c.d -> w.x.y.z
ii : isakmp spi = 11ce4db385c488c4:2c84e19a43a0aa33
ii : data size 4
<- : recv IKE packet from w.x.y.z:500 ( 84 bytes )
DB : ipsec peer found
DB : phase1 sa found
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 84 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : notification payload
== : informational hash_i ( computed ) ( 16 bytes )
== : informational hash_c ( computed ) ( 16 bytes )
ii : informational hash verified
ii : received peer notification, DPDV1-R-U-THERE-ACK
ii : w.x.y.z -> a.b.c.d
ii : isakmp spi = 11ce4db385c488c4:2c84e19a43a0aa33
ii : data size 4
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
>> : hash payload
>> : notification payload
== : new informational hash ( 16 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to w.x.y.z:500 ( 84 bytes )
ii : sent peer notification, DPDV1-R-U-THERE
ii : a.b.c.d -> w.x.y.z
ii : isakmp spi = 11ce4db385c488c4:2c84e19a43a0aa33
ii : data size 4
<- : recv IKE packet from w.x.y.z:500 ( 84 bytes )
DB : ipsec peer found
DB : phase1 sa found
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 84 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : notification payload
== : informational hash_i ( computed ) ( 16 bytes )
== : informational hash_c ( computed ) ( 16 bytes )
ii : informational hash verified
ii : received peer notification, DPDV1-R-U-THERE-ACK
ii : w.x.y.z -> a.b.c.d
ii : isakmp spi = 11ce4db385c488c4:2c84e19a43a0aa33
ii : data size 4
DB : phase1 sa dereferenced ( ref count = 0, phase1 count = 1 )
DB : tunnel dereferenced ( ref count = 2, tunnel count = 1 )
<C : client tunnel disable message
DB : removing all tunnel refrences
!! : deleted tunnel route for address w.x.y.z failed
ii : disabled adapter ROOT\VNET\0000
ii : client recv thread exit ...
DB : tunnel dereferenced ( ref count = 1, tunnel count = 1 )
ii : client ctrl thread exit ...
DB : config deleted
DB : tunnel dereferenced ( ref count = 0, tunnel count = 1 )
>> : hash payload
>> : notification payload
== : new informational hash ( 16 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 76 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet to w.x.y.z:500 ( 76 bytes )
ii : sent peer SA DELETE message
ii : a.b.c.d -> w.x.y.z
ii : isakmp spi = 11ce4db385c488c4:2c84e19a43a0aa33
DB : phase1 sa deleted before expire time
DB : tunnel deleted ( tunnel count = 0 )
<- : recv IKE packet from w.x.y.z:500 ( 76 bytes )
DB : ipsec peer not found
XX | ike packet from w.x.y.z ignored
XX | no tunnel defined for peer
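An added example, not part of the post above or of Openswan or the Shrew Soft client: a small parser that reads pluto lines in the format shown in the /var/log/secure excerpt and flags ISAKMP SAs that were established and later deleted without a Quick Mode (STATE_QUICK_*) transition or "IPsec SA established" ever being logged, which is the symptom in this post. The sample log is constructed from the excerpt with each record on one line (the mail wraps them); the message substrings matched are the ones that appear in the post.

```python
import re
from collections import defaultdict

# Constructed sample of Openswan pluto log lines, modelled on the /var/log/secure
# excerpt in the post (the mail wraps records; here each record is one line).
SAMPLE_LOG = """\
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16: responding to Main Mode from unknown peer a.b.c.d
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 14 14:26:29 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Feb 14 14:26:54 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d #16: received Delete SA payload: deleting ISAKMP State #16
Feb 14 14:26:54 linux-box pluto[4908]: "linux-to-win"[16] a.b.c.d: deleting connection "linux-to-win" instance with peer a.b.c.d {isakmp=#0/ipsec=#0}
"""

# One pluto record: "<conn>"[<instance>] <peer> [#<state>]: <message>
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[^\s:]+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
# Counters pluto prints when it tears a connection instance down.
DELETE_RE = re.compile(r"\{isakmp=#(?P<isakmp>\d+)/ipsec=#(?P<ipsec>\d+)\}")


def find_phase1_only(log_text):
    """Return one dict per ISAKMP SA (conn, peer, state number) that was
    established and then deleted without any Quick Mode state being logged."""
    sas = defaultdict(lambda: {"established": False, "quick": False, "deleted": False})
    ipsec_at_delete = {}  # (conn, peer) -> ipsec SA count reported at teardown
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # vendor-ID and other "packet from" lines carry no conn name
        conn, peer, sa, msg = m.group("conn", "peer", "sa", "msg")
        if sa is None:  # connection-level line, e.g. "deleting connection ..."
            d = DELETE_RE.search(msg)
            if d and "deleting connection" in msg:
                ipsec_at_delete[(conn, peer)] = int(d.group("ipsec"))
            continue
        rec = sas[(conn, peer, sa)]
        if "ISAKMP SA established" in msg:
            rec["established"] = True  # phase 1 (Main Mode) finished
        if "STATE_QUICK" in msg or "IPsec SA established" in msg:
            rec["quick"] = True  # phase 2 (Quick Mode) at least started
        if "deleting ISAKMP State" in msg:
            rec["deleted"] = True
    return [
        {"conn": c, "peer": p, "sa": s, "ipsec_at_delete": ipsec_at_delete.get((c, p))}
        for (c, p, s), rec in sas.items()
        if rec["established"] and rec["deleted"] and not rec["quick"]
    ]
```

Running `find_phase1_only(SAMPLE_LOG)` reports state #16 with `ipsec_at_delete` of 0, i.e. the peer tore the ISAKMP SA down without ever proposing an IPsec SA, which matches the client side never incrementing its ESP counters.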


