[Vpn-help] Commercial IPSec Gateway (ZyWall 1050)
Stephen Cohoon
scohoon at raps.org
Tue Oct 2 17:50:32 CDT 2007
Greetings,
I've tried configuring the Shrew Soft VPN client 2.0.1 to work with my
ZyWall 1050 to no avail. I can't get past phase 1, it seems, and the
client is replying to the gateway with invalid spi. Am I missing
something? Any help is welcomed.
iked.log:
<A : peer config add message
DB : peer ref increment ( ref count = 1, peer count = 0 )
DB : peer added
ii : local address 192.168.119.10:500 selected for peer
DB : tunnel ref increment ( ref count = 1, tunnel count = 0 )
DB : peer ref increment ( ref count = 2, peer count = 1 )
DB : tunnel added
<A : proposal config message
<A : proposal config message
<A : client config message
<A : remote id '[removed]' message
<A : preshared key message
<A : peer tunnel enable message
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 192.168.119.10:500 <-> 65.213.209.34:500
DB : bbdebab4f9553e7b:0000000000000000
DB : phase1 ref increment ( ref count = 1, phase1 count = 0 )
DB : tunnel ref increment ( ref count = 2, tunnel count = 1 )
DB : phase1 added
>> : security association payload
>> : - proposal #1 payload
>> : -- transform #1 payload
>> : key exchange payload
>> : nonce payload
>> : identification payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
-> : send IKE packet 192.168.119.10:500 -> 65.213.209.34:500 ( 344 bytes )
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
DB : phase1 ref decrement ( ref count = 1, phase1 count = 1 )
<- : recv IKE packet 65.213.209.34:500 -> 192.168.119.10:500 ( 533 bytes )
DB : phase1 found
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
<< : security association payload
<< : - propsal #1 payload
!! : invalid spi size of 8 for protocol isakmp
XX : warning, unprocessed payload data !!!
ii : sending peer INVALID-SPI notification
ii : - 192.168.119.10:500 -> 65.213.209.34:500
ii : - isakmp spi = bbdebab4f9553e7b:4e8270e2c1299bef
ii : - data size 0
>> : notification payload
-> : send IKE packet 192.168.119.10:500 -> 65.213.209.34:500 ( 84 bytes )
DB : phase1 resend event canceled ( ref count = 1 )
DB : phase1 deleted before expire time ( phase1 count = 0 )
DB : tunnel ref decrement ( ref count = 1, tunnel count = 1 )
DB : removing all tunnel refrences
DB : tunnel deleted ( tunnel count = 0 )
DB : peer ref decrement ( ref count = 1, peer count = 1 )
DB : peer deleted ( peer count = 0 )
The zywall reports this in its own logs:
2 2007-10-02 18:11:33 info IKE Recv:[NOTFY:INVALID_SPI] 192.168.119.10:500 65.213.209.34:500 IKE_LOG
3 2007-10-02 18:11:33 info IKE Send:[SA][KE][NONCE][ID][HASH][VID][VID][VID][VID][VID][VID][VID][VID][VID][NOTFY:INITIAL_CONTACT] 65.213.209.34:500 192.168.119.10:500 IKE_LOG
4 2007-10-02 18:11:33 info IKE The cookie pair is : 0x84861c1f4420a0d1 / 0x8bf99628ede70833 65.213.209.34:500 192.168.119.10:500 IKE_LOG
5 2007-10-02 18:11:33 info IKE Tunnel [ipsecGw_i:ipsecForL2TPConn] Recving IKE request 192.168.119.10:500 65.213.209.34:500 IKE_LOG
6 2007-10-02 18:11:33 info IKE Recv:[SA][KE][NONCE][ID][VID][VID][VID][VID] 192.168.119.10:500 65.213.209.34:500 IKE_LOG
7 2007-10-02 18:11:33 info IKE The cookie pair is : 0x84861c1f4420a0d1 / 0x8bf99628ede70833 [count=3] 192.168.119.10:500 65.213.209.34:500 IKE_LOG
8 2007-10-02 18:11:33 info IKE Recv Aggressive Mode request from [192.168.119.10] 192.168.119.10:500 65.213.209.34:500 IKE_LOG
9 2007-10-02 18:11:33 info IKE The cookie pair is : 0x84861c1f4420a0d1 / 0x0000000000000000 192.168.119.10:500 65.213.209.34:500 IKE_LOG
Stephen Cohoon
Information Technology
Regulatory Affairs Professionals Society
email: scohoon at raps.org; website: www.raps.org;
phone: 301.770.2920, ext. 236; fax: 301.770.2924
5635 Fishers Ln, Suite 550, Rockville, MD 20852
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RAPS—Advancing the Global Regulatory Profession
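
The client's "invalid spi size of 8 for protocol isakmp" line refers to the SPI Size field of the ISAKMP proposal payload; RFC 2408 section 3.5 says that for protocol ISAKMP this size may be 0 to 16 and the SPI content must be ignored. The parser below is an added example, not part of the original post and not Shrew Soft or ZyXEL code: the `strict_spi` switch is hypothetical and only assumed to resemble the check that produced the error, and the payload bytes are constructed, not captured from this exchange.

```python
import struct

PROTO_ISAKMP = 1  # protocol ID used in phase 1 proposals (RFC 2407)

def parse_proposal(buf, strict_spi=False):
    """Parse one ISAKMP proposal payload (RFC 2408 section 3.5).

    strict_spi is a hypothetical switch: True rejects any non-zero SPI size
    for protocol ISAKMP, False accepts 0..16 and ignores the SPI bytes.
    """
    if len(buf) < 8:
        raise ValueError("truncated proposal header")
    _next, _rsv, length, number, proto, spi_size, n_xf = struct.unpack(
        "!BBHBBBB", buf[:8])
    if length < 8 + spi_size or length > len(buf):
        raise ValueError("bad proposal length")
    if proto == PROTO_ISAKMP:
        if strict_spi and spi_size != 0:
            raise ValueError(
                f"invalid spi size of {spi_size} for protocol isakmp")
        if spi_size > 16:
            raise ValueError("isakmp spi size exceeds 16")
    off = 8 + spi_size  # skip the SPI; for ISAKMP its content is ignored
    transforms = []
    while off < length:
        if off + 8 > length:
            raise ValueError("truncated transform header")
        _n, _r, t_len, t_num, t_id, _r2 = struct.unpack(
            "!BBHBBH", buf[off:off + 8])
        if t_len < 8 or off + t_len > length:
            raise ValueError("bad transform length")
        transforms.append({"number": t_num, "id": t_id,
                           "attributes": buf[off + 8:off + t_len]})
        off += t_len
    if len(transforms) != n_xf:
        raise ValueError("transform count mismatch")
    return {"number": number, "protocol": proto,
            "spi_size": spi_size, "transforms": transforms}

# Constructed sample: proposal #1, protocol ISAKMP, 8-byte SPI, one KEY_IKE
# transform carrying two attributes (3DES, SHA-1). Not captured traffic.
_XF = struct.pack("!BBHBBH", 0, 0, 16, 1, 1, 0) + bytes.fromhex("8001000580020002")
SAMPLE = struct.pack("!BBHBBBB", 0, 0, 32, 1, 1, 8, 1) + b"\x11" * 8 + _XF

if __name__ == "__main__":
    print(parse_proposal(SAMPLE))
    try:
        parse_proposal(SAMPLE, strict_spi=True)
    except ValueError as exc:
        print("strict parser:", exc)
```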