[Vpn-help] Connecting to Linksys RV042
Marc Goldburg
mgoldburg at assia-inc.com
Mon Oct 8 13:10:31 CDT 2007
Hello,
I'm trying to connect to a "Group VPN" on a Linksys RV042 using the
ShrewSoft client v 2.0.1. The VPN is set up to authenticate based on a
client FQDN and shared secret, and the router's LAN-side subnet is
included in the client's Policy tab for that connection. Phase 1 and
Phase 2 are Diffie-Hellman Group 2/AES-256/MD5 with perfect forward
secrecy on phase 2.
I've attached a router log and an IKE log from the client for a
connection attempt below. It looks like Phase 1 is completing
successfully, but the router and client hang at the start (?) of Phase 2
with the router saying "Received informational payload, type
IPSEC_INITIAL_CONTACT" and the client saying "phase 2 not found." Any
suggestions for how to debug this or for alternate configurations would
be greatly appreciated. Thanks in advance!
Oct 8 10:49:45 2007 VPN Log Received Vendor ID
payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]
Oct 8 10:49:45 2007 VPN Log Ignoring Vendor ID payload
[4a131c8107035845...]
Oct 8 10:49:45 2007 VPN Log Ignoring Vendor ID payload
[4048b7d56ebce885...]
Oct 8 10:49:45 2007 VPN Log Received Vendor ID payload
Type = [Dead Peer Detection]
Oct 8 10:49:45 2007 VPN Log Ignoring Vendor ID payload
Type = [Cisco-Unity]
Oct 8 10:49:45 2007 VPN Log [Tunnel Negotiation Info]
<<< Responder Received Aggressive Mode 1st packet
Oct 8 10:49:45 2007 VPN Log Aggressive mode peer ID is
ID_USER_FQDN: 'md5-1 at assia-inc.com'
Oct 8 10:49:45 2007 VPN Log Responding to Aggressive
Mode from 67.152.82.178
Oct 8 10:49:46 2007 VPN Log [Tunnel Negotiation Info]
>>> Responder Send Aggressive Mode 2nd packet
Oct 8 10:49:46 2007 VPN Log [Tunnel Negotiation Info]
<<< Responder Received Aggressive Mode 3rd packet
Oct 8 10:49:46 2007 VPN Log Aggressive mode peer ID is
ID_USER_FQDN: 'md5-1 at assia-inc.com'
Oct 8 10:49:46 2007 VPN Log [Tunnel Negotiation Info]
Aggressive Mode Phase 1 SA Established
Oct 8 10:49:46 2007 VPN Log [Tunnel Negotiation Info]
Initiator Cookies = 35ca e22 fd29 d6c2
Oct 8 10:49:46 2007 VPN Log [Tunnel Negotiation Info]
Responder Cookies = 984d deda d02d 4191
Oct 8 10:49:46 2007 VPN Log Received informational
payload, type IPSEC_INITIAL_CONTACT
## : IKE Daemon, ver 2.0.1
## : Copyright 2007 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8e 23 Feb 2007
ii : opened C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
ii : opened C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike.cap'
ii : rebuilding vnet device list ...
ii : device ROOT\VNET\0000 disabled
ii : device ROOT\VNET\0001 disabled
ii : network process thread begin ...
ii : pfkey process thread begin ...
ii : admin process thread begin ...
<A : peer config add message
DB : peer ref increment ( ref count = 1, peer count = 0 )
DB : peer added
ii : local address 192.168.0.102:500 selected for peer
DB : tunnel ref increment ( ref count = 1, tunnel count = 0 )
DB : peer ref increment ( ref count = 2, peer count = 1 )
DB : tunnel added
<A : proposal config message
<A : proposal config message
<A : client config message
<A : local id 'md5-1 at assia-inc.com' message
<A : preshared key message
<A : remote resource message
<A : peer tunnel enable message
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 192.168.0.102:500 <-> 67.152.82.162:500
DB : 35cae202fd29d6c2:0000000000000000
DB : phase1 ref increment ( ref count = 1, phase1 count = 0 )
DB : tunnel ref increment ( ref count = 2, tunnel count = 1 )
DB : phase1 added
>> : security association payload
>> : - proposal #1 payload
>> : -- transform #1 payload
>> : key exchange payload
>> : nonce payload
>> : identification payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
-> : send IKE packet 192.168.0.102:500 -> 67.152.82.162:500 ( 403 bytes )
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
DB : phase1 ref decrement ( ref count = 1, phase1 count = 1 )
<- : recv IKE packet 67.152.82.162:500 -> 192.168.0.102:500 ( 272 bytes )
DB : phase1 found
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
<< : security association payload
<< : - propsal #1 payload
<< : -- transform #1 payload
ii : matched isakmp proposal #1 transform #1
ii : - transform = ike
ii : - cipher type = aes
ii : - key length = 256 bits
ii : - hash type = md5
ii : - dh group = modp-1024
ii : - auth type = psk
ii : - life seconds = 28800
ii : - life kbytes = 0
<< : key exchange payload
<< : nonce payload
<< : identification payload
ii : phase1 id match ( natt prevents ip match )
ii : phase1 id match ( ipv4-host 67.152.82.162 )
<< : hash payload
== : DH shared secret ( 128 bytes )
== : SETKEYID ( 16 bytes )
== : SETKEYID_d ( 16 bytes )
== : SETKEYID_a ( 16 bytes )
== : SETKEYID_e ( 16 bytes )
== : cipher key ( 32 bytes )
== : cipher iv ( 16 bytes )
== : phase1 hash_i ( computed ) ( 16 bytes )
>> : hash payload
>= : encrypt iv ( 16 bytes )
=> : encrypt packet ( 48 bytes )
== : stored iv ( 16 bytes )
DB : phase1 ref decrement ( ref count = 1, phase1 count = 1 )
-> : send IKE packet 192.168.0.102:500 -> 67.152.82.162:500 ( 88 bytes )
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
== : phase1 hash_r ( computed ) ( 16 bytes )
== : phase1 hash_r ( received ) ( 16 bytes )
ii : phase1 sa established
ii : 67.152.82.162:500 <-> 192.168.0.102:500
ii : 35cae202fd29d6c2:984ddedad02d4191
DB : phase1 ref decrement ( ref count = 1, phase1 count = 1 )
ii : sending peer INITIAL-CONTACT notification
ii : - 192.168.0.102:500 -> 67.152.82.162:500
ii : - isakmp spi = 35cae202fd29d6c2:984ddedad02d4191
ii : - data size 0
>> : hash payload
>> : notification payload
== : new informational hash ( 16 bytes )
== : new phase2 iv ( 16 bytes )
>= : encrypt iv ( 16 bytes )
=> : encrypt packet ( 76 bytes )
== : stored iv ( 16 bytes )
-> : send IKE packet 192.168.0.102:500 -> 67.152.82.162:500 ( 104 bytes )
DB : config ref increment ( ref count = 1, config count = 0 )
DB : tunnel ref increment ( ref count = 3, tunnel count = 1 )
DB : config added
ii : xauth is not required
ii : building config attribute list
ii : excluding unity attribute set
ii : - IP4 DNS Server
ii : sending config pull request
== : new phase2 iv ( 16 bytes )
>> : hash payload
>> : attribute payload
== : new configure hash ( 16 bytes )
>= : encrypt iv ( 16 bytes )
=> : encrypt packet ( 60 bytes )
== : stored iv ( 16 bytes )
-> : send IKE packet 192.168.0.102:500 -> 67.152.82.162:500 ( 88 bytes )
DB : config ref increment ( ref count = 2, config count = 1 )
DB : config ref decrement ( ref count = 1, config count = 1 )
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
DB : phase2 not found
DB : phase1 ref decrement ( ref count = 1, phase1 count = 1 )
ii : resending 1 exchange packet(s)
ii : resending 1 exchange packet(s)
ii : exchange packet resend limit exceeded
DB : config deleted ( config count 0 )
DB : tunnel ref decrement ( ref count = 2, tunnel count = 1 )
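An added example, not part of the original post and not Shrew Soft's code: a small Python script that reads iked.log lines of the kind quoted above (a constructed, trimmed copy of that log is embedded as sample input) and reports which IKE exchange the client was still waiting on when it gave up. Read in order, the client log shows aggressive-mode phase 1 completing, an INITIAL-CONTACT notification being sent, and then a config pull request that is sent once, resent twice and never answered before "exchange packet resend limit exceeded"; the script makes that sequence explicit so it can be compared against the router side. The message prefixes it keys on ("new phase1", "sending config pull request", "phase1 sa established", "resending", ...) are taken from the log as quoted; the exchange labels, and the assumption that only phase 1 and the config request expect a reply while the INITIAL-CONTACT notification is one-way, are mine.

```python
"""Summarise a ShrewSoft iked.log negotiation: which exchanges were sent,
which got a reply, and where the client gave up."""
import re

# Constructed sample input: a trimmed copy of the client log quoted in the
# post above (message lines only; the DB ref-count noise is left out).
SAMPLE_LOG = """\
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is aggressive
-> : send IKE packet 192.168.0.102:500 -> 67.152.82.162:500 ( 403 bytes )
<- : recv IKE packet 67.152.82.162:500 -> 192.168.0.102:500 ( 272 bytes )
ii : matched isakmp proposal #1 transform #1
ii : - cipher type = aes
ii : - key length = 256 bits
ii : - hash type = md5
ii : - dh group = modp-1024
ii : - auth type = psk
-> : send IKE packet 192.168.0.102:500 -> 67.152.82.162:500 ( 88 bytes )
ii : phase1 sa established
ii : sending peer INITIAL-CONTACT notification
-> : send IKE packet 192.168.0.102:500 -> 67.152.82.162:500 ( 104 bytes )
ii : xauth is not required
ii : sending config pull request
-> : send IKE packet 192.168.0.102:500 -> 67.152.82.162:500 ( 88 bytes )
DB : phase2 not found
ii : resending 1 exchange packet(s)
ii : resending 1 exchange packet(s)
ii : exchange packet resend limit exceeded
"""

# Every iked.log line is "<two-char tag> : <message>".
LINE_RE = re.compile(r"^(?P<tag>\S\S) : (?P<msg>.*)$")
# Proposal parameters are logged as "- key = value" under the ii tag.
PARAM_RE = re.compile(r"^- (?P<key>[a-z ]+?) = (?P<val>.+)$")

# Exchange labels are mine. The second field is an assumption: phase 1 and
# the config (mode-config) pull are request/response, the INITIAL-CONTACT
# notification is a one-way informational and expects no reply.
EXCHANGES = {
    "new phase1": ("phase1", True),
    "sending peer INITIAL-CONTACT": ("initial-contact notify", False),
    "sending config pull request": ("config pull (mode-config)", True),
}


def analyse(text):
    """Walk the log once and count sent/received packets per exchange."""
    report = {
        "exchange_type": None,
        "phase1_params": {},
        "phase1_established": False,
        "exchanges": [],
        "resends": 0,
        "resend_limit_exceeded": False,
        "phase2_not_found": False,
    }
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tag, msg = m.group("tag"), m.group("msg")
        started = next((v for k, v in EXCHANGES.items() if msg.startswith(k)), None)
        if started:
            current = {"name": started[0], "expects_reply": started[1],
                       "sent": 0, "recv": 0}
            report["exchanges"].append(current)
        elif msg.startswith("exchange type is "):
            report["exchange_type"] = msg.split(" is ", 1)[1]
        elif msg.startswith("send IKE packet") and current:
            current["sent"] += 1
        elif msg.startswith("recv IKE packet") and current:
            current["recv"] += 1
        elif msg == "phase1 sa established":
            report["phase1_established"] = True
        elif msg.startswith("resending"):
            report["resends"] += 1
        elif msg == "exchange packet resend limit exceeded":
            report["resend_limit_exceeded"] = True
        elif msg == "phase2 not found":
            report["phase2_not_found"] = True
        elif tag == "ii" and not report["phase1_established"]:
            # Only the matched phase-1 proposal is recorded as parameters.
            pm = PARAM_RE.match(msg)
            if pm:
                report["phase1_params"][pm.group("key")] = pm.group("val")
    return report


def stalled_exchange(report):
    """Name of the first exchange that expected a reply but got none, or None."""
    for ex in report["exchanges"]:
        if ex["expects_reply"] and ex["sent"] and not ex["recv"]:
            return ex["name"]
    return None


def diagnose(report):
    """Human-readable summary of the negotiation and where it stalled."""
    lines = ["phase 1 (%s mode): %s, %s" % (
        report["exchange_type"],
        "established" if report["phase1_established"] else "NOT established",
        ", ".join("%s=%s" % kv for kv in report["phase1_params"].items()))]
    for ex in report["exchanges"]:
        lines.append("  %-26s sent=%d recv=%d" % (ex["name"], ex["sent"], ex["recv"]))
    stalled = stalled_exchange(report)
    if stalled:
        lines.append("stalled on: %s (%d resend(s), limit exceeded=%s)" % (
            stalled, report["resends"], report["resend_limit_exceeded"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(diagnose(analyse(SAMPLE_LOG)))
```

Run against a real iked.log by passing its contents to analyse() instead of SAMPLE_LOG; the summary pairs naturally with the router's own log, since the router side quoted above ends at the INITIAL-CONTACT informational and shows nothing for the config request at all.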