[Vpn-help] trouble compiling beta3 on Ubuntu 6.0.6 lts

Harondel J. Sibble help at pdscc.com
Mon Sep 17 15:14:21 CDT 2007


Matthew

On 10 Sep 2007 at 19:16, Matthew Grooms wrote:

> > I'll test it out now against the Fortinet Wifi-60a client has and report
> > back results along with a few other commercial vpn gateways I have under my

> I am looking forward to hearing the results :) I am more than happy to 
> act as a sounding board, review log output, ike packet dumps or invest 
> coding time if required to improve interoperability with any of your 
> gateway devices.

Here's where I am at: I am seeing lots of DPD traffic happening, but it 
doesn't look like it's getting to Phase 2. Here's what I am seeing on the 
router side; I've obscured any possibly sensitive info.

At the VPN client end, I have the laptop running Ubuntu 6.0.6 LTS and the 
beta 3 of the Shrew client going through a Fortigate 50 router connecting to 
a Fortigate Wifi60a gateway.


 comes www.xxx.yyy.zzz:51859->aaa.bbb.ccc.ddd:500,ifindex=4....
0: Exchange=4 I_COOKIE=xxxxxxxxxxxxxxxxxxxxx R_COOKIE=xxxxxxxxxxxxxxxxxxxx 
len=410
The peer id is staff.member1
0:P1_Reco_ipsec_vpn: new connection.
0:P1_Reco_ipsec_vpn:0: received payloads SA KE NONCE ID VID VID VID VID
0:P1_Reco_ipsec_vpn:347: responder: aggressive mode get 1st message...
0:P1_Reco_ipsec_vpn:347: parse all vendor ids...
0:P1_Reco_ipsec_vpn:347: found NAT-T v2
0:P1_Reco_ipsec_vpn:347 found FortiClient v3
0:P1_Reco_ipsec_vpn:347: found DPD v2
0:P1_Reco_ipsec_vpn:347: found Cisco Unity client
0:P1_Reco_ipsec_vpn:347: negotiation result
0:P1_Reco_ipsec_vpn:347: proposal id = 1:
0:P1_Reco_ipsec_vpn:347:   protocol id = ISAKMP:
0:P1_Reco_ipsec_vpn:347:      trans_id = KEY_IKE.
0:P1_Reco_ipsec_vpn:347:      encapsulation = IKE/none
0:P1_Reco_ipsec_vpn:347:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
0:P1_Reco_ipsec_vpn:347:         type=OAKLEY_HASH_ALG, val=SHA.
0:P1_Reco_ipsec_vpn:347:         type=AUTH_METHOD, val=PRESHARED_KEY.
0:P1_Reco_ipsec_vpn:347:         type=OAKLEY_GROUP, val=1536.
0:P1_Reco_ipsec_vpn:347:         type=KEY_LENGTH, val=256.
0:P1_Reco_ipsec_vpn:347: phase1 lifetimes=28800
0:P1_Reco_ipsec_vpn:347: sending DPD VID payloads....
0:P1_Reco_ipsec_vpn:347: sending FGT DPD VID payloads....
0:P1_Reco_ipsec_vpn:347: Sending VID payload....
P1_Reco_ipsec_vpn: Responder: sent www.xxx.yyy.zzz aggressive mode message #1 
(OK)
0:P1_Reco_ipsec_vpn:347: send IKE Packet(STF_REPLY):aaa.bbb.ccc.ddd:500(if4) -> www.xxx.yyy.zzz:51859, len=420
0:P1_Reco_ipsec_vpn:347: retransmit timeout=6.


0: comes www.xxx.yyy.zzz:51859->aaa.bbb.ccc.ddd:500,ifindex=4....
0: Exchange=4 I_COOKIE=xxxxxxxxxxxxxxxxxxx R_COOKIE=xxxxxxxxxxxxxxxxx len=60
0: checking P1_Reco_ipsec_vpn aaa.bbb.ccc.ddd 4 -> www.xxx.yyy.zzz:51859
0:P1_Reco_ipsec_vpn: phase1 found
0:P1_Reco_ipsec_vpn:347: received payloads HASH
0:P1_Reco_ipsec_vpn:347: responder: aggressive mode get 2nd response...
0:P1_Reco_ipsec_vpn:347: set phase1 state timeout=28800
P1_Reco_ipsec_vpn: Responder: parsed www.xxx.yyy.zzz aggressive mode message 
#2 (DONE)
0:P1_Reco_ipsec_vpn: adding new dialup tunnel for www.xxx.yyy.zzz:51859
0:P1_Reco_ipsec_vpn_0: added new dialup tunnel for www.xxx.yyy.zzz:51859


0: comes www.xxx.yyy.zzz:51859->aaa.bbb.ccc.ddd:500,ifindex=4....
0: Exchange=5 Message=0x1ACE4F83 len=92
0: checking P1_Reco_ipsec_vpn_0 aaa.bbb.ccc.ddd 4 -> www.xxx.yyy.zzz:51859
0:P1_Reco_ipsec_vpn_0: phase1 found
0:P1_Reco_ipsec_vpn_0:347: received payloads HASH Notif
0:P1_Reco_ipsec_vpn_0:347: received protected info
0:P1_Reco_ipsec_vpn_0:347:   protocol_id=1, notify_msg=24578 (24578??), 
ispi_size=16
0:P1_Reco_ipsec_vpn_0:347:   spi=yyyyyyyyyyyyyyyyyyyyyyyy
0:P1_Reco_ipsec_vpn_0:347:   Msg=ô¿@3
0:P1_Reco_ipsec_vpn_0:347: processing INITIAL-CONTACT
0:P1_Reco_ipsec_vpn_0: flushing
0:P1_Reco_ipsec_vpn_0: flushed
0:P1_Reco_ipsec_vpn_0:347: processed INITIAL-CONTACT


0:P1_Reco_ipsec_vpn_0: no ISAKMP SA available to send DPD, so delete dynamic 
connection


0: comes www.xxx.yyy.zzz:51859->aaa.bbb.ccc.ddd:500,ifindex=4....
0: Exchange=5 Message=0x7DB5C7A7 len=92
0: checking P1_Reco_ipsec_vpn_0 aaa.bbb.ccc.ddd 4 -> www.xxx.yyy.zzz:51859
0:P1_Reco_ipsec_vpn_0: phase1 found
0:P1_Reco_ipsec_vpn_0:347: received payloads HASH Notif
0:P1_Reco_ipsec_vpn_0:347: received protected info
0:P1_Reco_ipsec_vpn_0:347: send IKE Packet(DPD 
response):aaa.bbb.ccc.ddd:500(if4) -> www.xxx.yyy.zzz:51859, len=92


0: comes www.xxx.yyy.zzz:51859->aaa.bbb.ccc.ddd:500,ifindex=4....
0: Exchange=5 Message=0x96FC1503 len=92
0: checking P1_Reco_ipsec_vpn_0 aaa.bbb.ccc.ddd 4 -> www.xxx.yyy.zzz:51859
0:P1_Reco_ipsec_vpn_0: phase1 found
0:P1_Reco_ipsec_vpn_0:347: received payloads HASH Notif
0:P1_Reco_ipsec_vpn_0:347: received protected info
0:P1_Reco_ipsec_vpn_0:347: send IKE Packet(DPD 
response):aaa.bbb.ccc.ddd:500(if4) -> www.xxx.yyy.zzz:51859, len=92


On the Shrew side I see the following. P.S. Is there a way to have a 
date/time stamp on the logs? That'd be really handy to have.

I'm seeing similar results with NAT Traversal enabled or disabled on the 
client side. What is the difference between the push and pull configuration 
methods on the general tab?

Where do I get the SysV startup script I see mentioned in a few posts? It 
doesn't seem to be around after my compile.

Lastly, running iked manually, I noticed it stops running on its own about 
half the time and has to be restarted manually.


## : IKE Daemon, ver 2.0.0
## : Copyright 2007 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8a 11 Oct 2005
ii : opened /var/log/iked.log'
ii : opened /var/log/ike.pcap'
ii : opened /var/log/pub.pcap'
ii : network process thread begin ...
ii : pfkey process thread begin ...
K! : recv X_SPDDUMP message failure ( errno = 2 )
ii : admin process thread begin ...
<A : peer config add message
<A : proposal config message
<A : proposal config message
<A : client config message
<A : local id 'staff.member1' message
<A : preshared key message
<A : remote resource message
<A : peer tunnel enable message
ii : opened tap device tap0
ii : matched isakmp proposal #1 transform #1
ii : - transform    = ike
ii : - cipher type  = aes
ii : - key length   = 256 bits
ii : - hash type    = sha1
ii : - dh group     = modp-1536
ii : - auth type    = psk
ii : - life seconds = 28800
ii : - life kbytes  = 0
ii : phase1 id match ( natt prevents ip match )
ii : phase1 id match ( ipv4-host aaa.bbb.ccc.ddd )
ii : peer supports DPDv1
ii : phase1 sa established
ii : aaa.bbb.ccc.ddd:500 <-> fff.ggg.eee.hhh:500
ii : (the spi has been obscured)
ii : sending peer INITIAL-CONTACT notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 0
ii : xauth is not required
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : sending peer DPDV1-R-U-THERE notification
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - aaa.bbb.ccc.ddd:500 -> fff.ggg.eee.hhh:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 4
<A : peer tunnel disable message
ii : closed tap device tap0
DB : removing all tunnel refrences
ii : sending peer DELETE message
ii : - fff.ggg.eee.hhh:500 -> aaa.bbb.ccc.ddd:500
ii : - isakmp spi = (the spi has been obscured)
ii : - data size 0
DB : phase1 deleted before expire time ( phase1 count = 0 )
ii : removed IPSEC policy route for 0.0.0.0

-- 
Harondel J. Sibble 
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax)      (604) 686-2253 (pager)
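One way to read an iked log like the one above mechanically, as an added example that is not part of the original post or of the Shrew Soft code: a small Python summariser that records the matched phase 1 proposal, counts DPD R-U-THERE probes and their ACKs, and reports whether a phase 2 SA ever came up. The sample log is a constructed excerpt modelled on the post, and the "phase2 sa established" message it looks for is assumed to be iked's wording.

```python
import re

# Constructed excerpt modelled on the Shrew Soft iked log in this post,
# not the full log as posted.
SAMPLE_LOG = """\
ii : matched isakmp proposal #1 transform #1
ii : - cipher type  = aes
ii : - key length   = 256 bits
ii : - hash type    = sha1
ii : - dh group     = modp-1536
ii : - auth type    = psk
ii : peer supports DPDv1
ii : phase1 sa established
ii : sending peer INITIAL-CONTACT notification
ii : xauth is not required
ii : sending peer DPDV1-R-U-THERE notification
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : sending peer DPDV1-R-U-THERE notification
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : sending peer DPDV1-R-U-THERE notification
<A : peer tunnel disable message
ii : sending peer DELETE message
DB : phase1 deleted before expire time ( phase1 count = 0 )
"""

PROPOSAL_RE = re.compile(r"- (cipher type|key length|hash type|dh group|auth type)\s+= (.+)")

def summarize_iked_log(text):
    """Walk the log once and record how far the IKE negotiation got."""
    s = {"phase1_established": False, "phase2_established": False,
         "dpd_sent": 0, "dpd_acked": 0, "deleted_early": False, "proposal": {}}
    for line in text.splitlines():
        # iked prefixes every line with a two-character tag and " : "
        msg = line.split(" : ", 1)[1] if " : " in line else line
        if msg == "phase1 sa established":
            s["phase1_established"] = True
        elif msg == "phase2 sa established":          # assumed iked wording
            s["phase2_established"] = True
        elif msg.startswith("sending peer DPDV1-R-U-THERE notification"):
            s["dpd_sent"] += 1
        elif msg.startswith("received peer DPDV1-R-U-THERE-ACK"):
            s["dpd_acked"] += 1
        elif msg.startswith("phase1 deleted before expire time"):
            s["deleted_early"] = True
        m = PROPOSAL_RE.match(msg)
        if m:
            s["proposal"][m.group(1)] = m.group(2)
    return s

def diagnose(s):
    """Turn the summary into the one-line verdict a troubleshooter wants."""
    if not s["phase1_established"]:
        return "phase1 never established"
    if not s["phase2_established"]:
        return ("phase1 up, %d/%d DPD probes acknowledged, but no phase2 SA: "
                "the peer is alive yet no IPsec SA was negotiated"
                % (s["dpd_acked"], s["dpd_sent"]))
    return "phase1 and phase2 established"

if __name__ == "__main__":
    print(diagnose(summarize_iked_log(SAMPLE_LOG)))
```

Pointing the summariser at /var/log/iked.log instead of the constructed sample gives the same verdict for a log shaped like the one in the post.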
