[Vpn-help] Zywall 70 problem

Vladislav Malyshkin mal at gromco.com
Sun Mar 9 11:24:38 CDT 2008


Hi,
I have a problem establishing a phase 2 VPN to a Zywall 70 using version 2.0.3.
Linux racoon called directly is OK with the Zywall 70; Shrew VPN is not.
The 2.1 beta does not work for any router.
Other routers are OK.
Also, the 2.1 beta created a number of devices which are hard to remove
from the Windows configuration.

The failed phase 2 connection log is attached.

## : IKE Daemon, ver 2.0.3
## : Copyright 2007 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8e 23 Feb 2007
ii : opened C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
ii : rebuilding vnet device list ...
ii : device ROOT\VNET\0000 disabled
ii : device ROOT\VNET\0001 disabled
ii : device ROOT\VNET\0002 disabled
ii : device ROOT\VNET\0003 disabled
ii : device ROOT\VNET\0004 disabled
ii : device ROOT\VNET\0009 disabled
ii : device ROOT\VNET\0012 disabled
ii : network process thread begin ...
ii : pfkey process thread begin ...
ii : admin process thread begin ...
<A : peer config add message
DB : peer added
ii : local address 192.168.2.154:500 selected for peer
DB : tunnel added
<A : proposal config message
<A : proposal config message
<A : client config message
<A : local id 't_loc at forumcm.com' message
<A : remote id 't_rem at forumcm.com' message
<A : preshared key message
<A : peer tunnel enable message
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 192.168.2.20:500 <-> 1.2.3.4:500
DB : 86b72a443771512d:0000000000000000
DB : phase1 added
 >> : security association payload
 >> : - proposal #1 payload
 >> : -- transform #1 payload
 >> : key exchange payload
 >> : nonce payload
 >> : identification payload
 >> : vendor id payload
 >> : vendor id payload
 >> : vendor id payload
 >> : vendor id payload
 >> : vendor id payload
-> : send IKE packet 192.168.2.20:500 -> 1.2.3.4:500 ( 401 bytes )
<- : recv IKE packet 1.2.3.4:500 -> 192.168.2.20:500 ( 337 bytes )
DB : phase1 found
<< : security association payload
<< : - propsal #1 payload
<< : -- transform #1 payload
ii : matched isakmp proposal #1 transform #1
ii : - transform    = ike
ii : - cipher type  = aes
ii : - key length   = 192 bits
ii : - hash type    = sha1
ii : - dh group     = modp-1024
ii : - auth type    = psk
ii : - life seconds = 86400
ii : - life kbytes  = 0
<< : key exchange payload
<< : nonce payload
<< : identification payload
ii : phase1 id match ( user-fqdn t_rem at forumcm.com )
<< : hash payload
<< : vendor id payload
ii : peer supports DPDv1
<< : vendor id payload
ii : unknown vendor id ( 20 bytes )
== : DH shared secret ( 128 bytes )
== : SETKEYID ( 20 bytes )
== : SETKEYID_d ( 20 bytes )
== : SETKEYID_a ( 20 bytes )
== : SETKEYID_e ( 20 bytes )
== : cipher key ( 24 bytes )
== : cipher iv ( 16 bytes )
== : phase1 hash_i ( computed ) ( 20 bytes )
 >> : hash payload
 >= : encrypt iv ( 16 bytes )
=> : encrypt packet ( 52 bytes )
== : stored iv ( 16 bytes )
-> : send IKE packet 192.168.2.20:500 -> 1.2.3.4:500 ( 88 bytes )
== : phase1 hash_r ( computed ) ( 20 bytes )
== : phase1 hash_r ( received ) ( 20 bytes )
ii : phase1 sa established
ii : 1.2.3.4:500 <-> 192.168.2.20:500
ii : 86b72a443771512d:2db38e041d76b4b0
ii : sending peer INITIAL-CONTACT notification
ii : - 192.168.2.20:500 -> 1.2.3.4:500
ii : - isakmp spi = 86b72a443771512d:2db38e041d76b4b0
ii : - data size 0
 >> : hash payload
 >> : notification payload
== : new informational hash ( 20 bytes )
== : new phase2 iv ( 16 bytes )
 >= : encrypt iv ( 16 bytes )
=> : encrypt packet ( 80 bytes )
== : stored iv ( 16 bytes )
-> : send IKE packet 192.168.2.20:500 -> 1.2.3.4:500 ( 120 bytes )
DB : config added
ii : xauth is not required
ii : building config attribute list
ii : excluding unity attribute set
ii : config is not required
DB : config deleted ( config count 0 )
DB : phase2 not found
ii : VNET adapter MTU is 1500
ii : enabled adapter ROOT\VNET\0000
ii : creating NONE INBOUND policy 1.2.3.4/32 -> 192.168.2.20/32
K> : send X_SPDADD UNSPEC pfkey message
ii : creating NONE OUTBOUND policy 192.168.2.20/32 -> 1.2.3.4/32
K> : send X_SPDADD UNSPEC pfkey message
K< : recv X_SPDADD UNSPEC pfkey message
DB : policy added
K< : recv X_SPDADD UNSPEC pfkey message
DB : policy added
ii : created NONE policy route for 1.2.3.4/32
ii : creating IPSEC INBOUND policy 0.0.0.0 -> 192.168.169.80/32
K> : send X_SPDADD UNSPEC pfkey message
ii : creating IPSEC OUTBOUND policy 192.168.169.80/32 -> 0.0.0.0
K> : send X_SPDADD UNSPEC pfkey message
ii : created IPSEC policy route for 0.0.0.0
K< : recv X_SPDADD UNSPEC pfkey message
DB : policy added
K< : recv X_SPDADD UNSPEC pfkey message
DB : policy added
K< : recv ACQUIRE UNSPEC pfkey message
DB : policy found
DB : policy found
DB : tunnel found
DB : new phase2 ( IPSEC initiator )
DB : phase2 added
K> : send GETSPI ESP pfkey message
K< : recv GETSPI ESP pfkey message
DB : phase2 found
ii : updated spi for 1 ipsec-esp proposal
DB : phase1 found
 >> : hash payload
 >> : security association payload
 >> : - proposal #1 payload
 >> : -- transform #1 payload
 >> : nonce payload
 >> : key exchange payload
 >> : identification payload
 >> : identification payload
== : phase2 hash_i ( input ) ( 248 bytes )
== : phase2 hash_i ( computed ) ( 20 bytes )
== : new phase2 iv ( 16 bytes )
 >= : encrypt iv ( 16 bytes )
=> : encrypt packet ( 296 bytes )
== : stored iv ( 16 bytes )
-> : send IKE packet 192.168.2.20:500 -> 1.2.3.4:500 ( 328 bytes )
ii : resending 1 exchange packet(s)
ii : sending peer DPDV1-R-U-THERE notification
ii : - 192.168.2.20:500 -> 1.2.3.4:500
ii : - isakmp spi = 86b72a443771512d:2db38e041d76b4b0
ii : - data size 4
 >> : hash payload
 >> : notification payload
== : new informational hash ( 20 bytes )
== : new phase2 iv ( 16 bytes )
 >= : encrypt iv ( 16 bytes )
=> : encrypt packet ( 84 bytes )
== : stored iv ( 16 bytes )
-> : send IKE packet 192.168.2.20:500 -> 1.2.3.4:500 ( 120 bytes )
ii : DPD ARE-YOU-THERE sequence 11f9741b requested
ii : resending 1 exchange packet(s)
ii : exchange packet resend limit exceeded
DB : phase2 deleted before expire time ( phase2 count = 0 )
K< : recv ACQUIRE UNSPEC pfkey message
DB : policy found
DB : policy found
DB : tunnel found
DB : new phase2 ( IPSEC initiator )
DB : phase2 added
K> : send GETSPI ESP pfkey message
K< : recv GETSPI ESP pfkey message
DB : phase2 found
ii : updated spi for 1 ipsec-esp proposal
DB : phase1 found
 >> : hash payload
 >> : security association payload
 >> : - proposal #1 payload
 >> : -- transform #1 payload
 >> : nonce payload
 >> : key exchange payload
 >> : identification payload
 >> : identification payload
== : phase2 hash_i ( input ) ( 248 bytes )
== : phase2 hash_i ( computed ) ( 20 bytes )
== : new phase2 iv ( 16 bytes )
 >= : encrypt iv ( 16 bytes )
=> : encrypt packet ( 296 bytes )
== : stored iv ( 16 bytes )
-> : send IKE packet 192.168.2.20:500 -> 1.2.3.4:500 ( 328 bytes )
ii : sending peer DPDV1-R-U-THERE notification
ii : - 192.168.2.20:500 -> 1.2.3.4:500
ii : - isakmp spi = 86b72a443771512d:2db38e041d76b4b0
ii : - data size 4
 >> : hash payload
 >> : notification payload
== : new informational hash ( 20 bytes )
== : new phase2 iv ( 16 bytes )
 >= : encrypt iv ( 16 bytes )
=> : encrypt packet ( 84 bytes )
== : stored iv ( 16 bytes )
-> : send IKE packet 192.168.2.20:500 -> 1.2.3.4:500 ( 120 bytes )
ii : DPD ARE-YOU-THERE sequence 11f9741c requested
ii : resending 1 exchange packet(s)
ii : resending 1 exchange packet(s)
!! : phase1 sa dpd timeout
!! : 86b72a443771512d:2db38e041d76b4b0
DB : phase1 hard event canceled ( ref count = 1 )
DB : phase1 deleted after expire time ( phase1 count = 0 )
DB : policy found
ii : removing IPSEC INBOUND policy 0.0.0.0 -> 192.168.169.80/32
K> : send X_SPDDELETE2 UNSPEC pfkey message
DB : policy found
ii : removing IPSEC OUTBOUND policy 192.168.169.80/32 -> 0.0.0.0
K> : send X_SPDDELETE2 UNSPEC pfkey message
K< : recv X_SPDDELETE2 UNSPEC pfkey message
ii : failed to remove IPSEC policy route for 0.0.0.0/0
DB : policy found
ii : removing NONE INBOUND policy 1.2.3.4/32 -> 192.168.2.20/32
K> : send X_SPDDELETE2 UNSPEC pfkey message
DB : policy found
ii : removing NONE OUTBOUND policy 192.168.2.20/32 -> 1.2.3.4/32
K> : send X_SPDDELETE2 UNSPEC pfkey message
ii : removed NONE policy route for 1.2.3.4
DB : policy found
DB : policy deleted ( policy count = 3 )
K< : recv X_SPDDELETE2 UNSPEC pfkey message
DB : policy found
DB : policy deleted ( policy count = 2 )
K< : recv X_SPDDELETE2 UNSPEC pfkey message
DB : policy found
DB : policy deleted ( policy count = 1 )
K< : recv X_SPDDELETE2 UNSPEC pfkey message
DB : policy found
DB : policy deleted ( policy count = 0 )
ii : disabled adapter ROOT\VNET\0000
DB : removing all tunnel refrences
DB : phase2 resend event canceled ( ref count = 1 )
DB : phase2 deleted before expire time ( phase2 count = 0 )
DB : tunnel deleted ( tunnel count = 0 )
DB : peer deleted ( peer count = 0 )
ii : admin process thread exit ...
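A small triage script for an iked.log like the one above, added here as an example and not part of the original post or of the Shrew Soft client: it walks the `tag : message` lines, records the matched phase 1 transform, and reports that quick mode packets went out without any IKE reply until the DPD timeout. The embedded sample is a constructed excerpt of the posted log (decisive lines only); the full log parses the same way.

```python
import re

# Constructed excerpt of the iked.log posted above; the full log has the same "tag : message" shape.
SAMPLE_LOG = """\
ii : matched isakmp proposal #1 transform #1
ii : - cipher type  = aes
ii : - dh group     = modp-1024
ii : phase1 sa established
DB : new phase2 ( IPSEC initiator )
-> : send IKE packet 192.168.2.20:500 -> 1.2.3.4:500 ( 328 bytes )
ii : resending 1 exchange packet(s)
ii : exchange packet resend limit exceeded
DB : new phase2 ( IPSEC initiator )
-> : send IKE packet 192.168.2.20:500 -> 1.2.3.4:500 ( 328 bytes )
ii : resending 1 exchange packet(s)
!! : phase1 sa dpd timeout
"""

PROPOSAL_RE = re.compile(r"- (cipher type|key length|hash type|dh group)\s*= (.+)")

def triage(log_text):
    """Walk iked.log lines and record where the IKE negotiation stalled."""
    s = {"phase1_proposal": {}, "phase1_established": False,
         "phase2_attempts": 0, "phase2_replies": 0, "resends": 0,
         "resend_limit_exceeded": False, "dpd_timeout": False}
    for line in log_text.splitlines():
        tag, _, msg = line.strip().partition(" : ")
        m = PROPOSAL_RE.match(msg)
        if m and not s["phase1_established"]:      # attributes of the matched phase1 transform
            s["phase1_proposal"][m.group(1)] = m.group(2).strip()
        elif msg == "phase1 sa established":
            s["phase1_established"] = True
        elif msg.startswith("new phase2"):          # quick mode initiated
            s["phase2_attempts"] += 1
        elif tag == "<-" and s["phase2_attempts"]:  # any IKE packet received after QM started
            s["phase2_replies"] += 1
        elif msg.startswith("resending"):
            s["resends"] += 1
        elif msg == "exchange packet resend limit exceeded":
            s["resend_limit_exceeded"] = True
        elif msg == "phase1 sa dpd timeout":
            s["dpd_timeout"] = True
    return s

def diagnosis(s):
    """One-line verdict: which phase failed and how."""
    if not s["phase1_established"]:
        return "phase1 failed: no ISAKMP SA"
    if s["phase2_attempts"] and s["phase2_replies"] == 0:
        return "phase2 failed: quick mode sent, no IKE reply from peer"
    return "no failure pattern recognised"
```

Run `diagnosis(triage(open("iked.log").read()))` against the real file; on the posted log it yields the "phase2 failed" verdict with two quick mode attempts and zero replies.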