[Vpn-help] PIX Connection Help
Matthew Grooms
mgrooms at shrew.net
Sun Feb 15 00:16:17 CST 2009
Michael Russell wrote:
> I haven't heard anything on this. I would greatly appreciate some help
> debugging it. Thanks.
>
Michael,
I took some time today to test a few different versions of the client
with my pix using similar phase1 negotiation parameters. It connected
without any issues. I have attached my pix configuration and my client
site configuration. Here is the debug-level output from the trace
utility ...
09/02/14 10:27:35 ## : IKE Daemon, ver 2.2.0
09/02/14 10:27:35 ## : Copyright 2008 Shrew Soft Inc.
09/02/14 10:27:35 ## : This product linked OpenSSL 0.9.8h 28 May 2008
09/02/14 10:27:35 ii : opened 'C:\Documents and Settings\mgrooms\My Documents\devel\ipsec\head\prv\windows\Win32\Debug\debug\iked.log'
09/02/14 10:27:35 ii : opened 'C:\Documents and Settings\mgrooms\My Documents\devel\ipsec\head\prv\windows\Win32\Debug/debug/dump-ike-decrypt.cap'
09/02/14 10:27:35 ii : opened 'C:\Documents and Settings\mgrooms\My Documents\devel\ipsec\head\prv\windows\Win32\Debug/debug/dump-ike-encrypt.cap'
09/02/14 10:27:35 ii : rebuilding vnet device list ...
09/02/14 10:27:35 ii : device ROOT\NET\0000 disabled
09/02/14 10:27:35 ii : network process thread begin ...
09/02/14 10:27:35 ii : ipc server process thread begin ...
09/02/14 10:27:35 ii : pfkey process thread begin ...
09/02/14 10:27:35 !! : unable to connect to pfkey interface
09/02/14 10:30:28 ii : ipc client process thread begin ...
09/02/14 10:30:28 <A : peer config add message
09/02/14 10:30:28 <A : proposal config message
09/02/14 10:30:28 <A : proposal config message
09/02/14 10:30:28 <A : client config message
09/02/14 10:30:28 <A : xauth username message
09/02/14 10:30:28 <A : xauth password message
09/02/14 10:30:28 <A : local id 'vpnclient' message
09/02/14 10:30:28 <A : preshared key message
09/02/14 10:30:28 <A : peer tunnel enable message
09/02/14 10:30:28 DB : peer added ( obj count = 1 )
09/02/14 10:30:28 ii : local address 10.22.200.30 selected for peer
09/02/14 10:30:28 DB : tunnel added ( obj count = 1 )
09/02/14 10:30:28 DB : new phase1 ( ISAKMP initiator )
09/02/14 10:30:28 DB : exchange type is aggressive
09/02/14 10:30:28 DB : 10.22.200.30:500 <-> 10.1.1.20:500
09/02/14 10:30:28 DB : 9ca98d3dfe11a06c:0000000000000000
09/02/14 10:30:28 DB : phase1 added ( obj count = 1 )
09/02/14 10:30:28 >> : security association payload
09/02/14 10:30:28 >> : - proposal #1 payload
09/02/14 10:30:28 >> : -- transform #1 payload
09/02/14 10:30:28 >> : key exchange payload
09/02/14 10:30:28 >> : nonce payload
09/02/14 10:30:28 >> : identification payload
09/02/14 10:30:28 >> : vendor id payload
09/02/14 10:30:28 ii : local supports XAUTH
09/02/14 10:30:28 >> : vendor id payload
09/02/14 10:30:28 ii : local supports nat-t ( draft v00 )
09/02/14 10:30:28 >> : vendor id payload
09/02/14 10:30:28 ii : local supports nat-t ( draft v01 )
09/02/14 10:30:28 >> : vendor id payload
09/02/14 10:30:28 ii : local supports nat-t ( draft v02 )
09/02/14 10:30:28 >> : vendor id payload
09/02/14 10:30:28 ii : local supports nat-t ( draft v03 )
09/02/14 10:30:28 >> : vendor id payload
09/02/14 10:30:28 ii : local supports nat-t ( rfc )
09/02/14 10:30:28 >> : vendor id payload
09/02/14 10:30:28 ii : local supports FRAGMENTATION
09/02/14 10:30:28 >> : vendor id payload
09/02/14 10:30:28 >> : vendor id payload
09/02/14 10:30:28 ii : local supports DPDv1
09/02/14 10:30:28 >> : vendor id payload
09/02/14 10:30:28 ii : local is SHREW SOFT compatible
09/02/14 10:30:28 >> : vendor id payload
09/02/14 10:30:28 ii : local is NETSCREEN compatible
09/02/14 10:30:28 >> : vendor id payload
09/02/14 10:30:28 ii : local is SIDEWINDER compatible
09/02/14 10:30:28 >> : vendor id payload
09/02/14 10:30:28 ii : local is CISCO UNITY compatible
09/02/14 10:30:28 >= : cookies 9ca98d3dfe11a06c:0000000000000000
09/02/14 10:30:28 >= : message 00000000
09/02/14 10:30:28 -> : send IKE packet 10.22.200.30:500 -> 10.1.1.20:500 ( 545 bytes )
09/02/14 10:30:28 DB : phase1 resend event scheduled ( ref count = 2 )
09/02/14 10:30:28 <- : recv IKE packet 10.1.1.20:500 -> 10.22.200.30:500 ( 368 bytes )
09/02/14 10:30:28 DB : phase1 found
09/02/14 10:30:28 ii : processing phase1 packet ( 368 bytes )
09/02/14 10:30:28 =< : cookies 9ca98d3dfe11a06c:8d0f5b122887ed56
09/02/14 10:30:28 =< : message 00000000
09/02/14 10:30:28 << : security association payload
09/02/14 10:30:28 << : - propsal #1 payload
09/02/14 10:30:28 << : -- transform #1 payload
09/02/14 10:30:28 ii : matched isakmp proposal #1 transform #1
09/02/14 10:30:28 ii : - transform = ike
09/02/14 10:30:28 ii : - cipher type = des
09/02/14 10:30:28 ii : - key length = default
09/02/14 10:30:28 ii : - hash type = sha1
09/02/14 10:30:28 ii : - dh group = modp-1024
09/02/14 10:30:28 ii : - auth type = xauth-initiator-psk
09/02/14 10:30:28 ii : - life seconds = 60
09/02/14 10:30:28 ii : - life kbytes = 0
09/02/14 10:30:28 << : key exchange payload
09/02/14 10:30:28 << : nonce payload
09/02/14 10:30:28 << : identification payload
09/02/14 10:30:28 ii : phase1 id match ( natt prevents ip match )
09/02/14 10:30:28 ii : received = ipv4-host 10.1.1.20
09/02/14 10:30:28 << : hash payload
09/02/14 10:30:28 << : vendor id payload
09/02/14 10:30:28 ii : peer is CISCO UNITY compatible
09/02/14 10:30:28 << : vendor id payload
09/02/14 10:30:28 ii : peer supports XAUTH
09/02/14 10:30:28 << : vendor id payload
09/02/14 10:30:28 ii : peer supports DPDv1
09/02/14 10:30:28 << : vendor id payload
09/02/14 10:30:28 ii : unknown vendor id ( 20 bytes )
09/02/14 10:30:28 0x : 4048b7d5 6ebce885 25e7de7f 00d6c2d3 c0000000
09/02/14 10:30:28 << : vendor id payload
09/02/14 10:30:28 ii : unknown vendor id ( 16 bytes )
09/02/14 10:30:28 0x : 1f07f70e aa6514d3 b0fa9654 2a500100
09/02/14 10:30:28 ii : nat-t is unsupported by remote peer
09/02/14 10:30:28 == : DH shared secret ( 128 bytes )
09/02/14 10:30:28 == : SETKEYID ( 20 bytes )
09/02/14 10:30:28 == : SETKEYID_d ( 20 bytes )
09/02/14 10:30:28 == : SETKEYID_a ( 20 bytes )
09/02/14 10:30:28 == : SETKEYID_e ( 20 bytes )
09/02/14 10:30:28 == : cipher key ( 8 bytes )
09/02/14 10:30:28 == : cipher iv ( 8 bytes )
09/02/14 10:30:28 == : phase1 hash_i ( computed ) ( 20 bytes )
09/02/14 10:30:28 >> : hash payload
09/02/14 10:30:28 >= : cookies 9ca98d3dfe11a06c:8d0f5b122887ed56
09/02/14 10:30:28 >= : message 00000000
09/02/14 10:30:28 >= : encrypt iv ( 8 bytes )
09/02/14 10:30:28 == : encrypt packet ( 52 bytes )
09/02/14 10:30:28 == : stored iv ( 8 bytes )
09/02/14 10:30:28 DB : phase1 resend event canceled ( ref count = 1 )
09/02/14 10:30:28 -> : send IKE packet 10.22.200.30:500 -> 10.1.1.20:500 ( 80 bytes )
09/02/14 10:30:28 == : phase1 hash_r ( computed ) ( 20 bytes )
09/02/14 10:30:28 == : phase1 hash_r ( received ) ( 20 bytes )
09/02/14 10:30:28 ii : phase1 sa established
09/02/14 10:30:28 ii : 10.1.1.20:500 <-> 10.22.200.30:500
09/02/14 10:30:28 ii : 9ca98d3dfe11a06c:8d0f5b122887ed56
09/02/14 10:30:28 ii : sending peer INITIAL-CONTACT notification
09/02/14 10:30:28 ii : - 10.22.200.30:500 -> 10.1.1.20:500
09/02/14 10:30:28 ii : - isakmp spi = 9ca98d3dfe11a06c:8d0f5b122887ed56
09/02/14 10:30:28 ii : - data size 0
09/02/14 10:30:28 >> : hash payload
09/02/14 10:30:28 >> : notification payload
09/02/14 10:30:28 == : new informational hash ( 20 bytes )
09/02/14 10:30:28 == : new informational iv ( 8 bytes )
09/02/14 10:30:28 >= : cookies 9ca98d3dfe11a06c:8d0f5b122887ed56
09/02/14 10:30:28 >= : message a9bf799b
09/02/14 10:30:28 >= : encrypt iv ( 8 bytes )
09/02/14 10:30:28 == : encrypt packet ( 80 bytes )
09/02/14 10:30:28 == : stored iv ( 8 bytes )
09/02/14 10:30:28 -> : send IKE packet 10.22.200.30:500 -> 10.1.1.20:500 ( 112 bytes )
09/02/14 10:30:28 DB : phase2 not found
09/02/14 10:30:28 <- : recv IKE packet 10.1.1.20:500 -> 10.22.200.30:500 ( 76 bytes )
09/02/14 10:30:28 DB : phase1 found
09/02/14 10:30:28 ii : processing config packet ( 76 bytes )
09/02/14 10:30:28 DB : config not found
09/02/14 10:30:28 DB : config added ( obj count = 1 )
09/02/14 10:30:28 == : new config iv ( 8 bytes )
09/02/14 10:30:28 =< : cookies 9ca98d3dfe11a06c:8d0f5b122887ed56
09/02/14 10:30:28 =< : message e1f680ee
09/02/14 10:30:28 =< : decrypt iv ( 8 bytes )
09/02/14 10:30:28 == : decrypt packet ( 76 bytes )
09/02/14 10:30:28 <= : trimmed packet padding ( 4 bytes )
09/02/14 10:30:28 <= : stored iv ( 8 bytes )
09/02/14 10:30:28 << : hash payload
09/02/14 10:30:28 << : attribute payload
09/02/14 10:30:28 == : configure hash_i ( computed ) ( 20 bytes )
09/02/14 10:30:28 == : configure hash_c ( computed ) ( 20 bytes )
09/02/14 10:30:28 ii : configure hash verified
09/02/14 10:30:28 ii : - xauth authentication type
09/02/14 10:30:28 ii : - xauth username
09/02/14 10:30:28 ii : - xauth password
09/02/14 10:30:28 ii : received basic xauth request -
09/02/14 10:30:28 ii : - standard xauth username
09/02/14 10:30:28 ii : - standard xauth basic password
09/02/14 10:30:28 ii : sending xauth response for mgrooms
09/02/14 10:30:28 >> : hash payload
09/02/14 10:30:28 >> : attribute payload
09/02/14 10:30:28 == : new configure hash ( 20 bytes )
09/02/14 10:30:28 >= : cookies 9ca98d3dfe11a06c:8d0f5b122887ed56
09/02/14 10:30:28 >= : message e1f680ee
09/02/14 10:30:28 >= : encrypt iv ( 8 bytes )
09/02/14 10:30:28 == : encrypt packet ( 88 bytes )
09/02/14 10:30:28 == : stored iv ( 8 bytes )
09/02/14 10:30:28 -> : send IKE packet 10.22.200.30:500 -> 10.1.1.20:500 ( 120 bytes )
09/02/14 10:30:28 DB : config resend event scheduled ( ref count = 2 )
09/02/14 10:30:28 <- : recv IKE packet 10.1.1.20:500 -> 10.22.200.30:500 ( 68 bytes )
09/02/14 10:30:28 DB : phase1 found
09/02/14 10:30:28 ii : processing config packet ( 68 bytes )
09/02/14 10:30:28 DB : config found
09/02/14 10:30:28 == : new config iv ( 8 bytes )
09/02/14 10:30:28 =< : cookies 9ca98d3dfe11a06c:8d0f5b122887ed56
09/02/14 10:30:28 =< : message 4ccbf5b7
09/02/14 10:30:28 =< : decrypt iv ( 8 bytes )
09/02/14 10:30:28 == : decrypt packet ( 68 bytes )
09/02/14 10:30:28 <= : trimmed packet padding ( 4 bytes )
09/02/14 10:30:28 <= : stored iv ( 8 bytes )
09/02/14 10:30:28 << : hash payload
09/02/14 10:30:28 << : attribute payload
09/02/14 10:30:28 == : configure hash_i ( computed ) ( 20 bytes )
09/02/14 10:30:28 == : configure hash_c ( computed ) ( 20 bytes )
09/02/14 10:30:28 ii : configure hash verified
09/02/14 10:30:28 ii : received xauth result -
09/02/14 10:30:28 ii : user mgrooms authentication succeeded
09/02/14 10:30:28 ii : sending xauth acknowledge
09/02/14 10:30:28 >> : hash payload
09/02/14 10:30:28 >> : attribute payload
09/02/14 10:30:28 == : new configure hash ( 20 bytes )
09/02/14 10:30:28 >= : cookies 9ca98d3dfe11a06c:8d0f5b122887ed56
09/02/14 10:30:28 >= : message 4ccbf5b7
09/02/14 10:30:28 >= : encrypt iv ( 8 bytes )
09/02/14 10:30:28 == : encrypt packet ( 60 bytes )
09/02/14 10:30:28 == : stored iv ( 8 bytes )
09/02/14 10:30:28 DB : config resend event canceled ( ref count = 1 )
09/02/14 10:30:28 -> : send IKE packet 10.22.200.30:500 -> 10.1.1.20:500 ( 88 bytes )
09/02/14 10:30:28 DB : config resend event scheduled ( ref count = 2 )
09/02/14 10:30:28 ii : building config attribute list
09/02/14 10:30:28 ii : - IP4 Address
09/02/14 10:30:28 ii : - Address Expiry
09/02/14 10:30:28 ii : - IP4 Netamask
09/02/14 10:30:28 ii : - IP4 DNS Server
09/02/14 10:30:28 ii : - IP4 WINS Server
09/02/14 10:30:28 ii : - DNS Suffix
09/02/14 10:30:28 ii : - Split DNS Domain
09/02/14 10:30:28 ii : - IP4 Split Network Include
09/02/14 10:30:28 ii : - IP4 Split Network Exclude
09/02/14 10:30:28 ii : - Login Banner
09/02/14 10:30:28 ii : - Save Password
09/02/14 10:30:28 ii : - CISCO UDP Port
09/02/14 10:30:28 == : new config iv ( 8 bytes )
09/02/14 10:30:28 ii : sending config pull request
09/02/14 10:30:28 >> : hash payload
09/02/14 10:30:28 >> : attribute payload
09/02/14 10:30:28 == : new configure hash ( 20 bytes )
09/02/14 10:30:28 >= : cookies 9ca98d3dfe11a06c:8d0f5b122887ed56
09/02/14 10:30:28 >= : message 28f77e7a
09/02/14 10:30:28 >= : encrypt iv ( 8 bytes )
09/02/14 10:30:28 == : encrypt packet ( 108 bytes )
09/02/14 10:30:28 == : stored iv ( 8 bytes )
09/02/14 10:30:28 DB : config resend event canceled ( ref count = 1 )
09/02/14 10:30:28 -> : send IKE packet 10.22.200.30:500 -> 10.1.1.20:500 ( 136 bytes )
09/02/14 10:30:28 DB : config resend event scheduled ( ref count = 2 )
09/02/14 10:30:28 <- : recv IKE packet 10.1.1.20:500 -> 10.22.200.30:500 ( 228 bytes )
09/02/14 10:30:28 DB : phase1 found
09/02/14 10:30:28 ii : processing config packet ( 228 bytes )
09/02/14 10:30:28 DB : config found
09/02/14 10:30:28 =< : cookies 9ca98d3dfe11a06c:8d0f5b122887ed56
09/02/14 10:30:28 =< : message 28f77e7a
09/02/14 10:30:28 =< : decrypt iv ( 8 bytes )
09/02/14 10:30:28 == : decrypt packet ( 228 bytes )
09/02/14 10:30:28 <= : trimmed packet padding ( 2 bytes )
09/02/14 10:30:28 <= : stored iv ( 8 bytes )
09/02/14 10:30:28 << : hash payload
09/02/14 10:30:28 << : attribute payload
09/02/14 10:30:28 == : configure hash_i ( computed ) ( 20 bytes )
09/02/14 10:30:28 == : configure hash_c ( computed ) ( 20 bytes )
09/02/14 10:30:28 ii : configure hash verified
09/02/14 10:30:28 ii : received config pull response
09/02/14 10:30:28 ii : - IP4 Address = 10.2.20.1
09/02/14 10:30:28 ii : - IP4 Netmask = 255.255.255.0
09/02/14 10:30:28 ii : - IP4 DNS Server = 10.1.2.100
09/02/14 10:30:28 ii : - IP4 DNS Server = 10.1.2.1
09/02/14 10:30:28 ii : - IP4 WINS Server = 10.1.2.100
09/02/14 10:30:28 ii : - IP4 WINS Server = 10.1.2.1
09/02/14 10:30:28 ii : - Login Banner = Welcome to the ...
09/02/14 10:30:28 ii : - Save Password = 0
09/02/14 10:30:28 ii : - IP4 Split Network Include = ANY:10.1.2.0/24:*
09/02/14 10:30:28 ii : - IP4 Split Network Include = ANY:10.22.0.0/16:*
09/02/14 10:30:28 ii : - DNS Suffix = shrew.net
09/02/14 10:30:28 ii : - Split Domain = shrew.net
09/02/14 10:30:28 ii : - Split Domain = example.com
09/02/14 10:30:28 ii : - Cisco UDP Port = 10000
09/02/14 10:30:28 ii : switching nat-t to cisco-udp
09/02/14 10:30:28 DB : config resend event canceled ( ref count = 1 )
09/02/14 10:30:33 ii : VNET adapter MTU is 1500
09/02/14 10:30:33 ii : enabled adapter ROOT\NET\0000
09/02/14 10:30:33 ii : creating IPSEC INBOUND policy ANY:10.1.2.0/24:* -> ANY:10.2.20.1:*
09/02/14 10:30:33 DB : policy added ( obj count = 1 )
09/02/14 10:30:33 K> : send pfkey X_SPDADD UNSPEC message
09/02/14 10:30:33 ii : creating IPSEC OUTBOUND policy ANY:10.2.20.1:* -> ANY:10.1.2.0/24:*
09/02/14 10:30:33 K< : recv pfkey X_SPDADD UNSPEC message
09/02/14 10:30:33 DB : policy found
09/02/14 10:30:34 ii : created IPSEC policy route for 10.1.2.0/24
09/02/14 10:30:34 DB : policy added ( obj count = 2 )
09/02/14 10:30:34 K> : send pfkey X_SPDADD UNSPEC message
09/02/14 10:30:34 ii : creating IPSEC INBOUND policy ANY:10.22.0.0/16:* -> ANY:10.2.20.1:*
09/02/14 10:30:34 DB : policy added ( obj count = 3 )
09/02/14 10:30:34 K> : send pfkey X_SPDADD UNSPEC message
09/02/14 10:30:34 ii : creating IPSEC OUTBOUND policy ANY:10.2.20.1:* -> ANY:10.22.0.0/16:*
09/02/14 10:30:34 K< : recv pfkey X_SPDADD UNSPEC message
09/02/14 10:30:34 DB : policy found
-------------- next part --------------
Name: pixconf.log
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20090215/88c86ffc/attachment-0004.ksh>
-------------- next part --------------
Name: Cisco PIX.vpn
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20090215/88c86ffc/attachment-0005.ksh>
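The trace in the message above records what the PIX and the client actually negotiated: an aggressive-mode exchange, a DES/SHA1/modp-1024 phase 1 transform authenticated by XAUTH over a pre-shared key, two vendor IDs the client does not recognise, and a fall-back from NAT-T to Cisco UDP encapsulation. The script below is an added example, not code from this post or from Shrew Soft: it parses iked trace lines in the format shown above and turns them into the review findings a security engineer would want from such a log. The sample input is excerpted from the trace above; the two vendor-ID labels are assumptions taken from public IKE fingerprint tables and should be checked against your own copy.

```python
"""Audit a Shrew Soft iked debug trace for IKEv1 phase 1 settings.

Added example, not code from the original post or from Shrew Soft.
Input lines follow the trace format shown in the message:
    YY/MM/DD HH:MM:SS TAG : message
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d (\S+) : (.*)$")
ATTR_RE = re.compile(r"^- (.+?) = (.+)$")

# Vendor-ID fingerprints. Assumption: taken from public VID tables (such
# as ike-scan's); verify before relying on them. The 20-byte value is the
# Cisco IKE fragmentation VID, the 16-byte one is attributed to the Cisco
# VPN Concentrator family.
KNOWN_VIDS = {
    "4048b7d56ebce88525e7de7f00d6c2d3c0000000": "Cisco IKE fragmentation",
    "1f07f70eaa6514d3b0fa96542a500100": "Cisco VPN Concentrator family",
}

WEAK_CIPHERS = {"des"}               # 56-bit key
WEAK_DH = {"modp-768", "modp-1024"}  # below the 112-bit security level

# Constructed sample: lines excerpted from the trace above, in order.
SAMPLE_TRACE = """\
09/02/14 10:30:28 DB : exchange type is aggressive
09/02/14 10:30:28 ii : matched isakmp proposal #1 transform #1
09/02/14 10:30:28 ii : - transform = ike
09/02/14 10:30:28 ii : - cipher type = des
09/02/14 10:30:28 ii : - key length = default
09/02/14 10:30:28 ii : - hash type = sha1
09/02/14 10:30:28 ii : - dh group = modp-1024
09/02/14 10:30:28 ii : - auth type = xauth-initiator-psk
09/02/14 10:30:28 ii : - life seconds = 60
09/02/14 10:30:28 ii : - life kbytes = 0
09/02/14 10:30:28 << : key exchange payload
09/02/14 10:30:28 ii : peer is CISCO UNITY compatible
09/02/14 10:30:28 ii : peer supports XAUTH
09/02/14 10:30:28 ii : peer supports DPDv1
09/02/14 10:30:28 ii : unknown vendor id ( 20 bytes )
09/02/14 10:30:28 0x : 4048b7d5 6ebce885 25e7de7f 00d6c2d3 c0000000
09/02/14 10:30:28 ii : unknown vendor id ( 16 bytes )
09/02/14 10:30:28 0x : 1f07f70e aa6514d3 b0fa9654 2a500100
09/02/14 10:30:28 ii : nat-t is unsupported by remote peer
09/02/14 10:30:28 ii : phase1 sa established
09/02/14 10:30:28 ii : received config pull response
09/02/14 10:30:28 ii : - IP4 Address = 10.2.20.1
09/02/14 10:30:28 ii : - Save Password = 0
09/02/14 10:30:28 ii : - IP4 Split Network Include = ANY:10.1.2.0/24:*
09/02/14 10:30:28 ii : - Cisco UDP Port = 10000
09/02/14 10:30:28 ii : switching nat-t to cisco-udp
"""


@dataclass
class Report:
    exchange: str = ""
    phase1: dict = field(default_factory=dict)       # matched transform
    vendor_ids: list = field(default_factory=list)   # (hex or None, label)
    config: dict = field(default_factory=dict)       # attribute -> [values]
    nat_t: str = ""
    findings: list = field(default_factory=list)


def parse_trace(text):
    """Walk the trace once and collect what phase 1 actually negotiated."""
    rep = Report()
    section = None          # "phase1" or "config" while inside an attribute dump
    expect_vid_hex = False  # the next "0x" line carries an unknown vendor ID
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a trace line (e.g. pasted config); skip it
        tag, msg = m.groups()
        if tag == "0x":
            if expect_vid_hex:
                vid = msg.replace(" ", "").lower()
                rep.vendor_ids.append((vid, KNOWN_VIDS.get(vid, "unknown")))
                expect_vid_hex = False
            continue
        expect_vid_hex = msg.startswith("unknown vendor id")
        attr = ATTR_RE.match(msg)
        if attr and section == "phase1":
            rep.phase1[attr.group(1)] = attr.group(2)
        elif attr and section == "config":
            rep.config.setdefault(attr.group(1), []).append(attr.group(2))
        elif msg.startswith("matched isakmp proposal"):
            section = "phase1"
        elif msg == "received config pull response":
            section = "config"
        else:
            section = None  # any other line ends an attribute dump
            if msg.startswith("exchange type is "):
                rep.exchange = msg[len("exchange type is "):]
            elif msg.startswith(("peer is ", "peer supports ")):
                rep.vendor_ids.append((None, msg))
            elif msg == "nat-t is unsupported by remote peer":
                rep.nat_t = "unsupported"
            elif msg.startswith("switching nat-t to "):
                rep.nat_t = msg[len("switching nat-t to "):]
    return rep


def audit(rep):
    """Turn the parsed negotiation into review findings (list of strings)."""
    f = []
    if rep.exchange == "aggressive" and "psk" in rep.phase1.get("auth type", ""):
        f.append("aggressive mode with PSK: HASH_R is sent before encryption, so a "
                 "captured exchange allows an offline dictionary attack on the group key")
    cipher = rep.phase1.get("cipher type", "")
    if cipher in WEAK_CIPHERS:
        f.append(f"weak phase1 cipher: {cipher}")
    dh = rep.phase1.get("dh group", "")
    if dh in WEAK_DH:
        f.append(f"weak phase1 DH group: {dh}")
    life = rep.phase1.get("life seconds")
    if life is not None and int(life) < 300:
        f.append(f"very short phase1 lifetime: {life}s (confirm both peers agree)")
    if rep.nat_t and rep.nat_t != "unsupported":
        f.append(f"peer has no NAT-T; ESP will use {rep.nat_t} encapsulation")
    for vid, label in rep.vendor_ids:
        if vid and label == "unknown":
            f.append(f"unrecognised vendor id {vid}")
    rep.findings = f
    return f


if __name__ == "__main__":
    report = parse_trace(SAMPLE_TRACE)
    for line in audit(report):
        print("-", line)
```

Feed it a complete iked.log rather than the excerpt: lines that do not match the trace format are skipped, so the attached PIX configuration can be pasted in alongside the trace without confusing the parser.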