[Vpn-help] PIX Connection Help

Matthew Grooms mgrooms at shrew.net
Sun Feb 15 00:23:00 CST 2009


Matthew Grooms wrote:
> Michael Russell wrote:
>> I haven't heard anything on this.  I would greatly appreciate some 
>> help debugging it.  Thanks.
>>
> 
> Michael,
> 
> I took some time today to test a few different versions of the client 
> with my pix using similar phase1 negotiation parameters. It connected 
> without any issues. I have attached my pix configuration and my client 
> site configuration. Here is the debug level output from the trace 
> utility ...
> 

Woops. That last log was from a previous connection attempt. Here is the 
one using des + md5 ...

09/02/14 10:50:03 ii : ipc client process thread exit ...
09/02/14 10:50:03 K< : recv pfkey DELETE ESP message
09/02/14 10:57:24 ii : ipc client process thread begin ...
09/02/14 10:57:24 <A : peer config add message
09/02/14 10:57:24 <A : proposal config message
09/02/14 10:57:24 <A : proposal config message
09/02/14 10:57:24 <A : client config message
09/02/14 10:57:24 <A : xauth username message
09/02/14 10:57:24 <A : xauth password message
09/02/14 10:57:24 <A : local id 'vpn-users' message
09/02/14 10:57:24 <A : preshared key message
09/02/14 10:57:24 <A : peer tunnel enable message
09/02/14 10:57:24 DB : peer added ( obj count = 1 )
09/02/14 10:57:24 ii : local address 10.22.200.30 selected for peer
09/02/14 10:57:24 DB : tunnel added ( obj count = 1 )
09/02/14 10:57:24 DB : new phase1 ( ISAKMP initiator )
09/02/14 10:57:24 DB : exchange type is aggressive
09/02/14 10:57:24 DB : 10.22.200.30:500 <-> 10.1.1.26:500
09/02/14 10:57:24 DB : 32a5547394e2547e:0000000000000000
09/02/14 10:57:24 DB : phase1 added ( obj count = 1 )
09/02/14 10:57:24 >> : security association payload
09/02/14 10:57:24 >> : - proposal #1 payload
09/02/14 10:57:24 >> : -- transform #1 payload
09/02/14 10:57:24 >> : key exchange payload
09/02/14 10:57:24 >> : nonce payload
09/02/14 10:57:24 >> : identification payload
09/02/14 10:57:24 >> : vendor id payload
09/02/14 10:57:24 ii : local supports XAUTH
09/02/14 10:57:24 >> : vendor id payload
09/02/14 10:57:24 ii : local supports FRAGMENTATION
09/02/14 10:57:24 >> : vendor id payload
09/02/14 10:57:24 >> : vendor id payload
09/02/14 10:57:24 ii : local supports DPDv1
09/02/14 10:57:24 >> : vendor id payload
09/02/14 10:57:24 ii : local is SHREW SOFT compatible
09/02/14 10:57:24 >> : vendor id payload
09/02/14 10:57:24 ii : local is NETSCREEN compatible
09/02/14 10:57:24 >> : vendor id payload
09/02/14 10:57:24 ii : local is SIDEWINDER compatible
09/02/14 10:57:24 >> : vendor id payload
09/02/14 10:57:24 ii : local is CISCO UNITY compatible
09/02/14 10:57:24 >= : cookies 32a5547394e2547e:0000000000000000
09/02/14 10:57:24 >= : message 00000000
09/02/14 10:57:24 -> : send IKE packet 10.22.200.30:500 -> 10.1.1.26:500 ( 445 bytes )
09/02/14 10:57:24 DB : phase1 resend event scheduled ( ref count = 2 )
09/02/14 10:57:25 <- : recv IKE packet 10.1.1.26:500 -> 10.22.200.30:500 ( 344 bytes )
09/02/14 10:57:25 DB : phase1 found
09/02/14 10:57:25 ii : processing phase1 packet ( 344 bytes )
09/02/14 10:57:25 =< : cookies 32a5547394e2547e:01d214c4a3204592
09/02/14 10:57:25 =< : message 00000000
09/02/14 10:57:25 << : security association payload
09/02/14 10:57:25 << : - propsal #1 payload
09/02/14 10:57:25 << : -- transform #1 payload
09/02/14 10:57:25 ii : matched isakmp proposal #1 transform #1
09/02/14 10:57:25 ii : - transform    = ike
09/02/14 10:57:25 ii : - cipher type  = des
09/02/14 10:57:25 ii : - key length   = default
09/02/14 10:57:25 ii : - hash type    = md5
09/02/14 10:57:25 ii : - dh group     = modp-1024
09/02/14 10:57:25 ii : - auth type    = xauth-initiator-psk
09/02/14 10:57:25 ii : - life seconds = 86400
09/02/14 10:57:25 ii : - life kbytes  = 0
09/02/14 10:57:25 << : vendor id payload
09/02/14 10:57:25 ii : peer supports XAUTH
09/02/14 10:57:25 << : vendor id payload
09/02/14 10:57:25 ii : peer supports DPDv1
09/02/14 10:57:25 << : vendor id payload
09/02/14 10:57:25 ii : peer is CISCO UNITY compatible
09/02/14 10:57:25 << : vendor id payload
09/02/14 10:57:25 ii : unknown vendor id ( 16 bytes )
09/02/14 10:57:25 0x : f415b3d9 a3214592 1852c4b8 7355c4c1
09/02/14 10:57:25 << : key exchange payload
09/02/14 10:57:25 << : identification payload
09/02/14 10:57:25 ii : phase1 id match
09/02/14 10:57:25 ii : received = ipv4-host 10.1.1.26
09/02/14 10:57:25 << : nonce payload
09/02/14 10:57:25 << : hash payload
09/02/14 10:57:25 ii : nat-t is disabled locally
09/02/14 10:57:25 == : DH shared secret ( 128 bytes )
09/02/14 10:57:25 == : SETKEYID ( 16 bytes )
09/02/14 10:57:25 == : SETKEYID_d ( 16 bytes )
09/02/14 10:57:25 == : SETKEYID_a ( 16 bytes )
09/02/14 10:57:25 == : SETKEYID_e ( 16 bytes )
09/02/14 10:57:25 == : cipher key ( 8 bytes )
09/02/14 10:57:25 == : cipher iv ( 8 bytes )
09/02/14 10:57:25 == : phase1 hash_i ( computed ) ( 16 bytes )
09/02/14 10:57:25 >> : hash payload
09/02/14 10:57:25 >= : cookies 32a5547394e2547e:01d214c4a3204592
09/02/14 10:57:25 >= : message 00000000
09/02/14 10:57:25 >= : encrypt iv ( 8 bytes )
09/02/14 10:57:25 == : encrypt packet ( 48 bytes )
09/02/14 10:57:25 == : stored iv ( 8 bytes )
09/02/14 10:57:25 DB : phase1 resend event canceled ( ref count = 1 )
09/02/14 10:57:25 -> : send IKE packet 10.22.200.30:500 -> 10.1.1.26:500 ( 80 bytes )
09/02/14 10:57:25 == : phase1 hash_r ( computed ) ( 16 bytes )
09/02/14 10:57:25 == : phase1 hash_r ( received ) ( 16 bytes )
09/02/14 10:57:25 ii : phase1 sa established
09/02/14 10:57:25 ii : 10.1.1.26:500 <-> 10.22.200.30:500
09/02/14 10:57:25 ii : 32a5547394e2547e:1d214c4a3204592
09/02/14 10:57:25 ii : sending peer INITIAL-CONTACT notification
09/02/14 10:57:25 ii : - 10.22.200.30:500 -> 10.1.1.26:500
09/02/14 10:57:25 ii : - isakmp spi = 32a5547394e2547e:01d214c4a3204592
09/02/14 10:57:25 ii : - data size 0
09/02/14 10:57:25 >> : hash payload
09/02/14 10:57:25 >> : notification payload
09/02/14 10:57:25 == : new informational hash ( 16 bytes )
09/02/14 10:57:25 == : new informational iv ( 8 bytes )
09/02/14 10:57:25 >= : cookies 32a5547394e2547e:01d214c4a3204592
09/02/14 10:57:25 >= : message 6e851257
09/02/14 10:57:25 >= : encrypt iv ( 8 bytes )
09/02/14 10:57:25 == : encrypt packet ( 76 bytes )
09/02/14 10:57:25 == : stored iv ( 8 bytes )
09/02/14 10:57:25 -> : send IKE packet 10.22.200.30:500 -> 10.1.1.26:500 ( 104 bytes )
09/02/14 10:57:25 DB : phase2 not found
09/02/14 10:57:25 <- : recv IKE packet 10.1.1.26:500 -> 10.22.200.30:500 ( 84 bytes )
09/02/14 10:57:25 DB : phase1 found
09/02/14 10:57:25 ii : processing informational packet ( 84 bytes )
09/02/14 10:57:25 == : new informational iv ( 8 bytes )
09/02/14 10:57:25 =< : cookies 32a5547394e2547e:01d214c4a3204592
09/02/14 10:57:25 =< : message e150fa6f
09/02/14 10:57:25 =< : decrypt iv ( 8 bytes )
09/02/14 10:57:25 == : decrypt packet ( 84 bytes )
09/02/14 10:57:25 <= : trimmed packet padding ( 8 bytes )
09/02/14 10:57:25 <= : stored iv ( 8 bytes )
09/02/14 10:57:25 << : hash payload
09/02/14 10:57:25 << : notification payload
09/02/14 10:57:25 == : informational hash_i ( computed ) ( 16 bytes )
09/02/14 10:57:25 == : informational hash_c ( received ) ( 16 bytes )
09/02/14 10:57:25 ii : informational hash verified
09/02/14 10:57:25 ii : received peer INITIAL-CONTACT notification
09/02/14 10:57:25 ii : - 10.1.1.26:500 -> 10.22.200.30:500
09/02/14 10:57:25 ii : - isakmp spi = 32a5547394e2547e:01d214c4a3204592
09/02/14 10:57:25 ii : - data size 0
09/02/14 10:57:25 <- : recv IKE packet 10.1.1.26:500 -> 10.22.200.30:500 ( 92 bytes )
09/02/14 10:57:25 DB : phase1 found
09/02/14 10:57:25 ii : processing informational packet ( 92 bytes )
09/02/14 10:57:25 == : new informational iv ( 8 bytes )
09/02/14 10:57:25 =< : cookies 32a5547394e2547e:01d214c4a3204592
09/02/14 10:57:25 =< : message 420247a1
09/02/14 10:57:25 =< : decrypt iv ( 8 bytes )
09/02/14 10:57:25 == : decrypt packet ( 92 bytes )
09/02/14 10:57:25 <= : trimmed packet padding ( 4 bytes )
09/02/14 10:57:25 <= : stored iv ( 8 bytes )
09/02/14 10:57:25 << : hash payload
09/02/14 10:57:25 << : notification payload
09/02/14 10:57:25 == : informational hash_i ( computed ) ( 16 bytes )
09/02/14 10:57:25 == : informational hash_c ( received ) ( 16 bytes )
09/02/14 10:57:25 ii : informational hash verified
09/02/14 10:57:25 ii : received peer RESPONDER-LIFETIME notification
09/02/14 10:57:25 ii : - 10.1.1.26:500 -> 10.22.200.30:500
09/02/14 10:57:25 ii : - isakmp spi = 32a5547394e2547e:01d214c4a3204592
09/02/14 10:57:25 ii : - data size 12
09/02/14 10:57:25 <- : recv IKE packet 10.1.1.26:500 -> 10.22.200.30:500 ( 76 bytes )
09/02/14 10:57:25 DB : phase1 found
09/02/14 10:57:25 ii : processing config packet ( 76 bytes )
09/02/14 10:57:25 DB : config not found
09/02/14 10:57:25 DB : config added ( obj count = 1 )
09/02/14 10:57:25 == : new config iv ( 8 bytes )
09/02/14 10:57:25 =< : cookies 32a5547394e2547e:01d214c4a3204592
09/02/14 10:57:25 =< : message 52202d5d
09/02/14 10:57:25 =< : decrypt iv ( 8 bytes )
09/02/14 10:57:25 == : decrypt packet ( 76 bytes )
09/02/14 10:57:25 <= : trimmed packet padding ( 8 bytes )
09/02/14 10:57:25 <= : stored iv ( 8 bytes )
09/02/14 10:57:25 << : hash payload
09/02/14 10:57:25 << : attribute payload
09/02/14 10:57:25 == : configure hash_i ( computed ) ( 16 bytes )
09/02/14 10:57:25 == : configure hash_c ( computed ) ( 16 bytes )
09/02/14 10:57:25 ii : configure hash verified
09/02/14 10:57:25 ii : - xauth authentication type
09/02/14 10:57:25 ii : - xauth username
09/02/14 10:57:25 ii : - xauth password
09/02/14 10:57:25 ii : received basic xauth request -
09/02/14 10:57:25 ii : - standard xauth username
09/02/14 10:57:25 ii : - standard xauth basic password
09/02/14 10:57:25 ii : sending xauth response for mgrooms
09/02/14 10:57:25 >> : hash payload
09/02/14 10:57:25 >> : attribute payload
09/02/14 10:57:25 == : new configure hash ( 16 bytes )
09/02/14 10:57:25 >= : cookies 32a5547394e2547e:01d214c4a3204592
09/02/14 10:57:25 >= : message 52202d5d
09/02/14 10:57:25 >= : encrypt iv ( 8 bytes )
09/02/14 10:57:25 == : encrypt packet ( 84 bytes )
09/02/14 10:57:25 == : stored iv ( 8 bytes )
09/02/14 10:57:25 -> : send IKE packet 10.22.200.30:500 -> 10.1.1.26:500 ( 112 bytes )
09/02/14 10:57:25 DB : config resend event scheduled ( ref count = 2 )
09/02/14 10:57:25 <- : recv IKE packet 10.1.1.26:500 -> 10.22.200.30:500 ( 68 bytes )
09/02/14 10:57:25 DB : phase1 found
09/02/14 10:57:25 ii : processing config packet ( 68 bytes )
09/02/14 10:57:25 DB : config found
09/02/14 10:57:25 == : new config iv ( 8 bytes )
09/02/14 10:57:25 =< : cookies 32a5547394e2547e:01d214c4a3204592
09/02/14 10:57:25 =< : message 40a7e791
09/02/14 10:57:25 =< : decrypt iv ( 8 bytes )
09/02/14 10:57:25 == : decrypt packet ( 68 bytes )
09/02/14 10:57:25 <= : trimmed packet padding ( 8 bytes )
09/02/14 10:57:25 <= : stored iv ( 8 bytes )
09/02/14 10:57:25 << : hash payload
09/02/14 10:57:25 << : attribute payload
09/02/14 10:57:25 == : configure hash_i ( computed ) ( 16 bytes )
09/02/14 10:57:25 == : configure hash_c ( computed ) ( 16 bytes )
09/02/14 10:57:25 ii : configure hash verified
09/02/14 10:57:25 ii : received xauth result -
09/02/14 10:57:25 ii : user mgrooms authentication succeeded
09/02/14 10:57:25 ii : sending xauth acknowledge
09/02/14 10:57:25 >> : hash payload
09/02/14 10:57:25 >> : attribute payload
09/02/14 10:57:25 == : new configure hash ( 16 bytes )
09/02/14 10:57:25 >= : cookies 32a5547394e2547e:01d214c4a3204592
09/02/14 10:57:25 >= : message 40a7e791
09/02/14 10:57:25 >= : encrypt iv ( 8 bytes )
09/02/14 10:57:25 == : encrypt packet ( 56 bytes )
09/02/14 10:57:25 == : stored iv ( 8 bytes )
09/02/14 10:57:25 DB : config resend event canceled ( ref count = 1 )
09/02/14 10:57:25 -> : send IKE packet 10.22.200.30:500 -> 10.1.1.26:500 ( 88 bytes )
09/02/14 10:57:25 DB : config resend event scheduled ( ref count = 2 )
09/02/14 10:57:25 ii : building config attribute list
09/02/14 10:57:25 ii : - IP4 Address
09/02/14 10:57:25 ii : - Address Expiry
09/02/14 10:57:25 ii : - IP4 Netamask
09/02/14 10:57:25 ii : - IP4 DNS Server
09/02/14 10:57:25 ii : - IP4 WINS Server
09/02/14 10:57:25 ii : - DNS Suffix
09/02/14 10:57:25 ii : - Split DNS Domain
09/02/14 10:57:25 ii : - IP4 Split Network Include
09/02/14 10:57:25 ii : - IP4 Split Network Exclude
09/02/14 10:57:25 ii : - Login Banner
09/02/14 10:57:25 ii : - Save Password
09/02/14 10:57:25 == : new config iv ( 8 bytes )
09/02/14 10:57:25 ii : sending config pull request
09/02/14 10:57:25 >> : hash payload
09/02/14 10:57:25 >> : attribute payload
09/02/14 10:57:25 == : new configure hash ( 16 bytes )
09/02/14 10:57:25 >= : cookies 32a5547394e2547e:01d214c4a3204592
09/02/14 10:57:25 >= : message c05f3c23
09/02/14 10:57:25 >= : encrypt iv ( 8 bytes )
09/02/14 10:57:25 == : encrypt packet ( 100 bytes )
09/02/14 10:57:25 == : stored iv ( 8 bytes )
09/02/14 10:57:25 DB : config resend event canceled ( ref count = 1 )
09/02/14 10:57:25 -> : send IKE packet 10.22.200.30:500 -> 10.1.1.26:500 ( 128 bytes )
09/02/14 10:57:25 DB : config resend event scheduled ( ref count = 2 )
09/02/14 10:57:25 <- : recv IKE packet 10.1.1.26:500 -> 10.22.200.30:500 ( 124 bytes )
09/02/14 10:57:25 DB : phase1 found
09/02/14 10:57:25 ii : processing config packet ( 124 bytes )
09/02/14 10:57:25 DB : config found
09/02/14 10:57:25 =< : cookies 32a5547394e2547e:01d214c4a3204592
09/02/14 10:57:25 =< : message c05f3c23
09/02/14 10:57:25 =< : decrypt iv ( 8 bytes )
09/02/14 10:57:25 == : decrypt packet ( 124 bytes )
09/02/14 10:57:25 <= : trimmed packet padding ( 5 bytes )
09/02/14 10:57:25 <= : stored iv ( 8 bytes )
09/02/14 10:57:25 << : hash payload
09/02/14 10:57:25 << : attribute payload
09/02/14 10:57:25 == : configure hash_i ( computed ) ( 16 bytes )
09/02/14 10:57:25 == : configure hash_c ( computed ) ( 16 bytes )
09/02/14 10:57:25 ii : configure hash verified
09/02/14 10:57:25 ii : received config pull response
09/02/14 10:57:25 ii : - IP4 Address = 10.2.26.1
09/02/14 10:57:25 ii : - IP4 Netmask = 255.255.255.0
09/02/14 10:57:25 ii : - IP4 DNS Server = 10.1.2.100
09/02/14 10:57:25 ii : - IP4 WINS Server = 10.1.2.100
09/02/14 10:57:25 ii : - DNS Suffix = shrew.net
09/02/14 10:57:25 ii : - IP4 Split Network Include = ANY:10.1.2.0/24:*
09/02/14 10:57:25 DB : config resend event canceled ( ref count = 1 )
09/02/14 10:57:26 ii : VNET adapter MTU is 1500
09/02/14 10:57:26 ii : enabled adapter ROOT\NET\0000
09/02/14 10:57:26 ii : creating IPSEC INBOUND policy ANY:10.1.2.0/24:* -> ANY:10.2.26.1:*
09/02/14 10:57:26 DB : policy added ( obj count = 1 )
09/02/14 10:57:26 K> : send pfkey X_SPDADD UNSPEC message
09/02/14 10:57:26 ii : creating IPSEC OUTBOUND policy ANY:10.2.26.1:* -> ANY:10.1.2.0/24:*
09/02/14 10:57:26 K< : recv pfkey X_SPDADD UNSPEC message
09/02/14 10:57:26 DB : policy found
09/02/14 10:57:26 ii : created IPSEC policy route for 10.1.2.0/24
09/02/14 10:57:26 DB : policy added ( obj count = 2 )
09/02/14 10:57:26 K> : send pfkey X_SPDADD UNSPEC message
09/02/14 10:57:26 ii : split DNS is disabled
09/02/14 10:57:26 K< : recv pfkey X_SPDADD UNSPEC message
09/02/14 10:57:26 DB : policy found
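As an added defender-side example (not code from this thread or from the Shrew Soft client), the following Python parses the phase1 lines of an iked trace like the one above and flags the negotiated parameters a reviewer would question; the sample lines are constructed from the trace in this message, and the weak-parameter table is an assumption of the example.

```python
import re

# Constructed sample: the phase1 lines of the Shrew Soft trace quoted above.
SAMPLE_TRACE = """\
09/02/14 10:57:24 DB : exchange type is aggressive
09/02/14 10:57:25 ii : matched isakmp proposal #1 transform #1
09/02/14 10:57:25 ii : - cipher type  = des
09/02/14 10:57:25 ii : - hash type    = md5
09/02/14 10:57:25 ii : - dh group     = modp-1024
09/02/14 10:57:25 ii : - auth type    = xauth-initiator-psk
09/02/14 10:57:25 ii : phase1 sa established
"""

# Matches "- cipher type  = des" style lines under a matched proposal.
PARAM_RE = re.compile(r"^- ([a-z]+(?: [a-z]+)?)\s*= (.*)$")

def parse_phase1(trace):
    """Extract the exchange type and matched ISAKMP transform parameters."""
    info, in_proposal = {}, False
    for line in trace.splitlines():
        if " : " not in line:
            continue
        msg = line.split(" : ", 1)[1]  # drop "<date> <time> <tag> : "
        if in_proposal:
            p = PARAM_RE.match(msg)
            if p:
                info[p.group(1)] = p.group(2)
                continue
            in_proposal = False  # first non-parameter line ends the block
        if msg.startswith("exchange type is "):
            info["exchange"] = msg[len("exchange type is "):]
        elif msg.startswith("matched isakmp proposal"):
            in_proposal = True
        elif msg == "phase1 sa established":
            info["established"] = True
    return info

# Assumed review policy: values a modern IKEv1 deployment should not negotiate.
WEAK = {
    "cipher type": {"des": "56-bit DES is brute-forceable"},
    "hash type": {"md5": "MD5 is deprecated for IKE integrity"},
    "dh group": {"modp-1024": "1024-bit MODP is below current minimums"},
}

def assess_phase1(info):
    """Return the findings a defender would raise for this negotiation."""
    findings = [f"{k}={info[k]}: {t[info[k]]}" for k, t in WEAK.items() if info.get(k) in t]
    if info.get("exchange") == "aggressive" and "psk" in info.get("auth type", ""):
        findings.append("aggressive mode with PSK sends the PSK-derived hash in the clear")
    return findings
```

Running `assess_phase1(parse_phase1(SAMPLE_TRACE))` on the trace above yields four findings: DES, MD5, modp-1024 and aggressive mode with a pre-shared key.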