[Vpn-help] Multiple network problem

Robert Myhren myhren at gmail.com
Mon Jan 12 06:39:56 CST 2009


Hi!

I have installed the Shrew VPN client (v2.1.4) on Windows Vista 64.
The client is connecting to a Cisco IOS.

The tunnel is created as expected.

The Cisco gateway announces several subnets:
192.168.3.0/24, 10.220.0.0/16 and 192.192.168.113.0/24.

Now, if I define more than one subnet, or if it is set to auto under "Policy",
then I am not able to access any of the networks.

If I define only one network manually under "Policy", then it works for that
subnet.

I have found this in the logs:
failed to create IPSEC policy route for 192.168.3.0/24

Any help is greatly appreciated.

Regards,

Robert


LOG OUTPUT BELOW:

ipconfig output:
Ethernet adapter Local Area Connection* 17:

   Connection-specific DNS Suffix  . : pillar.as
   Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
   Physical Address. . . . . . . . . : AA-AA-AA-AA-AA-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . :
fe80::4583:1a90:d144:b362%21(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.113.46(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 192.168.113.55(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.3.101
                                       195.159.0.100
   NetBIOS over Tcpip. . . . . . . . : Disabled

route output:
Interface List
 21 ...aa aa aa aa aa 00 ...... Shrew Soft Virtual Adapter
 15 ...02 00 4e 43 50 49 ...... NCP Secure Client Virtual NDIS6 Adapter
 12 ...00 1f 3b bf 30 7b ...... Intel(R) Wireless WiFi Link 4965AGN
 10 ...00 1c 23 50 65 38 ...... Broadcom NetXtreme 57xx Gigabit Controller
  1 ........................... Software Loopback Interface 1
 20 ...00 00 00 00 00 00 00 e0
isatap.{B06A9A31-24A5-48F1-A151-1D518CEAD8CB}
 11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 18 ...00 00 00 00 00 00 00 e0  isatap.bb.online.no
 48 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #3
 19 ...00 00 00 00 00 00 00 e0  6TO4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.199     10
       10.220.0.0      255.255.0.0         On-link                15     51
   10.220.255.255  255.255.255.255         On-link                15    306
    91.203.116.34  255.255.255.255         On-link                15     51
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link     192.168.0.199    266
    192.168.0.199  255.255.255.255         On-link     192.168.0.199    266
    192.168.0.255  255.255.255.255         On-link     192.168.0.199    266
      192.168.3.0    255.255.255.0         On-link    192.168.113.26     51
    192.168.3.255  255.255.255.255         On-link    192.168.113.26    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.0.199    266
        224.0.0.0        240.0.0.0         On-link    192.168.113.26    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.0.199    266
  255.255.255.255  255.255.255.255         On-link    192.168.113.26    306
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 10    266 fe80::/64                On-link
 21    306 fe80::/64                On-link
 21    306 fe80::4583:1a90:d144:b362/128
                                    On-link
 10    266 fe80::b5ed:a21:4099:cbd/128
                                    On-link
  1    306 ff00::/8                 On-link
 10    266 ff00::/8                 On-link
 21    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

IKE service log:
09/01/12 13:33:33 ii : ipc client process thread begin ...
09/01/12 13:33:33 <A : peer config add message
09/01/12 13:33:33 DB : peer added ( obj count = 1 )
09/01/12 13:33:33 ii : local address 192.168.0.199:500 selected for peer
09/01/12 13:33:33 DB : tunnel added ( obj count = 1 )
09/01/12 13:33:33 <A : proposal config message
09/01/12 13:33:33 <A : proposal config message
09/01/12 13:33:33 <A : client config message
09/01/12 13:33:33 <A : xauth username message
09/01/12 13:33:33 <A : xauth password message
09/01/12 13:33:33 <A : local id 'BC' message
09/01/12 13:33:33 <A : remote id 'BC-R01.basis-consulting.no' message
09/01/12 13:33:33 <A : preshared key message
09/01/12 13:33:33 <A : peer tunnel enable message
09/01/12 13:33:33 DB : new phase1 ( ISAKMP initiator )
09/01/12 13:33:33 DB : exchange type is aggressive
09/01/12 13:33:33 DB : 192.168.0.199:500 <-> 195.159.111.66:500
09/01/12 13:33:33 DB : 0226893edab8a100:0000000000000000
09/01/12 13:33:33 DB : phase1 added ( obj count = 1 )
09/01/12 13:33:33 >> : security association payload
09/01/12 13:33:33 >> : - proposal #1 payload
09/01/12 13:33:33 >> : -- transform #1 payload
09/01/12 13:33:33 >> : -- transform #2 payload
09/01/12 13:33:33 >> : -- transform #3 payload
09/01/12 13:33:33 >> : -- transform #4 payload
09/01/12 13:33:33 >> : -- transform #5 payload
09/01/12 13:33:33 >> : -- transform #6 payload
09/01/12 13:33:33 >> : -- transform #7 payload
09/01/12 13:33:33 >> : -- transform #8 payload
09/01/12 13:33:33 >> : -- transform #9 payload
09/01/12 13:33:33 >> : -- transform #10 payload
09/01/12 13:33:33 >> : -- transform #11 payload
09/01/12 13:33:33 >> : -- transform #12 payload
09/01/12 13:33:33 >> : -- transform #13 payload
09/01/12 13:33:33 >> : -- transform #14 payload
09/01/12 13:33:33 >> : -- transform #15 payload
09/01/12 13:33:33 >> : -- transform #16 payload
09/01/12 13:33:33 >> : -- transform #17 payload
09/01/12 13:33:33 >> : -- transform #18 payload
09/01/12 13:33:33 >> : key exchange payload
09/01/12 13:33:33 >> : nonce payload
09/01/12 13:33:33 >> : identification payload
09/01/12 13:33:33 >> : vendor id payload
09/01/12 13:33:33 ii : local supports XAUTH
09/01/12 13:33:33 >> : vendor id payload
09/01/12 13:33:33 ii : local supports nat-t ( draft v00 )
09/01/12 13:33:33 >> : vendor id payload
09/01/12 13:33:33 ii : local supports nat-t ( draft v01 )
09/01/12 13:33:33 >> : vendor id payload
09/01/12 13:33:33 ii : local supports nat-t ( draft v02 )
09/01/12 13:33:33 >> : vendor id payload
09/01/12 13:33:33 ii : local supports nat-t ( draft v03 )
09/01/12 13:33:33 >> : vendor id payload
09/01/12 13:33:33 ii : local supports nat-t ( rfc )
09/01/12 13:33:33 >> : vendor id payload
09/01/12 13:33:33 ii : local supports FRAGMENTATION
09/01/12 13:33:33 >> : vendor id payload
09/01/12 13:33:33 ii : local is SHREW SOFT compatible
09/01/12 13:33:33 >> : vendor id payload
09/01/12 13:33:33 ii : local is NETSCREEN compatible
09/01/12 13:33:33 >> : vendor id payload
09/01/12 13:33:33 ii : local is SIDEWINDER compatible
09/01/12 13:33:33 >> : vendor id payload
09/01/12 13:33:33 ii : local is CISCO UNITY compatible
09/01/12 13:33:33 >= : cookies 0226893edab8a100:0000000000000000
09/01/12 13:33:33 >= : message 00000000
09/01/12 13:33:33 -> : send IKE packet 192.168.0.199:500 ->
195.159.111.66:500 ( 1158 bytes )
09/01/12 13:33:33 DB : phase1 resend event scheduled ( ref count = 2 )
09/01/12 13:33:33 <- : recv IKE packet 195.159.111.66:500 ->
192.168.0.199:500 ( 438 bytes )
09/01/12 13:33:33 DB : phase1 found
09/01/12 13:33:33 ii : processing phase1 packet ( 438 bytes )
09/01/12 13:33:33 =< : cookies 0226893edab8a100:65da80a148909240
09/01/12 13:33:33 =< : message 00000000
09/01/12 13:33:33 << : security association payload
09/01/12 13:33:33 << : - propsal #1 payload
09/01/12 13:33:33 << : -- transform #1 payload
09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
09/01/12 13:33:33 ii : cipher type ( 3des != aes )
09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
09/01/12 13:33:33 ii : cipher type ( 3des != aes )
09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
09/01/12 13:33:33 ii : cipher type ( 3des != aes )
09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
09/01/12 13:33:33 ii : cipher type ( 3des != aes )
09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
09/01/12 13:33:33 ii : cipher type ( 3des != aes )
09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
09/01/12 13:33:33 ii : cipher type ( 3des != aes )
09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )
09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )
09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )
09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )
09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )
09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )
09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
09/01/12 13:33:33 ii : hash type ( hmac-sha != hmac-md5 )
09/01/12 13:33:33 !! : peer violates RFC, transform number mismatch ( 1 !=
14 )
09/01/12 13:33:33 ii : matched isakmp proposal #1 transform #1
09/01/12 13:33:33 ii : - transform    = ike
09/01/12 13:33:33 ii : - cipher type  = 3des
09/01/12 13:33:33 ii : - key length   = default
09/01/12 13:33:33 ii : - hash type    = sha1
09/01/12 13:33:33 ii : - dh group     = modp-1024
09/01/12 13:33:33 ii : - auth type    = xauth-initiator-psk
09/01/12 13:33:33 ii : - life seconds = 86400
09/01/12 13:33:33 ii : - life kbytes  = 0
09/01/12 13:33:33 << : vendor id payload
09/01/12 13:33:33 ii : peer is CISCO UNITY compatible
09/01/12 13:33:33 << : vendor id payload
09/01/12 13:33:33 ii : peer supports DPDv1
09/01/12 13:33:33 << : vendor id payload
09/01/12 13:33:33 ii : unknown vendor id ( 16 bytes )
09/01/12 13:33:33 0x : 901d27bc 48919240 e61a88fc 07f35213
09/01/12 13:33:33 << : vendor id payload
09/01/12 13:33:33 ii : peer supports XAUTH
09/01/12 13:33:33 << : vendor id payload
09/01/12 13:33:33 ii : peer supports nat-t ( rfc )
09/01/12 13:33:33 << : key exchange payload
09/01/12 13:33:33 << : identification payload
09/01/12 13:33:33 ii : phase1 id match
09/01/12 13:33:33 ii : received = fqdn BC-R01.basis-consulting.no
09/01/12 13:33:33 << : nonce payload
09/01/12 13:33:33 << : hash payload
09/01/12 13:33:33 << : nat discovery payload
09/01/12 13:33:33 << : nat discovery payload
09/01/12 13:33:33 ii : nat discovery - local address is translated
09/01/12 13:33:33 ii : switching to nat-t udp port 4500
09/01/12 13:33:33 == : DH shared secret ( 128 bytes )
09/01/12 13:33:33 == : SETKEYID ( 20 bytes )
09/01/12 13:33:33 == : SETKEYID_d ( 20 bytes )
09/01/12 13:33:33 == : SETKEYID_a ( 20 bytes )
09/01/12 13:33:33 == : SETKEYID_e ( 20 bytes )
09/01/12 13:33:33 == : cipher key ( 40 bytes )
09/01/12 13:33:33 == : cipher iv ( 8 bytes )
09/01/12 13:33:33 == : phase1 hash_i ( computed ) ( 20 bytes )
09/01/12 13:33:33 >> : hash payload
09/01/12 13:33:33 >> : nat discovery payload
09/01/12 13:33:33 >> : nat discovery payload
09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240
09/01/12 13:33:33 >= : message 00000000
09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )
09/01/12 13:33:33 == : encrypt packet ( 100 bytes )
09/01/12 13:33:33 == : stored iv ( 8 bytes )
09/01/12 13:33:33 DB : phase1 resend event canceled ( ref count = 1 )
09/01/12 13:33:33 -> : send NAT-T:IKE packet 192.168.0.199:4500 ->
195.159.111.66:4500 ( 132 bytes )
09/01/12 13:33:33 == : phase1 hash_r ( computed ) ( 20 bytes )
09/01/12 13:33:33 == : phase1 hash_r ( received ) ( 20 bytes )
09/01/12 13:33:33 ii : phase1 sa established
09/01/12 13:33:33 ii : 195.159.111.66:4500 <-> 192.168.0.199:4500
09/01/12 13:33:33 ii : 226893edab8a100:65da80a148909240
09/01/12 13:33:33 ii : sending peer INITIAL-CONTACT notification
09/01/12 13:33:33 ii : - 192.168.0.199:4500 -> 195.159.111.66:4500
09/01/12 13:33:33 ii : - isakmp spi = 0226893edab8a100:65da80a148909240
09/01/12 13:33:33 ii : - data size 0
09/01/12 13:33:33 >> : hash payload
09/01/12 13:33:33 >> : notification payload
09/01/12 13:33:33 == : new informational hash ( 20 bytes )
09/01/12 13:33:33 == : new informational iv ( 8 bytes )
09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240
09/01/12 13:33:33 >= : message fa803be7
09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )
09/01/12 13:33:33 == : encrypt packet ( 80 bytes )
09/01/12 13:33:33 == : stored iv ( 8 bytes )
09/01/12 13:33:33 -> : send NAT-T:IKE packet 192.168.0.199:4500 ->
195.159.111.66:4500 ( 116 bytes )
09/01/12 13:33:33 DB : phase2 not found
09/01/12 13:33:33 <- : recv NAT-T:IKE packet 195.159.111.66:4500 ->
192.168.0.199:4500 ( 76 bytes )
09/01/12 13:33:33 DB : phase1 found
09/01/12 13:33:33 ii : processing config packet ( 76 bytes )
09/01/12 13:33:33 DB : config not found
09/01/12 13:33:33 DB : config added ( obj count = 1 )
09/01/12 13:33:33 == : new config iv ( 8 bytes )
09/01/12 13:33:33 =< : cookies 0226893edab8a100:65da80a148909240
09/01/12 13:33:33 =< : message 87640ecc
09/01/12 13:33:33 =< : decrypt iv ( 8 bytes )
09/01/12 13:33:33 == : decrypt packet ( 76 bytes )
09/01/12 13:33:33 <= : trimmed packet padding ( 8 bytes )
09/01/12 13:33:33 <= : stored iv ( 8 bytes )
09/01/12 13:33:33 << : hash payload
09/01/12 13:33:33 << : attribute payload
09/01/12 13:33:33 == : configure hash_i ( computed ) ( 20 bytes )
09/01/12 13:33:33 == : configure hash_c ( computed ) ( 20 bytes )
09/01/12 13:33:33 ii : configure hash verified
09/01/12 13:33:33 !! : warning, missing required xauth type attribute
09/01/12 13:33:33 ii : received xauth request -
09/01/12 13:33:33 ii : added standard xauth username attribute
09/01/12 13:33:33 ii : added standard xauth password attribute
09/01/12 13:33:33 ii : sending xauth response for robert
09/01/12 13:33:33 >> : hash payload
09/01/12 13:33:33 >> : attribute payload
09/01/12 13:33:33 == : new configure hash ( 20 bytes )
09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240
09/01/12 13:33:33 >= : message 87640ecc
09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )
09/01/12 13:33:33 == : encrypt packet ( 86 bytes )
09/01/12 13:33:33 == : stored iv ( 8 bytes )
09/01/12 13:33:33 -> : send NAT-T:IKE packet 192.168.0.199:4500 ->
195.159.111.66:4500 ( 124 bytes )
09/01/12 13:33:33 DB : config resend event scheduled ( ref count = 2 )
09/01/12 13:33:33 <- : recv NAT-T:IKE packet 195.159.111.66:4500 ->
192.168.0.199:4500 ( 68 bytes )
09/01/12 13:33:33 DB : phase1 found
09/01/12 13:33:33 ii : processing config packet ( 68 bytes )
09/01/12 13:33:33 DB : config found
09/01/12 13:33:33 == : new config iv ( 8 bytes )
09/01/12 13:33:33 =< : cookies 0226893edab8a100:65da80a148909240
09/01/12 13:33:33 =< : message a27cf1aa
09/01/12 13:33:33 =< : decrypt iv ( 8 bytes )
09/01/12 13:33:33 == : decrypt packet ( 68 bytes )
09/01/12 13:33:33 <= : trimmed packet padding ( 4 bytes )
09/01/12 13:33:33 <= : stored iv ( 8 bytes )
09/01/12 13:33:33 << : hash payload
09/01/12 13:33:33 << : attribute payload
09/01/12 13:33:33 == : configure hash_i ( computed ) ( 20 bytes )
09/01/12 13:33:33 == : configure hash_c ( computed ) ( 20 bytes )
09/01/12 13:33:33 ii : configure hash verified
09/01/12 13:33:33 ii : received xauth result -
09/01/12 13:33:33 ii : user robert authentication succeeded
09/01/12 13:33:33 ii : sending xauth acknowledge
09/01/12 13:33:33 >> : hash payload
09/01/12 13:33:33 >> : attribute payload
09/01/12 13:33:33 == : new configure hash ( 20 bytes )
09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240
09/01/12 13:33:33 >= : message a27cf1aa
09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )
09/01/12 13:33:33 == : encrypt packet ( 60 bytes )
09/01/12 13:33:33 == : stored iv ( 8 bytes )
09/01/12 13:33:33 DB : config resend event canceled ( ref count = 1 )
09/01/12 13:33:33 -> : send NAT-T:IKE packet 192.168.0.199:4500 ->
195.159.111.66:4500 ( 92 bytes )
09/01/12 13:33:33 DB : config resend event scheduled ( ref count = 2 )
09/01/12 13:33:33 ii : building config attribute list
09/01/12 13:33:33 ii : - IP4 Address
09/01/12 13:33:33 ii : - Address Expiry
09/01/12 13:33:33 ii : - IP4 Netamask
09/01/12 13:33:33 ii : - IP4 DNS Server
09/01/12 13:33:33 ii : - IP4 WINS Server
09/01/12 13:33:33 ii : - DNS Suffix
09/01/12 13:33:33 ii : - Split DNS Domain
09/01/12 13:33:33 ii : - IP4 Split Network Include
09/01/12 13:33:33 ii : - IP4 Split Network Exclude
09/01/12 13:33:33 ii : - Save Password
09/01/12 13:33:33 == : new config iv ( 8 bytes )
09/01/12 13:33:33 ii : sending config pull request
09/01/12 13:33:33 >> : hash payload
09/01/12 13:33:33 >> : attribute payload
09/01/12 13:33:33 == : new configure hash ( 20 bytes )
09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240
09/01/12 13:33:33 >= : message a15127cd
09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )
09/01/12 13:33:33 == : encrypt packet ( 100 bytes )
09/01/12 13:33:33 == : stored iv ( 8 bytes )
09/01/12 13:33:33 DB : config resend event canceled ( ref count = 1 )
09/01/12 13:33:33 -> : send NAT-T:IKE packet 192.168.0.199:4500 ->
195.159.111.66:4500 ( 132 bytes )
09/01/12 13:33:33 DB : config resend event scheduled ( ref count = 2 )
09/01/12 13:33:33 <- : recv NAT-T:IKE packet 195.159.111.66:4500 ->
192.168.0.199:4500 ( 188 bytes )
09/01/12 13:33:33 DB : phase1 found
09/01/12 13:33:33 ii : processing config packet ( 188 bytes )
09/01/12 13:33:33 DB : config found
09/01/12 13:33:33 =< : cookies 0226893edab8a100:65da80a148909240
09/01/12 13:33:33 =< : message a15127cd
09/01/12 13:33:33 =< : decrypt iv ( 8 bytes )
09/01/12 13:33:33 == : decrypt packet ( 188 bytes )
09/01/12 13:33:33 <= : trimmed packet padding ( 3 bytes )
09/01/12 13:33:33 <= : stored iv ( 8 bytes )
09/01/12 13:33:33 << : hash payload
09/01/12 13:33:33 << : attribute payload
09/01/12 13:33:33 == : configure hash_i ( computed ) ( 20 bytes )
09/01/12 13:33:33 == : configure hash_c ( computed ) ( 20 bytes )
09/01/12 13:33:33 ii : configure hash verified
09/01/12 13:33:33 ii : received config pull response
09/01/12 13:33:33 ii : - IP4 Address = 192.168.113.64
09/01/12 13:33:33 ii : - Address Expiry = 2136015104
09/01/12 13:33:33 ii : - IP4 Netmask = 255.255.255.0
09/01/12 13:33:33 ii : - IP4 DNS Server = 192.168.3.101
09/01/12 13:33:33 ii : - IP4 DNS Server = 195.159.0.100
09/01/12 13:33:33 ii : - DNS Suffix = pillar.as
09/01/12 13:33:33 ii : - Split Domain
09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:192.168.3.0/24:*
09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:10.220.0.0/16:*
09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:91.203.116.34/32:*
09/01/12 13:33:33 ii : - IP4 Split Network Exclude = ANY:0.0.0.0/32:* (
invalid subnet ignored )
09/01/12 13:33:33 ii : - Save Password = 0
09/01/12 13:33:33 DB : config resend event canceled ( ref count = 1 )
09/01/12 13:33:35 ii : VNET adapter MTU is 1500
09/01/12 13:33:35 ii : enabled adapter ROOT\VNET\0000
09/01/12 13:33:35 ii : creating IPSEC INBOUND policy ANY:192.168.3.0/24:* ->
ANY:192.168.113.64:*
09/01/12 13:33:35 DB : policy added ( obj count = 1 )
09/01/12 13:33:35 K> : send pfkey X_SPDADD UNSPEC message
09/01/12 13:33:35 ii : creating IPSEC OUTBOUND policy ANY:192.168.113.64:*
-> ANY:192.168.3.0/24:*
09/01/12 13:33:35 K< : recv pfkey X_SPDADD UNSPEC message
09/01/12 13:33:35 DB : policy found
09/01/12 13:33:40 !! : failed to create IPSEC policy route for
192.168.3.0/24
09/01/12 13:33:40 DB : policy added ( obj count = 2 )
09/01/12 13:33:40 K> : send pfkey X_SPDADD UNSPEC message
09/01/12 13:33:40 ii : creating IPSEC INBOUND policy ANY:10.220.0.0/16:* ->
ANY:192.168.113.64:*
09/01/12 13:33:40 DB : policy added ( obj count = 3 )
09/01/12 13:33:40 K> : send pfkey X_SPDADD UNSPEC message
09/01/12 13:33:40 ii : creating IPSEC OUTBOUND policy ANY:192.168.113.64:*
-> ANY:10.220.0.0/16:*
09/01/12 13:33:40 K< : recv pfkey X_SPDADD UNSPEC message
09/01/12 13:33:40 DB : policy found
09/01/12 13:33:40 ii : calling init phase2 for initial policy
09/01/12 13:33:40 DB : policy found
09/01/12 13:33:40 DB : policy found
09/01/12 13:33:40 DB : tunnel found
09/01/12 13:33:40 DB : new phase2 ( IPSEC initiator )
09/01/12 13:33:40 DB : phase2 added ( obj count = 1 )
09/01/12 13:33:40 K> : send pfkey GETSPI ESP message
09/01/12 13:33:40 K< : recv pfkey X_SPDADD UNSPEC message
09/01/12 13:33:40 DB : policy found
09/01/12 13:33:40 K< : recv pfkey GETSPI ESP message
09/01/12 13:33:40 DB : phase2 found
09/01/12 13:33:40 ii : updated spi for 1 ipsec-esp proposal
09/01/12 13:33:40 DB : phase1 found
09/01/12 13:33:40 >> : hash payload
09/01/12 13:33:40 >> : security association payload
09/01/12 13:33:40 >> : - proposal #1 payload
09/01/12 13:33:40 >> : -- transform #1 payload
09/01/12 13:33:40 >> : -- transform #2 payload
09/01/12 13:33:40 >> : -- transform #3 payload
09/01/12 13:33:40 >> : -- transform #4 payload
09/01/12 13:33:40 >> : -- transform #5 payload
09/01/12 13:33:40 >> : -- transform #6 payload
09/01/12 13:33:40 >> : -- transform #7 payload
09/01/12 13:33:40 >> : -- transform #8 payload
09/01/12 13:33:40 >> : -- transform #9 payload
09/01/12 13:33:40 >> : -- transform #10 payload
09/01/12 13:33:40 >> : -- transform #11 payload
09/01/12 13:33:40 >> : -- transform #12 payload
09/01/12 13:33:40 >> : -- transform #13 payload
09/01/12 13:33:40 >> : -- transform #14 payload
09/01/12 13:33:40 >> : -- transform #15 payload
09/01/12 13:33:40 >> : -- transform #16 payload
09/01/12 13:33:40 >> : -- transform #17 payload
09/01/12 13:33:40 >> : -- transform #18 payload
09/01/12 13:33:40 >> : nonce payload
09/01/12 13:33:40 >> : identification payload
09/01/12 13:33:40 >> : identification payload
09/01/12 13:33:40 == : phase2 hash_i ( input ) ( 632 bytes )
09/01/12 13:33:40 == : phase2 hash_i ( computed ) ( 20 bytes )
09/01/12 13:33:40 == : new phase2 iv ( 8 bytes )
09/01/12 13:33:40 >= : cookies 0226893edab8a100:65da80a148909240
09/01/12 13:33:40 >= : message a8c542ad
09/01/12 13:33:40 >= : encrypt iv ( 8 bytes )
09/01/12 13:33:40 == : encrypt packet ( 680 bytes )
09/01/12 13:33:40 == : stored iv ( 8 bytes )
09/01/12 13:33:40 -> : send NAT-T:IKE packet 192.168.0.199:4500 ->
195.159.111.66:4500 ( 716 bytes )
09/01/12 13:33:40 DB : phase2 resend event scheduled ( ref count = 2 )
09/01/12 13:33:40 <- : recv NAT-T:IKE packet 195.159.111.66:4500 ->
192.168.0.199:4500 ( 188 bytes )
09/01/12 13:33:40 DB : phase1 found
09/01/12 13:33:40 ii : processing phase2 packet ( 188 bytes )
09/01/12 13:33:40 DB : phase2 found
09/01/12 13:33:40 =< : cookies 0226893edab8a100:65da80a148909240
09/01/12 13:33:40 =< : message a8c542ad
09/01/12 13:33:40 =< : decrypt iv ( 8 bytes )
09/01/12 13:33:40 == : decrypt packet ( 188 bytes )
09/01/12 13:33:40 <= : trimmed packet padding ( 4 bytes )
09/01/12 13:33:40 <= : stored iv ( 8 bytes )
09/01/12 13:33:40 << : hash payload
09/01/12 13:33:40 << : security association payload
09/01/12 13:33:40 << : - propsal #1 payload
09/01/12 13:33:40 << : -- transform #1 payload
09/01/12 13:33:40 << : nonce payload
09/01/12 13:33:40 << : identification payload
09/01/12 13:33:40 << : identification payload
09/01/12 13:33:40 << : notification payload
09/01/12 13:33:40 == : phase2 hash_r ( input ) ( 156 bytes )
09/01/12 13:33:40 == : phase2 hash_r ( computed ) ( 20 bytes )
09/01/12 13:33:40 == : phase2 hash_r ( received ) ( 20 bytes )
09/01/12 13:33:40 ii : unmatched ipsec-esp proposal/transform
09/01/12 13:33:40 ii : msg auth ( hmac-sha != hmac-md5 )
09/01/12 13:33:40 !! : peer violates RFC, transform number mismatch ( 1 != 2
)
09/01/12 13:33:40 ii : matched ipsec-esp proposal #1 transform #2
09/01/12 13:33:40 ii : - transform    = esp-aes
09/01/12 13:33:40 ii : - key length   = 256 bits
09/01/12 13:33:40 ii : - encap mode   = udp-tunnel ( rfc )
09/01/12 13:33:40 ii : - msg auth     = hmac-sha
09/01/12 13:33:40 ii : - pfs dh group = none
09/01/12 13:33:40 ii : - life seconds = 3600
09/01/12 13:33:40 ii : - life kbytes  = 0
09/01/12 13:33:40 DB : policy found
09/01/12 13:33:40 ii : received peer RESPONDER-LIFETIME notification
09/01/12 13:33:40 ii : - 195.159.111.66:4500 -> 192.168.0.199:4500
09/01/12 13:33:40 ii : - ipsec-esp spi = 0x1efc8af8
09/01/12 13:33:40 ii : - data size 12
09/01/12 13:33:40 K> : send pfkey GETSPI ESP message
09/01/12 13:33:40 ii : phase2 ids accepted
09/01/12 13:33:40 ii : - loc ANY:192.168.113.64:* -> ANY:192.168.3.0/24:*
09/01/12 13:33:40 ii : - rmt ANY:192.168.3.0/24:* -> ANY:192.168.113.64:*
09/01/12 13:33:40 ii : phase2 sa established
09/01/12 13:33:40 ii : 192.168.0.199:4500 <-> 195.159.111.66:4500
09/01/12 13:33:40 == : phase2 hash_p ( input ) ( 45 bytes )
09/01/12 13:33:40 == : phase2 hash_p ( computed ) ( 20 bytes )
09/01/12 13:33:40 >> : hash payload
09/01/12 13:33:40 >= : cookies 0226893edab8a100:65da80a148909240
09/01/12 13:33:40 >= : message a8c542ad
09/01/12 13:33:40 >= : encrypt iv ( 8 bytes )
09/01/12 13:33:40 == : encrypt packet ( 52 bytes )
09/01/12 13:33:40 == : stored iv ( 8 bytes )
09/01/12 13:33:40 DB : phase2 resend event canceled ( ref count = 1 )
09/01/12 13:33:40 -> : send NAT-T:IKE packet 192.168.0.199:4500 ->
195.159.111.66:4500 ( 84 bytes )
09/01/12 13:33:40 == : spi cipher key data ( 32 bytes )
09/01/12 13:33:40 == : spi hmac key data ( 20 bytes )
09/01/12 13:33:40 K> : send pfkey UPDATE ESP message
09/01/12 13:33:40 == : spi cipher key data ( 32 bytes )
09/01/12 13:33:40 == : spi hmac key data ( 20 bytes )
09/01/12 13:33:40 K> : send pfkey UPDATE ESP message
09/01/12 13:33:40 K< : recv pfkey GETSPI ESP message
09/01/12 13:33:40 DB : phase2 found
09/01/12 13:33:40 K< : recv pfkey UPDATE ESP message
09/01/12 13:33:40 K< : recv pfkey UPDATE ESP message
09/01/12 13:33:45 !! : failed to create IPSEC policy route for 10.220.0.0/16
09/01/12 13:33:45 DB : policy added ( obj count = 4 )
09/01/12 13:33:45 K> : send pfkey X_SPDADD UNSPEC message
09/01/12 13:33:45 ii : creating IPSEC INBOUND policy
ANY:91.203.116.34/32:*-> ANY:192.168.113.64:
*
09/01/12 13:33:45 DB : policy added ( obj count = 5 )
09/01/12 13:33:45 K> : send pfkey X_SPDADD UNSPEC message
09/01/12 13:33:45 ii : creating IPSEC OUTBOUND policy ANY:192.168.113.64:*
-> ANY:91.203.116.34/32:*
09/01/12 13:33:45 K< : recv pfkey X_SPDADD UNSPEC message
09/01/12 13:33:45 DB : policy found
09/01/12 13:33:45 K< : recv pfkey X_SPDADD UNSPEC message
09/01/12 13:33:45 DB : policy found
09/01/12 13:33:48 DB : phase1 found
09/01/12 13:33:48 -> : send NAT-T:KEEP-ALIVE packet 192.168.0.199:4500 ->
195.159.111.66:4500
09/01/12 13:33:50 !! : failed to create IPSEC policy route for
91.203.116.34/32
09/01/12 13:33:50 DB : policy added ( obj count = 6 )
09/01/12 13:33:50 K> : send pfkey X_SPDADD UNSPEC message
09/01/12 13:33:50 ii : split DNS bypassed ( no split domains defined )
09/01/12 13:33:50 K< : recv pfkey X_SPDADD UNSPEC message
09/01/12 13:33:50 DB : policy found
09/01/12 13:34:04 DB : phase1 found
09/01/12 13:34:04 -> : send NAT-T:KEEP-ALIVE packet 192.168.0.199:4500 ->
195.159.111.66:4500
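As an added example (not part of the original post and not Shrew Soft code), the script below parses the two artifacts posted above, the IKE service log and the Windows `route print` output, and lines up each "IP4 Split Network Include" the gateway pushed against the "failed to create IPSEC policy route" messages and against whatever route the host already has for that destination. The sample log and route lines inside it are constructed (abbreviated from the shape of the post) so the script runs offline; the function names are my own. The interface column of a Windows route is compared with the VNET address from the config pull response, so a split network whose route is bound to some other adapter is reported as such rather than as "ok".

```python
"""Cross-check a Shrew Soft IKE log against a Windows IPv4 route table.

Example code added to this post; not Shrew Soft's own tooling.
The sample inputs are constructed and only mirror the log format.
"""
import re
from ipaddress import IPv4Address, IPv4Network, ip_network

# Constructed sample: abbreviated iked log in the same format as the post.
SAMPLE_IKE_LOG = """\
09/01/12 13:33:33 ii : received config pull response
09/01/12 13:33:33 ii : - IP4 Address = 192.168.113.64
09/01/12 13:33:33 ii : - IP4 Netmask = 255.255.255.0
09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:192.168.3.0/24:*
09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:10.220.0.0/16:*
09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:91.203.116.34/32:*
09/01/12 13:33:33 ii : - IP4 Split Network Exclude = ANY:0.0.0.0/32:* (
invalid subnet ignored )
09/01/12 13:33:40 !! : failed to create IPSEC policy route for
192.168.3.0/24
09/01/12 13:33:45 !! : failed to create IPSEC policy route for 10.220.0.0/16
"""

# Constructed sample: abbreviated "route print" IPv4 section.
SAMPLE_ROUTE_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.199     10
       10.220.0.0      255.255.0.0         On-link                15     51
      192.168.3.0    255.255.255.0         On-link    192.168.113.26     51
"""

SPLIT_RE = re.compile(r"IP4 Split Network Include = ANY:([\d./]+):\*")
ADDR_RE = re.compile(r"IP4 Address = ([\d.]+)")
# \s+ deliberately spans a line break: the log wraps long messages, so the
# subnet may sit alone on the following line without a timestamp.
FAIL_RE = re.compile(r"failed to create IPSEC policy route for\s+([\d./]+)")
# dest, netmask, gateway, interface (address or index), metric
ROUTE_RE = re.compile(
    r"^\s*([\d.]+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$", re.MULTILINE
)


def parse_ike_log(text):
    """Return (VNET address or None, [split include networks], [failed networks])."""
    m = ADDR_RE.search(text)
    vnet = IPv4Address(m.group(1)) if m else None
    includes = [ip_network(n) for n in SPLIT_RE.findall(text)]
    failures = [ip_network(n) for n in FAIL_RE.findall(text)]
    return vnet, includes, failures


def parse_route_table(text):
    """Return {IPv4Network: interface column} for every route line found."""
    routes = {}
    for dest, mask, _gateway, iface, _metric in ROUTE_RE.findall(text):
        # strict=False tolerates any stray host bits in a pasted table
        routes[IPv4Network((dest, mask), strict=False)] = iface
    return routes


def check_split_routes(ike_log, route_table):
    """Per announced split network, say what the host's route table shows."""
    vnet, includes, failures = parse_ike_log(ike_log)
    routes = parse_route_table(route_table)
    report = {}
    for net in includes:
        iface = routes.get(net)
        if net in failures and iface is None:
            status = "route creation failed, no route present"
        elif net in failures:
            status = f"route creation failed, existing route bound to {iface}"
        elif iface is None:
            status = "no route present"
        elif vnet is not None and iface == str(vnet):
            status = "ok"
        else:
            status = f"route bound to {iface}, not the VNET address"
        report[str(net)] = status
    return report


if __name__ == "__main__":
    for net, status in check_split_routes(SAMPLE_IKE_LOG, SAMPLE_ROUTE_TABLE).items():
        print(f"{net:20} {status}")
```

To use it on a real capture, pass the full iked log text and the IPv4 section of `route print` to `check_split_routes`; the regexes ignore the IPv6 table and the interface list.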