[Vpn-help] Multiple network problem

Noach Sumner nss at compu-skill.com
Tue Jan 13 03:07:22 CST 2009


Matthew,

This is great. Robert just helped you isolate my bug, which he is now
experiencing, and told us why you can't reproduce it.

Note his IPs
   IPv4 Address. . . . . . . . . . . : 192.168.113.46(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 192.168.113.55(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

remind you of anything (it sure does for me). Only he found what I never
even thought to test. I also have multiple address blocks set in my policy! I
am not by my laptop right now but I will try and test tonight. I bet you if
I bring it down to 1 address block it will suddenly work!

Do you have time to work on this yet or not really?

On Mon, Jan 12, 2009 at 2:39 PM, Robert Myhren <myhren at gmail.com> wrote:

> Hi!
>
> I have installed Shrew VPN client (v2.1.4) on Windows Vista 64.
> The client is connecting to a Cisco IOS.
>
> The tunnel is created as expected.
>
> The Cisco gateway announces several subnets.
> 192.168.3.0/24 10.220.0.0/16 and 192.192.168.113.0/24.
>
> Now, if I define more than one subnet, or if it is set to auto under "Policy",
> then I am not able to access any of the networks.
>
> If I define only one network manually under "Policy", then it works for
> that subnet.
>
> I have found this in the logs,
> failed to create IPSEC policy route for 192.168.3.0/24
>
> Any help is greatly appreciated.
>
> Regards,
>
> Robert
>
>
> LOG OUTPUT BELOW:
>
> ipconfig output:
> Ethernet adapter Local Area Connection* 17:
>
>    Connection-specific DNS Suffix  . : pillar.as
>    Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
>    Physical Address. . . . . . . . . : AA-AA-AA-AA-AA-00
>    DHCP Enabled. . . . . . . . . . . : No
>    Autoconfiguration Enabled . . . . : Yes
>    Link-local IPv6 Address . . . . . :
> fe80::4583:1a90:d144:b362%21(Preferred)
>    IPv4 Address. . . . . . . . . . . : 192.168.113.46(Preferred)
>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
>    IPv4 Address. . . . . . . . . . . : 192.168.113.55(Preferred)
>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
>    Default Gateway . . . . . . . . . :
>    DNS Servers . . . . . . . . . . . : 192.168.3.101
>                                        195.159.0.100
>    NetBIOS over Tcpip. . . . . . . . : Disabled
>
> route output:
> Interface List
>  21 ...aa aa aa aa aa 00 ...... Shrew Soft Virtual Adapter
>  15 ...02 00 4e 43 50 49 ...... NCP Secure Client Virtual NDIS6 Adapter
>  12 ...00 1f 3b bf 30 7b ...... Intel(R) Wireless WiFi Link 4965AGN
>  10 ...00 1c 23 50 65 38 ...... Broadcom NetXtreme 57xx Gigabit Controller
>   1 ........................... Software Loopback Interface 1
>  20 ...00 00 00 00 00 00 00 e0
> isatap.{B06A9A31-24A5-48F1-A151-1D518CEAD8CB}
>  11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
>  18 ...00 00 00 00 00 00 00 e0  isatap.bb.online.no
>  48 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #3
>  19 ...00 00 00 00 00 00 00 e0  6TO4 Adapter
> ===========================================================================
>
> IPv4 Route Table
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.199     10
>        10.220.0.0      255.255.0.0         On-link                15     51
>    10.220.255.255  255.255.255.255         On-link                15    306
>     91.203.116.34  255.255.255.255         On-link                15     51
>         127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
>         127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
>   127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
>       192.168.0.0    255.255.255.0         On-link     192.168.0.199    266
>     192.168.0.199  255.255.255.255         On-link     192.168.0.199    266
>     192.168.0.255  255.255.255.255         On-link     192.168.0.199    266
>       192.168.3.0    255.255.255.0         On-link    192.168.113.26     51
>     192.168.3.255  255.255.255.255         On-link    192.168.113.26    306
>         224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
>         224.0.0.0        240.0.0.0         On-link     192.168.0.199    266
>         224.0.0.0        240.0.0.0         On-link    192.168.113.26    306
>   255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
>   255.255.255.255  255.255.255.255         On-link     192.168.0.199    266
>   255.255.255.255  255.255.255.255         On-link    192.168.113.26    306
> ===========================================================================
> Persistent Routes:
>   None
>
> IPv6 Route Table
> ===========================================================================
> Active Routes:
>  If Metric Network Destination      Gateway
>   1    306 ::1/128                  On-link
>  10    266 fe80::/64                On-link
>  21    306 fe80::/64                On-link
>  21    306 fe80::4583:1a90:d144:b362/128
>                                     On-link
>  10    266 fe80::b5ed:a21:4099:cbd/128
>                                     On-link
>   1    306 ff00::/8                 On-link
>  10    266 ff00::/8                 On-link
>  21    306 ff00::/8                 On-link
> ===========================================================================
> Persistent Routes:
>   None
>
> IKE service log:
> 09/01/12 13:33:33 ii : ipc client process thread begin ...
> 09/01/12 13:33:33 <A : peer config add message
> 09/01/12 13:33:33 DB : peer added ( obj count = 1 )
> 09/01/12 13:33:33 ii : local address 192.168.0.199:500 selected for peer
> 09/01/12 13:33:33 DB : tunnel added ( obj count = 1 )
> 09/01/12 13:33:33 <A : proposal config message
> 09/01/12 13:33:33 <A : proposal config message
> 09/01/12 13:33:33 <A : client config message
> 09/01/12 13:33:33 <A : xauth username message
> 09/01/12 13:33:33 <A : xauth password message
> 09/01/12 13:33:33 <A : local id 'BC' message
> 09/01/12 13:33:33 <A : remote id 'BC-R01.basis-consulting.no' message
> 09/01/12 13:33:33 <A : preshared key message
> 09/01/12 13:33:33 <A : peer tunnel enable message
> 09/01/12 13:33:33 DB : new phase1 ( ISAKMP initiator )
> 09/01/12 13:33:33 DB : exchange type is aggressive
> 09/01/12 13:33:33 DB : 192.168.0.199:500 <-> 195.159.111.66:500
> 09/01/12 13:33:33 DB : 0226893edab8a100:0000000000000000
> 09/01/12 13:33:33 DB : phase1 added ( obj count = 1 )
> 09/01/12 13:33:33 >> : security association payload
> 09/01/12 13:33:33 >> : - proposal #1 payload
> 09/01/12 13:33:33 >> : -- transform #1 payload
> 09/01/12 13:33:33 >> : -- transform #2 payload
> 09/01/12 13:33:33 >> : -- transform #3 payload
> 09/01/12 13:33:33 >> : -- transform #4 payload
> 09/01/12 13:33:33 >> : -- transform #5 payload
> 09/01/12 13:33:33 >> : -- transform #6 payload
> 09/01/12 13:33:33 >> : -- transform #7 payload
> 09/01/12 13:33:33 >> : -- transform #8 payload
> 09/01/12 13:33:33 >> : -- transform #9 payload
> 09/01/12 13:33:33 >> : -- transform #10 payload
> 09/01/12 13:33:33 >> : -- transform #11 payload
> 09/01/12 13:33:33 >> : -- transform #12 payload
> 09/01/12 13:33:33 >> : -- transform #13 payload
> 09/01/12 13:33:33 >> : -- transform #14 payload
> 09/01/12 13:33:33 >> : -- transform #15 payload
> 09/01/12 13:33:33 >> : -- transform #16 payload
> 09/01/12 13:33:33 >> : -- transform #17 payload
> 09/01/12 13:33:33 >> : -- transform #18 payload
> 09/01/12 13:33:33 >> : key exchange payload
> 09/01/12 13:33:33 >> : nonce payload
> 09/01/12 13:33:33 >> : identification payload
> 09/01/12 13:33:33 >> : vendor id payload
> 09/01/12 13:33:33 ii : local supports XAUTH
> 09/01/12 13:33:33 >> : vendor id payload
> 09/01/12 13:33:33 ii : local supports nat-t ( draft v00 )
> 09/01/12 13:33:33 >> : vendor id payload
> 09/01/12 13:33:33 ii : local supports nat-t ( draft v01 )
> 09/01/12 13:33:33 >> : vendor id payload
> 09/01/12 13:33:33 ii : local supports nat-t ( draft v02 )
> 09/01/12 13:33:33 >> : vendor id payload
> 09/01/12 13:33:33 ii : local supports nat-t ( draft v03 )
> 09/01/12 13:33:33 >> : vendor id payload
> 09/01/12 13:33:33 ii : local supports nat-t ( rfc )
> 09/01/12 13:33:33 >> : vendor id payload
> 09/01/12 13:33:33 ii : local supports FRAGMENTATION
> 09/01/12 13:33:33 >> : vendor id payload
> 09/01/12 13:33:33 ii : local is SHREW SOFT compatible
> 09/01/12 13:33:33 >> : vendor id payload
> 09/01/12 13:33:33 ii : local is NETSCREEN compatible
> 09/01/12 13:33:33 >> : vendor id payload
> 09/01/12 13:33:33 ii : local is SIDEWINDER compatible
> 09/01/12 13:33:33 >> : vendor id payload
> 09/01/12 13:33:33 ii : local is CISCO UNITY compatible
> 09/01/12 13:33:33 >= : cookies 0226893edab8a100:0000000000000000
> 09/01/12 13:33:33 >= : message 00000000
> 09/01/12 13:33:33 -> : send IKE packet 192.168.0.199:500 ->
> 195.159.111.66:500 ( 1158 bytes )
> 09/01/12 13:33:33 DB : phase1 resend event scheduled ( ref count = 2 )
> 09/01/12 13:33:33 <- : recv IKE packet 195.159.111.66:500 ->
> 192.168.0.199:500 ( 438 bytes )
> 09/01/12 13:33:33 DB : phase1 found
> 09/01/12 13:33:33 ii : processing phase1 packet ( 438 bytes )
> 09/01/12 13:33:33 =< : cookies 0226893edab8a100:65da80a148909240
> 09/01/12 13:33:33 =< : message 00000000
> 09/01/12 13:33:33 << : security association payload
> 09/01/12 13:33:33 << : - propsal #1 payload
> 09/01/12 13:33:33 << : -- transform #1 payload
> 09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
> 09/01/12 13:33:33 ii : cipher type ( 3des != aes )
> 09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
> 09/01/12 13:33:33 ii : cipher type ( 3des != aes )
> 09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
> 09/01/12 13:33:33 ii : cipher type ( 3des != aes )
> 09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
> 09/01/12 13:33:33 ii : cipher type ( 3des != aes )
> 09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
> 09/01/12 13:33:33 ii : cipher type ( 3des != aes )
> 09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
> 09/01/12 13:33:33 ii : cipher type ( 3des != aes )
> 09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
> 09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )
> 09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
> 09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )
> 09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
> 09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )
> 09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
> 09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )
> 09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
> 09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )
> 09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
> 09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )
> 09/01/12 13:33:33 ii : unmatched isakmp proposal/transform
> 09/01/12 13:33:33 ii : hash type ( hmac-sha != hmac-md5 )
> 09/01/12 13:33:33 !! : peer violates RFC, transform number mismatch ( 1 !=
> 14 )
> 09/01/12 13:33:33 ii : matched isakmp proposal #1 transform #1
> 09/01/12 13:33:33 ii : - transform    = ike
> 09/01/12 13:33:33 ii : - cipher type  = 3des
> 09/01/12 13:33:33 ii : - key length   = default
> 09/01/12 13:33:33 ii : - hash type    = sha1
> 09/01/12 13:33:33 ii : - dh group     = modp-1024
> 09/01/12 13:33:33 ii : - auth type    = xauth-initiator-psk
> 09/01/12 13:33:33 ii : - life seconds = 86400
> 09/01/12 13:33:33 ii : - life kbytes  = 0
> 09/01/12 13:33:33 << : vendor id payload
> 09/01/12 13:33:33 ii : peer is CISCO UNITY compatible
> 09/01/12 13:33:33 << : vendor id payload
> 09/01/12 13:33:33 ii : peer supports DPDv1
> 09/01/12 13:33:33 << : vendor id payload
> 09/01/12 13:33:33 ii : unknown vendor id ( 16 bytes )
> 09/01/12 13:33:33 0x : 901d27bc 48919240 e61a88fc 07f35213
> 09/01/12 13:33:33 << : vendor id payload
> 09/01/12 13:33:33 ii : peer supports XAUTH
> 09/01/12 13:33:33 << : vendor id payload
> 09/01/12 13:33:33 ii : peer supports nat-t ( rfc )
> 09/01/12 13:33:33 << : key exchange payload
> 09/01/12 13:33:33 << : identification payload
> 09/01/12 13:33:33 ii : phase1 id match
> 09/01/12 13:33:33 ii : received = fqdn BC-R01.basis-consulting.no
> 09/01/12 13:33:33 << : nonce payload
> 09/01/12 13:33:33 << : hash payload
> 09/01/12 13:33:33 << : nat discovery payload
> 09/01/12 13:33:33 << : nat discovery payload
> 09/01/12 13:33:33 ii : nat discovery - local address is translated
> 09/01/12 13:33:33 ii : switching to nat-t udp port 4500
> 09/01/12 13:33:33 == : DH shared secret ( 128 bytes )
> 09/01/12 13:33:33 == : SETKEYID ( 20 bytes )
> 09/01/12 13:33:33 == : SETKEYID_d ( 20 bytes )
> 09/01/12 13:33:33 == : SETKEYID_a ( 20 bytes )
> 09/01/12 13:33:33 == : SETKEYID_e ( 20 bytes )
> 09/01/12 13:33:33 == : cipher key ( 40 bytes )
> 09/01/12 13:33:33 == : cipher iv ( 8 bytes )
> 09/01/12 13:33:33 == : phase1 hash_i ( computed ) ( 20 bytes )
> 09/01/12 13:33:33 >> : hash payload
> 09/01/12 13:33:33 >> : nat discovery payload
> 09/01/12 13:33:33 >> : nat discovery payload
> 09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240
> 09/01/12 13:33:33 >= : message 00000000
> 09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )
> 09/01/12 13:33:33 == : encrypt packet ( 100 bytes )
> 09/01/12 13:33:33 == : stored iv ( 8 bytes )
> 09/01/12 13:33:33 DB : phase1 resend event canceled ( ref count = 1 )
> 09/01/12 13:33:33 -> : send NAT-T:IKE packet 192.168.0.199:4500 ->
> 195.159.111.66:4500 ( 132 bytes )
> 09/01/12 13:33:33 == : phase1 hash_r ( computed ) ( 20 bytes )
> 09/01/12 13:33:33 == : phase1 hash_r ( received ) ( 20 bytes )
> 09/01/12 13:33:33 ii : phase1 sa established
> 09/01/12 13:33:33 ii : 195.159.111.66:4500 <-> 192.168.0.199:4500
> 09/01/12 13:33:33 ii : 226893edab8a100:65da80a148909240
> 09/01/12 13:33:33 ii : sending peer INITIAL-CONTACT notification
> 09/01/12 13:33:33 ii : - 192.168.0.199:4500 -> 195.159.111.66:4500
> 09/01/12 13:33:33 ii : - isakmp spi = 0226893edab8a100:65da80a148909240
> 09/01/12 13:33:33 ii : - data size 0
> 09/01/12 13:33:33 >> : hash payload
> 09/01/12 13:33:33 >> : notification payload
> 09/01/12 13:33:33 == : new informational hash ( 20 bytes )
> 09/01/12 13:33:33 == : new informational iv ( 8 bytes )
> 09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240
> 09/01/12 13:33:33 >= : message fa803be7
> 09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )
> 09/01/12 13:33:33 == : encrypt packet ( 80 bytes )
> 09/01/12 13:33:33 == : stored iv ( 8 bytes )
> 09/01/12 13:33:33 -> : send NAT-T:IKE packet 192.168.0.199:4500 ->
> 195.159.111.66:4500 ( 116 bytes )
> 09/01/12 13:33:33 DB : phase2 not found
> 09/01/12 13:33:33 <- : recv NAT-T:IKE packet 195.159.111.66:4500 ->
> 192.168.0.199:4500 ( 76 bytes )
> 09/01/12 13:33:33 DB : phase1 found
> 09/01/12 13:33:33 ii : processing config packet ( 76 bytes )
> 09/01/12 13:33:33 DB : config not found
> 09/01/12 13:33:33 DB : config added ( obj count = 1 )
> 09/01/12 13:33:33 == : new config iv ( 8 bytes )
> 09/01/12 13:33:33 =< : cookies 0226893edab8a100:65da80a148909240
> 09/01/12 13:33:33 =< : message 87640ecc
> 09/01/12 13:33:33 =< : decrypt iv ( 8 bytes )
> 09/01/12 13:33:33 == : decrypt packet ( 76 bytes )
> 09/01/12 13:33:33 <= : trimmed packet padding ( 8 bytes )
> 09/01/12 13:33:33 <= : stored iv ( 8 bytes )
> 09/01/12 13:33:33 << : hash payload
> 09/01/12 13:33:33 << : attribute payload
> 09/01/12 13:33:33 == : configure hash_i ( computed ) ( 20 bytes )
> 09/01/12 13:33:33 == : configure hash_c ( computed ) ( 20 bytes )
> 09/01/12 13:33:33 ii : configure hash verified
> 09/01/12 13:33:33 !! : warning, missing required xauth type attribute
> 09/01/12 13:33:33 ii : received xauth request -
> 09/01/12 13:33:33 ii : added standard xauth username attribute
> 09/01/12 13:33:33 ii : added standard xauth password attribute
> 09/01/12 13:33:33 ii : sending xauth response for robert
> 09/01/12 13:33:33 >> : hash payload
> 09/01/12 13:33:33 >> : attribute payload
> 09/01/12 13:33:33 == : new configure hash ( 20 bytes )
> 09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240
> 09/01/12 13:33:33 >= : message 87640ecc
> 09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )
> 09/01/12 13:33:33 == : encrypt packet ( 86 bytes )
> 09/01/12 13:33:33 == : stored iv ( 8 bytes )
> 09/01/12 13:33:33 -> : send NAT-T:IKE packet 192.168.0.199:4500 ->
> 195.159.111.66:4500 ( 124 bytes )
> 09/01/12 13:33:33 DB : config resend event scheduled ( ref count = 2 )
> 09/01/12 13:33:33 <- : recv NAT-T:IKE packet 195.159.111.66:4500 ->
> 192.168.0.199:4500 ( 68 bytes )
> 09/01/12 13:33:33 DB : phase1 found
> 09/01/12 13:33:33 ii : processing config packet ( 68 bytes )
> 09/01/12 13:33:33 DB : config found
> 09/01/12 13:33:33 == : new config iv ( 8 bytes )
> 09/01/12 13:33:33 =< : cookies 0226893edab8a100:65da80a148909240
> 09/01/12 13:33:33 =< : message a27cf1aa
> 09/01/12 13:33:33 =< : decrypt iv ( 8 bytes )
> 09/01/12 13:33:33 == : decrypt packet ( 68 bytes )
> 09/01/12 13:33:33 <= : trimmed packet padding ( 4 bytes )
> 09/01/12 13:33:33 <= : stored iv ( 8 bytes )
> 09/01/12 13:33:33 << : hash payload
> 09/01/12 13:33:33 << : attribute payload
> 09/01/12 13:33:33 == : configure hash_i ( computed ) ( 20 bytes )
> 09/01/12 13:33:33 == : configure hash_c ( computed ) ( 20 bytes )
> 09/01/12 13:33:33 ii : configure hash verified
> 09/01/12 13:33:33 ii : received xauth result -
> 09/01/12 13:33:33 ii : user robert authentication succeeded
> 09/01/12 13:33:33 ii : sending xauth acknowledge
> 09/01/12 13:33:33 >> : hash payload
> 09/01/12 13:33:33 >> : attribute payload
> 09/01/12 13:33:33 == : new configure hash ( 20 bytes )
> 09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240
> 09/01/12 13:33:33 >= : message a27cf1aa
> 09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )
> 09/01/12 13:33:33 == : encrypt packet ( 60 bytes )
> 09/01/12 13:33:33 == : stored iv ( 8 bytes )
> 09/01/12 13:33:33 DB : config resend event canceled ( ref count = 1 )
> 09/01/12 13:33:33 -> : send NAT-T:IKE packet 192.168.0.199:4500 ->
> 195.159.111.66:4500 ( 92 bytes )
> 09/01/12 13:33:33 DB : config resend event scheduled ( ref count = 2 )
> 09/01/12 13:33:33 ii : building config attribute list
> 09/01/12 13:33:33 ii : - IP4 Address
> 09/01/12 13:33:33 ii : - Address Expiry
> 09/01/12 13:33:33 ii : - IP4 Netamask
> 09/01/12 13:33:33 ii : - IP4 DNS Server
> 09/01/12 13:33:33 ii : - IP4 WINS Server
> 09/01/12 13:33:33 ii : - DNS Suffix
> 09/01/12 13:33:33 ii : - Split DNS Domain
> 09/01/12 13:33:33 ii : - IP4 Split Network Include
> 09/01/12 13:33:33 ii : - IP4 Split Network Exclude
> 09/01/12 13:33:33 ii : - Save Password
> 09/01/12 13:33:33 == : new config iv ( 8 bytes )
> 09/01/12 13:33:33 ii : sending config pull request
> 09/01/12 13:33:33 >> : hash payload
> 09/01/12 13:33:33 >> : attribute payload
> 09/01/12 13:33:33 == : new configure hash ( 20 bytes )
> 09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240
> 09/01/12 13:33:33 >= : message a15127cd
> 09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )
> 09/01/12 13:33:33 == : encrypt packet ( 100 bytes )
> 09/01/12 13:33:33 == : stored iv ( 8 bytes )
> 09/01/12 13:33:33 DB : config resend event canceled ( ref count = 1 )
> 09/01/12 13:33:33 -> : send NAT-T:IKE packet 192.168.0.199:4500 ->
> 195.159.111.66:4500 ( 132 bytes )
> 09/01/12 13:33:33 DB : config resend event scheduled ( ref count = 2 )
> 09/01/12 13:33:33 <- : recv NAT-T:IKE packet 195.159.111.66:4500 ->
> 192.168.0.199:4500 ( 188 bytes )
> 09/01/12 13:33:33 DB : phase1 found
> 09/01/12 13:33:33 ii : processing config packet ( 188 bytes )
> 09/01/12 13:33:33 DB : config found
> 09/01/12 13:33:33 =< : cookies 0226893edab8a100:65da80a148909240
> 09/01/12 13:33:33 =< : message a15127cd
> 09/01/12 13:33:33 =< : decrypt iv ( 8 bytes )
> 09/01/12 13:33:33 == : decrypt packet ( 188 bytes )
> 09/01/12 13:33:33 <= : trimmed packet padding ( 3 bytes )
> 09/01/12 13:33:33 <= : stored iv ( 8 bytes )
> 09/01/12 13:33:33 << : hash payload
> 09/01/12 13:33:33 << : attribute payload
> 09/01/12 13:33:33 == : configure hash_i ( computed ) ( 20 bytes )
> 09/01/12 13:33:33 == : configure hash_c ( computed ) ( 20 bytes )
> 09/01/12 13:33:33 ii : configure hash verified
> 09/01/12 13:33:33 ii : received config pull response
> 09/01/12 13:33:33 ii : - IP4 Address = 192.168.113.64
> 09/01/12 13:33:33 ii : - Address Expiry = 2136015104
> 09/01/12 13:33:33 ii : - IP4 Netmask = 255.255.255.0
> 09/01/12 13:33:33 ii : - IP4 DNS Server = 192.168.3.101
> 09/01/12 13:33:33 ii : - IP4 DNS Server = 195.159.0.100
> 09/01/12 13:33:33 ii : - DNS Suffix = pillar.as
> 09/01/12 13:33:33 ii : - Split Domain
> 09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:192.168.3.0/24:*
> 09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:10.220.0.0/16:*
> 09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:
> 91.203.116.34/32:*
> 09/01/12 13:33:33 ii : - IP4 Split Network Exclude = ANY:0.0.0.0/32:* (
> invalid subnet ignored )
> 09/01/12 13:33:33 ii : - Save Password = 0
> 09/01/12 13:33:33 DB : config resend event canceled ( ref count = 1 )
> 09/01/12 13:33:35 ii : VNET adapter MTU is 1500
> 09/01/12 13:33:35 ii : enabled adapter ROOT\VNET\0000
> 09/01/12 13:33:35 ii : creating IPSEC INBOUND policy ANY:192.168.3.0/24:*-> ANY:192.168.113.64:
> *
> 09/01/12 13:33:35 DB : policy added ( obj count = 1 )
> 09/01/12 13:33:35 K> : send pfkey X_SPDADD UNSPEC message
> 09/01/12 13:33:35 ii : creating IPSEC OUTBOUND policy ANY:192.168.113.64:*
> -> ANY:192.168.3.0/24:*
> 09/01/12 13:33:35 K< : recv pfkey X_SPDADD UNSPEC message
> 09/01/12 13:33:35 DB : policy found
> 09/01/12 13:33:40 !! : failed to create IPSEC policy route for
> 192.168.3.0/24
> 09/01/12 13:33:40 DB : policy added ( obj count = 2 )
> 09/01/12 13:33:40 K> : send pfkey X_SPDADD UNSPEC message
> 09/01/12 13:33:40 ii : creating IPSEC INBOUND policy ANY:10.220.0.0/16:*-> ANY:192.168.113.64:
> *
> 09/01/12 13:33:40 DB : policy added ( obj count = 3 )
> 09/01/12 13:33:40 K> : send pfkey X_SPDADD UNSPEC message
> 09/01/12 13:33:40 ii : creating IPSEC OUTBOUND policy ANY:192.168.113.64:*
> -> ANY:10.220.0.0/16:*
> 09/01/12 13:33:40 K< : recv pfkey X_SPDADD UNSPEC message
> 09/01/12 13:33:40 DB : policy found
> 09/01/12 13:33:40 ii : calling init phase2 for initial policy
> 09/01/12 13:33:40 DB : policy found
> 09/01/12 13:33:40 DB : policy found
> 09/01/12 13:33:40 DB : tunnel found
> 09/01/12 13:33:40 DB : new phase2 ( IPSEC initiator )
> 09/01/12 13:33:40 DB : phase2 added ( obj count = 1 )
> 09/01/12 13:33:40 K> : send pfkey GETSPI ESP message
> 09/01/12 13:33:40 K< : recv pfkey X_SPDADD UNSPEC message
> 09/01/12 13:33:40 DB : policy found
> 09/01/12 13:33:40 K< : recv pfkey GETSPI ESP message
> 09/01/12 13:33:40 DB : phase2 found
> 09/01/12 13:33:40 ii : updated spi for 1 ipsec-esp proposal
> 09/01/12 13:33:40 DB : phase1 found
> 09/01/12 13:33:40 >> : hash payload
> 09/01/12 13:33:40 >> : security association payload
> 09/01/12 13:33:40 >> : - proposal #1 payload
> 09/01/12 13:33:40 >> : -- transform #1 payload
> 09/01/12 13:33:40 >> : -- transform #2 payload
> 09/01/12 13:33:40 >> : -- transform #3 payload
> 09/01/12 13:33:40 >> : -- transform #4 payload
> 09/01/12 13:33:40 >> : -- transform #5 payload
> 09/01/12 13:33:40 >> : -- transform #6 payload
> 09/01/12 13:33:40 >> : -- transform #7 payload
> 09/01/12 13:33:40 >> : -- transform #8 payload
> 09/01/12 13:33:40 >> : -- transform #9 payload
> 09/01/12 13:33:40 >> : -- transform #10 payload
> 09/01/12 13:33:40 >> : -- transform #11 payload
> 09/01/12 13:33:40 >> : -- transform #12 payload
> 09/01/12 13:33:40 >> : -- transform #13 payload
> 09/01/12 13:33:40 >> : -- transform #14 payload
> 09/01/12 13:33:40 >> : -- transform #15 payload
> 09/01/12 13:33:40 >> : -- transform #16 payload
> 09/01/12 13:33:40 >> : -- transform #17 payload
> 09/01/12 13:33:40 >> : -- transform #18 payload
> 09/01/12 13:33:40 >> : nonce payload
> 09/01/12 13:33:40 >> : identification payload
> 09/01/12 13:33:40 >> : identification payload
> 09/01/12 13:33:40 == : phase2 hash_i ( input ) ( 632 bytes )
> 09/01/12 13:33:40 == : phase2 hash_i ( computed ) ( 20 bytes )
> 09/01/12 13:33:40 == : new phase2 iv ( 8 bytes )
> 09/01/12 13:33:40 >= : cookies 0226893edab8a100:65da80a148909240
> 09/01/12 13:33:40 >= : message a8c542ad
> 09/01/12 13:33:40 >= : encrypt iv ( 8 bytes )
> 09/01/12 13:33:40 == : encrypt packet ( 680 bytes )
> 09/01/12 13:33:40 == : stored iv ( 8 bytes )
> 09/01/12 13:33:40 -> : send NAT-T:IKE packet 192.168.0.199:4500 ->
> 195.159.111.66:4500 ( 716 bytes )
> 09/01/12 13:33:40 DB : phase2 resend event scheduled ( ref count = 2 )
> 09/01/12 13:33:40 <- : recv NAT-T:IKE packet 195.159.111.66:4500 ->
> 192.168.0.199:4500 ( 188 bytes )
> 09/01/12 13:33:40 DB : phase1 found
> 09/01/12 13:33:40 ii : processing phase2 packet ( 188 bytes )
> 09/01/12 13:33:40 DB : phase2 found
> 09/01/12 13:33:40 =< : cookies 0226893edab8a100:65da80a148909240
> 09/01/12 13:33:40 =< : message a8c542ad
> 09/01/12 13:33:40 =< : decrypt iv ( 8 bytes )
> 09/01/12 13:33:40 == : decrypt packet ( 188 bytes )
> 09/01/12 13:33:40 <= : trimmed packet padding ( 4 bytes )
> 09/01/12 13:33:40 <= : stored iv ( 8 bytes )
> 09/01/12 13:33:40 << : hash payload
> 09/01/12 13:33:40 << : security association payload
> 09/01/12 13:33:40 << : - propsal #1 payload
> 09/01/12 13:33:40 << : -- transform #1 payload
> 09/01/12 13:33:40 << : nonce payload
> 09/01/12 13:33:40 << : identification payload
> 09/01/12 13:33:40 << : identification payload
> 09/01/12 13:33:40 << : notification payload
> 09/01/12 13:33:40 == : phase2 hash_r ( input ) ( 156 bytes )
> 09/01/12 13:33:40 == : phase2 hash_r ( computed ) ( 20 bytes )
> 09/01/12 13:33:40 == : phase2 hash_r ( received ) ( 20 bytes )
> 09/01/12 13:33:40 ii : unmatched ipsec-esp proposal/transform
> 09/01/12 13:33:40 ii : msg auth ( hmac-sha != hmac-md5 )
> 09/01/12 13:33:40 !! : peer violates RFC, transform number mismatch ( 1 !=
> 2 )
> 09/01/12 13:33:40 ii : matched ipsec-esp proposal #1 transform #2
> 09/01/12 13:33:40 ii : - transform    = esp-aes
> 09/01/12 13:33:40 ii : - key length   = 256 bits
> 09/01/12 13:33:40 ii : - encap mode   = udp-tunnel ( rfc )
> 09/01/12 13:33:40 ii : - msg auth     = hmac-sha
> 09/01/12 13:33:40 ii : - pfs dh group = none
> 09/01/12 13:33:40 ii : - life seconds = 3600
> 09/01/12 13:33:40 ii : - life kbytes  = 0
> 09/01/12 13:33:40 DB : policy found
> 09/01/12 13:33:40 ii : received peer RESPONDER-LIFETIME notification
> 09/01/12 13:33:40 ii : - 195.159.111.66:4500 -> 192.168.0.199:4500
> 09/01/12 13:33:40 ii : - ipsec-esp spi = 0x1efc8af8
> 09/01/12 13:33:40 ii : - data size 12
> 09/01/12 13:33:40 K> : send pfkey GETSPI ESP message
> 09/01/12 13:33:40 ii : phase2 ids accepted
> 09/01/12 13:33:40 ii : - loc ANY:192.168.113.64:* -> ANY:192.168.3.0/24:*
> 09/01/12 13:33:40 ii : - rmt ANY:192.168.3.0/24:* -> ANY:192.168.113.64:*
> 09/01/12 13:33:40 ii : phase2 sa established
> 09/01/12 13:33:40 ii : 192.168.0.199:4500 <-> 195.159.111.66:4500
> 09/01/12 13:33:40 == : phase2 hash_p ( input ) ( 45 bytes )
> 09/01/12 13:33:40 == : phase2 hash_p ( computed ) ( 20 bytes )
> 09/01/12 13:33:40 >> : hash payload
> 09/01/12 13:33:40 >= : cookies 0226893edab8a100:65da80a148909240
> 09/01/12 13:33:40 >= : message a8c542ad
> 09/01/12 13:33:40 >= : encrypt iv ( 8 bytes )
> 09/01/12 13:33:40 == : encrypt packet ( 52 bytes )
> 09/01/12 13:33:40 == : stored iv ( 8 bytes )
> 09/01/12 13:33:40 DB : phase2 resend event canceled ( ref count = 1 )
> 09/01/12 13:33:40 -> : send NAT-T:IKE packet 192.168.0.199:4500 ->
> 195.159.111.66:4500 ( 84 bytes )
> 09/01/12 13:33:40 == : spi cipher key data ( 32 bytes )
> 09/01/12 13:33:40 == : spi hmac key data ( 20 bytes )
> 09/01/12 13:33:40 K> : send pfkey UPDATE ESP message
> 09/01/12 13:33:40 == : spi cipher key data ( 32 bytes )
> 09/01/12 13:33:40 == : spi hmac key data ( 20 bytes )
> 09/01/12 13:33:40 K> : send pfkey UPDATE ESP message
> 09/01/12 13:33:40 K< : recv pfkey GETSPI ESP message
> 09/01/12 13:33:40 DB : phase2 found
> 09/01/12 13:33:40 K< : recv pfkey UPDATE ESP message
> 09/01/12 13:33:40 K< : recv pfkey UPDATE ESP message
> 09/01/12 13:33:45 !! : failed to create IPSEC policy route for
> 10.220.0.0/16
> 09/01/12 13:33:45 DB : policy added ( obj count = 4 )
> 09/01/12 13:33:45 K> : send pfkey X_SPDADD UNSPEC message
> 09/01/12 13:33:45 ii : creating IPSEC INBOUND policy ANY:
> 91.203.116.34/32:* -> ANY:192.168.113.64:*
> 09/01/12 13:33:45 DB : policy added ( obj count = 5 )
> 09/01/12 13:33:45 K> : send pfkey X_SPDADD UNSPEC message
> 09/01/12 13:33:45 ii : creating IPSEC OUTBOUND policy ANY:192.168.113.64:*
> -> ANY:91.203.116.34/32:*
> 09/01/12 13:33:45 K< : recv pfkey X_SPDADD UNSPEC message
> 09/01/12 13:33:45 DB : policy found
> 09/01/12 13:33:45 K< : recv pfkey X_SPDADD UNSPEC message
> 09/01/12 13:33:45 DB : policy found
> 09/01/12 13:33:48 DB : phase1 found
> 09/01/12 13:33:48 -> : send NAT-T:KEEP-ALIVE packet 192.168.0.199:4500 ->
> 195.159.111.66:4500
> 09/01/12 13:33:50 !! : failed to create IPSEC policy route for
> 91.203.116.34/32
> 09/01/12 13:33:50 DB : policy added ( obj count = 6 )
> 09/01/12 13:33:50 K> : send pfkey X_SPDADD UNSPEC message
> 09/01/12 13:33:50 ii : split DNS bypassed ( no split domains defined )
> 09/01/12 13:33:50 K< : recv pfkey X_SPDADD UNSPEC message
> 09/01/12 13:33:50 DB : policy found
> 09/01/12 13:34:04 DB : phase1 found
> 09/01/12 13:34:04 -> : send NAT-T:KEEP-ALIVE packet 192.168.0.199:4500 ->
> 195.159.111.66:4500
>
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
>
>
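As an added diagnostic (example code written for this page, not from the original post or from the Shrew Soft project), the script below cross-checks the IKE service log against the Windows route table in the way a practitioner would when chasing "failed to create IPSEC policy route": for every "IP4 Split Network Include" the gateway pushed, it looks for a route to exactly that prefix whose interface column is the address the client was assigned, and flags prefixes whose only routes point somewhere else or are absent. The sample input is excerpted from the log and route table quoted above, with mail-wrapped lines rejoined; the status strings and function names are the example's own.

```python
import ipaddress
import re

# Constructed sample input: excerpts of the IKE service log and the IPv4
# route table from the post above (wrapped lines joined). Not a full capture.
IKE_LOG = """\
09/01/12 13:33:33 ii : - IP4 Address = 192.168.113.64
09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:192.168.3.0/24:*
09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:10.220.0.0/16:*
09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:91.203.116.34/32:*
09/01/12 13:33:40 !! : failed to create IPSEC policy route for 192.168.3.0/24
09/01/12 13:33:45 !! : failed to create IPSEC policy route for 10.220.0.0/16
09/01/12 13:33:50 !! : failed to create IPSEC policy route for 91.203.116.34/32
"""

ROUTE_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.199     10
       10.220.0.0      255.255.0.0         On-link                15     51
    91.203.116.34  255.255.255.255         On-link                15     51
      192.168.0.0    255.255.255.0         On-link     192.168.0.199    266
      192.168.3.0    255.255.255.0         On-link    192.168.113.26     51
"""

ADDR_RE = re.compile(r"IP4 Address = (\d+\.\d+\.\d+\.\d+)")
SPLIT_RE = re.compile(r"IP4 Split Network Include = ANY:(\S+?):\*")
FAIL_RE = re.compile(r"failed to create IPSEC policy route for (\S+)")


def parse_ike_log(text):
    """Return (assigned address, pushed split-include networks,
    networks the client reported a policy-route failure for)."""
    address, includes, failures = None, [], []
    for line in text.splitlines():
        if m := ADDR_RE.search(line):
            address = ipaddress.ip_address(m.group(1))
        elif m := SPLIT_RE.search(line):
            includes.append(ipaddress.ip_network(m.group(1), strict=False))
        elif m := FAIL_RE.search(line):
            failures.append(ipaddress.ip_network(m.group(1), strict=False))
    return address, includes, failures


def parse_route_table(text):
    """Parse 'route print' IPv4 rows into (network, interface) pairs.
    The Interface column is an address, or a bare interface index when
    Windows has no address to show for that interface."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:  # header, separators and blank lines
            continue
        dest, mask, _gateway, iface, _metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue
        routes.append((net, iface))
    return routes


def check_split_routes(log_text, route_text):
    """For each pushed split network, report whether a route to that exact
    prefix exists on the address the gateway assigned to the client."""
    address, includes, failures = parse_ike_log(log_text)
    routes = parse_route_table(route_text)
    report = {}
    for net in includes:
        ifaces = [iface for rnet, iface in routes if rnet == net]
        if not ifaces:
            status = "missing"
        elif str(address) in ifaces:
            status = "ok"
        else:
            status = "wrong interface: " + ", ".join(ifaces)
        if net in failures:
            status += " (client logged route failure)"
        report[str(net)] = status
    return report


if __name__ == "__main__":
    for net, status in check_split_routes(IKE_LOG, ROUTE_TABLE).items():
        print(f"{net:>18}  {status}")
```

Run on the excerpt, the script reports no pushed network with a route on 192.168.113.64: the 192.168.3.0/24 route sits on 192.168.113.26, an address the adapter no longer shows, and the 10.220.0.0/16 and 91.203.116.34/32 routes sit on interface index 15, which the interface list identifies as the NCP Secure Client adapter rather than the Shrew Soft one. That is the route-table view of the three "failed to create IPSEC policy route" lines, and it is the first thing to compare when a single-network policy works but a multi-network one does not.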