[Vpn-help] Cisco VPN 3000 and Shrew 2.1.5-rc-4(2) issue

Charles Buckley ceb at mauto.com
Fri Nov 27 12:30:20 CST 2009


As far as I know, Shrew is the best game in town for 64 bits at the moment.
There may be some efforts internal to the bit network gear manufacturers,
but I'm curious as to why these haven't rolled out faster, and why they're
usually so awful when they do roll out.  People who work at these places are
aware of the problem - the only value add the tech support person I
initially dealt with at Netgear provided was to put me onto Shrew.
Apparently there's a big divide between tech support, engineering
scheduling, and release management at these places, yet the tech support
people seem to have been given a gag order - no information will flow to
engineering, who just develop in a blissful vacuum of customer input.  And
tech support people will never complain to customers about engineering.
Sounds like the recipe for Vista to me.   I wonder what honors graduate of
the Matchbook School of International Business dreamt that one up.  

 

This is why I'd like to see Shrewsoft OEM agreements with these equipment
manufacturers.  Although he's doing a good job of addressing an identified
need, Mr Grooms seems to have limited bandwidth - not one of the issues I've
posted here has been addressed, so it would seem to make sense to find a way
to increase that bandwidth more efficiently than that already implemented.
Such agreements have been known to enable hiring teams.  

 

Working from my completely overloaded non-W7 perspective, the best thing I
find to do in the interim is to run 2.1.5 rc4 at the moment, both on 32 and
64 bits.  There are limitations as I have posted previously, but it's
possible to work around them.  

 

If there's some development or testing work I can do after hours (though
'after hours' is a diminishingly small part of my life these days), I'll be
happy to pitch in.

 

Charles  

 

  _____  

From: Mathieu Ploton [mailto:mploton at gmail.com] 
Sent: Friday, November 27, 2009 8:22 AM
To: Charles Buckley
Cc: Frank Pikelner; Daniel Sabanes Bove; vpn-help at lists.shrew.net
Subject: Re: [Vpn-help] Cisco VPN 3000 and Shrew 2.1.5-rc-4(2) issue

 

Just to get back to my original post, do you advise me to try some other
versions of Shrew or something else?

 

My aim is definitely to find a solution for remote access to my VPN3000
Gateway from a Windows 7 64-bit station. The Cisco IPsec client is hardly
compatible with Windows 7 and not at all 64-bit compatible.

 

Best regards,

 

MP 

On Fri, Nov 27, 2009 at 7:51 AM, Charles Buckley <ceb at mauto.com> wrote:

I would be compelled to wonder, just how flexible and/or universal this SSL
client installation feature from Cisco is.  I bought the Netgear FVS336G
because the marketing literature suggested a VPN connection "anywhere,
anytime" was possible.   To my horror upon receiving the unit, I discover
it's only good for 32-bit Windows clients.  64-bit doesn't work, and in the
latest releases of the firmware, even Macintosh is not supported.  

 

So I'm back fiddling with IPSec clients.   I don't mind - this is the way I
discovered the Shrew enterprise, but it's a lot of additional hassle in an
already over-busy day.  Given the way Netgear seem to approach software, I
wonder if some sort of OEM cooperation between Netgear and Shrewsoft would
make sense.

 

Charles

 

  _____  

From: vpn-help-bounces at lists.shrew.net
[mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Frank Pikelner
Sent: Friday, November 27, 2009 12:16 AM
To: Mathieu Ploton
Cc: Daniel Sabanes Bove; vpn-help at lists.shrew.net
Subject: Re: [Vpn-help] Cisco VPN 3000 and Shrew 2.1.5-rc-4(2) issue

 

This is a bit off topic, but the Cisco 3000 has the ability to dynamically
install a VPN client on Windows platforms following a successful
authentication over SSL. We've used this successfully in the past.

 


Frank Pikelner


On 2009-11-26, at 4:00 PM, "Mathieu Ploton" <mploton at gmail.com> wrote:

Thank you, I will try to downgrade to see what's going on.

 

Mathieu

On Thu, Nov 26, 2009 at 8:43 PM, Daniel Sabanes Bove <daniel.sabanesbove at gmx.net> wrote:

Hi,

I have experienced exactly the same problem since 2.1.5 rc-3, as a user
wanting to VPN to my university (so I cannot change the concentrator
config). Matthew wanted to analyze the problem, but unfortunately I got
no response from him since August or so ... I am suspecting that it has
something to do with the dead peer detection protocol (dpd).

Daniel


> From: Mathieu Ploton <mploton at gmail.com>
> Subject: [Vpn-help] Cisco VPN 3000 and Shrew 2.1.5-rc-4(2) issue
> To: vpn-help at lists.shrew.net
> Message-ID: <fcc0fade0911260656g319e9a6ax45e43ebbafc8300 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"

>
> Hello,
>
>
>
> One of my users wants to connect to the VPN3000 Concentrator with a Windows
> 7 64b station.
>
>
> I'm trying to import the Cisco VPN profile to
> Shrew vpn-client-2.1.5-rc-4(2) in order to make it work in Windows 7
> 64b.
>
>
>
> The import goes well and I'm able to connect but a few sec after the
> connection, I get this message:
>
>
>
> network device configured
> tunnel enabled
> *session terminated by gateway*
> tunnel disabled
> detached from key daemon ...
>
>
>
>    - *My concentrator is a VPN 3000 and the log does not say much :*
>
>
>
> 3758 11/24/2009 12:11:13.710 SEV=4 IKE/52 RPT=19713 remote address
> Group [vg-clients] User [toto]
> User (toto) authenticated.
>
> 3759 11/24/2009 12:11:13.720 SEV=4 IKE/149 RPT=46
> Hardware client security attribute SECURE UNIT was enabled but not
requeste
>
>
>
>    - *Here is the log from shrew* :
>
>
>
> 09/11/24 12:12:18 ii : device ROOT\VNET\0000 disabled
> 09/11/24 12:12:18 ii : network process thread begin ...
> 09/11/24 12:12:18 ii : pfkey process thread begin ...
> 09/11/24 12:12:18 ii : ipc server process thread begin ...
> 09/11/24 12:12:19 ii : ipc client process thread begin ...
> 09/11/24 12:12:19 <A : peer config add message
> 09/11/24 12:12:19 DB : peer added ( obj count = 1 )
> 09/11/24 12:12:19 ii : local address 172.16.60.12 selected for peer
> 09/11/24 12:12:20 DB : tunnel added ( obj count = 1 )
> 09/11/24 12:12:20 <A : proposal config message
> 09/11/24 12:12:20 <A : proposal config message
> 09/11/24 12:12:20 <A : client config message
> 09/11/24 12:12:20 <A : xauth username message
> 09/11/24 12:12:20 <A : xauth password message
> 09/11/24 12:12:20 <A : local id 'vg-domain' message
> 09/11/24 12:12:20 <A : preshared key message
> 09/11/24 12:12:20 <A : peer tunnel enable message
> 09/11/24 12:12:20 DB : new phase1 ( ISAKMP initiator )
> 09/11/24 12:12:20 DB : exchange type is aggressive
> 09/11/24 12:12:20 DB : 172.16.60.12:500 <-> public_ip_gateway:500
> 09/11/24 12:12:20 DB : 56e1b7cb81389699:0000000000000000
> 09/11/24 12:12:20 DB : phase1 added ( obj count = 1 )
> 09/11/24 12:12:20 >> : security association payload
> 09/11/24 12:12:20 >> : - proposal #1 payload
> 09/11/24 12:12:20 >> : -- transform #1 payload
> 09/11/24 12:12:20 >> : -- transform #2 payload
> 09/11/24 12:12:20 >> : -- transform #3 payload
> 09/11/24 12:12:20 >> : -- transform #4 payload
> 09/11/24 12:12:20 >> : -- transform #5 payload
> 09/11/24 12:12:20 >> : -- transform #6 payload
> 09/11/24 12:12:20 >> : -- transform #7 payload
> 09/11/24 12:12:20 >> : -- transform #8 payload
> 09/11/24 12:12:20 >> : -- transform #9 payload
> 09/11/24 12:12:20 >> : -- transform #10 payload
> 09/11/24 12:12:20 >> : -- transform #11 payload
> 09/11/24 12:12:20 >> : -- transform #12 payload
> 09/11/24 12:12:20 >> : -- transform #13 payload
> 09/11/24 12:12:20 >> : -- transform #14 payload
> 09/11/24 12:12:20 >> : -- transform #15 payload
> 09/11/24 12:12:20 >> : -- transform #16 payload
> 09/11/24 12:12:20 >> : -- transform #17 payload
> 09/11/24 12:12:20 >> : -- transform #18 payload
> 09/11/24 12:12:20 >> : key exchange payload
> 09/11/24 12:12:20 >> : nonce payload
> 09/11/24 12:12:20 >> : identification payload
> 09/11/24 12:12:20 >> : vendor id payload
> 09/11/24 12:12:20 ii : local supports XAUTH
> 09/11/24 12:12:20 >> : vendor id payload
> 09/11/24 12:12:20 ii : local supports nat-t ( draft v00 )
> 09/11/24 12:12:20 >> : vendor id payload
> 09/11/24 12:12:20 ii : local supports nat-t ( draft v01 )
> 09/11/24 12:12:20 >> : vendor id payload
> 09/11/24 12:12:20 ii : local supports nat-t ( draft v02 )
> 09/11/24 12:12:20 >> : vendor id payload
> 09/11/24 12:12:20 ii : local supports nat-t ( draft v03 )
> 09/11/24 12:12:20 >> : vendor id payload
> 09/11/24 12:12:20 ii : local supports nat-t ( rfc )
> 09/11/24 12:12:20 >> : vendor id payload
> 09/11/24 12:12:20 ii : local supports DPDv1
> 09/11/24 12:12:20 >> : vendor id payload
> 09/11/24 12:12:20 ii : local is SHREW SOFT compatible
> 09/11/24 12:12:20 >> : vendor id payload
> 09/11/24 12:12:20 ii : local is NETSCREEN compatible
> 09/11/24 12:12:20 >> : vendor id payload
> 09/11/24 12:12:20 ii : local is SIDEWINDER compatible
> 09/11/24 12:12:20 >> : vendor id payload
> 09/11/24 12:12:20 ii : local is CISCO UNITY compatible
> 09/11/24 12:12:20 >= : cookies 56e1b7cb81389699:0000000000000000
> 09/11/24 12:12:20 >= : message 00000000
> 09/11/24 12:12:20 -> : send IKE packet 172.16.60.12:500 ->
> public_ip_gateway:500 ( 1161 bytes )
> 09/11/24 12:12:20 DB : phase1 resend event scheduled ( ref count = 2 )
> 09/11/24 12:12:20 <- : recv IKE packet public_ip_gateway:500 ->
> 172.16.60.12:500 ( 460 bytes )
> 09/11/24 12:12:20 DB : phase1 found
> 09/11/24 12:12:20 ii : processing phase1 packet ( 460 bytes )
> 09/11/24 12:12:20 =< : cookies 56e1b7cb81389699:ff96e981de6ec185
> 09/11/24 12:12:20 =< : message 00000000
> 09/11/24 12:12:20 << : security association payload
> 09/11/24 12:12:20 << : - propsal #1 payload
> 09/11/24 12:12:20 << : -- transform #14 payload
> 09/11/24 12:12:20 ii : unmatched isakmp proposal/transform
> 09/11/24 12:12:20 ii : cipher type ( 3des != aes )
> 09/11/24 12:12:20 ii : unmatched isakmp proposal/transform
> 09/11/24 12:12:20 ii : cipher type ( 3des != aes )
> 09/11/24 12:12:20 ii : unmatched isakmp proposal/transform
> 09/11/24 12:12:20 ii : cipher type ( 3des != aes )
> 09/11/24 12:12:20 ii : unmatched isakmp proposal/transform
> 09/11/24 12:12:20 ii : cipher type ( 3des != aes )
> 09/11/24 12:12:20 ii : unmatched isakmp proposal/transform
> 09/11/24 12:12:20 ii : cipher type ( 3des != aes )
> 09/11/24 12:12:20 ii : unmatched isakmp proposal/transform
> 09/11/24 12:12:20 ii : cipher type ( 3des != aes )
> 09/11/24 12:12:20 ii : unmatched isakmp proposal/transform
> 09/11/24 12:12:20 ii : cipher type ( 3des != blowfish )
> 09/11/24 12:12:20 ii : unmatched isakmp proposal/transform
> 09/11/24 12:12:20 ii : cipher type ( 3des != blowfish )
> 09/11/24 12:12:20 ii : unmatched isakmp proposal/transform
> 09/11/24 12:12:20 ii : cipher type ( 3des != blowfish )
> 09/11/24 12:12:20 ii : unmatched isakmp proposal/transform
> 09/11/24 12:12:20 ii : cipher type ( 3des != blowfish )
> 09/11/24 12:12:20 ii : unmatched isakmp proposal/transform
> 09/11/24 12:12:20 ii : cipher type ( 3des != blowfish )
> 09/11/24 12:12:20 ii : unmatched isakmp proposal/transform
> 09/11/24 12:12:20 ii : cipher type ( 3des != blowfish )
> 09/11/24 12:12:20 ii : unmatched isakmp proposal/transform
> 09/11/24 12:12:20 ii : hash type ( hmac-sha != hmac-md5 )
> 09/11/24 12:12:20 ii : matched isakmp proposal #1 transform #14
> 09/11/24 12:12:20 ii : - transform    = ike
> 09/11/24 12:12:20 ii : - cipher type  = 3des
> 09/11/24 12:12:20 ii : - key length   = default
> 09/11/24 12:12:20 ii : - hash type    = sha1
> 09/11/24 12:12:20 ii : - dh group     = modp-1024
> 09/11/24 12:12:20 ii : - auth type    = xauth-initiator-psk
> 09/11/24 12:12:20 ii : - life seconds = 86400
> 09/11/24 12:12:20 ii : - life kbytes  = 0
> 09/11/24 12:12:20 << : key exchange payload
> 09/11/24 12:12:20 << : nonce payload
> 09/11/24 12:12:20 << : identification payload
> 09/11/24 12:12:20 ii : phase1 id target is any
> 09/11/24 12:12:20 ii : phase1 id match
> 09/11/24 12:12:20 ii : received = ipv4-host public_ip_gateway
> 09/11/24 12:12:20 << : hash payload
> 09/11/24 12:12:20 << : vendor id payload
> 09/11/24 12:12:20 ii : peer is CISCO UNITY compatible
> 09/11/24 12:12:20 << : vendor id payload
> 09/11/24 12:12:20 ii : peer supports XAUTH
> 09/11/24 12:12:20 << : vendor id payload
> 09/11/24 12:12:20 ii : peer supports DPDv1
> 09/11/24 12:12:20 << : vendor id payload
> 09/11/24 12:12:20 ii : peer supports nat-t ( draft v02 )
> 09/11/24 12:12:20 << : nat discovery payload
> 09/11/24 12:12:20 << : nat discovery payload
> 09/11/24 12:12:20 << : vendor id payload
> 09/11/24 12:12:20 ii : unknown vendor id ( 20 bytes )
> 09/11/24 12:12:20 0x : 4048b7d5 6ebce885 25e7de7f 00d6c2d3 c0000000
> 09/11/24 12:12:20 << : vendor id payload
> 09/11/24 12:12:20 ii : unknown vendor id ( 16 bytes )
> 09/11/24 12:12:20 0x : 0a514e9c de6fc185 4ba3f52b 64aeb625
> 09/11/24 12:12:20 << : vendor id payload
> 09/11/24 12:12:20 ii : unknown vendor id ( 16 bytes )
> 09/11/24 12:12:20 0x : 1f07f70e aa6514d3 b0fa9654 2a500401
> 09/11/24 12:12:20 ii : nat discovery - local address is translated
> 09/11/24 12:12:20 ii : switching to src nat-t udp port 4500
> 09/11/24 12:12:20 ii : switching to dst nat-t udp port 4500
> 09/11/24 12:12:20 == : DH shared secret ( 128 bytes )
> 09/11/24 12:12:20 == : SETKEYID ( 20 bytes )
> 09/11/24 12:12:20 == : SETKEYID_d ( 20 bytes )
> 09/11/24 12:12:20 == : SETKEYID_a ( 20 bytes )
> 09/11/24 12:12:20 == : SETKEYID_e ( 20 bytes )
> 09/11/24 12:12:20 == : cipher key ( 40 bytes )
> 09/11/24 12:12:20 == : cipher iv ( 8 bytes )
> 09/11/24 12:12:20 == : phase1 hash_i ( computed ) ( 20 bytes )
> 09/11/24 12:12:20 >> : hash payload
> 09/11/24 12:12:20 >> : nat discovery payload
> 09/11/24 12:12:20 >> : nat discovery payload
> 09/11/24 12:12:20 >= : cookies 56e1b7cb81389699:ff96e981de6ec185
> 09/11/24 12:12:20 >= : message 00000000
> 09/11/24 12:12:20 >= : encrypt iv ( 8 bytes )
> 09/11/24 12:12:20 == : encrypt packet ( 100 bytes )
> 09/11/24 12:12:20 == : stored iv ( 8 bytes )
> 09/11/24 12:12:20 DB : phase1 resend event canceled ( ref count = 1 )
> 09/11/24 12:12:20 -> : send NAT-T:IKE packet 172.16.60.12:4500 ->
> public_ip_gateway:4500 ( 132 bytes )
> 09/11/24 12:12:20 == : phase1 hash_r ( computed ) ( 20 bytes )
> 09/11/24 12:12:20 == : phase1 hash_r ( received ) ( 20 bytes )
> 09/11/24 12:12:20 ii : phase1 sa established
> 09/11/24 12:12:20 ii : public_ip_gateway:4500 <-> 172.16.60.12:4500
> 09/11/24 12:12:20 ii : 56e1b7cb81389699:ff96e981de6ec185
> 09/11/24 12:12:20 ii : sending peer INITIAL-CONTACT notification
> 09/11/24 12:12:20 ii : - 172.16.60.12:4500 -> public_ip_gateway:4500
> 09/11/24 12:12:20 ii : - isakmp spi = 56e1b7cb81389699:ff96e981de6ec185
> 09/11/24 12:12:20 ii : - data size 0
> 09/11/24 12:12:20 >> : hash payload
> 09/11/24 12:12:20 >> : notification payload
> 09/11/24 12:12:20 == : new informational hash ( 20 bytes )
> 09/11/24 12:12:20 == : new informational iv ( 8 bytes )
> 09/11/24 12:12:20 >= : cookies 56e1b7cb81389699:ff96e981de6ec185
> 09/11/24 12:12:20 >= : message 7606f5a3
> 09/11/24 12:12:20 >= : encrypt iv ( 8 bytes )
> 09/11/24 12:12:20 == : encrypt packet ( 80 bytes )
> 09/11/24 12:12:20 == : stored iv ( 8 bytes )
> 09/11/24 12:12:20 -> : send NAT-T:IKE packet 172.16.60.12:4500 ->
> public_ip_gateway:4500 ( 116 bytes )
> 09/11/24 12:12:20 DB : phase2 not found
> 09/11/24 12:12:20 <- : recv NAT-T:IKE packet public_ip_gateway:4500 ->
> 172.16.60.12:4500 ( 116 bytes )
> 09/11/24 12:12:20 DB : phase1 found
> 09/11/24 12:12:20 ii : processing config packet ( 116 bytes )
> 09/11/24 12:12:20 DB : config not found
> 09/11/24 12:12:20 DB : config added ( obj count = 1 )
> 09/11/24 12:12:20 == : new config iv ( 8 bytes )
> 09/11/24 12:12:20 =< : cookies 56e1b7cb81389699:ff96e981de6ec185
> 09/11/24 12:12:20 =< : message 0181be70
> 09/11/24 12:12:20 =< : decrypt iv ( 8 bytes )
> 09/11/24 12:12:20 == : decrypt packet ( 116 bytes )
> 09/11/24 12:12:20 <= : stored iv ( 8 bytes )
> 09/11/24 12:12:20 << : hash payload
> 09/11/24 12:12:20 << : attribute payload
> 09/11/24 12:12:20 == : configure hash_i ( computed ) ( 20 bytes )
> 09/11/24 12:12:20 == : configure hash_c ( computed ) ( 20 bytes )
> 09/11/24 12:12:20 ii : configure hash verified
> 09/11/24 12:12:20 ii : - xauth authentication type
> 09/11/24 12:12:20 ii : - xauth username
> 09/11/24 12:12:20 !! : warning, unhandled xauth attribute 16526
> 09/11/24 12:12:20 ii : - xauth password
> 09/11/24 12:12:20 ii : received basic xauth request - Enter Username,
> Password and Domain.
> 09/11/24 12:12:20 ii : - standard xauth username
> 09/11/24 12:12:20 ii : - standard xauth password
> 09/11/24 12:12:20 ii : sending xauth response for mathieu.ploton
> 09/11/24 12:12:20 >> : hash payload
> 09/11/24 12:12:20 >> : attribute payload
> 09/11/24 12:12:20 == : new configure hash ( 20 bytes )
> 09/11/24 12:12:20 >= : cookies 56e1b7cb81389699:ff96e981de6ec185
> 09/11/24 12:12:20 >= : message 0181be70
> 09/11/24 12:12:20 >= : encrypt iv ( 8 bytes )
> 09/11/24 12:12:20 == : encrypt packet ( 95 bytes )
> 09/11/24 12:12:20 == : stored iv ( 8 bytes )
> 09/11/24 12:12:20 -> : send NAT-T:IKE packet 172.16.60.12:4500 ->
> public_ip_gateway:4500 ( 132 bytes )
> 09/11/24 12:12:20 DB : config resend event scheduled ( ref count = 2 )
> 09/11/24 12:12:22 <- : recv NAT-T:IKE packet public_ip_gateway:4500 ->
> 172.16.60.12:4500 ( 68 bytes )
> 09/11/24 12:12:22 DB : phase1 found
> 09/11/24 12:12:22 ii : processing config packet ( 68 bytes )
> 09/11/24 12:12:22 DB : config found
> 09/11/24 12:12:22 == : new config iv ( 8 bytes )
> 09/11/24 12:12:22 =< : cookies 56e1b7cb81389699:ff96e981de6ec185
> 09/11/24 12:12:22 =< : message 28b9cd9c
> 09/11/24 12:12:22 =< : decrypt iv ( 8 bytes )
> 09/11/24 12:12:22 == : decrypt packet ( 68 bytes )
> 09/11/24 12:12:22 <= : trimmed packet padding ( 4 bytes )
> 09/11/24 12:12:22 <= : stored iv ( 8 bytes )
> 09/11/24 12:12:22 << : hash payload
> 09/11/24 12:12:22 << : attribute payload
> 09/11/24 12:12:22 == : configure hash_i ( computed ) ( 20 bytes )
> 09/11/24 12:12:22 == : configure hash_c ( computed ) ( 20 bytes )
> 09/11/24 12:12:22 ii : configure hash verified
> 09/11/24 12:12:22 ii : received xauth result -
> 09/11/24 12:12:22 ii : user mathieu.ploton authentication succeeded
> 09/11/24 12:12:22 ii : sending xauth acknowledge
> 09/11/24 12:12:22 >> : hash payload
> 09/11/24 12:12:22 >> : attribute payload
> 09/11/24 12:12:22 == : new configure hash ( 20 bytes )
> 09/11/24 12:12:22 >= : cookies 56e1b7cb81389699:ff96e981de6ec185
> 09/11/24 12:12:22 >= : message 28b9cd9c
> 09/11/24 12:12:22 >= : encrypt iv ( 8 bytes )
> 09/11/24 12:12:22 == : encrypt packet ( 60 bytes )
> 09/11/24 12:12:22 == : stored iv ( 8 bytes )
> 09/11/24 12:12:22 DB : config resend event canceled ( ref count = 1 )
> 09/11/24 12:12:22 -> : send NAT-T:IKE packet 172.16.60.12:4500 ->
> public_ip_gateway:4500 ( 92 bytes )
> 09/11/24 12:12:22 DB : config resend event scheduled ( ref count = 2 )
> 09/11/24 12:12:22 ii : building config attribute list
> 09/11/24 12:12:22 ii : - IP4 Address
> 09/11/24 12:12:22 ii : - Address Expiry
> 09/11/24 12:12:22 ii : - IP4 Netamask
> 09/11/24 12:12:22 ii : - IP4 DNS Server
> 09/11/24 12:12:22 ii : - IP4 WINS Server
> 09/11/24 12:12:22 ii : - DNS Suffix
> 09/11/24 12:12:22 ii : - IP4 Split Network Include
> 09/11/24 12:12:22 ii : - IP4 Split Network Exclude
> 09/11/24 12:12:22 ii : - Login Banner
> 09/11/24 12:12:22 ii : - PFS Group
> 09/11/24 12:12:22 ii : - Save Password
> 09/11/24 12:12:22 == : new config iv ( 8 bytes )
> 09/11/24 12:12:22 ii : sending config pull request
> 09/11/24 12:12:22 >> : hash payload
> 09/11/24 12:12:22 >> : attribute payload
> 09/11/24 12:12:22 == : new configure hash ( 20 bytes )
> 09/11/24 12:12:22 >= : cookies 56e1b7cb81389699:ff96e981de6ec185
> 09/11/24 12:12:22 >= : message 2be9d912
> 09/11/24 12:12:22 >= : encrypt iv ( 8 bytes )
> 09/11/24 12:12:22 == : encrypt packet ( 104 bytes )
> 09/11/24 12:12:22 == : stored iv ( 8 bytes )
> 09/11/24 12:12:22 DB : config resend event canceled ( ref count = 1 )
> 09/11/24 12:12:22 -> : send NAT-T:IKE packet 172.16.60.12:4500 ->
> public_ip_gateway:4500 ( 140 bytes )
> 09/11/24 12:12:22 DB : config resend event scheduled ( ref count = 2 )
> 09/11/24 12:12:22 <- : recv NAT-T:IKE packet public_ip_gateway:4500 ->
> 172.16.60.12:4500 ( 252 bytes )
> 09/11/24 12:12:22 DB : phase1 found
> 09/11/24 12:12:22 ii : processing config packet ( 252 bytes )
> 09/11/24 12:12:22 DB : config found
> 09/11/24 12:12:22 =< : cookies 56e1b7cb81389699:ff96e981de6ec185
> 09/11/24 12:12:22 =< : message 2be9d912
> 09/11/24 12:12:22 =< : decrypt iv ( 8 bytes )
> 09/11/24 12:12:22 == : decrypt packet ( 252 bytes )
> 09/11/24 12:12:22 <= : trimmed packet padding ( 4 bytes )
> 09/11/24 12:12:22 <= : stored iv ( 8 bytes )
> 09/11/24 12:12:22 << : hash payload
> 09/11/24 12:12:22 << : attribute payload
> 09/11/24 12:12:22 == : configure hash_i ( computed ) ( 20 bytes )
> 09/11/24 12:12:22 == : configure hash_c ( computed ) ( 20 bytes )
> 09/11/24 12:12:22 ii : configure hash verified
> 09/11/24 12:12:22 ii : received config pull response
> 09/11/24 12:12:22 ii : - IP4 Address = 192.168.3.1
> 09/11/24 12:12:22 ii : - IP4 DNS Server = 172.21.10.10
> 09/11/24 12:12:22 ii : - IP4 DNS Server = 172.24.10.31
> 09/11/24 12:12:22 ii : - IP4 WINS Server = 172.21.10.10
> 09/11/24 12:12:22 ii : - IP4 WINS Server = 172.24.10.31
> 09/11/24 12:12:22 ii : - Login Banner = Welcome in the  ...
> 09/11/24 12:12:22 ii : - Save Password = 0
> 09/11/24 12:12:22 ii : - PFS Group = 1
> 09/11/24 12:12:22 DB : config resend event canceled ( ref count = 1 )
> 09/11/24 12:12:22 !! : invalid private netmask, defaulting to class c
> 09/11/24 12:12:26 ii : VNET adapter MTU is 1500
> 09/11/24 12:12:26 ii : enabled adapter ROOT\VNET\0000
> 09/11/24 12:12:26 ii : creating NONE INBOUND policy ANY:public_ip_gateway:* -> ANY:172.16.60.12:*
> 09/11/24 12:12:26 DB : policy added ( obj count = 1 )
> 09/11/24 12:12:26 K> : send pfkey X_SPDADD UNSPEC message
> 09/11/24 12:12:26 ii : creating NONE OUTBOUND policy ANY:172.16.60.12:* ->
> ANY:public_ip_gateway:*
> 09/11/24 12:12:26 K< : recv pfkey X_SPDADD UNSPEC message
> 09/11/24 12:12:26 DB : policy found
> 09/11/24 12:12:26 ii : created NONE policy route for public_ip_gateway/32
> 09/11/24 12:12:26 DB : policy added ( obj count = 2 )
> 09/11/24 12:12:26 K> : send pfkey X_SPDADD UNSPEC message
> 09/11/24 12:12:26 ii : creating IPSEC INBOUND policy ANY:0.0.0.0/0:* ->
> ANY:192.168.1.1:*
> 09/11/24 12:12:26 DB : policy added ( obj count = 3 )
> 09/11/24 12:12:26 K> : send pfkey X_SPDADD UNSPEC message
> 09/11/24 12:12:26 ii : creating IPSEC OUTBOUND policy ANY:192.168.1.1:* ->
> ANY:0.0.0.0/0:*
> 09/11/24 12:12:26 K< : recv pfkey X_SPDADD UNSPEC message
> 09/11/24 12:12:26 DB : policy found
> 09/11/24 12:12:26 ii : calling init phase2 for nailed policy
> 09/11/24 12:12:26 DB : policy found
> 09/11/24 12:12:26 DB : policy not found
> 09/11/24 12:12:26 !! : unable to locate inbound policy for init phase2
> 09/11/24 12:12:26 ii : calling init phase2 for initial policy
> 09/11/24 12:12:26 DB : policy found
> 09/11/24 12:12:26 DB : policy not found
> 09/11/24 12:12:26 !! : unable to locate inbound policy for init phase2
> 09/11/24 12:12:26 K< : recv pfkey X_SPDADD UNSPEC message
> 09/11/24 12:12:26 DB : policy found
> 09/11/24 12:12:29 ii : created IPSEC policy route for 0.0.0.0
> 09/11/24 12:12:29 DB : policy added ( obj count = 4 )
> 09/11/24 12:12:29 K> : send pfkey X_SPDADD UNSPEC message
> 09/11/24 12:12:29 ii : split DNS is disabled
> 09/11/24 12:12:29 K< : recv pfkey X_SPDADD UNSPEC message
> 09/11/24 12:12:29 DB : policy found
> 09/11/24 12:12:29 ii : calling init phase2 for nailed policy
> 09/11/24 12:12:29 DB : policy found
> 09/11/24 12:12:29 DB : policy found
> 09/11/24 12:12:29 DB : tunnel found
> 09/11/24 12:12:29 DB : new phase2 ( IPSEC initiator )
> 09/11/24 12:12:29 DB : phase2 added ( obj count = 1 )
> 09/11/24 12:12:29 K> : send pfkey GETSPI ESP message
> 09/11/24 12:12:29 K< : recv pfkey ACQUIRE UNSPEC message
> 09/11/24 12:12:29 DB : policy found
> 09/11/24 12:12:29 ii : ignoring init phase2 by acquire, tunnel is nailed
> 09/11/24 12:12:29 K< : recv pfkey GETSPI ESP message
> 09/11/24 12:12:29 DB : phase2 found
> 09/11/24 12:12:29 ii : updated spi for 1 ipsec-esp proposal
> 09/11/24 12:12:29 DB : phase1 found
> 09/11/24 12:12:29 >> : hash payload
> 09/11/24 12:12:29 >> : security association payload
> 09/11/24 12:12:29 >> : - proposal #1 payload
> 09/11/24 12:12:29 >> : -- transform #1 payload
> 09/11/24 12:12:29 >> : -- transform #2 payload
> 09/11/24 12:12:29 >> : -- transform #3 payload
> 09/11/24 12:12:29 >> : -- transform #4 payload
> 09/11/24 12:12:29 >> : -- transform #5 payload
> 09/11/24 12:12:29 >> : -- transform #6 payload
> 09/11/24 12:12:29 >> : -- transform #7 payload
> 09/11/24 12:12:29 >> : -- transform #8 payload
> 09/11/24 12:12:29 >> : -- transform #9 payload
> 09/11/24 12:12:29 >> : -- transform #10 payload
> 09/11/24 12:12:29 >> : -- transform #11 payload
> 09/11/24 12:12:29 >> : -- transform #12 payload
> 09/11/24 12:12:29 >> : -- transform #13 payload
> 09/11/24 12:12:29 >> : -- transform #14 payload
> 09/11/24 12:12:29 >> : -- transform #15 payload
> 09/11/24 12:12:29 >> : -- transform #16 payload
> 09/11/24 12:12:29 >> : -- transform #17 payload
> 09/11/24 12:12:29 >> : -- transform #18 payload
> 09/11/24 12:12:29 >> : nonce payload
> 09/11/24 12:12:29 >> : key exchange payload
> 09/11/24 12:12:29 >> : identification payload
> 09/11/24 12:12:29 >> : identification payload
> 09/11/24 12:12:29 == : phase2 hash_i ( input ) ( 804 bytes )
> 09/11/24 12:12:29 == : phase2 hash_i ( computed ) ( 20 bytes )
> 09/11/24 12:12:29 == : new phase2 iv ( 8 bytes )
> 09/11/24 12:12:29 >= : cookies 56e1b7cb81389699:ff96e981de6ec185
> 09/11/24 12:12:29 >= : message 68cb6858
> 09/11/24 12:12:29 >= : encrypt iv ( 8 bytes )
> 09/11/24 12:12:29 == : encrypt packet ( 852 bytes )
> 09/11/24 12:12:29 == : stored iv ( 8 bytes )
> 09/11/24 12:12:29 -> : send NAT-T:IKE packet 172.16.60.12:4500 ->
> public_ip_gateway:4500 ( 884 bytes )
> 09/11/24 12:12:29 DB : phase2 resend event scheduled ( ref count = 2 )
> 09/11/24 12:12:29 <- : recv NAT-T:IKE packet public_ip_gateway:4500 ->
> 172.16.60.12:4500 ( 84 bytes )
> 09/11/24 12:12:29 DB : phase1 found
> 09/11/24 12:12:29 ii : processing informational packet ( 84 bytes )
> 09/11/24 12:12:29 == : new informational iv ( 8 bytes )
> 09/11/24 12:12:29 =< : cookies 56e1b7cb81389699:ff96e981de6ec185
> 09/11/24 12:12:29 =< : message 43d5efde
> 09/11/24 12:12:29 =< : decrypt iv ( 8 bytes )
> 09/11/24 12:12:29 == : decrypt packet ( 84 bytes )
> 09/11/24 12:12:29 <= : trimmed packet padding ( 4 bytes )
> 09/11/24 12:12:29 <= : stored iv ( 8 bytes )
> 09/11/24 12:12:29 << : hash payload
> 09/11/24 12:12:29 << : delete payload
> 09/11/24 12:12:29 == : informational hash_i ( computed ) ( 20 bytes )
> 09/11/24 12:12:29 == : informational hash_c ( received ) ( 20 bytes )
> 09/11/24 12:12:29 ii : informational hash verified
> *09/11/24 12:12:29 ii : received peer DELETE message
> 09/11/24 12:12:29 ii : - public_ip_gateway:4500 -> 172.16.60.12:4500
> 09/11/24 12:12:29 ii : - isakmp spi = 56e1b7cb81389699:ff96e981de6ec185
> 09/11/24 12:12:29 DB : phase1 found
> 09/11/24 12:12:29 ii : cleanup, marked phase1
> 56e1b7cb81389699:ff96e981de6ec185 for removal
> 09/11/24 12:12:29 DB : phase1 soft event canceled ( ref count = 4 )
> 09/11/24 12:12:29 DB : phase1 hard event canceled ( ref count = 3 )
> 09/11/24 12:12:29 DB : phase1 dead event canceled ( ref count = 2 )
> 09/11/24 12:12:29 DB : config deleted ( obj count = 0 )
> 09/11/24 12:12:29 ii : phase1 removal before expire time
> 09/11/24 12:12:29 DB : phase1 not found
> 09/11/24 12:12:29 DB : phase1 deleted ( obj count = 0 )
> 09/11/24 12:12:29 DB : policy found
> 09/11/24 12:12:29 ii : removing IPSEC INBOUND policy ANY:0.0.0.0/0:* ->
> ANY:192.168.1.1:*
> 09/11/24 12:12:29 K> : send pfkey X_SPDDELETE2 UNSPEC message
> 09/11/24 12:12:29 DB : policy found
> 09/11/24 12:12:29 ii : removing IPSEC OUTBOUND policy ANY:192.168.1.1:* ->
> ANY:0.0.0.0/0:*
> 09/11/24 12:12:29 K> : send pfkey X_SPDDELETE2 UNSPEC message
> 09/11/24 12:12:29 K< : recv pfkey X_SPDDELETE2 UNSPEC message
> 09/11/24 12:12:29 ii : removed IPSEC policy route for ANY:0.0.0.0/0:*
> 09/11/24 12:12:29 DB : policy found
> 09/11/24 12:12:29 ii : removing NONE INBOUND policy ANY:public_ip_gateway:* -> ANY:172.16.60.12:*
> 09/11/24 12:12:29 K> : send pfkey X_SPDDELETE2 UNSPEC message
> 09/11/24 12:12:29 DB : policy found
> 09/11/24 12:12:29 ii : removing NONE OUTBOUND policy ANY:172.16.60.12:* ->
> ANY:public_ip_gateway:*
> 09/11/24 12:12:29 K> : send pfkey X_SPDDELETE2 UNSPEC message
> 09/11/24 12:12:29 ii : removed NONE policy route for ANY:public_ip_gateway:*
> 09/11/24 12:12:29 DB : policy found
> 09/11/24 12:12:29 DB : policy deleted ( obj count = 3 )
> 09/11/24 12:12:29 K< : recv pfkey X_SPDDELETE2 UNSPEC message
> 09/11/24 12:12:29 DB : policy found
> 09/11/24 12:12:29 K< : recv pfkey X_SPDDELETE2 UNSPEC message
> 09/11/24 12:12:29 DB : policy found*
> 09/11/24 12:12:29 DB : policy deleted ( obj count = 2 )
> 09/11/24 12:12:29 ii : disabled adapter ROOT\VNET\0000
> 09/11/24 12:12:29 DB : tunnel dpd event canceled ( ref count = 4 )
> 09/11/24 12:12:29 DB : tunnel natt event canceled ( ref count = 3 )
> 09/11/24 12:12:29 DB : tunnel stats event canceled ( ref count = 2 )
> 09/11/24 12:12:29 DB : removing tunnel config references
> 09/11/24 12:12:29 DB : removing tunnel phase2 references
> 09/11/24 12:12:29 DB : phase2 resend event canceled ( ref count = 1 )
> 09/11/24 12:12:29 ii : phase2 removal before expire time
> 09/11/24 12:12:29 DB : phase2 deleted ( obj count = 0 )
> 09/11/24 12:12:29 DB : removing tunnel phase1 references
> 09/11/24 12:12:29 DB : tunnel deleted ( obj count = 0 )
> 09/11/24 12:12:29 K< : recv pfkey X_SPDDELETE2 UNSPEC message
> 09/11/24 12:12:29 DB : policy found
> 09/11/24 12:12:29 DB : policy deleted ( obj count = 1 )
> 09/11/24 12:12:29 DB : removing all peer tunnel refrences
> 09/11/24 12:12:29 DB : peer deleted ( obj count = 0 )
> 09/11/24 12:12:29 ii : ipc client process thread exit ...
> 09/11/24 12:12:33 ii : halt signal received, shutting down
> 09/11/24 12:12:33 ii : pfkey process thread exit ...
> 09/11/24 12:12:33 ii : ipc server process thread exit ...
> 09/11/24 12:12:33 ii : network process thread exit ...
>
>
>
>
>
> And the Shrew Profile :
>
>
>
> n:version:3
> n:network-ike-port:500
> n:network-mtu-size:1380
> n:client-addr-auto:1
> n:network-natt-port:4500
> n:network-natt-rate:15
> n:network-frag-size:540
> n:network-dpd-enable:1
> n:network-notify-enable:1
> n:client-banner-enable:1
> n:phase1-dhgroup:2
> n:phase1-life-secs:86400
> n:client-dns-used:1
> n:client-dns-auto:1
> n:client-dns-suffix-auto:1
> n:client-splitdns-used:0
> n:client-splitdns-auto:0
> n:client-wins-used:1
> n:client-wins-auto:1
> n:phase2-life-secs:3600
> n:phase2-life-kbytes:0
> n:policy-nailed:1
> n:policy-list-auto:1
> s:client-saved-username:user
> n:phase1-life-kbytes:0
> n:vendor-chkpt-enable:0
> s:network-host:gateway_ip_adress
> s:client-auto-mode:pull
> s:client-iface:virtual
> s:network-natt-mode:enable
> s:network-frag-mode:disable
> s:auth-method:mutual-psk-xauth
> s:ident-client-type:keyid
> s:ident-server-type:any
> s:ident-client-data:vg-domain
> b:auth-mutual-psk:pass
> s:phase1-exchange:aggressive
> s:phase1-cipher:auto
> s:phase1-hash:auto
> s:phase2-transform:auto
> s:phase2-hmac:auto
> s:ipcomp-transform:disabled
> n:phase2-pfsgroup:0
>
>
>
> Thank you for your help !
>





_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help
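The iked log and the profile quoted in Mathieu's original post carry enough structure to be triaged mechanically rather than read line by line. The script below is an added example written for this page; it is not code from the thread or from the Shrew Soft project. It parses the log format shown above (date, time, two-character tag, message), records the negotiated ISAKMP transform, the XAuth outcome, every attribute returned by the config pull (repeated keys such as two DNS servers are kept as lists), every `!!` warning, and the last thing the client was doing when the gateway's DELETE arrived. It also reports whether both sides advertised DPDv1 while the profile has `network-dpd-enable:1`, since that is the hypothesis Daniel raised, and it places the gateway-pushed `PFS Group` next to the profile's `phase2-pfsgroup` value; the page does not say what 0 means for that key, so the report only juxtaposes the two numbers. The embedded log excerpt and profile fragment are constructed in the same format with placeholder addresses and a placeholder user name, not the poster's capture.

```python
import re

# Constructed excerpt in the iked log format quoted in the thread; placeholder
# addresses (192.0.2.x) and user name, not the original poster's capture.
SAMPLE_LOG = """\
09/11/24 12:12:20 DB : new phase1 ( ISAKMP initiator )
09/11/24 12:12:20 ii : local supports DPDv1
09/11/24 12:12:20 ii : matched isakmp proposal #1 transform #14
09/11/24 12:12:20 ii : - cipher type  = 3des
09/11/24 12:12:20 ii : - hash type    = sha1
09/11/24 12:12:20 ii : - dh group     = modp-1024
09/11/24 12:12:20 ii : peer supports DPDv1
09/11/24 12:12:20 !! : warning, unhandled xauth attribute 16526
09/11/24 12:12:20 ii : sending xauth response for jdoe
09/11/24 12:12:22 ii : user jdoe authentication succeeded
09/11/24 12:12:22 ii : sending config pull request
09/11/24 12:12:22 ii : received config pull response
09/11/24 12:12:22 ii : - IP4 DNS Server = 192.0.2.53
09/11/24 12:12:22 ii : - IP4 DNS Server = 192.0.2.54
09/11/24 12:12:22 ii : - PFS Group = 1
09/11/24 12:12:22 !! : invalid private netmask, defaulting to class c
09/11/24 12:12:26 !! : unable to locate inbound policy for init phase2
09/11/24 12:12:29 DB : new phase2 ( IPSEC initiator )
09/11/24 12:12:29 ii : received peer DELETE message
"""

# Constructed profile fragment in the n:/s:/b: key:value format quoted above.
SAMPLE_PROFILE = """\
n:network-dpd-enable:1
s:auth-method:mutual-psk-xauth
s:phase1-exchange:aggressive
n:phase2-pfsgroup:0
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S+) : (.*)$")


def parse_profile(text):
    # 'kind:key:value' lines; n: values become ints, s:/b: values stay strings
    prof = {}
    for line in text.splitlines():
        kind, _, rest = line.strip().lstrip("> ").partition(":")
        key, _, value = rest.partition(":")
        if kind in ("n", "s", "b") and key:
            prof[key] = int(value) if kind == "n" else value
    return prof


def parse_log(text):
    # one pass over the log, keeping only the facts a triage needs
    s = {"phase1": {}, "pulled": {}, "warnings": [], "dpd": set(),
         "xauth_user": None, "xauth_ok": False, "last_action": None,
         "delete_at": None, "action_before_delete": None}
    section = None  # which "- key = value" list we are inside, if any
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("> "))  # tolerate mail quoting
        if not m:
            continue
        stamp, tag, msg = m.groups()
        if tag == "!!":
            s["warnings"].append(msg)
            continue
        if section and msg.startswith("- "):
            key, _, value = (p.strip() for p in msg[2:].partition("="))
            if section == "phase1":
                s["phase1"][key] = value
            else:  # config-pull attributes may repeat (two DNS servers)
                s["pulled"].setdefault(key, []).append(value)
            continue
        section = None
        if tag == "ii":
            if msg.startswith("matched isakmp proposal"):
                section = "phase1"
            elif msg == "received config pull response":
                section = "pull"
            elif msg in ("local supports DPDv1", "peer supports DPDv1"):
                s["dpd"].add(msg.split()[0])
            elif msg.startswith("sending xauth response for "):
                s["xauth_user"] = msg.rsplit(" ", 1)[1]
            elif msg.startswith("user ") and msg.endswith("authentication succeeded"):
                s["xauth_ok"] = True
            elif msg == "received peer DELETE message":
                s["delete_at"], s["action_before_delete"] = stamp, s["last_action"]
        if tag in ("ii", "DB") and msg.startswith(("new phase", "sending ")):
            s["last_action"] = msg
    return s


def triage(log_text, profile_text):
    # combine log and profile into a short list of things worth checking
    log, prof = parse_log(log_text), parse_profile(profile_text)
    findings = []
    if log["delete_at"]:
        findings.append(f"gateway sent DELETE at {log['delete_at']}; "
                        f"last client action: {log['action_before_delete']}")
    findings += ["client warning: " + w for w in log["warnings"]]
    if log["dpd"] == {"local", "peer"} and prof.get("network-dpd-enable") == 1:
        findings.append("DPDv1 advertised by both sides and enabled in profile")
    pushed = log["pulled"].get("PFS Group", ["none"])[0]
    findings.append(f"PFS group: gateway pushed {pushed}, "
                    f"profile phase2-pfsgroup={prof.get('phase2-pfsgroup')}")
    return {"phase1": log["phase1"], "xauth": (log["xauth_user"], log["xauth_ok"]),
            "pulled": log["pulled"], "findings": findings}


if __name__ == "__main__":
    print(*triage(SAMPLE_LOG, SAMPLE_PROFILE)["findings"], sep="\n")
```

To use it on the real thread, paste the quoted log and profile blocks into two files and call `triage(open(log).read(), open(profile).read())`; the leading `> ` mail quoting is stripped, and lines the regex does not recognise are ignored. On the excerpt it reports that phase 1 and XAuth completed, that the DELETE arrived while the client's last action was `new phase2 ( IPSEC initiator )`, the three warnings, the DPD status, and the PFS values side by side, which is exactly the set of facts the thread was circling without a stated cause.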




