[vpn-help] "negotiation timout occurred" when trying to connect to Cisco VPN

John Morkel jmorkel at gmail.com
Wed Dec 1 15:08:58 CST 2010


I'm trying to connect to what I think is a Cisco gateway using Shrew 2.1.7.
The Cisco client works fine, but local LAN traffic has been disabled by the
sysadmin, which is a dealbreaker for me.

The Cisco GUI uses a .pcf file and .p12 certificate to connect. I used
OpenSSL to extract the client and CA certs and client private key from the
PKCS#12 file.

I get the following output in the connect dialogue when connecting:

config loaded for site 'xxxxxx'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

-------------------------------------------------------------------------------------

The redacted .pcf file looks like this:

[main]
Description=VPN connexion
Host=xxx.xxx.xxx.xxx
AuthType=3
GroupName=
GroupPwd=
enc_GroupPwd=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=Mobile Connect
ISPPhonebook=C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
ISPCommand=
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=1
CertName=client
CertPath=
CertSubjectName=cn=client,ou=xxxxx,o=xxxxxxxxxxxxxxxxx,st=xxxxxxxxxxxx,c=xx
CertSerialHash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=0

-------------------------------------------------------------------------------------

The trace output is as follows:

10/12/01 23:00:57 ## : IKE Daemon, ver 2.1.7
10/12/01 23:00:57 ## : Copyright 2010 Shrew Soft Inc.
10/12/01 23:00:57 ## : This product linked OpenSSL 0.9.8h 28 May 2008
10/12/01 23:00:57 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
10/12/01 23:00:57 ii : rebuilding vnet device list ...
10/12/01 23:00:57 ii : device ROOT\VNET\0000 disabled
10/12/01 23:00:57 ii : network process thread begin ...
10/12/01 23:00:57 ii : pfkey process thread begin ...
10/12/01 23:00:57 ii : ipc server process thread begin ...
10/12/01 23:01:12 ii : ipc client process thread begin ...
10/12/01 23:01:12 <A : peer config add message
10/12/01 23:01:12 DB : peer added ( obj count = 1 )
10/12/01 23:01:12 ii : local address 192.168.1.101 selected for peer
10/12/01 23:01:12 DB : tunnel added ( obj count = 1 )
10/12/01 23:01:12 <A : proposal config message
10/12/01 23:01:12 <A : proposal config message
10/12/01 23:01:12 <A : client config message
10/12/01 23:01:12 <A : xauth username message
10/12/01 23:01:12 <A : xauth password message
10/12/01 23:01:12 <A : remote cert 'C:\Documents and Settings\xxxx\Desktop\server.pem' message
10/12/01 23:01:12 ii : 'C:\Documents and Settings\xxxx\Desktop\server.pem' loaded
10/12/01 23:01:12 <A : local cert 'C:\Documents and Settings\xxxx\Desktop\clientcert.pem' message
10/12/01 23:01:12 ii : 'C:\Documents and Settings\xxxx\Desktop\clientcert.pem' loaded
10/12/01 23:01:12 <A : local key 'C:\Documents and Settings\xxxx\Desktop\clientkey.pem' message
10/12/01 23:01:12 ii : 'C:\Documents and Settings\xxxx\Desktop\clientkey.pem' loaded
10/12/01 23:01:12 <A : peer tunnel enable message
10/12/01 23:01:12 ii : obtained x509 cert subject ( 106 bytes )
10/12/01 23:01:12 DB : new phase1 ( ISAKMP initiator )
10/12/01 23:01:12 DB : exchange type is aggressive
10/12/01 23:01:12 DB : 192.168.1.101:500 <-> xxx.xxx.xxx.xxx:500
10/12/01 23:01:12 DB : 4bb4816e147a3ab7:0000000000000000
10/12/01 23:01:12 DB : phase1 added ( obj count = 1 )
10/12/01 23:01:12 >> : security association payload
10/12/01 23:01:12 >> : - proposal #1 payload
10/12/01 23:01:12 >> : -- transform #1 payload
10/12/01 23:01:12 >> : -- transform #2 payload
10/12/01 23:01:12 >> : -- transform #3 payload
10/12/01 23:01:12 >> : -- transform #4 payload
10/12/01 23:01:12 >> : -- transform #5 payload
10/12/01 23:01:12 >> : -- transform #6 payload
10/12/01 23:01:12 >> : -- transform #7 payload
10/12/01 23:01:12 >> : -- transform #8 payload
10/12/01 23:01:12 >> : -- transform #9 payload
10/12/01 23:01:12 >> : -- transform #10 payload
10/12/01 23:01:12 >> : -- transform #11 payload
10/12/01 23:01:12 >> : -- transform #12 payload
10/12/01 23:01:12 >> : -- transform #13 payload
10/12/01 23:01:12 >> : -- transform #14 payload
10/12/01 23:01:12 >> : -- transform #15 payload
10/12/01 23:01:12 >> : -- transform #16 payload
10/12/01 23:01:12 >> : -- transform #17 payload
10/12/01 23:01:12 >> : -- transform #18 payload
10/12/01 23:01:12 >> : key exchange payload
10/12/01 23:01:12 >> : nonce payload
10/12/01 23:01:12 >> : cert request payload
10/12/01 23:01:12 >> : identification payload
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports XAUTH
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( draft v00 )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( draft v01 )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( draft v02 )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( draft v03 )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( rfc )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports DPDv1
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local is SHREW SOFT compatible
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local is NETSCREEN compatible
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local is SIDEWINDER compatible
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local is CISCO UNITY compatible
10/12/01 23:01:12 >= : cookies 4bb4816e147a3ab7:0000000000000000
10/12/01 23:01:12 >= : message 00000000
10/12/01 23:01:12 -> : send IKE packet 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500 ( 1231 bytes )
10/12/01 23:01:12 DB : phase1 resend event scheduled ( ref count = 2 )
10/12/01 23:01:17 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:22 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:27 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:32 ii : resend limit exceeded for phase1 exchange
10/12/01 23:01:32 ii : phase1 removal before expire time
10/12/01 23:01:32 DB : phase1 deleted ( obj count = 0 )
10/12/01 23:01:32 DB : policy not found
10/12/01 23:01:32 DB : policy not found
10/12/01 23:01:32 DB : policy not found
10/12/01 23:01:32 DB : policy not found
10/12/01 23:01:32 DB : tunnel stats event canceled ( ref count = 1 )
10/12/01 23:01:32 DB : removing tunnel config references
10/12/01 23:01:32 DB : removing tunnel phase2 references
10/12/01 23:01:32 DB : removing tunnel phase1 references
10/12/01 23:01:32 DB : tunnel deleted ( obj count = 0 )
10/12/01 23:01:32 DB : removing all peer tunnel refrences
10/12/01 23:01:32 DB : peer deleted ( obj count = 0 )
10/12/01 23:01:32 ii : ipc client process thread exit ...

Any help would be appreciated.
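The trace above shows the shape of this failure: one aggressive-mode phase1 packet is sent, it is resent three times at five-second intervals, nothing is ever logged as received, and the client gives up with "resend limit exceeded". The following script is an added example (not part of the post, and not Shrew Soft code) that triages an iked.log trace of this layout and separates "the gateway never answered" from "the gateway answered but the exchange stalled". It assumes the tag conventions visible in the trace (`->` for sent packets, `DB`/`ii` for state and info lines) plus the assumption that received packets carry a `<-` tag; the sample traces and the peer address `203.0.113.10` are constructed, not the poster's values.

```python
import re

# One iked.log line: "<date> <time> <two-char tag> : <message>"
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<tag>\S\S) : (?P<msg>.*)$")
# The phase1 endpoint line: "<local>:<port> <-> <peer>:<port>"
PEER_RE = re.compile(r"^(?P<local>\S+) <-> (?P<peer>\S+)$")

# Constructed sample mirroring the post: one send, three resends, no reply.
SAMPLE_NO_REPLY = """\
10/12/01 23:01:12 DB : new phase1 ( ISAKMP initiator )
10/12/01 23:01:12 DB : exchange type is aggressive
10/12/01 23:01:12 DB : 192.168.1.101:500 <-> 203.0.113.10:500
10/12/01 23:01:12 -> : send IKE packet 192.168.1.101:500 -> 203.0.113.10:500 ( 1231 bytes )
10/12/01 23:01:12 DB : phase1 resend event scheduled ( ref count = 2 )
10/12/01 23:01:17 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> 203.0.113.10:500
10/12/01 23:01:22 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> 203.0.113.10:500
10/12/01 23:01:27 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> 203.0.113.10:500
10/12/01 23:01:32 ii : resend limit exceeded for phase1 exchange
10/12/01 23:01:32 ii : phase1 removal before expire time
"""

# Constructed contrast case: the peer answers once (assumed "<-" tag), then the
# exchange still times out. Different cause, different next step.
SAMPLE_REPLIED = """\
10/12/01 23:02:00 DB : new phase1 ( ISAKMP initiator )
10/12/01 23:02:00 DB : exchange type is aggressive
10/12/01 23:02:00 DB : 192.168.1.101:500 <-> 203.0.113.10:500
10/12/01 23:02:00 -> : send IKE packet 192.168.1.101:500 -> 203.0.113.10:500 ( 1231 bytes )
10/12/01 23:02:00 <- : recv IKE packet 203.0.113.10:500 -> 192.168.1.101:500 ( 40 bytes )
10/12/01 23:02:05 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> 203.0.113.10:500
10/12/01 23:02:20 ii : resend limit exceeded for phase1 exchange
"""


def parse_trace(text):
    """Return (tag, msg) tuples for lines matching the iked.log layout.

    Lines that do not match (e.g. mail-client wrapped continuations) are skipped
    rather than raising, since a pasted trace is rarely clean.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group("tag"), m.group("msg")))
    return events


def triage_phase1(text):
    """Summarise the phase1 exchange and classify why it timed out."""
    events = parse_trace(text)
    sent = sum(1 for t, m in events if t == "->" and m.startswith("send IKE packet"))
    resent = sum(1 for t, m in events if t == "->" and m.startswith("resend"))
    received = sum(1 for t, m in events if t == "<-")  # assumed tag for inbound packets
    exhausted = any(m.startswith("resend limit exceeded") for _, m in events)
    exchange = next((m.split("exchange type is ", 1)[1]
                     for _, m in events if m.startswith("exchange type is ")), None)

    peer = None
    for t, m in events:
        pm = PEER_RE.match(m)
        if t == "DB" and pm:
            peer = pm.group("peer")
            break

    if exhausted and received == 0:
        verdict = "no_response"
        hint = ("nothing came back from the peer: verify the Host address, that UDP/500 "
                "(and UDP/4500 for NAT-T) reaches the gateway from this network, and that "
                "the gateway accepts this IKEv1 exchange type from the client")
    elif exhausted:
        verdict = "peer_replied_then_stalled"
        hint = ("the gateway answered at least once; inspect the received payloads and "
                "any notify before the last resend for a proposal or identity mismatch")
    else:
        verdict = "incomplete"
        hint = "no resend-limit event in this trace; capture the full iked.log"

    return {"exchange": exchange, "peer": peer, "sent": sent, "resent": resent,
            "received": received, "verdict": verdict, "hint": hint}


if __name__ == "__main__":
    for name, sample in (("no reply", SAMPLE_NO_REPLY), ("replied", SAMPLE_REPLIED)):
        r = triage_phase1(sample)
        print(f"[{name}] {r['exchange']} to {r['peer']}: sent={r['sent']} "
              f"resent={r['resent']} received={r['received']} -> {r['verdict']}")
        print("   ", r["hint"])
```

Run it against a real iked.log by passing the file contents to `triage_phase1`; the point of the split is that a trace with zero inbound packets is a reachability or filtering question (the certificate and proposal configuration never got exercised), whereas a trace with a reply is a negotiation question and the interesting lines are the ones following the received packet.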