[vpn-help] need help: shrew client on windows 7 to Juniper netscreen SSG320
Neal Katz
nealkatz2 at gmail.com
Fri Jul 23 02:35:58 CDT 2010
Hi,
I need some help getting the Shrew client on Windows 7 to connect to a Juniper
NetScreen SSG 320 firewall.
I am using Shrew 2.1.6-beta 10 (I also tried 2.1.5 and had no luck).
I followed the instructions from
http://www.shrew.net/support/wiki/HowtoJuniperSsg
The error I get from the Shrew client is "user authentication error". Looking
at the NetScreen debug output, I see that Xauth is accessed twice,
first successfully and then a second time, which fails -- not sure why this
happens.
Note: I can't get the trace log working on Windows 7. Is this a known problem?
Thanks,
Neal
Netscreen Diagnostic output:
mycorp:SSG320M(M)-> debug ike detail
mycorp:SSG320M(M)-> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike
packet, len 542, action 1
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 514
bytes from socket.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if
<ethernet0/2> of vsys <Root> ******
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 514 bytes.
src port 500
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 514,
nxp 1[SA], exch 4[AG], flag 00
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv : [SA] [KE] [NONCE]
[ID] [VID] [VID] [VID] [VID] [VID]
## 2010-07-23 02:21:26 : [VID] [VID] [VID] [VID] [VID] [VID] [VID]
## 2010-07-23 02:21:26 : valid id checking, id type:FQDN, len:30.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > Validate (486):
SA/60 KE/132 NONCE/24 ID/30 VID/12 VID/20 VID/20 VID/20 VID/20
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Receive Id in AG mode,
id-type=2, id=clientvpn.mycorp.com, idlen = 22
## 2010-07-23 02:21:26 : IKE<118.175.66.109> peer <Gateway for
10.0.0.0/24> has static ip.
## 2010-07-23 02:21:26 : locate peer entry for
(2/clientvpn.mycorp.com), by identity.
## 2010-07-23 02:21:26 : locate peer entry for
(2/clientvpn.mycorp.com), by identity.
## 2010-07-23 02:21:26 : Found identity<clientvpn.mycorp.com> in
group <4> user id <8>.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Found peer entry
(dynamicvpnGW) from 124.xxx.xxx.214.
## 2010-07-23 02:21:26 : responder create sa: 124.xxx.xxx.214->209.3.41.90
## 2010-07-23 02:21:26 : init p1sa, pidt = 0x0
## 2010-07-23 02:21:26 : change peer identity for p1 sa, pidt = 0x0
## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
peer_identity_create_with_uid: uid<0>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > create peer identity
0x7486914
## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
peer_identity_add_to_peer: num entry before add <1>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
peer_identity_add_to_peer: num entry after add <2>
## 2010-07-23 02:21:26 : peer identity 7486914 created.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > EDIPI disabled
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> getProfileFromP1Proposal->
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> find
profile[0]=<00000005 00000002 00000001 00000002> for p1 proposal (id
5), xauth(1)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> find
profile[1]=<00000007 00000002 00000001 00000002> for p1 proposal (id
7), xauth(1)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> find
profile[2]=<00000007 00000001 00000001 00000002> for p1 proposal (id
6), xauth(1)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> find
profile[3]=<00000005 00000001 00000001 00000002> for p1 proposal (id
4), xauth(1)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> responder create sa:
124.xxx.xxx.214->209.3.41.90
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1: Responder
starts AGGRESSIVE mode negotiations.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> AG in state OAK_AG_NOSTATE.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
## 2010-07-23 02:21:26 : 09 00 26 89 df d6 b7 12
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv XAUTH v6.0 vid
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
## 2010-07-23 02:21:26 : 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv NAT-Traversal VID
payload (draft-ietf-ipsec-nat-t-ike-00).
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
## 2010-07-23 02:21:26 : 16 f6 ca 16 e4 a4 06 6d 83 82 1a 0f 0a ea a8 62
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID
payload.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
## 2010-07-23 02:21:26 : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv NAT-Traversal VID
payload (draft-ietf-ipsec-nat-t-ike-02).
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
## 2010-07-23 02:21:26 : 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID
payload.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
## 2010-07-23 02:21:26 : 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID
payload.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
## 2010-07-23 02:21:26 : 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
## 2010-07-23 02:21:26 : 80 00 00 00
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> receive unknown vendor ID
payload
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
## 2010-07-23 02:21:26 : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
## 2010-07-23 02:21:26 : f1 4b 94 b7 bf f1 fe f0 27 73 b8 c4 9f ed ed 26
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID
payload.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
## 2010-07-23 02:21:26 : 16 6f 93 2d 55 eb 64 d8 e4 df 4f d3 7e 23 13 f0
## 2010-07-23 02:21:26 : d0 fd 84 51
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> receive unknown vendor ID
payload
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
## 2010-07-23 02:21:26 : 84 04 ad f9 cd a0 57 60 b2 ca 29 2e 4b ff 53 7b
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID
payload.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
## 2010-07-23 02:21:26 : 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID
payload.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [SA]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Proposal received: xauthflag 1
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> auth(1)<PRESHRD>,
encr(7)<AES>, hash(2)<SHA>, group(2), keylen(128)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth attribute: initiator
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> [0] expect: xauthflag 3
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> auth(1)<PRESHRD>,
encr(5)<3DES>, hash(2)<SHA>, group(2)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth attribute: responder
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1 proposal [1] selected.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> SA Life Type = seconds
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> SA lifetime (TLV) = 86400
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > dh group 2
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> DH_BG_consume OK. p1 resp
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [KE]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> processing ISA_KE in phase 1.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [NONCE]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> processing NONCE in phase 1.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [ID]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ID received:
type=ID_FQDN, FQDN = clientvpn.mycorp.com, port=0, protocol=0
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> process_id need to
update peer entry, cur <dynamicvpnGW>.
## 2010-07-23 02:21:26 : IKE<118.175.66.109> peer <Gateway for
10.0.0.0/24> has static ip.
## 2010-07-23 02:21:26 : locate peer entry for
(2/clientvpn.mycorp.com), by identity.
## 2010-07-23 02:21:26 : locate peer entry for
(2/clientvpn.mycorp.com), by identity.
## 2010-07-23 02:21:26 : Found identity<clientvpn.mycorp.com> in
group <4> user id <8>.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Dynamic peer IP addr,
search peer by identity.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> peer gateway entry has
no peer id configured
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ID processed. return 0.
sa->p1_state = 0.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> need to wait for offline
p1 DH work done.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI
state<0> IKE state<0/281280a>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > finished job pkaidx
<0> dh_len<128> dmax<64>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > finished job
d<d35db216><230c4b5><ff9b7c7e><f9658ec0>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> AG in state OAK_AG_NOSTATE.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> re-enter AG after offline DH
done
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1 AG Responder
constructing 2nd message.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct ISAKMP header.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Msg header built (next payload
#1)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [SA] for ISAKMP
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> auth(1)<PRESHRD>,
encr(7)<AES>, hash(2)<SHA>, group(2), keylen(128)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth attribute: disabled
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> lifetime/lifesize (86400/0)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct NetScreen [VID]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct custom [VID]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct custom [VID]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct custom [VID]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [KE] for ISAKMP
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [NONCE]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> gen_skeyid()
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> gen_skeyid: returning 0
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [ID] for ISAKMP
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Use swan4.mycorp.com as IKE p1
ID.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [HASH]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Use swan4.mycorp.com as IKE p1
ID.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ID, len=22, type=2,
pro=17, port=500,
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct NAT-T [VID]: draft 2
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder psk ag mode:
natt vid constructed.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> responder (psk)
constructing remote NAT-D
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [NATD]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> responder (psk)
constructing local NAT-D
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [NATD]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> throw packet to the
peer, paket_len=462
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Xmit : [SA] [VID] [VID]
[VID] [VID] [KE] [NONCE] [ID] [HASH]
## 2010-07-23 02:21:26 : [VID] [NATD] [NATD]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder sending IPv4
IP 124.xxx.xxx.214/port 500
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Send Phase 1 packet (len=462)
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > from FLOAT port.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike packet, len 140, action 0
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 112
bytes from socket.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if
<ethernet0/2> of vsys <Root> ******
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 112 bytes.
src port 4500
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 108,
nxp 8[HASH], exch 4[AG], flag 01 E
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Decrypting payload (length 80)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv*: [HASH] [NATD] [NATD]
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > extract payload (80):
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> AG in state OAK_AG_INIT_EXCH.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [NATD]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [NATD]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [HASH]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ID, len=26, type=2, pro=0,
port=0,
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> completing Phase 1
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> sa_pidt = 7486914
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> adjusting phase 1 hash
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> found existing peer identity 0
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1: Completed for
ip <124.xxx.xxx.214>, user<clientvpn.mycorp.com>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1: Completed
Aggressive mode negotiation with a <28800>-second lifetime.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth is started:
server, p1responder, aggr mode.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> start_xauth()
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> start_xauth(): as:0 ac:-1
enable:1
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:
accounting server id 0 (use auth server as acct server).
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:
xauthstatus 20.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
type 16520, val 0 added, len 0.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
type 16521, val empty string, type <16521> added, len 0.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
type 16522, val empty string, type <16522> added, len 0.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Create conn entry...
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...done(new d2bb137d)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct ISAKMP header.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Msg header built (next payload
#8)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [HASH]
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute
payload:
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
20, type 1, identifier 58155.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > basic attr type 16520,
valint 0
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
16521, vallen 0, valstr empty string, type <16521>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
16522, vallen 0, valstr empty string, type <16522>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> construct QM HASH
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Xmit*: [HASH] [IKECFG]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Encrypt P2 payload (len 72)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder sending IPv4
IP 124.xxx.xxx.214/port 4500
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Send Phase 2 packet (len=76)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg packet sent.
msgid d2bb137d, len: 72, peer<124.xxx.xxx.214>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth status updated by
state machine: 20
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI
state<0> IKE state<6/1097182f>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > from FLOAT port.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike packet, len 124, action 0
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 96
bytes from socket.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if
<ethernet0/2> of vsys <Root> ******
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 96 bytes.
src port 4500
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 92,
nxp 8[HASH], exch 5[INFO], flag 01 E
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Create conn entry...
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...done(new 7a3a0581)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Decrypting payload (length 64)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv*: [HASH] [NOTIF]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Need to pass XAUTH
first. Silently Discard packet.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Delete conn entry...
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...found conn entry(81053a7a)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI
state<0> IKE state<6/1097182f>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > from FLOAT port.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike packet, len 124, action 0
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 96
bytes from socket.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if
<ethernet0/2> of vsys <Root> ******
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 96 bytes.
src port 4500
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 92,
nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Decrypting payload (length 64)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv*: [HASH] [IKECFG]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [IKECFG]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> processing IKECFG
payload. msgid d2bb137d, msgtype 2, payload ID 58155
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute
payload:
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
32, type 2, identifier 58155.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > basic attr type 16520,
valint 0
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
16521, vallen 4, valstr nea
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
16522, vallen 8, valstr testtes
## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
type 16520, val 0 added, len 0.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
type 16521, val nea added, len 4.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
type 16522, val testtes added, len 8.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server got type: 16520
v<0>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server got var type:
16521
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server got var type:
16522
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server entering
state machine: 20
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:
accounting server id 0 (use auth server as acct server).
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:
xauthstatus 20.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_auth_pap: authing
locally: uname neal, passwd mypassword SUCCESS
<======== SUCCESS
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Get config for client(local
auth)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214>
ikecfg_assign_client_cfg(): Sa->ip_addr = 0x0
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> getting xauth local user
<neal> remote setting
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> getting xauth local user
IP from pool <dynippool>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Don't do xauth RADIUS
accounting. Send cfg to client directly.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg_send_client_cfg:
ip 192.168.73.10, v4mask 255.255.255.255 dns1 192.168.1.100, dns2
0.0.0.0, win1 0.0.0.0, win2 0.0.0.0
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg_send_client_cfg
v6: id ::, prefix ::/0
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg_send_client_cfg
v6: dns1 ::, dns2 ::, win1 ::, win2 ::
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
type 1, val 192.168.73.10 added, len 4.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
type 2, val 255.255.255.255 added, len 4.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
type 3, val 192.168.1.100 added, len 4.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Create conn entry...
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...done(new 988f8a06)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct ISAKMP header.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Msg header built (next payload
#8)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [HASH]
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute
payload:
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
32, type 3, identifier 58155.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 1,
vallen 4, valstr 192.168.73.10
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 2,
vallen 4, valstr 255.255.255.255
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 3,
vallen 4, valstr 192.168.1.100
## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> construct QM HASH
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Xmit*: [HASH] [IKECFG]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Encrypt P2 payload (len 84)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder sending IPv4
IP 124.xxx.xxx.214/port 4500
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Send Phase 2 packet (len=92)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg packet sent.
msgid 988f8a06, len: 84, peer<124.xxx.xxx.214>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth status updated by
state machine: 90
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI
state<0> IKE state<6/1097182f>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > from FLOAT port.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike packet, len 108, action 0
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 80
bytes from socket.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if
<ethernet0/2> of vsys <Root> ******
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 80 bytes.
src port 4500
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 76,
nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Decrypting payload (length 48)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv*: [HASH] [IKECFG]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [IKECFG]:
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> processing IKECFG
payload. msgid 988f8a06, msgtype 4, payload ID 58155
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute
payload:
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
16, type 4, identifier 58155.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 3,
vallen 0, valstr 0.4.0.0
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 4,
vallen 0, valstr 0.0.0.0
## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
type 3, val 0.0.0.0 added, len 0.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
type 4, val 0.0.0.0 added, len 0.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server entering
state machine: 90
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:
accounting server id 0 (use auth server as acct server).
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:
xauthstatus 90.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth status updated by
state machine: -1
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
type 16527, val 0 added, len 0.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Create conn entry...
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...done(new a14298f9)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct ISAKMP header.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Msg header built (next payload
#8)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [HASH]
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute
payload:
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
12, type 3, identifier 58155.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > basic attr type 16527,
valint 0
## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> construct QM HASH
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Xmit*: [HASH] [IKECFG]
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Encrypt P2 payload (len 64)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder sending IPv4
IP 124.xxx.xxx.214/port 4500
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Send Phase 2 packet (len=76)
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg packet sent.
msgid a14298f9, len: 64, peer<124.xxx.xxx.214>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_failed()
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth login FAILED. gw
<dynamicvpnGW>, username <neal>, retry: 0, timeout: 1
<============= FAIL
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_cleanup()
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE Xauth: release
prefix route, ret=<-2>.
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> XAUTH-failed: clear p2sa
for p1sa(0x2455dbc).
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI
state<0> IKE state<6/1097182f>
## 2010-07-23 02:21:27 : IKE<0.0.0.0 > from FLOAT port.
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> ike packet, len 124, action 0
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Catcher: received 96
bytes from socket.
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> ****** Recv packet if
<ethernet0/2> of vsys <Root> ******
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Catcher: get 96 bytes.
src port 4500
## 2010-07-23 02:21:27 : IKE<0.0.0.0 > ISAKMP msg: len 92,
nxp 8[HASH], exch 5[INFO], flag 01 E
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Create conn entry...
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> ...done(new f032721f)
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Decrypting payload (length 64)
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Recv*: [HASH] [DELETE]
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Process [DELETE]:
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> DELETE payload received,
deleting Phase-1 SA
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Delete conn entry...
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> ...found conn entry(1f7232f0)
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> IKE msg done: PKI
state<0> IKE state<6/1097182f>
## 2010-07-23 02:21:28 : IKE<0.0.0.0 > dh group 2
## 2010-07-23 02:21:28 : IKE<0.0.0.0 > finished job pkaidx
<0> dh_len<128> dmax<64>
## 2010-07-23 02:21:28 : IKE<0.0.0.0 > finished job
d<900357c1><692e110e><f1a1c30d><c028dc1a>
## 2010-07-23 02:21:28 : IKE<0.0.0.0 > BN, top32 dmax64 zero<no>
## 2010-07-23 02:21:29 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg
transmit timer expired. re-trans msgid<a14298f9>
## 2010-07-23 02:21:29 : IKE<124.xxx.xxx.214> bad sa, can't send request
## 2010-07-23 02:21:31 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg
transmit timer expired. re-trans msgid<a14298f9>
## 2010-07-23 02:21:31 : IKE<124.xxx.xxx.214> bad sa, can't send request
## 2010-07-23 02:21:33 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg
transmit timer expired. re-trans msgid<a14298f9>
## 2010-07-23 02:21:33 : IKE<124.xxx.xxx.214> bad sa, can't send request
## 2010-07-23 02:21:35 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg
transmit timer expired. re-trans msgid<a14298f9>
## 2010-07-23 02:21:35 : IKE<124.xxx.xxx.214> bad sa, can't send request
## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg
transmit timer expired. re-trans msgid<a14298f9>
## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> bad sa, can't send request
## 2010-07-23 02:21:37 : reap_db. deleting p1sa 2455dbc
## 2010-07-23 02:21:37 : terminate_SA: trying to delete SA cause: 0 cond: 2
## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> Delete conn entry...
## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> ...found conn entry(f99842a1)
## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> Delete conn entry...
## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> ...found conn entry(068a8f98)
## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> Delete conn entry...
## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> ...found conn entry(7d13bbd2)
## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> xauth_cleanup()
## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> Done cleaning up IKE Phase 1
SA
## 2010-07-23 02:21:37 : peer_identity_unregister_p1_sa.
## 2010-07-23 02:21:37 : IKE<0.0.0.0 > delete peer identity
0x7486914
## 2010-07-23 02:21:37 : IKE<0.0.0.0 >
peer_identity_remove_from_peer: num entry before remove <2>
## 2010-07-23 02:21:37 : peer_idt.c peer_identity_unregister_p1_sa
682: pidt deleted.
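
An added example, not part of the original post: a small Python script that rejoins the e-mail-wrapped `debug ike detail` records and reduces them to the ordered XAUTH / Mode-Config steps, so the point where the gateway switches from success to failure can be read off directly. The message-type and attribute names are taken from the ISAKMP Mode-Config and XAUTH drafts; `SAMPLE` is an abbreviated excerpt of the log above, and the function names are this example's own.

```python
import re

# Message-type and attribute numbers from the ISAKMP Mode-Config and XAUTH drafts.
CFG_MSG = {1: "REQUEST", 2: "REPLY", 3: "SET", 4: "ACK"}
ATTR = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
        3: "INTERNAL_IP4_DNS", 4: "INTERNAL_IP4_NBNS",
        16520: "XAUTH_TYPE", 16521: "XAUTH_USER_NAME",
        16522: "XAUTH_USER_PASSWORD", 16527: "XAUTH_STATUS"}
RECORD = re.compile(r"^(?:\S+\s+)?## \d{4}-\d\d-\d\d \d\d:\d\d:\d\d : (.*)$")

# Abbreviated excerpt of the debug output in the post, e-mail wrapping kept.
SAMPLE = """\
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
20, type 1, identifier 58155.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
16521, vallen 0, valstr empty string, type <16521>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth status updated by
state machine: 20
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> processing IKECFG
payload. msgid d2bb137d, msgtype 2, payload ID 58155
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
32, type 2, identifier 58155.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
16521, vallen 4, valstr nea
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_auth_pap: authing
locally: uname neal, passwd mypassword SUCCESS
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
32, type 3, identifier 58155.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 1,
vallen 4, valstr 192.168.73.10
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth status updated by
state machine: 90
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> processing IKECFG
payload. msgid 988f8a06, msgtype 4, payload ID 58155
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
16, type 4, identifier 58155.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 3,
vallen 0, valstr 0.4.0.0
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth status updated by
state machine: -1
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
12, type 3, identifier 58155.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > basic attr type 16527,
valint 0
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth login FAILED. gw
<dynamicvpnGW>, username <neal>, retry: 0, timeout: 1
"""

def unwrap(text):
    """Rejoin records that the mail client wrapped onto a second line."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            records.append(m.group(1).strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def xauth_timeline(text):
    """Return the XAUTH / Mode-Config steps seen by the gateway, in order."""
    events, msg, received = [], None, False
    for rec in unwrap(text):
        if "processing IKECFG payload" in rec:
            received = True  # the next printed payload came from the client
        elif m := re.search(r"payloadlength \d+, type (\d+), identifier", rec):
            msg = {"dir": "recv" if received else "send", "attrs": [],
                   "type": CFG_MSG.get(int(m.group(1)), m.group(1))}
            events.append(msg)
            received = False
        elif msg and (m := re.search(r"(basic|variable) attr type (\d+), val\w+ (\S*)", rec)):
            name = ATTR.get(int(m.group(2)), m.group(2))
            # Variable values can be the user name or password: never copy them.
            msg["attrs"].append(f"{name}={m.group(3)}" if m.group(1) == "basic" else name)
        elif m := re.search(r"status updated by state machine: (-?\d+)", rec):
            events.append(f"gateway xauth state -> {m.group(1)}")
        elif "xauth_auth_pap" in rec:
            verdict = "SUCCESS" if rec.rstrip().endswith("SUCCESS") else "not SUCCESS"
            events.append("credential check: " + verdict)
        elif "xauth login FAILED" in rec:
            events.append("xauth login FAILED")
    return [e if isinstance(e, str) else
            f"{e['dir']} {e['type']} [{', '.join(e['attrs'])}]" for e in events]

if __name__ == "__main__":
    print("\n".join(xauth_timeline(SAMPLE)))
```

On the excerpt, the timeline places the successful credential check before the address `SET`, and the `XAUTH_STATUS=0` message and `xauth login FAILED` after the client's `ACK`, which is the "accessed twice" sequence the post describes.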