[vpn-help] need help: shrew client on windows 7 to Juniper netscreen SSG320
Matthew Grooms
mgrooms at shrew.net
Tue Jul 27 11:30:51 CDT 2010
On 7/23/2010 2:35 AM, Neal Katz wrote:
> hi,
> I need some help getting shrew client on windows 7 to connect to a
> Juniper netscreen ssg 320 firewall.
> I am using shrew 2.1.6-beta 10 (I also tried 2.1.5 and had no luck)
> I followed the instructions from
> http://www.shrew.net/support/wiki/HowtoJuniperSsg
>
> The error I get from shrew client is "user authentication error" ,
> looking at the netscreen debug output I see that Xauth is accessed
> twice, first successfully and then a 2nd time which fails -- not sure
> why this happens.
>
> note: I can't get trace log working on windows 7, is this a known problem ?
>
Neal,
This document describes how to access the debug log output. The log
level is probably set to default which displays no output.
http://www.shrew.net/support/wiki/BugReportVpnWindows
Do you have authentication set to Mutual PSK + Xauth and the auto
configuration set to "ike config push"?
-Matthew
> Thanks,
> Neal
>
> Netscreen Diagnostic output:
>
> mycorp:SSG320M(M)-> debug ike detail
> mycorp:SSG320M(M)-> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike
> packet, len 542, action 1
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 514
> bytes from socket.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if
> <ethernet0/2> of vsys <Root> ******
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 514 bytes.
> src port 500
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 514,
> nxp 1[SA], exch 4[AG], flag 00
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv : [SA] [KE] [NONCE]
> [ID] [VID] [VID] [VID] [VID] [VID]
> ## 2010-07-23 02:21:26 : [VID] [VID] [VID] [VID] [VID] [VID] [VID]
> ## 2010-07-23 02:21:26 : valid id checking, id type:FQDN, len:30.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > Validate (486):
> SA/60 KE/132 NONCE/24 ID/30 VID/12 VID/20 VID/20 VID/20 VID/20
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Receive Id in AG mode,
> id-type=2, id=clientvpn.mycorp.com, idlen
> = 22
> ## 2010-07-23 02:21:26 : IKE<118.175.66.109> peer <Gateway for
> 10.0.0.0/24> has static ip.
> ## 2010-07-23 02:21:26 : locate peer entry for
> (2/clientvpn.mycorp.com), by identity.
> ## 2010-07-23 02:21:26 : locate peer entry for
> (2/clientvpn.mycorp.com), by identity.
> ## 2010-07-23 02:21:26 : Found identity<clientvpn.mycorp.com> in
> group <4> user id <8>.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Found peer entry
> (dynamicvpnGW) from 124.xxx.xxx.214.
> ## 2010-07-23 02:21:26 : responder create sa: 124.xxx.xxx.214->209.3.41.90
> ## 2010-07-23 02:21:26 : init p1sa, pidt = 0x0
> ## 2010-07-23 02:21:26 : change peer identity for p1 sa, pidt = 0x0
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
> peer_identity_create_with_uid: uid<0>
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > create peer identity 0x7486914
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
> peer_identity_add_to_peer: num entry before add <1>
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
> peer_identity_add_to_peer: num entry after add <2>
> ## 2010-07-23 02:21:26 : peer identity 7486914 created.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > EDIPI disabled
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> getProfileFromP1Proposal->
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> find
> profile[0]=<00000005 00000002 00000001 00000002> for p1 proposal (id
> 5), xauth(1)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> find
> profile[1]=<00000007 00000002 00000001 00000002> for p1 proposal (id
> 7), xauth(1)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> find
> profile[2]=<00000007 00000001 00000001 00000002> for p1 proposal (id
> 6), xauth(1)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> find
> profile[3]=<00000005 00000001 00000001 00000002> for p1 proposal (id
> 4), xauth(1)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> responder create sa:
> 124.xxx.xxx.214->209.3.41.90
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1: Responder
> starts AGGRESSIVE mode negotiations.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> AG in state OAK_AG_NOSTATE.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
> ## 2010-07-23 02:21:26 : 09 00 26 89 df d6 b7 12
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv XAUTH v6.0 vid
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
> ## 2010-07-23 02:21:26 : 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv NAT-Traversal VID
> payload (draft-ietf-ipsec-nat-t-ike-00).
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
> ## 2010-07-23 02:21:26 : 16 f6 ca 16 e4 a4 06 6d 83 82 1a 0f 0a ea a8 62
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID
> payload.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
> ## 2010-07-23 02:21:26 : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv NAT-Traversal VID
> payload (draft-ietf-ipsec-nat-t-ike-02).
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
> ## 2010-07-23 02:21:26 : 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID
> payload.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
> ## 2010-07-23 02:21:26 : 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID
> payload.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
> ## 2010-07-23 02:21:26 : 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
> ## 2010-07-23 02:21:26 : 80 00 00 00
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> receive unknown vendor ID
> payload
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
> ## 2010-07-23 02:21:26 : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
> ## 2010-07-23 02:21:26 : f1 4b 94 b7 bf f1 fe f0 27 73 b8 c4 9f ed ed 26
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID
> payload.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
> ## 2010-07-23 02:21:26 : 16 6f 93 2d 55 eb 64 d8 e4 df 4f d3 7e 23 13 f0
> ## 2010-07-23 02:21:26 : d0 fd 84 51
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> receive unknown vendor ID
> payload
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
> ## 2010-07-23 02:21:26 : 84 04 ad f9 cd a0 57 60 b2 ca 29 2e 4b ff 53 7b
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID
> payload.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:
> ## 2010-07-23 02:21:26 : 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID
> payload.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [SA]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Proposal received: xauthflag 1
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> auth(1)<PRESHRD>,
> encr(7)<AES>, hash(2)<SHA>, group(2), keylen(128)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth attribute: initiator
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> [0] expect: xauthflag 3
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> auth(1)<PRESHRD>,
> encr(5)<3DES>, hash(2)<SHA>, group(2)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth attribute: responder
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1 proposal [1] selected.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> SA Life Type = seconds
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> SA lifetime (TLV) = 86400
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > dh group 2
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> DH_BG_consume OK. p1 resp
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [KE]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> processing ISA_KE in phase 1.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [NONCE]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> processing NONCE in phase 1.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [ID]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ID received:
> type=ID_FQDN, FQDN = clientvpn.mycorp.com, port=0, protocol=0
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> process_id need to
> update peer entry, cur <dynamicvpnGW>.
> ## 2010-07-23 02:21:26 : IKE<118.175.66.109> peer <Gateway for
> 10.0.0.0/24> has static ip.
> ## 2010-07-23 02:21:26 : locate peer entry for
> (2/clientvpn.mycorp.com), by identity.
> ## 2010-07-23 02:21:26 : locate peer entry for
> (2/clientvpn.mycorp.com), by identity.
> ## 2010-07-23 02:21:26 : Found identity<clientvpn.mycorp.com> in
> group <4> user id <8>.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Dynamic peer IP addr,
> search peer by identity.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> peer gateway entry has
> no peer id configured
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ID processed. return 0.
> sa->p1_state = 0.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> need to wait for offline
> p1 DH work done.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI
> state<0> IKE state<0/281280a>
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > finished job pkaidx
> <0> dh_len<128> dmax<64>
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > finished job
> d<d35db216><230c4b5><ff9b7c7e><f9658ec0>
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> AG in state OAK_AG_NOSTATE.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> re-enter AG after offline
> DH done
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1 AG Responder
> constructing 2nd message.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct ISAKMP header.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Msg header built (next
> payload #1)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [SA] for ISAKMP
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> auth(1)<PRESHRD>,
> encr(7)<AES>, hash(2)<SHA>, group(2), keylen(128)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth attribute: disabled
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> lifetime/lifesize (86400/0)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct NetScreen [VID]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct custom [VID]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct custom [VID]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct custom [VID]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [KE] for ISAKMP
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [NONCE]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> gen_skeyid()
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> gen_skeyid: returning 0
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [ID] for ISAKMP
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Use swan4.mycorp.com as IKE p1 ID.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [HASH]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Use swan4.mycorp.com as IKE p1 ID.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ID, len=22, type=2,
> pro=17, port=500,
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214>
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct NAT-T [VID]: draft 2
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder psk ag mode:
> natt vid constructed.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> responder (psk)
> constructing remote NAT-D
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [NATD]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> responder (psk)
> constructing local NAT-D
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [NATD]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> throw packet to the
> peer, paket_len=462
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Xmit : [SA] [VID] [VID]
> [VID] [VID] [KE] [NONCE] [ID] [HASH]
> ## 2010-07-23 02:21:26 : [VID] [NATD] [NATD]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder sending IPv4
> IP 124.xxx.xxx.214/port 500
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Send Phase 1 packet (len=462)
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > from FLOAT port.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike packet, len 140, action 0
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 112
> bytes from socket.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if
> <ethernet0/2> of vsys <Root> ******
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 112 bytes.
> src port 4500
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 108,
> nxp 8[HASH], exch 4[AG], flag 01 E
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Decrypting payload (length 80)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv*: [HASH] [NATD] [NATD]
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > extract payload (80):
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> AG in state OAK_AG_INIT_EXCH.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [NATD]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [NATD]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [HASH]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ID, len=26, type=2, pro=0,
> port=0,
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214>
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> completing Phase 1
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> sa_pidt = 7486914
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> adjusting phase 1 hash
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> found existing peer identity 0
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1: Completed for
> ip <124.xxx.xxx.214>, user<clientvpn.mycorp.com>
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1: Completed
> Aggressive mode negotiation with a <28800>-second lifetime.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth is started:
> server, p1responder, aggr mode.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> start_xauth()
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> start_xauth(): as:0 ac:-1
> enable:1
>
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:
> accounting server id 0 (use auth server as acct server).
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:
> xauthstatus 20.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
> type 16520, val 0 added, len 0.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
> type 16521, val empty string, type <16521> added, len 0.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
> type 16522, val empty string, type <16522> added, len 0.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Create conn entry...
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...done(new d2bb137d)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct ISAKMP header.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Msg header built (next
> payload #8)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [HASH]
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute payload:
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
> 20, type 1, identifier 58155.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > basic attr type 16520, valint 0
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
> 16521, vallen 0, valstr empty string, type <16521>
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
> 16522, vallen 0, valstr empty string, type <16522>
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> construct QM HASH
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Xmit*: [HASH] [IKECFG]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Encrypt P2 payload (len 72)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder sending IPv4
> IP 124.xxx.xxx.214/port 4500
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Send Phase 2 packet (len=76)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg packet sent.
> msgid d2bb137d, len: 72, peer<124.xxx.xxx.214>
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth status updated by
> state machine: 20
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI
> state<0> IKE state<6/1097182f>
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > from FLOAT port.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike packet, len 124, action 0
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 96
> bytes from socket.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if
> <ethernet0/2> of vsys <Root> ******
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 96 bytes.
> src port 4500
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 92,
> nxp 8[HASH], exch 5[INFO], flag 01 E
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Create conn entry...
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...done(new 7a3a0581)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Decrypting payload (length 64)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv*: [HASH] [NOTIF]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Need to pass XAUTH
> first. Silently Discard packet.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Delete conn entry...
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...found conn entry(81053a7a)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI
> state<0> IKE state<6/1097182f>
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > from FLOAT port.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike packet, len 124, action 0
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 96
> bytes from socket.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if
> <ethernet0/2> of vsys <Root> ******
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 96 bytes.
> src port 4500
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 92,
> nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Decrypting payload (length 64)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv*: [HASH] [IKECFG]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [IKECFG]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> processing IKECFG
> payload. msgid d2bb137d, msgtype 2, payload ID 58155
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute payload:
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
> 32, type 2, identifier 58155.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > basic attr type 16520, valint 0
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
> 16521, vallen 4, valstr nea
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
> 16522, vallen 8, valstr testtes
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
> type 16520, val 0 added, len 0.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
> type 16521, val nea added, len 4.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
> type 16522, val testtes added, len 8.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server got type:
> 16520 v<0>
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server got var type:
> 16521
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server got var type:
> 16522
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server entering
> state machine: 20
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:
> accounting server id 0 (use auth server as acct server).
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:
> xauthstatus 20.
>
>
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_auth_pap: authing
> locally: uname neal, passwd mypassword SUCCESS
> <======== SUCCESS
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Get config for
> client(local auth)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214>
> ikecfg_assign_client_cfg(): Sa->ip_addr = 0x0
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> getting xauth local user
> <neal> remote setting
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> getting xauth local user
> IP from pool <dynippool>
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Don't do xauth RADIUS
> accounting. Send cfg to client directly.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg_send_client_cfg:
> ip 192.168.73.10, v4mask 255.255.255.255 dns1 192.168.1.100, dns2
> 0.0.0.0, win1 0.0.0.0, win2 0.0.0.0
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg_send_client_cfg
> v6: id ::, prefix ::/0
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg_send_client_cfg
> v6: dns1 ::, dns2 ::, win1 ::, win2 ::
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
> type 1, val 192.168.73.10 added, len 4.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
> type 2, val 255.255.255.255 added, len 4.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
> type 3, val 192.168.1.100 added, len 4.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Create conn entry...
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...done(new 988f8a06)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct ISAKMP header.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Msg header built (next
> payload #8)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [HASH]
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute payload:
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
> 32, type 3, identifier 58155.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 1,
> vallen 4, valstr 192.168.73.10
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 2,
> vallen 4, valstr 255.255.255.255
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 3,
> vallen 4, valstr 192.168.1.100
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> construct QM HASH
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Xmit*: [HASH] [IKECFG]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Encrypt P2 payload (len 84)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder sending IPv4
> IP 124.xxx.xxx.214/port 4500
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Send Phase 2 packet (len=92)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg packet sent.
> msgid 988f8a06, len: 84, peer<124.xxx.xxx.214>
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth status updated by
> state machine: 90
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI
> state<0> IKE state<6/1097182f>
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > from FLOAT port.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike packet, len 108, action 0
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 80
> bytes from socket.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if
> <ethernet0/2> of vsys <Root> ******
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 80 bytes.
> src port 4500
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 76,
> nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Decrypting payload (length 48)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv*: [HASH] [IKECFG]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [IKECFG]:
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> processing IKECFG
> payload. msgid 988f8a06, msgtype 4, payload ID 58155
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute payload:
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
> 16, type 4, identifier 58155.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 3,
> vallen 0, valstr 0.4.0.0
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 4,
> vallen 0, valstr 0.0.0.0
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
> type 3, val 0.0.0.0 added, len 0.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
> type 4, val 0.0.0.0 added, len 0.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server entering
> state machine: 90
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:
> accounting server id 0 (use auth server as acct server).
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:
> xauthstatus 90.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth status updated by
> state machine: -1
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr
> type 16527, val 0 added, len 0.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Create conn entry...
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...done(new a14298f9)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct ISAKMP header.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Msg header built (next
> payload #8)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [HASH]
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute payload:
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
> 12, type 3, identifier 58155.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > basic attr type 16527, valint 0
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 >
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> construct QM HASH
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Xmit*: [HASH] [IKECFG]
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Encrypt P2 payload (len 64)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder sending IPv4
> IP 124.xxx.xxx.214/port 4500
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Send Phase 2 packet (len=76)
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg packet sent.
> msgid a14298f9, len: 64, peer<124.xxx.xxx.214>
>
>
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_failed()
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth login FAILED. gw
> <dynamicvpnGW>, username <neal>, retry: 0, timeout: 1
> <============= FAIL
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_cleanup()
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE Xauth: release
> prefix route, ret=<-2>.
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> XAUTH-failed: clear p2sa
> for p1sa(0x2455dbc).
> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI
> state<0> IKE state<6/1097182f>
> ## 2010-07-23 02:21:27 : IKE<0.0.0.0 > from FLOAT port.
> ## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> ike packet, len 124, action 0
> ## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Catcher: received 96
> bytes from socket.
> ## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> ****** Recv packet if
> <ethernet0/2> of vsys <Root> ******
> ## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Catcher: get 96 bytes.
> src port 4500
> ## 2010-07-23 02:21:27 : IKE<0.0.0.0 > ISAKMP msg: len 92,
> nxp 8[HASH], exch 5[INFO], flag 01 E
> ## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Create conn entry...
> ## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> ...done(new f032721f)
> ## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Decrypting payload (length 64)
> ## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Recv*: [HASH] [DELETE]
> ## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Process [DELETE]:
> ## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> DELETE payload received,
> deleting Phase-1 SA
> ## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Delete conn entry...
> ## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> ...found conn entry(1f7232f0)
> ## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> IKE msg done: PKI
> state<0> IKE state<6/1097182f>
> ## 2010-07-23 02:21:28 : IKE<0.0.0.0 > dh group 2
> ## 2010-07-23 02:21:28 : IKE<0.0.0.0 > finished job pkaidx
> <0> dh_len<128> dmax<64>
> ## 2010-07-23 02:21:28 : IKE<0.0.0.0 > finished job
> d<900357c1><692e110e><f1a1c30d><c028dc1a>
> ## 2010-07-23 02:21:28 : IKE<0.0.0.0 > BN, top32 dmax64 zero<no>
> ## 2010-07-23 02:21:29 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg
> transmit timer expired. re-trans msgid<a14298f9>
> ## 2010-07-23 02:21:29 : IKE<124.xxx.xxx.214> bad sa, can't send request
> ## 2010-07-23 02:21:31 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg
> transmit timer expired. re-trans msgid<a14298f9>
> ## 2010-07-23 02:21:31 : IKE<124.xxx.xxx.214> bad sa, can't send request
> ## 2010-07-23 02:21:33 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg
> transmit timer expired. re-trans msgid<a14298f9>
> ## 2010-07-23 02:21:33 : IKE<124.xxx.xxx.214> bad sa, can't send request
> ## 2010-07-23 02:21:35 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg
> transmit timer expired. re-trans msgid<a14298f9>
> ## 2010-07-23 02:21:35 : IKE<124.xxx.xxx.214> bad sa, can't send request
> ## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg
> transmit timer expired. re-trans msgid<a14298f9>
> ## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> bad sa, can't send request
> ## 2010-07-23 02:21:37 : reap_db. deleting p1sa 2455dbc
> ## 2010-07-23 02:21:37 : terminate_SA: trying to delete SA cause: 0 cond: 2
> ## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> Delete conn entry...
> ## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> ...found conn entry(f99842a1)
> ## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> Delete conn entry...
> ## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> ...found conn entry(068a8f98)
> ## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> Delete conn entry...
> ## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> ...found conn entry(7d13bbd2)
> ## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> xauth_cleanup()
> ## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> Done cleaning up IKE Phase
> 1 SA
> ## 2010-07-23 02:21:37 : peer_identity_unregister_p1_sa.
> ## 2010-07-23 02:21:37 : IKE<0.0.0.0 > delete peer identity 0x7486914
> ## 2010-07-23 02:21:37 : IKE<0.0.0.0 >
> peer_identity_remove_from_peer: num entry before remove <2>
> ## 2010-07-23 02:21:37 : peer_idt.c peer_identity_unregister_p1_sa
> 682: pidt deleted.
>
>
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
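
The quoted `debug ike detail` output records the XAUTH user name and password in clear text (`xauth_auth_pap` and attribute 16522). The following is an added example, not part of the original thread and not Shrew or Juniper code: it unwraps a mail-quoted log of this shape, masks the password fields, and lists the XAUTH events in order so the step where a successful password check turns into `xauth login FAILED` is easy to see. The sample lines are constructed in the page's log format, and all function names are hypothetical.

```python
import re

XAUTH_USER_PASSWORD = 16522   # XAUTH attribute carrying the password
XAUTH_STATUS = 16527          # XAUTH attribute: 0 = FAIL, 1 = OK
CFG_MSGTYPES = {1: "REQUEST", 2: "REPLY", 3: "SET", 4: "ACK"}  # ISAKMP config types

# Constructed sample (placeholder address, user, password and msgid), mail-quoted
# and hard-wrapped the same way as the log in the thread.
SAMPLE = """\
> ## 2010-07-23 02:21:26 : IKE<192.0.2.10> xauth_process_server:
> xauthstatus 20.
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
> 16521, vallen 5, valstr alice
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
> 16522, vallen 7, valstr hunter2
> ## 2010-07-23 02:21:26 : IKE<192.0.2.10> xauth_auth_pap: authing
> locally: uname alice, passwd hunter2 SUCCESS
> ## 2010-07-23 02:21:26 : IKE<192.0.2.10> xauth status updated by
> state machine: 90
> ## 2010-07-23 02:21:26 : IKE<192.0.2.10> processing IKECFG
> payload. msgid 0000abcd, msgtype 4, payload ID 58155
> ## 2010-07-23 02:21:26 : IKE<192.0.2.10> xauth status updated by
> state machine: -1
> ## 2010-07-23 02:21:26 : IKE<0.0.0.0 > basic attr type 16527, valint 0
> ## 2010-07-23 02:21:26 : IKE<192.0.2.10> xauth login FAILED. gw
> <dynamicvpnGW>, username <alice>, retry: 0, timeout: 1
"""


def unwrap(text):
    """Drop '>' mail quoting and rejoin wrapped lines: one record per '## ' entry."""
    records = []
    for line in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", line).strip()
        if not line:
            continue
        if line.startswith("## ") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


# Fields that carry the password. Assumes the value contains no whitespace.
_SECRETS = [
    re.compile(r"(passwd )\S+"),
    re.compile(rf"(attr type {XAUTH_USER_PASSWORD}, vallen \d+, valstr )\S+"),
    re.compile(rf"(attr type {XAUTH_USER_PASSWORD}, val )\S+(?= added)"),
]


def redact(record):
    """Mask password values so the record can be shared."""
    for pat in _SECRETS:
        record = pat.sub(r"\1[REDACTED]", record)
    return record


# (event name, value converter, pattern with one capture group)
_EVENTS = [
    ("auth_ok", str, re.compile(r"xauth_auth_pap: .*uname (\S+?),.*\bSUCCESS\b")),
    ("state", int, re.compile(r"xauth status updated by state machine: (-?\d+)")),
    ("cfg_msg", int, re.compile(r"processing IKECFG payload\. msgid \w+, msgtype (\d+)")),
    ("status_attr", int, re.compile(rf"basic attr type {XAUTH_STATUS}, valint (\d+)")),
    ("login_failed", str, re.compile(r"xauth login FAILED\. gw <[^>]*>, username <([^>]*)>")),
]


def xauth_events(records):
    """Return (event, value) pairs in log order."""
    events = []
    for rec in records:
        for name, conv, pat in _EVENTS:
            m = pat.search(rec)
            if m:
                events.append((name, conv(m.group(1))))
    return events


def auth_ok_then_failed(events):
    """True when the password check succeeded but the login was failed afterwards."""
    kinds = [k for k, _ in events]
    return ("auth_ok" in kinds and "login_failed" in kinds
            and kinds.index("auth_ok") < kinds.index("login_failed"))


def timeline(text):
    """Unwrap, redact, and extract events from a pasted log."""
    records = [redact(r) for r in unwrap(text)]
    return records, xauth_events(records)


if __name__ == "__main__":
    records, events = timeline(SAMPLE)
    for kind, val in events:
        label = CFG_MSGTYPES.get(val, val) if kind == "cfg_msg" else val
        print(f"{kind:13} {label}")
    print("auth succeeded, login failed afterwards:", auth_ok_then_failed(events))
```
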