[vpn-help] SHREW Dial Up Client and SSG 320 with Certificates

Rainer Blaes Rainer.Blaes at astrium.eads.net
Tue Feb 15 08:02:07 CST 2011


Hi everybody,
Two weeks ago we set up a SHREW Dial Up VPN Client 2.1.7 connection to 
our SSG 350 device, and the connection is working fine.
Now we got an SSG 320 out of the box and imported the running SSG 350 
configuration into it. Unfortunately the tunnel isn't coming up again;
it seems to us that something is wrong within Phase 1. But what?
Please see the iked.log entries here:

11/02/15 12:04:20 ## : IKE Daemon, ver 2.1.7
11/02/15 12:04:20 ## : Copyright 2010 Shrew Soft Inc.
11/02/15 12:04:20 ## : This product linked OpenSSL 0.9.8h 28 May 2008
11/02/15 12:04:20 ii : opened 'C:\Programme\ShrewSoft\VPN Client\debug\iked.log'
11/02/15 12:04:20 ii : opened 'C:\Programme\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
11/02/15 12:04:20 ii : opened 'C:\Programme\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
11/02/15 12:04:20 ii : rebuilding vnet device list ...
11/02/15 12:04:20 ii : device ROOT\VNET\0000 disabled
11/02/15 12:04:20 ii : network process thread begin ...
11/02/15 12:04:20 ii : pfkey process thread begin ...
11/02/15 12:04:20 ii : ipc server process thread begin ...
11/02/15 12:07:44 ii : ipc client process thread begin ...
11/02/15 12:07:44 <A : peer config add message
11/02/15 12:07:44 DB : peer added ( obj count = 1 )
11/02/15 12:07:44 ii : local address 192.168.11.3 selected for peer
11/02/15 12:07:44 DB : tunnel added ( obj count = 1 )
11/02/15 12:07:44 <A : proposal config message
11/02/15 12:07:44 <A : proposal config message
11/02/15 12:07:44 <A : client config message
11/02/15 12:07:44 <A : xauth username message
11/02/15 12:07:44 <A : xauth password message
11/02/15 12:07:44 <A : remote id 'ref2.esa.int' message
11/02/15 12:07:44 <A : remote cert 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\Screenos.crt' message
11/02/15 12:07:44 ii : 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\Screenos.crt' loaded
11/02/15 12:07:44 <A : local cert 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\uhb2.crt' message
11/02/15 12:07:44 ii : 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\uhb2.crt' loaded
11/02/15 12:07:44 <A : local key 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\uhb2.key' message
11/02/15 12:07:44 !! : 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\uhb2.key' load failed, requesting password
11/02/15 12:07:46 <A : file password
11/02/15 12:07:46 <A : local key 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\uhb2.key' message
11/02/15 12:07:46 ii : 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\uhb2.key' loaded
11/02/15 12:07:46 <A : remote resource message
11/02/15 12:07:46 <A : remote resource message
11/02/15 12:07:46 <A : peer tunnel enable message
11/02/15 12:07:46 ii : obtained x509 cert subject ( 64 bytes )
11/02/15 12:07:46 DB : new phase1 ( ISAKMP initiator )
11/02/15 12:07:46 DB : exchange type is aggressive
11/02/15 12:07:46 DB : 192.168.11.3:500 <-> 192.168.11.1:500
11/02/15 12:07:46 DB : fa229af570c7fb18:0000000000000000
11/02/15 12:07:46 DB : phase1 added ( obj count = 1 )
11/02/15 12:07:46 >> : security association payload
11/02/15 12:07:46 >> : - proposal #1 payload
11/02/15 12:07:46 >> : -- transform #1 payload
11/02/15 12:07:46 >> : -- transform #2 payload
11/02/15 12:07:46 >> : -- transform #3 payload
11/02/15 12:07:46 >> : -- transform #4 payload
11/02/15 12:07:46 >> : -- transform #5 payload
11/02/15 12:07:46 >> : -- transform #6 payload
11/02/15 12:07:46 >> : -- transform #7 payload
11/02/15 12:07:46 >> : -- transform #8 payload
11/02/15 12:07:46 >> : -- transform #9 payload
11/02/15 12:07:46 >> : -- transform #10 payload
11/02/15 12:07:46 >> : -- transform #11 payload
11/02/15 12:07:46 >> : -- transform #12 payload
11/02/15 12:07:46 >> : -- transform #13 payload
11/02/15 12:07:46 >> : -- transform #14 payload
11/02/15 12:07:46 >> : -- transform #15 payload
11/02/15 12:07:46 >> : -- transform #16 payload
11/02/15 12:07:46 >> : -- transform #17 payload
11/02/15 12:07:46 >> : -- transform #18 payload
11/02/15 12:07:46 >> : key exchange payload
11/02/15 12:07:46 >> : nonce payload
11/02/15 12:07:46 >> : cert request payload
11/02/15 12:07:46 >> : identification payload
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports XAUTH
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v00 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v01 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v02 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( draft v03 )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports nat-t ( rfc )
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports FRAGMENTATION
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local supports DPDv1
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is SHREW SOFT compatible
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is NETSCREEN compatible
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is SIDEWINDER compatible
11/02/15 12:07:46 >> : vendor id payload
11/02/15 12:07:46 ii : local is CISCO UNITY compatible
11/02/15 12:07:46 >= : cookies fa229af570c7fb18:0000000000000000
11/02/15 12:07:46 >= : message 00000000
11/02/15 12:07:46 -> : send IKE packet 192.168.11.3:500 -> 192.168.11.1:500 ( 1245 bytes )
11/02/15 12:07:46 DB : phase1 resend event scheduled ( ref count = 2 )
11/02/15 12:07:51 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:07:56 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:08:01 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:08:06 ii : resend limit exceeded for phase1 exchange
11/02/15 12:08:06 ii : phase1 removal before expire time
11/02/15 12:08:06 DB : phase1 deleted ( obj count = 0 )
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : policy not found
11/02/15 12:08:06 DB : tunnel stats event canceled ( ref count = 1 )
11/02/15 12:08:06 DB : removing tunnel config references
11/02/15 12:08:06 DB : removing tunnel phase2 references
11/02/15 12:08:06 DB : removing tunnel phase1 references
11/02/15 12:08:06 DB : tunnel deleted ( obj count = 0 )
11/02/15 12:08:06 DB : removing all peer tunnel refrences
11/02/15 12:08:06 DB : peer deleted ( obj count = 0 )
11/02/15 12:08:06 ii : ipc client process thread exit ...
11/02/15 12:11:51 ii : ipc client process thread begin ...
11/02/15 12:11:51 <A : peer config add message
11/02/15 12:11:51 DB : peer added ( obj count = 1 )
11/02/15 12:11:51 ii : local address 192.168.11.3 selected for peer
11/02/15 12:11:51 DB : tunnel added ( obj count = 1 )
11/02/15 12:11:51 <A : proposal config message
11/02/15 12:11:51 <A : proposal config message
11/02/15 12:11:51 <A : client config message
11/02/15 12:11:51 <A : xauth username message
11/02/15 12:11:51 <A : xauth password message
11/02/15 12:11:51 <A : remote id 'ref2.esa.int' message
11/02/15 12:11:51 <A : remote cert 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\Screenos.crt' message
11/02/15 12:11:51 ii : 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\Screenos.crt' loaded
11/02/15 12:11:51 <A : local cert 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\uhb2.crt' message
11/02/15 12:11:51 ii : 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\uhb2.crt' loaded
11/02/15 12:11:51 <A : local key 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\uhb2.key' message
11/02/15 12:11:51 !! : 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\uhb2.key' load failed, requesting password
11/02/15 12:11:59 <A : file password
11/02/15 12:11:59 <A : local key 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\uhb2.key' message
11/02/15 12:11:59 ii : 'C:\Dokumente und Einstellungen\hrdp\Eigene Dateien\Shrew Soft VPN\certs\uhb2.key' loaded
11/02/15 12:11:59 <A : remote resource message
11/02/15 12:11:59 <A : remote resource message
11/02/15 12:11:59 <A : peer tunnel enable message
11/02/15 12:11:59 ii : obtained x509 cert subject ( 64 bytes )
11/02/15 12:11:59 DB : new phase1 ( ISAKMP initiator )
11/02/15 12:11:59 DB : exchange type is aggressive
11/02/15 12:11:59 DB : 192.168.11.3:500 <-> 192.168.11.1:500
11/02/15 12:11:59 DB : 221f334a8c0e197f:0000000000000000
11/02/15 12:11:59 DB : phase1 added ( obj count = 1 )
11/02/15 12:11:59 >> : security association payload
11/02/15 12:11:59 >> : - proposal #1 payload
11/02/15 12:11:59 >> : -- transform #1 payload
11/02/15 12:11:59 >> : key exchange payload
11/02/15 12:11:59 >> : nonce payload
11/02/15 12:11:59 >> : cert request payload
11/02/15 12:11:59 >> : identification payload
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports XAUTH
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v00 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v01 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v02 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( draft v03 )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports nat-t ( rfc )
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports FRAGMENTATION
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local supports DPDv1
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is SHREW SOFT compatible
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is NETSCREEN compatible
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is SIDEWINDER compatible
11/02/15 12:11:59 >> : vendor id payload
11/02/15 12:11:59 ii : local is CISCO UNITY compatible
11/02/15 12:11:59 >= : cookies 221f334a8c0e197f:0000000000000000
11/02/15 12:11:59 >= : message 00000000
11/02/15 12:11:59 -> : send IKE packet 192.168.11.3:500 -> 192.168.11.1:500 ( 585 bytes )
11/02/15 12:11:59 DB : phase1 resend event scheduled ( ref count = 2 )
11/02/15 12:11:59 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:11:59 DB : phase1 found
11/02/15 12:11:59 ii : processing informational packet ( 64 bytes )
11/02/15 12:11:59 =< : cookies 221f334a8c0e197f:d3c668fbd6a61255
11/02/15 12:11:59 =< : message 00000000
11/02/15 12:11:59 << : notification payload
11/02/15 12:11:59 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:11:59 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:11:59 ii : - isakmp spi = 221f334a8c0e197f:d3c668fbd6a61255
11/02/15 12:11:59 ii : - data size 8
11/02/15 12:12:04 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:12:04 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:12:04 DB : phase1 found
11/02/15 12:12:04 ii : processing informational packet ( 64 bytes )
11/02/15 12:12:04 =< : cookies 221f334a8c0e197f:b6b9df9481bde6cb
11/02/15 12:12:04 =< : message 00000000
11/02/15 12:12:04 << : notification payload
11/02/15 12:12:04 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:12:04 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:12:04 ii : - isakmp spi = 221f334a8c0e197f:b6b9df9481bde6cb
11/02/15 12:12:04 ii : - data size 8
11/02/15 12:12:09 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:12:09 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:12:09 DB : phase1 found
11/02/15 12:12:09 ii : processing informational packet ( 64 bytes )
11/02/15 12:12:09 =< : cookies 221f334a8c0e197f:9e28c29bed6baea3
11/02/15 12:12:09 =< : message 00000000
11/02/15 12:12:09 << : notification payload
11/02/15 12:12:09 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:12:09 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:12:09 ii : - isakmp spi = 221f334a8c0e197f:9e28c29bed6baea3
11/02/15 12:12:09 ii : - data size 8
11/02/15 12:12:14 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:12:14 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:12:14 DB : phase1 found
11/02/15 12:12:14 ii : processing informational packet ( 64 bytes )
11/02/15 12:12:14 =< : cookies 221f334a8c0e197f:b3a30e0e8a811912
11/02/15 12:12:14 =< : message 00000000
11/02/15 12:12:14 << : notification payload
11/02/15 12:12:14 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:12:14 ii : - 192.168.11.1:500 -> 192.168.11.3:500
11/02/15 12:12:14 ii : - isakmp spi = 221f334a8c0e197f:b3a30e0e8a811912
11/02/15 12:12:14 ii : - data size 8
11/02/15 12:12:19 ii : resend limit exceeded for phase1 exchange
11/02/15 12:12:19 ii : phase1 removal before expire time
11/02/15 12:12:19 DB : phase1 deleted ( obj count = 0 )
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : policy not found
11/02/15 12:12:19 DB : tunnel stats event canceled ( ref count = 1 )
11/02/15 12:12:19 DB : removing tunnel config references
11/02/15 12:12:19 DB : removing tunnel phase2 references
11/02/15 12:12:19 DB : removing tunnel phase1 references
11/02/15 12:12:19 DB : tunnel deleted ( obj count = 0 )
11/02/15 12:12:19 DB : removing all peer tunnel refrences
11/02/15 12:12:19 DB : peer deleted ( obj count = 0 )
11/02/15 12:12:19 ii : ipc client process thread exit ...

Many thanks in advance!

Rainer
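An added example, not part of Rainer's post and not Shrew Soft's own code, that triages an iked.log like the one above. It splits the log into Phase 1 attempts and tells apart the two failure modes visible in the post: a first attempt (18 transforms, 1245-byte packet) that was resent until the limit without any reply from the gateway, and a second attempt (1 transform, 585 bytes) where the gateway answered every packet with NO-PROPOSAL-CHOSEN, the ISAKMP notification a responder sends when none of the offered Phase 1 transforms matches a proposal it is configured to accept. The sample log embedded in the script is a constructed, abridged subset of the post's log; the log-line format assumed is the `date time TAG : message` layout seen above.

```python
"""Triage Phase 1 failures in a Shrew Soft iked.log (added example, not vendor code).

Each attempt is classified as:
  'no response'        - packets were resent to the limit and the peer never replied
                         (reachability or silent drop on UDP/500, not a parameter issue)
  'proposal rejected'  - the peer replied with NO-PROPOSAL-CHOSEN (Phase 1 mismatch)
  'incomplete'         - the log ended before either outcome was reached
"""
import re
import sys
from dataclasses import dataclass

# Assumed log layout: "YY/MM/DD HH:MM:SS TT : message", TT being a two-char tag (ii, DB, ->, <-, >> ...).
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S\S) : (.*)$")
BYTES_RE = re.compile(r"\( (\d+) bytes \)")

# Constructed sample: an abridged subset of the two attempts from the post.
SAMPLE_LOG = """\
11/02/15 12:07:46 DB : new phase1 ( ISAKMP initiator )
11/02/15 12:07:46 DB : exchange type is aggressive
11/02/15 12:07:46 >> : security association payload
11/02/15 12:07:46 >> : - proposal #1 payload
11/02/15 12:07:46 >> : -- transform #1 payload
11/02/15 12:07:46 >> : -- transform #2 payload
11/02/15 12:07:46 >> : -- transform #3 payload
11/02/15 12:07:46 -> : send IKE packet 192.168.11.3:500 -> 192.168.11.1:500 ( 1245 bytes )
11/02/15 12:07:51 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:07:56 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:08:06 ii : resend limit exceeded for phase1 exchange
11/02/15 12:11:59 DB : new phase1 ( ISAKMP initiator )
11/02/15 12:11:59 DB : exchange type is aggressive
11/02/15 12:11:59 >> : -- transform #1 payload
11/02/15 12:11:59 -> : send IKE packet 192.168.11.3:500 -> 192.168.11.1:500 ( 585 bytes )
11/02/15 12:11:59 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:11:59 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:12:04 -> : resend 1 phase1 packet(s) 192.168.11.3:500 -> 192.168.11.1:500
11/02/15 12:12:04 <- : recv IKE packet 192.168.11.1:500 -> 192.168.11.3:500 ( 64 bytes )
11/02/15 12:12:04 ii : received peer NO-PROPOSAL-CHOSEN notification
11/02/15 12:12:19 ii : resend limit exceeded for phase1 exchange
"""


@dataclass
class Phase1Attempt:
    started: str
    exchange: str = "unknown"
    transforms: int = 0          # transforms offered in the SA payload
    sent_bytes: int = 0          # size of the first Phase 1 packet
    resends: int = 0
    responses: int = 0           # any IKE packet received from the peer
    no_proposal_chosen: int = 0  # NO-PROPOSAL-CHOSEN notifications received
    resend_limit_hit: bool = False

    def verdict(self) -> str:
        if self.no_proposal_chosen:
            return "proposal rejected"
        if self.responses == 0 and self.resend_limit_hit:
            return "no response"
        return "incomplete"


def parse_attempts(text: str) -> list:
    """Group log lines into Phase 1 attempts; lines before the first attempt are ignored."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, tag, msg = m.groups()
        if msg.startswith("new phase1"):
            cur = Phase1Attempt(started=ts)
            attempts.append(cur)
            continue
        if cur is None:
            continue
        if msg.startswith("exchange type is "):
            cur.exchange = msg[len("exchange type is "):]
        elif tag == ">>" and "transform #" in msg:
            cur.transforms += 1
        elif tag == "->" and msg.startswith("send IKE packet"):
            sz = BYTES_RE.search(msg)
            cur.sent_bytes = int(sz.group(1)) if sz else 0
        elif tag == "->" and msg.startswith("resend"):
            cur.resends += 1
        elif tag == "<-" and msg.startswith("recv IKE packet"):
            cur.responses += 1
        elif "NO-PROPOSAL-CHOSEN" in msg:
            cur.no_proposal_chosen += 1
        elif msg.startswith("resend limit exceeded"):
            cur.resend_limit_hit = True
    return attempts


def summarize(text: str) -> list:
    """One human-readable line per Phase 1 attempt."""
    return [
        f"{a.started} {a.exchange} mode: {a.transforms} transform(s), {a.sent_bytes} bytes, "
        f"{a.resends} resend(s), {a.responses} reply(ies) -> {a.verdict()}"
        for a in parse_attempts(text)
    ]


if __name__ == "__main__":
    log_text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(summarize(log_text)))
```

Run it as `python iked_triage.py "C:\...\debug\iked.log"` (or with no argument to use the embedded sample). A 'no response' verdict points at reachability (is UDP/500 from the client reaching the new gateway's interface and policy at all?), while 'proposal rejected' means the gateway heard the client and turned down the Phase 1 parameters, so the encryption, hash, DH group, authentication method and lifetime configured on the SSG 320 have to be compared against what the client offers.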

