[vpn-help] Problems using shrew to connect to ns5gt

Thorsten Steffen t.steffen at gmx.de
Sun Feb 27 08:50:11 CST 2011


Hi guys,

I'm trying to connect to Juniper NS5GT (Hardware Version: 1010, Firmware
Version: 6.2.0r2.0 Firewall+VPN) with Shrew VPN Client 2.1.7 (running on Win7
64bit) without success.

I used http://www.shrew.net/support/wiki/HowtoJuniperSsg to configure both
sides.

Messages in shrew client window are

===

config loaded for site '222.61.123.22'

configuring client settings... 

attached to key daemon ...

peer configured

iskamp proposal configured

esp proposal configured

client configured

local id configured

remote id configured

pre-shared key configured

bringing up tunnel ...

user authentication error

tunnel disabled

detached from key daemon ...

===

Error Messages on juniper are

===

2011-02-27 15:27:29       info        IKE 62.143.130.124: XAuth login failed
for gateway vpnclient_gateway, username thorsten, retry: 0, timeout: 1.

2011-02-27 15:27:29       info        Rejected an IKE packet on ethernet3
from 62.143.130.124:4500 to 222.61.123.22:4500 with cookies e11944da1f039872
and b6cc949745492852 because A Phase 2 packet arrived while XAuth was still
pending.

2011-02-27 15:27:29       info        IKE 62.143.130.124 Phase 1: Completed
Aggressive mode negotiations with a 28800-second lifetime.

2011-02-27 15:27:29       info        IKE 62.143.130.124 Phase 1: Completed
for user client.jersa.de.

2011-02-27 15:27:29       info        IKE<62.143.130.124> Phase 1: IKE
responder has detected NAT in front of the remote device.

2011-02-27 15:27:29       info        IKE<62.143.130.124> Phase 1: IKE
responder has detected NAT in front of the local device.

2011-02-27 15:27:29       info        IKE 62.143.130.124 phase 1:The
symmetric crypto key has been generated successfully.

2011-02-27 15:27:29       info        IKE 62.143.130.124 Phase 1: Responder
starts AGGRESSIVE mode negotiations.

===

The pw for user thorsten is correct; I already tried to connect with a wrong
pw and got a different error message.

Shrew Configuration is

===

n:version:2

n:network-ike-port:500

n:network-mtu-size:1380

n:client-addr-auto:1

n:network-natt-port:4500

n:network-natt-rate:15

n:network-frag-size:540

n:network-dpd-enable:1

n:client-banner-enable:0

n:network-notify-enable:1

n:client-wins-used:0

n:client-wins-auto:1

n:client-dns-used:1

n:client-dns-auto:1

n:client-splitdns-used:0

n:client-splitdns-auto:0

n:phase1-dhgroup:2

n:phase1-life-secs:86400

n:phase1-life-kbytes:0

n:vendor-chkpt-enable:0

n:phase2-life-secs:3600

n:phase2-life-kbytes:0

n:policy-nailed:0

n:policy-list-auto:0

n:phase2-keylen:0

s:network-host:222.61.123.22

s:client-auto-mode:push

s:client-iface:direct

s:network-natt-mode:enable

s:network-frag-mode:enable

s:auth-method:mutual-psk-xauth

s:ident-client-type:fqdn

s:ident-server-type:fqdn

s:ident-client-data:client.jersa.de

s:ident-server-data:vpngw.jersa.de

b:auth-mutual-psk:dGVzdDJURVNU

s:phase1-exchange:aggressive

s:phase1-cipher:auto

s:phase1-hash:auto

s:phase2-transform:auto

s:phase2-hmac:auto

s:ipcomp-transform:disabled

n:phase2-pfsgroup:-1

s:policy-level:auto

s:policy-list-include:10.1.1.0 / 255.255.255.0

===

Shrew Debug log is

===

11/02/27 15:15:44 ii : ipc client process thread begin ...

11/02/27 15:15:44 <A : peer config add message

11/02/27 15:15:44 DB : peer added ( obj count = 1 )

11/02/27 15:15:44 ii : local address 10.0.0.100 selected for peer

11/02/27 15:15:44 DB : tunnel added ( obj count = 1 )

11/02/27 15:15:44 <A : proposal config message

11/02/27 15:15:44 <A : proposal config message

11/02/27 15:15:44 <A : client config message

11/02/27 15:15:44 <A : xauth username message

11/02/27 15:15:44 <A : xauth password message

11/02/27 15:15:44 <A : local id 'client.jersa.de' message

11/02/27 15:15:44 <A : remote id 'vpngw.jersa.de' message

11/02/27 15:15:44 <A : preshared key message

11/02/27 15:15:44 <A : remote resource message

11/02/27 15:15:44 <A : peer tunnel enable message

11/02/27 15:15:44 DB : new phase1 ( ISAKMP initiator )

11/02/27 15:15:44 DB : exchange type is aggressive

11/02/27 15:15:44 DB : 10.0.0.100:500 <-> 222.61.123.22:500

11/02/27 15:15:44 DB : e11944da1f039872:0000000000000000

11/02/27 15:15:44 DB : phase1 added ( obj count = 1 )

11/02/27 15:15:44 >> : security association payload

11/02/27 15:15:44 >> : - proposal #1 payload 

11/02/27 15:15:44 >> : -- transform #1 payload 

11/02/27 15:15:44 >> : -- transform #2 payload 

11/02/27 15:15:44 >> : -- transform #3 payload 

11/02/27 15:15:44 >> : -- transform #4 payload 

11/02/27 15:15:44 >> : -- transform #5 payload 

11/02/27 15:15:44 >> : -- transform #6 payload 

11/02/27 15:15:44 >> : -- transform #7 payload 

11/02/27 15:15:44 >> : -- transform #8 payload 

11/02/27 15:15:44 >> : -- transform #9 payload 

11/02/27 15:15:44 >> : -- transform #10 payload 

11/02/27 15:15:44 >> : -- transform #11 payload 

11/02/27 15:15:44 >> : -- transform #12 payload 

11/02/27 15:15:44 >> : -- transform #13 payload 

11/02/27 15:15:44 >> : -- transform #14 payload 

11/02/27 15:15:44 >> : -- transform #15 payload 

11/02/27 15:15:44 >> : -- transform #16 payload 

11/02/27 15:15:44 >> : -- transform #17 payload 

11/02/27 15:15:44 >> : -- transform #18 payload 

11/02/27 15:15:44 >> : key exchange payload

11/02/27 15:15:44 >> : nonce payload

11/02/27 15:15:44 >> : identification payload

11/02/27 15:15:44 >> : vendor id payload

11/02/27 15:15:44 ii : local supports XAUTH

11/02/27 15:15:44 >> : vendor id payload

11/02/27 15:15:44 ii : local supports nat-t ( draft v00 )

11/02/27 15:15:44 >> : vendor id payload

11/02/27 15:15:44 ii : local supports nat-t ( draft v01 )

11/02/27 15:15:44 >> : vendor id payload

11/02/27 15:15:44 ii : local supports nat-t ( draft v02 )

11/02/27 15:15:44 >> : vendor id payload

11/02/27 15:15:44 ii : local supports nat-t ( draft v03 )

11/02/27 15:15:44 >> : vendor id payload

11/02/27 15:15:44 ii : local supports nat-t ( rfc )

11/02/27 15:15:44 >> : vendor id payload

11/02/27 15:15:44 ii : local supports FRAGMENTATION

11/02/27 15:15:44 >> : vendor id payload

11/02/27 15:15:44 ii : local supports DPDv1

11/02/27 15:15:44 >> : vendor id payload

11/02/27 15:15:44 ii : local is SHREW SOFT compatible

11/02/27 15:15:44 >> : vendor id payload

11/02/27 15:15:44 ii : local is NETSCREEN compatible

11/02/27 15:15:44 >> : vendor id payload

11/02/27 15:15:44 ii : local is SIDEWINDER compatible

11/02/27 15:15:44 >> : vendor id payload

11/02/27 15:15:44 ii : local is CISCO UNITY compatible

11/02/27 15:15:44 >= : cookies e11944da1f039872:0000000000000000

11/02/27 15:15:44 >= : message 00000000

11/02/27 15:15:44 -> : send IKE packet 10.0.0.100:500 -> 222.61.123.22:500 (
1191 bytes )

11/02/27 15:15:44 DB : phase1 resend event scheduled ( ref count = 2 )

11/02/27 15:15:45 <- : recv IKE packet 222.61.123.22:500 -> 10.0.0.100:500 (
446 bytes )

11/02/27 15:15:45 DB : phase1 found

11/02/27 15:15:45 ii : processing phase1 packet ( 446 bytes )

11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852

11/02/27 15:15:45 =< : message 00000000

11/02/27 15:15:45 << : security association payload

11/02/27 15:15:45 << : - propsal #1 payload 

11/02/27 15:15:45 << : -- transform #1 payload 

11/02/27 15:15:45 ii : unmatched isakmp proposal/transform

11/02/27 15:15:45 ii : key length ( 128 != 256 )

11/02/27 15:15:45 ii : unmatched isakmp proposal/transform

11/02/27 15:15:45 ii : key length ( 128 != 256 )

11/02/27 15:15:45 ii : unmatched isakmp proposal/transform

11/02/27 15:15:45 ii : key length ( 128 != 192 )

11/02/27 15:15:45 ii : unmatched isakmp proposal/transform

11/02/27 15:15:45 ii : key length ( 128 != 192 )

11/02/27 15:15:45 !! : peer violates RFC, transform number mismatch ( 1 != 5
)

11/02/27 15:15:45 ii : matched isakmp proposal #1 transform #1

11/02/27 15:15:45 ii : - transform    = ike

11/02/27 15:15:45 ii : - cipher type  = aes

11/02/27 15:15:45 ii : - key length   = 128 bits

11/02/27 15:15:45 ii : - hash type    = md5

11/02/27 15:15:45 ii : - dh group     = modp-1024

11/02/27 15:15:45 ii : - auth type    = xauth-initiator-psk

11/02/27 15:15:45 ii : - life seconds = 86400

11/02/27 15:15:45 ii : - life kbytes  = 0

11/02/27 15:15:45 << : vendor id payload

11/02/27 15:15:45 ii : unknown vendor id ( 28 bytes )

11/02/27 15:15:45 0x : 71957fc3 620a4219 70709668 132e871a 332378fc 0000000b
00000614

11/02/27 15:15:45 << : vendor id payload

11/02/27 15:15:45 ii : peer supports XAUTH

11/02/27 15:15:45 << : vendor id payload

11/02/27 15:15:45 ii : peer supports DPDv1

11/02/27 15:15:45 << : vendor id payload

11/02/27 15:15:45 ii : peer supports HEARTBEAT-NOTIFY

11/02/27 15:15:45 << : key exchange payload

11/02/27 15:15:45 << : nonce payload

11/02/27 15:15:45 << : identification payload

11/02/27 15:15:45 ii : phase1 id match 

11/02/27 15:15:45 ii : received = fqdn vpngw.jersa.de

11/02/27 15:15:45 << : hash payload

11/02/27 15:15:45 << : vendor id payload

11/02/27 15:15:45 ii : peer supports nat-t ( draft v02 )

11/02/27 15:15:45 << : nat discovery payload

11/02/27 15:15:45 << : nat discovery payload

11/02/27 15:15:45 ii : nat discovery - local address is translated

11/02/27 15:15:45 ii : switching to src nat-t udp port 4500

11/02/27 15:15:45 ii : switching to dst nat-t udp port 4500

11/02/27 15:15:45 == : DH shared secret ( 128 bytes )

11/02/27 15:15:45 == : SETKEYID ( 16 bytes )

11/02/27 15:15:45 == : SETKEYID_d ( 16 bytes )

11/02/27 15:15:45 == : SETKEYID_a ( 16 bytes )

11/02/27 15:15:45 == : SETKEYID_e ( 16 bytes )

11/02/27 15:15:45 == : cipher key ( 16 bytes )

11/02/27 15:15:45 == : cipher iv ( 16 bytes )

11/02/27 15:15:45 == : phase1 hash_i ( computed ) ( 16 bytes )

11/02/27 15:15:45 >> : hash payload

11/02/27 15:15:45 >> : nat discovery payload

11/02/27 15:15:45 >> : nat discovery payload

11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852

11/02/27 15:15:45 >= : message 00000000

11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )

11/02/27 15:15:45 == : encrypt packet ( 88 bytes )

11/02/27 15:15:45 == : stored iv ( 16 bytes )

11/02/27 15:15:45 DB : phase1 resend event canceled ( ref count = 1 )

11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 ->
222.61.123.22:4500 ( 124 bytes )

11/02/27 15:15:45 == : phase1 hash_r ( computed ) ( 16 bytes )

11/02/27 15:15:45 == : phase1 hash_r ( received ) ( 16 bytes )

11/02/27 15:15:45 ii : phase1 sa established

11/02/27 15:15:45 ii : 222.61.123.22:4500 <-> 10.0.0.100:4500

11/02/27 15:15:45 ii : e11944da1f039872:b6cc949745492852

11/02/27 15:15:45 ii : sending peer INITIAL-CONTACT notification

11/02/27 15:15:45 ii : - 10.0.0.100:4500 -> 222.61.123.22:4500

11/02/27 15:15:45 ii : - isakmp spi = e11944da1f039872:b6cc949745492852

11/02/27 15:15:45 ii : - data size 0

11/02/27 15:15:45 >> : hash payload

11/02/27 15:15:45 >> : notification payload

11/02/27 15:15:45 == : new informational hash ( 16 bytes )

11/02/27 15:15:45 == : new informational iv ( 16 bytes )

11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852

11/02/27 15:15:45 >= : message a0c38ba0

11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )

11/02/27 15:15:45 == : encrypt packet ( 76 bytes )

11/02/27 15:15:45 == : stored iv ( 16 bytes )

11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 ->
222.61.123.22:4500 ( 108 bytes )

11/02/27 15:15:45 DB : phase2 not found

11/02/27 15:15:45 <- : recv NAT-T:IKE packet 222.61.123.22:4500 ->
10.0.0.100:4500 ( 76 bytes )

11/02/27 15:15:45 DB : phase1 found

11/02/27 15:15:45 ii : processing config packet ( 76 bytes )

11/02/27 15:15:45 DB : config not found

11/02/27 15:15:45 DB : config added ( obj count = 1 )

11/02/27 15:15:45 == : new config iv ( 16 bytes )

11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852

11/02/27 15:15:45 =< : message 55466abc

11/02/27 15:15:45 =< : decrypt iv ( 16 bytes )

11/02/27 15:15:45 == : decrypt packet ( 76 bytes )

11/02/27 15:15:45 <= : trimmed packet padding ( 8 bytes )

11/02/27 15:15:45 <= : stored iv ( 16 bytes )

11/02/27 15:15:45 << : hash payload

11/02/27 15:15:45 << : attribute payload

11/02/27 15:15:45 == : configure hash_i ( computed ) ( 16 bytes )

11/02/27 15:15:45 == : configure hash_c ( computed ) ( 16 bytes )

11/02/27 15:15:45 ii : configure hash verified

11/02/27 15:15:45 ii : - xauth authentication type

11/02/27 15:15:45 ii : - xauth username

11/02/27 15:15:45 ii : - xauth password

11/02/27 15:15:45 ii : received basic xauth request - 

11/02/27 15:15:45 ii : - standard xauth username

11/02/27 15:15:45 ii : - standard xauth password

11/02/27 15:15:45 ii : sending xauth response for thorsten

11/02/27 15:15:45 >> : hash payload

11/02/27 15:15:45 >> : attribute payload

11/02/27 15:15:45 == : new configure hash ( 16 bytes )

11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852

11/02/27 15:15:45 >= : message 55466abc

11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )

11/02/27 15:15:45 == : encrypt packet ( 84 bytes )

11/02/27 15:15:45 == : stored iv ( 16 bytes )

11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 ->
222.61.123.22:4500 ( 124 bytes )

11/02/27 15:15:45 DB : config resend event scheduled ( ref count = 2 )

11/02/27 15:15:45 <- : recv NAT-T:IKE packet 222.61.123.22:4500 ->
10.0.0.100:4500 ( 92 bytes )

11/02/27 15:15:45 DB : phase1 found

11/02/27 15:15:45 ii : processing config packet ( 92 bytes )

11/02/27 15:15:45 DB : config found

11/02/27 15:15:45 == : new config iv ( 16 bytes )

11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852

11/02/27 15:15:45 =< : message 577a08a9

11/02/27 15:15:45 =< : decrypt iv ( 16 bytes )

11/02/27 15:15:45 == : decrypt packet ( 92 bytes )

11/02/27 15:15:45 <= : trimmed packet padding ( 12 bytes )

11/02/27 15:15:45 <= : stored iv ( 16 bytes )

11/02/27 15:15:45 << : hash payload

11/02/27 15:15:45 << : attribute payload

11/02/27 15:15:45 == : configure hash_i ( computed ) ( 16 bytes )

11/02/27 15:15:45 == : configure hash_c ( computed ) ( 16 bytes )

11/02/27 15:15:45 ii : configure hash verified

11/02/27 15:15:45 ii : received config push request

11/02/27 15:15:45 ii : - IP4 Address

11/02/27 15:15:45 ii : - IP4 Netmask

11/02/27 15:15:45 ii : - IP4 DNS Server = 10.1.1.1

11/02/27 15:15:45 ii : building config attribute list

11/02/27 15:15:45 ii : - IP4 DNS Server

11/02/27 15:15:45 ii : sending config push acknowledge

11/02/27 15:15:45 >> : hash payload

11/02/27 15:15:45 >> : attribute payload

11/02/27 15:15:45 == : new configure hash ( 16 bytes )

11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852

11/02/27 15:15:45 >= : message 577a08a9

11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )

11/02/27 15:15:45 == : encrypt packet ( 60 bytes )

11/02/27 15:15:45 == : stored iv ( 16 bytes )

11/02/27 15:15:45 DB : config resend event canceled ( ref count = 1 )

11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 ->
222.61.123.22:4500 ( 92 bytes )

11/02/27 15:15:45 DB : config resend event scheduled ( ref count = 2 )

11/02/27 15:15:45 <- : recv NAT-T:IKE packet 222.61.123.22:4500 ->
10.0.0.100:4500 ( 76 bytes )

11/02/27 15:15:45 DB : phase1 found

11/02/27 15:15:45 ii : processing config packet ( 76 bytes )

11/02/27 15:15:45 DB : config found

11/02/27 15:15:45 == : new config iv ( 16 bytes )

11/02/27 15:15:45 =< : cookies e11944da1f039872:b6cc949745492852

11/02/27 15:15:45 =< : message 84591a7f

11/02/27 15:15:45 =< : decrypt iv ( 16 bytes )

11/02/27 15:15:45 == : decrypt packet ( 76 bytes )

11/02/27 15:15:45 <= : trimmed packet padding ( 16 bytes )

11/02/27 15:15:45 <= : stored iv ( 16 bytes )

11/02/27 15:15:45 << : hash payload

11/02/27 15:15:45 << : attribute payload

11/02/27 15:15:45 == : configure hash_i ( computed ) ( 16 bytes )

11/02/27 15:15:45 == : configure hash_c ( computed ) ( 16 bytes )

11/02/27 15:15:45 ii : configure hash verified

11/02/27 15:15:45 ii : received xauth result - 

11/02/27 15:15:45 !! : user thorsten authentication failed

11/02/27 15:15:45 DB : phase1 soft event canceled ( ref count = 3 )

11/02/27 15:15:45 DB : phase1 hard event canceled ( ref count = 2 )

11/02/27 15:15:45 DB : phase1 dead event canceled ( ref count = 1 )

11/02/27 15:15:45 ii : sending peer DELETE message

11/02/27 15:15:45 ii : - 10.0.0.100:4500 -> 222.61.123.22:4500

11/02/27 15:15:45 ii : - isakmp spi = e11944da1f039872:b6cc949745492852

11/02/27 15:15:45 ii : - data size 0

11/02/27 15:15:45 >> : hash payload

11/02/27 15:15:45 >> : delete payload

11/02/27 15:15:45 == : new informational hash ( 16 bytes )

11/02/27 15:15:45 == : new informational iv ( 16 bytes )

11/02/27 15:15:45 >= : cookies e11944da1f039872:b6cc949745492852

11/02/27 15:15:45 >= : message a29a73fe

11/02/27 15:15:45 >= : encrypt iv ( 16 bytes )

11/02/27 15:15:45 == : encrypt packet ( 76 bytes )

11/02/27 15:15:45 == : stored iv ( 16 bytes )

11/02/27 15:15:45 -> : send NAT-T:IKE packet 10.0.0.100:4500 ->
222.61.123.22:4500 ( 108 bytes )

11/02/27 15:15:45 DB : config resend event canceled ( ref count = 1 )

11/02/27 15:15:45 DB : config deleted ( obj count = 0 )

11/02/27 15:15:45 ii : phase1 removal before expire time

11/02/27 15:15:45 DB : phase1 deleted ( obj count = 0 )

11/02/27 15:15:45 DB : policy not found

11/02/27 15:15:45 DB : policy not found

11/02/27 15:15:45 DB : policy not found

11/02/27 15:15:45 DB : policy not found

11/02/27 15:15:45 DB : policy not found

11/02/27 15:15:45 DB : policy not found

11/02/27 15:15:45 DB : tunnel dpd event canceled ( ref count = 3 )

11/02/27 15:15:45 DB : tunnel natt event canceled ( ref count = 2 )

11/02/27 15:15:45 DB : tunnel stats event canceled ( ref count = 1 )

11/02/27 15:15:45 DB : removing tunnel config references

11/02/27 15:15:45 DB : removing tunnel phase2 references

11/02/27 15:15:45 DB : removing tunnel phase1 references

11/02/27 15:15:45 DB : tunnel deleted ( obj count = 0 )

11/02/27 15:15:45 DB : removing all peer tunnel refrences

11/02/27 15:15:45 DB : peer deleted ( obj count = 0 )

11/02/27 15:15:45 ii : ipc client process thread exit ...

===

I think "user thorsten authentication failed" is the relevant message.

Juniper Debug log (debug ike detail) is

===

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 1191, action 1

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 1163 bytes
from socket.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if
<ethernet3> of vsys <Root> ******

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 1163 bytes. src
port 500

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ISAKMP msg: len 1163, nxp
1[SA], exch 4[AG], flag 00 

## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv : [SA] [KE] [NONCE] [ID]
[VID] [VID] [VID] [VID] [VID] 

## 2011-02-27 15:34:06 : [VID] [VID] [VID] [VID] [VID] [VID] [VID] 

## 2011-02-27 15:34:06 : valid id checking, id type:FQDN, len:23.

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >     Validate (1135): SA/716
KE/132 NONCE/24 ID/23 VID/12 VID/20 VID/20 VID/20 VID/20 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Receive Id in AG mode,
id-type=2, id=client.jersa.de, idlen = 15

## 2011-02-27 15:34:06 :   locate peer entry for (2/client.jersa.de), by
identity.

## 2011-02-27 15:34:06 :   Found identity<client.jersa.de> in group <1> user
id <1>.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Found peer entry
(vpnclient_gateway) from 62.143.130.124.

## 2011-02-27 15:34:06 : responder create sa: 62.143.130.124->222.61.123.22

## 2011-02-27 15:34:06 : init p1sa, pidt = 0x0

## 2011-02-27 15:34:06 : change peer identity for p1 sa, pidt = 0x0

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >
peer_identity_create_with_uid: uid<0>

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   create peer identity
0x622a4c0

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   peer_identity_add_to_peer:
num entry before add <1>

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   peer_identity_add_to_peer:
num entry after add <2>

## 2011-02-27 15:34:06 : peer identity 622a4c0 created.

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   EDIPI disabled

## 2011-02-27 15:34:06 : IKE<62.143.130.124> getProfileFromP1Proposal->

## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[0]=<00000005
00000002 00000001 00000002> for p1 proposal (id 5), xauth(1)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[1]=<00000005
00000001 00000001 00000002> for p1 proposal (id 4), xauth(1)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[2]=<00000007
00000002 00000001 00000002> for p1 proposal (id 7), xauth(1)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> find profile[3]=<00000007
00000001 00000001 00000002> for p1 proposal (id 6), xauth(1)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> responder create sa:
62.143.130.124->222.61.123.22

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1: Responder starts
AGGRESSIVE mode negotiations.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> AG in state OAK_AG_NOSTATE.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124 >   Vendor ID:

## 2011-02-27 15:34:06 : 09 00 26 89 df d6 b7 12 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv XAUTH v6.0 vid

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124 >   Vendor ID:

## 2011-02-27 15:34:06 : 44 85 15 2d 18 b6 bb cd  0b e8 a8 46 95 79 dd cc

## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv NAT-Traversal VID payload
(draft-ietf-ipsec-nat-t-ike-00).

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124 >   Vendor ID:

## 2011-02-27 15:34:06 : 16 f6 ca 16 e4 a4 06 6d  83 82 1a 0f 0a ea a8 62

## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID
payload.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124 >   Vendor ID:

## 2011-02-27 15:34:06 : 90 cb 80 91 3e bb 69 6e  08 63 81 b5 ec 42 7b 1f

## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv NAT-Traversal VID payload
(draft-ietf-ipsec-nat-t-ike-02).

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124 >   Vendor ID:

## 2011-02-27 15:34:06 : 7d 94 19 a6 53 10 ca 6f  2c 17 9d 92 15 52 9d 56

## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID
payload.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124 >   Vendor ID:

## 2011-02-27 15:34:06 : 4a 13 1c 81 07 03 58 45  5c 57 28 f2 0e 95 45 2f

## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID
payload.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124 >   Vendor ID:

## 2011-02-27 15:34:06 : 40 48 b7 d5 6e bc e8 85  25 e7 de 7f 00 d6 c2 d3

## 2011-02-27 15:34:06 : 80 00 00 00 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> receive unknown vendor ID
payload

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124 >   Vendor ID:

## 2011-02-27 15:34:06 : af ca d7 13 68 a1 f1 c9  6b 86 96 fc 77 57 01 00

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124 >   Vendor ID:

## 2011-02-27 15:34:06 : f1 4b 94 b7 bf f1 fe f0  27 73 b8 c4 9f ed ed 26

## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID
payload.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124 >   Vendor ID:

## 2011-02-27 15:34:06 : 16 6f 93 2d 55 eb 64 d8  e4 df 4f d3 7e 23 13 f0

## 2011-02-27 15:34:06 : d0 fd 84 51 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> receive unknown vendor ID
payload

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124 >   Vendor ID:

## 2011-02-27 15:34:06 : 84 04 ad f9 cd a0 57 60  b2 ca 29 2e 4b ff 53 7b

## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID
payload.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [VID]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124 >   Vendor ID:

## 2011-02-27 15:34:06 : 12 f5 f2 8c 45 71 68 a9  70 2d 9f e2 74 cc 01 00

## 2011-02-27 15:34:06 : IKE<62.143.130.124> rcv non-NAT-Traversal VID
payload.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [SA]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(1)<MD5>, group(2), keylen(256)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>,
encr(5)<3DES>, hash(2)<SHA>, group(2)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>,
encr(5)<3DES>, hash(1)<MD5>, group(2)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(2)<SHA>, group(2), keylen(128)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(1)<MD5>, group(2), keylen(128)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(2)<SHA>, group(2), keylen(256)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>,
encr(5)<3DES>, hash(2)<SHA>, group(2)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>,
encr(5)<3DES>, hash(1)<MD5>, group(2)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(2)<SHA>, group(2), keylen(128)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(1)<MD5>, group(2), keylen(128)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(1)<MD5>, group(2), keylen(192)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>,
encr(5)<3DES>, hash(2)<SHA>, group(2)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>,
encr(5)<3DES>, hash(1)<MD5>, group(2)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(2)<SHA>, group(2), keylen(128)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(1)<MD5>, group(2), keylen(128)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(2)<SHA>, group(2), keylen(192)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>,
encr(5)<3DES>, hash(2)<SHA>, group(2)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>,
encr(5)<3DES>, hash(1)<MD5>, group(2)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(2)<SHA>, group(2), keylen(128)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [3] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(1)<MD5>, group(2), keylen(128)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Proposal received: xauthflag 1 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(1)<MD5>, group(2), keylen(128)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: initiator

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [0] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>,
encr(5)<3DES>, hash(2)<SHA>, group(2)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [1] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>,
encr(5)<3DES>, hash(1)<MD5>, group(2)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> [2] expect: xauthflag 3 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(2)<SHA>, group(2), keylen(128)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: responder

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1 proposal [3] selected.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> SA Life Type = seconds

## 2011-02-27 15:34:06 : IKE<62.143.130.124> SA lifetime (TLV) = 86400

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >     dh group 2

## 2011-02-27 15:34:06 : IKE<62.143.130.124> DH_BG_consume OK. p1 resp

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [KE]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing ISA_KE in phase 1.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [NONCE]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing NONCE in phase 1.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [ID]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID received: type=ID_FQDN, FQDN
= client.jersa.de, port=0, protocol=0

## 2011-02-27 15:34:06 : IKE<62.143.130.124> process_id need to update peer
entry, cur <vpnclient_gateway>.

## 2011-02-27 15:34:06 :   locate peer entry for (2/client.jersa.de), by
identity.

## 2011-02-27 15:34:06 :   Found identity<client.jersa.de> in group <1> user
id <1>.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Dynamic peer IP addr, search
peer by identity.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> peer gateway entry has no peer
id configured

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID processed. return 0.
sa->p1_state = 0.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1 AG Responder
constructing 2nd message.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload
#1)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [SA] for ISAKMP

## 2011-02-27 15:34:06 : IKE<62.143.130.124> auth(1)<PRESHRD>, encr(7)<AES>,
hash(1)<MD5>, group(2), keylen(128)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth attribute: disabled

## 2011-02-27 15:34:06 : IKE<62.143.130.124> lifetime/lifesize (86400/0)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct NetScreen [VID]

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct custom [VID]

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct custom [VID]

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct custom [VID]

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [KE] for ISAKMP

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [NONCE]

## 2011-02-27 15:34:06 : IKE<62.143.130.124> gen_skeyid()

## 2011-02-27 15:34:06 : IKE<62.143.130.124> gen_skeyid: returning 0

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [ID] for ISAKMP

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Use vpngw.jersa.de as IKE p1
ID.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH]

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Use vpngw.jersa.de as IKE p1
ID.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID, len=18, type=2, pro=17,
port=500,

## 2011-02-27 15:34:06 : IKE<62.143.130.124> 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct NAT-T [VID]: draft 2

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder psk ag mode: natt vid
constructed.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> responder (psk) constructing
remote NAT-D

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [NATD]

## 2011-02-27 15:34:06 : IKE<62.143.130.124> responder (psk) constructing
local NAT-D

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [NATD]

## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit : [SA] [VID] [VID] [VID]
[VID] [KE] [NONCE] [ID] [HASH] 

## 2011-02-27 15:34:06 : [VID] [NATD] [NATD] 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP
62.143.130.124/port 500

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 1 packet (len=446)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE
state<5/91180f>

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   from FLOAT port.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 124, action 0

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   from FLOAT port.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 108, action 0

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 96 bytes from
socket.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if
<ethernet3> of vsys <Root> ******

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 96 bytes. src port
4500

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ISAKMP msg: len 92, nxp
8[HASH], exch 4[AG], flag 01  E 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 64)

## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [NATD] [NATD] 

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   extract payload (64): 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> AG in state OAK_AG_INIT_EXCH.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [NATD]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [NATD]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [HASH]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ID, len=19, type=2, pro=0,
port=0,

## 2011-02-27 15:34:06 : IKE<62.143.130.124> 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> completing Phase 1

## 2011-02-27 15:34:06 : IKE<62.143.130.124> sa_pidt = 622a4c0

## 2011-02-27 15:34:06 : IKE<62.143.130.124> adjusting phase 1 hash

## 2011-02-27 15:34:06 : IKE<62.143.130.124> found existing peer identity 0

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1: Completed for ip
<62.143.130.124>, user<client.jersa.de>

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Phase 1: Completed Aggressive
mode negotiation with a <28800>-second lifetime.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth is started: server,
p1responder, aggr mode.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> start_xauth()

## 2011-02-27 15:34:06 : IKE<62.143.130.124> start_xauth(): as:0 ac:-1
enable:1 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server:
accounting server id 0 (use auth server as acct server).

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server:
xauthstatus 20.

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ikecfg list add attr type
16520, val 0 added, len 0.

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ikecfg list add attr type
16521, val empty string, type <16521> added, len 0.

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ikecfg list add attr type
16522, val empty string, type <16522> added, len 0.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry...

## 2011-02-27 15:34:06 : IKE<62.143.130.124>   ...done(new 22199719)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload
#8)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH]

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   print ikecfg attribute
payload:

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   next: 0, payloadlength 20,
type 1, identifier 61307.

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   basic attr type 16520,
valint 0

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   variable attr type 16521,
vallen 0, valstr empty string, type <16521>

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   variable attr type 16522,
vallen 0, valstr empty string, type <16522>

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   

## 2011-02-27 15:34:06 : IKE<62.143.130.124> construct QM HASH

## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit*: [HASH] [IKECFG] 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Encrypt P2 payload (len 68)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP
62.143.130.124/port 4500

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 2 packet (len=76)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg packet sent. msgid
22199719, len: 68, peer<62.143.130.124>

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state
machine: 20

## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE
state<6/1097182f>

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 80 bytes from
socket.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if
<ethernet3> of vsys <Root> ******

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 80 bytes. src port
4500

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ISAKMP msg: len 76, nxp
8[HASH], exch 5[INFO], flag 01  E 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry...

## 2011-02-27 15:34:06 : IKE<62.143.130.124>   ...done(new b90d3f73)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 48)

## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [NOTIF] 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Need to pass XAUTH first.
Silently Discard packet.

## 2011-02-27 15:34:06 : IKE<62.143.130.124>   Delete conn entry...

## 2011-02-27 15:34:06 : IKE<62.143.130.124>  ...found conn entry(b90d3f73)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE
state<6/1097182f>

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   from FLOAT port.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 124, action 0

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 96 bytes from
socket.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if
<ethernet3> of vsys <Root> ******

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 96 bytes. src port
4500

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ISAKMP msg: len 92, nxp
8[HASH], exch 6[XACT_EXCH], flag 01  E 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 64)

## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [IKECFG] 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [IKECFG]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing IKECFG payload.
msgid 22199719, msgtype 2, payload ID 61307

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   print ikecfg attribute
payload:

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   next: 0, payloadlength 36,
type 2, identifier 61307.

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   basic attr type 16520,
valint 0

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   variable attr type 16521,
vallen 8, valstr thorste             

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   variable attr type 16522,
vallen 8, valstr thorste             

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ikecfg list add attr type
16520, val 0 added, len 0.

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ikecfg list add attr type
16521, val thorste added, len 8.

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ikecfg list add attr type
16522, val thorste added, len 8.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server got type: 16520
v<0>

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server got var type:
16521

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server got var type:
16522

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server entering state
machine: 20

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server:
accounting server id 0 (use auth server as acct server).

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server:
xauthstatus 20.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_auth_pap: authing
locally: uname thorsten, passwd ***         SUCCESS

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Get config for client(local
auth)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_assign_client_cfg():
Sa->ip_addr = 0x0 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> getting xauth local user
<thorsten> remote setting

## 2011-02-27 15:34:06 : IKE<62.143.130.124> getting xauth local user IP
from pool <vpnclient>

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Don't do xauth RADIUS
accounting. Send cfg to client directly.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_send_client_cfg: ip
10.1.2.1, v4mask 255.255.255.255 dns1 10.1.1.1, dns2 0.0.0.0, win1 0.0.0.0,
win2 0.0.0.0

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_send_client_cfg v6: id
::, prefix ::/0

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg_send_client_cfg v6: dns1
::, dns2 ::, win1 ::, win2 ::

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ikecfg list add attr type 1,
val 10.1.2.1 added, len 4.

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ikecfg list add attr type 2,
val 255.255.255.255 added, len 4.

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ikecfg list add attr type 3,
val 10.1.1.1 added, len 4.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry...

## 2011-02-27 15:34:06 : IKE<62.143.130.124>   ...done(new 85594f12)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload
#8)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH]

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   print ikecfg attribute
payload:

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   next: 0, payloadlength 32,
type 3, identifier 61307.

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   variable attr type 1, vallen
4, valstr 10.1.2.1            

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   variable attr type 2, vallen
4, valstr 255.255.255.255     

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   variable attr type 3, vallen
4, valstr 10.1.1.1            

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   

## 2011-02-27 15:34:06 : IKE<62.143.130.124> construct QM HASH

## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit*: [HASH] [IKECFG] 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Encrypt P2 payload (len 80)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP
62.143.130.124/port 4500

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 2 packet (len=92)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg packet sent. msgid
85594f12, len: 80, peer<62.143.130.124>

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state
machine: 90

## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE
state<6/1097182f>

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   from FLOAT port.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 92, action 0

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 64 bytes from
socket.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if
<ethernet3> of vsys <Root> ******

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 64 bytes. src port
4500

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ISAKMP msg: len 60, nxp
8[HASH], exch 6[XACT_EXCH], flag 01  E 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 32)

## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [IKECFG] 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [IKECFG]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124> processing IKECFG payload.
msgid 85594f12, msgtype 4, payload ID 61307

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   print ikecfg attribute
payload:

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   next: 0, payloadlength 12,
type 4, identifier 61307.

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   variable attr type 3, vallen
0, valstr 64.137.0.8          

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ikecfg list add attr type 3,
val 0.0.0.0 added, len 0.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth server entering state
machine: 90

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server:
accounting server id 0 (use auth server as acct server).

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_process_server:
xauthstatus 90.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth status updated by state
machine: -1

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ikecfg list add attr type
16527, val 0 added, len 0.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry...

## 2011-02-27 15:34:06 : IKE<62.143.130.124>   ...done(new e5ce2681)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct ISAKMP header.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Msg header built (next payload
#8)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Construct [HASH]

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   print ikecfg attribute
payload:

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   next: 0, payloadlength 12,
type 3, identifier 61307.

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   basic attr type 16527,
valint 0

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   

## 2011-02-27 15:34:06 : IKE<62.143.130.124> construct QM HASH

## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Xmit*: [HASH] [IKECFG] 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Encrypt P2 payload (len 60)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Responder sending IPv4 IP
62.143.130.124/port 4500

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Send Phase 2 packet (len=76)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ikecfg packet sent. msgid
e5ce2681, len: 60, peer<62.143.130.124>

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_failed()

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth login FAILED. gw
<vpnclient_gateway>, username <thorsten>, retry: 0, timeout: 1

## 2011-02-27 15:34:06 : IKE<62.143.130.124> xauth_cleanup()

## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE Xauth: release prefix
route, ret=<-2>.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> XAUTH-failed: clear p2sa for
p1sa(0x22b2268).

## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE
state<6/1097182f>

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   from FLOAT port.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ike packet, len 108, action 0

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: received 80 bytes from
socket.

## 2011-02-27 15:34:06 : IKE<62.143.130.124> ****** Recv packet if
<ethernet3> of vsys <Root> ******

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Catcher: get 80 bytes. src port
4500

## 2011-02-27 15:34:06 : IKE<0.0.0.0        >   ISAKMP msg: len 76, nxp
8[HASH], exch 5[INFO], flag 01  E 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Create conn entry...

## 2011-02-27 15:34:06 : IKE<62.143.130.124>   ...done(new 96990a95)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Decrypting payload (length 48)

## 2011-02-27 15:34:06 : IKE<62.143.130.124 > Recv*: [HASH] [DELETE] 

## 2011-02-27 15:34:06 : IKE<62.143.130.124> Process [DELETE]:

## 2011-02-27 15:34:06 : IKE<62.143.130.124> DELETE payload received,
deleting Phase-1 SA

## 2011-02-27 15:34:06 : IKE<62.143.130.124>   Delete conn entry...

## 2011-02-27 15:34:06 : IKE<62.143.130.124>  ...found conn entry(96990a95)

## 2011-02-27 15:34:06 : IKE<62.143.130.124> IKE msg done: PKI state<0> IKE
state<6/1097182f>

## 2011-02-27 15:34:07 : IKE<0.0.0.0        >     dh group 2

## 2011-02-27 15:34:08 : reap_db. deleting p1sa 22b2268

## 2011-02-27 15:34:08 : terminate_SA: trying to delete SA cause: 0 cond: 2

## 2011-02-27 15:34:08 : IKE<62.143.130.124>   Delete conn entry...

## 2011-02-27 15:34:08 : IKE<62.143.130.124>  ...found conn entry(e5ce2681)

## 2011-02-27 15:34:08 : IKE<62.143.130.124>   Delete conn entry...

## 2011-02-27 15:34:08 : IKE<62.143.130.124>  ...found conn entry(85594f12)

## 2011-02-27 15:34:08 : IKE<62.143.130.124>   Delete conn entry...

## 2011-02-27 15:34:08 : IKE<62.143.130.124>  ...found conn entry(22199719)

## 2011-02-27 15:34:08 : IKE<62.143.130.124> xauth_cleanup()

## 2011-02-27 15:34:08 : IKE<62.143.130.124> Done cleaning up IKE Phase 1 SA

## 2011-02-27 15:34:08 : peer_identity_unregister_p1_sa.

## 2011-02-27 15:34:08 : IKE<0.0.0.0        >   delete peer identity
0x622a4c0

## 2011-02-27 15:34:08 : IKE<0.0.0.0        >
peer_identity_remove_from_peer: num entry before remove <2>

## 2011-02-27 15:34:08 : peer_idt.c peer_identity_unregister_p1_sa 682: pidt
deleted.

===


I think "xauth login FAILED. gw <vpnclient_gateway>, username <thorsten>,
retry: 0, timeout: 1" is the relevant message.


Timestamps don't match because I took the debugs at different points in
time.


Configuration of Juniper is

===

unset key protection enable

set clock ntp

set clock timezone 1

set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00

set vrouter trust-vr sharable

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

unset auto-route-export

exit

set service "Videoserver TCP 9999" protocol tcp src-port 0-65535 dst-port
9999-9999 

set service "pcanywhere" protocol tcp src-port 0-65535 dst-port 5631-5631 

set service "pcanywhere" + udp src-port 0-65535 dst-port 5632-5632 

set service "POP3s" protocol tcp src-port 0-65535 dst-port 995-995 

set service "SMTPs" protocol tcp src-port 0-65535 dst-port 465-465 

set alg appleichat enable

unset alg appleichat re-assembly enable

unset alg p2p enable

set alg sctp enable

set auth-server "Local" id 0

set auth-server "Local" server-name "Local"

set auth default auth server "Local"

set auth radius accounting port 1646

set zone "Trust" vrouter "trust-vr"

set zone "Untrust" vrouter "untrust-vr"

set zone "DMZ" vrouter "trust-vr"

set zone "VLAN" vrouter "trust-vr"

set zone id 100 "vpn"

set zone "Untrust-Tun" vrouter "trust-vr"

set zone "Trust" tcp-rst 

set zone "Untrust" block 

unset zone "Untrust" tcp-rst 

set zone "MGT" block 

set zone "DMZ" tcp-rst 

unset zone "V1-Trust" tcp-rst 

unset zone "V1-Untrust" tcp-rst 

unset zone "VLAN" tcp-rst 

unset zone "vpn" tcp-rst 

set zone "Untrust" screen tear-drop

set zone "Untrust" screen syn-flood

set zone "Untrust" screen ping-death

set zone "Untrust" screen ip-filter-src

set zone "Untrust" screen land

set zone "V1-Untrust" screen tear-drop

set zone "V1-Untrust" screen syn-flood

set zone "V1-Untrust" screen ping-death

set zone "V1-Untrust" screen ip-filter-src

set zone "V1-Untrust" screen land

set interface "ethernet1" zone "Trust"

set interface "ethernet2" zone "DMZ"

set interface "ethernet3" zone "Untrust"

set interface ethernet1 ip 10.1.1.1/24

set interface ethernet1 nat

set interface ethernet2 ip 10.99.99.1/24

set interface ethernet2 nat

set interface ethernet3 ip 222.61.123.22/30

set interface ethernet3 route

unset interface vlan1 ip

set interface ethernet1 proxy dns

unset interface vlan1 bypass-others-ipsec

unset interface vlan1 bypass-non-ip

set interface ethernet1 ip manageable

unset interface ethernet2 ip manageable

set interface ethernet3 ip manageable

unset interface ethernet1 manage telnet

unset interface ethernet1 manage snmp

set interface ethernet3 manage ssh

set interface ethernet3 manage ssl

set interface ethernet3 vip interface-ip 9999 "HTTP" 10.99.99.99

unset interface ethernet1 dhcp server config next-server-ip

unset interface ethernet1 dhcp server config updatable

set flow tcp-mss

unset flow no-tcp-seq-check

set flow tcp-syn-check

unset flow tcp-syn-bit-check

set flow reverse-route clear-text prefer

set flow reverse-route tunnel always

set console page 0

set hostname nsjs

set dbuf usb filesize 0

set pki authority default scep mode "auto"

set pki x509 default cert-path partial

set dns host dns3 0.0.0.0

set dns host name ns-5gt-205 10.1.1.1 

set dns proxy

set dns proxy enable

set dns server-select domain * outgoing-interface ethernet3 primary-server
212.202.215.1 secondary-server 212.202.215.2 tertiary-server 194.8.194.60

set address "Trust" "10.1.1.0/24" 10.1.1.0 255.255.255.0

set address "DMZ" "10.255.255.0/24" 10.255.255.0 255.255.255.0

set address "DMZ" "10.99.99.0/24" 10.99.99.0 255.255.255.0

set ippool "vpnclient" 10.1.2.1 10.1.2.10

set user "thorsten" uid 2

set user "thorsten" type xauth

set user "thorsten" remote ippool "vpnclient"

set user "thorsten" password "***"

unset user "thorsten" type auth

set user "thorsten" "enable"

set user "vpnclient_ph1id" uid 1

set user "vpnclient_ph1id" ike-id fqdn "client.jersa.de" share-limit 2

set user "vpnclient_ph1id" type ike

set user "vpnclient_ph1id" "enable"

set user-group "vpnclient_group" id 1

set user-group "vpnclient_group" user "vpnclient_ph1id"

set crypto-policy

exit

set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Aggr local-id
"vpngw.jersa.de" outgoing-interface "ethernet3" preshare "***" proposal
"pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"

set ike gateway "vpnclient_gateway" dpd-liveness interval 30

unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum

set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 20

set ike gateway "vpnclient_gateway" xauth server "Local"

unset ike gateway "vpnclient_gateway" xauth do-edipi-auth

set ike respond-bad-spi 1

set ike ikev2 ike-sa-soft-lifetime 60

unset ike ikeid-enumeration

unset ike dos-protection

unset ipsec access-session enable

set ipsec access-session maximum 5000

set ipsec access-session upper-threshold 0

set ipsec access-session lower-threshold 0

set ipsec access-session dead-p2-sa-timeout 0

unset ipsec access-session log-error

unset ipsec access-session info-exch-connected

unset ipsec access-session use-error-log

set xauth default ippool "vpnclient"

set xauth default dns1 10.1.1.1

set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" replay tunnel
idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"
"nopfs-esp-aes128-sha"  "nopfs-esp-aes128-md5" 

set vpn "vpnclient_tunnel" monitor

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

exit

set url protocol websense

exit

set policy id 11 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log 

set policy id 11 disable

set policy id 11

exit

set policy id 1 from "Trust" to "Untrust"  "10.1.1.0/24" "Any" "DNS" permit
log 

set policy id 1

set service "FTP"

set service "HTTP"

set service "HTTPS"

set service "NTP"

set service "pcanywhere"

set service "PING"

set service "POP3"

set service "POP3s"

set service "SMTP"

set service "SMTPs"

set service "TRACEROUTE"

set service "Videoserver TCP 9999"

exit

set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "UDP-ANY" deny log 

set policy id 4

exit

set policy id 12 from "Untrust" to "DMZ"  "Any" "Any" "ANY" permit log 

set policy id 12 disable

set policy id 12

exit

set policy id 2 from "Untrust" to "DMZ"  "Any" "VIP(ethernet3)" "HTTP"
permit log 

set policy id 2

set service "HTTPS"

set service "Videoserver TCP 9999"

exit

set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny log 

set policy id 3

exit

set policy id 5 from "Untrust" to "DMZ"  "Any" "Any" "ANY" deny log 

set policy id 5

exit

set policy id 6 from "Trust" to "DMZ"  "10.1.1.0/24" "10.99.99.0/24" "HTTP"
permit log 

set policy id 6

set service "HTTPS"

set service "PING"

exit

set policy id 7 from "Trust" to "DMZ"  "Any" "Any" "ANY" deny log 

set policy id 7

exit

set policy id 16 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log 

set policy id 16 disable

set policy id 16

exit

set policy id 15 name "vpnclient_inbound" from "Untrust" to "Trust"
"Dial-Up VPN" "10.1.1.0/24" "ANY" tunnel vpn "vpnclient_tunnel" id 0x2 log 

set policy id 15

exit

set policy id 8 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny log 

set policy id 8

exit

set policy id 13 from "DMZ" to "Trust"  "Any" "Any" "ANY" permit log 

set policy id 13 disable

set policy id 13

exit

set policy id 9 from "DMZ" to "Trust"  "Any" "Any" "ANY" deny log 

set policy id 9

exit

set policy id 14 from "DMZ" to "Untrust"  "Any" "Any" "ANY" permit log 

set policy id 14 disable

set policy id 14

exit

set policy id 10 from "DMZ" to "Untrust"  "Any" "Any" "ANY" deny log 

set policy id 10

exit

set log cli enable

set nsmgmt bulkcli reboot-timeout 60

set ssh version v2

set ssh enable

set config lock timeout 5

unset license-key auto-update

set ssl port 23143

set ntp server "192.53.103.103"

set ntp server backup1 "192.53.103.104"

set ntp server backup2 "192.53.103.108"

set ntp interval 1440

set modem speed 115200

set modem retry 3

set modem interval 10

set modem idle-time 10

set snmp port listen 161

set snmp port trap 162

set vrouter "untrust-vr"

set route 0.0.0.0/0 interface ethernet3 gateway *** permanent

set route 10.1.1.0/24 vrouter "trust-vr" preference 20 metric 1

set route 10.99.99.0/24 vrouter "trust-vr" preference 20 metric 1

exit

set vrouter "trust-vr"

unset add-default-route

set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1

exit

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

exit

===


Does anybody have an idea what's going wrong?


Many thanks in advance

Thorsten

