[vpn-help] Cannot get dhcp over ipsec working with 2.1.7

Nicola Bressan nicola.bressan at smc.it
Tue Jun 14 03:29:23 CDT 2011


Hi all,

I'm trying to configure DHCP over IPsec with the Shrew Soft VPN Client and my
firewall (Arkoon).

I've set up the Arkoon FW correctly: when I connect with a fixed IP assigned, the
VPN connection works fine, but when I flag DHCP over IPsec in the Shrew client I get
this log on the FW:


Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
received Vendor ID payload [RFC 3947] method set to=110

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
ignoring Vendor ID payload [FRAGMENTATION 80000000]

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
received Vendor ID payload [Dead Peer Detection]

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
ignoring unknown Vendor ID payload
[166f932d55eb64d8e4df4fd37e2313f0d0fd8451]

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
ignoring Vendor ID payload [Cisco-Unity]

Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21:
responding to Main Mode from unknown peer 94.XX.YY.84

Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21:
STATE_MAIN_R1: sent MR1, expecting MI2

Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed

Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21:
STATE_MAIN_R2: sent MR2, expecting MI3

Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: Main
mode peer ID is ID_DER_ASN1_DN:
'E=********@****.it,CN=******,OU=***,O=********,L=*************,C=IT'

Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.8484 #21:
Issuer CA certificate is trusted: 'CN=Fast360
CA,OU=CED,O=******.,L=*******,C=IT'

Jun 14 10:01:15 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: Issuer
CA certificate is trusted: 'CN= Fast360 CA,OU=CED,O=******.,L=*******,C=IT'

Jun 14 10:01:15 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21:
switched from "conn_13" to "conn_11"

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: I am
sending my cert

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: NAT-T:
new port 1655/1705

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=aes_256 prf=oakley_sha group=modp1024}

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: Dead
Peer Detection (RFC 3706): enabled

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21:
ignoring informational payload, type IPSEC_INITIAL_CONTACT

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21:
received and ignored informational message

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: cannot
respond to IPsec SA request because no connection is known for
82.XX.YY.143[CN= Fast360 CA,OU=CED,O=******.,L=*******,C=IT]:17/67...
94.XX.YY.84
[E=********@****.it,CN=******,OU=***,O=********,L=*************,C=IT]:17/67=
==10.X.Y.15/32

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: sending
encrypted notification INVALID_ID_INFORMATION to 94.XX.YY.84:1705

Jun 14 10:01:20 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: Quick
Mode I1 message is unacceptable because it uses a previously used Message ID
0x698f4631 (perhaps this is a duplicated packet)

Jun 14 10:01:20 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: sending
encrypted notification INVALID_MESSAGE_ID to 94.XX.YY.84:1705

Jun 14 10:01:23 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21:
received Delete SA payload: deleting ISAKMP State #21

Jun 14 10:01:23 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84: deleting
connection "conn_11" instance with peer 94.XX.YY.84 {isakmp=#0/ipsec=#0}


The same config with a fixed IP works OK.

The VPN is defined with two ends: one is the remote LAN, the other is the
user/object with a defined cert and virtual IP addressing.


Any hint on how to debug better?

Thanks,

Nicola


Bressan Nicola | System & Security Engineer 


Via Roma, 4 int. 18 - 31020 Villorba (TV) - Italy 


Tel: +39.0422.9125 | E-Mail: nicola.bressan at smc.it 
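As an added troubleshooting aid (editor's example, not part of the post above or of the Shrew or Arkoon software): a small Python parser for pluto's "cannot respond to IPsec SA request because no connection is known for ..." line, pulling out the selector pair the responder rejected so the mismatch is readable at a glance. It assumes the line layout seen in the log above; the reading that protocol 17 port 67 is the DHCP (bootps) selector of the DHCP-over-IPsec exchange, which the fixed-IP profile never asks for, is the editor's interpretation.

```python
import re
# Constructed sample: the key pluto line from the post, with the mail client's
# quoted-printable soft wraps ("=" + newline) joined so it is one log line.
SAMPLE_LOG = (
    'Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: cannot '
    'respond to IPsec SA request because no connection is known for '
    '82.XX.YY.143[CN= Fast360 CA,OU=CED,O=******.,L=*******,C=IT]:17/67...'
    '94.XX.YY.84[E=********@****.it,CN=******,OU=***,O=********,L=*************,C=IT]'
    ':17/67===10.X.Y.15/32'
)
# pluto prints the rejected pair as:
#   [left_client===]left_host[left_id][:proto/port]...right_host[right_id][:proto/port][===right_client]
SA_REQUEST = re.compile(
    r'no connection is known for '
    r'(?:(?P<lclient>\S+?)===)?(?P<lhost>[^\[\s]+)\[(?P<lid>[^\]]*)\]'
    r'(?::(?P<lproto>\d+)/(?P<lport>\d+))?'
    r'\.\.\.'
    r'(?P<rhost>[^\[\s]+)\[(?P<rid>[^\]]*)\]'
    r'(?::(?P<rproto>\d+)/(?P<rport>\d+))?'
    r'(?:===(?P<rclient>\S+))?'
)
# Well-known proto/port pairs in these selectors (IANA protocol 17 = UDP).
PROTOPORT_NAMES = {("17", "67"): "UDP port 67 (bootps)", ("17", "68"): "UDP port 68 (bootpc)"}

def parse_sa_request(line):
    """Return the selector pair pluto could not match, or None for unrelated lines."""
    m = SA_REQUEST.search(line)
    if not m:
        return None
    d = m.groupdict()
    for side in ("l", "r"):  # no proto/port printed means any protocol/port (0/0)
        d[side + "proto"] = d[side + "proto"] or "0"
        d[side + "port"] = d[side + "port"] or "0"
    return d

def describe_protoport(proto, port):
    if (proto, port) == ("0", "0"):
        return "any protocol/port"
    return PROTOPORT_NAMES.get((proto, port), f"proto {proto} port {port}")

def diagnose(line):
    """Summarise what the responder was asked to negotiate and had no conn for."""
    d = parse_sa_request(line)
    if d is None:
        return None
    return (f"responder {d['lhost']} has no connection matching "
            f"{describe_protoport(d['lproto'], d['lport'])} <-> peer {d['rhost']} "
            f"(client {d['rclient'] or d['rhost'] + '/32'}) "
            f"{describe_protoport(d['rproto'], d['rport'])}")
```

Running `diagnose(SAMPLE_LOG)` on the post's line reports UDP port 67 on both ends with the client's virtual address 10.X.Y.15/32, i.e. the responder is missing a connection whose traffic selectors accept the DHCP exchange, whereas the fixed-IP profile negotiates the address selector directly.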