[vpn-help] Cannot get dhcp over ipsec working with 2.1.7
Nicola Bressan
nicola.bressan at smc.it
Tue Jun 14 03:29:23 CDT 2011
Hi all,
I'm trying to configure DHCP over IPsec with the Shrew Soft VPN Client and my
firewall (Arkoon).
I've set up the Arkoon FW correctly: when I connect assigning a fixed IP, the
VPN connection goes fine, but when I flag DHCP over IPsec in the Shrew client I get
this log on the FW:
Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: received Vendor ID payload [RFC 3947] method set to=110
Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: received Vendor ID payload [Dead Peer Detection]
Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: ignoring Vendor ID payload [Cisco-Unity]
Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: responding to Main Mode from unknown peer 94.XX.YY.84
Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: Main mode peer ID is ID_DER_ASN1_DN: 'E=********@****.it,CN=******,OU=***,O=********,L=*************,C=IT'
Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: Issuer CA certificate is trusted: 'CN=Fast360 CA,OU=CED,O=******.,L=*******,C=IT'
Jun 14 10:01:15 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: Issuer CA certificate is trusted: 'CN= Fast360 CA,OU=CED,O=******.,L=*******,C=IT'
Jun 14 10:01:15 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: switched from "conn_13" to "conn_11"
Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: I am sending my cert
Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: NAT-T: new port 1655/1705
Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: Dead Peer Detection (RFC 3706): enabled
Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: received and ignored informational message
Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: cannot respond to IPsec SA request because no connection is known for 82.XX.YY.143[CN= Fast360 CA,OU=CED,O=******.,L=*******,C=IT]:17/67...94.XX.YY.84[E=********@****.it,CN=******,OU=***,O=********,L=*************,C=IT]:17/67===10.X.Y.15/32
Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: sending encrypted notification INVALID_ID_INFORMATION to 94.XX.YY.84:1705
Jun 14 10:01:20 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x698f4631 (perhaps this is a duplicated packet)
Jun 14 10:01:20 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: sending encrypted notification INVALID_MESSAGE_ID to 94.XX.YY.84:1705
Jun 14 10:01:23 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: received Delete SA payload: deleting ISAKMP State #21
Jun 14 10:01:23 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84: deleting connection "conn_11" instance with peer 94.XX.YY.84 {isakmp=#0/ipsec=#0}
The same config with a fixed IP works OK.
The VPN is defined with two ends: one is the remote LAN, the other is the
user/object with a defined cert and virtual IP addressing.
Any hint on how to debug this better?
Thanks,
Nicola
Bressan Nicola | System & Security Engineer
Via Roma, 4 int. 18 - 31020 Villorba (TV) - Italy
Tel: +39.0422.9125 | E-Mail: nicola.bressan at smc.it
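Added example (not from the original post, nor from Shrew Soft or Arkoon): a small Python triage script that reads responder-side pluto lines of the kind shown above and separates the two facts the log contains. Phase 1 completed (certificate auth, AES-256, modp1024), so the failure is not authentication; the Quick Mode request was refused because the responder has no connection matching the proposed selector, and the script decodes that selector (`:17/67` is IP protocol 17, UDP, port 67, bootps) and the client's virtual address (`===10.X.Y.15/32`). The sample lines are constructed from the post's log (re-joined onto single lines, masking kept); the `:proto/port` and `===subnet` layout of the "no connection is known for" message is assumed from the text as printed here, and the reading of a UDP/67 selector as a DHCP-over-IPsec lease request is the script's interpretation, not something the log states.

```python
import re
from typing import Dict, Optional

# Constructed sample: three responder-side pluto lines from the thread, each
# re-joined onto one line (the mail client had wrapped them), with the poster's
# masking of addresses and DN fields kept as posted.
SAMPLE_LOG = """\
Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: cannot respond to IPsec SA request because no connection is known for 82.XX.YY.143[CN= Fast360 CA,OU=CED,O=******.,L=*******,C=IT]:17/67...94.XX.YY.84[E=********@****.it,CN=******,OU=***,O=********,L=*************,C=IT]:17/67===10.X.Y.15/32
Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: sending encrypted notification INVALID_ID_INFORMATION to 94.XX.YY.84:1705
"""

# Phase 1 completion line: "ISAKMP SA established {auth=... cipher=... ...}"
PHASE1_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): '
    r'STATE_MAIN_R3: sent MR3, ISAKMP SA established \{(?P<params>[^}]*)\}'
)
# Phase 2 refusal line; the rest of the line describes the proposed selector.
NO_CONN_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): '
    r'cannot respond to IPsec SA request because no connection is known for '
    r'(?P<desc>.+)$'
)
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<name>[A-Z_]+) to (?P<dst>\S+)')

# One endpoint of the selector (assumed layout): [subnet===]host[id][:proto/port][===subnet]
SIDE_RE = re.compile(
    r'^(?:(?P<net_before>[^=\[\]]+)===)?'
    r'(?P<host>[^\[\]:=]+)'
    r'(?:\[(?P<id>[^\]]*)\])?'
    r'(?::(?P<proto>\d+)/(?P<port>\d+))?'
    r'(?:===(?P<net_after>[^=]+))?$'
)

IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
PORT_NAME = {67: "bootps (DHCP server)", 68: "bootpc (DHCP client)"}


def parse_side(text: str) -> Dict[str, Optional[object]]:
    """Decode one endpoint description into host, ID, protocol, port and subnet."""
    m = SIDE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised endpoint description: {text!r}")
    d = m.groupdict()
    return {
        "host": d["host"],
        "id": d["id"],
        "net": d["net_before"] or d["net_after"],
        "proto": int(d["proto"]) if d["proto"] else None,
        "port": int(d["port"]) if d["port"] else None,
    }


def parse_no_connection(desc: str) -> Dict[str, Dict]:
    """Split 'local...remote' and decode both endpoints."""
    left, sep, right = desc.partition("...")
    if not sep:
        raise ValueError("expected 'left...right' in: " + desc)
    return {"local": parse_side(left), "remote": parse_side(right)}


def describe_selector(side: Dict) -> str:
    if side["proto"] is None:
        return "any protocol"
    name = IP_PROTO.get(side["proto"], f"proto {side['proto']}")
    if side["port"] is None:
        return name
    return f"{name}/{side['port']} ({PORT_NAME.get(side['port'], 'unnamed port')})"


def diagnose(sel: Dict) -> str:
    """Interpretation (assumption): UDP bootps/bootpc on both ends means the client is
    asking for a Phase 2 SA to carry a DHCP lease request from its virtual address."""
    l, r = sel["local"], sel["remote"]
    if l["proto"] == 17 and r["proto"] == 17 and {l["port"], r["port"]} <= {67, 68}:
        return (f"Phase 2 selector is DHCP ({describe_selector(r)}) from virtual address "
                f"{r['net']}: the responder has no connection permitting DHCP-over-IPsec "
                "traffic, so Quick Mode is refused before any address can be leased")
    return f"responder has no connection matching {describe_selector(l)} <-> {describe_selector(r)}"


def triage(log_text: str) -> Dict:
    """Return Phase 1 parameters, refused Phase 2 selectors and sent notifications."""
    result: Dict = {"phase1": None, "rejected": [], "notifications": []}
    for line in log_text.splitlines():
        m = PHASE1_RE.search(line)
        if m:
            params = dict(kv.split("=", 1) for kv in m["params"].split())
            result["phase1"] = {"conn": m["conn"], "peer": m["peer"], **params}
            continue
        m = NO_CONN_RE.search(line)
        if m:
            sel = parse_no_connection(m["desc"])
            sel["conn"] = m["conn"]
            sel["diagnosis"] = diagnose(sel)
            result["rejected"].append(sel)
            continue
        m = NOTIFY_RE.search(line)
        if m:
            result["notifications"].append(m["name"])
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("phase 1:", report["phase1"])
    for sel in report["rejected"]:
        print("refused:", sel["diagnosis"])
    print("notifications sent:", report["notifications"])
```

Run against the firewall's syslog (or pipe `grep pluto` output into `triage`) to tell an authentication failure, which would stop before `ISAKMP SA established`, apart from a Phase 2 policy mismatch like this one, where the selector the client proposed is the thing to compare against the responder's connection definitions.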