[vpn-help] Connection failure with client. Debug information doesn't seem helpful.

Eric B. ebenze at hotmail.com
Thu Jun 30 23:15:10 CDT 2011


Hi,

I am looking to configure my FC14 box as an IPSEC client to connect to
my office VPN.  I do not know what server the office VPN is using.  All
I know are the specs that they have given me.  This is my first attempt
in getting the IPSEC tunnel to work from Linux.  I don't know if anyone
else has managed successfully.  I do know that Mac users have gotten it
working with ipsecuritas.


I do have a working example of it running in Windows using TheGreenBow 
client.

I have been given the following files:
ericb.p12
ericb.pem
ericb.key
(and password for the key/p12 files)

I know the following settings (from looking at the functional TGB client
and someone who has gotten it to work with ipsecuritas on Mac):

Gateway IP
Network Addr/CIDR: 10.9.40.0/22
Phase 1:
    - Lifetime 1800
    - DH Group: 1024(2)
    - Encryption: AES 128
    - Authen: SHA-1
    - Exchange: Main

Phase 2:
    - PFS Group: 1024(2)
    - Encryption: AES 128
    - Authen: HMAC SHA-1

NAT-T: force

Can anyone please help me with getting this configuration to work?  I
have attempted to set up the tunnel with the client, but I must be doing 
something incorrect.  When I try to connect, I get the following error 
messages:

config loaded for site 'xx.xx.160.179'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
invalid message from gateway
tunnel disabled
detached from key daemon ...

I enabled debug messages, but that didn't seem to give me a whole lot 
more information:
/var/log/ike/iked.log:
11/07/01 00:01:52 ## : IKE Daemon, ver 2.1.7
11/07/01 00:01:52 ## : Copyright 2010 Shrew Soft Inc.
11/07/01 00:01:52 ## : This product linked OpenSSL 1.0.0d-fips 8 Feb 2011
11/07/01 00:01:52 K! : recv X_SPDDUMP message failure ( errno = 2 )
11/07/01 00:01:58 !! : '/home/eric/Documents/VPN/ericb.p12' load failed, requesting password
11/07/01 00:02:32 !! : unprocessed payload data
11/07/01 00:02:32 !! : unprocessed payload data
11/07/01 00:02:32 !! : unhandled phase1 payload 'unknown' ( 245 )
11/07/01 00:02:32 !! : unprocessed payload data


/var/log/ike/ike-decrypt.pcap is empty.


Just for completeness, here is the vpn profile file:
n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:1
n:client-dns-used:1
n:client-dns-auto:0
n:phase1-dhgroup:2
n:phase1-keylen:128
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:128
n:phase2-pfsgroup:2
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
s:network-host:xx.xx.160.179
s:client-auto-mode:dhcp
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:0.0.0.0
s:client-dns-suffix:
s:auth-method:mutual-rsa
s:ident-client-type:address
s:ident-server-type:any
s:auth-server-cert:/home/eric/Documents/VPN/ericb.p12
s:auth-client-cert:/home/eric/Documents/VPN/ericb.pem
s:auth-client-key:/home/eric/Documents/VPN/ericb.key
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
s:policy-level:auto


Thanks for any help that you can provide!  It is possible that I have 
some settings that are inconsistent, but am not sure what I should be 
setting them to.

Thanks!

Eric
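As an added illustration (not part of the original post or of the Shrew Soft client), the following script parses a profile in the "n:key:int" / "s:key:string" form quoted above and compares it with the Phase 1 / Phase 2 parameters the office supplied, so inconsistent settings such as the Phase 1 lifetime show up before the tunnel is attempted. The key names are those in the posted profile; the assumption that NAT-T "force" corresponds to a mode spelled "force..." rather than "enable" is mine.

```python
# Added example, not from the post: parse a Shrew Soft style profile
# ("n:key:int" / "s:key:str" lines) and compare it with the Phase 1/2
# values the office gave. Key names are the ones in the posted profile.

# Constructed excerpt of the profile quoted in the post.
PROFILE_TEXT = """\
n:phase1-dhgroup:2
n:phase1-keylen:128
n:phase1-life-secs:86400
n:phase2-keylen:128
n:phase2-pfsgroup:2
n:phase2-life-secs:3600
s:network-natt-mode:enable
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:aes
s:phase2-hmac:sha1
"""

SPEC = {  # office spec, expressed in the profile's own keys
    "phase1-life-secs": 1800,  # Phase 1 lifetime 1800 (profile has 86400)
    "phase1-dhgroup": 2,       # DH group 1024 (2)
    "phase1-keylen": 128,      # AES 128
    "phase1-cipher": "aes",
    "phase1-hash": "sha1",     # SHA-1
    "phase1-exchange": "main",
    "phase2-pfsgroup": 2,      # PFS group 1024 (2)
    "phase2-keylen": 128,
    "phase2-transform": "aes",
    "phase2-hmac": "sha1",     # HMAC SHA-1
}

def parse_profile(text):
    """Parse 'n:' (numeric) and 's:' (string) lines into a dict."""
    profile = {}
    for line in text.splitlines():
        if line.count(":") < 2:
            continue
        kind, key, value = line.split(":", 2)
        profile[key] = int(value) if kind == "n" else value
    return profile

def find_mismatches(profile, spec=SPEC):
    """Return (key, expected, actual) for each spec value the profile misses."""
    bad = [(k, v, profile.get(k)) for k, v in spec.items() if profile.get(k) != v]
    # NAT-T was given as "force"; assumption: the client spells that as a
    # mode starting with "force", so plain "enable" is reported too.
    natt = str(profile.get("network-natt-mode", ""))
    if not natt.startswith("force"):
        bad.append(("network-natt-mode", "force*", natt))
    return bad
```

Running `find_mismatches(parse_profile(PROFILE_TEXT))` on the quoted profile reports the Phase 1 lifetime and the NAT-T mode as the settings that differ from the supplied spec.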