[vpn-help] shrew soft client and zywall 5 -no LAN to LAN traffic, phase2 not operating?

Dr. Adrian Bratt adrian at integratedanalog.com
Sun Aug 4 10:28:05 CDT 2013


Hi,

I hope you can help me with the last little bit of getting my config setup. It's driving me nuts!!

I have a local network 192.168.1.xx which has my laptop and shrew client on it.
I have a remote network 192.168.0.xxx which houses various machines behind a zywall 5 box. I think I have phase1 working OK, according to the help setup for the zywall 5 (thanks for that) but I just cannot get any ping from lan to lan.

I think my phase 2 may be the problem (but I copied it to the letter from the help file.)

From a cmd window in the laptop a ping request gets the reply,

C:\Users\adrian>ping 192.168.0.100

Pinging 192.168.0.100 with 32 bytes of data:
Reply from 192.168.0.77: Destination host unreachable.
Request timed out.

Shrew debug Log is below.

Thanks

Adrian

============
13/08/04 16:25:47 ## : IKE Daemon, ver 2.2.2
13/08/04 16:25:47 ## : Copyright 2013 Shrew Soft Inc.
13/08/04 16:25:47 ## : This product linked OpenSSL 1.0.1c 10 May 2012
13/08/04 16:25:47 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
13/08/04 16:25:47 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
13/08/04 16:25:47 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
13/08/04 16:25:47 ii : rebuilding vnet device list ...
13/08/04 16:25:47 ii : device ROOT\VNET\0000 disabled
13/08/04 16:25:47 ii : network process thread begin ...
13/08/04 16:25:47 ii : pfkey process thread begin ...
13/08/04 16:25:47 ii : ipc server process thread begin ...
13/08/04 16:26:18 ii : ipc client process thread begin ...
13/08/04 16:26:18 <A : peer config add message
13/08/04 16:26:18 <A : proposal config message
13/08/04 16:26:18 <A : proposal config message
13/08/04 16:26:18 <A : client config message
13/08/04 16:26:18 <A : local id 'client.shrew.net' message
13/08/04 16:26:18 <A : preshared key message
13/08/04 16:26:18 <A : remote resource message
13/08/04 16:26:18 <A : peer tunnel enable message
13/08/04 16:26:18 DB : peer added ( obj count = 1 )
13/08/04 16:26:18 ii : local address 192.168.1.2 selected for peer
13/08/04 16:26:18 DB : tunnel added ( obj count = 1 )
13/08/04 16:26:18 DB : new phase1 ( ISAKMP initiator )
13/08/04 16:26:18 DB : exchange type is aggressive
13/08/04 16:26:18 DB : 192.168.1.2:500 <-> 62.172.216.32:500
13/08/04 16:26:18 DB : dea4efc89aee4258:0000000000000000
13/08/04 16:26:18 DB : phase1 added ( obj count = 1 )
13/08/04 16:26:18 >> : security association payload
13/08/04 16:26:18 >> : - proposal #1 payload
13/08/04 16:26:18 >> : -- transform #1 payload
13/08/04 16:26:18 >> : key exchange payload
13/08/04 16:26:18 >> : nonce payload
13/08/04 16:26:18 >> : identification payload
13/08/04 16:26:18 >> : vendor id payload
13/08/04 16:26:18 ii : local supports FRAGMENTATION
13/08/04 16:26:18 >> : vendor id payload
13/08/04 16:26:18 ii : local is SHREW SOFT compatible
13/08/04 16:26:18 >> : vendor id payload
13/08/04 16:26:18 ii : local is NETSCREEN compatible
13/08/04 16:26:18 >> : vendor id payload
13/08/04 16:26:18 ii : local is SIDEWINDER compatible
13/08/04 16:26:18 >> : vendor id payload
13/08/04 16:26:18 ii : local is CISCO UNITY compatible
13/08/04 16:26:18 >= : cookies dea4efc89aee4258:0000000000000000
13/08/04 16:26:18 >= : message 00000000
13/08/04 16:26:18 -> : send IKE packet 192.168.1.2:500 -> 62.172.216.32:500 ( 400 bytes )
13/08/04 16:26:18 DB : phase1 resend event scheduled ( ref count = 2 )
13/08/04 16:26:19 <- : recv IKE packet 62.172.216.32:500 -> 192.168.1.2:500 ( 356 bytes )
13/08/04 16:26:19 DB : phase1 found
13/08/04 16:26:19 ii : processing phase1 packet ( 356 bytes )
13/08/04 16:26:19 =< : cookies dea4efc89aee4258:4421b0da7a44155e
13/08/04 16:26:19 =< : message 00000000
13/08/04 16:26:19 << : security association payload
13/08/04 16:26:19 << : - propsal #1 payload
13/08/04 16:26:19 << : -- transform #1 payload
13/08/04 16:26:19 ii : matched isakmp proposal #1 transform #1
13/08/04 16:26:19 ii : - transform    = ike
13/08/04 16:26:19 ii : - cipher type  = 3des
13/08/04 16:26:19 ii : - key length   = default
13/08/04 16:26:19 ii : - hash type    = md5
13/08/04 16:26:19 ii : - dh group     = group2 ( modp-1024 )
13/08/04 16:26:19 ii : - auth type    = psk
13/08/04 16:26:19 ii : - life seconds = 3600
13/08/04 16:26:19 ii : - life kbytes  = 0
13/08/04 16:26:19 << : key exchange payload
13/08/04 16:26:19 << : nonce payload
13/08/04 16:26:19 << : identification payload
13/08/04 16:26:19 ii : phase1 id match
13/08/04 16:26:19 ii : received = ipv4-host 62.172.216.32
13/08/04 16:26:19 << : hash payload
13/08/04 16:26:19 << : vendor id payload
13/08/04 16:26:19 ii : peer supports nat-t ( rfc )
13/08/04 16:26:19 << : vendor id payload
13/08/04 16:26:19 ii : peer supports nat-t ( draft v00 )
13/08/04 16:26:19 << : vendor id payload
13/08/04 16:26:19 ii : peer supports DPDv1
13/08/04 16:26:19 << : vendor id payload
13/08/04 16:26:19 ii : peer is ZYWALL compatible
13/08/04 16:26:19 ii : nat-t is disabled locally
13/08/04 16:26:19 == : DH shared secret ( 128 bytes )
13/08/04 16:26:19 == : SETKEYID ( 16 bytes )
13/08/04 16:26:19 == : SETKEYID_d ( 16 bytes )
13/08/04 16:26:19 == : SETKEYID_a ( 16 bytes )
13/08/04 16:26:19 == : SETKEYID_e ( 16 bytes )
13/08/04 16:26:19 == : cipher key ( 32 bytes )
13/08/04 16:26:19 == : cipher iv ( 8 bytes )
13/08/04 16:26:19 == : phase1 hash_i ( computed ) ( 16 bytes )
13/08/04 16:26:19 >> : hash payload
13/08/04 16:26:19 >= : cookies dea4efc89aee4258:4421b0da7a44155e
13/08/04 16:26:19 >= : message 00000000
13/08/04 16:26:19 >= : encrypt iv ( 8 bytes )
13/08/04 16:26:19 == : encrypt packet ( 48 bytes )
13/08/04 16:26:19 == : stored iv ( 8 bytes )
13/08/04 16:26:19 DB : phase1 resend event canceled ( ref count = 1 )
13/08/04 16:26:19 -> : send IKE packet 192.168.1.2:500 -> 62.172.216.32:500 ( 80 bytes )
13/08/04 16:26:19 == : phase1 hash_r ( computed ) ( 16 bytes )
13/08/04 16:26:19 == : phase1 hash_r ( received ) ( 16 bytes )
13/08/04 16:26:19 ii : phase1 sa established
13/08/04 16:26:19 ii : 62.172.216.32:500 <-> 192.168.1.2:500
13/08/04 16:26:19 ii : dea4efc89aee4258:4421b0da7a44155e
13/08/04 16:26:19 ii : sending peer INITIAL-CONTACT notification
13/08/04 16:26:19 ii : - 192.168.1.2:500 -> 62.172.216.32:500
13/08/04 16:26:19 ii : - isakmp spi = dea4efc89aee4258:4421b0da7a44155e
13/08/04 16:26:19 ii : - data size 0
13/08/04 16:26:19 >> : hash payload
13/08/04 16:26:19 >> : notification payload
13/08/04 16:26:19 == : new informational hash ( 16 bytes )
13/08/04 16:26:19 == : new informational iv ( 8 bytes )
13/08/04 16:26:19 >= : cookies dea4efc89aee4258:4421b0da7a44155e
13/08/04 16:26:19 >= : message 2573a69e
13/08/04 16:26:19 >= : encrypt iv ( 8 bytes )
13/08/04 16:26:19 == : encrypt packet ( 76 bytes )
13/08/04 16:26:19 == : stored iv ( 8 bytes )
13/08/04 16:26:19 -> : send IKE packet 192.168.1.2:500 -> 62.172.216.32:500 ( 104 bytes )
13/08/04 16:26:19 DB : config added ( obj count = 1 )
13/08/04 16:26:19 ii : configuration method is manual
13/08/04 16:26:19 DB : phase2 not found
13/08/04 16:26:19 ii : enabled adapter ROOT\VNET\0000
13/08/04 16:26:19 ii : adapter ROOT\VNET\0000 unavailable, retrying ...
13/08/04 16:26:20 ii : apapter ROOT\VNET\0000 MTU is 1000
13/08/04 16:26:20 ii : generating IPSEC security policies at UNIQUE level
13/08/04 16:26:20 ii : creating NONE INBOUND policy ANY:62.172.216.32:* -> ANY:192.168.1.2:*
13/08/04 16:26:20 DB : policy added ( obj count = 1 )
13/08/04 16:26:20 K> : send pfkey X_SPDADD UNSPEC message
13/08/04 16:26:20 ii : creating NONE OUTBOUND policy ANY:192.168.1.2:* -> ANY:62.172.216.32:*
13/08/04 16:26:20 K< : recv pfkey X_SPDADD UNSPEC message
13/08/04 16:26:20 DB : policy found
13/08/04 16:26:20 ii : created NONE policy route for 62.172.216.32/32
13/08/04 16:26:20 DB : policy added ( obj count = 2 )
13/08/04 16:26:20 K> : send pfkey X_SPDADD UNSPEC message
13/08/04 16:26:20 K< : recv pfkey X_SPDADD UNSPEC message
13/08/04 16:26:20 DB : policy found
13/08/04 16:26:20 ii : creating NONE INBOUND policy ANY:192.168.1.1:* -> ANY:192.168.0.77:*
13/08/04 16:26:20 DB : policy added ( obj count = 3 )
13/08/04 16:26:20 K> : send pfkey X_SPDADD UNSPEC message
13/08/04 16:26:20 ii : creating NONE OUTBOUND policy ANY:192.168.0.77:* -> ANY:192.168.1.1:*
13/08/04 16:26:20 K< : recv pfkey X_SPDADD UNSPEC message
13/08/04 16:26:20 DB : policy added ( obj count = 4 )
13/08/04 16:26:20 DB : policy found
13/08/04 16:26:20 K> : send pfkey X_SPDADD UNSPEC message
13/08/04 16:26:20 ii : creating IPSEC INBOUND policy ANY:192.168.1.0/24:* -> ANY:192.168.0.77:*
13/08/04 16:26:20 K< : recv pfkey X_SPDADD UNSPEC message
13/08/04 16:26:20 DB : policy added ( obj count = 5 )
13/08/04 16:26:20 DB : policy found
13/08/04 16:26:20 K> : send pfkey X_SPDADD UNSPEC message
13/08/04 16:26:20 ii : creating IPSEC OUTBOUND policy ANY:192.168.0.77:* -> ANY:192.168.1.0/24:*
13/08/04 16:26:20 K< : recv pfkey X_SPDADD UNSPEC message
13/08/04 16:26:20 DB : policy found
13/08/04 16:26:20 ii : created IPSEC policy route for 192.168.1.0/24
13/08/04 16:26:20 DB : policy added ( obj count = 6 )
13/08/04 16:26:20 K> : send pfkey X_SPDADD UNSPEC message
13/08/04 16:26:20 K< : recv pfkey X_SPDADD UNSPEC message
13/08/04 16:26:20 DB : policy found
13/08/04 16:26:20 ii : split DNS is disabled
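The log above shows phase 1 completing ("phase1 sa established"), then "phase2 not found" with no phase 2 negotiation in the rest of the excerpt, and the only IPSEC policy route the client installs is for 192.168.1.0/24, while the ping target 192.168.0.100 lies in 192.168.0.0/24. The Python script below is an added example written for this page; it is not part of the original post and not code from Shrew Soft. It parses lines in the iked.log format shown above (the sample is copied from that log, with the mail-wrapped lines joined), reports whether each phase established, finds which IPsec selector, if any, covers a given destination, and lists negotiated phase 1 settings that are weak by current guidance. The function names and the regular expressions are assumptions about this one log format, not a published Shrew Soft interface.

```python
import ipaddress
import re

# Constructed sample: lines copied from the iked.log excerpt on this page,
# reduced to the ones the checks below look at.
SAMPLE_LOG = """\
13/08/04 16:26:18 DB : exchange type is aggressive
13/08/04 16:26:19 ii : matched isakmp proposal #1 transform #1
13/08/04 16:26:19 ii : - cipher type  = 3des
13/08/04 16:26:19 ii : - hash type    = md5
13/08/04 16:26:19 ii : - dh group     = group2 ( modp-1024 )
13/08/04 16:26:19 ii : - auth type    = psk
13/08/04 16:26:19 ii : phase1 sa established
13/08/04 16:26:19 ii : nat-t is disabled locally
13/08/04 16:26:19 DB : phase2 not found
13/08/04 16:26:20 ii : creating IPSEC INBOUND policy ANY:192.168.1.0/24:* -> ANY:192.168.0.77:*
13/08/04 16:26:20 ii : creating IPSEC OUTBOUND policy ANY:192.168.0.77:* -> ANY:192.168.1.0/24:*
13/08/04 16:26:20 ii : created IPSEC policy route for 192.168.1.0/24
"""

# Patterns are assumptions derived from the log lines shown on this page.
POLICY_RE = re.compile(r"creating IPSEC (INBOUND|OUTBOUND) policy ANY:(\S+):\* -> ANY:(\S+):\*")
PARAM_RE = re.compile(r"ii : - ([a-z ]+?)\s+=\s+(.+?)\s*$")
EXCHANGE_RE = re.compile(r"exchange type is (\w+)")


def phase1_params(log):
    """Collect the negotiated ISAKMP (phase 1) parameters as a dict."""
    params = {}
    for line in log.splitlines():
        m = EXCHANGE_RE.search(line)
        if m:
            params["exchange"] = m.group(1)
        m = PARAM_RE.search(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def phase1_established(log):
    return "phase1 sa established" in log


def phase2_established(log):
    return "phase2 sa established" in log


def ipsec_policies(log):
    """Return the IPSEC selectors the client installed, one dict per policy."""
    return [{"direction": d, "src": s, "dst": t} for d, s, t in POLICY_RE.findall(log)]


def covering_policy(log, target_ip, direction="OUTBOUND"):
    """The first policy in the given direction whose destination selector contains target_ip."""
    ip = ipaddress.ip_address(target_ip)
    for pol in ipsec_policies(log):
        if pol["direction"] == direction and ip in ipaddress.ip_network(pol["dst"], strict=False):
            return pol
    return None


def weak_settings(params):
    """Phase 1 settings that fall below current guidance; one finding per setting."""
    findings = []
    if params.get("exchange") == "aggressive" and params.get("auth type") == "psk":
        findings.append("aggressive mode with PSK: identity hash is sent unprotected; prefer main mode")
    if params.get("cipher type") == "3des":
        findings.append("3DES cipher is deprecated; prefer AES")
    if params.get("hash type") == "md5":
        findings.append("MD5 hash is deprecated; prefer SHA-2")
    if "modp-1024" in params.get("dh group", ""):
        findings.append("DH group 2 (1024-bit MODP) is too small; prefer group 14 or larger")
    return findings


def triage(log, target_ip):
    """Summarise what the log says about reaching target_ip through the tunnel."""
    params = phase1_params(log)
    return {
        "phase1": phase1_established(log),
        "phase2": phase2_established(log),
        "covering_policy": covering_policy(log, target_ip),
        "weak_settings": weak_settings(params),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "192.168.0.100").items():
        print(f"{key}: {value}")
```

Run against the sample, the summary shows phase 1 up, phase 2 not established, no outbound selector covering 192.168.0.100 (the only one covers 192.168.1.0/24), and four weak phase 1 settings. The selector check is the one to run first on any "phase 1 up, no traffic" report: if the destination is outside every installed IPsec policy, the packet never reaches the tunnel regardless of how phase 2 is configured.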


