[vpn-help] Connecting to Cisco VPN concentrator with Xauth and certificates

John Serink jserink2004 at yahoo.com
Mon May 6 10:34:55 CDT 2013


Hi All:

Nice SW, very interesting.

I've set the log level to debug and am doing tail -f /var/log/iked.log...

A few questions:
1. How do we know if the SW has correctly read our CAcert?
2. How do we know if the SW has correctly read our client cert?
3. How do we know if the SW has correctly read our private key?


It looks to me like the certs are being sent, but I'm not sure. Can someone comment?
13/05/06 23:30:14 << : security association payload
13/05/06 23:30:14 << : - propsal #1 payload 
13/05/06 23:30:14 << : -- transform #1 payload 
13/05/06 23:30:14 ii : matched isakmp proposal #1 transform #1
13/05/06 23:30:14 ii : - transform    = ike
13/05/06 23:30:14 ii : - cipher type  = 3des
13/05/06 23:30:14 ii : - key length   = default
13/05/06 23:30:14 ii : - hash type    = md5
13/05/06 23:30:14 ii : - dh group     = group2 ( modp-1024 )
13/05/06 23:30:14 ii : - auth type    = xauth-initiator-rsa
13/05/06 23:30:14 ii : - life seconds = 86400
13/05/06 23:30:14 ii : - life kbytes  = 0
13/05/06 23:30:14 << : vendor id payload
13/05/06 23:30:14 ii : peer supports nat-t ( rfc )
13/05/06 23:30:14 << : vendor id payload
13/05/06 23:30:14 ii : unknown vendor id ( 20 bytes )
13/05/06 23:30:14 0x : 4048b7d5 6ebce885 25e7de7f 00d6c2d3 c0000000
13/05/06 23:30:14 >> : key exchange payload
13/05/06 23:30:14 >> : nonce payload
13/05/06 23:30:14 >> : cert request payload
13/05/06 23:30:14 >> : nat discovery payload
13/05/06 23:30:14 >> : nat discovery payload
13/05/06 23:30:14 >= : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
13/05/06 23:30:14 >= : message 00000000
13/05/06 23:30:14 DB : phase1 resend event canceled ( ref count = 1 )
13/05/06 23:30:14 -> : send IKE packet 192.168.0.35:500 -> 218.101.54.25:500 ( 257 bytes )
13/05/06 23:30:14 DB : phase1 resend event scheduled ( ref count = 2 )
13/05/06 23:30:15 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 473 bytes )
13/05/06 23:30:15 DB : phase1 found
13/05/06 23:30:15 ii : processing phase1 packet ( 473 bytes )
13/05/06 23:30:15 =< : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
13/05/06 23:30:15 =< : message 00000000
13/05/06 23:30:15 << : key exchange payload
13/05/06 23:30:15 << : nonce payload
13/05/06 23:30:15 << : cert request payload
13/05/06 23:30:15 << : vendor id payload
13/05/06 23:30:15 ii : peer is CISCO UNITY compatible
13/05/06 23:30:15 << : vendor id payload
13/05/06 23:30:15 ii : peer supports XAUTH
13/05/06 23:30:15 << : vendor id payload
13/05/06 23:30:15 ii : unknown vendor id ( 16 bytes )
13/05/06 23:30:15 0x : 7a108e42 5f1c29b5 593f9565 b035210b
13/05/06 23:30:15 << : vendor id payload
13/05/06 23:30:15 ii : unknown vendor id ( 16 bytes )
13/05/06 23:30:15 0x : 1f07f70e aa6514d3 b0fa9654 2a500100
13/05/06 23:30:15 << : nat discovery payload
13/05/06 23:30:15 << : nat discovery payload
13/05/06 23:30:15 ii : nat discovery - local address is translated
13/05/06 23:30:15 ii : switching to src nat-t udp port 4500
13/05/06 23:30:15 ii : switching to dst nat-t udp port 4500
13/05/06 23:30:15 == : DH shared secret ( 128 bytes )
13/05/06 23:30:15 == : SETKEYID ( 16 bytes )
13/05/06 23:30:15 == : SETKEYID_d ( 16 bytes )
13/05/06 23:30:15 == : SETKEYID_a ( 16 bytes )
13/05/06 23:30:15 == : SETKEYID_e ( 16 bytes )
13/05/06 23:30:15 == : cipher key ( 32 bytes )
13/05/06 23:30:15 == : cipher iv ( 8 bytes )
13/05/06 23:30:15 >> : identification payload
13/05/06 23:30:15 >> : certificate payload
13/05/06 23:30:15 == : phase1 hash_i ( computed ) ( 16 bytes )
13/05/06 23:30:15 >> : signature payload
13/05/06 23:30:15 >= : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
13/05/06 23:30:15 >= : message 00000000
13/05/06 23:30:15 >= : encrypt iv ( 8 bytes )
13/05/06 23:30:15 == : encrypt packet ( 1706 bytes )
13/05/06 23:30:15 == : stored iv ( 8 bytes )
13/05/06 23:30:15 DB : phase1 resend event canceled ( ref count = 1 )
13/05/06 23:30:15 -> : send NAT-T:IKE packet 192.168.0.35:4500 -> 218.101.54.25:4500 ( 1740 bytes )
13/05/06 23:30:23 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 473 bytes )
13/05/06 23:30:23 DB : phase1 found
13/05/06 23:30:23 ww : initiator port values should only float once per session
13/05/06 23:30:23 ii : processing phase1 packet ( 473 bytes )
13/05/06 23:30:23 =< : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
13/05/06 23:30:23 =< : message 00000000
13/05/06 23:30:23 << : ignoring duplicate key excahnge payload
13/05/06 23:30:23 !! : unprocessed payload data
13/05/06 23:30:23 << : ignoring duplicate nonce payload
13/05/06 23:30:23 !! : unprocessed payload data
13/05/06 23:30:23 !! : unhandled phase1 payload 'unknown' ( 244 )
13/05/06 23:30:23 !! : unprocessed payload data
13/05/06 23:30:23 ii : sending peer DELETE message
13/05/06 23:30:23 ii : - 192.168.0.35:4500 -> 218.101.54.25:4500
13/05/06 23:30:23 ii : - isakmp spi = d0206ace8cde3e11:8fd7295f5f1d29b5
13/05/06 23:30:23 ii : - data size 0
13/05/06 23:30:23 >> : hash payload
13/05/06 23:30:23 >> : delete payload
13/05/06 23:30:23 == : new informational hash ( 16 bytes )
13/05/06 23:30:23 == : new informational iv ( 8 bytes )
13/05/06 23:30:23 >= : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
13/05/06 23:30:23 >= : message 3b625f76
13/05/06 23:30:23 >= : encrypt iv ( 8 bytes )
13/05/06 23:30:23 == : encrypt packet ( 76 bytes )
13/05/06 23:30:23 == : stored iv ( 8 bytes )
13/05/06 23:30:23 -> : send NAT-T:IKE packet 192.168.0.35:4500 -> 218.101.54.25:4500 ( 108 bytes )
13/05/06 23:30:23 ii : phase1 removal before expire time
13/05/06 23:30:23 DB : phase1 deleted ( obj count = 0 )
13/05/06 23:30:23 DB : policy not found
13/05/06 23:30:23 DB : policy not found
13/05/06 23:30:23 DB : policy not found
13/05/06 23:30:23 DB : policy not found
13/05/06 23:30:23 DB : removing tunnel config references
13/05/06 23:30:23 DB : removing tunnel phase2 references
13/05/06 23:30:23 DB : removing tunnel phase1 references
13/05/06 23:30:23 DB : tunnel deleted ( obj count = 0 )
13/05/06 23:30:23 DB : removing all peer tunnel references
13/05/06 23:30:23 DB : peer deleted ( obj count = 0 )
13/05/06 23:30:23 ii : ipc client process thread exit ...
13/05/06 23:30:39 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 473 bytes )
13/05/06 23:30:39 DB : phase1 not found
13/05/06 23:30:39 ww : ike packet from 218.101.54.25 ignored, unknown phase1 sa for peer
13/05/06 23:30:39 ww : d0206ace8cde3e11:8fd7295f5f1d29b5
13/05/06 23:30:55 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 76 bytes )
13/05/06 23:30:55 DB : phase1 not found
13/05/06 23:30:55 ww : ike packet from 218.101.54.25 ignored, unknown phase1 sa for peer
13/05/06 23:30:55 ww : 1d62c573424c488b:ade67cd1a4ae13ba


It dies before making it past the IKE negotiation.

Any suggestions?

Cheers,
john
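
The posted log, read with an added triage script that is not part of the original post or of the VPN client itself: a small Python parser over a trimmed copy of the iked.log lines above, which records which payloads the client built (">>") and received ("<<"), the auth type of the matched proposal, the largest packet it sent, and whether the peer retransmitted an earlier message instead of answering. Payload names, tags and the packet-size format are taken from the posted log; the rules in `diagnose` are this example's own heuristics, not the client's. Read this way, the log answers the three questions as far as a log can: a cert request payload went out, and a certificate payload plus a signature payload were built right after `hash_i` was computed, which the client could not have done without a readable client cert and private key. What the peer then did was retransmit its own key exchange and nonce payloads rather than send its certificate, after which the client tore phase 1 down.

```python
"""Triage a phase 1 trace from iked.log: which certificate-related payloads
the client built, and at which step the negotiation stopped."""
import re

# Trimmed copy of the log lines from the post above (not constructed data).
SAMPLE_LOG = """\
13/05/06 23:30:14 ii : matched isakmp proposal #1 transform #1
13/05/06 23:30:14 ii : - auth type    = xauth-initiator-rsa
13/05/06 23:30:14 >> : key exchange payload
13/05/06 23:30:14 >> : nonce payload
13/05/06 23:30:14 >> : cert request payload
13/05/06 23:30:14 -> : send IKE packet 192.168.0.35:500 -> 218.101.54.25:500 ( 257 bytes )
13/05/06 23:30:15 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 473 bytes )
13/05/06 23:30:15 << : key exchange payload
13/05/06 23:30:15 << : nonce payload
13/05/06 23:30:15 << : cert request payload
13/05/06 23:30:15 >> : identification payload
13/05/06 23:30:15 >> : certificate payload
13/05/06 23:30:15 == : phase1 hash_i ( computed ) ( 16 bytes )
13/05/06 23:30:15 >> : signature payload
13/05/06 23:30:15 -> : send NAT-T:IKE packet 192.168.0.35:4500 -> 218.101.54.25:4500 ( 1740 bytes )
13/05/06 23:30:23 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 473 bytes )
13/05/06 23:30:23 << : ignoring duplicate key excahnge payload
13/05/06 23:30:23 << : ignoring duplicate nonce payload
13/05/06 23:30:23 !! : unhandled phase1 payload 'unknown' ( 244 )
13/05/06 23:30:23 ii : sending peer DELETE message
13/05/06 23:30:23 ii : phase1 removal before expire time
"""

# "<date> <time> <two-char tag> : <message>" is the line shape used throughout the log.
LINE_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (?P<tag>\S{2}) : (?P<msg>.*)$")
SEND_RE = re.compile(r"send (?:NAT-T:)?IKE packet \S+ -> \S+ \( (\d+) bytes \)")


def parse(text):
    """Return a list of (tag, message) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            events.append((m["tag"], m["msg"].strip()))
    return events


def triage(events):
    """Collect the facts the diagnosis needs from the parsed events."""
    r = {
        "auth_type": None,          # from the matched proposal's "- auth type" line
        "sent": set(),              # payload names the client built (">>")
        "received": set(),          # payload names accepted from the peer ("<<")
        "largest_send_bytes": 0,    # biggest IKE / NAT-T:IKE packet the client sent
        "peer_retransmitted": False,  # peer re-sent payloads the client already had
        "unhandled": [],            # "!! : unhandled ..." messages
        "phase1_torn_down": False,  # client removed phase 1 before its lifetime ended
    }
    for tag, msg in events:
        if tag == "ii" and msg.startswith("- auth type"):
            r["auth_type"] = msg.split("=", 1)[1].strip()
        elif tag == ">>" and msg.endswith(" payload"):
            r["sent"].add(msg[: -len(" payload")])
        elif tag == "<<" and msg.endswith(" payload"):
            if msg.startswith("ignoring duplicate"):
                r["peer_retransmitted"] = True
            else:
                r["received"].add(msg[: -len(" payload")])
        elif tag == "->":
            m = SEND_RE.search(msg)
            if m:
                r["largest_send_bytes"] = max(r["largest_send_bytes"], int(m.group(1)))
        elif tag == "!!" and msg.startswith("unhandled"):
            r["unhandled"].append(msg)
        elif tag == "ii" and msg.startswith("phase1 removal"):
            r["phase1_torn_down"] = True
    return r


def diagnose(r):
    """Heuristic (this example's own, not the client's) mapping of the record to a stage."""
    if r["auth_type"] is None:
        return "no proposal matched"
    if "certificate" not in r["sent"] or "signature" not in r["sent"]:
        return "client never built certificate/signature payloads: check client cert and key"
    if "certificate" in r["received"]:
        return "peer returned its certificate: phase 1 got past the certificate exchange"
    if r["peer_retransmitted"]:
        return ("client sent certificate+signature (%d bytes) but peer retransmitted its "
                "earlier message and never answered it" % r["largest_send_bytes"])
    return "client sent certificate+signature; no reply from peer"


if __name__ == "__main__":
    record = triage(parse(SAMPLE_LOG))
    for key in ("auth_type", "sent", "received", "largest_send_bytes",
                "peer_retransmitted", "unhandled", "phase1_torn_down"):
        print("%-20s %s" % (key, record[key]))
    print("diagnosis:", diagnose(record))
```

On the sender's full log this reports the "cert request", "certificate" and "signature" payloads as sent, "certificate" as never received, a largest sent packet of 1740 bytes, and a peer that re-sent its key exchange and nonce payloads; the diagnosis string then points at the peer's handling of message 3 rather than at the client's certificate or key loading.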