[vpn-help] Connecting to Cisco VPN concentrator with Xauth and certificates

Kevin VPN kvpn at live.com
Mon May 6 21:03:56 CDT 2013


On 05/06/2013 11:34 AM, John Serink wrote:
> Hi All:
>
> Nice SW, very interesting.
>
> I've set the log level to debug and am doing tail -f /var/log/iked.log...
>
> A few questions:
> 1. How do we know if the SW has correctly read our CAcert?
> 2. How do we know if the SW has correctly read our client cert?
> 3. How do we know if the SW has correctly read our private key?
>
>
> It looks to me like the certs are being sent, but I'm not sure; can someone comment?
> 13/05/06 23:30:14 << : security association payload
> 13/05/06 23:30:14 << : - propsal #1 payload
> 13/05/06 23:30:14 << : -- transform #1 payload
> 13/05/06 23:30:14 ii : matched isakmp proposal #1 transform #1
> 13/05/06 23:30:14 ii : - transform    = ike
> 13/05/06 23:30:14 ii : - cipher type  = 3des
> 13/05/06 23:30:14 ii : - key length   = default
> 13/05/06 23:30:14 ii : - hash type    = md5
> 13/05/06 23:30:14 ii : - dh group     = group2 ( modp-1024 )
> 13/05/06 23:30:14 ii : - auth type    = xauth-initiator-rsa
> 13/05/06 23:30:14 ii : - life seconds = 86400
> 13/05/06 23:30:14 ii : - life kbytes  = 0
> 13/05/06 23:30:14 << : vendor id payload
> 13/05/06 23:30:14 ii : peer supports nat-t ( rfc )
> 13/05/06 23:30:14 << : vendor id payload
> 13/05/06 23:30:14 ii : unknown vendor id ( 20 bytes )
> 13/05/06 23:30:14 0x : 4048b7d5 6ebce885 25e7de7f 00d6c2d3 c0000000
> 13/05/06 23:30:14 >> : key exchange payload
> 13/05/06 23:30:14 >> : nonce payload
> 13/05/06 23:30:14 >> : cert request payload
> 13/05/06 23:30:14 >> : nat discovery payload
> 13/05/06 23:30:14 >> : nat discovery payload
> 13/05/06 23:30:14 >= : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
> 13/05/06 23:30:14 >= : message 00000000
> 13/05/06 23:30:14 DB : phase1 resend event canceled ( ref count = 1 )
> 13/05/06 23:30:14 -> : send IKE packet 192.168.0.35:500 -> 218.101.54.25:500 ( 257 bytes )
> 13/05/06 23:30:14 DB : phase1 resend event scheduled ( ref count = 2 )
> 13/05/06 23:30:15 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 473 bytes )
> 13/05/06 23:30:15 DB : phase1 found
> 13/05/06 23:30:15 ii : processing phase1 packet ( 473 bytes )
> 13/05/06 23:30:15 =< : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
> 13/05/06 23:30:15 =< : message 00000000
> 13/05/06 23:30:15 << : key exchange payload
> 13/05/06 23:30:15 << : nonce payload
> 13/05/06 23:30:15 << : cert request payload
> 13/05/06 23:30:15 << : vendor id payload
> 13/05/06 23:30:15 ii : peer is CISCO UNITY compatible
> 13/05/06 23:30:15 << : vendor id payload
> 13/05/06 23:30:15 ii : peer supports XAUTH
> 13/05/06 23:30:15 << : vendor id payload
> 13/05/06 23:30:15 ii : unknown vendor id ( 16 bytes )
> 13/05/06 23:30:15 0x : 7a108e42 5f1c29b5 593f9565 b035210b
> 13/05/06 23:30:15 << : vendor id payload
> 13/05/06 23:30:15 ii : unknown vendor id ( 16 bytes )
> 13/05/06 23:30:15 0x : 1f07f70e aa6514d3 b0fa9654 2a500100
> 13/05/06 23:30:15 << : nat discovery payload
> 13/05/06 23:30:15 << : nat discovery payload
> 13/05/06 23:30:15 ii : nat discovery - local address is translated
> 13/05/06 23:30:15 ii : switching to src nat-t udp port 4500
> 13/05/06 23:30:15 ii : switching to dst nat-t udp port 4500
> 13/05/06 23:30:15 == : DH shared secret ( 128 bytes )
> 13/05/06 23:30:15 == : SETKEYID ( 16 bytes )
> 13/05/06 23:30:15 == : SETKEYID_d ( 16 bytes )
> 13/05/06 23:30:15 == : SETKEYID_a ( 16 bytes )
> 13/05/06 23:30:15 == : SETKEYID_e ( 16 bytes )
> 13/05/06 23:30:15 == : cipher key ( 32 bytes )
> 13/05/06 23:30:15 == : cipher iv ( 8 bytes )
> 13/05/06 23:30:15 >> : identification payload
> 13/05/06 23:30:15 >> : certificate payload
> 13/05/06 23:30:15 == : phase1 hash_i ( computed ) ( 16 bytes )
> 13/05/06 23:30:15 >> : signature payload
> 13/05/06 23:30:15 >= : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
> 13/05/06 23:30:15 >= : message 00000000
> 13/05/06 23:30:15 >= : encrypt iv ( 8 bytes )
> 13/05/06 23:30:15 == : encrypt packet ( 1706 bytes )
> 13/05/06 23:30:15 == : stored iv ( 8 bytes )
> 13/05/06 23:30:15 DB : phase1 resend event canceled ( ref count = 1 )
> 13/05/06 23:30:15 -> : send NAT-T:IKE packet 192.168.0.35:4500 -> 218.101.54.25:4500 ( 1740 bytes )
> 13/05/06 23:30:23 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 473 bytes )
> 13/05/06 23:30:23 DB : phase1 found
> 13/05/06 23:30:23 ww : initiator port values should only float once per session
> 13/05/06 23:30:23 ii : processing phase1 packet ( 473 bytes )
> 13/05/06 23:30:23 =< : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
> 13/05/06 23:30:23 =< : message 00000000
> 13/05/06 23:30:23 << : ignoring duplicate key excahnge payload
> 13/05/06 23:30:23 !! : unprocessed payload data
> 13/05/06 23:30:23 << : ignoring duplicate nonce payload
> 13/05/06 23:30:23 !! : unprocessed payload data
> 13/05/06 23:30:23 !! : unhandled phase1 payload 'unknown' ( 244 )
> 13/05/06 23:30:23 !! : unprocessed payload data
> 13/05/06 23:30:23 ii : sending peer DELETE message
> 13/05/06 23:30:23 ii : - 192.168.0.35:4500 -> 218.101.54.25:4500
> 13/05/06 23:30:23 ii : - isakmp spi = d0206ace8cde3e11:8fd7295f5f1d29b5
> 13/05/06 23:30:23 ii : - data size 0
> 13/05/06 23:30:23 >> : hash payload
> 13/05/06 23:30:23 >> : delete payload
> 13/05/06 23:30:23 == : new informational hash ( 16 bytes )
> 13/05/06 23:30:23 == : new informational iv ( 8 bytes )
> 13/05/06 23:30:23 >= : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
> 13/05/06 23:30:23 >= : message 3b625f76
> 13/05/06 23:30:23 >= : encrypt iv ( 8 bytes )
> 13/05/06 23:30:23 == : encrypt packet ( 76 bytes )
> 13/05/06 23:30:23 == : stored iv ( 8 bytes )
> 13/05/06 23:30:23 -> : send NAT-T:IKE packet 192.168.0.35:4500 -> 218.101.54.25:4500 ( 108 bytes )
> 13/05/06 23:30:23 ii : phase1 removal before expire time
> 13/05/06 23:30:23 DB : phase1 deleted ( obj count = 0 )
> 13/05/06 23:30:23 DB : policy not found
> 13/05/06 23:30:23 DB : policy not found
> 13/05/06 23:30:23 DB : policy not found
> 13/05/06 23:30:23 DB : policy not found
> 13/05/06 23:30:23 DB : removing tunnel config references
> 13/05/06 23:30:23 DB : removing tunnel phase2 references
> 13/05/06 23:30:23 DB : removing tunnel phase1 references
> 13/05/06 23:30:23 DB : tunnel deleted ( obj count = 0 )
> 13/05/06 23:30:23 DB : removing all peer tunnel references
> 13/05/06 23:30:23 DB : peer deleted ( obj count = 0 )
> 13/05/06 23:30:23 ii : ipc client process thread exit ...
> 13/05/06 23:30:39 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 473 bytes )
> 13/05/06 23:30:39 DB : phase1 not found
> 13/05/06 23:30:39 ww : ike packet from 218.101.54.25 ignored, unknown phase1 sa for peer
> 13/05/06 23:30:39 ww : d0206ace8cde3e11:8fd7295f5f1d29b5
> 13/05/06 23:30:55 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 76 bytes )
> 13/05/06 23:30:55 DB : phase1 not found
> 13/05/06 23:30:55 ww : ike packet from 218.101.54.25 ignored, unknown phase1 sa for peer
> 13/05/06 23:30:55 ww : 1d62c573424c488b:ade67cd1a4ae13ba
>
>
> It dies before making it past the ike neg.
>

Hi John,

Shrew doesn't seem to like the fact that it tries to switch to 
NAT-Translation (NAT-T) on port 4500, but that the gateway insists on 
responding on port 500.

I don't see any complaints about certificates, but the log is not complete.
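Since the diagnosis above comes down to reading the port numbers on the send/recv lines, here is a small added triage script (my own addition, not part of this thread or of the Shrew Soft code) that walks an iked.log excerpt in the format quoted above, records whether the certificate and signature payloads were sent, and flags the case where the client floated to NAT-T port 4500 but the gateway kept answering from a different port. The sample log lines are constructed from the excerpt above.

```python
import re

# Constructed sample in Shrew Soft iked.log format, condensed from the excerpt
# quoted in the thread (same ordering of events, same addresses and ports).
SAMPLE_LOG = """\
13/05/06 23:30:14 -> : send IKE packet 192.168.0.35:500 -> 218.101.54.25:500 ( 257 bytes )
13/05/06 23:30:15 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 473 bytes )
13/05/06 23:30:15 ii : switching to src nat-t udp port 4500
13/05/06 23:30:15 ii : switching to dst nat-t udp port 4500
13/05/06 23:30:15 >> : certificate payload
13/05/06 23:30:15 >> : signature payload
13/05/06 23:30:15 -> : send NAT-T:IKE packet 192.168.0.35:4500 -> 218.101.54.25:4500 ( 1740 bytes )
13/05/06 23:30:23 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 473 bytes )
13/05/06 23:30:23 ww : initiator port values should only float once per session
13/05/06 23:30:23 ii : sending peer DELETE message
"""

LINE = re.compile(r"^\S+ \S+ (\S\S) : (.*)$")  # "date time TAG : text"
PKT = re.compile(r"(send|recv) (\S+) packet \S+:(\d+) -> \S+:(\d+)")

def triage(log_text):
    """Summarise phase 1 progress and check the NAT-T port float.

    'port_mismatch' is True when the client switched to UDP 4500 but the
    gateway kept sending from another port afterwards (500 in the thread).
    """
    state = {"cert_sent": False, "sig_sent": False, "floated": False,
             "gateway_ports_after_float": [], "warnings": [],
             "port_mismatch": False}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        tag, text = m.groups()
        if tag == ">>" and text == "certificate payload":
            state["cert_sent"] = True            # our client cert went out
        elif tag == ">>" and text == "signature payload":
            state["sig_sent"] = True             # signed with our private key
        elif tag == "ii" and text.startswith("switching to") and text.endswith("port 4500"):
            state["floated"] = True              # NAT-T port float happened
        elif tag in ("ww", "!!"):
            state["warnings"].append(text)
        p = PKT.search(text)
        if p and p.group(1) == "recv" and state["floated"]:
            state["gateway_ports_after_float"].append(int(p.group(3)))
    state["port_mismatch"] = state["floated"] and any(
        port != 4500 for port in state["gateway_ports_after_float"])
    return state

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```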