<div><font size="-1">verify_cert off;</font></div>
<div><font size="-1">log :</font></div>
<div>
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr valign="top">
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap"><br></td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">Nov 22 18:24:22 </td>
<td style="background-color: rgb(142, 230, 122);">info </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">racoon </td>
<td style="background-color: rgb(142, 230, 122);">INFO: respond new phase 1 negotiation: 192.168.20.133[500]<=>192.168.20.240[500] </td>
<td nowrap="nowrap" valign="center"> </td></tr>
<tr valign="top">
<td> </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">2 </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">Nov 22 18:24:22 </td>
<td style="background-color: rgb(142, 230, 122);">info </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">racoon </td>
<td style="background-color: rgb(142, 230, 122);">INFO: begin Aggressive mode. </td>
<td nowrap="nowrap" valign="center"> </td></tr>
<tr valign="top">
<td> </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">3 </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">Nov 22 18:24:22 </td>
<td style="background-color: rgb(142, 230, 122);">info </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">racoon </td>
<td style="background-color: rgb(142, 230, 122);">INFO: received Vendor ID: CISCO-UNITY </td>
<td nowrap="nowrap" valign="center"> </td></tr>
<tr valign="top">
<td> </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">4 </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">Nov 22 18:24:22 </td>
<td style="background-color: rgb(142, 230, 122);">info </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">racoon </td>
<td style="background-color: rgb(142, 230, 122);">INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 </td>
<td nowrap="nowrap" valign="center"> </td></tr>
<tr valign="top">
<td> </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">5 </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">Nov 22 18:24:22 </td>
<td style="background-color: rgb(142, 230, 122);">info </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">racoon </td>
<td style="background-color: rgb(142, 230, 122);">INFO: received Vendor ID: RFC 3947 </td>
<td nowrap="nowrap" valign="center"> </td></tr>
<tr valign="top">
<td> </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">6 </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">Nov 22 18:24:22 </td>
<td style="background-color: rgb(142, 230, 122);">info </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">racoon </td>
<td style="background-color: rgb(142, 230, 122);">INFO: received broken Microsoft ID: FRAGMENTATION </td>
<td nowrap="nowrap" valign="center"> </td></tr>
<tr valign="top">
<td> </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">7 </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">Nov 22 18:24:22 </td>
<td style="background-color: rgb(142, 230, 122);">info </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">racoon </td>
<td style="background-color: rgb(142, 230, 122);">INFO: received Vendor ID: DPD </td>
<td nowrap="nowrap" valign="center"> </td></tr>
<tr valign="top">
<td> </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">8 </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">Nov 22 18:24:22 </td>
<td style="background-color: rgb(142, 230, 122);">info </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">racoon </td>
<td style="background-color: rgb(142, 230, 122);">INFO: Selected NAT-T version: RFC 3947 </td>
<td nowrap="nowrap" valign="center"> </td></tr>
<tr valign="top">
<td> </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">9 </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">Nov 22 18:24:22 </td>
<td style="background-color: rgb(142, 230, 122);">info </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">racoon </td>
<td style="background-color: rgb(142, 230, 122);">INFO: Adding remote and local NAT-D payloads. </td>
<td nowrap="nowrap" valign="center"> </td></tr>
<tr valign="top">
<td> </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">10 </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">Nov 22 18:24:22 </td>
<td style="background-color: rgb(142, 230, 122);">info </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">racoon </td>
<td style="background-color: rgb(142, 230, 122);">INFO: Hashing 192.168.20.240[500] with algo #2 </td>
<td nowrap="nowrap" valign="center"> </td></tr>
<tr valign="top">
<td> </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">11 </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">Nov 22 18:24:22 </td>
<td style="background-color: rgb(142, 230, 122);">info </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">racoon </td>
<td style="background-color: rgb(142, 230, 122);">INFO: Hashing 192.168.20.133[500] with algo #2 </td>
<td nowrap="nowrap" valign="center"> </td></tr>
<tr valign="top">
<td> </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">12 </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">Nov 22 18:24:23 </td>
<td style="background-color: rgb(142, 230, 122);">info </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">racoon </td>
<td style="background-color: rgb(142, 230, 122);">INFO: NAT not detected </td>
<td nowrap="nowrap" valign="center"> </td></tr>
<tr valign="top">
<td> </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">13 </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">Nov 22 18:24:23 </td>
<td style="background-color: rgb(142, 230, 122);">info </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">racoon </td>
<td style="background-color: rgb(142, 230, 122);">INFO: ISAKMP-SA established 192.168.20.133[500]-192.168.20.240[500] spi:14660c5f08d82402:aa7052ec72ccc334 </td>
<td nowrap="nowrap" valign="center"> </td></tr>
<tr valign="top">
<td> </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">14 </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">Nov 22 18:24:23 </td>
<td style="background-color: rgb(142, 230, 122);">info </td>
<td style="background-color: rgb(142, 230, 122);" nowrap="nowrap">racoon </td>
<td style="background-color: rgb(142, 230, 122);">INFO: Using port 0 </td></tr></tbody></table></div>
<div><font size="-1">and </font></div>
<div><font size="-1">iptalbes </font></div>
<div><font size="-1"># Generated by iptables-save v1.3.5 on Wed Nov 22 18:26:27 2006<br>*tproxy<br>:PREROUTING ACCEPT [7656:612953]<br>:OUTPUT ACCEPT [1:73]<br>COMMIT<br># Completed on Wed Nov 22 18:26:27 2006<br># Generated by iptables-save
v1.3.5 on Wed Nov 22 18:26:27 2006<br>*raw<br>:PREROUTING ACCEPT [40176:6334687]<br>:OUTPUT ACCEPT [38555:7046209]<br>COMMIT<br># Completed on Wed Nov 22 18:26:27 2006<br># Generated by iptables-save v1.3.5 on Wed Nov 22 18:26:27 2006
<br>*nat<br>:PREROUTING ACCEPT [6177:417641]<br>:POSTROUTING ACCEPT [1:73]<br>:OUTPUT ACCEPT [1:73]<br>-A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT <br>-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination
<a href="http://192.168.1.122/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.1.122:80</a> <br>-A PREROUTING -i eth0 -p tcp -m tcp --dport 22222 -j DNAT --to-destination <a href="http://192.168.1.2:22/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
192.168.1.2:22</a> <br>-A PREROUTING -d <a href="http://192.168.26.0/255.255.255.0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
192.168.26.0/255.255.255.0</a> -i eth0 -j NETMAP --to <a href="http://192.168.2.0/24" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.2.0/24</a><br>-A PREROUTING -d <a href="http://20.0.0.0/255.255.255.254" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
20.0.0.0/255.255.255.254</a> -i eth0 -j NETMAP --to <a href="http://10.0.0.0/31" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
10.0.0.0/31</a><br>-A POSTROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT <br>-A POSTROUTING -s <a href="http://192.168.2.0/255.255.255.0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.2.0/255.255.255.0
</a> -o eth0 -j MASQUERADE <br>-A POSTROUTING -s <a href="http://192.168.1.0/255.255.255.0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
192.168.1.0/255.255.255.0</a> -o eth0 -j MASQUERADE <br>-A POSTROUTING -s <a href="http://192.168.2.0/255.255.255.0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.2.0/255.255.255.0</a> -o eth0 -j NETMAP --to
<a href="http://192.168.26.0/24" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.26.0/24</a>
<br>-A POSTROUTING -s <a href="http://10.0.0.0/255.255.255.254" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">10.0.0.0/255.255.255.254</a> -o eth0 -j NETMAP --to <a href="http://20.0.0.0/31" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
20.0.0.0/31</a><br>-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
<br>COMMIT<br># Completed on Wed Nov 22 18:26:27 2006<br># Generated by iptables-save v1.3.5 on Wed Nov 22 18:26:27 2006<br>*mangle<br>:PREROUTING ACCEPT [40176:6334687]<br>:INPUT ACCEPT [40172:6334290]<br>:FORWARD ACCEPT [4:397]
<br>:OUTPUT ACCEPT [38555:7046209]<br>:POSTROUTING ACCEPT [38559:7046606]<br>COMMIT<br># Completed on Wed Nov 22 18:26:27 2006<br># Generated by iptables-save v1.3.5 on Wed Nov 22 18:26:27 2006<br>*filter<br>:INPUT ACCEPT [7654:612811]
<br>:FORWARD DROP [0:0]<br>:OUTPUT ACCEPT [1:73]<br>:ACCEPTLOG - [0:0]<br>:DROPLOG - [0:0]<br>:FORWARD_ADV - [0:0]<br>:FORWARD_DMZ - [0:0]<br>:FORWARD_USR - [0:0]<br>:INPUT_ADV - [0:0]<br>:INPUT_USR - [0:0]<br>:REJECTLOG - [0:0]
<br>-A INPUT -i lo -j ACCEPT <br>-A INPUT -j INPUT_ADV <br>-A INPUT -j INPUT_USR <br>-A FORWARD -j FORWARD_ADV <br>-A FORWARD -j FORWARD_USR <br>-A FORWARD -j FORWARD_DMZ <br>-A OUTPUT -o lo -j ACCEPT <br>-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
<br>-A ACCEPTLOG -j LOG <br>-A ACCEPTLOG -j ACCEPT <br>-A DROPLOG -j LOG <br>-A DROPLOG -j DROP <br>-A FORWARD_ADV -m state --state RELATED,ESTABLISHED -j ACCEPT <br>-A FORWARD_DMZ -i eth1 -o eth0 -j ACCEPT <br>-A FORWARD_DMZ -i eth0 -o eth1 -j ACCEPT
<br>-A FORWARD_DMZ -i eth2 -j ACCEPT <br>-A FORWARD_DMZ -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT <br>-A FORWARD_DMZ -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT <br>-A INPUT_ADV -m state --state RELATED,ESTABLISHED -j ACCEPT
<br>-A REJECTLOG -j LOG <br>-A REJECTLOG -j REJECT --reject-with icmp-port-unreachable <br>COMMIT<br># Completed on Wed Nov 22 18:26:27 2006</font></div>
<div><font size="-1"> </font></div>
<div><font size="-1">eth0 <a href="http://192.168.20.133/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.20.133</a> eth1 <a href="http://192.168.1.1/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
192.168.1.1</a></font></div>
<div><font size="-1"> </font></div>
<div><font size="-1">ip route</font></div>
<div><font size="-1"><a href="http://192.168.20.0/24" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.20.0/24</a> dev eth0 proto kernel scope link src <a href="http://192.168.20.133/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
192.168.20.133</a> <br><a href="http://192.168.2.0/24" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.2.0/24</a> dev eth2 proto kernel scope link src
<a href="http://192.168.2.1/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.2.1</a> <br><a href="http://192.168.1.0/24" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
192.168.1.0/24</a> dev eth1 proto kernel scope link src <a href="http://192.168.1.1/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.1.1</a></font></div>
<div><font size="-1"> </font></div>
<div><font size="-1">and thank you very much</font></div>
<font size="-1"><br></font><br><br><div><span class="gmail_quote">2006/11/23, Matthew Grooms <<a href="mailto:mgrooms@shrew.net">mgrooms@shrew.net</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Zhao,<br><br>Thanks for trying out the VPN Client. If you see esp packets being<br>emitted from the client ( passing both phase1 and phase2 ), it is very<br>likely close to working.<br><br>To start, it would be a good idea to reconfigure your client address
<br>range to start with .1 instead of .0 as this can cause problems. I will<br>see if I can sneak in an ipsec-tools fix to prevent this from happening<br>before we branch for 0.7.<br><br>For example ...<br><br>mode_cfg {<br>
pool_size 253;<br> network4 <a href="http://192.168.1.1">192.168.1.1</a>;<br> netmask4 <a href="http://255.255.255.0">255.255.255.0</a>;<br> dns4 <a href="http://192.168.20.1">192.168.20.1</a>
;<br> auth_source system;<br>}<br><br>Also, does your debian gateway have selinux or a firewall like iptables<br>installed? As for the certificate verification not working, could you<br>run racoon with the -d option and forward me the relevant debug output
<br>regarding this issue.<br><br>Thanks,<br><br>-Matthew<br></blockquote></div><br><br clear="all"><br>-- <br>Best regards,<br><br>Tongyi ,Zhao