<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Arial">Hello,<br>
<br>
I'm trying to connect to a "Group VPN" on a Linksys RV042 using the
ShrewSoft client v 2.0.1. The VPN is set up to authenticate based on a
client FQDN and shared secret, and the router's LAN-side subnet is
included in the client's Policy tab for that connection. Phase 1 and
Phase 2 are Diffie-Hellman Group 2/AES-256/MD5 with perfect forward
secrecy on phase 2. <br>
<br>
I've attached a router log and an IKE log from the client for a
connection attempt below. It looks like Phase 1 is completing
successfully, but the router and client hang at the start (?) of Phase
2 with the router saying "Received informational payload, type
IPSEC_INITIAL_CONTACT" and the client saying"phase 2 not found." Any
suggestions for how to debug this or for alternate configurations would
be greatly appreciated. Thanks in advance!<br>
<br>
</font>
<blockquote><font face="Arial">Oct 8 10:49:45 2007 VPN Log
Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]</font><br>
<font face="Arial">Oct 8 10:49:45 2007 VPN Log Ignoring
Vendor ID payload [4a131c8107035845...]</font><br>
<font face="Arial">Oct 8 10:49:45 2007 VPN Log Ignoring
Vendor ID payload [4048b7d56ebce885...]</font><br>
<font face="Arial">Oct 8 10:49:45 2007 VPN Log Received
Vendor ID payload Type = [Dead Peer Detection]</font><br>
<font face="Arial">Oct 8 10:49:45 2007 VPN Log Ignoring
Vendor ID payload Type = [Cisco-Unity]</font><br>
<font face="Arial">Oct 8 10:49:45 2007 VPN Log [Tunnel
Negotiation Info] <<< Responder Received Aggressive Mode 1st
packet</font><br>
<font face="Arial">Oct 8 10:49:45 2007 VPN Log
Aggressive mode peer ID is ID_USER_FQDN: '<a class="moz-txt-link-abbreviated" href="mailto:md5-1@assia-inc.com">md5-1@assia-inc.com</a>'</font><br>
<font face="Arial">Oct 8 10:49:45 2007 VPN Log
Responding to Aggressive Mode from 67.152.82.178</font><br>
<font face="Arial">Oct 8 10:49:46 2007 VPN Log [Tunnel
Negotiation Info] >>> Responder Send Aggressive Mode 2nd packet</font><br>
<font face="Arial">Oct 8 10:49:46 2007 VPN Log [Tunnel
Negotiation Info] <<< Responder Received Aggressive Mode 3rd
packet</font><br>
<font face="Arial">Oct 8 10:49:46 2007 VPN Log
Aggressive mode peer ID is ID_USER_FQDN: '<a class="moz-txt-link-abbreviated" href="mailto:md5-1@assia-inc.com">md5-1@assia-inc.com</a>'</font><br>
<font face="Arial">Oct 8 10:49:46 2007 VPN Log [Tunnel
Negotiation Info] Aggressive Mode Phase 1 SA Established</font><br>
<font face="Arial">Oct 8 10:49:46 2007 VPN Log [Tunnel
Negotiation Info] Initiator Cookies = 35ca e22 fd29 d6c2</font><br>
<font face="Arial">Oct 8 10:49:46 2007 VPN Log [Tunnel
Negotiation Info] Responder Cookies = 984d deda d02d 4191</font><br>
<font face="Arial">Oct 8 10:49:46 2007 VPN Log Received
informational payload, type IPSEC_INITIAL_CONTACT</font><br>
<br>
<br>
<font face="Arial">## : IKE Daemon, ver 2.0.1</font><br>
<font face="Arial">## : Copyright 2007 Shrew Soft Inc.</font><br>
<font face="Arial">## : This product linked OpenSSL 0.9.8e 23 Feb 2007</font><br>
<font face="Arial">ii : opened C:\Program Files\ShrewSoft\VPN
Client\debug\iked.log'</font><br>
<font face="Arial">ii : opened C:\Program Files\ShrewSoft\VPN
Client/debug/dump-ike.cap'</font><br>
<font face="Arial">ii : rebuilding vnet device list ...</font><br>
<font face="Arial">ii : device ROOT\VNET\0000 disabled</font><br>
<font face="Arial">ii : device ROOT\VNET\0001 disabled</font><br>
<font face="Arial">ii : network process thread begin ...</font><br>
<font face="Arial">ii : pfkey process thread begin ...</font><br>
<font face="Arial">ii : admin process thread begin ...</font><br>
<font face="Arial"><A : peer config add message</font><br>
<font face="Arial">DB : peer ref increment ( ref count = 1, peer
count = 0 )</font><br>
<font face="Arial">DB : peer added</font><br>
<font face="Arial">ii : local address 192.168.0.102:500 selected for
peer</font><br>
<font face="Arial">DB : tunnel ref increment ( ref count = 1, tunnel
count = 0 )</font><br>
<font face="Arial">DB : peer ref increment ( ref count = 2, peer
count = 1 )</font><br>
<font face="Arial">DB : tunnel added</font><br>
<font face="Arial"><A : proposal config message</font><br>
<font face="Arial"><A : proposal config message</font><br>
<font face="Arial"><A : client config message</font><br>
<font face="Arial"><A : local id '<a class="moz-txt-link-abbreviated" href="mailto:md5-1@assia-inc.com">md5-1@assia-inc.com</a>' message</font><br>
<font face="Arial"><A : preshared key message</font><br>
<font face="Arial"><A : remote resource message</font><br>
<font face="Arial"><A : peer tunnel enable message</font><br>
<font face="Arial">DB : new phase1 ( ISAKMP initiator )</font><br>
<font face="Arial">DB : exchange type is aggressive</font><br>
<font face="Arial">DB : 192.168.0.102:500 <-> 67.152.82.162:500</font><br>
<font face="Arial">DB : 35cae202fd29d6c2:0000000000000000</font><br>
<font face="Arial">DB : phase1 ref increment ( ref count = 1, phase1
count = 0 )</font><br>
<font face="Arial">DB : tunnel ref increment ( ref count = 2, tunnel
count = 1 )</font><br>
<font face="Arial">DB : phase1 added</font><br>
<font face="Arial">>> : security association payload</font><br>
<font face="Arial">>> : - proposal #1 payload </font><br>
<font face="Arial">>> : -- transform #1 payload </font><br>
<font face="Arial">>> : key exchange payload</font><br>
<font face="Arial">>> : nonce payload</font><br>
<font face="Arial">>> : identification payload</font><br>
<font face="Arial">>> : vendor id payload</font><br>
<font face="Arial">>> : vendor id payload</font><br>
<font face="Arial">>> : vendor id payload</font><br>
<font face="Arial">>> : vendor id payload</font><br>
<font face="Arial">>> : vendor id payload</font><br>
<font face="Arial">-> : send IKE packet 192.168.0.102:500 ->
67.152.82.162:500 ( 403 bytes )</font><br>
<font face="Arial">DB : phase1 ref increment ( ref count = 2, phase1
count = 1 )</font><br>
<font face="Arial">DB : phase1 ref decrement ( ref count = 1, phase1
count = 1 )</font><br>
<font face="Arial"><- : recv IKE packet 67.152.82.162:500 ->
192.168.0.102:500 ( 272 bytes )</font><br>
<font face="Arial">DB : phase1 found</font><br>
<font face="Arial">DB : phase1 ref increment ( ref count = 2, phase1
count = 1 )</font><br>
<font face="Arial"><< : security association payload</font><br>
<font face="Arial"><< : - propsal #1 payload </font><br>
<font face="Arial"><< : -- transform #1 payload </font><br>
<font face="Arial">ii : matched isakmp proposal #1 transform #1</font><br>
<font face="Arial">ii : - transform = ike</font><br>
<font face="Arial">ii : - cipher type = aes</font><br>
<font face="Arial">ii : - key length = 256 bits</font><br>
<font face="Arial">ii : - hash type = md5</font><br>
<font face="Arial">ii : - dh group = modp-1024</font><br>
<font face="Arial">ii : - auth type = psk</font><br>
<font face="Arial">ii : - life seconds = 28800</font><br>
<font face="Arial">ii : - life kbytes = 0</font><br>
<font face="Arial"><< : key exchange payload</font><br>
<font face="Arial"><< : nonce payload</font><br>
<font face="Arial"><< : identification payload</font><br>
<font face="Arial">ii : phase1 id match ( natt prevents ip match )</font><br>
<font face="Arial">ii : phase1 id match ( ipv4-host 67.152.82.162 )</font><br>
<font face="Arial"><< : hash payload</font><br>
<font face="Arial">== : DH shared secret ( 128 bytes )</font><br>
<font face="Arial">== : SETKEYID ( 16 bytes )</font><br>
<font face="Arial">== : SETKEYID_d ( 16 bytes )</font><br>
<font face="Arial">== : SETKEYID_a ( 16 bytes )</font><br>
<font face="Arial">== : SETKEYID_e ( 16 bytes )</font><br>
<font face="Arial">== : cipher key ( 32 bytes )</font><br>
<font face="Arial">== : cipher iv ( 16 bytes )</font><br>
<font face="Arial">== : phase1 hash_i ( computed ) ( 16 bytes )</font><br>
<font face="Arial">>> : hash payload</font><br>
<font face="Arial">>= : encrypt iv ( 16 bytes )</font><br>
<font face="Arial">=> : encrypt packet ( 48 bytes )</font><br>
<font face="Arial">== : stored iv ( 16 bytes )</font><br>
<font face="Arial">DB : phase1 ref decrement ( ref count = 1, phase1
count = 1 )</font><br>
<font face="Arial">-> : send IKE packet 192.168.0.102:500 ->
67.152.82.162:500 ( 88 bytes )</font><br>
<font face="Arial">DB : phase1 ref increment ( ref count = 2, phase1
count = 1 )</font><br>
<font face="Arial">== : phase1 hash_r ( computed ) ( 16 bytes )</font><br>
<font face="Arial">== : phase1 hash_r ( received ) ( 16 bytes )</font><br>
<font face="Arial">ii : phase1 sa established</font><br>
<font face="Arial">ii : 67.152.82.162:500 <-> 192.168.0.102:500</font><br>
<font face="Arial">ii : 35cae202fd29d6c2:984ddedad02d4191</font><br>
<font face="Arial">DB : phase1 ref decrement ( ref count = 1, phase1
count = 1 )</font><br>
<font face="Arial">ii : sending peer INITIAL-CONTACT notification</font><br>
<font face="Arial">ii : - 192.168.0.102:500 -> 67.152.82.162:500</font><br>
<font face="Arial">ii : - isakmp spi =
35cae202fd29d6c2:984ddedad02d4191</font><br>
<font face="Arial">ii : - data size 0</font><br>
<font face="Arial">>> : hash payload</font><br>
<font face="Arial">>> : notification payload</font><br>
<font face="Arial">== : new informational hash ( 16 bytes )</font><br>
<font face="Arial">== : new phase2 iv ( 16 bytes )</font><br>
<font face="Arial">>= : encrypt iv ( 16 bytes )</font><br>
<font face="Arial">=> : encrypt packet ( 76 bytes )</font><br>
<font face="Arial">== : stored iv ( 16 bytes )</font><br>
<font face="Arial">-> : send IKE packet 192.168.0.102:500 ->
67.152.82.162:500 ( 104 bytes )</font><br>
<font face="Arial">DB : config ref increment ( ref count = 1, config
count = 0 )</font><br>
<font face="Arial">DB : tunnel ref increment ( ref count = 3, tunnel
count = 1 )</font><br>
<font face="Arial">DB : config added</font><br>
<font face="Arial">ii : xauth is not required</font><br>
<font face="Arial">ii : building config attribute list</font><br>
<font face="Arial">ii : excluding unity attribute set</font><br>
<font face="Arial">ii : - IP4 DNS Server</font><br>
<font face="Arial">ii : sending config pull request</font><br>
<font face="Arial">== : new phase2 iv ( 16 bytes )</font><br>
<font face="Arial">>> : hash payload</font><br>
<font face="Arial">>> : attribute payload</font><br>
<font face="Arial">== : new configure hash ( 16 bytes )</font><br>
<font face="Arial">>= : encrypt iv ( 16 bytes )</font><br>
<font face="Arial">=> : encrypt packet ( 60 bytes )</font><br>
<font face="Arial">== : stored iv ( 16 bytes )</font><br>
<font face="Arial">-> : send IKE packet 192.168.0.102:500 ->
67.152.82.162:500 ( 88 bytes )</font><br>
<font face="Arial">DB : config ref increment ( ref count = 2, config
count = 1 )</font><br>
<font face="Arial">DB : config ref decrement ( ref count = 1, config
count = 1 )</font><br>
<font face="Arial">DB : phase1 ref increment ( ref count = 2, phase1
count = 1 )</font><br>
<font face="Arial">DB : phase2 not found</font><br>
<font face="Arial">DB : phase1 ref decrement ( ref count = 1, phase1
count = 1 )</font><br>
<font face="Arial">ii : resending 1 exchange packet(s)</font><br>
<font face="Arial">ii : resending 1 exchange packet(s)</font><br>
<font face="Arial">ii : exchange packet resend limit exceeded</font><br>
<font face="Arial">DB : config deleted ( config count 0 )</font><br>
<font face="Arial">DB : tunnel ref decrement ( ref count = 2, tunnel
count = 1 )<br>
<br>
</font></blockquote>
<br>
<font face="Arial"><br>
</font>
</body>
</html>