<div dir="ltr">Matthew,<br><br>This is great. Robert just helped you isolate my bug which he is now experiencing. And told us why you can't reproduce.<br><br>Note his IPs<br> IPv4 Address. . . . . . . . . . . : 192.168.113.46(Preferred)<br>
Subnet Mask . . . . . . . . . . . : 255.255.255.0<br> IPv4 Address. . . . . . . . . . . : 192.168.113.55(Preferred)<br> Subnet Mask . . . . . . . . . . . : 255.255.255.0<br><br>remind you of anything (it sure does for me). Only he found what I never even though to test. I also have multiple address blocks set in my policy! I am not by my laptop right now but I will try and test tonight. I bet you if I bring it down to 1 address block it will suddenly work!<br>
<br>Do you have time to work on this yet or not really?<br><br><div class="gmail_quote">On Mon, Jan 12, 2009 at 2:39 PM, Robert Myhren <span dir="ltr"><<a href="mailto:myhren@gmail.com">myhren@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi!<br><br>I have installed Shrew vpn client (v.2.1.4 ) on Windows Vista 64.<br>The client is connecting to a Cisco IOS.<br>
<br>The tunnel is created as expected.<br><br>The Cisco gateway announces several subnets.<br><a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a> <a href="http://10.220.0.0/16" target="_blank">10.220.0.0/16</a> and 192.192.168.113.0/24.<br>
<br>Now, if I define more than one subnet, or if is set to auto under "Policy",<br>then I am not able to access any of the networks.<br><br>If I define only one network manually under "Policy", then it works for that subnet.<br>
<br>I have found this in the logs,<br>failed to create IPSEC policy route for <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a><br><br>Any help is greatly appreciated.<br><br>Regards,<br><br>Robert <br><br>
<br>LOG OUTPUT BELOW:<br>
<br>ipconfig output:<br>Ethernet adapter Local Area Connection* 17:<br><br> Connection-specific DNS Suffix . : <a href="http://pillar.as" target="_blank">pillar.as</a><br> Description . . . . . . . . . . . : Shrew Soft Virtual Adapter<br>
Physical Address. . . . . . . . . : AA-AA-AA-AA-AA-00<br> DHCP Enabled. . . . . . . . . . . : No<br> Autoconfiguration Enabled . . . . : Yes<br> Link-local IPv6 Address . . . . . : fe80::4583:1a90:d144:b362%21(Preferred)<br>
IPv4 Address. . . . . . . . . . . : 192.168.113.46(Preferred)<br> Subnet Mask . . . . . . . . . . . : 255.255.255.0<br> IPv4 Address. . . . . . . . . . . : 192.168.113.55(Preferred)<br> Subnet Mask . . . . . . . . . . . : 255.255.255.0<br>
Default Gateway . . . . . . . . . :<br> DNS Servers . . . . . . . . . . . : 192.168.3.101<br> 195.159.0.100<br> NetBIOS over Tcpip. . . . . . . . : Disabled<br><br>route output:<br>
Interface List<br> 21 ...aa aa aa aa aa 00 ...... Shrew Soft Virtual Adapter<br> 15 ...02 00 4e 43 50 49 ...... NCP Secure Client Virtual NDIS6 Adapter<br> 12 ...00 1f 3b bf 30 7b ...... Intel(R) Wireless WiFi Link 4965AGN<br>
10 ...00 1c 23 50 65 38 ...... Broadcom NetXtreme 57xx Gigabit Controller<br> 1 ........................... Software Loopback Interface 1<br> 20 ...00 00 00 00 00 00 00 e0 isatap.{B06A9A31-24A5-48F1-A151-1D518CEAD8CB}<br>
11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface<br> 18 ...00 00 00 00 00 00 00 e0 <a href="http://isatap.bb.online.no" target="_blank">isatap.bb.online.no</a><br> 48 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3<br>
19 ...00 00 00 00 00 00 00 e0 6TO4 Adapter<br>===========================================================================<br><br>IPv4 Route Table<br>===========================================================================<br>
Active Routes:<br>Network Destination Netmask Gateway Interface Metric<br> 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.199 10<br> 10.220.0.0 255.255.0.0 On-link 15 51<br>
10.220.255.255 255.255.255.255 On-link 15 306<br> 91.203.116.34 255.255.255.255 On-link 15 51<br> 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306<br>
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306<br> 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306<br> 192.168.0.0 255.255.255.0 On-link 192.168.0.199 266<br>
192.168.0.199 255.255.255.255 On-link 192.168.0.199 266<br> 192.168.0.255 255.255.255.255 On-link 192.168.0.199 266<br> 192.168.3.0 255.255.255.0 On-link 192.168.113.26 51<br>
192.168.3.255 255.255.255.255 On-link 192.168.113.26 306<br> 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306<br> 224.0.0.0 240.0.0.0 On-link 192.168.0.199 266<br>
224.0.0.0 240.0.0.0 On-link 192.168.113.26 306<br> 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306<br> 255.255.255.255 255.255.255.255 On-link 192.168.0.199 266<br>
255.255.255.255 255.255.255.255 On-link 192.168.113.26 306<br>===========================================================================<br>Persistent Routes:<br> None<br><br>IPv6 Route Table<br>===========================================================================<br>
Active Routes:<br> If Metric Network Destination Gateway<br> 1 306 ::1/128 On-link<br> 10 266 fe80::/64 On-link<br> 21 306 fe80::/64 On-link<br> 21 306 fe80::4583:1a90:d144:b362/128<br>
On-link<br> 10 266 fe80::b5ed:a21:4099:cbd/128<br> On-link<br> 1 306 ff00::/8 On-link<br> 10 266 ff00::/8 On-link<br>
21 306 ff00::/8 On-link<br>===========================================================================<br>Persistent Routes:<br> None<br><br>IKE service log:<br>09/01/12 13:33:33 ii : ipc client process thread begin ...<br>
09/01/12 13:33:33 <A : peer config add message<br>09/01/12 13:33:33 DB : peer added ( obj count = 1 )<br>09/01/12 13:33:33 ii : local address <a href="http://192.168.0.199:500" target="_blank">192.168.0.199:500</a> selected for peer<br>
09/01/12 13:33:33 DB : tunnel added ( obj count = 1 )<br>09/01/12 13:33:33 <A : proposal config message<br>09/01/12 13:33:33 <A : proposal config message<br>09/01/12 13:33:33 <A : client config message<br>09/01/12 13:33:33 <A : xauth username message<br>
09/01/12 13:33:33 <A : xauth password message<br>09/01/12 13:33:33 <A : local id 'BC' message<br>09/01/12 13:33:33 <A : remote id '<a href="http://BC-R01.basis-consulting.no" target="_blank">BC-R01.basis-consulting.no</a>' message<br>
09/01/12 13:33:33 <A : preshared key message<br>09/01/12 13:33:33 <A : peer tunnel enable message<br>09/01/12 13:33:33 DB : new phase1 ( ISAKMP initiator )<br>09/01/12 13:33:33 DB : exchange type is aggressive<br>09/01/12 13:33:33 DB : <a href="http://192.168.0.199:500" target="_blank">192.168.0.199:500</a> <-> <a href="http://195.159.111.66:500" target="_blank">195.159.111.66:500</a><br>
09/01/12 13:33:33 DB : 0226893edab8a100:0000000000000000<br>09/01/12 13:33:33 DB : phase1 added ( obj count = 1 )<br>09/01/12 13:33:33 >> : security association payload<br>09/01/12 13:33:33 >> : - proposal #1 payload <br>
09/01/12 13:33:33 >> : -- transform #1 payload <br>09/01/12 13:33:33 >> : -- transform #2 payload <br>09/01/12 13:33:33 >> : -- transform #3 payload <br>09/01/12 13:33:33 >> : -- transform #4 payload <br>
09/01/12 13:33:33 >> : -- transform #5 payload <br>09/01/12 13:33:33 >> : -- transform #6 payload <br>09/01/12 13:33:33 >> : -- transform #7 payload <br>09/01/12 13:33:33 >> : -- transform #8 payload <br>
09/01/12 13:33:33 >> : -- transform #9 payload <br>09/01/12 13:33:33 >> : -- transform #10 payload <br>09/01/12 13:33:33 >> : -- transform #11 payload <br>09/01/12 13:33:33 >> : -- transform #12 payload <br>
09/01/12 13:33:33 >> : -- transform #13 payload <br>09/01/12 13:33:33 >> : -- transform #14 payload <br>09/01/12 13:33:33 >> : -- transform #15 payload <br>09/01/12 13:33:33 >> : -- transform #16 payload <br>
09/01/12 13:33:33 >> : -- transform #17 payload <br>09/01/12 13:33:33 >> : -- transform #18 payload <br>09/01/12 13:33:33 >> : key exchange payload<br>09/01/12 13:33:33 >> : nonce payload<br>09/01/12 13:33:33 >> : identification payload<br>
09/01/12 13:33:33 >> : vendor id payload<br>09/01/12 13:33:33 ii : local supports XAUTH<br>09/01/12 13:33:33 >> : vendor id payload<br>09/01/12 13:33:33 ii : local supports nat-t ( draft v00 )<br>09/01/12 13:33:33 >> : vendor id payload<br>
09/01/12 13:33:33 ii : local supports nat-t ( draft v01 )<br>09/01/12 13:33:33 >> : vendor id payload<br>09/01/12 13:33:33 ii : local supports nat-t ( draft v02 )<br>09/01/12 13:33:33 >> : vendor id payload<br>
09/01/12 13:33:33 ii : local supports nat-t ( draft v03 )<br>09/01/12 13:33:33 >> : vendor id payload<br>09/01/12 13:33:33 ii : local supports nat-t ( rfc )<br>09/01/12 13:33:33 >> : vendor id payload<br>09/01/12 13:33:33 ii : local supports FRAGMENTATION<br>
09/01/12 13:33:33 >> : vendor id payload<br>09/01/12 13:33:33 ii : local is SHREW SOFT compatible<br>09/01/12 13:33:33 >> : vendor id payload<br>09/01/12 13:33:33 ii : local is NETSCREEN compatible<br>09/01/12 13:33:33 >> : vendor id payload<br>
09/01/12 13:33:33 ii : local is SIDEWINDER compatible<br>09/01/12 13:33:33 >> : vendor id payload<br>09/01/12 13:33:33 ii : local is CISCO UNITY compatible<br>09/01/12 13:33:33 >= : cookies 0226893edab8a100:0000000000000000<br>
09/01/12 13:33:33 >= : message 00000000<br>09/01/12 13:33:33 -> : send IKE packet <a href="http://192.168.0.199:500" target="_blank">192.168.0.199:500</a> -> <a href="http://195.159.111.66:500" target="_blank">195.159.111.66:500</a> ( 1158 bytes )<br>
09/01/12 13:33:33 DB : phase1 resend event scheduled ( ref count = 2 )<br>09/01/12 13:33:33 <- : recv IKE packet <a href="http://195.159.111.66:500" target="_blank">195.159.111.66:500</a> -> <a href="http://192.168.0.199:500" target="_blank">192.168.0.199:500</a> ( 438 bytes )<br>
09/01/12 13:33:33 DB : phase1 found<br>09/01/12 13:33:33 ii : processing phase1 packet ( 438 bytes )<br>09/01/12 13:33:33 =< : cookies 0226893edab8a100:65da80a148909240<br>09/01/12 13:33:33 =< : message 00000000<br>
09/01/12 13:33:33 << : security association payload<br>09/01/12 13:33:33 << : - propsal #1 payload <br>09/01/12 13:33:33 << : -- transform #1 payload <br>09/01/12 13:33:33 ii : unmatched isakmp proposal/transform<br>
09/01/12 13:33:33 ii : cipher type ( 3des != aes )<br>09/01/12 13:33:33 ii : unmatched isakmp proposal/transform<br>09/01/12 13:33:33 ii : cipher type ( 3des != aes )<br>09/01/12 13:33:33 ii : unmatched isakmp proposal/transform<br>
09/01/12 13:33:33 ii : cipher type ( 3des != aes )<br>09/01/12 13:33:33 ii : unmatched isakmp proposal/transform<br>09/01/12 13:33:33 ii : cipher type ( 3des != aes )<br>09/01/12 13:33:33 ii : unmatched isakmp proposal/transform<br>
09/01/12 13:33:33 ii : cipher type ( 3des != aes )<br>09/01/12 13:33:33 ii : unmatched isakmp proposal/transform<br>09/01/12 13:33:33 ii : cipher type ( 3des != aes )<br>09/01/12 13:33:33 ii : unmatched isakmp proposal/transform<br>
09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )<br>09/01/12 13:33:33 ii : unmatched isakmp proposal/transform<br>09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )<br>09/01/12 13:33:33 ii : unmatched isakmp proposal/transform<br>
09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )<br>09/01/12 13:33:33 ii : unmatched isakmp proposal/transform<br>09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )<br>09/01/12 13:33:33 ii : unmatched isakmp proposal/transform<br>
09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )<br>09/01/12 13:33:33 ii : unmatched isakmp proposal/transform<br>09/01/12 13:33:33 ii : cipher type ( 3des != blowfish )<br>09/01/12 13:33:33 ii : unmatched isakmp proposal/transform<br>
09/01/12 13:33:33 ii : hash type ( hmac-sha != hmac-md5 )<br>09/01/12 13:33:33 !! : peer violates RFC, transform number mismatch ( 1 != 14 )<br>09/01/12 13:33:33 ii : matched isakmp proposal #1 transform #1<br>09/01/12 13:33:33 ii : - transform = ike<br>
09/01/12 13:33:33 ii : - cipher type = 3des<br>09/01/12 13:33:33 ii : - key length = default<br>09/01/12 13:33:33 ii : - hash type = sha1<br>09/01/12 13:33:33 ii : - dh group = modp-1024<br>09/01/12 13:33:33 ii : - auth type = xauth-initiator-psk<br>
09/01/12 13:33:33 ii : - life seconds = 86400<br>09/01/12 13:33:33 ii : - life kbytes = 0<br>09/01/12 13:33:33 << : vendor id payload<br>09/01/12 13:33:33 ii : peer is CISCO UNITY compatible<br>09/01/12 13:33:33 << : vendor id payload<br>
09/01/12 13:33:33 ii : peer supports DPDv1<br>09/01/12 13:33:33 << : vendor id payload<br>09/01/12 13:33:33 ii : unknown vendor id ( 16 bytes )<br>09/01/12 13:33:33 0x : 901d27bc 48919240 e61a88fc 07f35213<br>09/01/12 13:33:33 << : vendor id payload<br>
09/01/12 13:33:33 ii : peer supports XAUTH<br>09/01/12 13:33:33 << : vendor id payload<br>09/01/12 13:33:33 ii : peer supports nat-t ( rfc )<br>09/01/12 13:33:33 << : key exchange payload<br>09/01/12 13:33:33 << : identification payload<br>
09/01/12 13:33:33 ii : phase1 id match <br>09/01/12 13:33:33 ii : received = fqdn <a href="http://BC-R01.basis-consulting.no" target="_blank">BC-R01.basis-consulting.no</a><br>09/01/12 13:33:33 << : nonce payload<br>
09/01/12 13:33:33 << : hash payload<br>
09/01/12 13:33:33 << : nat discovery payload<br>09/01/12 13:33:33 << : nat discovery payload<br>09/01/12 13:33:33 ii : nat discovery - local address is translated<br>09/01/12 13:33:33 ii : switching to nat-t udp port 4500<br>
09/01/12 13:33:33 == : DH shared secret ( 128 bytes )<br>09/01/12 13:33:33 == : SETKEYID ( 20 bytes )<br>09/01/12 13:33:33 == : SETKEYID_d ( 20 bytes )<br>09/01/12 13:33:33 == : SETKEYID_a ( 20 bytes )<br>09/01/12 13:33:33 == : SETKEYID_e ( 20 bytes )<br>
09/01/12 13:33:33 == : cipher key ( 40 bytes )<br>09/01/12 13:33:33 == : cipher iv ( 8 bytes )<br>09/01/12 13:33:33 == : phase1 hash_i ( computed ) ( 20 bytes )<br>09/01/12 13:33:33 >> : hash payload<br>09/01/12 13:33:33 >> : nat discovery payload<br>
09/01/12 13:33:33 >> : nat discovery payload<br>09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240<br>09/01/12 13:33:33 >= : message 00000000<br>09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )<br>
09/01/12 13:33:33 == : encrypt packet ( 100 bytes )<br>09/01/12 13:33:33 == : stored iv ( 8 bytes )<br>09/01/12 13:33:33 DB : phase1 resend event canceled ( ref count = 1 )<br>09/01/12 13:33:33 -> : send NAT-T:IKE packet <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> -> <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a> ( 132 bytes )<br>
09/01/12 13:33:33 == : phase1 hash_r ( computed ) ( 20 bytes )<br>09/01/12 13:33:33 == : phase1 hash_r ( received ) ( 20 bytes )<br>09/01/12 13:33:33 ii : phase1 sa established<br>09/01/12 13:33:33 ii : <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a> <-> <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a><br>
09/01/12 13:33:33 ii : 226893edab8a100:65da80a148909240<br>09/01/12 13:33:33 ii : sending peer INITIAL-CONTACT notification<br>09/01/12 13:33:33 ii : - <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> -> <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a><br>
09/01/12 13:33:33 ii : - isakmp spi = 0226893edab8a100:65da80a148909240<br>09/01/12 13:33:33 ii : - data size 0<br>09/01/12 13:33:33 >> : hash payload<br>09/01/12 13:33:33 >> : notification payload<br>09/01/12 13:33:33 == : new informational hash ( 20 bytes )<br>
09/01/12 13:33:33 == : new informational iv ( 8 bytes )<br>09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240<br>09/01/12 13:33:33 >= : message fa803be7<br>09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )<br>
09/01/12 13:33:33 == : encrypt packet ( 80 bytes )<br>09/01/12 13:33:33 == : stored iv ( 8 bytes )<br>09/01/12 13:33:33 -> : send NAT-T:IKE packet <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> -> <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a> ( 116 bytes )<br>
09/01/12 13:33:33 DB : phase2 not found<br>09/01/12 13:33:33 <- : recv NAT-T:IKE packet <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a> -> <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> ( 76 bytes )<br>
09/01/12 13:33:33 DB : phase1 found<br>09/01/12 13:33:33 ii : processing config packet ( 76 bytes )<br>09/01/12 13:33:33 DB : config not found<br>09/01/12 13:33:33 DB : config added ( obj count = 1 )<br>09/01/12 13:33:33 == : new config iv ( 8 bytes )<br>
09/01/12 13:33:33 =< : cookies 0226893edab8a100:65da80a148909240<br>09/01/12 13:33:33 =< : message 87640ecc<br>09/01/12 13:33:33 =< : decrypt iv ( 8 bytes )<br>09/01/12 13:33:33 == : decrypt packet ( 76 bytes )<br>
09/01/12 13:33:33 <= : trimmed packet padding ( 8 bytes )<br>09/01/12 13:33:33 <= : stored iv ( 8 bytes )<br>09/01/12 13:33:33 << : hash payload<br>09/01/12 13:33:33 << : attribute payload<br>09/01/12 13:33:33 == : configure hash_i ( computed ) ( 20 bytes )<br>
09/01/12 13:33:33 == : configure hash_c ( computed ) ( 20 bytes )<br>09/01/12 13:33:33 ii : configure hash verified<br>09/01/12 13:33:33 !! : warning, missing required xauth type attribute<br>09/01/12 13:33:33 ii : received xauth request - <br>
09/01/12 13:33:33 ii : added standard xauth username attribute<br>09/01/12 13:33:33 ii : added standard xauth password attribute<br>09/01/12 13:33:33 ii : sending xauth response for robert<br>09/01/12 13:33:33 >> : hash payload<br>
09/01/12 13:33:33 >> : attribute payload<br>09/01/12 13:33:33 == : new configure hash ( 20 bytes )<br>09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240<br>09/01/12 13:33:33 >= : message 87640ecc<br>
09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )<br>09/01/12 13:33:33 == : encrypt packet ( 86 bytes )<br>09/01/12 13:33:33 == : stored iv ( 8 bytes )<br>09/01/12 13:33:33 -> : send NAT-T:IKE packet <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> -> <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a> ( 124 bytes )<br>
09/01/12 13:33:33 DB : config resend event scheduled ( ref count = 2 )<br>09/01/12 13:33:33 <- : recv NAT-T:IKE packet <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a> -> <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> ( 68 bytes )<br>
09/01/12 13:33:33 DB : phase1 found<br>09/01/12 13:33:33 ii : processing config packet ( 68 bytes )<br>09/01/12 13:33:33 DB : config found<br>09/01/12 13:33:33 == : new config iv ( 8 bytes )<br>09/01/12 13:33:33 =< : cookies 0226893edab8a100:65da80a148909240<br>
09/01/12 13:33:33 =< : message a27cf1aa<br>09/01/12 13:33:33 =< : decrypt iv ( 8 bytes )<br>09/01/12 13:33:33 == : decrypt packet ( 68 bytes )<br>09/01/12 13:33:33 <= : trimmed packet padding ( 4 bytes )<br>09/01/12 13:33:33 <= : stored iv ( 8 bytes )<br>
09/01/12 13:33:33 << : hash payload<br>09/01/12 13:33:33 << : attribute payload<br>09/01/12 13:33:33 == : configure hash_i ( computed ) ( 20 bytes )<br>09/01/12 13:33:33 == : configure hash_c ( computed ) ( 20 bytes )<br>
09/01/12 13:33:33 ii : configure hash verified<br>09/01/12 13:33:33 ii : received xauth result - <br>09/01/12 13:33:33 ii : user robert authentication succeeded<br>09/01/12 13:33:33 ii : sending xauth acknowledge<br>09/01/12 13:33:33 >> : hash payload<br>
09/01/12 13:33:33 >> : attribute payload<br>09/01/12 13:33:33 == : new configure hash ( 20 bytes )<br>09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240<br>09/01/12 13:33:33 >= : message a27cf1aa<br>
09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )<br>09/01/12 13:33:33 == : encrypt packet ( 60 bytes )<br>09/01/12 13:33:33 == : stored iv ( 8 bytes )<br>09/01/12 13:33:33 DB : config resend event canceled ( ref count = 1 )<br>
09/01/12 13:33:33 -> : send NAT-T:IKE packet <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> -> <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a> ( 92 bytes )<br>
09/01/12 13:33:33 DB : config resend event scheduled ( ref count = 2 )<br>
09/01/12 13:33:33 ii : building config attribute list<br>09/01/12 13:33:33 ii : - IP4 Address<br>09/01/12 13:33:33 ii : - Address Expiry<br>09/01/12 13:33:33 ii : - IP4 Netamask<br>09/01/12 13:33:33 ii : - IP4 DNS Server<br>
09/01/12 13:33:33 ii : - IP4 WINS Server<br>09/01/12 13:33:33 ii : - DNS Suffix<br>09/01/12 13:33:33 ii : - Split DNS Domain<br>09/01/12 13:33:33 ii : - IP4 Split Network Include<br>09/01/12 13:33:33 ii : - IP4 Split Network Exclude<br>
09/01/12 13:33:33 ii : - Save Password<br>09/01/12 13:33:33 == : new config iv ( 8 bytes )<br>09/01/12 13:33:33 ii : sending config pull request<br>09/01/12 13:33:33 >> : hash payload<br>09/01/12 13:33:33 >> : attribute payload<br>
09/01/12 13:33:33 == : new configure hash ( 20 bytes )<br>09/01/12 13:33:33 >= : cookies 0226893edab8a100:65da80a148909240<br>09/01/12 13:33:33 >= : message a15127cd<br>09/01/12 13:33:33 >= : encrypt iv ( 8 bytes )<br>
09/01/12 13:33:33 == : encrypt packet ( 100 bytes )<br>09/01/12 13:33:33 == : stored iv ( 8 bytes )<br>09/01/12 13:33:33 DB : config resend event canceled ( ref count = 1 )<br>09/01/12 13:33:33 -> : send NAT-T:IKE packet <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> -> <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a> ( 132 bytes )<br>
09/01/12 13:33:33 DB : config resend event scheduled ( ref count = 2 )<br>09/01/12 13:33:33 <- : recv NAT-T:IKE packet <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a> -> <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> ( 188 bytes )<br>
09/01/12 13:33:33 DB : phase1 found<br>09/01/12 13:33:33 ii : processing config packet ( 188 bytes )<br>09/01/12 13:33:33 DB : config found<br>09/01/12 13:33:33 =< : cookies 0226893edab8a100:65da80a148909240<br>09/01/12 13:33:33 =< : message a15127cd<br>
09/01/12 13:33:33 =< : decrypt iv ( 8 bytes )<br>09/01/12 13:33:33 == : decrypt packet ( 188 bytes )<br>09/01/12 13:33:33 <= : trimmed packet padding ( 3 bytes )<br>09/01/12 13:33:33 <= : stored iv ( 8 bytes )<br>
09/01/12 13:33:33 << : hash payload<br>09/01/12 13:33:33 << : attribute payload<br>09/01/12 13:33:33 == : configure hash_i ( computed ) ( 20 bytes )<br>09/01/12 13:33:33 == : configure hash_c ( computed ) ( 20 bytes )<br>
09/01/12 13:33:33 ii : configure hash verified<br>09/01/12 13:33:33 ii : received config pull response<br>09/01/12 13:33:33 ii : - IP4 Address = 192.168.113.64<br>09/01/12 13:33:33 ii : - Address Expiry = 2136015104<br>09/01/12 13:33:33 ii : - IP4 Netmask = 255.255.255.0<br>
09/01/12 13:33:33 ii : - IP4 DNS Server = 192.168.3.101<br>09/01/12 13:33:33 ii : - IP4 DNS Server = 195.159.0.100<br>09/01/12 13:33:33 ii : - DNS Suffix = <a href="http://pillar.as" target="_blank">pillar.as</a><br>09/01/12 13:33:33 ii : - Split Domain<br>
09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:<a href="http://192.168.3.0/24:*" target="_blank">192.168.3.0/24:*</a><br>09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:<a href="http://10.220.0.0/16:*" target="_blank">10.220.0.0/16:*</a><br>
09/01/12 13:33:33 ii : - IP4 Split Network Include = ANY:<a href="http://91.203.116.34/32:*" target="_blank">91.203.116.34/32:*</a><br>09/01/12 13:33:33 ii : - IP4 Split Network Exclude = ANY:<a href="http://0.0.0.0/32:*" target="_blank">0.0.0.0/32:*</a> ( invalid subnet ignored )<br>
09/01/12 13:33:33 ii : - Save Password = 0<br>09/01/12 13:33:33 DB : config resend event canceled ( ref count = 1 )<br>09/01/12 13:33:35 ii : VNET adapter MTU is 1500<br>09/01/12 13:33:35 ii : enabled adapter ROOT\VNET\0000<br>
09/01/12 13:33:35 ii : creating IPSEC INBOUND policy ANY:<a href="http://192.168.3.0/24:*" target="_blank">192.168.3.0/24:*</a> -> ANY:192.168.113.64:*<br>09/01/12 13:33:35 DB : policy added ( obj count = 1 )<br>09/01/12 13:33:35 K> : send pfkey X_SPDADD UNSPEC message<br>
09/01/12 13:33:35 ii : creating IPSEC OUTBOUND policy ANY:192.168.113.64:* -> ANY:<a href="http://192.168.3.0/24:*" target="_blank">192.168.3.0/24:*</a><br>09/01/12 13:33:35 K< : recv pfkey X_SPDADD UNSPEC message<br>
09/01/12 13:33:35 DB : policy found<br>
09/01/12 13:33:40 !! : failed to create IPSEC policy route for <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a><br>09/01/12 13:33:40 DB : policy added ( obj count = 2 )<br>09/01/12 13:33:40 K> : send pfkey X_SPDADD UNSPEC message<br>
09/01/12 13:33:40 ii : creating IPSEC INBOUND policy ANY:<a href="http://10.220.0.0/16:*" target="_blank">10.220.0.0/16:*</a> -> ANY:192.168.113.64:*<br>09/01/12 13:33:40 DB : policy added ( obj count = 3 )<br>09/01/12 13:33:40 K> : send pfkey X_SPDADD UNSPEC message<br>
09/01/12 13:33:40 ii : creating IPSEC OUTBOUND policy ANY:192.168.113.64:* -> ANY:<a href="http://10.220.0.0/16:*" target="_blank">10.220.0.0/16:*</a><br>09/01/12 13:33:40 K< : recv pfkey X_SPDADD UNSPEC message<br>
09/01/12 13:33:40 DB : policy found<br>
09/01/12 13:33:40 ii : calling init phase2 for initial policy<br>09/01/12 13:33:40 DB : policy found<br>09/01/12 13:33:40 DB : policy found<br>09/01/12 13:33:40 DB : tunnel found<br>09/01/12 13:33:40 DB : new phase2 ( IPSEC initiator )<br>
09/01/12 13:33:40 DB : phase2 added ( obj count = 1 )<br>09/01/12 13:33:40 K> : send pfkey GETSPI ESP message<br>09/01/12 13:33:40 K< : recv pfkey X_SPDADD UNSPEC message<br>09/01/12 13:33:40 DB : policy found<br>09/01/12 13:33:40 K< : recv pfkey GETSPI ESP message<br>
09/01/12 13:33:40 DB : phase2 found<br>09/01/12 13:33:40 ii : updated spi for 1 ipsec-esp proposal<br>09/01/12 13:33:40 DB : phase1 found<br>09/01/12 13:33:40 >> : hash payload<br>09/01/12 13:33:40 >> : security association payload<br>
09/01/12 13:33:40 >> : - proposal #1 payload <br>09/01/12 13:33:40 >> : -- transform #1 payload <br>09/01/12 13:33:40 >> : -- transform #2 payload <br>09/01/12 13:33:40 >> : -- transform #3 payload <br>
09/01/12 13:33:40 >> : -- transform #4 payload <br>09/01/12 13:33:40 >> : -- transform #5 payload <br>09/01/12 13:33:40 >> : -- transform #6 payload <br>09/01/12 13:33:40 >> : -- transform #7 payload <br>
09/01/12 13:33:40 >> : -- transform #8 payload <br>09/01/12 13:33:40 >> : -- transform #9 payload <br>09/01/12 13:33:40 >> : -- transform #10 payload <br>09/01/12 13:33:40 >> : -- transform #11 payload <br>
09/01/12 13:33:40 >> : -- transform #12 payload <br>09/01/12 13:33:40 >> : -- transform #13 payload <br>09/01/12 13:33:40 >> : -- transform #14 payload <br>09/01/12 13:33:40 >> : -- transform #15 payload <br>
09/01/12 13:33:40 >> : -- transform #16 payload <br>09/01/12 13:33:40 >> : -- transform #17 payload <br>09/01/12 13:33:40 >> : -- transform #18 payload <br>09/01/12 13:33:40 >> : nonce payload<br>
09/01/12 13:33:40 >> : identification payload<br>
09/01/12 13:33:40 >> : identification payload<br>09/01/12 13:33:40 == : phase2 hash_i ( input ) ( 632 bytes )<br>09/01/12 13:33:40 == : phase2 hash_i ( computed ) ( 20 bytes )<br>09/01/12 13:33:40 == : new phase2 iv ( 8 bytes )<br>
09/01/12 13:33:40 >= : cookies 0226893edab8a100:65da80a148909240<br>09/01/12 13:33:40 >= : message a8c542ad<br>09/01/12 13:33:40 >= : encrypt iv ( 8 bytes )<br>09/01/12 13:33:40 == : encrypt packet ( 680 bytes )<br>
09/01/12 13:33:40 == : stored iv ( 8 bytes )<br>09/01/12 13:33:40 -> : send NAT-T:IKE packet <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> -> <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a> ( 716 bytes )<br>
09/01/12 13:33:40 DB : phase2 resend event scheduled ( ref count = 2 )<br>09/01/12 13:33:40 <- : recv NAT-T:IKE packet <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a> -> <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> ( 188 bytes )<br>
09/01/12 13:33:40 DB : phase1 found<br>09/01/12 13:33:40 ii : processing phase2 packet ( 188 bytes )<br>09/01/12 13:33:40 DB : phase2 found<br>09/01/12 13:33:40 =< : cookies 0226893edab8a100:65da80a148909240<br>09/01/12 13:33:40 =< : message a8c542ad<br>
09/01/12 13:33:40 =< : decrypt iv ( 8 bytes )<br>09/01/12 13:33:40 == : decrypt packet ( 188 bytes )<br>09/01/12 13:33:40 <= : trimmed packet padding ( 4 bytes )<br>09/01/12 13:33:40 <= : stored iv ( 8 bytes )<br>
09/01/12 13:33:40 << : hash payload<br>09/01/12 13:33:40 << : security association payload<br>09/01/12 13:33:40 << : - propsal #1 payload <br>09/01/12 13:33:40 << : -- transform #1 payload <br>09/01/12 13:33:40 << : nonce payload<br>
09/01/12 13:33:40 << : identification payload<br>09/01/12 13:33:40 << : identification payload<br>09/01/12 13:33:40 << : notification payload<br>09/01/12 13:33:40 == : phase2 hash_r ( input ) ( 156 bytes )<br>
09/01/12 13:33:40 == : phase2 hash_r ( computed ) ( 20 bytes )<br>09/01/12 13:33:40 == : phase2 hash_r ( received ) ( 20 bytes )<br>09/01/12 13:33:40 ii : unmatched ipsec-esp proposal/transform<br>09/01/12 13:33:40 ii : msg auth ( hmac-sha != hmac-md5 )<br>
09/01/12 13:33:40 !! : peer violates RFC, transform number mismatch ( 1 != 2 )<br>09/01/12 13:33:40 ii : matched ipsec-esp proposal #1 transform #2<br>09/01/12 13:33:40 ii : - transform = esp-aes<br>09/01/12 13:33:40 ii : - key length = 256 bits<br>
09/01/12 13:33:40 ii : - encap mode = udp-tunnel ( rfc )<br>09/01/12 13:33:40 ii : - msg auth = hmac-sha<br>09/01/12 13:33:40 ii : - pfs dh group = none<br>09/01/12 13:33:40 ii : - life seconds = 3600<br>09/01/12 13:33:40 ii : - life kbytes = 0<br>
09/01/12 13:33:40 DB : policy found<br>09/01/12 13:33:40 ii : received peer RESPONDER-LIFETIME notification<br>09/01/12 13:33:40 ii : - <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a> -> <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a><br>
09/01/12 13:33:40 ii : - ipsec-esp spi = 0x1efc8af8<br>09/01/12 13:33:40 ii : - data size 12<br>09/01/12 13:33:40 K> : send pfkey GETSPI ESP message<br>09/01/12 13:33:40 ii : phase2 ids accepted<br>09/01/12 13:33:40 ii : - loc ANY:192.168.113.64:* -> ANY:<a href="http://192.168.3.0/24:*" target="_blank">192.168.3.0/24:*</a><br>
09/01/12 13:33:40 ii : - rmt ANY:<a href="http://192.168.3.0/24:*" target="_blank">192.168.3.0/24:*</a> -> ANY:192.168.113.64:*<br>09/01/12 13:33:40 ii : phase2 sa established<br>09/01/12 13:33:40 ii : <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> <-> <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a><br>
09/01/12 13:33:40 == : phase2 hash_p ( input ) ( 45 bytes )<br>09/01/12 13:33:40 == : phase2 hash_p ( computed ) ( 20 bytes )<br>09/01/12 13:33:40 >> : hash payload<br>09/01/12 13:33:40 >= : cookies 0226893edab8a100:65da80a148909240<br>
09/01/12 13:33:40 >= : message a8c542ad<br>09/01/12 13:33:40 >= : encrypt iv ( 8 bytes )<br>09/01/12 13:33:40 == : encrypt packet ( 52 bytes )<br>09/01/12 13:33:40 == : stored iv ( 8 bytes )<br>09/01/12 13:33:40 DB : phase2 resend event canceled ( ref count = 1 )<br>
09/01/12 13:33:40 -> : send NAT-T:IKE packet <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> -> <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a> ( 84 bytes )<br>
09/01/12 13:33:40 == : spi cipher key data ( 32 bytes )<br>
09/01/12 13:33:40 == : spi hmac key data ( 20 bytes )<br>09/01/12 13:33:40 K> : send pfkey UPDATE ESP message<br>09/01/12 13:33:40 == : spi cipher key data ( 32 bytes )<br>09/01/12 13:33:40 == : spi hmac key data ( 20 bytes )<br>
09/01/12 13:33:40 K> : send pfkey UPDATE ESP message<br>09/01/12 13:33:40 K< : recv pfkey GETSPI ESP message<br>09/01/12 13:33:40 DB : phase2 found<br>09/01/12 13:33:40 K< : recv pfkey UPDATE ESP message<br>09/01/12 13:33:40 K< : recv pfkey UPDATE ESP message<br>
09/01/12 13:33:45 !! : failed to create IPSEC policy route for <a href="http://10.220.0.0/16" target="_blank">10.220.0.0/16</a><br>09/01/12 13:33:45 DB : policy added ( obj count = 4 )<br>09/01/12 13:33:45 K> : send pfkey X_SPDADD UNSPEC message<br>
09/01/12 13:33:45 ii : creating IPSEC INBOUND policy ANY:<a href="http://91.203.116.34/32:*" target="_blank">91.203.116.34/32:*</a> -> ANY:192.168.113.64:*<br>09/01/12 13:33:45 DB : policy added ( obj count = 5 )<br>09/01/12 13:33:45 K> : send pfkey X_SPDADD UNSPEC message<br>
09/01/12 13:33:45 ii : creating IPSEC OUTBOUND policy ANY:192.168.113.64:* -> ANY:<a href="http://91.203.116.34/32:*" target="_blank">91.203.116.34/32:*</a><br>09/01/12 13:33:45 K< : recv pfkey X_SPDADD UNSPEC message<br>
09/01/12 13:33:45 DB : policy found<br>
09/01/12 13:33:45 K< : recv pfkey X_SPDADD UNSPEC message<br>09/01/12 13:33:45 DB : policy found<br>09/01/12 13:33:48 DB : phase1 found<br>09/01/12 13:33:48 -> : send NAT-T:KEEP-ALIVE packet <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> -> <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a><br>
09/01/12 13:33:50 !! : failed to create IPSEC policy route for <a href="http://91.203.116.34/32" target="_blank">91.203.116.34/32</a><br>09/01/12 13:33:50 DB : policy added ( obj count = 6 )<br>09/01/12 13:33:50 K> : send pfkey X_SPDADD UNSPEC message<br>
09/01/12 13:33:50 ii : split DNS bypassed ( no split domains defined )<br>09/01/12 13:33:50 K< : recv pfkey X_SPDADD UNSPEC message<br>09/01/12 13:33:50 DB : policy found<br>09/01/12 13:34:04 DB : phase1 found<br>09/01/12 13:34:04 -> : send NAT-T:KEEP-ALIVE packet <a href="http://192.168.0.199:4500" target="_blank">192.168.0.199:4500</a> -> <a href="http://195.159.111.66:4500" target="_blank">195.159.111.66:4500</a><br>
<br>
<br>_______________________________________________<br>
vpn-help mailing list<br>
<a href="mailto:vpn-help@lists.shrew.net">vpn-help@lists.shrew.net</a><br>
<a href="http://lists.shrew.net/mailman/listinfo/vpn-help" target="_blank">http://lists.shrew.net/mailman/listinfo/vpn-help</a><br>
<br></blockquote></div><br></div>