Hi,<div> I need some help getting the Shrew client on Windows 7 to connect to a Juniper NetScreen SSG 320 firewall.</div><div>I am using Shrew 2.1.6-beta 10 (I also tried 2.1.5 and had no luck).</div><div>I followed the instructions from <a href="http://www.shrew.net/support/wiki/HowtoJuniperSsg">http://www.shrew.net/support/wiki/HowtoJuniperSsg</a></div>
<div><br></div><div>The error I get from the Shrew client is "user authentication error". Looking at the NetScreen debug output, I see that Xauth is accessed twice, first successfully and then a 2nd time which fails -- not sure why this happens.</div>
<div><br></div><div>Note: I can't get the trace log working on Windows 7. Is this a known problem?</div><div><br></div><div>Thanks,</div><div>Neal</div><div><br></div><div>NetScreen diagnostic output:</div><div><br></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: medium; border-collapse: collapse; "><div id=":2k" class="ii gt" style="font-size: 13px; margin-top: 5px; margin-right: 15px; margin-bottom: 5px; margin-left: 15px; padding-bottom: 20px; ">
mycorp:SSG320M(M)-> debug ike detail<br>mycorp:SSG320M(M)-> ## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike<br>packet, len 542, action 1<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 514<br>
bytes from socket.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if<br><ethernet0/2> of vsys <Root> ******<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 514 bytes.<br>
src port 500<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 514,<br>nxp 1[SA], exch 4[AG], flag 00<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv : [SA] [KE] [NONCE]<br>[ID] [VID] [VID] [VID] [VID] [VID]<br>
## 2010-07-23 02:21:26 : [VID] [VID] [VID] [VID] [VID] [VID] [VID]<br>## 2010-07-23 02:21:26 : valid id checking, id type:FQDN, len:30.<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > Validate (486):<br>SA/60 KE/132 NONCE/24 ID/30 VID/12 VID/20 VID/20 VID/20 VID/20<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Receive Id in AG mode,<br>id-type=2, id=clientvpn.mycorp.com, idlen = 22<br>
## 2010-07-23 02:21:26 : IKE<118.175.66.109> peer <Gateway for<br>10.0.0.0/24> has static ip.<br>## 2010-07-23 02:21:26 : locate peer entry for<br>
(2/clientvpn.mycorp.com), by identity.<br>## 2010-07-23 02:21:26 : locate peer entry for<br>(2/clientvpn.mycorp.com), by identity.<br>
## 2010-07-23 02:21:26 : Found identity<clientvpn.mycorp.com> in<br>group <4> user id <8>.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Found peer entry<br>
(dynamicvpnGW) from 124.xxx.xxx.214.<br>## 2010-07-23 02:21:26 : responder create sa: 124.xxx.xxx.214->209.3.41.90<br>## 2010-07-23 02:21:26 : init p1sa, pidt = 0x0<br>## 2010-07-23 02:21:26 : change peer identity for p1 sa, pidt = 0x0<br>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 ><br>peer_identity_create_with_uid: uid<0><br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > create peer identity 0x7486914<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 ><br>
peer_identity_add_to_peer: num entry before add <1><br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 ><br>peer_identity_add_to_peer: num entry after add <2><br>## 2010-07-23 02:21:26 : peer identity 7486914 created.<br>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > EDIPI disabled<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> getProfileFromP1Proposal-><br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> find<br>profile[0]=<00000005 00000002 00000001 00000002> for p1 proposal (id<br>
5), xauth(1)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> find<br>profile[1]=<00000007 00000002 00000001 00000002> for p1 proposal (id<br>7), xauth(1)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> find<br>
profile[2]=<00000007 00000001 00000001 00000002> for p1 proposal (id<br>6), xauth(1)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> find<br>profile[3]=<00000005 00000001 00000001 00000002> for p1 proposal (id<br>
4), xauth(1)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> responder create sa:<br>124.xxx.xxx.214->209.3.41.90<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1: Responder<br>starts AGGRESSIVE mode negotiations.<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> AG in state OAK_AG_NOSTATE.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:<br>
## 2010-07-23 02:21:26 : 09 00 26 89 df d6 b7 12<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv XAUTH v6.0 vid<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:<br>
## 2010-07-23 02:21:26 : 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv NAT-Traversal VID<br>payload (draft-ietf-ipsec-nat-t-ike-00).<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:<br>## 2010-07-23 02:21:26 : 16 f6 ca 16 e4 a4 06 6d 83 82 1a 0f 0a ea a8 62<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID payload.<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:<br>## 2010-07-23 02:21:26 : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv NAT-Traversal VID<br>
payload (draft-ietf-ipsec-nat-t-ike-02).<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:<br>## 2010-07-23 02:21:26 : 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID payload.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:<br>
## 2010-07-23 02:21:26 : 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID payload.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:<br>## 2010-07-23 02:21:26 : 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3<br>## 2010-07-23 02:21:26 : 80 00 00 00<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> receive unknown vendor ID payload<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:<br>## 2010-07-23 02:21:26 : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:<br>## 2010-07-23 02:21:26 : f1 4b 94 b7 bf f1 fe f0 27 73 b8 c4 9f ed ed 26<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID payload.<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:<br>## 2010-07-23 02:21:26 : 16 6f 93 2d 55 eb 64 d8 e4 df 4f d3 7e 23 13 f0<br>## 2010-07-23 02:21:26 : d0 fd 84 51<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> receive unknown vendor ID payload<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:<br>
## 2010-07-23 02:21:26 : 84 04 ad f9 cd a0 57 60 b2 ca 29 2e 4b ff 53 7b<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID payload.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [VID]:<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Vendor ID:<br>## 2010-07-23 02:21:26 : 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> rcv non-NAT-Traversal VID payload.<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [SA]:<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Proposal received: xauthflag 1<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> auth(1)<PRESHRD>,<br>
encr(7)<AES>, hash(2)<SHA>, group(2), keylen(128)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth attribute: initiator<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> [0] expect: xauthflag 3<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> auth(1)<PRESHRD>,<br>encr(5)<3DES>, hash(2)<SHA>, group(2)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth attribute: responder<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1 proposal [1] selected.<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> SA Life Type = seconds<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> SA lifetime (TLV) = 86400<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > dh group 2<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> DH_BG_consume OK. p1 resp<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [KE]:<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> processing ISA_KE in phase 1.<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [NONCE]:<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> processing NONCE in phase 1.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [ID]:<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ID received:<br>type=ID_FQDN, FQDN = clientvpn.mycorp.com, port=0, protocol=0<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> process_id need to<br>update peer entry, cur <dynamicvpnGW>.<br>## 2010-07-23 02:21:26 : IKE<118.175.66.109> peer <Gateway for<br>10.0.0.0/24> has static ip.<br>
## 2010-07-23 02:21:26 : locate peer entry for<br>(2/clientvpn.mycorp.com), by identity.<br>## 2010-07-23 02:21:26 : locate peer entry for<br>
(2/clientvpn.mycorp.com), by identity.<br>## 2010-07-23 02:21:26 : Found identity<clientvpn.mycorp.com> in<br>
group <4> user id <8>.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Dynamic peer IP addr,<br>search peer by identity.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> peer gateway entry has<br>
no peer id configured<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ID processed. return 0.<br>sa->p1_state = 0.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> need to wait for offline<br>p1 DH work done.<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI<br>state<0> IKE state<0/281280a><br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > finished job pkaidx<br><0> dh_len<128> dmax<64><br>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > finished job<br>d<d35db216><230c4b5><ff9b7c7e><f9658ec0><br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> AG in state OAK_AG_NOSTATE.<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> re-enter AG after offline DH done<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1 AG Responder<br>constructing 2nd message.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct ISAKMP header.<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Msg header built (next payload #1)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [SA] for ISAKMP<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> auth(1)<PRESHRD>,<br>
encr(7)<AES>, hash(2)<SHA>, group(2), keylen(128)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth attribute: disabled<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> lifetime/lifesize (86400/0)<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct NetScreen [VID]<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct custom [VID]<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct custom [VID]<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct custom [VID]<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [KE] for ISAKMP<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [NONCE]<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> gen_skeyid()<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> gen_skeyid: returning 0<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [ID] for ISAKMP<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Use swan4.mycorp.com as IKE p1 ID.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [HASH]<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Use swan4.mycorp.com as IKE p1 ID.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ID, len=22, type=2,<br>
pro=17, port=500,<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214><br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct NAT-T [VID]: draft 2<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder psk ag mode:<br>
natt vid constructed.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> responder (psk)<br>constructing remote NAT-D<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [NATD]<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> responder (psk)<br>
constructing local NAT-D<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [NATD]<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> throw packet to the<br>peer, paket_len=462<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Xmit : [SA] [VID] [VID]<br>
[VID] [VID] [KE] [NONCE] [ID] [HASH]<br>## 2010-07-23 02:21:26 : [VID] [NATD] [NATD]<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder sending IPv4<br>IP 124.xxx.xxx.214/port 500<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Send Phase 1 packet (len=462)<br>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > from FLOAT port.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike packet, len 140, action 0<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 112<br>
bytes from socket.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if<br><ethernet0/2> of vsys <Root> ******<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 112 bytes.<br>
src port 4500<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 108,<br>nxp 8[HASH], exch 4[AG], flag 01 E<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Decrypting payload (length 80)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv*: [HASH] [NATD] [NATD]<br>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > extract payload (80):<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> AG in state OAK_AG_INIT_EXCH.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [NATD]:<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [NATD]:<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [HASH]:<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ID, len=26, type=2, pro=0, port=0,<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214><br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> completing Phase 1<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> sa_pidt = 7486914<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> adjusting phase 1 hash<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> found existing peer identity 0<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1: Completed for<br>ip <124.xxx.xxx.214>, user<clientvpn.mycorp.com>><br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Phase 1: Completed<br>Aggressive mode negotiation with a <28800>-second lifetime.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth is started:<br>server, p1responder, aggr mode.<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> start_xauth()<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> start_xauth(): as:0 ac:-1 enable:1<br><br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:<br>
accounting server id 0 (use auth server as acct server).<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:<br>xauthstatus 20.<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr<br>
type 16520, val 0 added, len 0.<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr<br>type 16521, val empty string, type <16521> added, len 0.<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr<br>
type 16522, val empty string, type <16522> added, len 0.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Create conn entry...<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...done(new d2bb137d)<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct ISAKMP header.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Msg header built (next payload #8)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [HASH]<br>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute payload:<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength<br>20, type 1, identifier 58155.<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > basic attr type 16520, valint 0<br>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type<br>16521, vallen 0, valstr empty string, type <16521><br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type<br>16522, vallen 0, valstr empty string, type <16522><br>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 ><br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> construct QM HASH<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Xmit*: [HASH] [IKECFG]<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Encrypt P2 payload (len 72)<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder sending IPv4<br>IP 124.xxx.xxx.214/port 4500<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Send Phase 2 packet (len=76)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg packet sent.<br>
msgid d2bb137d, len: 72, peer<124.xxx.xxx.214><br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth status updated by<br>state machine: 20<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI<br>
state<0> IKE state<6/1097182f><br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > from FLOAT port.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike packet, len 124, action 0<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 96<br>
bytes from socket.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if<br><ethernet0/2> of vsys <Root> ******<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 96 bytes.<br>
src port 4500<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 92,<br>nxp 8[HASH], exch 5[INFO], flag 01 E<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Create conn entry...<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...done(new 7a3a0581)<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Decrypting payload (length 64)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv*: [HASH] [NOTIF]<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Need to pass XAUTH<br>
first. Silently Discard packet.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Delete conn entry...<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...found conn entry(81053a7a)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI<br>
state<0> IKE state<6/1097182f><br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > from FLOAT port.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike packet, len 124, action 0<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 96<br>
bytes from socket.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if<br><ethernet0/2> of vsys <Root> ******<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 96 bytes.<br>
src port 4500<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 92,<br>nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Decrypting payload (length 64)<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv*: [HASH] [IKECFG]<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [IKECFG]:<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> processing IKECFG<br>
payload. msgid d2bb137d, msgtype 2, payload ID 58155<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute payload:<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength<br>
32, type 2, identifier 58155.<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > basic attr type 16520, valint 0<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type<br>16521, vallen 4, valstr nea<br>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type<br>16522, vallen 8, valstr testtes<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 ><br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr<br>
type 16520, val 0 added, len 0.<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr<br>type 16521, val nea added, len 4.<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr<br>
type 16522, val testtes added, len 8.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server got type: 16520 v<0><br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server got var type: 16521<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server got var type: 16522<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server entering<br>state machine: 20<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:<br>
accounting server id 0 (use auth server as acct server).<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:<br>xauthstatus 20.<br><br><br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_auth_pap: authing<br>
locally: uname neal, passwd mypassword SUCCESS<br><======== SUCCESS<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Get config for client(local auth)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214><br>
ikecfg_assign_client_cfg(): Sa->ip_addr = 0x0<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> getting xauth local user<br><neal> remote setting<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> getting xauth local user<br>
IP from pool <dynippool><br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Don't do xauth RADIUS<br>accounting. Send cfg to client directly.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg_send_client_cfg:<br>
ip 192.168.73.10, v4mask 255.255.255.255 dns1 192.168.1.100, dns2<br>0.0.0.0, win1 0.0.0.0, win2 0.0.0.0<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg_send_client_cfg<br>v6: id ::, prefix ::/0<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg_send_client_cfg<br>
v6: dns1 ::, dns2 ::, win1 ::, win2 ::<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr<br>type 1, val 192.168.73.10 added, len 4.<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr<br>
type 2, val 255.255.255.255 added, len 4.<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr<br>type 3, val 192.168.1.100 added, len 4.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Create conn entry...<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...done(new 988f8a06)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct ISAKMP header.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Msg header built (next payload #8)<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [HASH]<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute payload:<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength<br>
32, type 3, identifier 58155.<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 1,<br>vallen 4, valstr 192.168.73.10<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 2,<br>
vallen 4, valstr 255.255.255.255<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 3,<br>vallen 4, valstr 192.168.1.100<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 ><br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> construct QM HASH<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Xmit*: [HASH] [IKECFG]<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Encrypt P2 payload (len 84)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder sending IPv4<br>
IP 124.xxx.xxx.214/port 4500<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Send Phase 2 packet (len=92)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg packet sent.<br>msgid 988f8a06, len: 84, peer<124.xxx.xxx.214><br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth status updated by<br>state machine: 90<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI<br>state<0> IKE state<6/1097182f><br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > from FLOAT port.<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ike packet, len 108, action 0<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: received 80<br>bytes from socket.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ****** Recv packet if<br>
<ethernet0/2> of vsys <Root> ******<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Catcher: get 80 bytes.<br>src port 4500<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ISAKMP msg: len 76,<br>
nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Decrypting payload (length 48)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Recv*: [HASH] [IKECFG]<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Process [IKECFG]:<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> processing IKECFG<br>payload. msgid 988f8a06, msgtype 4, payload ID 58155<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute payload:<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength<br>
16, type 4, identifier 58155.<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 3,<br>vallen 0, valstr 0.4.0.0<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type 4,<br>vallen 0, valstr 0.0.0.0<br>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 ><br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr<br>type 3, val 0.0.0.0 added, len 0.<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr<br>
type 4, val 0.0.0.0 added, len 0.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth server entering<br>state machine: 90<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:<br>accounting server id 0 (use auth server as acct server).<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_process_server:<br>xauthstatus 90.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth status updated by<br>state machine: -1<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > ikecfg list add attr<br>
type 16527, val 0 added, len 0.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Create conn entry...<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ...done(new a14298f9)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct ISAKMP header.<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Msg header built (next payload #8)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Construct [HASH]<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute payload:<br>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength<br>12, type 3, identifier 58155.<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 > basic attr type 16527, valint 0<br>## 2010-07-23 02:21:26 : IKE<0.0.0.0 ><br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> construct QM HASH<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Xmit*: [HASH] [IKECFG]<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Encrypt P2 payload (len 64)<br>
## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Responder sending IPv4<br>IP 124.xxx.xxx.214/port 4500<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> Send Phase 2 packet (len=76)<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> ikecfg packet sent.<br>
msgid a14298f9, len: 64, peer<124.xxx.xxx.214><br><br><br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_failed()<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth login FAILED. gw<br><dynamicvpnGW>, username <neal>, retry: 0, timeout: 1<br>
<============= FAIL<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> xauth_cleanup()<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE Xauth: release<br>prefix route, ret=<-2>.<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> XAUTH-failed: clear p2sa<br>
for p1sa(0x2455dbc).<br>## 2010-07-23 02:21:26 : IKE<124.xxx.xxx.214> IKE msg done: PKI<br>state<0> IKE state<6/1097182f><br>## 2010-07-23 02:21:27 : IKE<0.0.0.0 > from FLOAT port.<br>## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> ike packet, len 124, action 0<br>
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Catcher: received 96<br>bytes from socket.<br>## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> ****** Recv packet if<br><ethernet0/2> of vsys <Root> ******<br>
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Catcher: get 96 bytes.<br>src port 4500<br>## 2010-07-23 02:21:27 : IKE<0.0.0.0 > ISAKMP msg: len 92,<br>nxp 8[HASH], exch 5[INFO], flag 01 E<br>## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Create conn entry...<br>
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> ...done(new f032721f)<br>## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Decrypting payload (length 64)<br>## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Recv*: [HASH] [DELETE]<br>
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Process [DELETE]:<br>## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> DELETE payload received,<br>deleting Phase-1 SA<br>## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> Delete conn entry...<br>
## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> ...found conn entry(1f7232f0)<br>## 2010-07-23 02:21:27 : IKE<124.xxx.xxx.214> IKE msg done: PKI<br>state<0> IKE state<6/1097182f><br>## 2010-07-23 02:21:28 : IKE<0.0.0.0 > dh group 2<br>
## 2010-07-23 02:21:28 : IKE<0.0.0.0 > finished job pkaidx<br><0> dh_len<128> dmax<64><br>## 2010-07-23 02:21:28 : IKE<0.0.0.0 > finished job<br>d<900357c1><692e110e><f1a1c30d><c028dc1a><br>
## 2010-07-23 02:21:28 : IKE<0.0.0.0 > BN, top32 dmax64 zero<no><br>## 2010-07-23 02:21:29 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg<br>transmit timer expired. re-trans msgid<a14298f9><br>## 2010-07-23 02:21:29 : IKE<124.xxx.xxx.214> bad sa, can't send request<br>
## 2010-07-23 02:21:31 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg<br>transmit timer expired. re-trans msgid<a14298f9><br>## 2010-07-23 02:21:31 : IKE<124.xxx.xxx.214> bad sa, can't send request<br>## 2010-07-23 02:21:33 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg<br>
transmit timer expired. re-trans msgid<a14298f9><br>## 2010-07-23 02:21:33 : IKE<124.xxx.xxx.214> bad sa, can't send request<br>## 2010-07-23 02:21:35 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg<br>transmit timer expired. re-trans msgid<a14298f9><br>
## 2010-07-23 02:21:35 : IKE<124.xxx.xxx.214> bad sa, can't send request<br>## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> ignore_ack: ikecfg<br>transmit timer expired. re-trans msgid<a14298f9><br>## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> bad sa, can't send request<br>
## 2010-07-23 02:21:37 : reap_db. deleting p1sa 2455dbc<br>## 2010-07-23 02:21:37 : terminate_SA: trying to delete SA cause: 0 cond: 2<br>## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> Delete conn entry...<br>## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> ...found conn entry(f99842a1)<br>
## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> Delete conn entry...<br>## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> ...found conn entry(068a8f98)<br>## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> Delete conn entry...<br>
## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> ...found conn entry(7d13bbd2)<br>## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> xauth_cleanup()<br>## 2010-07-23 02:21:37 : IKE<124.xxx.xxx.214> Done cleaning up IKE Phase 1 SA<br>
## 2010-07-23 02:21:37 : peer_identity_unregister_p1_sa.<br>## 2010-07-23 02:21:37 : IKE<0.0.0.0 > delete peer identity 0x7486914<br>## 2010-07-23 02:21:37 : IKE<0.0.0.0 ><br>peer_identity_remove_from_peer: num entry before remove <2><br>
## 2010-07-23 02:21:37 : peer_idt.c peer_identity_unregister_p1_sa<br>682: pidt deleted.<br></div><div><br></div><div class="hq gt" style="font-size: 13px; margin-top: 5px; margin-right: 15px; margin-bottom: 15px; margin-left: 15px; clear: both; ">
</div></span></div>
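An added example, not part of the original post: a small Python parser that rejoins the wrapped `debug ike detail` records and lists the mode-config/XAUTH exchange in order, naming each attribute number and masking the user name and password values so the timeline can be shared. The function names `records` and `xauth_timeline` are hypothetical, the sample lines are constructed in the format of the output above, and the attribute names are taken from the ISAKMP mode-config and IKE XAUTH drafts.

```python
import re

# ISAKMP mode-config message types, plus the attribute numbers that appear in
# the log (1-4 from mode-config, 165xx from the IKE XAUTH draft).
CFG_TYPES = {1: "REQUEST", 2: "REPLY", 3: "SET", 4: "ACK"}
ATTRS = {
    1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
    3: "INTERNAL_IP4_DNS", 4: "INTERNAL_IP4_NBNS",
    16520: "XAUTH_TYPE", 16521: "XAUTH_USER_NAME",
    16522: "XAUTH_USER_PASSWORD", 16527: "XAUTH_STATUS",
}
SECRET_ATTRS = {16521, 16522}  # values that must not be echoed

RECORD = re.compile(r"^## (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) : ?(.*)$")
HEADER = re.compile(r"payloadlength (\d+), type (\d+), identifier (\d+)")
ATTR = re.compile(r"(?:basic|variable) attr type (\d+), "
                  r"(?:valint (\S+)|vallen (\d+), valstr (.*))")
STATE = re.compile(r"xauth status updated by state machine: (-?\d+)")
PAP = re.compile(r"xauth_auth_pap: .*uname \S+, passwd \S+ (\w+)")
FAILED = re.compile(r"xauth login FAILED")

# Constructed sample in the format of the output above (all values made up).
SAMPLE = """\
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
20, type 1, identifier 58155.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > basic attr type 16520, valint 0
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
16521, vallen 0, valstr empty string, type <16521>
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
16522, vallen 0, valstr empty string, type <16522>
## 2010-07-23 02:21:26 : IKE<192.0.2.10> xauth status updated by
state machine: 20
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
32, type 2, identifier 58155.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > basic attr type 16520, valint 0
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
16521, vallen 5, valstr alice
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > variable attr type
16522, vallen 12, valstr example-pass
## 2010-07-23 02:21:26 : IKE<192.0.2.10> xauth_auth_pap: authing
locally: uname alice, passwd example-pass SUCCESS
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > next: 0, payloadlength
12, type 3, identifier 58155.
## 2010-07-23 02:21:26 : IKE<0.0.0.0 > basic attr type 16527, valint 0
## 2010-07-23 02:21:26 : IKE<192.0.2.10> xauth login FAILED. gw
<dynamicvpnGW>, username <alice>, retry: 0, timeout: 1
"""


def records(text):
    """Rejoin console-wrapped lines into (timestamp, message) records."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            out.append([m.group(1), m.group(2).strip()])
        elif out and line.strip():
            # Continuation of the previous record (wrapped by the console).
            out[-1][1] += " " + line.strip()
    return [(ts, msg) for ts, msg in out]


def xauth_timeline(text):
    """Return the ordered mode-config/XAUTH events with secrets masked."""
    events, payload = [], None
    for ts, msg in records(text):
        if m := HEADER.search(msg):
            kind = CFG_TYPES.get(int(m.group(2)), "type " + m.group(2))
            payload = {"ts": ts, "cfg": kind, "attrs": []}
            events.append(payload)
        elif (m := ATTR.search(msg)) and payload is not None:
            num = int(m.group(1))
            if m.group(2) is not None:          # basic attribute
                value = m.group(2)
            else:                               # variable attribute
                value = m.group(4) if int(m.group(3)) else ""
            if num in SECRET_ATTRS and value:
                value = "<redacted>"
            payload["attrs"].append((ATTRS.get(num, str(num)), value))
        elif m := STATE.search(msg):
            events.append({"ts": ts, "state": int(m.group(1))})
            payload = None
        elif m := PAP.search(msg):
            # Keep only the result; the record itself carries the password.
            events.append({"ts": ts, "pap": m.group(1)})
            payload = None
        elif FAILED.search(msg):
            events.append({"ts": ts, "login": "FAILED"})
            payload = None
    return events


if __name__ == "__main__":
    for event in xauth_timeline(SAMPLE):
        print(event)
```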