Windows 7 Dial Up Client <=========> SSG 350
192.168.11.3                         192.168.11.1

esc-igs-fw-> get db stream
## 2011-01-28 14:28:02 : IKE<192.168.11.3> ike packet, len 1245, action 1
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Catcher: received 1217 bytes from socket.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> ****** Recv packet if of vsys ******
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Catcher: get 1217 bytes. src port 500
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > ISAKMP msg: len 1217, nxp 1[SA], exch 4[AG], flag 00
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > Recv : [SA] [KE] [NONCE] [CERT-REQ] [ID] [VID] [VID] [VID] [VID]
## 2011-01-28 14:28:02 : [VID] [VID] [VID] [VID] [VID] [VID] [VID] [VID]
## 2011-01-28 14:28:02 : valid id checking, id type:ASN1_DN, len:72.
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > Validate (1189): SA/716 KE/132 NONCE/24 CERT-REQ..5/5 ID/72 VID/12 VID/20 VID/20
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Receive Id (type=DN) in AG mode, retrieve DN=Email=uhb2@ref2.esa.int,OU=ESA,CN=UHB , idlen = 38
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > peer dn has 3 elements.
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > compare user id<14>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: input
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <0>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<00000001>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <0><8bfff5a4>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <1>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<00000002>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <1><8bfff5ab>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <2>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: string len<2>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <2><00000000>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <3>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: string len<2>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <3><00000000>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <4>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: remaining after = bad for .
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <4><00000000>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <5>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: string len<2>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <5><00000000>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <6>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<00000040>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <6><8bfff5bf>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <7>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: remaining after = bad for .
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <7><00000000>.
## 2011-01-28 14:28:02 : normalize_one_elem: input
## 2011-01-28 14:28:02 : normalize_one_elem: content
## 2011-01-28 14:28:02 : normalize_one: A temp in_len<3>
## 2011-01-28 14:28:02 : normalize_one: temp len<7>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<0> elemlen<7>
## 2011-01-28 14:28:02 : normalize_one_elem: input
## 2011-01-28 14:28:02 : normalize_one_elem: content
## 2011-01-28 14:28:02 : normalize_one: A temp in_len<3>
## 2011-01-28 14:28:02 : normalize_one: temp len<7>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<1> elemlen<14>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> elemlen<17>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> elemlen<20>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> elemlen<24>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> elemlen<27>
## 2011-01-28 14:28:02 : normalize_one_elem: input
## 2011-01-28 14:28:02 : normalize_one_elem: content
## 2011-01-28 14:28:02 : normalize_one: A temp in_len<17>
## 2011-01-28 14:28:02 : normalize_one: temp len<24>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<6> elemlen<51>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> elemlen<55>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: resultlen<55>ret<0>
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > ct:CN=UHB
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > ct:OU=ESA
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > ct:Email=uhb2@ref2.esa.int
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > count_num_required_elems: ret num elem<3>.
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > no container identity requirement.
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > wild card identity matched.
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > ID match found.
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > user id found<14>.
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > group id found<10>.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Found peer entry (VPN_P1_GW) from 192.168.11.3.
## 2011-01-28 14:28:02 : responder create sa: 192.168.11.3->192.168.11.1
## 2011-01-28 14:28:02 : init p1sa, pidt = 0x0
## 2011-01-28 14:28:02 : change peer identity for p1 sa, pidt = 0x0
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > peer_identity_create_with_uid: uid<0>
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > create peer identity 0x84ce450
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry before add <1>
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry after add <2>
## 2011-01-28 14:28:02 : peer identity 84ce450 created.
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > EDIPI disabled
## 2011-01-28 14:28:02 : IKE<192.168.11.3> getProfileFromP1Proposal->
## 2011-01-28 14:28:02 : IKE<192.168.11.3> find profile[0]=<00000005 00000002 00000003 00000002> for p1 proposal (id 11), xauth(1)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> responder create sa: 192.168.11.3->192.168.11.1
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Phase 1: Responder starts AGGRESSIVE mode negotiations.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> AG in state OAK_AG_NOSTATE.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > Vendor ID:
## 2011-01-28 14:28:02 : 09 00 26 89 df d6 b7 12
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv XAUTH v6.0 vid
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > Vendor ID:
## 2011-01-28 14:28:02 : 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-00).
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > Vendor ID:
## 2011-01-28 14:28:02 : 16 f6 ca 16 e4 a4 06 6d 83 82 1a 0f 0a ea a8 62
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv non-NAT-Traversal VID payload.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > Vendor ID:
## 2011-01-28 14:28:02 : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-02).
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > Vendor ID:
## 2011-01-28 14:28:02 : 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv non-NAT-Traversal VID payload.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > Vendor ID:
## 2011-01-28 14:28:02 : 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv non-NAT-Traversal VID payload.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > Vendor ID:
## 2011-01-28 14:28:02 : 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
## 2011-01-28 14:28:02 : 80 00 00 00
## 2011-01-28 14:28:02 : IKE<192.168.11.3> receive unknown vendor ID payload
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > Vendor ID:
## 2011-01-28 14:28:02 : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > Vendor ID:
## 2011-01-28 14:28:02 : f1 4b 94 b7 bf f1 fe f0 27 73 b8 c4 9f ed ed 26
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv non-NAT-Traversal VID payload.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > Vendor ID:
## 2011-01-28 14:28:02 : 16 6f 93 2d 55 eb 64 d8 e4 df 4f d3 7e 23 13 f0
## 2011-01-28 14:28:02 : d0 fd 84 51
## 2011-01-28 14:28:02 : IKE<192.168.11.3> receive unknown vendor ID payload
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > Vendor ID:
## 2011-01-28 14:28:02 : 84 04 ad f9 cd a0 57 60 b2 ca 29 2e 4b ff 53 7b
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv non-NAT-Traversal VID payload.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > Vendor ID:
## 2011-01-28 14:28:02 : 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv non-NAT-Traversal VID payload.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [SA]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(7), hash(1), group(2), keylen(256)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(7), hash(2), group(2), keylen(256)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(7), hash(1), group(2), keylen(192)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(7), hash(2), group(2), keylen(192)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(7), hash(1), group(2), keylen(128)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(7), hash(2), group(2), keylen(128)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> P1 attributes not supported.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> P1 attributes not supported.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> P1 attributes not supported.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> P1 attributes not supported.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> P1 attributes not supported.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> P1 attributes not supported.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(1), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Phase 1 proposal [0] selected.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> SA Life Type = seconds
## 2011-01-28 14:28:02 : IKE<192.168.11.3> SA lifetime (TLV) = 86400
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > dh group 2
## 2011-01-28 14:28:02 : IKE<192.168.11.3> DH_BG_consume OK. p1 resp
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [KE]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3> processing ISA_KE in phase 1.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [NONCE]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3> processing NONCE in phase 1.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [ID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3> ID received: type=ID_DER_ASN1_DN, DN = Email=uhb2@ref2.esa.int,OU=ESA,CN=UHB, port = 0, protocol=0
## 2011-01-28 14:28:02 : IKE<192.168.11.3> process_id need to update peer entry, cur .
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > peer dn has 3 elements.
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > compare user id<14>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: input
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <0>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<00000001>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <0><8bffee7c>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <1>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<00000002>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <1><8bffee83>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <2>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: string len<2>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <2><00000000>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <3>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: string len<2>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <3><00000000>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <4>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: remaining after = bad for .
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <4><00000000>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <5>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: string len<2>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <5><00000000>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <6>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<00000040>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <6><8bffee97>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <7>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: remaining after = bad for .
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got <7><00000000>.
## 2011-01-28 14:28:02 : normalize_one_elem: input
## 2011-01-28 14:28:02 : normalize_one_elem: content
## 2011-01-28 14:28:02 : normalize_one: A temp in_len<3>
## 2011-01-28 14:28:02 : normalize_one: temp len<7>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<0> elemlen<7>
## 2011-01-28 14:28:02 : normalize_one_elem: input
## 2011-01-28 14:28:02 : normalize_one_elem: content
## 2011-01-28 14:28:02 : normalize_one: A temp in_len<3>
## 2011-01-28 14:28:02 : normalize_one: temp len<7>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<1> elemlen<14>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> elemlen<17>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> elemlen<20>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> elemlen<24>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> elemlen<27>
## 2011-01-28 14:28:02 : normalize_one_elem: input
## 2011-01-28 14:28:02 : normalize_one_elem: content
## 2011-01-28 14:28:02 : normalize_one: A temp in_len<17>
## 2011-01-28 14:28:02 : normalize_one: temp len<24>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<6> elemlen<51>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> elemlen<55>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: resultlen<55>ret<0>
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > ct:CN=UHB
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > ct:OU=ESA
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > ct:Email=uhb2@ref2.esa.int
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > count_num_required_elems: ret num elem<3>.
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > no container identity requirement.
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > wild card identity matched.
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > ID match found.
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > user id found<14>.
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > group id found<10>.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Dynamic peer IP addr, search peer by identity.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> peer gateway entry has no peer id configured
## 2011-01-28 14:28:02 : IKE<192.168.11.3> ID processed. return 0. sa->p1_state = 0.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [CERT-REQ..5]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3> processing ISA_CERT_REQ starts, type=4.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> process_cert_req done.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> need to wait for offline p1 DH work done.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> IKE msg done: PKI state<0> IKE state<0/281290a>
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > finished job pkaidx <0> dh_len<128> dmax<64>
## 2011-01-28 14:28:02 : IKE<0.0.0.0 > finished job d<33045e5c><17a0bb5d>
## 2011-01-28 14:28:02 : IKE<192.168.11.3> AG in state OAK_AG_NOSTATE.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> re-enter AG after offline DH done
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Phase 1 AG Responder constructing 2nd message.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct ISAKMP header.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Msg header built (next payload #1)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [SA] for ISAKMP
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3), encr(5)<3DES>, hash(2), group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: disabled
## 2011-01-28 14:28:02 : IKE<192.168.11.3> lifetime/lifesize (86400/0)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct NetScreen [VID]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct custom [VID]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct custom [VID]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct custom [VID]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [KE] for ISAKMP
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [NONCE]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> gen_skeyid()
## 2011-01-28 14:28:02 : IKE<192.168.11.3> gen_skeyid: returning 0
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [ID] for ISAKMP
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Use FQDN "ref2.esa.int" in local certificate subject alternative name as IKE p1 ID.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [CERT]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> construct_cert(), first cert.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> construct_cert(), cert type = 4, certlen = 1090
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Direct CA, peer wants X509, will send one X509 cert.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> one X509 cert
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Responder constructing cert req
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [CERT-REQ]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct NAT-T [VID]: draft 2
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Responder rsa sig ag mode: natt vid constructed.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> responder (pki) constructing remote NAT-D
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [NATD]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> responder (pki) constructing local NAT-D
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [NATD]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [SIG]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> constructing RSA signature.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Use FQDN "ref2.esa.int" in local certificate subject alternative name as IKE p1 ID.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> ID, len=16, type=2, pro=17, port=500,
## 2011-01-28 14:28:02 : IKE<192.168.11.3>
## 2011-01-28 14:28:02 : IKE<192.168.11.3>
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > digest when construct sig
## 2011-01-28 14:28:02 : 6d 46 eb 8f d7 43 d0 bb c0 7b 95 87 e5 25 bd 9b
## 2011-01-28 14:28:02 : 8e cb fa f4 00 00 00 00 d1 7e 37 00 40 51 82 03
## 2011-01-28 14:28:02 : IKE<192.168.11.3> throw packet to the peer, paket_len=1776
## 2011-01-28 14:28:02 : IKE<192.168.11.3 > Xmit : [SA] [VID] [VID] [VID] [VID] [KE] [NONCE] [ID] [CERT]
## 2011-01-28 14:28:02 : [CERT-REQ] [VID] [NATD] [NATD] [SIG]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Responder sending IPv4 IP 192.168.11.3/port 500
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Send Phase 1 packet (len=1776)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ike packet, len 1912, action 0
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Catcher: received 1884 bytes from socket.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ****** Recv packet if of vsys ******
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Catcher: get 1884 bytes. src port 500
## 2011-01-28 14:28:03 : IKE<0.0.0.0 > ISAKMP msg: len 1884, nxp 6[CERT], exch 4[AG], flag 01 E
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Decrypting payload (length 1856)
## 2011-01-28 14:28:03 : IKE<192.168.11.3 > Recv*: [CERT] [SIG] [NATD] [NATD]
## 2011-01-28 14:28:03 : IKE<0.0.0.0 > extract payload (1856):
## 2011-01-28 14:28:03 : IKE<192.168.11.3> AG in state OAK_AG_INIT_EXCH.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [NATD]:
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [NATD]:
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [CERT]:
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Processing CERT payload. Cert Type = 4, Cert Length = 1281.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> IKE msg done: PKI state<1> IKE state<5/1097191f>
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ike packet, len 112, action 0
## 2011-01-28 14:28:03 : IKE<0.0.0.0 > I got hit by mail. 1
## 2011-01-28 14:28:03 : IKE<0.0.0.0 > message from PKI, msg id=f001
## 2011-01-28 14:28:03 : IKE<192.168.11.3> enter PKI_CID_VERIFY_CERT_RSP
## 2011-01-28 14:28:03 : IKE<192.168.11.3> AG in state OAK_AG_INIT_EXCH.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [CERT]:
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Processing CERT payload. Cert Type = 4, Cert Length = 1281.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> in cert, name
## 2011-01-28 14:28:03 : IKE<192.168.11.3> recv cert with IPV4(0.0.0.0), FQDN(none), RFC822(none)
## 2011-01-28 14:28:03 : IKE<0.0.0.0 > Cert NotAfter=Jan 25 09:44:09 2021 GMT
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Cert_time(759491049) current(444148083)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [SIG]:
## 2011-01-28 14:28:03 : IKE<192.168.11.3> processing ISA_SIG.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ***** Got public key for 192.168.11.3 *****
## 2011-01-28 14:28:03 : IKE<192.168.11.3> processing RSA sig
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ID, len=68, type=9, pro=0, port=0,
## 2011-01-28 14:28:03 : IKE<192.168.11.3>
## 2011-01-28 14:28:03 : IKE<192.168.11.3 > his_digest
## 2011-01-28 14:28:03 : 65 f4 54 97 b9 ba 40 fe cb c8 68 2e 55 76 dd d6
## 2011-01-28 14:28:03 : 47 b1 a7 75 00 00 00 00 35 5a 39 00 40 51 82 03
## 2011-01-28 14:28:03 : IKE<192.168.11.3> pki_msg: pki state<0>ike state<6/1097193f>
## 2011-01-28 14:28:03 : IKE<192.168.11.3> completing Phase 1
## 2011-01-28 14:28:03 : IKE<192.168.11.3> sa_pidt = 84ce450
## 2011-01-28 14:28:03 : IKE<192.168.11.3> found existing peer identity 0
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Phase 1: Completed for ip <192.168.11.3>, user
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Phase 1: Completed Aggressive mode negotiation with a <28800>-second lifetime.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> xauth is started: server, p1responder, aggr mode.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> start_xauth()
## 2011-01-28 14:28:03 : IKE<0.0.0.0 > ikecfg list add attr type 16520, val 0 added, len 0.
## 2011-01-28 14:28:03 : IKE<0.0.0.0 > ikecfg list add attr type 16521, val empty string, type <16521> added, len 0.
## 2011-01-28 14:28:03 : IKE<0.0.0.0 > ikecfg list add attr type 16522, val empty string, type <16522> added, len 0.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Create conn entry...
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ...done(new bd9e572e)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Construct ISAKMP header.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Msg header built (next payload #8)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Construct [HASH]
## 2011-01-28 14:28:03 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2011-01-28 14:28:03 : IKE<0.0.0.0 > next: 0, payloadlength 20, type 1, identifier 5934.
## 2011-01-28 14:28:03 : IKE<0.0.0.0 > basic attr type 16520, valint 0
## 2011-01-28 14:28:03 : IKE<0.0.0.0 > variable attr type 16521, vallen 0, valstr empty string, type <16521>
## 2011-01-28 14:28:03 : IKE<0.0.0.0 > variable attr type 16522, vallen 0, valstr empty string, type <16522>
## 2011-01-28 14:28:03 : IKE<0.0.0.0 >
## 2011-01-28 14:28:03 : IKE<192.168.11.3> construct QM HASH
## 2011-01-28 14:28:03 : IKE<192.168.11.3 > Xmit*: [HASH] [IKECFG]
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Encrypt P2 payload (len 72)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Responder sending IPv4 IP 192.168.11.3/port 500
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Send Phase 2 packet (len=76)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ikecfg packet sent. msgid bd9e572e, len: 72, peer<192.168.11.3>
## 2011-01-28 14:28:03 : IKE<192.168.11.3> xauth status updated by state machine: 20
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Catcher: received 84 bytes from socket.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ****** Recv packet if of vsys ******
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Catcher: get 84 bytes. src port 500
## 2011-01-28 14:28:03 : IKE<0.0.0.0 > ISAKMP msg: len 84, nxp 8[HASH], exch 5[INFO], flag 01 E
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Create conn entry...
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ...done(new a77ca448)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Decrypting payload (length 56)
## 2011-01-28 14:28:03 : IKE<192.168.11.3 > Recv*: [HASH] [DELETE]
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [DELETE]:
## 2011-01-28 14:28:03 : IKE<192.168.11.3> DELETE payload received, deleting Phase-1 SA
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Delete conn entry...
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ...found conn entry(48a47ca7)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> IKE msg done: PKI state<0> IKE state<6/1097193f>
## 2011-01-28 14:28:04 : IKE<0.0.0.0 > dh group 2
## 2011-01-28 14:28:04 : IKE<0.0.0.0 > finished job pkaidx <0> dh_len<128> dmax<64>
## 2011-01-28 14:28:04 : IKE<0.0.0.0 > finished job d<4244e532><954798b2>
## 2011-01-28 14:28:04 : IKE<0.0.0.0 > BN, top32 dmax64 zero
## 2011-01-28 14:28:09 : IKE<192.168.11.3> ikecfg transmit timer expired. re-trans
## 2011-01-28 14:28:09 : IKE<192.168.11.3> bad sa, can't send request
## 2011-01-28 14:28:15 : IKE<192.168.11.3> ikecfg transmit timer expired. re-trans
## 2011-01-28 14:28:15 : IKE<192.168.11.3> bad sa, can't send request
## 2011-01-28 14:28:21 : IKE<192.168.11.3> ikecfg transmit timer expired. re-trans
## 2011-01-28 14:28:21 : IKE<192.168.11.3> bad sa, can't send request
## 2011-01-28 14:28:27 : IKE<192.168.11.3> ikecfg transmit timer expired. re-trans
## 2011-01-28 14:28:27 : IKE<192.168.11.3> bad sa, can't send request
## 2011-01-28 14:28:32 : reap_db. deleting p1sa 2178e38
## 2011-01-28 14:28:32 : terminate_SA: trying to delete SA cause: 0 cond: 2
## 2011-01-28 14:28:32 : IKE<192.168.11.3> Delete conn entry...
## 2011-01-28 14:28:32 : IKE<192.168.11.3> ...found conn entry(2e579ebd)
## 2011-01-28 14:28:32 : IKE<192.168.11.3> xauth login ABORTED. gw , username <>, retry: 0
## 2011-01-28 14:28:42 : IKE<192.168.11.3> xauth login EXPIRED and TERMINATED. username <>, ip<0.0.0.0/0.0.0.0>
## 2011-01-28 14:28:42 : IKE<192.168.11.3> IKE Xauth: release prefix route, ret=<-2>.
## 2011-01-28 14:29:02 : reap_db. deleting p1sa 2178e38
## 2011-01-28 14:29:02 : terminate_SA: trying to delete SA cause: 0 cond: 2
## 2011-01-28 14:29:02 : IKE<192.168.11.3> xauth_cleanup()
## 2011-01-28 14:29:02 : IKE<192.168.11.3> Done cleaning up IKE Phase 1 SA
## 2011-01-28 14:29:02 : peer_identity_unregister_p1_sa.
## 2011-01-28 14:29:02 : IKE<0.0.0.0 > delete peer identity 0x84ce450
## 2011-01-28 14:29:02 : IKE<0.0.0.0 > peer_identity_remove_from_peer: num entry before remove <2>
## 2011-01-28 14:29:02 : peer_idt.c peer_identity_unregister_p1_sa 668: pidt deleted.