<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Testo fumetto Carattere";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
mso-fareast-language:EN-US;}
span.StileMessaggioDiPostaElettronica17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.TestofumettoCarattere
{mso-style-name:"Testo fumetto Carattere";
mso-style-priority:99;
mso-style-link:"Testo fumetto";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 2.0cm 2.0cm 2.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=IT link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hi all,<o:p></o:p></p><p class=MsoNormal>i’m trying to configure DHCP over IPSec with Shrew soft VPN Client and my Firewall (Arkoon).<o:p></o:p></p><p class=MsoNormal>I’ve setup correctly the Arkoon FW, when I connect assigning a fixed IP, the VPN connection goes fine, when I flash DHCP over IPsec in Shrew client I get this LOG on fw:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: received Vendor ID payload [RFC 3947] method set to=110<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: ignoring Vendor ID payload [FRAGMENTATION 80000000]<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: received Vendor ID payload [Dead Peer Detection]<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655: ignoring Vendor ID payload [Cisco-Unity]<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: responding to Main Mode from unknown peer 94.XX.YY.84<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: STATE_MAIN_R1: sent MR1, expecting MI2<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: STATE_MAIN_R2: sent MR2, expecting MI3<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: Main mode peer ID is ID_DER_ASN1_DN: 'E=********@****.it,CN=******,OU=***,O=********,L=*************,C=IT'<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.8484 #21: Issuer CA certificate is trusted: 'CN=Fast360 CA,OU=CED,O=******.,L=*******,C=IT'<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:15 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: Issuer CA certificate is trusted: 'CN= Fast360 CA,OU=CED,O=******.,L=*******,C=IT'<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:15 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: switched from "conn_13" to "conn_11"<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: I am sending my cert<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: NAT-T: new port 1655/1705<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: Dead Peer Detection (RFC 3706): enabled<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: ignoring informational payload, type IPSEC_INITIAL_CONTACT<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: received and ignored informational message<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: cannot respond to IPsec SA request because no connection is known for 82.XX.YY.143[CN= Fast360 CA,OU=CED,O=******.,L=*******,C=IT]:17/67... 94.XX.YY.84 [E=********@****.it,CN=******,OU=***,O=********,L=*************,C=IT]:17/67===10.X.Y.15/32<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: sending encrypted notification INVALID_ID_INFORMATION to 94.XX.YY.84:1705<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:20 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x698f4631 (perhaps this is a duplicated packet)<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:20 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: sending encrypted notification INVALID_MESSAGE_ID to 94.XX.YY.84:1705<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:23 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: received Delete SA payload: deleting ISAKMP State #21<o:p></o:p></p><p class=MsoNormal>Jun 14 10:01:23 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84: deleting connection "conn_11" instance with peer 94.XX.YY.84 {isakmp=#0/ipsec=#0}<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The same config with fixed IP goes ok. <o:p></o:p></p><p class=MsoNormal>VPN is defined as per two ends, one is remote lan, the other is the user/object with defined cert and virtual ip addressing.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Any hint on how to debug better?<o:p></o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Nicola<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=399 style='width:299.25pt;border-collapse:collapse'><tr style='height:48.0pt'><td width=131 valign=top style='width:98.25pt;border:none;border-top:solid #CCCCCC 1.0pt;padding:0cm 0cm 4.5pt 0cm;height:48.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span style='font-size:7.5pt;font-family:"Verdana","sans-serif";color:black;mso-fareast-language:IT'><img width=118 height=82 id="Immagine_x0020_1" src="cid:image001.jpg@01CC2A7A.A88E3350" alt="Descrizione: image002"></span></i><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:IT'> <o:p></o:p></span></p></td><td valign=top style='border:none;border-top:solid #CCCCCC 1.0pt;padding:0cm 0cm 4.5pt 0cm;height:48.0pt'><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse'><tr><td nowrap valign=top style='padding:0cm 0cm 4.5pt 0cm'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:7.0pt;font-family:"Verdana","sans-serif";color:red;mso-fareast-language:IT'><br>Bressan Nicola</span></b><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:IT'> </span><span lang=EN-US style='font-size:7.0pt;font-family:"Verdana","sans-serif";color:#666666;mso-fareast-language:IT'>|</span><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:IT'> </span><b><span lang=EN-US style='font-size:7.0pt;font-family:"Verdana","sans-serif";color:red;mso-fareast-language:IT'>S</span></b><span lang=EN-US style='font-size:7.0pt;font-family:"Verdana","sans-serif";color:#666666;mso-fareast-language:IT'>ystem & </span><b><span lang=EN-US style='font-size:7.0pt;font-family:"Verdana","sans-serif";color:red;mso-fareast-language:IT'>S</span></b><span lang=EN-US style='font-size:7.0pt;font-family:"Verdana","sans-serif";color:#666666;mso-fareast-language:IT'>ecurity </span><b><span lang=EN-US style='font-size:7.0pt;font-family:"Verdana","sans-serif";color:red;mso-fareast-language:IT'>E</span></b><span lang=EN-US style='font-size:7.0pt;font-family:"Verdana","sans-serif";color:#666666;mso-fareast-language:IT'>ngineer</span><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:IT'> <o:p></o:p></span></p></td></tr><tr><td nowrap valign=top style='padding:0cm 0cm 4.5pt 0cm'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:7.0pt;font-family:"Verdana","sans-serif";color:gray;mso-fareast-language:IT'>Via Roma, 4 int. 18 - 31020 Villorba (TV) - Italy</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:IT'> <o:p></o:p></span></p></td></tr><tr><td nowrap valign=top style='padding:0cm 0cm 4.5pt 0cm'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:7.0pt;font-family:"Verdana","sans-serif";color:red;mso-fareast-language:IT'>T</span></b><span style='font-size:7.0pt;font-family:"Verdana","sans-serif";color:gray;mso-fareast-language:IT'>el: +39.0422.9125 | </span><b><span style='font-size:7.0pt;font-family:"Verdana","sans-serif";color:red;mso-fareast-language:IT'>E</span></b><span style='font-size:7.0pt;font-family:"Verdana","sans-serif";color:gray;mso-fareast-language:IT'>-Mail: nicola.bressan@smc.it</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:IT'> <o:p></o:p></span></p></td></tr></table></td></tr></table><p class=MsoNormal><span style='mso-fareast-language:IT'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>