
Re: [Users] x509 certificate patch - error: no RSA public key found for <DN>

From: Chad Carr (ccarr_at_franzdoodle.com)
Date: Thu Mar 28 2002 - 15:41:28 CET


* Andreas Steffen (andreas.steffen_at_strongsec.com) wrote:
> Chad Carr wrote:
> >
> > On Wed, 27 Mar 2002 07:37:30 +0100
> > "Andreas Steffen" <andreas.steffen_at_strongsec.com> wrote:
> >
> > > The problem is the single quote in O=Chad's IPSec Client. The ID string
> > > is exported as an environment variable to the updown script and wreaks
> > > havoc there. As a workaround generate a certificate without single
> > > quotes in the distinguished name. I'm going to check if the ID string
> > > must be double-quoted before exporting it.
> >
> > Very good. I have done so, but get the following log now. Is there
> > any way that I can help document this log file? Obviously, there is enough
> > information in the file to allow troubleshooting of any connection
> > problem, but unless you know the source code, it is quite difficult. I am
> > writing detailed documentation on my entire process that I will post to
> > the list (as well as the LEAF list and another hardware list that I am
> > on), but if there is anything I can do to help document this fully, please
> > email me directly, and I will do my best. If you can just give me some
> > initial guidance, I will be off and running...thanks again for your assistance.
> >
>
> > Mar 28 06:50:20 wlanfw Pluto[1301]: "w2k-road-warriors" 192.168.3.10 #1: sent MR3, ISAKMP SA established
>
> Fine - Main Mode works
>
> > Mar 28 06:50:20 wlanfw Pluto[1301]: "w2k-road-warriors" 192.168.3.10 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
>
> Peer did not get first MR3 message (Problem ?)
>
> > Mar 28 06:50:20 wlanfw Pluto[1301]: "w2k-road-warriors" 192.168.3.10 #2: responding to Quick Mode
> > Mar 28 06:50:20 wlanfw Pluto[1301]: "w2k-road-warriors" 192.168.3.10 #2: up-client command exited with status 2
> > Mar 28 06:50:20 wlanfw Pluto[1301]: "w2k-road-warriors" 192.168.3.10 #1: ignoring Delete SA payload
> > Mar 28 06:50:20 wlanfw Pluto[1301]: "w2k-road-warriors" 192.168.3.10 #1: received and ignored informational message
>
> Your peer has a problem and sends an informational message.
> Please check the log on the peer side

The only problem I can seem to find in my win2k log file is the following:

 3-27: 06:59:55:2e0
 3-27: 06:59:55:2e0 Resume: (get) SA = 0x0023ab88 from 192.168.3.1
 3-27: 06:59:55:2e0 ISAKMP Header: (V1.0), len = 1644
 3-27: 06:59:55:2e0 I-COOKIE e9764cfa3de95f51
 3-27: 06:59:55:2e0 R-COOKIE fae7405a09149e84
 3-27: 06:59:55:2e0 exchange: Oakley Main Mode
 3-27: 06:59:55:2e0 flags: 1 ( encrypted )
 3-27: 06:59:55:2e0 next payload: ID
 3-27: 06:59:55:2e0 message ID: 00000000
 3-27: 06:59:55:2e0 Doing tripleDES
 3-27: 06:59:55:2e0 invalid payload received
 3-27: 06:59:55:2e0 GetPacket failed cbad034b
 3-27: 06:59:55:2e0

These exact same peers work great with preshared keys. Changing to x.509
certificates breaks their communication. I can't figure this out as both sides
seem to think that Main Mode has completed with fantastic results and they
should now both be on the same page as far as encryption of Quick Mode payloads
is concerned.

Has anyone seen this before?

---------------------------------------------------------------------------
Chad Carr ccarr_at_franzdoodle.com
---------------------------------------------------------------------------
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
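Added example, not from this thread or from the FreeS/WAN project: a small POSIX sh script that reproduces the quoting failure Andreas describes (a single quote in the DN of an ID string that an updown-style script re-parses through the shell) and the handling that survives it. The DN is constructed for the demonstration; `PLUTO_PEER_ID` is the environment variable name FreeS/WAN's updown script uses for the peer ID, but the functions here are a stand-in, not the project's script.

```shell
#!/bin/sh
# Added example (not FreeS/WAN code): how a single quote in an ID string
# breaks a shell that re-parses it, and the quoting that avoids the problem.

# Constructed DN, modelled on the "O=Chad's IPSec Client" case in the thread.
PEER_DN="C=US, O=Chad's IPSec Client, CN=roadwarrior"

# Unsafe pattern: the ID is spliced into a command line that a child shell
# re-parses. The lone single quote leaves an unterminated quoted string, so
# the child shell reports a syntax error and exits non-zero, the same class
# of failure as an up-client script exiting with a non-zero status.
record_peer_unsafe() {
    sh -c "echo Peer: $1" 2>/dev/null
}

# Safe pattern: pass the ID to the child as an environment variable and
# expand it inside double quotes; the shell never tokenizes its contents,
# so quotes, spaces and commas in the DN are preserved verbatim.
# PLUTO_PEER_ID is the variable name FreeS/WAN's updown script receives.
record_peer_safe() {
    PLUTO_PEER_ID="$1" sh -c 'printf "Peer: %s\n" "$PLUTO_PEER_ID"'
}

# Returns 0 when the ID survives the round trip unchanged, 1 otherwise.
roundtrip_ok() {
    out=$(record_peer_safe "$1")
    [ "$out" = "Peer: $1" ]
}

# Stand-alone demonstration.
if record_peer_unsafe "$PEER_DN"; then
    echo "unsafe handling unexpectedly succeeded"
else
    echo "unsafe handling failed on the single quote (as expected)"
fi
roundtrip_ok "$PEER_DN" && echo "safe handling preserved: $PEER_DN"
```

The point for anyone writing or auditing an updown hook: treat every `PLUTO_*` value as opaque data, always expand it inside double quotes, and never build a command string from it, since a DN is free-form text chosen when the certificate was issued.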



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:47 CEST