If I'm reading your diagram correctly, you have a routing problem.
I'm assuming your ADSL router is at home in front of the WindowsXP station
and providing a DHCP administered address to the windows XP station from the
192.168.0.0/24 network. I have always found one of the best network
troubleshooting methodologies is to "think like a packet." Your station
establishes a tunnel successfully. It then generates the ping packet and
successfully sends it across the tunnel to the internal network which I
assume is 192.168.0.0/24. The target station receives the ping and fashions
the response. The destination address will be the WindowsXP station at
192.168.0.x. It checks the address against the subnet mask, sees that it is
on the same network and then ARPs for the MAC address. Since the WindowsXP
station is not on the same local segment, a reply is never received to the
ARP so the ping reply is never put on the wire. If I have interpreted your
diagram correctly, change your home network to something different from
192.168.0.0/24.

Hope this helps - John
> John A. Sullivan III
> Group Technology Director
> Nexus Management
> +1 207-985-7880
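
The "think like a packet" reasoning in the reply above, as an added Python example that is not part of the original message: it traces the responder's same-network/ARP decision and checks a client's local network against the tunneled subnet. The addresses 192.168.0.5/24, 192.168.0.1, 192.168.0.11 and 192.168.0.0/24 appear in the thread; the 192.168.1.0/24 network, the segment membership, the choice of 192.168.0.1 as default gateway and all function names are assumptions made for illustration.

```python
import ipaddress


def reply_path(responder_if, reply_dst, on_segment, default_gw):
    """Trace how a LAN host emits its echo reply.

    responder_if: responder's address with prefix, e.g. "192.168.0.5/24"
    reply_dst:    source address of the ping after it left the tunnel
    on_segment:   addresses physically present on the responder's segment
    default_gw:   responder's default gateway (an assumption of this example)
    """
    iface = ipaddress.ip_interface(responder_if)
    dst = ipaddress.ip_address(reply_dst)
    if dst in iface.network:
        # Same network by mask: the host ARPs for the destination directly.
        if str(dst) in on_segment:
            return ("delivered-on-link", str(dst))
        # Nobody on the segment owns that address, so the ARP request is
        # never answered and the reply is never put on the wire.
        return ("dropped-arp-unanswered", str(dst))
    # Different network: the reply is handed to the gateway for routing.
    return ("sent-to-gateway", default_gw)


def overlapping(client_nets, tunnel_nets):
    """Return (client_net, tunnel_net) pairs whose address ranges overlap."""
    pairs = []
    for c in map(ipaddress.ip_network, client_nets):
        for t in map(ipaddress.ip_network, tunnel_nets):
            if c.overlaps(t):
                pairs.append((str(c), str(t)))
    return pairs


def check_client(client_src, client_nets, tunnel_nets,
                 responder_if, on_segment, default_gw):
    """Combine both checks for one remote client."""
    return {
        "overlap": overlapping(client_nets, tunnel_nets),
        "reply": reply_path(responder_if, client_src, on_segment, default_gw),
    }


# Values taken from the thread.
RESPONDER = "192.168.0.5/24"
TUNNEL_NETS = ["192.168.0.0/24"]
# Constructed for the example: hosts really on the LAN segment, and the
# assumption that the ADSL router is the LAN's default gateway.
SEGMENT = {"192.168.0.1", "192.168.0.5"}
GATEWAY = "192.168.0.1"

if __name__ == "__main__":
    cases = [
        ("192.168.0.11", ["192.168.0.0/24"]),  # home LAN reuses the office range
        ("192.168.1.11", ["192.168.1.0/24"]),  # home LAN renumbered (constructed)
    ]
    for src, nets in cases:
        print(src, check_client(src, nets, TUNNEL_NETS,
                                RESPONDER, SEGMENT, GATEWAY))
```
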
-----Original Message-----
From: Andreas Dorn [mailto:kreiselkicker_at_compuserve.de]
Sent: Tuesday, April 23, 2002 5:48 AM
To: users_at_lists.freeswan.org
Subject: [Users] FreeSwan <----> SSH Sentinel WinXP Client on CallByCall ISDN/Modem Connection = Mission Impossible ?
hello !
maybe some kind person could help me out of this. there must be
something about it.
i hope i'm not on "mission impossible". i spent quite some time on this
but i cannot find the trick.
i appreciate any comment.
thank you
andy
scenario:
 _____________________________
|Linux/FreeSwan1.96/x.509patch|
|192.168.0.5/24               |
|ip-forwarding enabled        |
|"cobraHost"                  |
|_____________________________|----LAN------
                                           |
 __________________________________________|_____________
|Netgear RT314(ADSL-Router)                              |
|Local-IP:192.168.0.1/24                                 |
|DHCP Server / DNS Server/Forwarder for 192.168.0.0/24   |
|NAT/Firewall                                            |
|PORT 500 forwarded to 192.168.0.5                       |
|Protocol 50/51 forwarding enabled                       |
|dns registered as "somehost.dyndns.org"                 |
|________________________________________________________|
                                  |               |
 ______________                   |               |
|LAN           |-------LAN--------                A
|192.168.0.0/24|                                  D
|______________|                                  S
                                                  L
                                                  |
 ______________                                   |
|Notebook      |---ISDN/MODEM-----INTERNET---------
|WinXP         |
|SSH Sentinel  |
|(1.3 b47)     |
|some public ip|
|callbycall    |
|provider      |
|______________|
i configured freeswan and the ssh sentinel as described in
http://www.ssh.com/products/sentinel/SSH-Sentinel-1.3-FreeSWAN.pdf
the freeswan ipsec.conf:
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=%defaultroute
    leftcert=cobraHost.pem
    auto=add
    pfs=yes

conn roadwarrior
    right=%any

conn roadwarrior-net
    leftsubnet=192.168.0.0/24
    right=%any
i added a VPN Connection to SSH Sentinel with security
gateway="somehost.dyndns.org" and remote network 192.168.0.0/24 and no
dhcp
i managed all the certificate stuff and tested the connection with the
notebook locally plugged into LAN, works fine !
(but i think that's not important anyway because the notebook has
internal ip 192.168.0.11 then...)
i went away and connected the notebook via isdn call by call provider to
the internet
i connect via sentinel, yippie ! connection works !
BUT: ping 192.168.0.5 gets into timeout, so do any others to the
192.168.0.0/24 subnet
:-(
i looked into freeswans log:
Apr 23 11:24:08 cobra ipsec_setup: Starting FreeS/WAN IPsec 1.96...
Apr 23 11:24:08 cobra ipsec_setup: KLIPS debug `none'
Apr 23 11:24:08 cobra ipsec_setup: KLIPS ipsec0 on eth0 192.168.0.5/255.255.255.0 broadcast 192.168.0.255
Apr 23 11:24:08 cobra ipsec__plutorun: Starting Pluto subsystem...
Apr 23 11:24:08 cobra Pluto[23487]: Starting Pluto (FreeS/WAN Version 1.96)
Apr 23 11:24:08 cobra Pluto[23487]: including X.509 patch (Version 0.9.8)
Apr 23 11:24:08 cobra ipsec_setup: ...FreeS/WAN IPsec started
Apr 23 11:24:08 cobra Pluto[23487]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 23 11:24:08 cobra Pluto[23487]: loaded cacert file 'cobraCA.pem' (1708 bytes)
Apr 23 11:24:08 cobra Pluto[23487]: Changing to directory '/etc/ipsec.d/crls'
Apr 23 11:24:08 cobra Pluto[23487]: loaded crl file 'crl.pem' (715 bytes)
Apr 23 11:24:08 cobra Pluto[23487]: loaded my X.509 cert file '/etc/x509cert.der' (1265 bytes)
Apr 23 11:24:09 cobra Pluto[23487]: loaded host cert file '/etc/ipsec.d/cobraHost.pem' (5135 bytes)
Apr 23 11:24:09 cobra Pluto[23487]: added connection description "roadwarrior"
Apr 23 11:24:09 cobra Pluto[23487]: loaded host cert file '/etc/ipsec.d/cobraHost.pem' (5135 bytes)
Apr 23 11:24:09 cobra Pluto[23487]: added connection description "roadwarrior-net"
Apr 23 11:24:09 cobra Pluto[23487]: listening for IKE messages
Apr 23 11:24:09 cobra Pluto[23487]: adding interface ipsec0/eth0 192.168.0.5
Apr 23 11:24:09 cobra Pluto[23487]: loading secrets from "/etc/ipsec.secrets"
Apr 23 11:24:09 cobra Pluto[23487]: loaded private key file '/etc/ipsec.d/private/cobraHost.key.pem' (3467 bytes)
Apr 23 11:24:17 cobra kernel: ipsec0: no IPv6 routers present
Apr 23 11:25:54 cobra Pluto[23487]: packet from 213.7.23.58:500: ignoring Vendor ID payload
Apr 23 11:25:54 cobra Pluto[23487]: "roadwarrior" 213.7.23.58 #1: responding to Main Mode from unknown peer 213.7.23.58
Apr 23 11:25:55 cobra Pluto[23487]: "roadwarrior-net" 213.7.23.58 #1: sent MR3, ISAKMP SA established
Apr 23 11:25:56 cobra Pluto[23487]: "roadwarrior-net" 213.7.23.58 #2: responding to Quick Mode
Apr 23 11:25:56 cobra Pluto[23487]: "roadwarrior-net" 213.7.23.58 #2: IPsec SA established
i think the connection is established and ok?
i made a ipconfig /all on the WinXP Machine
Windows-IP-Konfiguration
Hostname. . . . . . . . . . . . . : andy
Primäres DNS-Suffix . . . . . . . :
Knotentyp . . . . . . . . . . . . : Broadcast
IP-Routing aktiviert. . . . . . . : Nein
WINS-Proxy aktiviert. . . . . . . : Nein
Ethernetadapter {7897FF62-3E75-4ACE-9A53-77E5CE2FD952}:
Medienstatus. . . . . . . . . . . : Es besteht keine Verbindung
Beschreibung. . . . . . . . . . . : SSH Virtual Network Adapter (sshvnic)
Physikalische Adresse . . . . . . : 02-00-00-00-01-00
PPP-Adapter FreeNet:
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physikalische Adresse . . . . . . : 00-53-45-00-00-00
DHCP aktiviert. . . . . . . . . . : Nein
IP-Adresse. . . . . . . . . . . . : 213.7.209.38
Subnetzmaske. . . . . . . . . . . : 255.255.255.255
Standardgateway . . . . . . . . . : 213.7.209.38
DNS-Server. . . . . . . . . . . . : 62.104.191.241
62.104.196.134
NetBIOS über TCP/IP . . . . . . . : Deaktiviert
i looked into the sentinels audit logfile after all what happened:
: SPD: Can not determine per-rule trusted CA root set for remote
identity der_asn1_dn(any:0,[0..164]=C=DE, ST=Area, L=City, O=AIZ,
OU=somehost.dyndns.org, CN=cobraHOST,
MAILTO=kreiselkicker_at_compuserve.de). Using only globally trusted roots.
: Phase-1 [initiator] between der_asn1_dn(udp:500,[0..95]=C=DE, O=AIZ,
OU=somehost.dyndns.org, CN=another_at_email.com) and
der_asn1_dn(any:0,[0..164]=C=DE, ST=Area, L=City, O=AIZ,
OU=somehost.dyndns.org, CN=cobraHOST,
MAILTO=kreiselkicker_at_compuserve.de) done.
: Phase-2 [initiator] done bundle 5 with 2 SA's by rule 181:`ipsec
ipv4(any:0,[0..3]=213.7.23.58)<->ipv4_subnet(any:0,[0..7]=192.168.0.0/24
)(gw:ipv4(any:0,[0..3]=217.224.31.251))'
: SA ESP[e1997fd0] alg [3des-cbc/24]+hmac[hmac-md5-96] bundle [5,0] pri
0 opts src=ipv4(any:0,[0..3]=213.7.23.58)
dst=ipv4_subnet(any:0,[0..7]=192.168.0.0/24)
: SA ESP[cdff65fc] alg [3des-cbc/24]+hmac[hmac-md5-96] bundle [5,0] pri
0 opts src=ipv4_subnet(any:0,[0..7]=192.168.0.0/24)
dst=ipv4(any:0,[0..3]=213.7.23.58)
ok, that's a lot
i hope i didn't forget anything ;-)
i think this must be either a "mission impossible" due to some
router/nat stuff or i'm blind on both eyes maybe...
please comment!
thank you again
andy
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:53 CEST