-----Original Message-----
From: Andreas Dorn [mailto:kreiselkicker_at_compuserve.de]
Sent: Wednesday, 24 April 2002 10:19
To: 'John Sullivan'
Subject: RE: [Users] FreeSwan <----> SSH Sentinel WinXP Client on CallByCall ISDN/Modem Connection = Mission Impossible ?
Thank you again John,
OK, since formatting issues have us talking in confusion, here is the
scenario again:
LAN (192.168.0.0/24)
|
|
FreeSwan (192.168.0.5/24)
|
|
Router (192.168.0.1/24)
|
|
ADSL
|
|
Internet
|
|
ISDN/MODEM…
|
|
WinXP(a.b.c.d)
I want to get access to the 192.168.0.0/24 network, but I think the
point here is that FreeS/WAN doesn't support virtual addresses yet?
So the routing from the 192.168.0.0/24 LAN to the WinXP client is not
possible?
Do I have to wait for the virtual IP address implementation, or do you see
any other way to get along with this?
Sorry for the formatting failures that caused all the confusion ;-)
-----Original Message-----
From: John Sullivan [mailto:John.Sullivan_at_nexusmgmt.com]
Sent: Tuesday, 23 April 2002 21:48
To: 'Andreas Dorn'; users_at_lists.freeswan.org
Subject: RE: [Users] FreeSwan <----> SSH Sentinel WinXP Client on CallByCall ISDN/Modem Connection = Mission Impossible ?
A couple of points . . .
Unless the VPN gateway supports virtual addresses, you won't be able to
use those "advanced" features of Sentinel. Those features are very
handy and I understand someone is working on a Free S/WAN
implementation. You will need to use the straightforward, local
address. I think I'm a bit confused by your diagram. Between what two
points are you trying to establish the tunnel? Is the Free S/WAN gateway
between the Internet and the 192.168.0.0/24 network or behind the
WindowsXP station? I was assuming your configuration went something like
this (I'll diagram it vertically to eliminate formatting confusion):
WindowsXP w/local address of 192.168.0.x given by DHCP on ADSL router
|
|
Netgear ADSL router with 192.168.0.0/24 internal network and some ISP
assigned public IP address on the external interface
|
|
Internet
|
|
Free S/WAN gateway with an internal address of 192.168.0.5 and some ISP
assigned public IP address on the external interface
|
|
Some device you are trying to ping on the 192.168.0.0/24 network
The problem in this scenario is that the device you are trying to ping
doesn't realize it has to send the reply packet to the gateway. Since
the packet from the windowsXP station, once decrypted by the gateway has
a source IP of 192.168.0.x, the pinged station thinks the reply should
go to the local network. Therefore it ARP's for a local MAC address
rather than sending the packet to the gateway/router. In other words,
the packet from the WindowsXP station makes it perfectly fine to the
target but the target never sends the reply packet back to the Free
S/WAN gateway to be tunneled back to the WindowsXP station. Again, I may
have completely misunderstood your setup - John
> John A. Sullivan III
> Group Technology Director
> Nexus Management
> +1 207-985-7880
-----Original Message-----
From: Andreas Dorn [mailto:kreiselkicker_at_compuserve.de]
Sent: Tuesday, April 23, 2002 3:10 PM
To: John Sullivan; users_at_lists.freeswan.org
Subject: RE: [Users] FreeSwan <----> SSH Sentinel WinXP Client on CallByCall ISDN/Modem Connection = Mission Impossible ?
Thank you John,
but I'm not sure about all this.
What is the difference in changing the home network to e.g.
192.168.1.0/24 or whatever?
In the case of connecting with the WinXP station from somewhere out in the
fields, the IP address isn't anything like 192.168.0.x.
It changes with each dial-in.
So the destination address for the response after a successful connect should
be the IP address of the dial-in and not 192.168.0.x;
please correct me if I am wrong.
The next problem is setting the IP address in Sentinel's VPN connection setup
either to DHCP or specified? Doesn't work at all. FreeS/WAN says
something like
"I don't support this feature...". Any comments about this?
Again in short:
LAN(192.168.0.0/24)-------------
|---ROUTER(192.168.0.1)---ADSL---INTERNET---ISDN/MODEM---WINXP(a.b.c.d)
FREESWAN(192.168.0.5/24)--------
If I change LAN, FreeS/WAN and router to another network, what is the
difference then?
Or did I get you wrong? I'm not a pro, so please excuse any mistakes.
andy
-----Original Message-----
From: John Sullivan [mailto:John.Sullivan_at_nexusmgmt.com]
Sent: Tuesday, 23 April 2002 19:57
To: 'Andreas Dorn'; users_at_lists.freeswan.org
Subject: RE: [Users] FreeSwan <----> SSH Sentinel WinXP Client on CallByCall ISDN/Modem Connection = Mission Impossible ?
If I'm reading your diagram correctly, you have a routing
problem. I'm assuming your ADSL router is at home in front of the
WindowsXP station and providing a DHCP administered address to the
windows XP station from the 192.168.0.0/24 network. I have always found
one of the best network troubleshooting methodologies is to "think like
a packet." Your station establishes a tunnel successfully. It then
generates the ping packet and successfully sends it across the tunnel to
the internal network which I assume is 192.168.0.0/24. The target
station receives the ping and fashions the response. The destination
address will be the WindowsXP station at 192.168.0.x. It checks the
address against the subnet mask, sees that it is on the same network and
then ARPs for the MAC address. Since the WindowsXP station is not on
the same local segment, a reply is never received to the ARP so the ping
reply is never put on the wire. If I have interpreted your diagram
correctly, change your home network to something different from
192.168.0.0/24. Hope this helps - John
> John A. Sullivan III
> Group Technology Director
> Nexus Management
> +1 207-985-7880
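John's "think like a packet" walk-through here, and his follow-up above about the pinged device ARPing instead of handing the reply to the gateway, both come down to a single routing decision on the LAN host that answers the ping. The script below models that decision for the cases the thread discusses. It is an added example, not code from the thread, from FreeS/WAN or from SSH Sentinel. It assumes the pinged LAN host is 192.168.0.20 and uses the Netgear at 192.168.0.1 (the DHCP server in Andy's diagram) as its default gateway, uses a constructed 192.168.0.77 for John's overlapping-subnet case, and its last scenario, a host route for the dial-up address via 192.168.0.5, is the editor's generalisation of John's point rather than anything the thread proposes.

```python
"""
"Think like a packet": model the forwarding decision of a host on the
192.168.0.0/24 LAN when it answers a ping that arrived through the tunnel.

Added example for this thread; not code from FreeS/WAN or SSH Sentinel.
Assumptions not stated on the page: the pinged LAN host is 192.168.0.20 and
uses the Netgear router 192.168.0.1 as default gateway; the overlapping-subnet
case uses a constructed WinXP address 192.168.0.77; the host-route fix in the
last scenario is the editor's generalisation of John's explanation.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set

# Possible fates of the echo reply, as seen from the pinged LAN host.
ON_LINK = "delivered directly on the LAN segment"
ARP_UNANSWERED = "destination looks local, ARP is never answered, reply never leaves the host"
WRONG_GATEWAY = "reply sent to the default gateway, which is not the IPsec gateway, so it is never tunnelled"
TUNNELED = "reply handed to the FreeS/WAN gateway and tunnelled back to the client"


@dataclass
class Route:
    prefix: IPv4Network
    via: Optional[IPv4Address]  # None: directly connected, resolve the next hop with ARP


@dataclass
class LanHost:
    """A host on the 192.168.0.0/24 LAN with a plain default-gateway configuration."""
    addr: IPv4Address
    network: IPv4Network            # address/mask of its LAN interface
    default_gw: IPv4Address
    static_routes: List[Route] = field(default_factory=list)

    def next_hop(self, dst: IPv4Address) -> Optional[IPv4Address]:
        """Longest-prefix match: static routes, then the connected subnet, then the default route."""
        hits = [r for r in self.static_routes if dst in r.prefix]
        if hits:
            return max(hits, key=lambda r: r.prefix.prefixlen).via
        if dst in self.network:
            return None  # same subnet: ARP for dst itself instead of using any router
        return self.default_gw


def reply_path(host: LanHost, reply_dst: IPv4Address,
               on_wire: Set[IPv4Address], ipsec_gw: IPv4Address) -> str:
    """Follow the echo reply for one hop and report whether it can reach the tunnel.

    on_wire is the set of addresses that really answer ARP on the LAN segment.
    """
    hop = host.next_hop(reply_dst)
    if hop is None:
        return ON_LINK if reply_dst in on_wire else ARP_UNANSWERED
    if hop == ipsec_gw:
        return TUNNELED
    return WRONG_GATEWAY


def scenarios() -> Dict[str, str]:
    """The cases discussed in the thread, each reduced to the reply host's decision."""
    lan = ip_network("192.168.0.0/24")
    netgear = ip_address("192.168.0.1")    # RT314: DHCP server, assumed to be the hosts' default gateway
    freeswan = ip_address("192.168.0.5")   # cobraHost, the IPsec gateway
    target = LanHost(ip_address("192.168.0.20"), lan, netgear)  # constructed LAN host being pinged
    on_wire = {netgear, freeswan, target.addr}

    notebook_on_lan = ip_address("192.168.0.11")  # the local test from the first post
    xp_private = ip_address("192.168.0.77")       # constructed: John's overlapping-subnet case
    xp_dialup = ip_address("213.7.23.58")         # the dial-up address seen in the Pluto log

    results = {
        "notebook plugged into the LAN":
            reply_path(target, notebook_on_lan, on_wire | {notebook_on_lan}, freeswan),
        "WinXP with a 192.168.0.x address behind its own router":
            reply_path(target, xp_private, on_wire, freeswan),
        "WinXP on a dial-up public address":
            reply_path(target, xp_dialup, on_wire, freeswan),
    }
    # Editor's generalisation: give the LAN host a host route for the road warrior via cobraHost.
    fixed = LanHost(target.addr, lan, netgear, [Route(ip_network("213.7.23.58/32"), freeswan)])
    results["dial-up, with a host route for 213.7.23.58 via 192.168.0.5"] = \
        reply_path(fixed, xp_dialup, on_wire, freeswan)
    return results


if __name__ == "__main__":
    for name, fate in scenarios().items():
        print(f"{name}: {fate}")
```

Run it and the four scenarios print their outcome: the local test on the LAN works because the reply is on-link, the overlapping-subnet case dies waiting for an ARP answer, the dial-up case dies because 192.168.0.1 rather than 192.168.0.5 receives the reply, and only the host route puts the reply into the tunnel. The same effect can be had by installing that route on the Netgear instead of on every host, or by making the FreeS/WAN box the LAN's default gateway; which of those is practical depends on the router, which the thread does not say.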
-----Original Message-----
From: Andreas Dorn [mailto:kreiselkicker_at_compuserve.de]
Sent: Tuesday, April 23, 2002 5:48 AM
To: users_at_lists.freeswan.org
Subject: [Users] FreeSwan <----> SSH Sentinel WinXP Client on CallByCall
ISDN/Modem Connection = Mission Impossible ?
Hello!
Maybe some kind person could help me out of this. There must be
something about it.
I hope I'm not on "mission impossible". I spent quite some time on this
but I cannot find the trick.
I appreciate any comment.
Thank you
andy
scenario:

  Linux / FreeS/WAN 1.96 / X.509 patch ("cobraHost")
  192.168.0.5/24, IP forwarding enabled
        |
  LAN 192.168.0.0/24
        |
  Netgear RT314 (ADSL router)
    local IP 192.168.0.1/24
    DHCP server / DNS server and forwarder for 192.168.0.0/24
    NAT / firewall
    port 500 forwarded to 192.168.0.5
    protocol 50/51 forwarding enabled
    DNS registered as "somehost.dyndns.org"
        |
      ADSL
        |
     INTERNET
        |
   ISDN / modem (call-by-call provider, some public IP)
        |
  Notebook: WinXP, SSH Sentinel (1.3 b47)
I configured FreeS/WAN and SSH Sentinel as described in
http://www.ssh.com/products/sentinel/SSH-Sentinel-1.3-FreeSWAN.pdf
The FreeS/WAN ipsec.conf:

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute
        leftcert=cobraHost.pem
        auto=add
        pfs=yes

conn roadwarrior
        right=%any

conn roadwarrior-net
        leftsubnet=192.168.0.0/24
        right=%any
I added a VPN connection to SSH Sentinel with security
gateway="somehost.dyndns.org" and remote network 192.168.0.0/24 and no
DHCP.
I managed all the certificate stuff and tested the connection with the
notebook locally plugged into the LAN; works fine!
(But I think that's not important anyway because the notebook has
internal IP 192.168.0.11 then...)
I went away and connected the notebook via an ISDN call-by-call provider to
the Internet.
I connect via Sentinel, yippie! Connection works!
BUT: ping 192.168.0.5 runs into a timeout, and so do any others to the
192.168.0.0/24 subnet
:-(
I looked into FreeS/WAN's log:
Apr 23 11:24:08 cobra ipsec_setup: Starting FreeS/WAN IPsec 1.96...
Apr 23 11:24:08 cobra ipsec_setup: KLIPS debug `none'
Apr 23 11:24:08 cobra ipsec_setup: KLIPS ipsec0 on eth0 192.168.0.5/255.255.255.0 broadcast 192.168.0.255
Apr 23 11:24:08 cobra ipsec__plutorun: Starting Pluto subsystem...
Apr 23 11:24:08 cobra Pluto[23487]: Starting Pluto (FreeS/WAN Version 1.96)
Apr 23 11:24:08 cobra Pluto[23487]: including X.509 patch (Version 0.9.8)
Apr 23 11:24:08 cobra ipsec_setup: ...FreeS/WAN IPsec started
Apr 23 11:24:08 cobra Pluto[23487]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 23 11:24:08 cobra Pluto[23487]: loaded cacert file 'cobraCA.pem' (1708 bytes)
Apr 23 11:24:08 cobra Pluto[23487]: Changing to directory '/etc/ipsec.d/crls'
Apr 23 11:24:08 cobra Pluto[23487]: loaded crl file 'crl.pem' (715 bytes)
Apr 23 11:24:08 cobra Pluto[23487]: loaded my X.509 cert file '/etc/x509cert.der' (1265 bytes)
Apr 23 11:24:09 cobra Pluto[23487]: loaded host cert file '/etc/ipsec.d/cobraHost.pem' (5135 bytes)
Apr 23 11:24:09 cobra Pluto[23487]: added connection description "roadwarrior"
Apr 23 11:24:09 cobra Pluto[23487]: loaded host cert file '/etc/ipsec.d/cobraHost.pem' (5135 bytes)
Apr 23 11:24:09 cobra Pluto[23487]: added connection description "roadwarrior-net"
Apr 23 11:24:09 cobra Pluto[23487]: listening for IKE messages
Apr 23 11:24:09 cobra Pluto[23487]: adding interface ipsec0/eth0 192.168.0.5
Apr 23 11:24:09 cobra Pluto[23487]: loading secrets from "/etc/ipsec.secrets"
Apr 23 11:24:09 cobra Pluto[23487]: loaded private key file '/etc/ipsec.d/private/cobraHost.key.pem' (3467 bytes)
Apr 23 11:24:17 cobra kernel: ipsec0: no IPv6 routers present
Apr 23 11:25:54 cobra Pluto[23487]: packet from 213.7.23.58:500: ignoring Vendor ID payload
Apr 23 11:25:54 cobra Pluto[23487]: "roadwarrior" 213.7.23.58 #1: responding to Main Mode from unknown peer 213.7.23.58
Apr 23 11:25:55 cobra Pluto[23487]: "roadwarrior-net" 213.7.23.58 #1: sent MR3, ISAKMP SA established
Apr 23 11:25:56 cobra Pluto[23487]: "roadwarrior-net" 213.7.23.58 #2: responding to Quick Mode
Apr 23 11:25:56 cobra Pluto[23487]: "roadwarrior-net" 213.7.23.58 #2: IPsec SA established
I think the connection is established and OK?
I did an ipconfig /all on the WinXP machine:
Windows IP Configuration
Host Name . . . . . . . . . . . . : andy
Primary DNS Suffix  . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter {7897FF62-3E75-4ACE-9A53-77E5CE2FD952}:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : SSH Virtual Network Adapter (sshvnic)
Physical Address. . . . . . . . . : 02-00-00-00-01-00
PPP adapter FreeNet:
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 213.7.209.38
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 213.7.209.38
DNS Servers . . . . . . . . . . . : 62.104.191.241
                                    62.104.196.134
NetBIOS over Tcpip. . . . . . . . : Disabled
I looked into Sentinel's audit logfile after all that happened:
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 00000000 00000000 [-1] / 0x00000000 } IP; Start isakmp sa
negotiation
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 00000000 00000000 [-1] / 0x00000000 } IP; Version = 1.0,
Input packet fields = 0000
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 00000000 00000000 [-1] / 0x00000000 } IP; Encode packet,
version = 1.0, flags = 0x00000000
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Packet to old
negotiation
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Version = 1.0,
Input packet fields = 0001 SA
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Encode packet,
version = 1.0, flags = 0x00000000
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Packet to old
negotiation
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Warning, junk after
packet len = 160, decoded = 157
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Version = 1.0,
Input packet fields = 0052 KE CR NONCE
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Restart packet
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Version = 1.0,
Input packet fields = 0052 KE CR NONCE
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Diffie-hellman
secret g^xy[128] = 0x1ae697b1 f1af1778 7d6fabe9 1f5e8fa9 dc3673f8
fb8c4fd4 f09dc0be f9146bf0 accf4579 5b86a37e ae22373a d3c63dd0 daf4db48
69468eea 8d8f4aa4...
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Hash algorithm =
hmac-md5
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Prf key[32] =
0xdcbb2415 431af601 76fe323b ffaa3a0c 7306264c 21924672 525d4890
ff77d32e
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Calculating SKEYID
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Output of SKEYID
hash[16] = 0xb286786e a71c865b e642db3c 97072d0f
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Output of SKEYID_d
hash[16] = 0xb0468f87 00e04e77 ef698195 bb8da121
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Output of SKEYID_a
hash[16] = 0x49cf32b6 435586fc 98dc3eec 4489ff45
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Output SKEYID_e
hash[16] = 0x022e5ee4 b064586b 2a7ae925 d420989d
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Final encryption
key[24] = 0xe51c958f 9e09e318 69c2e9d6 d54ede6e b3511a97 3ea23ccb
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Output of HASH_I
hash[16] = 0xb8951080 9e257f6f b7cd87bc 22555a52
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Encode packet,
version = 1.0, flags = 0x00000001
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Packet to old
negotiation
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Version = 1.0,
Input packet fields = 008c ID CERT SIG
: SPD: Can not determine per-rule trusted CA root set for remote
identity der_asn1_dn(any:0,[0..164]=C=DE, ST=Area, L=City, O=AIZ,
OU=somehost.dyndns.org, CN=cobraHOST,
MAILTO=kreiselkicker_at_compuserve.de). Using only globally trusted roots.
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Output of HASH_R
hash[16] = 0x0e79bc79 caeae4b0 860d8341 ea6399ae
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; dec->enc iv[8] =
0x07bac9a6 bb3d9d48
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; MESSAGE: Phase 1
version = 1.0, auth_method = RSA signatures, cipher = 3des-cbc, hash =
md5, prf = hmac-md5, life = 0 kB / 14400 sec, key len = 0, group = 2
: Phase-1 [initiator] between der_asn1_dn(udp:500,[0..95]=C=DE, O=AIZ,
OU=somehost.dyndns.org, CN=another_at_email.com) and
der_asn1_dn(any:0,[0..164]=C=DE, ST=Area, L=City, O=AIZ,
OU=somehost.dyndns.org, CN=cobraHOST,
MAILTO=kreiselkicker_at_compuserve.de) done.
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Start ipsec sa
negotiation
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Version = 1.0, Input
packet fields = 0000
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Output of phase 2 IV
hash[8] = 0xbedebb4b 5eaed08b
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Encode packet,
version = 1.0, flags = 0x00000001
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; HASH hash .= M-ID[4]
= 0x122e900a
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; HASH hash .= rest of
packet[400] = 0x0a0000dc 00000001 00000001 02000034 01030401...
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Output of HASH
hash[16] = 0x21f65820 cfc43470 d19bf2a1 c106d102
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Connected
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Version = 1.0,
Input packet fields = 008c ID CERT SIG
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Connected
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Packet to old
negotiation
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Version = 1.0, Input
packet fields = 0037 SA KE ID HASH NONCE
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; HASH hash .= M-ID[4]
= 0x122e900a
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; HASH hash .= Ni[16]
= 0xe83aa9b3 f19bdb04 0216bb51 3863958c
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; HASH hash .= rest of
packet[244] = 0x0a000040 00000001 00000001 00000034 01030401...
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Output of HASH
hash[16] = 0x27527904 87d8c197 dfc539c5 4362933e
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; HASH hash .= 0[1] =
0x00
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; HASH hash .= M-ID[4]
= 0x122e900a
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; HASH hash .= Ni[16]
= 0xe83aa9b3 f19bdb04 0216bb51 3863958c
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; HASH hash .= Nr[16]
= 0x1e5c2c2d c4a98a9f 685e2397 7e9489fc
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Output of HASH
hash[16] = 0xd8dbf354 b226cb17 71ce9e2a 1d9c7596
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Diffie-hellman
secret g^(qm)xy[128] = 0x938ffb13 b6ebfb35 32b00033 a6b0c241 9ffd4aa4
3b59188e 99aa2ac6 abda0749 69ff8c2f a98c8305 119ef6a2 a5e07a77 41884f2f
a464372f e32aad7b...
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; MESSAGE: Phase 2
connection succeeded, Using PFS, group = 2
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; MESSAGE: SA[0][0] =
ESP 3des, life = 409600 kB/3600 sec, group = 2, tunnel, hmac-md5-96, key
len = 0, key rounds = 0
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Ipsec keys, mac =
hmac-md5, proto = 3
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; spi[4] = 0xcdff65fc
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; keymat.skeyid_d[16]
= 0xb0468f87 00e04e77 ef698195 bb8da121
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; keymat.gqmxy[128] =
0x938ffb13 b6ebfb35 32b00033 a6b0c241 9ffd4aa4 3b59188e 99aa2ac6
abda0749 69ff8c2f a98c8305...
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; keymat.ni[16] =
0xe83aa9b3 f19bdb04 0216bb51 3863958c
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; keymat.nr[16] =
0x1e5c2c2d c4a98a9f 685e2397 7e9489fc
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; key.out[40] =
0x74bae488 2ce8ad92 725d62eb 9e86ba0c a5c4be78 eec2140a d7e0df0a
91892bea 290efa26 fa142452
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Ipsec keys, mac =
hmac-md5, proto = 3
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; spi[4] = 0xe1997fd0
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; keymat.skeyid_d[16]
= 0xb0468f87 00e04e77 ef698195 bb8da121
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; keymat.gqmxy[128] =
0x938ffb13 b6ebfb35 32b00033 a6b0c241 9ffd4aa4 3b59188e 99aa2ac6
abda0749 69ff8c2f a98c8305...
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; keymat.ni[16] =
0xe83aa9b3 f19bdb04 0216bb51 3863958c
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; keymat.nr[16] =
0x1e5c2c2d c4a98a9f 685e2397 7e9489fc
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; key.out[40] =
0x7318dca2 89e32c6c e1d69072 4008b84e 20644fe9 27efe8df 70df834e
5c47c97e 84fb7ecd 308c88d7
: Phase-2 [initiator] done bundle 5 with 2 SA's by rule 181:`ipsec
ipv4(any:0,[0..3]=213.7.23.58)<->ipv4_subnet(any:0,[0..7]=192.168.0.0/24
)(gw:ipv4(any:0,[0..3]=217.224.31.251))'
: SA ESP[e1997fd0] alg [3des-cbc/24]+hmac[hmac-md5-96] bundle [5,0] pri
0 opts src=ipv4(any:0,[0..3]=213.7.23.58)
dst=ipv4_subnet(any:0,[0..7]=192.168.0.0/24)
: SA ESP[cdff65fc] alg [3des-cbc/24]+hmac[hmac-md5-96] bundle [5,0] pri
0 opts src=ipv4_subnet(any:0,[0..7]=192.168.0.0/24)
dst=ipv4(any:0,[0..3]=213.7.23.58)
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Encode packet,
version = 1.0, flags = 0x00000001
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Connected
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Restart packet
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Version = 1.0, Input
packet fields = 0037 SA KE ID HASH NONCE
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Connected
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38
9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; Deleting negotiation
OK, that's a lot.
I hope I didn't forget anything ;-)
I think this must be either a "mission impossible" due to some
router/NAT stuff, or I'm blind in both eyes maybe...
Please comment!
Thank you again
andy
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.351 / Virus Database: 197 - Release Date: 19.04.2002
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
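The Sentinel audit log in the post is useful for two things: it records exactly which ESP SAs were installed and with which traffic selectors, and it shows that at this debug level Sentinel prints the Diffie-Hellman secret, the SKEYID values and the final encryption key in clear. The parser below, an added example that is not code from SSH Sentinel or FreeS/WAN, extracts the Phase 1 parameters and the SA table from such a log and flags the lines that should be scrubbed before the log is posted anywhere. Its SAMPLE_LOG is a constructed excerpt in the same format, with made-up hex in place of the real key values; the cookies, SPIs and selectors are the ones from the post.

```python
"""
Extract the negotiated IPsec parameters from an SSH Sentinel 1.3 audit log
and flag the lines that disclose key material.

Added example for this thread; not code from SSH Sentinel or FreeS/WAN.
SAMPLE_LOG is a constructed excerpt in the format of the posted log, with
made-up hex where the real log printed keys.
"""
import re
from typing import Dict, List

SAMPLE_LOG = """\
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38 9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Prf key[32] = 0x00112233 44556677 8899aabb ccddeeff 00112233 44556677 8899aabb ccddeeff
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38 9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Final encryption key[24] = 0x0badc0de 0badc0de 0badc0de 0badc0de 0badc0de 0badc0de
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38 9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; Output of HASH_I hash[16] = 0x01234567 89abcdef 01234567 89abcdef
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38 9d000004 - 5446f95b 5e4538f9 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = RSA signatures, cipher = 3des-cbc, hash = md5, prf = hmac-md5, life = 0 kB / 14400 sec, key len = 0, group = 2
DEBUG: 0.0.0.0:500 (Initiator) <-> 217.224.31.251:500 { 3885aa38 9d000004 - 5446f95b 5e4538f9 [0] / 0x122e900a } QM; MESSAGE: SA[0][0] = ESP 3des, life = 409600 kB/3600 sec, group = 2, tunnel, hmac-md5-96, key len = 0, key rounds = 0
: SA ESP[e1997fd0] alg [3des-cbc/24]+hmac[hmac-md5-96] bundle [5,0] pri 0 opts src=ipv4(any:0,[0..3]=213.7.23.58) dst=ipv4_subnet(any:0,[0..7]=192.168.0.0/24)
: SA ESP[cdff65fc] alg [3des-cbc/24]+hmac[hmac-md5-96] bundle [5,0] pri 0 opts src=ipv4_subnet(any:0,[0..7]=192.168.0.0/24) dst=ipv4(any:0,[0..3]=213.7.23.58)
"""

PHASE1_RE = re.compile(r"MESSAGE: Phase 1 (.+)$")
ESP_SA_RE = re.compile(
    r": SA ESP\[(?P<spi>[0-9a-f]+)\] alg \[(?P<enc>[^\]]+)\]\+hmac\[(?P<auth>[^\]]+)\]"
    r".*?src=\w+\(any:0,\[\d+\.\.\d+\]=(?P<src>[^)]+)\)"
    r" dst=\w+\(any:0,\[\d+\.\.\d+\]=(?P<dst>[^)]+)\)")
# Secret inputs to or outputs of the IKE key derivation, printed as hex.
# Deliberately conservative: anything named key/secret/SKEYID*/iv followed by "= 0x".
SECRET_RE = re.compile(r"\b(secret|key|skeyid\w*|iv)\b[^=]*=\s*0x", re.IGNORECASE)


def phase1_params(log: str) -> Dict[str, str]:
    """Parse the 'Phase 1 ...' summary into a dict such as {'cipher': '3des-cbc', 'group': '2', ...}."""
    for line in log.splitlines():
        m = PHASE1_RE.search(line)
        if m:
            pairs = (item.split(" = ", 1) for item in m.group(1).split(", "))
            return {k.strip(): v.strip() for k, v in pairs}
    return {}


def esp_sas(log: str) -> List[Dict[str, str]]:
    """One entry per installed ESP SA: SPI, cipher, integrity algorithm and traffic selectors."""
    return [m.groupdict() for m in map(ESP_SA_RE.search, log.splitlines()) if m]


def secret_lines(log: str) -> List[int]:
    """1-based numbers of the lines that dump key material; scrub these before posting a log."""
    return [i for i, line in enumerate(log.splitlines(), 1) if SECRET_RE.search(line)]


if __name__ == "__main__":
    print("Phase 1:", phase1_params(SAMPLE_LOG))
    for sa in esp_sas(SAMPLE_LOG):
        print(f"ESP SPI {sa['spi']}: {sa['enc']} + {sa['auth']}  {sa['src']} -> {sa['dst']}")
    print("lines with key material:", secret_lines(SAMPLE_LOG))
```

Applied to the log in the post, the SA table comes out as 213.7.23.58 and 192.168.0.0/24 in both directions, which matches the "IPsec SA established" line in Pluto's log and is consistent with John's reading that the tunnel comes up and the trouble lies in where the echo reply is routed. The flagged lines are the ones a reader would want removed from a public post: the session keys printed there are exactly what an attacker who captured the ESP traffic of that session would need.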
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:53 CEST