Re: [Users] WinXP and x509

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Fri Oct 04 2002 - 07:47:32 CEST


The peer side, i.e. FreeS/WAN does not seem to get message MI3 containing
W2k's ID, certificate and signature. The reason might be IP fragmentation
problems on the Linux side. Large certificates cause the UDP datagram
to be fragmented. Ipchains and iptables firewall rules discard IP
fragments by default. Could you check the pluto log if the message
ever gets received?

Regards

Andreas

Segree, Gareth wrote:
> I am getting the following error in the oakley.log
>
> 10-03: 18:47:51:472:89c Initialization OK
> 10-03: 18:48:48:494:d70 Acquire from driver: op=81512210 src=208.52.71.38.0
> dst=89.0.121.1.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.0.0.0,
> Tunnel 1, TunnelEndpt=208.138.31.25 Inbound TunnelEndpt=208.52.71.38
> 10-03: 18:48:48:494:a84 Filter to match: Src 208.138.31.25 Dst 208.52.71.38
> 10-03: 18:48:48:494:a84 MM PolicyName: 1
> 10-03: 18:48:48:494:a84 MMPolicy dwFlags 2 SoftSAExpireTime 28800
> 10-03: 18:48:48:494:a84 MMOffer[0] LifetimeSec 28800 QMLimit 0 DHGroup 2
> 10-03: 18:48:48:494:a84 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
> 10-03: 18:48:48:494:a84 MMOffer[1] LifetimeSec 28800 QMLimit 0 DHGroup 2
> 10-03: 18:48:48:494:a84 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
> 10-03: 18:48:48:494:a84 MMOffer[2] LifetimeSec 28800 QMLimit 0 DHGroup 1
> 10-03: 18:48:48:494:a84 MMOffer[2] Encrypt: DES CBC Hash: SHA
> 10-03: 18:48:48:494:a84 MMOffer[3] LifetimeSec 28800 QMLimit 0 DHGroup 1
> 10-03: 18:48:48:494:a84 MMOffer[3] Encrypt: DES CBC Hash: MD5
> 10-03: 18:48:48:494:a84 Auth[0]:RSA Sig C=JM, S=KGN, L=Kingston, O=The
> Gleaner Company Ltd., OU=Technology, CN=Gleaner, E=dgleaner_at_gleanerjm.com
> 10-03: 18:48:48:494:a84 QM PolicyName: Host-roadwarrior-net filter action
> dwFlags 1
> 10-03: 18:48:48:494:a84 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
> 10-03: 18:48:48:494:a84 QMOffer[0] dwFlags 0 dwPFSGroup 268435456
> 10-03: 18:48:48:494:a84 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC:
> MD5
> 10-03: 18:48:48:494:a84 Starting Negotiation: src = 208.52.71.38.0000, dst =
> 208.138.31.25.0500, proto = 00, context = 81512210, ProxySrc =
> 208.52.71.38.0000, ProxyDst = 89.0.0.0.0000 SrcMask = 255.255.255.255
> DstMask = 255.0.0.0
> 10-03: 18:48:48:494:a84 constructing ISAKMP Header
> 10-03: 18:48:48:494:a84 constructing SA (ISAKMP)
> 10-03: 18:48:48:494:a84 Constructing Vendor
> 10-03: 18:48:48:494:a84
> 10-03: 18:48:48:494:a84 Sending: SA = 0x000F0550 to 208.138.31.25:Type 2
> 10-03: 18:48:48:494:a84 ISAKMP Header: (V1.0), len = 216
> 10-03: 18:48:48:494:a84 I-COOKIE 1a96f8461d341407
> 10-03: 18:48:48:494:a84 R-COOKIE 0000000000000000
> 10-03: 18:48:48:494:a84 exchange: Oakley Main Mode
> 10-03: 18:48:48:494:a84 flags: 0
> 10-03: 18:48:48:494:a84 next payload: SA
> 10-03: 18:48:48:494:a84 message ID: 00000000
> 10-03: 18:48:49:65:a84
> 10-03: 18:48:49:65:a84 Receive: (get) SA = 0x000f0550 from 208.138.31.25
> 10-03: 18:48:49:65:a84 ISAKMP Header: (V1.0), len = 84
> 10-03: 18:48:49:65:a84 I-COOKIE 1a96f8461d341407
> 10-03: 18:48:49:65:a84 R-COOKIE e80cc3b208d2d8ce
> 10-03: 18:48:49:65:a84 exchange: Oakley Main Mode
> 10-03: 18:48:49:65:a84 flags: 0
> 10-03: 18:48:49:65:a84 next payload: SA
> 10-03: 18:48:49:65:a84 message ID: 00000000
> 10-03: 18:48:49:65:a84 processing payload SA
> 10-03: 18:48:49:65:a84 Received Phase 1 Transform 1
> 10-03: 18:48:49:65:a84 Encryption Alg Triple DES CBC(5)
> 10-03: 18:48:49:65:a84 Hash Alg SHA(2)
> 10-03: 18:48:49:65:a84 Oakley Group 2
> 10-03: 18:48:49:65:a84 Auth Method RSA Signature with Certificates(3)
> 10-03: 18:48:49:65:a84 Life type in Seconds
> 10-03: 18:48:49:65:a84 Life duration of 28800
> 10-03: 18:48:49:65:a84 Phase 1 SA accepted: transform=1
> 10-03: 18:48:49:65:a84 SA - Oakley proposal accepted
> 10-03: 18:48:49:65:a84 constructing ISAKMP Header
> 10-03: 18:48:49:135:a84 constructing KE
> 10-03: 18:48:49:135:a84 constructing NONCE (ISAKMP)
> 10-03: 18:48:49:135:a84
> 10-03: 18:48:49:135:a84 Sending: SA = 0x000F0550 to 208.138.31.25:Type 2
> 10-03: 18:48:49:135:a84 ISAKMP Header: (V1.0), len = 184
> 10-03: 18:48:49:135:a84 I-COOKIE 1a96f8461d341407
> 10-03: 18:48:49:135:a84 R-COOKIE e80cc3b208d2d8ce
> 10-03: 18:48:49:135:a84 exchange: Oakley Main Mode
> 10-03: 18:48:49:135:a84 flags: 0
> 10-03: 18:48:49:135:a84 next payload: KE
> 10-03: 18:48:49:135:a84 message ID: 00000000
> 10-03: 18:48:49:736:a84
> 10-03: 18:48:49:736:a84 Receive: (get) SA = 0x000f0550 from 208.138.31.25
> 10-03: 18:48:49:736:a84 ISAKMP Header: (V1.0), len = 188
> 10-03: 18:48:49:736:a84 I-COOKIE 1a96f8461d341407
> 10-03: 18:48:49:736:a84 R-COOKIE e80cc3b208d2d8ce
> 10-03: 18:48:49:736:a84 exchange: Oakley Main Mode
> 10-03: 18:48:49:736:a84 flags: 0
> 10-03: 18:48:49:736:a84 next payload: KE
> 10-03: 18:48:49:736:a84 message ID: 00000000
> 10-03: 18:48:49:736:a84 processing payload KE
> 10-03: 18:48:49:766:a84 processing payload NONCE
> 10-03: 18:48:49:766:a84 processing payload CRP
> 10-03: 18:48:49:766:a84 constructing ISAKMP Header
> 10-03: 18:48:49:766:a84 constructing ID
> 10-03: 18:48:49:766:a84 Received no valid CRPs. Using all configured
> 10-03: 18:48:49:766:a84 Looking for IPSec only cert
> 10-03: 18:48:49:766:a84 Cert Trustes. 0 100
> 10-03: 18:48:49:766:a84 CertFindExtenstion failed with 0
>
> 10-03: 18:48:49:766:a84 Entered CRL check
> 10-03: 18:48:49:766:a84 Left CRL check
> 10-03: 18:48:49:766:a84 Cert SHA Thumbprint 700d2992f0e37bc8902e392469b6a10d
> 10-03: 18:48:49:766:a84 8abda40c
> 10-03: 18:48:49:766:a84 SubjectName: C=JM, S=KGN, L=Kingston, O=The Gleaner
> Company Ltd., OU=Advertising, CN=advreplap1.gleanerjm.com,
> E=Advertising_at_gleanerjm.com
> 10-03: 18:48:49:766:a84 Cert Serialnumber 07
> 10-03: 18:48:49:766:a84 Cert SHA Thumbprint 700d2992f0e37bc8902e392469b6a10d
> 10-03: 18:48:49:766:a84 8abda40c
> 10-03: 18:48:49:766:a84 SubjectName: C=JM, S=KGN, L=Kingston, O=The Gleaner
> Company Ltd., OU=Technology, CN=Gleaner, E=dgleaner_at_gleanerjm.com
> 10-03: 18:48:49:766:a84 Cert Serialnumber 00
> 10-03: 18:48:49:766:a84 Cert SHA Thumbprint 70bf84d746344d411e2f5868c8106e87
> 10-03: 18:48:49:766:a84 740316fa
> 10-03: 18:48:49:766:a84 constructing CERT
> 10-03: 18:48:49:766:a84 Construct SIG
> 10-03: 18:48:49:776:a84 Constructing Cert Request
> 10-03: 18:48:49:776:a84 C=JM, S=KGN, L=Kingston, O=The Gleaner Company Ltd.,
> OU=Technology, CN=Gleaner, E=dgleaner_at_gleanerjm.com
> 10-03: 18:48:49:786:a84
> 10-03: 18:48:49:786:a84 Sending: SA = 0x000F0550 to 208.138.31.25:Type 2
> 10-03: 18:48:49:786:a84 ISAKMP Header: (V1.0), len = 1548
> 10-03: 18:48:49:786:a84 I-COOKIE 1a96f8461d341407
> 10-03: 18:48:49:786:a84 R-COOKIE e80cc3b208d2d8ce
> 10-03: 18:48:49:786:a84 exchange: Oakley Main Mode
> 10-03: 18:48:49:786:a84 flags: 1 ( encrypted )
> 10-03: 18:48:49:786:a84 next payload: ID
> 10-03: 18:48:49:786:a84 message ID: 00000000
> 10-03: 18:48:50:787:9f4 retransmit: sa = 000F0550 centry 00000000 , count =
> 1
> 10-03: 18:48:50:787:9f4
> 10-03: 18:48:50:787:9f4 Sending: SA = 0x000F0550 to 208.138.31.25:Type 2
> 10-03: 18:48:50:787:9f4 ISAKMP Header: (V1.0), len = 1548
> 10-03: 18:48:50:787:9f4 I-COOKIE 1a96f8461d341407
> 10-03: 18:48:50:787:9f4 R-COOKIE e80cc3b208d2d8ce
> 10-03: 18:48:50:787:9f4 exchange: Oakley Main Mode
> 10-03: 18:48:50:787:9f4 flags: 1 ( encrypted )
> 10-03: 18:48:50:787:9f4 next payload: ID
> 10-03: 18:48:50:787:9f4 message ID: 00000000
> 10-03: 18:48:52:800:9f4 retransmit: sa = 000F0550 centry 00000000 , count =
> 2
> 10-03: 18:48:52:800:9f4
> 10-03: 18:48:52:800:9f4 Sending: SA = 0x000F0550 to 208.138.31.25:Type 2
> 10-03: 18:48:52:800:9f4 ISAKMP Header: (V1.0), len = 1548
> 10-03: 18:48:52:800:9f4 I-COOKIE 1a96f8461d341407
> 10-03: 18:48:52:800:9f4 R-COOKIE e80cc3b208d2d8ce
> 10-03: 18:48:52:800:9f4 exchange: Oakley Main Mode
> 10-03: 18:48:52:800:9f4 flags: 1 ( encrypted )
> 10-03: 18:48:52:800:9f4 next payload: ID
> 10-03: 18:48:52:800:9f4 message ID: 00000000
> 10-03: 18:48:56:816:9f4 retransmit: sa = 000F0550 centry 00000000 , count =
> 3
> 10-03: 18:48:56:816:9f4
> 10-03: 18:48:56:816:9f4 Sending: SA = 0x000F0550 to 208.138.31.25:Type 2
> 10-03: 18:48:56:816:9f4 ISAKMP Header: (V1.0), len = 1548
> 10-03: 18:48:56:816:9f4 I-COOKIE 1a96f8461d341407
> 10-03: 18:48:56:816:9f4 R-COOKIE e80cc3b208d2d8ce
> 10-03: 18:48:56:816:9f4 exchange: Oakley Main Mode
> 10-03: 18:48:56:816:9f4 flags: 1 ( encrypted )
> 10-03: 18:48:56:816:9f4 next payload: ID
> 10-03: 18:48:56:816:9f4 message ID: 00000000
> 10-03: 18:49:00:201:a84
> 10-03: 18:49:00:201:a84 Receive: (get) SA = 0x000f0550 from 208.138.31.25
> 10-03: 18:49:00:201:a84 ISAKMP Header: (V1.0), len = 188
> 10-03: 18:49:00:201:a84 I-COOKIE 1a96f8461d341407
> 10-03: 18:49:00:201:a84 R-COOKIE e80cc3b208d2d8ce
> 10-03: 18:49:00:201:a84 exchange: Oakley Main Mode
> 10-03: 18:49:00:201:a84 flags: 0
> 10-03: 18:49:00:201:a84 next payload: KE
> 10-03: 18:49:00:201:a84 message ID: 00000000
> 10-03: 18:49:00:201:a84 received an unencrypted packet when crypto active
> 10-03: 18:49:00:201:a84 GetPacket failed 35ec
>
>
> Why am I getting the error above?
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users

-- 
======================================================================
Andreas Steffen                 e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                  phone:  +41 76 340 25 56
Alter Zürichweg 20              home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
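To make the symptom Andreas describes checkable, here is an added example (not from the thread, FreeS/WAN or Windows) in Python that walks oakley.log lines like the quoted ones, flags an outgoing ISAKMP message that was retransmitted without an accepted reply, and computes how many IPv4 fragments that datagram needed. It assumes a 1500-byte path MTU and IPv4/UDP headers without options; the sample log is constructed from the quoted output with timestamps removed.

```python
# Added example, not from the thread: summarise the quoted oakley.log symptom.
# Assumed (not on the page): Ethernet path MTU 1500, IPv4/UDP headers without
# options; SAMPLE_LOG is constructed after the quoted log, timestamps dropped.
import math
import re

LEN_RE = re.compile(r"ISAKMP Header: \(V1\.0\), len = (\d+)")

def ip_fragments(isakmp_len, mtu=1500):
    """IPv4 fragments needed for a UDP datagram carrying isakmp_len bytes."""
    per_fragment = (mtu - 20) // 8 * 8                  # data is 8-byte aligned
    return math.ceil((isakmp_len + 8) / per_fragment)   # +8: UDP header

def analyse_oakley_log(lines, mtu=1500):
    """Outgoing ISAKMP messages retransmitted and never answered, with fragment count."""
    sends, pending, is_copy = [], None, False
    for line in lines:
        if "Sending: SA" in line:
            pending = "send"
        elif "Receive: (get) SA" in line:
            pending = "recv"
        elif "retransmit: sa" in line and sends:
            sends[-1]["retransmits"] += 1               # next "Sending" is a copy
            is_copy = True
        elif "received an unencrypted packet when crypto active" in line and sends:
            sends[-1]["replies"] -= 1                   # peer only resent its old message
        elif pending and (m := LEN_RE.search(line)):
            size = int(m.group(1))
            if pending == "recv" and sends:
                sends[-1]["replies"] += 1
            elif pending == "send" and not is_copy:
                sends.append({"len": size, "retransmits": 0, "replies": 0,
                              "fragments": ip_fragments(size, mtu)})
            is_copy, pending = False, None
    return [s for s in sends if s["retransmits"] and s["replies"] < 1]

SAMPLE_LOG = """\
Sending: SA = 0x000F0550 to 208.138.31.25:Type 2
ISAKMP Header: (V1.0), len = 1548
retransmit: sa = 000F0550 centry 00000000 , count = 1
Sending: SA = 0x000F0550 to 208.138.31.25:Type 2
ISAKMP Header: (V1.0), len = 1548
retransmit: sa = 000F0550 centry 00000000 , count = 2
Sending: SA = 0x000F0550 to 208.138.31.25:Type 2
ISAKMP Header: (V1.0), len = 1548
Receive: (get) SA = 0x000f0550 from 208.138.31.25
ISAKMP Header: (V1.0), len = 188
received an unencrypted packet when crypto active
""".splitlines()
```

Run `analyse_oakley_log(SAMPLE_LOG)` to see the 1548-byte MI3 reported as two IP fragments, retransmitted twice and never answered; the only packet that came back was the peer's unencrypted resend, which is exactly what a fragment-dropping firewall in front of pluto would produce.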


This archive was generated by hypermail 2.1.5 : Sat Oct 05 2002 - 05:20:20 CEST