From: Glenn Remstedt (glenn.remstedt_at_teklogix.se)
Date: Tue Oct 15 2002 - 13:10:46 CEST
Hi list, what's going on here?
linux:~ # ipsec auto --up vpn
104 "vpn" #8: STATE_MAIN_I1: initiate
003 "vpn" #8: ignoring Vendor ID payload
003 "vpn" #8: ignoring Vendor ID payload
003 "vpn" #8: ignoring Vendor ID payload
003 "vpn" #8: ignoring Vendor ID payload
106 "vpn" #8: STATE_MAIN_I2: sent MI2, expecting MR2
108 "vpn" #8: STATE_MAIN_I3: sent MI3, expecting MR3
003 "vpn" #8: next payload type of ISAKMP Signature Payload has an unknown value: 211
003 "vpn" #8: malformed payload in packet
010 "vpn" #8: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "vpn" #8: next payload type of ISAKMP Signature Payload has an unknown value: 211
003 "vpn" #8: malformed payload in packet
010 "vpn" #8: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "vpn" #8: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
000 "vpn" #8: starting keying attempt 2 of an unlimited number, but releasing whack
linux:~ #
Here is my ipsec.conf:

conn %default
    type=tunnel
    #
    left=%defaultroute
    leftsubnet=194.14.14.0/255.255.255.0
    leftcert=freeswan_cert.pem
    #
    right=194.14.14.184
    rightsubnet=194.14.14.0/24
    rightcert=sentinel_cert.pem
    #
    keyexchange=ike
    ikelifetime=240m
    keylife=5h
    auth=esp
    pfs=yes
    compress=no
    authby=rsasig
    keyingtries=0
    auto=add

# sample VPN - connection
conn vpn
    # Right Security Gateway
    right=194.14.14.184
    auto=add

DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; New SA
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 0001 SA
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Encode packet, version = 1.0, flags = 0x00000000
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Packet to old negotiation
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 0012 KE NONCE
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Diffie-hellman secret g^xy[192] = 0x255af530 c2e26f68 b5cadc8f e5a3fe2c 6cb08cdd 20268fc5 04b58e0b 2422e787 d23b535e e227db67 79e5eb0c a827681f 859226ac dfc17489 f67b4b29...
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Hash algorithm = hmac-md5
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Prf key[32] = 0x3c3a00b0 7fda4d2f dd7399c5 80fd0779 b34b6d5b 09e039b0 c5f99598 886ee5f9
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Calculating SKEYID
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Output of SKEYID hash[16] = 0x38694105 92e36131 042668fb 14cb26d7
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Output of SKEYID_d hash[16] = 0x91e64f1c f153e66d f7afc151 177c6f60
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Output of SKEYID_a hash[16] = 0x572bbaa4 d63b700c 680c510b aeebf8fe
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Output SKEYID_e hash[16] = 0xde64062a cff7df5f ef0e041b ef720326
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Final encryption key[24] = 0x3ba935b2 7710f02a 4c63de2a c6f08567 be8ab4ca 8088804e
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Encode packet, version = 1.0, flags = 0x00000000
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Packet to old negotiation
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 00cc ID CERT CR SIG
: SPD: Can not determine per-rule trusted CA root set for remote identity der_asn1_dn(any:0,[0..144]=C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=bart.kuo.fi.ssh.com, MAILTO=glenn.remstedt_at_teklogix.se). Using only globally trusted roots.
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Output of HASH_I hash[16] = 0xd595b652 d9724446 b232b60a 37838dba
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Restart packet
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 00cc ID CERT CR SIG
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Output of HASH_R hash[16] = 0x2e67d89e 338a0043 da094558 1f2db567
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = RSA signatures, cipher = 3des-cbc, hash = md5, prf = hmac-md5, life = 0 kB / 14400 sec, key len = 0, group = 5
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Encode packet, version = 1.0, flags = 0x00000001
: Phase-1 [responder] between fqdn(udp:500,[0..6]=win2000) and der_asn1_dn(any:0,[0..144]=C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=bart.kuo.fi.ssh.com, MAILTO=glenn.remstedt_at_teklogix.se) done.
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Connected
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Packet to old negotiation
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Packet to old negotiation
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Restart packet
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 00cc ID CERT CR SIG
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b70b6b26 8c92de7e - db3a7f50 2b000003 [-1] / 0x00000000 } IP; Connected
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; New SA
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 0001 SA
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Encode packet, version = 1.0, flags = 0x00000000
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Packet to old negotiation
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 0012 KE NONCE
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Diffie-hellman secret g^xy[192] = 0x3a028039 1c14602d d7a1c11c 939236fc 54468a7f 6176a3e3 0d8b0c65 9eb133d8 b9470c3e b155b273 87d4f839 f7e2b180 2bf763d8 8e6281cf 2cb6b010...
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Hash algorithm = hmac-md5
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Prf key[32] = 0x74ad3cbd 2d41cf3d 1d79b22d 718f52dc 004f10ea e91fdf2a b9da3c5f 9e516cb9
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Calculating SKEYID
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Output of SKEYID hash[16] = 0xa7461838 73142593 b7ebde0b ac30962a
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Output of SKEYID_d hash[16] = 0xd5bf53d9 e2f8a36c bda97845 ea8df8ab
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Output of SKEYID_a hash[16] = 0x724d5ae7 26d42032 334d5edd 558180a5
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Output SKEYID_e hash[16] = 0x92f16829 3b7e317b aa00cdbf 63b88b9c
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Final encryption key[24] = 0x68b0b35d c016bc19 46533ebc 98d23c54 139a062e 0b45c01b
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Encode packet, version = 1.0, flags = 0x00000000
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Packet to old negotiation
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 00cc ID CERT CR SIG
: SPD: Can not determine per-rule trusted CA root set for remote identity der_asn1_dn(any:0,[0..144]=C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=bart.kuo.fi.ssh.com, MAILTO=glenn.remstedt_at_teklogix.se). Using only globally trusted roots.
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Output of HASH_I hash[16] = 0xcfa8526d 587776b1 4268d4eb b8ed1aec
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Restart packet
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 00cc ID CERT CR SIG
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Output of HASH_R hash[16] = 0x0c954ce3 02b58da1 17d56385 28e7e22d
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = RSA signatures, cipher = 3des-cbc, hash = md5, prf = hmac-md5, life = 0 kB / 14400 sec, key len = 0, group = 5
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Encode packet, version = 1.0, flags = 0x00000001
: Phase-1 [responder] between fqdn(udp:500,[0..6]=win2000) and der_asn1_dn(any:0,[0..144]=C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=bart.kuo.fi.ssh.com, MAILTO=glenn.remstedt_at_teklogix.se) done.
DEBUG: 0.0.0.0:500 (Responder) <-> 194.14.14.8:500 { b679cedf 087069fc - 1d8d4c61 fe000004 [-1] / 0x00000000 } IP; Connected
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users