From: earl_at_maskina.com
Date: Thu Sep 12 2002 - 16:42:00 CEST
Hi,
If anyone has any clues, I could really use some help on this.
I am unable to establish a VPN from either Windows 2000 or Windows XP roadwarrior clients.
I don't seem to get any errors on the gateway side.
The only error I have to go on is "IKE authentication credentials are unacceptable" on the Windows side (oakley.log).
This error is known when trying to use Windows 2000 pre-SP2 (see the MS Knowledgebase), but I am using Win2K SP2/SP3 and WinXP.
I already have a running FreeSwan/Checkpoint VPN based on shared secrets.
I stripped all legal IP addresses and replaced them with xxx.xxx.xxx.xxx, and also replaced the FQDN with XX XX XX XX XX.
My setup is:
Redhat 7.3 (kernel 2.4.18.5)
IPtables 1.2.5
FreeSwan 1.98b
x509 patch 0.9.14
OpenSSL 0.9.6b
Here is my ipsec.conf on the FreeSwan side:
conn intranet-roadwarrior
        leftsubnet=172.18.18.0/24
        also=kerberos-roadwarrior
conn MYFIREWALL-roadwarrior
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        right=%any
        rightsubnet=0/0
        left=xxx.xxx.xxx.xxx EDITED
        leftcert=kerberos.pem
        auto=add
        pfs=yes
Here is an example from the FreeSwan log:
Sep 10 14:36:16 kerberos pluto[28693]: "intranet-roadwarrior"[1] xxx.xxx.xxx.xxx #2745: starting keying attempt 992 of an unlimited number
Sep 10 14:36:16 kerberos pluto[28693]: "intranet-roadwarrior"[1] xxx.xxx.xxx.xxx #2751: initiating Main Mode to replace #2745
Sep 10 14:36:24 kerberos pluto[28693]: "intranet-roadwarrior"[1] xxx.xxx.xxx.xxx #2746: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
Sep 10 14:36:24 kerberos pluto[28693]: "intranet-roadwarrior"[1] xxx.xxx.xxx.xxx #2746: starting keying attempt 653 of an unlimited number
Sep 10 14:36:24 kerberos pluto[28693]: "intranet-roadwarrior"[1] xxx.xxx.xxx.xxx #2752: initiating Main Mode to replace #2746
Sep 10 14:36:43 kerberos pluto[28693]: "intranet-roadwarrior"[1] xxx.xxx.xxx.xxx #2748: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
Sep 10 14:36:43 kerberos pluto[28693]: "intranet-roadwarrior"[1] xxx.xxx.xxx.xxx #2748: starting keying attempt 971 of an unlimited number
Sep 10 14:36:43 kerberos pluto[28693]: "intranet-roadwarrior"[1] xxx.xxx.xxx.xxx #2753: initiating Main Mode to replace #2748
Here is an example from the Windows oakley log:
9-09: 02:16:51:875:380 0x0 0x0
9-09: 02:16:51:875:380 ProcessFailure: sa:000D3218 centry:00000000 status:35e9
9-09: 02:16:51:875:380 Not creating notify.
9-09: 02:17:15:749:380
9-09: 02:17:15:749:380 Receive: (get) SA = 0x00000000 from xxx.xxx.xxx.xxx EDITED
9-09: 02:17:15:749:380 ISAKMP Header: (V1.0), len = 176
9-09: 02:17:15:749:380 I-COOKIE ba7ba795aa904e21
9-09: 02:17:15:749:380 R-COOKIE 0000000000000000
9-09: 02:17:15:749:380 exchange: Oakley Main Mode
9-09: 02:17:15:749:380 flags: 0
9-09: 02:17:15:749:380 next payload: SA
9-09: 02:17:15:749:380 message ID: 00000000
9-09: 02:17:15:749:380 Filter to match: Src xxx.xxx.xxx.xxx Dst 192.168.1.34 EDITED
9-09: 02:17:15:749:380 MM PolicyName: 9
9-09: 02:17:15:749:380 MMPolicy dwFlags 2 SoftSAExpireTime 28800
9-09: 02:17:15:749:380 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
9-09: 02:17:15:749:380 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
9-09: 02:17:15:749:380 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
9-09: 02:17:15:749:380 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
9-09: 02:17:15:749:380 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
9-09: 02:17:15:749:380 MMOffer[2] Encrypt: DES CBC Hash: SHA
9-09: 02:17:15:749:380 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
9-09: 02:17:15:749:380 MMOffer[3] Encrypt: DES CBC Hash: MD5
9-09: 02:17:15:749:380 Auth[0]:RSA Sig C=XX, S=XX, L=XX, O=XX, OU=XX, CN=XX, E=XX EDITED
9-09: 02:17:15:749:380 Responding with new SA 109328
9-09: 02:17:15:749:380 processing payload SA
9-09: 02:17:15:749:380 Received Phase 1 Transform 0
9-09: 02:17:15:749:380 Life type in Seconds
9-09: 02:17:15:749:380 Life duration of 3600
9-09: 02:17:15:749:380 Encryption Alg Triple DES CBC(5)
9-09: 02:17:15:749:380 Hash Alg MD5(1)
9-09: 02:17:15:749:380 Auth Method RSA Signature with Certificates(3)
9-09: 02:17:15:749:380 Oakley Group 5
9-09: 02:17:15:749:380 Received Phase 1 Transform 1
9-09: 02:17:15:749:380 Life type in Seconds
9-09: 02:17:15:749:380 Life duration of 3600
9-09: 02:17:15:749:380 Encryption Alg Triple DES CBC(5)
9-09: 02:17:15:749:380 Hash Alg SHA(2)
9-09: 02:17:15:749:380 Auth Method RSA Signature with Certificates(3)
9-09: 02:17:15:749:380 Oakley Group 5
9-09: 02:17:15:749:380 Received Phase 1 Transform 2
9-09: 02:17:15:749:380 Life type in Seconds
9-09: 02:17:15:749:380 Life duration of 3600
9-09: 02:17:15:749:380 Encryption Alg Triple DES CBC(5)
9-09: 02:17:15:749:380 Hash Alg SHA(2)
9-09: 02:17:15:749:380 Auth Method RSA Signature with Certificates(3)
9-09: 02:17:15:749:380 Oakley Group 2
9-09: 02:17:15:749:380 Received Phase 1 Transform 3
9-09: 02:17:15:749:380 Life type in Seconds
9-09: 02:17:15:749:380 Life duration of 3600
9-09: 02:17:15:749:380 Encryption Alg Triple DES CBC(5)
9-09: 02:17:15:749:380 Hash Alg MD5(1)
9-09: 02:17:15:749:380 Auth Method RSA Signature with Certificates(3)
9-09: 02:17:15:749:380 Oakley Group 2
9-09: 02:17:15:749:380 Phase 1 SA accepted: transform=3
9-09: 02:17:15:749:380 SA - Oakley proposal accepted
9-09: 02:17:15:749:380 constructing ISAKMP Header
9-09: 02:17:15:749:380 constructing SA (ISAKMP)
9-09: 02:17:15:749:380 Constructing Vendor
9-09: 02:17:15:749:380
9-09: 02:17:15:749:380 Sending: SA = 0x00109328 to xxx.xxx.xxx.xxx:Type 2 EDITED
9-09: 02:17:15:749:380 ISAKMP Header: (V1.0), len = 108
9-09: 02:17:15:749:380 I-COOKIE ba7ba795aa904e21
9-09: 02:17:15:749:380 R-COOKIE e0d6937880f24c52
9-09: 02:17:15:749:380 exchange: Oakley Main Mode
9-09: 02:17:15:749:380 flags: 0
9-09: 02:17:15:749:380 next payload: SA
9-09: 02:17:15:749:380 message ID: 00000000
9-09: 02:17:15:839:380
9-09: 02:17:15:839:380 Receive: (get) SA = 0x00109328 from xxx.xxx.xxx.xxx EDITED
9-09: 02:17:15:839:380 ISAKMP Header: (V1.0), len = 180
9-09: 02:17:15:839:380 I-COOKIE ba7ba795aa904e21
9-09: 02:17:15:839:380 R-COOKIE e0d6937880f24c52
9-09: 02:17:15:839:380 exchange: Oakley Main Mode
9-09: 02:17:15:839:380 flags: 0
9-09: 02:17:15:839:380 next payload: KE
9-09: 02:17:15:839:380 message ID: 00000000
9-09: 02:17:15:839:380 processing payload KE
9-09: 02:17:15:920:380 processing payload NONCE
9-09: 02:17:15:920:380 constructing ISAKMP Header
9-09: 02:17:15:920:380 constructing KE
9-09: 02:17:15:920:380 constructing NONCE (ISAKMP)
9-09: 02:17:15:920:380 Constructing Cert Request
9-09: 02:17:15:920:380 C=XX, S=XX, L=XX, O=XX, OU=XX, CN=XX, E=XX EDITED
9-09: 02:17:15:920:380
9-09: 02:17:15:920:380 Sending: SA = 0x00109328 to xxx.xxx.xxx.xxx:Type 2 EDITED
9-09: 02:17:15:920:380 ISAKMP Header: (V1.0), len = 333
9-09: 02:17:15:920:380 I-COOKIE ba7ba795aa904e21
9-09: 02:17:15:920:380 R-COOKIE e0d6937880f24c52
9-09: 02:17:15:920:380 exchange: Oakley Main Mode
9-09: 02:17:15:920:380 flags: 0
9-09: 02:17:15:920:380 next payload: KE
9-09: 02:17:15:920:380 message ID: 00000000
9-09: 02:17:16:170:380
9-09: 02:17:16:170:380 Receive: (get) SA = 0x00109328 from xxx.xxx.xxx.xxx EDITED
9-09: 02:17:16:170:380 ISAKMP Header: (V1.0), len = 1660
9-09: 02:17:16:170:380 I-COOKIE ba7ba795aa904e21
9-09: 02:17:16:170:380 R-COOKIE e0d6937880f24c52
9-09: 02:17:16:170:380 exchange: Oakley Main Mode
9-09: 02:17:16:170:380 flags: 1 ( encrypted )
9-09: 02:17:16:170:380 next payload: ID
9-09: 02:17:16:170:380 message ID: 00000000
9-09: 02:17:16:170:380 processing payload ID
9-09: 02:17:16:170:380 processing payload CERT
9-09: 02:17:16:170:380 processing payload CRP
9-09: 02:17:16:170:380 processing payload SIG
9-09: 02:17:16:170:380 Verifying CertStore
9-09: 02:17:16:170:380 SubjectName: C=XX, S=XX, L=XX, O=XX, OU=XX, CN=XX, E=XX EDITED
9-09: 02:17:16:170:380 Cert Serialnumber 01
9-09: 02:17:16:170:380 Cert SHA Thumbprint 1c138f3eb56a6f7142db2a91e2ec004e
9-09: 02:17:16:170:380 35b82b5c
9-09: 02:17:16:170:380 Trust failed. 28 0
9-09: 02:17:16:170:380 Cert Trustes. 28 0
9-09: 02:17:16:170:380 SubjectName: =XX, S=XX, L=XX, O=XX, OU=XX, CN=XX, E=XX EDITED
9-09: 02:17:16:170:380 Cert Serialnumber 01
9-09: 02:17:16:170:380 Cert SHA Thumbprint 1c138f3eb56a6f7142db2a91e2ec004e
9-09: 02:17:16:170:380 35b82b5c
9-09: 02:17:16:170:380 Cert SHA Thumbprint 1c138f3eb56a6f7142db2a91e2ec004e
9-09: 02:17:16:170:380 35b82b5c
9-09: 02:17:16:180:380 Certificate based Identity.
Peer Subject C=XX, S=XX, L=XX, O=XX, OU=XX, CN=XX, E=XX EDITED
Peer SHA Thumbprint 1c138f3eb56a6f7142db2a91e2ec004e35b82b5c
Peer Issuing Certificate Authority C=XX, S=XX, L=XX, O=XX, OU=XX, CN=XX, E=XX EDITED
Root Certificate Authority
My Subject C=XX, S=XX, L=XX, O=XX, OU=XX, CN=XX, E=XX EDITED
My SHA Thumbprint 0000000000000000000000000000000000000000
Peer IP Address: xxx.xxx.xxx.xxx EDITED
9-09: 02:17:16:180:380 Source IP Address 192.168.1.34
Source IP Address Mask 255.255.255.255
Destination IP Address xxx.xxx.xxx.xxx EDITED
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr
IKE Peer Addr
9-09: 02:17:16:180:380 isadb_set_status sa:00109328 centry:00000000 status 35e9
9-09: 02:17:16:180:380 Key Exchange Mode (Main Mode)
9-09: 02:17:16:180:380 Source IP Address 192.168.1.34
Source IP Address Mask 255.255.255.255
Destination IP Address xxx.xxx.xxx.xxx EDITED
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr
IKE Peer Addr
9-09: 02:17:16:180:380 Certificate based Identity.
Peer Subject C=XX, S=XX, L=XX, O=XX, OU=XX, CN=XX, E=XX EDITED
Peer SHA Thumbprint 1c138f3eb56a6f7142db2a91e2ec004e35b82b5c
Peer Issuing Certificate Authority C=XX, S=XX, L=XX, O=XX, OU=XX, CN=XX, E=XX EDITED
Root Certificate Authority
My Subject C=XX, S=XX, L=XX, O=XX, OU=XX, CN=XX, E=XX EDITED
My SHA Thumbprint 0000000000000000000000000000000000000000
Peer IP Address: xxx.xxx.xxx.xxx EDITED
9-09: 02:17:16:180:380 Me
9-09: 02:17:16:180:380 IKE authentication credentials are unacceptable
9-09: 02:17:16:180:380 0x0 0x0
9-09: 02:17:16:180:380 ProcessFailure: sa:00109328 centry:00000000 status:35e9
9-09: 02:17:16:180:380 Not creating notify.
9-09: 02:17:26:174:380
9-09: 02:17:26:174:380 Receive: (get) SA = 0x00109328 from xxx.xxx.xxx.xxx EDITED
9-09: 02:17:26:174:380 ISAKMP Header: (V1.0), len = 1660
9-09: 02:17:26:174:380 I-COOKIE ba7ba795aa904e21
9-09: 02:17:26:174:380 R-COOKIE e0d6937880f24c52
9-09: 02:17:26:174:380 exchange: Oakley Main Mode
9-09: 02:17:26:174:380 flags: 1 ( encrypted )
9-09: 02:17:26:174:380 next payload: ID
9-09: 02:17:26:174:380 message ID: 00000000
9-09: 02:17:26:174:380 Dropping SA processing because SA status set. SA 00109328 Centry 00000000 Status 35e9
9-09: 02:17:46:173:380
9-09: 02:17:46:173:380 Receive: (get) SA = 0x00109328 from xxx.xxx.xxx.xxx EDITED
9-09: 02:17:46:173:380 ISAKMP Header: (V1.0), len = 1660
9-09: 02:17:46:173:380 I-COOKIE ba7ba795aa904e21
9-09: 02:17:46:173:380 R-COOKIE e0d6937880f24c52
9-09: 02:17:46:173:380 exchange: Oakley Main Mode
9-09: 02:17:46:173:380 flags: 1 ( encrypted )
9-09: 02:17:46:173:380 next payload: ID
9-09: 02:17:46:173:380 message ID: 00000000
9-09: 02:17:46:173:380 Dropping SA processing because SA status set. SA 00109328 Centry 00000000 Status 35e9
Jarl Stefansson
MASKINA
earl_at_maskina.com
GSM: +354-869-4949
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
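As an added example (not the poster's own tooling or part of the list archive), the following Python script reads oakley.log lines in the format shown above and extracts what a troubleshooter needs side by side: the DH groups in the Windows MMOffer entries, the Phase 1 transforms FreeS/WAN proposed, which one was accepted, and the certificate findings ("Trust failed", the all-zero "My SHA Thumbprint", and the final "IKE authentication credentials are unacceptable"). The embedded log excerpt is constructed from the post's redacted values; reading an all-zero local thumbprint as "Windows selected no certificate of its own" is this example's assumption, not a Microsoft-documented rule.

```python
import re

# Constructed excerpt in the format of the post's oakley.log (values redacted as in the post).
SAMPLE_LOG = """\
9-09: 02:17:15:749:380 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
9-09: 02:17:15:749:380 Received Phase 1 Transform 0
9-09: 02:17:15:749:380 Encryption Alg Triple DES CBC(5)
9-09: 02:17:15:749:380 Hash Alg MD5(1)
9-09: 02:17:15:749:380 Oakley Group 5
9-09: 02:17:15:749:380 Received Phase 1 Transform 3
9-09: 02:17:15:749:380 Encryption Alg Triple DES CBC(5)
9-09: 02:17:15:749:380 Hash Alg MD5(1)
9-09: 02:17:15:749:380 Oakley Group 2
9-09: 02:17:15:749:380 Phase 1 SA accepted: transform=3
9-09: 02:17:16:170:380 Trust failed. 28 0
My SHA Thumbprint 0000000000000000000000000000000000000000
9-09: 02:17:16:180:380 IKE authentication credentials are unacceptable
"""

STAMP = re.compile(r"^\d+-\d+: [\d:]+ ")  # "9-09: 02:17:15:749:380 " prefix; wrapped lines lack it
ATTR = {"Encryption Alg": "enc", "Hash Alg": "hash", "Oakley Group": "group"}
def parse_oakley(text):
    # Returns local DH groups (MMOffer), peer Phase 1 transforms, accepted index, auth findings.
    local_groups, transforms, accepted, findings, cur = set(), {}, None, [], None
    for raw in text.splitlines():
        body = STAMP.sub("", raw).strip()
        if m := re.match(r"MMOffer\[\d+\] .*DHGroup (\d+)", body):
            local_groups.add(int(m.group(1)))
        elif m := re.match(r"Received Phase 1 Transform (\d+)", body):
            cur = int(m.group(1)); transforms[cur] = {}
        elif cur is not None and (m := re.match(r"(Encryption Alg|Hash Alg|Oakley Group) (.+?)(?:\(\d+\))?$", body)):
            key, val = ATTR[m.group(1)], m.group(2).strip()
            transforms[cur][key] = int(val) if key == "group" else val
        elif m := re.match(r"Phase 1 SA accepted: transform=(\d+)", body):
            accepted, cur = int(m.group(1)), None
        elif body.startswith("Trust failed"):
            findings.append("peer certificate chain not trusted: " + body)
        elif re.fullmatch(r"My SHA Thumbprint 0+", body):  # all-zero local thumbprint: read as "no local cert selected" (assumption)
            findings.append("local certificate thumbprint is all zeros")
        elif "IKE authentication credentials are unacceptable" in body:
            findings.append(body)
    return {"local_groups": local_groups, "transforms": transforms, "accepted": accepted, "findings": findings}

def diagnose(text):
    # One line per peer transform (does its DH group match a local offer?), then the auth findings.
    r = parse_oakley(text)
    out = [f"transform {i}: {t.get('enc')}/{t.get('hash')}/DH{t.get('group')}: "
           + ("matches a local offer" if t.get("group") in r["local_groups"] else "DH group not offered locally")
           for i, t in sorted(r["transforms"].items())]
    return out + [f"accepted transform: {r['accepted']}"] + ["auth finding: " + f for f in r["findings"]]
```

Run `diagnose(open("oakley.log").read())` on a real log to see at a glance whether the failure is in the Phase 1 proposal or, as in this post, in certificate trust after the proposal was accepted.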
This archive was generated by hypermail 2.1.5 : Thu Oct 17 2002 - 05:20:27 CEST