From: Patrick Topping (ptopping_at_pobox.com)
Date: Thu Dec 26 2002 - 23:12:33 CET

Andreas,

I made the correction to S=California and I am still getting the same
error. I have attached the oakley log from the Windows machine. The
error that I am seeing in the FreeSWAN secure log is as follows:

Dec 26 22:00:14 sapphire pluto[14666]: "aeronet" #13: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA

The error that I am getting in the oakley log is below. I know the
problem is on the XP side but I am unsure on how to fix it. I have gone
through the steps on Nate's web site a couple of times but I seem to be
getting the same error.

12-26: 14:00:21:41:bf8 Receive: (get) SA = 0x000e3830 from 192.168.255.254
12-26: 14:00:21:41:bf8 ISAKMP Header: (V1.0), len = 188
12-26: 14:00:21:41:bf8 I-COOKIE 8423ddf04e204ed5
12-26: 14:00:21:41:bf8 R-COOKIE 68d5a3aa523f4f24
12-26: 14:00:21:41:bf8 exchange: Oakley Main Mode
12-26: 14:00:21:41:bf8 flags: 0
12-26: 14:00:21:41:bf8 next payload: KE
12-26: 14:00:21:41:bf8 message ID: 00000000
12-26: 14:00:21:41:bf8 processing payload KE
12-26: 14:00:21:62:bf8 processing payload NONCE
12-26: 14:00:21:62:bf8 processing payload CRP
12-26: 14:00:21:62:bf8 constructing ISAKMP Header
12-26: 14:00:21:62:bf8 constructing ID
12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
12-26: 14:00:21:62:bf8 Looking for IPSec only cert
12-26: 14:00:21:62:bf8 Trust failed. 1 100
12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
12-26: 14:00:21:62:bf8 Looking for IPSec only cert
12-26: 14:00:21:62:bf8 Trust failed. 1 100
12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
12-26: 14:00:21:62:bf8 Looking for IPSec only cert
12-26: 14:00:21:62:bf8 failed to get chain 80092004
12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
12-26: 14:00:21:62:bf8 Looking for any cert
12-26: 14:00:21:62:bf8 Trust failed. 1 100
12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
12-26: 14:00:21:62:bf8 Looking for any cert
12-26: 14:00:21:72:bf8 Trust failed. 1 100
12-26: 14:00:21:72:bf8 Received no valid CRPs. Using all configured
12-26: 14:00:21:72:bf8 Looking for any cert
12-26: 14:00:21:72:bf8 failed to get chain 80092004
12-26: 14:00:21:72:bf8 ProcessFailure: sa:000E3830 centry:00000000 status:35ee
12-26: 14:00:21:72:bf8 isadb_set_status sa:000E3830 centry:00000000 status 35ee

Andreas Steffen wrote:
> Now Windows XP has a problem. You defined
>
> >>> rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire,
> >>> Email=ptopping_at_pobox.com"
>
> in the Windows ipsec.conf but Microsoft wants
>
> S=California
>
> Regards
>
> Andreas
>
> Patrick Topping wrote:
>
>> Thanks Andreas. I have added the authby=rsasig and now I am getting
>> the following error:
>>
>>> Dec 26 19:47:34 sapphire pluto[14065]: "aeronet" #5: responding to
>>> Main Mode
>>> Dec 26 19:47:34 sapphire pluto[14065]: "aeronet" #5: encrypted
>>> Informational Exchange message is invalid because it is for
>>> incomplete ISAKMP SA
>>> Dec 26 19:47:44 sapphire pluto[14065]: | handling event
>>> EVENT_RETRANSMIT for 192.168.255.250 "aeronet" #5
>>> Dec 26 19:48:04 sapphire pluto[14065]: | handling event
>>> EVENT_RETRANSMIT for 192.168.255.250 "aeronet" #5
>>
>>
>>
>>
>> At least it is something new...:-)
>>
>> -Patrick
>>
>>
>>
>> Andreas Steffen wrote:
>>
>>> The entry
>>>
>>> authby=rsasig
>>>
>>> is missing in your FreeS/WAN ipsec.conf. Therefore authby=secret is
>>> assumed by default, leading to the error below.
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> Patrick Topping wrote:
>>>
>>>> With attachments this time......:-)
>>>>
>>>> I have read through and done step by step what is on Nate Carlson's
>>>> web page and I still cannot get the tunnel up. I have attached the
>>>> ipsec.conf files for both the FreeSWAN gateway and for my Windows
>>>> XP client. The error that I am seeing on the gateway is as follows:
>>>>
>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: responding to
>>>> Main Mode
>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: policy does
>>>> not allow OAKLEY_RSA_SIG authentication. Attribute
>>>> OAKLEY_AUTHENTICATION_METHOD
>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: policy does
>>>> not allow OAKLEY_RSA_SIG authentication. Attribute
>>>> OAKLEY_AUTHENTICATION_METHOD
>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49:
>>>> OAKLEY_DES_CBC is not supported. Attribute
>>>> OAKLEY_ENCRYPTION_ALGORITHM
>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49:
>>>> OAKLEY_DES_CBC is not supported. Attribute
>>>> OAKLEY_ENCRYPTION_ALGORITHM
>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: no acceptable
>>>> Oakley Transform
>>>> Dec 26 17:14:28 sapphire pluto[12474]: "aeronet" #50: responding to
>>>> Main Mode
>>>> Dec 26 17:14:28 sapphire pluto[12474]: "aeronet" #50: policy does
>>>> not allow OAKLEY_RSA_SIG authentication. Attribute
>>>> OAKLEY_AUTHENTICATION_METHOD
>>>>
>>>> Thanks in advance for any help I can get.
>>>>
>>>> -Patrick
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>>
>>>> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>>>>
>>>> # More elaborate and more varied sample configurations can be found
>>>> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
>>>>
>>>>
>>>>
>>>> # basic configuration
>>>> config setup
>>>> # THIS SETTING MUST BE CORRECT or almost nothing will work;
>>>> # %defaultroute is okay for most simple cases.
>>>> # interfaces=%defaultroute
>>>> interfaces="ipsec0=eth0 ipsec1=eth1"
>>>> # Debug-logging controls: "none" for (almost) none, "all" for lots.
>>>> klipsdebug=all
>>>> plutodebug=all
>>>> # Use auto= parameters in conn descriptions to control startup actions.
>>>> plutoload=%search
>>>> plutostart=%search
>>>> plutowait=no
>>>> # Close down old connection when new one using same ID shows up.
>>>> uniqueids=yes
>>>>
>>>> conn aerocast
>>>> left=68.99.179.107
>>>> leftnexthop=68.99.176.1
>>>> leftsubnet=192.168.255.0/24
>>>> right=64.157.41.125
>>>> rightnexthop=64.157.40.6
>>>> rightsubnet=10.10.0.0/16
>>>> auto=start
>>>> pfs=yes
>>>> esp=3des-sha1-96
>>>> keyexchange=ike
>>>> auth=esp
>>>> disablearrivalcheck=no
>>>> keyingtries=0
>>>> keylife=24h
>>>>
>>>> conn level3
>>>> left=68.99.179.107
>>>> leftnexthop=68.99.176.1
>>>> leftsubnet=192.168.255.0/24
>>>> right=64.157.41.177
>>>> rightnexthop=64.157.40.6
>>>> rightsubnet=172.16.0.0/24
>>>> auto=start
>>>> pfs=yes
>>>> esp=3des-sha1-96
>>>> keyexchange=ike
>>>> auth=esp
>>>> disablearrivalcheck=no
>>>> keyingtries=0
>>>> keylife=24h
>>>>
>>>> #conn roadwarrior-net
>>>> # leftsubnet=192.168.255.0/24
>>>> # also=roadwarrior
>>>>
>>>> #conn roadwarrior
>>>> # left=68.99.179.107
>>>> # leftcert=sapphire.pem
>>>> # right=%defaultroute
>>>> # rightcert=clk430.pem
>>>> # auto=add
>>>> # pfs=yes
>>>>
>>>> conn aeronet
>>>> left=192.168.255.254
>>>> leftsubnet=192.168.255.0/24
>>>> leftcert=sapphire.pem
>>>> right=192.168.255.250
>>>> rightcert=clk430.pem
>>>> auto=add
>>>> pfs=yes
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>>
>>>> #conn roadwarrior
>>>> # left=%any
>>>> # right=68.99.179.107
>>>> # rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>>> # network=auto
>>>> # auto=start
>>>> # pfs=yes
>>>>
>>>> #conn roadwarrior-net
>>>> # left=%any
>>>> # right=68.99.179.107
>>>> # rightsubnet=192.168.255.0/24
>>>> # rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>>> # network=auto
>>>> # auto=start
>>>> # pfs=yes
>>>>
>>>> conn roadwarrior-allnet
>>>> left=%any
>>>> right=192.168.255.254
>>>> rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>>> rightsubnet=*
>>>> network=auto
>>>> auto=start
>>>> pfs=yes
>>>
>>>
>>>
>>>
>>> ======================================================================
>>> Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
>>> strongSec GmbH phone: +41 76 340 25 56
>>> Alter Zürichweg 20 home: http://www.strongsec.com
>>> CH-8952 Schlieren (Switzerland)
>>> ==========================================[strong internet security]==
>>>
>>>
>>> .
>>>
>>
>>
>>
>
>

conn roadwarrior-allnet
left=%any
right=192.168.255.254
rightca="C=US, S=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
rightsubnet=*
network=auto
auto=start
pfs=yes
authby=rsasig

12-26: 13:57:59:208:810 Initialization OK
12-26: 13:58:15:381:be0 Acquire from driver: op=81B4F940 src=192.168.255.250.0 dst=64.156.44.184.0 proto = 0, SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 1, TunnelEndpt=192.168.255.254 Inbound TunnelEndpt=192.168.255.250
12-26: 13:58:15:381:460 Filter to match: Src 192.168.255.254 Dst 192.168.255.250
12-26: 13:58:15:381:460 MM PolicyName: 1
12-26: 13:58:15:381:460 MMPolicy dwFlags 2 SoftSAExpireTime 28800
12-26: 13:58:15:381:460 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
12-26: 13:58:15:381:460 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
12-26: 13:58:15:381:460 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
12-26: 13:58:15:381:460 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
12-26: 13:58:15:381:460 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
12-26: 13:58:15:381:460 MMOffer[2] Encrypt: DES CBC Hash: SHA
12-26: 13:58:15:381:460 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
12-26: 13:58:15:381:460 MMOffer[3] Encrypt: DES CBC Hash: MD5
12-26: 13:58:15:381:460 Auth[0]:RSA Sig C=US, S=California, L=Irvine, O=Home, CN=sapphire, E=ptopping_at_pobox.com
12-26: 13:58:15:381:460 QM PolicyName: Host-roadwarrior-allnet filter action dwFlags 1
12-26: 13:58:15:381:460 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
12-26: 13:58:15:381:460 QMOffer[0] dwFlags 0 dwPFSGroup 268435456
12-26: 13:58:15:381:460 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
12-26: 13:58:15:381:460 Starting Negotiation: src = 192.168.255.250.0000, dst = 192.168.255.254.0500, proto = 00, context = 81B4F940, ProxySrc = 192.168.255.250.0000, ProxyDst = 0.0.0.0.0000 SrcMask = 255.255.255.255 DstMask = 0.0.0.0
12-26: 13:58:15:381:460 constructing ISAKMP Header
12-26: 13:58:15:381:460 constructing SA (ISAKMP)
12-26: 13:58:15:381:460 Constructing Vendor
12-26: 13:58:15:381:460
12-26: 13:58:15:381:460 Sending: SA = 0x000E3830 to 192.168.255.254:Type 2
12-26: 13:58:15:381:460 ISAKMP Header: (V1.0), len = 216
12-26: 13:58:15:381:460 I-COOKIE 5059b9d1065a3fa6
12-26: 13:58:15:381:460 R-COOKIE 0000000000000000
12-26: 13:58:15:381:460 exchange: Oakley Main Mode
12-26: 13:58:15:381:460 flags: 0
12-26: 13:58:15:381:460 next payload: SA
12-26: 13:58:15:381:460 message ID: 00000000
12-26: 13:58:16:382:e34 retransmit: sa = 000E3830 centry 00000000 , count = 1
12-26: 13:58:16:382:e34
12-26: 13:58:16:382:e34 Sending: SA = 0x000E3830 to 192.168.255.254:Type 2
12-26: 13:58:16:382:e34 ISAKMP Header: (V1.0), len = 216
12-26: 13:58:16:382:e34 I-COOKIE 5059b9d1065a3fa6
12-26: 13:58:16:382:e34 R-COOKIE 0000000000000000
12-26: 13:58:16:382:e34 exchange: Oakley Main Mode
12-26: 13:58:16:382:e34 flags: 0
12-26: 13:58:16:382:e34 next payload: SA
12-26: 13:58:16:382:e34 message ID: 00000000
12-26: 13:58:16:442:460
12-26: 13:58:16:442:460 Receive: (get) SA = 0x000e3830 from 192.168.255.254
12-26: 13:58:16:442:460 ISAKMP Header: (V1.0), len = 84
12-26: 13:58:16:442:460 I-COOKIE 5059b9d1065a3fa6
12-26: 13:58:16:442:460 R-COOKIE 3f16260379d19d91
12-26: 13:58:16:442:460 exchange: Oakley Main Mode
12-26: 13:58:16:442:460 flags: 0
12-26: 13:58:16:442:460 next payload: SA
12-26: 13:58:16:442:460 message ID: 00000000
12-26: 13:58:16:442:460 processing payload SA
12-26: 13:58:16:442:460 Received Phase 1 Transform 1
12-26: 13:58:16:442:460 Encryption Alg Triple DES CBC(5)
12-26: 13:58:16:442:460 Hash Alg SHA(2)
12-26: 13:58:16:442:460 Oakley Group 2
12-26: 13:58:16:442:460 Auth Method RSA Signature with Certificates(3)
12-26: 13:58:16:442:460 Life type in Seconds
12-26: 13:58:16:442:460 Life duration of 28800
12-26: 13:58:16:442:460 Phase 1 SA accepted: transform=1
12-26: 13:58:16:442:460 SA - Oakley proposal accepted
12-26: 13:58:16:442:460 constructing ISAKMP Header
12-26: 13:58:16:512:460 constructing KE
12-26: 13:58:16:512:460 constructing NONCE (ISAKMP)
12-26: 13:58:16:512:460
12-26: 13:58:16:512:460 Sending: SA = 0x000E3830 to 192.168.255.254:Type 2
12-26: 13:58:16:512:460 ISAKMP Header: (V1.0), len = 184
12-26: 13:58:16:512:460 I-COOKIE 5059b9d1065a3fa6
12-26: 13:58:16:512:460 R-COOKIE 3f16260379d19d91
12-26: 13:58:16:512:460 exchange: Oakley Main Mode
12-26: 13:58:16:512:460 flags: 0
12-26: 13:58:16:512:460 next payload: KE
12-26: 13:58:16:512:460 message ID: 00000000
12-26: 13:58:16:613:460
12-26: 13:58:16:613:460 Receive: (get) SA = 0x000e3830 from 192.168.255.254
12-26: 13:58:16:613:460 ISAKMP Header: (V1.0), len = 188
12-26: 13:58:16:613:460 I-COOKIE 5059b9d1065a3fa6
12-26: 13:58:16:613:460 R-COOKIE 3f16260379d19d91
12-26: 13:58:16:613:460 exchange: Oakley Main Mode
12-26: 13:58:16:613:460 flags: 0
12-26: 13:58:16:613:460 next payload: KE
12-26: 13:58:16:613:460 message ID: 00000000
12-26: 13:58:16:613:460 processing payload KE
12-26: 13:58:16:633:460 processing payload NONCE
12-26: 13:58:16:633:460 processing payload CRP
12-26: 13:58:16:633:460 constructing ISAKMP Header
12-26: 13:58:16:633:460 constructing ID
12-26: 13:58:16:633:460 Received no valid CRPs. Using all configured
12-26: 13:58:16:633:460 Looking for IPSec only cert
12-26: 13:58:16:643:460 Trust failed. 1 100
12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
12-26: 13:58:16:643:460 Looking for IPSec only cert
12-26: 13:58:16:643:460 Trust failed. 1 100
12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
12-26: 13:58:16:643:460 Looking for IPSec only cert
12-26: 13:58:16:643:460 failed to get chain 80092004
12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
12-26: 13:58:16:643:460 Looking for any cert
12-26: 13:58:16:643:460 Trust failed. 1 100
12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
12-26: 13:58:16:643:460 Looking for any cert
12-26: 13:58:16:643:460 Trust failed. 1 100
12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
12-26: 13:58:16:643:460 Looking for any cert
12-26: 13:58:16:643:460 failed to get chain 80092004
12-26: 13:58:16:643:460 ProcessFailure: sa:000E3830 centry:00000000 status:35ee
12-26: 13:58:16:643:460 isadb_set_status sa:000E3830 centry:00000000 status 35ee
12-26: 13:58:16:643:460 Key Exchange Mode (Main Mode)
12-26: 13:58:16:643:460 Source IP Address 192.168.255.250
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.255.254
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr
IKE Peer Addr
12-26: 13:58:16:643:460 Certificate based Identity.
Peer IP Address: 192.168.255.254
12-26: 13:58:16:643:460 Me
12-26: 13:58:16:643:460 IKE failed to find valid machine certificate
12-26: 13:58:16:643:460 0x80092004 0x100
12-26: 13:58:16:643:460 ProcessFailure: sa:000E3830 centry:00000000 status:35ee
12-26: 13:58:16:643:460 constructing ISAKMP Header
12-26: 13:58:16:643:460 constructing HASH (null)
12-26: 13:58:16:643:460 constructing NOTIFY 28
12-26: 13:58:16:643:460 constructing HASH (Notify/Delete)
12-26: 13:58:16:643:460
12-26: 13:58:16:643:460 Sending: SA = 0x000E3830 to 192.168.255.254:Type 1
12-26: 13:58:16:643:460 ISAKMP Header: (V1.0), len = 84
12-26: 13:58:16:643:460 I-COOKIE 5059b9d1065a3fa6
12-26: 13:58:16:643:460 R-COOKIE 3f16260379d19d91
12-26: 13:58:16:643:460 exchange: ISAKMP Informational Exchange
12-26: 13:58:16:643:460 flags: 1 ( encrypted )
12-26: 13:58:16:643:460 next payload: HASH
12-26: 13:58:16:643:460 message ID: bacd472d
12-26: 13:58:26:657:460
12-26: 13:58:26:657:460 Receive: (get) SA = 0x000e3830 from 192.168.255.254
12-26: 13:58:26:657:460 ISAKMP Header: (V1.0), len = 188
12-26: 13:58:26:657:460 I-COOKIE 5059b9d1065a3fa6
12-26: 13:58:26:657:460 R-COOKIE 3f16260379d19d91
12-26: 13:58:26:657:460 exchange: Oakley Main Mode
12-26: 13:58:26:657:460 flags: 0
12-26: 13:58:26:657:460 next payload: KE
12-26: 13:58:26:657:460 message ID: 00000000
12-26: 13:58:26:657:460 received an unencrypted packet when crypto active
12-26: 13:58:26:657:460 GetPacket failed 35ec
12-26: 13:58:46:656:460
12-26: 13:58:46:656:460 Receive: (get) SA = 0x000e3830 from 192.168.255.254
12-26: 13:58:46:656:460 ISAKMP Header: (V1.0), len = 188
12-26: 13:58:46:656:460 I-COOKIE 5059b9d1065a3fa6
12-26: 13:58:46:656:460 R-COOKIE 3f16260379d19d91
12-26: 13:58:46:656:460 exchange: Oakley Main Mode
12-26: 13:58:46:656:460 flags: 0
12-26: 13:58:46:656:460 next payload: KE
12-26: 13:58:46:656:460 message ID: 00000000
12-26: 13:58:46:656:460 received an unencrypted packet when crypto active
12-26: 13:58:46:656:460 GetPacket failed 35ec
12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas: 7ded5b6d-488d-4471-829ca689a02acc95 4
12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas: 41d9b683-5a06-4965-abf52b4da2d99aa4 4
12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas: b8ac66fe-928c-44dd-9c01aa594bf7d53d 3
12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas: 89c3929a-f918-4439-a970da4d4125e848 3
12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas: c002f544-7832-489a-b26bdfe01d4a5c2e 1
12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas: 79de7a7a-302c-4f77-9a0d6d829ff7cd25 2
12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas: 5bbfdf85-3a17-4626-8b758fab02d7b64c 2
12-26: 14:00:00:612:460 entered kill_old_policy_sas
12-26: 14:00:00:612:460 entered kill_old_policy_sas
12-26: 14:00:00:612:460 SA Dead. sa:000E3830 status:3619
12-26: 14:00:00:612:460 constructing ISAKMP Header
12-26: 14:00:00:612:460 constructing HASH (null)
12-26: 14:00:00:612:460 constructing DELETE. MM 000E3830
12-26: 14:00:00:612:460 constructing HASH (Notify/Delete)
12-26: 14:00:00:612:460
12-26: 14:00:00:612:460 Sending: SA = 0x000E3830 to 192.168.255.254:Type 1
12-26: 14:00:00:612:460 ISAKMP Header: (V1.0), len = 84
12-26: 14:00:00:612:460 I-COOKIE 5059b9d1065a3fa6
12-26: 14:00:00:612:460 R-COOKIE 3f16260379d19d91
12-26: 14:00:00:612:460 exchange: ISAKMP Informational Exchange
12-26: 14:00:00:612:460 flags: 1 ( encrypted )
12-26: 14:00:00:612:460 next payload: HASH
12-26: 14:00:00:612:460 message ID: 1e90325c
12-26: 14:00:00:612:460 entered kill_old_policy_sas
12-26: 14:00:00:612:460 entered kill_old_policy_sas
12-26: 14:00:00:612:460 entered kill_old_policy_sas
12-26: 14:00:00:612:460 entered kill_old_policy_sas
12-26: 14:00:00:612:460 entered kill_old_policy_sas
12-26: 14:00:20:811:be0 Acquire from driver: op=81B50130 src=192.168.255.250.0 dst=192.168.255.254.0 proto = 0, SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 1, TunnelEndpt=192.168.255.254 Inbound TunnelEndpt=192.168.255.250
12-26: 14:00:20:811:bf8 Filter to match: Src 192.168.255.254 Dst 192.168.255.250
12-26: 14:00:20:811:bf8 MM PolicyName: 2
12-26: 14:00:20:811:bf8 MMPolicy dwFlags 2 SoftSAExpireTime 28800
12-26: 14:00:20:811:bf8 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
12-26: 14:00:20:811:bf8 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
12-26: 14:00:20:811:bf8 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
12-26: 14:00:20:811:bf8 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
12-26: 14:00:20:811:bf8 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
12-26: 14:00:20:811:bf8 MMOffer[2] Encrypt: DES CBC Hash: SHA
12-26: 14:00:20:811:bf8 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
12-26: 14:00:20:811:bf8 MMOffer[3] Encrypt: DES CBC Hash: MD5
12-26: 14:00:20:811:bf8 Auth[0]:RSA Sig C=US, S=California, L=Irvine, O=Home, CN=sapphire, E=ptopping_at_pobox.com
12-26: 14:00:20:811:bf8 QM PolicyName: Host-roadwarrior-allnet filter action dwFlags 1
12-26: 14:00:20:811:bf8 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
12-26: 14:00:20:811:bf8 QMOffer[0] dwFlags 0 dwPFSGroup 268435456
12-26: 14:00:20:811:bf8 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
12-26: 14:00:20:811:bf8 Starting Negotiation: src = 192.168.255.250.0000, dst = 192.168.255.254.0500, proto = 00, context = 81B50130, ProxySrc = 192.168.255.250.0000, ProxyDst = 0.0.0.0.0000 SrcMask = 255.255.255.255 DstMask = 0.0.0.0
12-26: 14:00:20:811:bf8 constructing ISAKMP Header
12-26: 14:00:20:811:bf8 constructing SA (ISAKMP)
12-26: 14:00:20:811:bf8 Constructing Vendor
12-26: 14:00:20:811:bf8
12-26: 14:00:20:811:bf8 Sending: SA = 0x000E3830 to 192.168.255.254:Type 2
12-26: 14:00:20:811:bf8 ISAKMP Header: (V1.0), len = 216
12-26: 14:00:20:811:bf8 I-COOKIE 8423ddf04e204ed5
12-26: 14:00:20:811:bf8 R-COOKIE 0000000000000000
12-26: 14:00:20:811:bf8 exchange: Oakley Main Mode
12-26: 14:00:20:811:bf8 flags: 0
12-26: 14:00:20:811:bf8 next payload: SA
12-26: 14:00:20:811:bf8 message ID: 00000000
12-26: 14:00:20:881:bf8
12-26: 14:00:20:891:bf8 Receive: (get) SA = 0x000e3830 from 192.168.255.254
12-26: 14:00:20:891:bf8 ISAKMP Header: (V1.0), len = 84
12-26: 14:00:20:891:bf8 I-COOKIE 8423ddf04e204ed5
12-26: 14:00:20:891:bf8 R-COOKIE 68d5a3aa523f4f24
12-26: 14:00:20:891:bf8 exchange: Oakley Main Mode
12-26: 14:00:20:891:bf8 flags: 0
12-26: 14:00:20:891:bf8 next payload: SA
12-26: 14:00:20:891:bf8 message ID: 00000000
12-26: 14:00:20:891:bf8 processing payload SA
12-26: 14:00:20:891:bf8 Received Phase 1 Transform 1
12-26: 14:00:20:891:bf8 Encryption Alg Triple DES CBC(5)
12-26: 14:00:20:891:bf8 Hash Alg SHA(2)
12-26: 14:00:20:891:bf8 Oakley Group 2
12-26: 14:00:20:891:bf8 Auth Method RSA Signature with Certificates(3)
12-26: 14:00:20:891:bf8 Life type in Seconds
12-26: 14:00:20:891:bf8 Life duration of 28800
12-26: 14:00:20:891:bf8 Phase 1 SA accepted: transform=1
12-26: 14:00:20:891:bf8 SA - Oakley proposal accepted
12-26: 14:00:20:891:bf8 constructing ISAKMP Header
12-26: 14:00:20:961:bf8 constructing KE
12-26: 14:00:20:961:bf8 constructing NONCE (ISAKMP)
12-26: 14:00:20:961:bf8
12-26: 14:00:20:961:bf8 Sending: SA = 0x000E3830 to 192.168.255.254:Type 2
12-26: 14:00:20:961:bf8 ISAKMP Header: (V1.0), len = 184
12-26: 14:00:20:961:bf8 I-COOKIE 8423ddf04e204ed5
12-26: 14:00:20:961:bf8 R-COOKIE 68d5a3aa523f4f24
12-26: 14:00:20:961:bf8 exchange: Oakley Main Mode
12-26: 14:00:20:961:bf8 flags: 0
12-26: 14:00:20:961:bf8 next payload: KE
12-26: 14:00:20:961:bf8 message ID: 00000000
12-26: 14:00:21:41:bf8
12-26: 14:00:21:41:bf8 Receive: (get) SA = 0x000e3830 from 192.168.255.254
12-26: 14:00:21:41:bf8 ISAKMP Header: (V1.0), len = 188
12-26: 14:00:21:41:bf8 I-COOKIE 8423ddf04e204ed5
12-26: 14:00:21:41:bf8 R-COOKIE 68d5a3aa523f4f24
12-26: 14:00:21:41:bf8 exchange: Oakley Main Mode
12-26: 14:00:21:41:bf8 flags: 0
12-26: 14:00:21:41:bf8 next payload: KE
12-26: 14:00:21:41:bf8 message ID: 00000000
12-26: 14:00:21:41:bf8 processing payload KE
12-26: 14:00:21:62:bf8 processing payload NONCE
12-26: 14:00:21:62:bf8 processing payload CRP
12-26: 14:00:21:62:bf8 constructing ISAKMP Header
12-26: 14:00:21:62:bf8 constructing ID
12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
12-26: 14:00:21:62:bf8 Looking for IPSec only cert
12-26: 14:00:21:62:bf8 Trust failed. 1 100
12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
12-26: 14:00:21:62:bf8 Looking for IPSec only cert
12-26: 14:00:21:62:bf8 Trust failed. 1 100
12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
12-26: 14:00:21:62:bf8 Looking for IPSec only cert
12-26: 14:00:21:62:bf8 failed to get chain 80092004
12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
12-26: 14:00:21:62:bf8 Looking for any cert
12-26: 14:00:21:62:bf8 Trust failed. 1 100
12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
12-26: 14:00:21:62:bf8 Looking for any cert
12-26: 14:00:21:72:bf8 Trust failed. 1 100
12-26: 14:00:21:72:bf8 Received no valid CRPs. Using all configured
12-26: 14:00:21:72:bf8 Looking for any cert
12-26: 14:00:21:72:bf8 failed to get chain 80092004
12-26: 14:00:21:72:bf8 ProcessFailure: sa:000E3830 centry:00000000 status:35ee
12-26: 14:00:21:72:bf8 isadb_set_status sa:000E3830 centry:00000000 status 35ee
12-26: 14:00:21:72:bf8 Key Exchange Mode (Main Mode)
12-26: 14:00:21:72:bf8 Source IP Address 192.168.255.250
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.255.254
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr
IKE Peer Addr
12-26: 14:00:21:72:bf8 Certificate based Identity.
Peer IP Address: 192.168.255.254
12-26: 14:00:21:72:bf8 Me
12-26: 14:00:21:72:bf8 IKE failed to find valid machine certificate
12-26: 14:00:21:72:bf8 0x80092004 0x100
12-26: 14:00:21:72:bf8 ProcessFailure: sa:000E3830 centry:00000000 status:35ee
12-26: 14:00:21:72:bf8 constructing ISAKMP Header
12-26: 14:00:21:72:bf8 constructing HASH (null)
12-26: 14:00:21:72:bf8 constructing NOTIFY 28
12-26: 14:00:21:72:bf8 constructing HASH (Notify/Delete)
12-26: 14:00:21:72:bf8
12-26: 14:00:21:72:bf8 Sending: SA = 0x000E3830 to 192.168.255.254:Type 1
12-26: 14:00:21:72:bf8 ISAKMP Header: (V1.0), len = 84
12-26: 14:00:21:72:bf8 I-COOKIE 8423ddf04e204ed5
12-26: 14:00:21:72:bf8 R-COOKIE 68d5a3aa523f4f24
12-26: 14:00:21:72:bf8 exchange: ISAKMP Informational Exchange
12-26: 14:00:21:72:bf8 flags: 1 ( encrypted )
12-26: 14:00:21:72:bf8 next payload: HASH
12-26: 14:00:21:72:bf8 message ID: 33bae727
12-26: 14:00:31:86:bf8
12-26: 14:00:31:86:bf8 Receive: (get) SA = 0x000e3830 from 192.168.255.254
12-26: 14:00:31:86:bf8 ISAKMP Header: (V1.0), len = 188
12-26: 14:00:31:86:bf8 I-COOKIE 8423ddf04e204ed5
12-26: 14:00:31:86:bf8 R-COOKIE 68d5a3aa523f4f24
12-26: 14:00:31:86:bf8 exchange: Oakley Main Mode
12-26: 14:00:31:86:bf8 flags: 0
12-26: 14:00:31:86:bf8 next payload: KE
12-26: 14:00:31:86:bf8 message ID: 00000000
12-26: 14:00:31:86:bf8 received an unencrypted packet when crypto active
12-26: 14:00:31:86:bf8 GetPacket failed 35ec
12-26: 14:00:51:85:460
12-26: 14:00:51:85:460 Receive: (get) SA = 0x000e3830 from 192.168.255.254
12-26: 14:00:51:85:460 ISAKMP Header: (V1.0), len = 188
12-26: 14:00:51:85:460 I-COOKIE 8423ddf04e204ed5
12-26: 14:00:51:85:460 R-COOKIE 68d5a3aa523f4f24
12-26: 14:00:51:85:460 exchange: Oakley Main Mode
12-26: 14:00:51:85:460 flags: 0
12-26: 14:00:51:85:460 next payload: KE
12-26: 14:00:51:85:460 message ID: 00000000
12-26: 14:00:51:85:460 received an unencrypted packet when crypto active
12-26: 14:00:51:85:460 GetPacket failed 35ec
12-26: 14:01:34:217:be0 Acquire from driver: op=81B50130 src=192.168.255.250.0 dst=64.156.44.240.0 proto = 0, SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 1, TunnelEndpt=192.168.255.254 Inbound TunnelEndpt=192.168.255.250
12-26: 14:01:34:217:460 Main mode in progress. Acquire queued
12-26: 14:01:34:217:460 Queued Acquire Context 81b50130 on SA e3830
12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas: 8f837fed-2334-431f-a48d645725249e5f 4
12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas: a6864f31-88be-40b8-930ffa2a6b0c71fc 4
12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas: 4cdba9dd-1416-4c70-802c553836bdc93a 3
12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas: 2e981c69-4065-4e00-84571ba48720206c 3
12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas: 6e86f6ea-18ab-4338-9651e860e4186703 1
12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas: dd1ebebd-54c7-4787-adb99b4fab60ec3e 2
12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas: 5aae510a-c38b-404d-beff08285a65257b 2
12-26: 14:01:36:270:460 entered kill_old_policy_sas
12-26: 14:01:36:270:460 entered kill_old_policy_sas
12-26: 14:01:36:270:460 SA Dead. sa:000E3830 status:3619
12-26: 14:01:36:270:460 Posting new acquire context 81b50130
12-26: 14:01:36:270:460 Acquire from driver: op=81B50130 src=192.168.255.250.0 dst=64.156.44.240.0 proto = 0, SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 1, TunnelEndpt=192.168.255.254 Inbound TunnelEndpt=192.168.255.250, InitiateEvent=00000000
12-26: 14:01:36:270:460 constructing ISAKMP Header
12-26: 14:01:36:270:460 constructing HASH (null)
12-26: 14:01:36:270:460 constructing DELETE. MM 000E3830
12-26: 14:01:36:270:460 constructing HASH (Notify/Delete)
12-26: 14:01:36:270:460
12-26: 14:01:36:270:460 Sending: SA = 0x000E3830 to 192.168.255.254:Type 1
12-26: 14:01:36:270:460 ISAKMP Header: (V1.0), len = 84
12-26: 14:01:36:270:460 I-COOKIE 8423ddf04e204ed5
12-26: 14:01:36:270:460 R-COOKIE 68d5a3aa523f4f24
12-26: 14:01:36:270:460 exchange: ISAKMP Informational Exchange
12-26: 14:01:36:270:460 flags: 1 ( encrypted )
12-26: 14:01:36:270:460 next payload: HASH
12-26: 14:01:36:270:460 message ID: f7c22255
12-26: 14:01:36:270:460 entered kill_old_policy_sas
12-26: 14:01:36:270:460 entered kill_old_policy_sas
12-26: 14:01:36:270:460 entered kill_old_policy_sas
12-26: 14:01:36:270:460 entered kill_old_policy_sas
12-26: 14:01:36:270:460 entered kill_old_policy_sas
12-26: 14:01:36:270:460 Filter to match: Src 192.168.255.254 Dst 192.168.255.250
12-26: 14:01:36:270:460 MatchMMFilter failed 13013
12-26: 14:01:36:270:460 isadb_set_status sa:00115B78 centry:00000000 status 32d5
12-26: 14:01:36:270:460 Key Exchange Mode (Main Mode)
12-26: 14:01:36:270:460 Source IP Address 192.168.255.250
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.255.254
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr
IKE Peer Addr
12-26: 14:01:36:270:460
12-26: 14:01:36:270:460 Me
12-26: 14:01:36:270:460 The specified main mode policy was not found.
12-26: 14:01:36:270:460 0x0 0x0
12-26: 14:01:36:270:460 initiator: failed cbad02a5
12-26: 14:02:29:308:460 SA Dead. sa:00115B78 status:35f0
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
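
An added example, not part of the original post and not FreeS/WAN or Microsoft tooling: a small Python triage script for the Oakley log format attached above. It groups records by I-COOKIE and reports whether a Phase 1 transform was accepted, how many certificate lookups ran, and which error codes and failure text were logged. The sample log is constructed from lines in the post; the function names and verdict wording are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: records in the Oakley log format shown in the post,
# trimmed to the lines that matter for triage.
SAMPLE_LOG = """\
12-26: 14:00:20:811:bf8 I-COOKIE 8423ddf04e204ed5
12-26: 14:00:20:891:bf8 Encryption Alg Triple DES CBC(5)
12-26: 14:00:20:891:bf8 Hash Alg SHA(2)
12-26: 14:00:20:891:bf8 Oakley Group 2
12-26: 14:00:20:891:bf8 Auth Method RSA Signature with Certificates(3)
12-26: 14:00:20:891:bf8 Phase 1 SA accepted: transform=1
12-26: 14:00:21:62:bf8 processing payload CRP
12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
12-26: 14:00:21:62:bf8 Looking for IPSec only cert
12-26: 14:00:21:62:bf8 Trust failed. 1 100
12-26: 14:00:21:62:bf8 Looking for any cert
12-26: 14:00:21:72:bf8 failed to get chain 80092004
12-26: 14:00:21:72:bf8 ProcessFailure: sa:000E3830 centry:00000000 status:35ee
12-26: 14:00:21:72:bf8 Me
12-26: 14:00:21:72:bf8 IKE failed to find valid machine certificate
12-26: 14:00:21:72:bf8 0x80092004 0x100
12-26: 14:00:31:86:bf8 received an unencrypted packet when crypto active
12-26: 14:00:31:86:bf8 GetPacket failed 35ec
"""

STAMPED = re.compile(r"^\d\d-\d\d: \d+:\d+:\d+:\d+:[0-9a-f]+ ?(.*)$")
STATUS = re.compile(r"(?:status[: ]|GetPacket failed )([0-9a-f]{4})$")
CHAIN = re.compile(r"failed to get chain ([0-9a-f]{8})$")
TRANSFORM_KEYS = ("Encryption Alg", "Hash Alg", "Oakley Group", "Auth Method")
WIN32_NAMES = {0x80092004: "CRYPT_E_NOT_FOUND"}  # winerror.h: object not found

@dataclass
class Negotiation:
    i_cookie: str
    transform: dict = field(default_factory=dict)
    phase1_accepted: bool = False
    cert_lookups: int = 0
    chain_errors: list = field(default_factory=list)  # HRESULTs as ints
    statuses: list = field(default_factory=list)      # IKE status, decimal
    reasons: list = field(default_factory=list)       # text logged after "Me"

def parse_oakley(text):
    """Group timestamped records by initiator cookie; skip continuation lines."""
    negotiations, cur, after_me = {}, None, False
    for raw in text.splitlines():
        m = STAMPED.match(raw.rstrip())
        if not m:
            continue  # untimestamped continuation of a multi-line record
        msg = m.group(1).strip()
        if msg.startswith("I-COOKIE "):
            cookie = msg.split()[1]
            cur = negotiations.setdefault(cookie, Negotiation(cookie))
            continue
        if cur is None or not msg:
            continue
        if after_me:  # the record after "Me" carries the failure description
            cur.reasons.append(msg)
            after_me = False
            continue
        if msg == "Me":
            after_me = True
            continue
        for key in TRANSFORM_KEYS:
            if msg.startswith(key + " "):
                cur.transform[key] = msg[len(key) + 1:]
        if msg.startswith("Phase 1 SA accepted"):
            cur.phase1_accepted = True
        elif msg.startswith("Looking for "):
            cur.cert_lookups += 1
        elif (c := CHAIN.search(msg)) and int(c.group(1), 16) not in cur.chain_errors:
            cur.chain_errors.append(int(c.group(1), 16))
        elif (s := STATUS.search(msg)) and int(s.group(1), 16) not in cur.statuses:
            cur.statuses.append(int(s.group(1), 16))
    return list(negotiations.values())

def summarize(n):
    if not n.phase1_accepted:
        verdict = "no Phase 1 transform accepted in this log"
    elif n.chain_errors or any("certificate" in r for r in n.reasons):
        verdict = "proposal accepted; local certificate selection failed"
    elif n.statuses:
        verdict = "failed after Phase 1 acceptance; see status codes"
    else:
        verdict = "no failure recorded"
    return {"i_cookie": n.i_cookie, "transform": n.transform,
            "cert_lookups": n.cert_lookups,
            "chain_errors": [WIN32_NAMES.get(c, hex(c)) for c in n.chain_errors],
            "statuses": n.statuses, "reasons": n.reasons, "verdict": verdict}

if __name__ == "__main__":
    for neg in parse_oakley(SAMPLE_LOG):
        print(summarize(neg))
```

Status values are reported in decimal so they can be looked up as Win32 error numbers; the failure text comes from the log itself rather than from a built-in table.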