Re: [Users] [Fwd: FreeSWAN and Windows XP]

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Thu Dec 26 2002 - 23:38:50 CET


Hi Patrick,

I found the following error message in your oakley.log:

12-26: 13:58:16:643:460 IKE failed to find valid machine certificate

- Did you put XP's certificate in the correct place by using
   Marcus Müller's preconfigured mmc configuration file?

- Is the validity of the CA certificate an outer bound to the
   validity of XP's certificate?

Regards

Andreas

Patrick Topping wrote:
> Andreas,
>
> I made the correction to S=California and I am still getting the same
> error. I have attached the oakley log from the Windows machine. The
> error that I am seeing in the FreeSWAN secure log is as follows:
>
> Dec 26 22:00:14 sapphire pluto[14666]: "aeronet" #13: encrypted
> Informational Exchange message is invalid because it is for incomplete
> ISAKMP SA
>
> The error that I am getting in the oakley log is below. I know the
> problem is on the XP side but I am unsure on how to fix it. I have gone
> through the steps on Nate's web site a couple of times but I seem to be
> getting the same error.
>
> 12-26: 14:00:21:41:bf8 Receive: (get) SA = 0x000e3830 from 192.168.255.254
> 12-26: 14:00:21:41:bf8 ISAKMP Header: (V1.0), len = 188
> 12-26: 14:00:21:41:bf8 I-COOKIE 8423ddf04e204ed5
> 12-26: 14:00:21:41:bf8 R-COOKIE 68d5a3aa523f4f24
> 12-26: 14:00:21:41:bf8 exchange: Oakley Main Mode
> 12-26: 14:00:21:41:bf8 flags: 0
> 12-26: 14:00:21:41:bf8 next payload: KE
> 12-26: 14:00:21:41:bf8 message ID: 00000000
> 12-26: 14:00:21:41:bf8 processing payload KE
> 12-26: 14:00:21:62:bf8 processing payload NONCE
> 12-26: 14:00:21:62:bf8 processing payload CRP
> 12-26: 14:00:21:62:bf8 constructing ISAKMP Header
> 12-26: 14:00:21:62:bf8 constructing ID
> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
> 12-26: 14:00:21:62:bf8 Looking for IPSec only cert
> 12-26: 14:00:21:62:bf8 Trust failed. 1 100
> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
> 12-26: 14:00:21:62:bf8 Looking for IPSec only cert
> 12-26: 14:00:21:62:bf8 Trust failed. 1 100
> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
> 12-26: 14:00:21:62:bf8 Looking for IPSec only cert
> 12-26: 14:00:21:62:bf8 failed to get chain 80092004
> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
> 12-26: 14:00:21:62:bf8 Looking for any cert
> 12-26: 14:00:21:62:bf8 Trust failed. 1 100
> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
> 12-26: 14:00:21:62:bf8 Looking for any cert
> 12-26: 14:00:21:72:bf8 Trust failed. 1 100
> 12-26: 14:00:21:72:bf8 Received no valid CRPs. Using all configured
> 12-26: 14:00:21:72:bf8 Looking for any cert
> 12-26: 14:00:21:72:bf8 failed to get chain 80092004
> 12-26: 14:00:21:72:bf8 ProcessFailure: sa:000E3830 centry:00000000
> status:35ee
> 12-26: 14:00:21:72:bf8 isadb_set_status sa:000E3830 centry:00000000
> status 35ee
>
>
> Andreas Steffen wrote:
>
>> Now Windows XP has a problem. You defined
>>
>> >>> rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire,
>> >>> Email=ptopping_at_pobox.com"
>>
>> in the Windows ipsec.conf but Microsoft wants
>>
>> S=California
>>
>> Regards
>>
>> Andreas
>>
>> Patrick Topping wrote:
>>
>>> Thanks Andreas. I have added the authby=rsasig and now I am getting
>>> the following error:
>>>
>>>> Dec 26 19:47:34 sapphire pluto[14065]: "aeronet" #5: responding to
>>>> Main Mode
>>>> Dec 26 19:47:34 sapphire pluto[14065]: "aeronet" #5: encrypted
>>>> Informational Exchange message is invalid because it is for
>>>> incomplete ISAKMP SA
>>>> Dec 26 19:47:44 sapphire pluto[14065]: | handling event
>>>> EVENT_RETRANSMIT for 192.168.255.250 "aeronet" #5
>>>> Dec 26 19:48:04 sapphire pluto[14065]: | handling event
>>>> EVENT_RETRANSMIT for 192.168.255.250 "aeronet" #5
>>>
>>> At least it is something new...:-)
>>>
>>> -Patrick
>>>
>>>
>>>
>>> Andreas Steffen wrote:
>>>
>>>> The entry
>>>>
>>>> authby=rsasig
>>>>
>>>> is missing in your FreeS/WAN ipsec.conf. Therefore authby=secret is
>>>> assumed by default, leading to the error below.
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>> Patrick Topping wrote:
>>>>
>>>>> With attachments this time......:-)
>>>>>
>>>>> I have read through and done step by step what is on Nate Carlson's
>>>>> web page and I still cannot get the tunnel up. I have attached the
>>>>> ipsec.conf files for both the FreeSWAN gateway and for my windows
>>>>> XP client. The error that I am seeing on the gateway is as follows:
>>>>>
>>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: responding to
>>>>> Main Mode
>>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: policy does
>>>>> not allow OAKLEY_RSA_SIG authentication. Attribute
>>>>> OAKLEY_AUTHENTICATION_METHOD
>>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: policy does
>>>>> not allow OAKLEY_RSA_SIG authentication. Attribute
>>>>> OAKLEY_AUTHENTICATION_METHOD
>>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49:
>>>>> OAKLEY_DES_CBC is not supported. Attribute
>>>>> OAKLEY_ENCRYPTION_ALGORITHM
>>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49:
>>>>> OAKLEY_DES_CBC is not supported. Attribute
>>>>> OAKLEY_ENCRYPTION_ALGORITHM
>>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: no acceptable
>>>>> Oakley Transform
>>>>> Dec 26 17:14:28 sapphire pluto[12474]: "aeronet" #50: responding to
>>>>> Main Mode
>>>>> Dec 26 17:14:28 sapphire pluto[12474]: "aeronet" #50: policy does
>>>>> not allow OAKLEY_RSA_SIG authentication. Attribute
>>>>> OAKLEY_AUTHENTICATION_METHOD
>>>>>
>>>>> Thanks in advance for any help I can get.
>>>>>
>>>>> -Patrick
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>>
>>>>> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>>>>>
>>>>> # More elaborate and more varied sample configurations can be found
>>>>> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
>>>>>
>>>>>
>>>>>
>>>>> # basic configuration
>>>>> config setup
>>>>>     # THIS SETTING MUST BE CORRECT or almost nothing will work;
>>>>>     # %defaultroute is okay for most simple cases.
>>>>>     # interfaces=%defaultroute
>>>>>     interfaces="ipsec0=eth0 ipsec1=eth1"
>>>>>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>>>>>     klipsdebug=all
>>>>>     plutodebug=all
>>>>>     # Use auto= parameters in conn descriptions to control startup actions.
>>>>>     plutoload=%search
>>>>>     plutostart=%search
>>>>>     plutowait=no
>>>>>     # Close down old connection when new one using same ID shows up.
>>>>>     uniqueids=yes
>>>>>
>>>>> conn aerocast
>>>>>     left=68.99.179.107
>>>>>     leftnexthop=68.99.176.1
>>>>>     leftsubnet=192.168.255.0/24
>>>>>     right=64.157.41.125
>>>>>     rightnexthop=64.157.40.6
>>>>>     rightsubnet=10.10.0.0/16
>>>>>     auto=start
>>>>>     pfs=yes
>>>>>     esp=3des-sha1-96
>>>>>     keyexchange=ike
>>>>>     auth=esp
>>>>>     disablearrivalcheck=no
>>>>>     keyingtries=0
>>>>>     keylife=24h
>>>>>
>>>>> conn level3
>>>>>     left=68.99.179.107
>>>>>     leftnexthop=68.99.176.1
>>>>>     leftsubnet=192.168.255.0/24
>>>>>     right=64.157.41.177
>>>>>     rightnexthop=64.157.40.6
>>>>>     rightsubnet=172.16.0.0/24
>>>>>     auto=start
>>>>>     pfs=yes
>>>>>     esp=3des-sha1-96
>>>>>     keyexchange=ike
>>>>>     auth=esp
>>>>>     disablearrivalcheck=no
>>>>>     keyingtries=0
>>>>>     keylife=24h
>>>>>
>>>>> #conn roadwarrior-net
>>>>> #    leftsubnet=192.168.255.0/24
>>>>> #    also=roadwarrior
>>>>>
>>>>> #conn roadwarrior
>>>>> #    left=68.99.179.107
>>>>> #    leftcert=sapphire.pem
>>>>> #    right=%defaultroute
>>>>> #    rightcert=clk430.pem
>>>>> #    auto=add
>>>>> #    pfs=yes
>>>>>
>>>>> conn aeronet
>>>>>     left=192.168.255.254
>>>>>     leftsubnet=192.168.255.0/24
>>>>>     leftcert=sapphire.pem
>>>>>     right=192.168.255.250
>>>>>     rightcert=clk430.pem
>>>>>     auto=add
>>>>>     pfs=yes
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>>
>>>>> #conn roadwarrior
>>>>> #    left=%any
>>>>> #    right=68.99.179.107
>>>>> #    rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>>>> #    network=auto
>>>>> #    auto=start
>>>>> #    pfs=yes
>>>>>
>>>>> #conn roadwarrior-net
>>>>> #    left=%any
>>>>> #    right=68.99.179.107
>>>>> #    rightsubnet=192.168.255.0/24
>>>>> #    rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>>>> #    network=auto
>>>>> #    auto=start
>>>>> #    pfs=yes
>>>>>
>>>>> conn roadwarrior-allnet
>>>>>     left=%any
>>>>>     right=192.168.255.254
>>>>>     rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>>>>     rightsubnet=*
>>>>>     network=auto
>>>>>     auto=start
>>>>>     pfs=yes
>>>>
>>>> ======================================================================
>>>> Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
>>>> strongSec GmbH phone: +41 76 340 25 56
>>>> Alter Zürichweg 20 home: http://www.strongsec.com
>>>> CH-8952 Schlieren (Switzerland)
>>>> ==========================================[strong internet security]==
>>>>
>>>>
>>>> .
>>>>
>>>
>>>
>>>
>>
>>
>
>
> ------------------------------------------------------------------------
>
> conn roadwarrior-allnet
>     left=%any
>     right=192.168.255.254
>     rightca="C=US, S=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>     rightsubnet=*
>     network=auto
>     auto=start
>     pfs=yes
>     authby=rsasig
>
>
> ------------------------------------------------------------------------
>
> 12-26: 13:57:59:208:810 Initialization OK
> 12-26: 13:58:15:381:be0 Acquire from driver: op=81B4F940 src=192.168.255.250.0 dst=64.156.44.184.0 proto = 0, SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 1, TunnelEndpt=192.168.255.254 Inbound TunnelEndpt=192.168.255.250
> 12-26: 13:58:15:381:460 Filter to match: Src 192.168.255.254 Dst 192.168.255.250
> 12-26: 13:58:15:381:460 MM PolicyName: 1
> 12-26: 13:58:15:381:460 MMPolicy dwFlags 2 SoftSAExpireTime 28800
> 12-26: 13:58:15:381:460 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
> 12-26: 13:58:15:381:460 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
> 12-26: 13:58:15:381:460 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
> 12-26: 13:58:15:381:460 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
> 12-26: 13:58:15:381:460 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
> 12-26: 13:58:15:381:460 MMOffer[2] Encrypt: DES CBC Hash: SHA
> 12-26: 13:58:15:381:460 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
> 12-26: 13:58:15:381:460 MMOffer[3] Encrypt: DES CBC Hash: MD5
> 12-26: 13:58:15:381:460 Auth[0]:RSA Sig C=US, S=California, L=Irvine, O=Home, CN=sapphire, E=ptopping_at_pobox.com
> 12-26: 13:58:15:381:460 QM PolicyName: Host-roadwarrior-allnet filter action dwFlags 1
> 12-26: 13:58:15:381:460 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
> 12-26: 13:58:15:381:460 QMOffer[0] dwFlags 0 dwPFSGroup 268435456
> 12-26: 13:58:15:381:460 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
> 12-26: 13:58:15:381:460 Starting Negotiation: src = 192.168.255.250.0000, dst = 192.168.255.254.0500, proto = 00, context = 81B4F940, ProxySrc = 192.168.255.250.0000, ProxyDst = 0.0.0.0.0000 SrcMask = 255.255.255.255 DstMask = 0.0.0.0
> 12-26: 13:58:15:381:460 constructing ISAKMP Header
> 12-26: 13:58:15:381:460 constructing SA (ISAKMP)
> 12-26: 13:58:15:381:460 Constructing Vendor
> 12-26: 13:58:15:381:460
> 12-26: 13:58:15:381:460 Sending: SA = 0x000E3830 to 192.168.255.254:Type 2
> 12-26: 13:58:15:381:460 ISAKMP Header: (V1.0), len = 216
> 12-26: 13:58:15:381:460 I-COOKIE 5059b9d1065a3fa6
> 12-26: 13:58:15:381:460 R-COOKIE 0000000000000000
> 12-26: 13:58:15:381:460 exchange: Oakley Main Mode
> 12-26: 13:58:15:381:460 flags: 0
> 12-26: 13:58:15:381:460 next payload: SA
> 12-26: 13:58:15:381:460 message ID: 00000000
> 12-26: 13:58:16:382:e34 retransmit: sa = 000E3830 centry 00000000 , count = 1
> 12-26: 13:58:16:382:e34
> 12-26: 13:58:16:382:e34 Sending: SA = 0x000E3830 to 192.168.255.254:Type 2
> 12-26: 13:58:16:382:e34 ISAKMP Header: (V1.0), len = 216
> 12-26: 13:58:16:382:e34 I-COOKIE 5059b9d1065a3fa6
> 12-26: 13:58:16:382:e34 R-COOKIE 0000000000000000
> 12-26: 13:58:16:382:e34 exchange: Oakley Main Mode
> 12-26: 13:58:16:382:e34 flags: 0
> 12-26: 13:58:16:382:e34 next payload: SA
> 12-26: 13:58:16:382:e34 message ID: 00000000
> 12-26: 13:58:16:442:460
> 12-26: 13:58:16:442:460 Receive: (get) SA = 0x000e3830 from 192.168.255.254
> 12-26: 13:58:16:442:460 ISAKMP Header: (V1.0), len = 84
> 12-26: 13:58:16:442:460 I-COOKIE 5059b9d1065a3fa6
> 12-26: 13:58:16:442:460 R-COOKIE 3f16260379d19d91
> 12-26: 13:58:16:442:460 exchange: Oakley Main Mode
> 12-26: 13:58:16:442:460 flags: 0
> 12-26: 13:58:16:442:460 next payload: SA
> 12-26: 13:58:16:442:460 message ID: 00000000
> 12-26: 13:58:16:442:460 processing payload SA
> 12-26: 13:58:16:442:460 Received Phase 1 Transform 1
> 12-26: 13:58:16:442:460 Encryption Alg Triple DES CBC(5)
> 12-26: 13:58:16:442:460 Hash Alg SHA(2)
> 12-26: 13:58:16:442:460 Oakley Group 2
> 12-26: 13:58:16:442:460 Auth Method RSA Signature with Certificates(3)
> 12-26: 13:58:16:442:460 Life type in Seconds
> 12-26: 13:58:16:442:460 Life duration of 28800
> 12-26: 13:58:16:442:460 Phase 1 SA accepted: transform=1
> 12-26: 13:58:16:442:460 SA - Oakley proposal accepted
> 12-26: 13:58:16:442:460 constructing ISAKMP Header
> 12-26: 13:58:16:512:460 constructing KE
> 12-26: 13:58:16:512:460 constructing NONCE (ISAKMP)
> 12-26: 13:58:16:512:460
> 12-26: 13:58:16:512:460 Sending: SA = 0x000E3830 to 192.168.255.254:Type 2
> 12-26: 13:58:16:512:460 ISAKMP Header: (V1.0), len = 184
> 12-26: 13:58:16:512:460 I-COOKIE 5059b9d1065a3fa6
> 12-26: 13:58:16:512:460 R-COOKIE 3f16260379d19d91
> 12-26: 13:58:16:512:460 exchange: Oakley Main Mode
> 12-26: 13:58:16:512:460 flags: 0
> 12-26: 13:58:16:512:460 next payload: KE
> 12-26: 13:58:16:512:460 message ID: 00000000
> 12-26: 13:58:16:613:460
> 12-26: 13:58:16:613:460 Receive: (get) SA = 0x000e3830 from 192.168.255.254
> 12-26: 13:58:16:613:460 ISAKMP Header: (V1.0), len = 188
> 12-26: 13:58:16:613:460 I-COOKIE 5059b9d1065a3fa6
> 12-26: 13:58:16:613:460 R-COOKIE 3f16260379d19d91
> 12-26: 13:58:16:613:460 exchange: Oakley Main Mode
> 12-26: 13:58:16:613:460 flags: 0
> 12-26: 13:58:16:613:460 next payload: KE
> 12-26: 13:58:16:613:460 message ID: 00000000
> 12-26: 13:58:16:613:460 processing payload KE
> 12-26: 13:58:16:633:460 processing payload NONCE
> 12-26: 13:58:16:633:460 processing payload CRP
> 12-26: 13:58:16:633:460 constructing ISAKMP Header
> 12-26: 13:58:16:633:460 constructing ID
> 12-26: 13:58:16:633:460 Received no valid CRPs. Using all configured
> 12-26: 13:58:16:633:460 Looking for IPSec only cert
> 12-26: 13:58:16:643:460 Trust failed. 1 100
> 12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
> 12-26: 13:58:16:643:460 Looking for IPSec only cert
> 12-26: 13:58:16:643:460 Trust failed. 1 100
> 12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
> 12-26: 13:58:16:643:460 Looking for IPSec only cert
> 12-26: 13:58:16:643:460 failed to get chain 80092004
> 12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
> 12-26: 13:58:16:643:460 Looking for any cert
> 12-26: 13:58:16:643:460 Trust failed. 1 100
> 12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
> 12-26: 13:58:16:643:460 Looking for any cert
> 12-26: 13:58:16:643:460 Trust failed. 1 100
> 12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
> 12-26: 13:58:16:643:460 Looking for any cert
> 12-26: 13:58:16:643:460 failed to get chain 80092004
> 12-26: 13:58:16:643:460 ProcessFailure: sa:000E3830 centry:00000000 status:35ee
> 12-26: 13:58:16:643:460 isadb_set_status sa:000E3830 centry:00000000 status 35ee
> 12-26: 13:58:16:643:460 Key Exchange Mode (Main Mode)
>
>
> 12-26: 13:58:16:643:460 Source IP Address 192.168.255.250
>
> Source IP Address Mask 255.255.255.255
>
> Destination IP Address 192.168.255.254
>
> Destination IP Address Mask 255.255.255.255
>
> Protocol 0
>
> Source Port 0
>
> Destination Port 0
>
> IKE Local Addr
>
> IKE Peer Addr
>
>
> 12-26: 13:58:16:643:460 Certificate based Identity.
>
> Peer IP Address: 192.168.255.254
>
>
> 12-26: 13:58:16:643:460 Me
>
>
> 12-26: 13:58:16:643:460 IKE failed to find valid machine certificate
>
>
> 12-26: 13:58:16:643:460 0x80092004 0x100
> 12-26: 13:58:16:643:460 ProcessFailure: sa:000E3830 centry:00000000 status:35ee
> 12-26: 13:58:16:643:460 constructing ISAKMP Header
> 12-26: 13:58:16:643:460 constructing HASH (null)
> 12-26: 13:58:16:643:460 constructing NOTIFY 28
> 12-26: 13:58:16:643:460 constructing HASH (Notify/Delete)
> 12-26: 13:58:16:643:460
> 12-26: 13:58:16:643:460 Sending: SA = 0x000E3830 to 192.168.255.254:Type 1
> 12-26: 13:58:16:643:460 ISAKMP Header: (V1.0), len = 84
> 12-26: 13:58:16:643:460 I-COOKIE 5059b9d1065a3fa6
> 12-26: 13:58:16:643:460 R-COOKIE 3f16260379d19d91
> 12-26: 13:58:16:643:460 exchange: ISAKMP Informational Exchange
> 12-26: 13:58:16:643:460 flags: 1 ( encrypted )
> 12-26: 13:58:16:643:460 next payload: HASH
> 12-26: 13:58:16:643:460 message ID: bacd472d
> 12-26: 13:58:26:657:460
> 12-26: 13:58:26:657:460 Receive: (get) SA = 0x000e3830 from 192.168.255.254
> 12-26: 13:58:26:657:460 ISAKMP Header: (V1.0), len = 188
> 12-26: 13:58:26:657:460 I-COOKIE 5059b9d1065a3fa6
> 12-26: 13:58:26:657:460 R-COOKIE 3f16260379d19d91
> 12-26: 13:58:26:657:460 exchange: Oakley Main Mode
> 12-26: 13:58:26:657:460 flags: 0
> 12-26: 13:58:26:657:460 next payload: KE
> 12-26: 13:58:26:657:460 message ID: 00000000
> 12-26: 13:58:26:657:460 received an unencrypted packet when crypto active
> 12-26: 13:58:26:657:460 GetPacket failed 35ec
> 12-26: 13:58:46:656:460
> 12-26: 13:58:46:656:460 Receive: (get) SA = 0x000e3830 from 192.168.255.254
> 12-26: 13:58:46:656:460 ISAKMP Header: (V1.0), len = 188
> 12-26: 13:58:46:656:460 I-COOKIE 5059b9d1065a3fa6
> 12-26: 13:58:46:656:460 R-COOKIE 3f16260379d19d91
> 12-26: 13:58:46:656:460 exchange: Oakley Main Mode
> 12-26: 13:58:46:656:460 flags: 0
> 12-26: 13:58:46:656:460 next payload: KE
> 12-26: 13:58:46:656:460 message ID: 00000000
> 12-26: 13:58:46:656:460 received an unencrypted packet when crypto active
> 12-26: 13:58:46:656:460 GetPacket failed 35ec
> 12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas: 7ded5b6d-488d-4471-829ca689a02acc95 4
> 12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas: 41d9b683-5a06-4965-abf52b4da2d99aa4 4
> 12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas: b8ac66fe-928c-44dd-9c01aa594bf7d53d 3
> 12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas: 89c3929a-f918-4439-a970da4d4125e848 3
> 12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas: c002f544-7832-489a-b26bdfe01d4a5c2e 1
> 12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas: 79de7a7a-302c-4f77-9a0d6d829ff7cd25 2
> 12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas: 5bbfdf85-3a17-4626-8b758fab02d7b64c 2
> 12-26: 14:00:00:612:460 entered kill_old_policy_sas
> 12-26: 14:00:00:612:460 entered kill_old_policy_sas
> 12-26: 14:00:00:612:460 SA Dead. sa:000E3830 status:3619
> 12-26: 14:00:00:612:460 constructing ISAKMP Header
> 12-26: 14:00:00:612:460 constructing HASH (null)
> 12-26: 14:00:00:612:460 constructing DELETE. MM 000E3830
> 12-26: 14:00:00:612:460 constructing HASH (Notify/Delete)
> 12-26: 14:00:00:612:460
> 12-26: 14:00:00:612:460 Sending: SA = 0x000E3830 to 192.168.255.254:Type 1
> 12-26: 14:00:00:612:460 ISAKMP Header: (V1.0), len = 84
> 12-26: 14:00:00:612:460 I-COOKIE 5059b9d1065a3fa6
> 12-26: 14:00:00:612:460 R-COOKIE 3f16260379d19d91
> 12-26: 14:00:00:612:460 exchange: ISAKMP Informational Exchange
> 12-26: 14:00:00:612:460 flags: 1 ( encrypted )
> 12-26: 14:00:00:612:460 next payload: HASH
> 12-26: 14:00:00:612:460 message ID: 1e90325c
> 12-26: 14:00:00:612:460 entered kill_old_policy_sas
> 12-26: 14:00:00:612:460 entered kill_old_policy_sas
> 12-26: 14:00:00:612:460 entered kill_old_policy_sas
> 12-26: 14:00:00:612:460 entered kill_old_policy_sas
> 12-26: 14:00:00:612:460 entered kill_old_policy_sas
> 12-26: 14:00:20:811:be0 Acquire from driver: op=81B50130 src=192.168.255.250.0 dst=192.168.255.254.0 proto = 0, SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 1, TunnelEndpt=192.168.255.254 Inbound TunnelEndpt=192.168.255.250
> 12-26: 14:00:20:811:bf8 Filter to match: Src 192.168.255.254 Dst 192.168.255.250
> 12-26: 14:00:20:811:bf8 MM PolicyName: 2
> 12-26: 14:00:20:811:bf8 MMPolicy dwFlags 2 SoftSAExpireTime 28800
> 12-26: 14:00:20:811:bf8 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
> 12-26: 14:00:20:811:bf8 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
> 12-26: 14:00:20:811:bf8 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
> 12-26: 14:00:20:811:bf8 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
> 12-26: 14:00:20:811:bf8 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
> 12-26: 14:00:20:811:bf8 MMOffer[2] Encrypt: DES CBC Hash: SHA
> 12-26: 14:00:20:811:bf8 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
> 12-26: 14:00:20:811:bf8 MMOffer[3] Encrypt: DES CBC Hash: MD5
> 12-26: 14:00:20:811:bf8 Auth[0]:RSA Sig C=US, S=California, L=Irvine, O=Home, CN=sapphire, E=ptopping_at_pobox.com
> 12-26: 14:00:20:811:bf8 QM PolicyName: Host-roadwarrior-allnet filter action dwFlags 1
> 12-26: 14:00:20:811:bf8 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
> 12-26: 14:00:20:811:bf8 QMOffer[0] dwFlags 0 dwPFSGroup 268435456
> 12-26: 14:00:20:811:bf8 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
> 12-26: 14:00:20:811:bf8 Starting Negotiation: src = 192.168.255.250.0000, dst = 192.168.255.254.0500, proto = 00, context = 81B50130, ProxySrc = 192.168.255.250.0000, ProxyDst = 0.0.0.0.0000 SrcMask = 255.255.255.255 DstMask = 0.0.0.0
> 12-26: 14:00:20:811:bf8 constructing ISAKMP Header
> 12-26: 14:00:20:811:bf8 constructing SA (ISAKMP)
> 12-26: 14:00:20:811:bf8 Constructing Vendor
> 12-26: 14:00:20:811:bf8
> 12-26: 14:00:20:811:bf8 Sending: SA = 0x000E3830 to 192.168.255.254:Type 2
> 12-26: 14:00:20:811:bf8 ISAKMP Header: (V1.0), len = 216
> 12-26: 14:00:20:811:bf8 I-COOKIE 8423ddf04e204ed5
> 12-26: 14:00:20:811:bf8 R-COOKIE 0000000000000000
> 12-26: 14:00:20:811:bf8 exchange: Oakley Main Mode
> 12-26: 14:00:20:811:bf8 flags: 0
> 12-26: 14:00:20:811:bf8 next payload: SA
> 12-26: 14:00:20:811:bf8 message ID: 00000000
> 12-26: 14:00:20:881:bf8
> 12-26: 14:00:20:891:bf8 Receive: (get) SA = 0x000e3830 from 192.168.255.254
> 12-26: 14:00:20:891:bf8 ISAKMP Header: (V1.0), len = 84
> 12-26: 14:00:20:891:bf8 I-COOKIE 8423ddf04e204ed5
> 12-26: 14:00:20:891:bf8 R-COOKIE 68d5a3aa523f4f24
> 12-26: 14:00:20:891:bf8 exchange: Oakley Main Mode
> 12-26: 14:00:20:891:bf8 flags: 0
> 12-26: 14:00:20:891:bf8 next payload: SA
> 12-26: 14:00:20:891:bf8 message ID: 00000000
> 12-26: 14:00:20:891:bf8 processing payload SA
> 12-26: 14:00:20:891:bf8 Received Phase 1 Transform 1
> 12-26: 14:00:20:891:bf8 Encryption Alg Triple DES CBC(5)
> 12-26: 14:00:20:891:bf8 Hash Alg SHA(2)
> 12-26: 14:00:20:891:bf8 Oakley Group 2
> 12-26: 14:00:20:891:bf8 Auth Method RSA Signature with Certificates(3)
> 12-26: 14:00:20:891:bf8 Life type in Seconds
> 12-26: 14:00:20:891:bf8 Life duration of 28800
> 12-26: 14:00:20:891:bf8 Phase 1 SA accepted: transform=1
> 12-26: 14:00:20:891:bf8 SA - Oakley proposal accepted
> 12-26: 14:00:20:891:bf8 constructing ISAKMP Header
> 12-26: 14:00:20:961:bf8 constructing KE
> 12-26: 14:00:20:961:bf8 constructing NONCE (ISAKMP)
> 12-26: 14:00:20:961:bf8
> 12-26: 14:00:20:961:bf8 Sending: SA = 0x000E3830 to 192.168.255.254:Type 2
> 12-26: 14:00:20:961:bf8 ISAKMP Header: (V1.0), len = 184
> 12-26: 14:00:20:961:bf8 I-COOKIE 8423ddf04e204ed5
> 12-26: 14:00:20:961:bf8 R-COOKIE 68d5a3aa523f4f24
> 12-26: 14:00:20:961:bf8 exchange: Oakley Main Mode
> 12-26: 14:00:20:961:bf8 flags: 0
> 12-26: 14:00:20:961:bf8 next payload: KE
> 12-26: 14:00:20:961:bf8 message ID: 00000000
> 12-26: 14:00:21:41:bf8
> 12-26: 14:00:21:41:bf8 Receive: (get) SA = 0x000e3830 from 192.168.255.254
> 12-26: 14:00:21:41:bf8 ISAKMP Header: (V1.0), len = 188
> 12-26: 14:00:21:41:bf8 I-COOKIE 8423ddf04e204ed5
> 12-26: 14:00:21:41:bf8 R-COOKIE 68d5a3aa523f4f24
> 12-26: 14:00:21:41:bf8 exchange: Oakley Main Mode
> 12-26: 14:00:21:41:bf8 flags: 0
> 12-26: 14:00:21:41:bf8 next payload: KE
> 12-26: 14:00:21:41:bf8 message ID: 00000000
> 12-26: 14:00:21:41:bf8 processing payload KE
> 12-26: 14:00:21:62:bf8 processing payload NONCE
> 12-26: 14:00:21:62:bf8 processing payload CRP
> 12-26: 14:00:21:62:bf8 constructing ISAKMP Header
> 12-26: 14:00:21:62:bf8 constructing ID
> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
> 12-26: 14:00:21:62:bf8 Looking for IPSec only cert
> 12-26: 14:00:21:62:bf8 Trust failed. 1 100
> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
> 12-26: 14:00:21:62:bf8 Looking for IPSec only cert
> 12-26: 14:00:21:62:bf8 Trust failed. 1 100
> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
> 12-26: 14:00:21:62:bf8 Looking for IPSec only cert
> 12-26: 14:00:21:62:bf8 failed to get chain 80092004
> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
> 12-26: 14:00:21:62:bf8 Looking for any cert
> 12-26: 14:00:21:62:bf8 Trust failed. 1 100
> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
> 12-26: 14:00:21:62:bf8 Looking for any cert
> 12-26: 14:00:21:72:bf8 Trust failed. 1 100
> 12-26: 14:00:21:72:bf8 Received no valid CRPs. Using all configured
> 12-26: 14:00:21:72:bf8 Looking for any cert
> 12-26: 14:00:21:72:bf8 failed to get chain 80092004
> 12-26: 14:00:21:72:bf8 ProcessFailure: sa:000E3830 centry:00000000 status:35ee
> 12-26: 14:00:21:72:bf8 isadb_set_status sa:000E3830 centry:00000000 status 35ee
> 12-26: 14:00:21:72:bf8 Key Exchange Mode (Main Mode)
>
>
> 12-26: 14:00:21:72:bf8 Source IP Address 192.168.255.250
>
> Source IP Address Mask 255.255.255.255
>
> Destination IP Address 192.168.255.254
>
> Destination IP Address Mask 255.255.255.255
>
> Protocol 0
>
> Source Port 0
>
> Destination Port 0
>
> IKE Local Addr
>
> IKE Peer Addr
>
>
> 12-26: 14:00:21:72:bf8 Certificate based Identity.
>
> Peer IP Address: 192.168.255.254
>
>
> 12-26: 14:00:21:72:bf8 Me
>
>
> 12-26: 14:00:21:72:bf8 IKE failed to find valid machine certificate
>
>
> 12-26: 14:00:21:72:bf8 0x80092004 0x100
> 12-26: 14:00:21:72:bf8 ProcessFailure: sa:000E3830 centry:00000000 status:35ee
> 12-26: 14:00:21:72:bf8 constructing ISAKMP Header
> 12-26: 14:00:21:72:bf8 constructing HASH (null)
> 12-26: 14:00:21:72:bf8 constructing NOTIFY 28
> 12-26: 14:00:21:72:bf8 constructing HASH (Notify/Delete)
> 12-26: 14:00:21:72:bf8
> 12-26: 14:00:21:72:bf8 Sending: SA = 0x000E3830 to 192.168.255.254:Type 1
> 12-26: 14:00:21:72:bf8 ISAKMP Header: (V1.0), len = 84
> 12-26: 14:00:21:72:bf8 I-COOKIE 8423ddf04e204ed5
> 12-26: 14:00:21:72:bf8 R-COOKIE 68d5a3aa523f4f24
> 12-26: 14:00:21:72:bf8 exchange: ISAKMP Informational Exchange
> 12-26: 14:00:21:72:bf8 flags: 1 ( encrypted )
> 12-26: 14:00:21:72:bf8 next payload: HASH
> 12-26: 14:00:21:72:bf8 message ID: 33bae727
> 12-26: 14:00:31:86:bf8
> 12-26: 14:00:31:86:bf8 Receive: (get) SA = 0x000e3830 from 192.168.255.254
> 12-26: 14:00:31:86:bf8 ISAKMP Header: (V1.0), len = 188
> 12-26: 14:00:31:86:bf8 I-COOKIE 8423ddf04e204ed5
> 12-26: 14:00:31:86:bf8 R-COOKIE 68d5a3aa523f4f24
> 12-26: 14:00:31:86:bf8 exchange: Oakley Main Mode
> 12-26: 14:00:31:86:bf8 flags: 0
> 12-26: 14:00:31:86:bf8 next payload: KE
> 12-26: 14:00:31:86:bf8 message ID: 00000000
> 12-26: 14:00:31:86:bf8 received an unencrypted packet when crypto active
> 12-26: 14:00:31:86:bf8 GetPacket failed 35ec
> 12-26: 14:00:51:85:460
> 12-26: 14:00:51:85:460 Receive: (get) SA = 0x000e3830 from 192.168.255.254
> 12-26: 14:00:51:85:460 ISAKMP Header: (V1.0), len = 188
> 12-26: 14:00:51:85:460 I-COOKIE 8423ddf04e204ed5
> 12-26: 14:00:51:85:460 R-COOKIE 68d5a3aa523f4f24
> 12-26: 14:00:51:85:460 exchange: Oakley Main Mode
> 12-26: 14:00:51:85:460 flags: 0
> 12-26: 14:00:51:85:460 next payload: KE
> 12-26: 14:00:51:85:460 message ID: 00000000
> 12-26: 14:00:51:85:460 received an unencrypted packet when crypto active
> 12-26: 14:00:51:85:460 GetPacket failed 35ec
> 12-26: 14:01:34:217:be0 Acquire from driver: op=81B50130 src=192.168.255.250.0 dst=64.156.44.240.0 proto = 0, SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 1, TunnelEndpt=192.168.255.254 Inbound TunnelEndpt=192.168.255.250
> 12-26: 14:01:34:217:460 Main mode in progress. Acquire queued
> 12-26: 14:01:34:217:460 Queued Acquire Context 81b50130 on SA e3830
> 12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas: 8f837fed-2334-431f-a48d645725249e5f 4
> 12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas: a6864f31-88be-40b8-930ffa2a6b0c71fc 4
> 12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas: 4cdba9dd-1416-4c70-802c553836bdc93a 3
> 12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas: 2e981c69-4065-4e00-84571ba48720206c 3
> 12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas: 6e86f6ea-18ab-4338-9651e860e4186703 1
> 12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas: dd1ebebd-54c7-4787-adb99b4fab60ec3e 2
> 12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas: 5aae510a-c38b-404d-beff08285a65257b 2
> 12-26: 14:01:36:270:460 entered kill_old_policy_sas
> 12-26: 14:01:36:270:460 entered kill_old_policy_sas
> 12-26: 14:01:36:270:460 SA Dead. sa:000E3830 status:3619
> 12-26: 14:01:36:270:460 Posting new acquire context 81b50130
> 12-26: 14:01:36:270:460 Acquire from driver: op=81B50130 src=192.168.255.250.0 dst=64.156.44.240.0 proto = 0, SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 1, TunnelEndpt=192.168.255.254 Inbound TunnelEndpt=192.168.255.250, InitiateEvent=00000000
> 12-26: 14:01:36:270:460 constructing ISAKMP Header
> 12-26: 14:01:36:270:460 constructing HASH (null)
> 12-26: 14:01:36:270:460 constructing DELETE. MM 000E3830
> 12-26: 14:01:36:270:460 constructing HASH (Notify/Delete)
> 12-26: 14:01:36:270:460
> 12-26: 14:01:36:270:460 Sending: SA = 0x000E3830 to 192.168.255.254:Type 1
> 12-26: 14:01:36:270:460 ISAKMP Header: (V1.0), len = 84
> 12-26: 14:01:36:270:460 I-COOKIE 8423ddf04e204ed5
> 12-26: 14:01:36:270:460 R-COOKIE 68d5a3aa523f4f24
> 12-26: 14:01:36:270:460 exchange: ISAKMP Informational Exchange
> 12-26: 14:01:36:270:460 flags: 1 ( encrypted )
> 12-26: 14:01:36:270:460 next payload: HASH
> 12-26: 14:01:36:270:460 message ID: f7c22255
> 12-26: 14:01:36:270:460 entered kill_old_policy_sas
> 12-26: 14:01:36:270:460 entered kill_old_policy_sas
> 12-26: 14:01:36:270:460 entered kill_old_policy_sas
> 12-26: 14:01:36:270:460 entered kill_old_policy_sas
> 12-26: 14:01:36:270:460 entered kill_old_policy_sas
> 12-26: 14:01:36:270:460 Filter to match: Src 192.168.255.254 Dst 192.168.255.250
> 12-26: 14:01:36:270:460 MatchMMFilter failed 13013
> 12-26: 14:01:36:270:460 isadb_set_status sa:00115B78 centry:00000000 status 32d5
> 12-26: 14:01:36:270:460 Key Exchange Mode (Main Mode)
>
>
> 12-26: 14:01:36:270:460 Source IP Address 192.168.255.250
>
> Source IP Address Mask 255.255.255.255
>
> Destination IP Address 192.168.255.254
>
> Destination IP Address Mask 255.255.255.255
>
> Protocol 0
>
> Source Port 0
>
> Destination Port 0
>
> IKE Local Addr
>
> IKE Peer Addr
>
>
> 12-26: 14:01:36:270:460
> 12-26: 14:01:36:270:460 Me
>
>
> 12-26: 14:01:36:270:460 The specified main mode policy was not found.
>
>
> 12-26: 14:01:36:270:460 0x0 0x0
> 12-26: 14:01:36:270:460 initiator: failed cbad02a5
> 12-26: 14:02:29:308:460 SA Dead. sa:00115B78 status:35f0

-- 
======================================================================
Andreas Steffen                 e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                  phone:  +41 76 340 25 56
Alter Zürichweg 20              home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
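The checks raised in this thread, as an added example that is not code from FreeS/WAN, Microsoft or any of the posters: rewriting a rightca DN into the attribute spelling Windows XP IPsec expects (ST= to S=, Email= to E=, as the oakley.log Auth[0] line shows), testing whether a client certificate's validity lies inside its CA's (Andreas's second question), and flagging the failure markers quoted from the pluto and oakley logs. Function and constant names are my own and the validity dates are constructed.

```python
"""Checks for the FreeS/WAN <-> Windows XP certificate problems on this thread.

Added example; not code from FreeS/WAN, Microsoft or the thread's authors.
Function and constant names are my own; the validity dates are constructed.
"""
from datetime import datetime, timezone

# Attribute names Windows XP IPsec spells differently from OpenSSL / FreeS/WAN.
# On this thread rightca="... ST=California ..." failed until it became
# S=California, and the oakley.log prints the Email= attribute as E=.
WINDOWS_DN_ATTRS = {"ST": "S", "EMAIL": "E", "EMAILADDRESS": "E"}


def parse_dn(dn):
    """Split 'C=US, ST=California, ...' into (attr, value) pairs.

    Values containing commas are not supported; none occur in the thread's DNs.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def to_windows_dn(dn):
    """Rewrite a FreeS/WAN-style DN in the spelling Windows XP IPsec expects."""
    return ", ".join(
        f"{WINDOWS_DN_ATTRS.get(attr.upper(), attr)}={value}"
        for attr, value in parse_dn(dn)
    )


def parse_openssl_dates(text):
    """Parse the two lines printed by `openssl x509 -in cert.pem -noout -dates`."""
    dates = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        stamp = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
        dates[key.strip()] = stamp.replace(tzinfo=timezone.utc)
    return dates["notBefore"], dates["notAfter"]


def validity_inside_ca(cert_dates, ca_dates):
    """True when the end-entity validity period lies inside the CA's.

    This is the condition Andreas asks about: a certificate that starts before
    or outlives its issuing CA is a common reason a chain is rejected.
    """
    not_before, not_after = cert_dates
    ca_not_before, ca_not_after = ca_dates
    return ca_not_before <= not_before and not_after <= ca_not_after


# Failure markers quoted on this thread and what each one points to.
FAILURE_MARKERS = {
    "policy does not allow OAKLEY_RSA_SIG": "pluto: conn lacks authby=rsasig, so "
        "the default authby=secret rejects XP's RSA-signature proposal",
    "failed to get chain 80092004": "XP: CryptoAPI could not chain the machine "
        "certificate (0x80092004 = CRYPT_E_NOT_FOUND); check which store it is "
        "in and whether the CA DN matches rightca",
    "IKE failed to find valid machine certificate": "XP: no usable certificate, "
        "Main Mode stops before authentication",
    "constructing NOTIFY 28": "XP sends CERTIFICATE-UNAVAILABLE (ISAKMP notify 28) "
        "in an encrypted Informational; pluto logs it as invalid for the "
        "incomplete ISAKMP SA",
    "received an unencrypted packet when crypto active": "XP: pluto's "
        "retransmitted Main Mode message 4 after the failure; a symptom, not "
        "the cause",
}


def triage_logs(text):
    """Return (line, explanation) for every line carrying a known failure marker."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        for marker, why in FAILURE_MARKERS.items():
            if marker in line:
                hits.append((line, why))
    return hits


# Excerpts copied from the oakley.log and pluto log quoted on this thread.
SAMPLE_LOG = """\
12-26: 13:58:16:643:460 Looking for any cert
12-26: 13:58:16:643:460 failed to get chain 80092004
12-26: 13:58:16:643:460 IKE failed to find valid machine certificate
12-26: 13:58:16:643:460 constructing NOTIFY 28
12-26: 13:58:26:657:460 received an unencrypted packet when crypto active
Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: policy does not allow OAKLEY_RSA_SIG authentication.
"""

FREESWAN_DN = "C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"

# Constructed validity periods: the client certificate outlives its CA by six months.
CA_DATES = "notBefore=Jun  1 00:00:00 2002 GMT\nnotAfter=Jun  1 00:00:00 2003 GMT"
CLIENT_DATES = "notBefore=Dec  1 00:00:00 2002 GMT\nnotAfter=Dec  1 00:00:00 2003 GMT"

if __name__ == "__main__":
    print(to_windows_dn(FREESWAN_DN))
    nested = validity_inside_ca(parse_openssl_dates(CLIENT_DATES), parse_openssl_dates(CA_DATES))
    print("client validity nested in CA validity:", nested)
    for line, why in triage_logs(SAMPLE_LOG):
        print(f"{line}\n    -> {why}")
```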


This archive was generated by hypermail 2.1.5 : Fri Dec 27 2002 - 05:21:18 CET