Re: [Users] [Fwd: FreeSWAN and Windows XP]

From: Patrick Topping (ptopping_at_pobox.com)
Date: Fri Dec 27 2002 - 01:05:06 CET


I unzipped Marcus' file into c:\ipsec. I scp'ed my *.p12 file into that
directory and ran Marcus' MMC, importing my file. I edited the
ipsec.conf file to fit my network requirements. When I created the CA's
certificate I made days = 3650 and when I created the XP certificate I
made days = 365.

At this point, I am getting the same error. I am sure it is on the XP
side but not sure how to correct it. Thanks for all your help so far.

-Patrick

Andreas Steffen wrote:

> Hi Patrick,
>
> I found the following error message in your oakley.log:
>
> 12-26: 13:58:16:643:460 IKE failed to find valid machine certificate
>
> - Did you put XP's certificate in the correct place by using
> Marcus Müller's preconfigured mmc configuration file?
>
> - Is the validity of the CA certificate an outer bound to the
> validity of XP's certificate?
>
> Regards
>
> Andreas
>
> Patrick Topping wrote:
>
>> Andreas,
>>
>> I made the correction to S=California and I am still getting the same
>> error. I have attached the oakley log from the Windows machine. The
>> error that I am seeing in the FreeSWAN secure log is as follows:
>>
>> Dec 26 22:00:14 sapphire pluto[14666]: "aeronet" #13: encrypted
>> Informational Exchange message is invalid because it is for
>> incomplete ISAKMP SA
>>
>> The error that I am getting in the oakley log is below. I know the
>> problem is on the XP side but I am unsure on how to fix it. I have
>> gone through the steps on Nate's web site a couple of times but I
>> seem to be getting the same error.
>>
>> 12-26: 14:00:21:41:bf8 Receive: (get) SA = 0x000e3830 from 192.168.255.254
>> 12-26: 14:00:21:41:bf8 ISAKMP Header: (V1.0), len = 188
>> 12-26: 14:00:21:41:bf8 I-COOKIE 8423ddf04e204ed5
>> 12-26: 14:00:21:41:bf8 R-COOKIE 68d5a3aa523f4f24
>> 12-26: 14:00:21:41:bf8 exchange: Oakley Main Mode
>> 12-26: 14:00:21:41:bf8 flags: 0
>> 12-26: 14:00:21:41:bf8 next payload: KE
>> 12-26: 14:00:21:41:bf8 message ID: 00000000
>> 12-26: 14:00:21:41:bf8 processing payload KE
>> 12-26: 14:00:21:62:bf8 processing payload NONCE
>> 12-26: 14:00:21:62:bf8 processing payload CRP
>> 12-26: 14:00:21:62:bf8 constructing ISAKMP Header
>> 12-26: 14:00:21:62:bf8 constructing ID
>> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
>> 12-26: 14:00:21:62:bf8 Looking for IPSec only cert
>> 12-26: 14:00:21:62:bf8 Trust failed. 1 100
>> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
>> 12-26: 14:00:21:62:bf8 Looking for IPSec only cert
>> 12-26: 14:00:21:62:bf8 Trust failed. 1 100
>> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
>> 12-26: 14:00:21:62:bf8 Looking for IPSec only cert
>> 12-26: 14:00:21:62:bf8 failed to get chain 80092004
>> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
>> 12-26: 14:00:21:62:bf8 Looking for any cert
>> 12-26: 14:00:21:62:bf8 Trust failed. 1 100
>> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
>> 12-26: 14:00:21:62:bf8 Looking for any cert
>> 12-26: 14:00:21:72:bf8 Trust failed. 1 100
>> 12-26: 14:00:21:72:bf8 Received no valid CRPs. Using all configured
>> 12-26: 14:00:21:72:bf8 Looking for any cert
>> 12-26: 14:00:21:72:bf8 failed to get chain 80092004
>> 12-26: 14:00:21:72:bf8 ProcessFailure: sa:000E3830 centry:00000000 status:35ee
>> 12-26: 14:00:21:72:bf8 isadb_set_status sa:000E3830 centry:00000000 status 35ee
>>
>>
>> Andreas Steffen wrote:
>>
>>> Now Windows XP has a problem. You defined
>>>
>>>     rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>>
>>> in the Windows ipsec.conf but Microsoft wants
>>>
>>> S=California
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> Patrick Topping wrote:
>>>
>>>> Thanks Andreas. I have added the authby=rsasig and now I am
>>>> getting the following error:
>>>>
>>>>> Dec 26 19:47:34 sapphire pluto[14065]: "aeronet" #5: responding to
>>>>> Main Mode
>>>>> Dec 26 19:47:34 sapphire pluto[14065]: "aeronet" #5: encrypted
>>>>> Informational Exchange message is invalid because it is for
>>>>> incomplete ISAKMP SA
>>>>> Dec 26 19:47:44 sapphire pluto[14065]: | handling event
>>>>> EVENT_RETRANSMIT for 192.168.255.250 "aeronet" #5
>>>>> Dec 26 19:48:04 sapphire pluto[14065]: | handling event
>>>>> EVENT_RETRANSMIT for 192.168.255.250 "aeronet" #5
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> At least it is something new...:-)
>>>>
>>>> -Patrick
>>>>
>>>>
>>>>
>>>> Andreas Steffen wrote:
>>>>
>>>>> The entry
>>>>>
>>>>> authby=rsasig
>>>>>
>>>>> is missing in your FreeS/WAN ipsec.conf. Therefore authby=secret is
>>>>> assumed by default, leading to the error below.
>>>>>
>>>>> Regards
>>>>>
>>>>> Andreas
>>>>>
>>>>> Patrick Topping wrote:
>>>>>
>>>>>> With attachments this time......:-)
>>>>>>
>>>>>> I have read through and done step by step what is on Nate
>>>>>> Carlson's web page and I still cannot get the tunnel up. I have
>>>>>> attached the ipsec.conf files for both the FreeSWAN gateway and
>>>>>> for my Windows XP client. The error that I am seeing on the
>>>>>> gateway is as follows:
>>>>>>
>>>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: responding
>>>>>> to Main Mode
>>>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: policy does
>>>>>> not allow OAKLEY_RSA_SIG authentication. Attribute
>>>>>> OAKLEY_AUTHENTICATION_METHOD
>>>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: policy does
>>>>>> not allow OAKLEY_RSA_SIG authentication. Attribute
>>>>>> OAKLEY_AUTHENTICATION_METHOD
>>>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49:
>>>>>> OAKLEY_DES_CBC is not supported. Attribute
>>>>>> OAKLEY_ENCRYPTION_ALGORITHM
>>>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49:
>>>>>> OAKLEY_DES_CBC is not supported. Attribute
>>>>>> OAKLEY_ENCRYPTION_ALGORITHM
>>>>>> Dec 26 17:14:27 sapphire pluto[12474]: "aeronet" #49: no
>>>>>> acceptable Oakley Transform
>>>>>> Dec 26 17:14:28 sapphire pluto[12474]: "aeronet" #50: responding
>>>>>> to Main Mode
>>>>>> Dec 26 17:14:28 sapphire pluto[12474]: "aeronet" #50: policy does
>>>>>> not allow OAKLEY_RSA_SIG authentication. Attribute
>>>>>> OAKLEY_AUTHENTICATION_METHOD
>>>>>>
>>>>>> Thanks in advance for any help I can get.
>>>>>>
>>>>>> -Patrick
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>>>>>>
>>>>>> # More elaborate and more varied sample configurations can be found
>>>>>> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
>>>>>>
>>>>>> # basic configuration
>>>>>> config setup
>>>>>>     # THIS SETTING MUST BE CORRECT or almost nothing will work;
>>>>>>     # %defaultroute is okay for most simple cases.
>>>>>>     # interfaces=%defaultroute
>>>>>>     interfaces="ipsec0=eth0 ipsec1=eth1"
>>>>>>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>>>>>>     klipsdebug=all
>>>>>>     plutodebug=all
>>>>>>     # Use auto= parameters in conn descriptions to control startup actions.
>>>>>>     plutoload=%search
>>>>>>     plutostart=%search
>>>>>>     plutowait=no
>>>>>>     # Close down old connection when new one using same ID shows up.
>>>>>>     uniqueids=yes
>>>>>>
>>>>>> conn aerocast
>>>>>>     left=68.99.179.107
>>>>>>     leftnexthop=68.99.176.1
>>>>>>     leftsubnet=192.168.255.0/24
>>>>>>     right=64.157.41.125
>>>>>>     rightnexthop=64.157.40.6
>>>>>>     rightsubnet=10.10.0.0/16
>>>>>>     auto=start
>>>>>>     pfs=yes
>>>>>>     esp=3des-sha1-96
>>>>>>     keyexchange=ike
>>>>>>     auth=esp
>>>>>>     disablearrivalcheck=no
>>>>>>     keyingtries=0
>>>>>>     keylife=24h
>>>>>>
>>>>>> conn level3
>>>>>>     left=68.99.179.107
>>>>>>     leftnexthop=68.99.176.1
>>>>>>     leftsubnet=192.168.255.0/24
>>>>>>     right=64.157.41.177
>>>>>>     rightnexthop=64.157.40.6
>>>>>>     rightsubnet=172.16.0.0/24
>>>>>>     auto=start
>>>>>>     pfs=yes
>>>>>>     esp=3des-sha1-96
>>>>>>     keyexchange=ike
>>>>>>     auth=esp
>>>>>>     disablearrivalcheck=no
>>>>>>     keyingtries=0
>>>>>>     keylife=24h
>>>>>>
>>>>>> #conn roadwarrior-net
>>>>>> #     leftsubnet=192.168.255.0/24
>>>>>> #     also=roadwarrior
>>>>>>
>>>>>> #conn roadwarrior
>>>>>> #     left=68.99.179.107
>>>>>> #     leftcert=sapphire.pem
>>>>>> #     right=%defaultroute
>>>>>> #     rightcert=clk430.pem
>>>>>> #     auto=add
>>>>>> #     pfs=yes
>>>>>>
>>>>>> conn aeronet
>>>>>>     left=192.168.255.254
>>>>>>     leftsubnet=192.168.255.0/24
>>>>>>     leftcert=sapphire.pem
>>>>>>     right=192.168.255.250
>>>>>>     rightcert=clk430.pem
>>>>>>     auto=add
>>>>>>     pfs=yes
>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>> #conn roadwarrior
>>>>>> #     left=%any
>>>>>> #     right=68.99.179.107
>>>>>> #     rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>>>>> #     network=auto
>>>>>> #     auto=start
>>>>>> #     pfs=yes
>>>>>>
>>>>>> #conn roadwarrior-net
>>>>>> #     left=%any
>>>>>> #     right=68.99.179.107
>>>>>> #     rightsubnet=192.168.255.0/24
>>>>>> #     rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>>>>> #     network=auto
>>>>>> #     auto=start
>>>>>> #     pfs=yes
>>>>>>
>>>>>> conn roadwarrior-allnet
>>>>>>     left=%any
>>>>>>     right=192.168.255.254
>>>>>>     rightca="C=US, ST=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>>>>>     rightsubnet=*
>>>>>>     network=auto
>>>>>>     auto=start
>>>>>>     pfs=yes
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ======================================================================
>>>>>
>>>>> Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
>>>>> strongSec GmbH phone: +41 76 340 25 56
>>>>> Alter Zürichweg 20 home: http://www.strongsec.com
>>>>> CH-8952 Schlieren (Switzerland)
>>>>> ==========================================[strong internet
>>>>> security]==
>>>>>
>>>>>
>>>>> .
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> conn roadwarrior-allnet
>>     left=%any
>>     right=192.168.255.254
>>     rightca="C=US, S=California, L=Irvine, O=Home, CN=sapphire, Email=ptopping_at_pobox.com"
>>     rightsubnet=*
>>     network=auto
>>     auto=start
>>     pfs=yes
>>     authby=rsasig
>>
>>
>> ------------------------------------------------------------------------
>>
>> 12-26: 13:57:59:208:810 Initialization OK
>> 12-26: 13:58:15:381:be0 Acquire from driver: op=81B4F940
>> src=192.168.255.250.0 dst=64.156.44.184.0 proto = 0,
>> SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 1,
>> TunnelEndpt=192.168.255.254 Inbound TunnelEndpt=192.168.255.250
>> 12-26: 13:58:15:381:460 Filter to match: Src 192.168.255.254 Dst
>> 192.168.255.250
>> 12-26: 13:58:15:381:460 MM PolicyName: 1
>> 12-26: 13:58:15:381:460 MMPolicy dwFlags 2 SoftSAExpireTime 28800
>> 12-26: 13:58:15:381:460 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
>> 12-26: 13:58:15:381:460 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
>> 12-26: 13:58:15:381:460 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
>> 12-26: 13:58:15:381:460 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
>> 12-26: 13:58:15:381:460 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
>> 12-26: 13:58:15:381:460 MMOffer[2] Encrypt: DES CBC Hash: SHA
>> 12-26: 13:58:15:381:460 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
>> 12-26: 13:58:15:381:460 MMOffer[3] Encrypt: DES CBC Hash: MD5
>> 12-26: 13:58:15:381:460 Auth[0]:RSA Sig C=US, S=California, L=Irvine,
>> O=Home, CN=sapphire, E=ptopping_at_pobox.com
>> 12-26: 13:58:15:381:460 QM PolicyName: Host-roadwarrior-allnet filter
>> action dwFlags 1
>> 12-26: 13:58:15:381:460 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
>> 12-26: 13:58:15:381:460 QMOffer[0] dwFlags 0 dwPFSGroup 268435456
>> 12-26: 13:58:15:381:460 Algo[0] Operation: ESP Algo: Triple DES CBC
>> HMAC: MD5
>> 12-26: 13:58:15:381:460 Starting Negotiation: src =
>> 192.168.255.250.0000, dst = 192.168.255.254.0500, proto = 00, context
>> = 81B4F940, ProxySrc = 192.168.255.250.0000, ProxyDst = 0.0.0.0.0000
>> SrcMask = 255.255.255.255 DstMask = 0.0.0.0
>> 12-26: 13:58:15:381:460 constructing ISAKMP Header
>> 12-26: 13:58:15:381:460 constructing SA (ISAKMP)
>> 12-26: 13:58:15:381:460 Constructing Vendor
>> 12-26: 13:58:15:381:460 12-26: 13:58:15:381:460 Sending: SA =
>> 0x000E3830 to 192.168.255.254:Type 2
>> 12-26: 13:58:15:381:460 ISAKMP Header: (V1.0), len = 216 12-26:
>> 13:58:15:381:460 I-COOKIE 5059b9d1065a3fa6
>> 12-26: 13:58:15:381:460 R-COOKIE 0000000000000000
>> 12-26: 13:58:15:381:460 exchange: Oakley Main Mode
>> 12-26: 13:58:15:381:460 flags: 0 12-26: 13:58:15:381:460 next
>> payload: SA
>> 12-26: 13:58:15:381:460 message ID: 00000000
>> 12-26: 13:58:16:382:e34 retransmit: sa = 000E3830 centry 00000000 ,
>> count = 1
>> 12-26: 13:58:16:382:e34 12-26: 13:58:16:382:e34 Sending: SA =
>> 0x000E3830 to 192.168.255.254:Type 2
>> 12-26: 13:58:16:382:e34 ISAKMP Header: (V1.0), len = 216 12-26:
>> 13:58:16:382:e34 I-COOKIE 5059b9d1065a3fa6
>> 12-26: 13:58:16:382:e34 R-COOKIE 0000000000000000
>> 12-26: 13:58:16:382:e34 exchange: Oakley Main Mode
>> 12-26: 13:58:16:382:e34 flags: 0 12-26: 13:58:16:382:e34 next
>> payload: SA
>> 12-26: 13:58:16:382:e34 message ID: 00000000
>> 12-26: 13:58:16:442:460 12-26: 13:58:16:442:460 Receive: (get) SA =
>> 0x000e3830 from 192.168.255.254
>> 12-26: 13:58:16:442:460 ISAKMP Header: (V1.0), len = 84 12-26:
>> 13:58:16:442:460 I-COOKIE 5059b9d1065a3fa6
>> 12-26: 13:58:16:442:460 R-COOKIE 3f16260379d19d91
>> 12-26: 13:58:16:442:460 exchange: Oakley Main Mode
>> 12-26: 13:58:16:442:460 flags: 0 12-26: 13:58:16:442:460 next
>> payload: SA
>> 12-26: 13:58:16:442:460 message ID: 00000000
>> 12-26: 13:58:16:442:460 processing payload SA 12-26:
>> 13:58:16:442:460 Received Phase 1 Transform 1
>> 12-26: 13:58:16:442:460 Encryption Alg Triple DES CBC(5)
>> 12-26: 13:58:16:442:460 Hash Alg SHA(2)
>> 12-26: 13:58:16:442:460 Oakley Group 2
>> 12-26: 13:58:16:442:460 Auth Method RSA Signature with
>> Certificates(3)
>> 12-26: 13:58:16:442:460 Life type in Seconds
>> 12-26: 13:58:16:442:460 Life duration of 28800
>> 12-26: 13:58:16:442:460 Phase 1 SA accepted: transform=1
>> 12-26: 13:58:16:442:460 SA - Oakley proposal accepted
>> 12-26: 13:58:16:442:460 constructing ISAKMP Header
>> 12-26: 13:58:16:512:460 constructing KE
>> 12-26: 13:58:16:512:460 constructing NONCE (ISAKMP)
>> 12-26: 13:58:16:512:460 12-26: 13:58:16:512:460 Sending: SA =
>> 0x000E3830 to 192.168.255.254:Type 2
>> 12-26: 13:58:16:512:460 ISAKMP Header: (V1.0), len = 184 12-26:
>> 13:58:16:512:460 I-COOKIE 5059b9d1065a3fa6
>> 12-26: 13:58:16:512:460 R-COOKIE 3f16260379d19d91
>> 12-26: 13:58:16:512:460 exchange: Oakley Main Mode
>> 12-26: 13:58:16:512:460 flags: 0 12-26: 13:58:16:512:460 next
>> payload: KE
>> 12-26: 13:58:16:512:460 message ID: 00000000
>> 12-26: 13:58:16:613:460 12-26: 13:58:16:613:460 Receive: (get) SA =
>> 0x000e3830 from 192.168.255.254
>> 12-26: 13:58:16:613:460 ISAKMP Header: (V1.0), len = 188 12-26:
>> 13:58:16:613:460 I-COOKIE 5059b9d1065a3fa6
>> 12-26: 13:58:16:613:460 R-COOKIE 3f16260379d19d91
>> 12-26: 13:58:16:613:460 exchange: Oakley Main Mode
>> 12-26: 13:58:16:613:460 flags: 0 12-26: 13:58:16:613:460 next
>> payload: KE
>> 12-26: 13:58:16:613:460 message ID: 00000000
>> 12-26: 13:58:16:613:460 processing payload KE 12-26:
>> 13:58:16:633:460 processing payload NONCE
>> 12-26: 13:58:16:633:460 processing payload CRP
>> 12-26: 13:58:16:633:460 constructing ISAKMP Header
>> 12-26: 13:58:16:633:460 constructing ID
>> 12-26: 13:58:16:633:460 Received no valid CRPs. Using all configured
>> 12-26: 13:58:16:633:460 Looking for IPSec only cert
>> 12-26: 13:58:16:643:460 Trust failed. 1 100
>> 12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
>> 12-26: 13:58:16:643:460 Looking for IPSec only cert
>> 12-26: 13:58:16:643:460 Trust failed. 1 100
>> 12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
>> 12-26: 13:58:16:643:460 Looking for IPSec only cert
>> 12-26: 13:58:16:643:460 failed to get chain 80092004
>> 12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
>> 12-26: 13:58:16:643:460 Looking for any cert
>> 12-26: 13:58:16:643:460 Trust failed. 1 100
>> 12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
>> 12-26: 13:58:16:643:460 Looking for any cert
>> 12-26: 13:58:16:643:460 Trust failed. 1 100
>> 12-26: 13:58:16:643:460 Received no valid CRPs. Using all configured
>> 12-26: 13:58:16:643:460 Looking for any cert
>> 12-26: 13:58:16:643:460 failed to get chain 80092004
>> 12-26: 13:58:16:643:460 ProcessFailure: sa:000E3830 centry:00000000
>> status:35ee
>> 12-26: 13:58:16:643:460 isadb_set_status sa:000E3830 centry:00000000
>> status 35ee
>> 12-26: 13:58:16:643:460 Key Exchange Mode (Main Mode)
>>
>>
>> 12-26: 13:58:16:643:460 Source IP Address 192.168.255.250
>>
>> Source IP Address Mask 255.255.255.255
>>
>> Destination IP Address 192.168.255.254
>>
>> Destination IP Address Mask 255.255.255.255
>>
>> Protocol 0
>>
>> Source Port 0
>>
>> Destination Port 0
>>
>> IKE Local Addr
>> IKE Peer Addr
>>
>> 12-26: 13:58:16:643:460 Certificate based Identity.
>> Peer IP Address: 192.168.255.254
>>
>>
>> 12-26: 13:58:16:643:460 Me
>>
>>
>> 12-26: 13:58:16:643:460 IKE failed to find valid machine certificate
>>
>>
>> 12-26: 13:58:16:643:460 0x80092004 0x100
>> 12-26: 13:58:16:643:460 ProcessFailure: sa:000E3830 centry:00000000
>> status:35ee
>> 12-26: 13:58:16:643:460 constructing ISAKMP Header
>> 12-26: 13:58:16:643:460 constructing HASH (null)
>> 12-26: 13:58:16:643:460 constructing NOTIFY 28
>> 12-26: 13:58:16:643:460 constructing HASH (Notify/Delete)
>> 12-26: 13:58:16:643:460 12-26: 13:58:16:643:460 Sending: SA =
>> 0x000E3830 to 192.168.255.254:Type 1
>> 12-26: 13:58:16:643:460 ISAKMP Header: (V1.0), len = 84 12-26:
>> 13:58:16:643:460 I-COOKIE 5059b9d1065a3fa6
>> 12-26: 13:58:16:643:460 R-COOKIE 3f16260379d19d91
>> 12-26: 13:58:16:643:460 exchange: ISAKMP Informational Exchange
>> 12-26: 13:58:16:643:460 flags: 1 ( encrypted )
>> 12-26: 13:58:16:643:460 next payload: HASH
>> 12-26: 13:58:16:643:460 message ID: bacd472d
>> 12-26: 13:58:26:657:460 12-26: 13:58:26:657:460 Receive: (get) SA =
>> 0x000e3830 from 192.168.255.254
>> 12-26: 13:58:26:657:460 ISAKMP Header: (V1.0), len = 188 12-26:
>> 13:58:26:657:460 I-COOKIE 5059b9d1065a3fa6
>> 12-26: 13:58:26:657:460 R-COOKIE 3f16260379d19d91
>> 12-26: 13:58:26:657:460 exchange: Oakley Main Mode
>> 12-26: 13:58:26:657:460 flags: 0 12-26: 13:58:26:657:460 next
>> payload: KE
>> 12-26: 13:58:26:657:460 message ID: 00000000
>> 12-26: 13:58:26:657:460 received an unencrypted packet when crypto
>> active
>> 12-26: 13:58:26:657:460 GetPacket failed 35ec
>> 12-26: 13:58:46:656:460 12-26: 13:58:46:656:460 Receive: (get) SA =
>> 0x000e3830 from 192.168.255.254
>> 12-26: 13:58:46:656:460 ISAKMP Header: (V1.0), len = 188 12-26:
>> 13:58:46:656:460 I-COOKIE 5059b9d1065a3fa6
>> 12-26: 13:58:46:656:460 R-COOKIE 3f16260379d19d91
>> 12-26: 13:58:46:656:460 exchange: Oakley Main Mode
>> 12-26: 13:58:46:656:460 flags: 0 12-26: 13:58:46:656:460 next
>> payload: KE
>> 12-26: 13:58:46:656:460 message ID: 00000000
>> 12-26: 13:58:46:656:460 received an unencrypted packet when crypto
>> active
>> 12-26: 13:58:46:656:460 GetPacket failed 35ec
>> 12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas:
>> 7ded5b6d-488d-4471-829ca689a02acc95 4
>> 12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas:
>> 41d9b683-5a06-4965-abf52b4da2d99aa4 4
>> 12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas:
>> b8ac66fe-928c-44dd-9c01aa594bf7d53d 3
>> 12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas:
>> 89c3929a-f918-4439-a970da4d4125e848 3
>> 12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas:
>> c002f544-7832-489a-b26bdfe01d4a5c2e 1
>> 12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas:
>> 79de7a7a-302c-4f77-9a0d6d829ff7cd25 2
>> 12-26: 14:00:00:572:810 isadb_schedule_kill_oldPolicy_sas:
>> 5bbfdf85-3a17-4626-8b758fab02d7b64c 2
>> 12-26: 14:00:00:612:460 entered kill_old_policy_sas
>> 12-26: 14:00:00:612:460 entered kill_old_policy_sas
>> 12-26: 14:00:00:612:460 SA Dead. sa:000E3830 status:3619
>> 12-26: 14:00:00:612:460 constructing ISAKMP Header
>> 12-26: 14:00:00:612:460 constructing HASH (null)
>> 12-26: 14:00:00:612:460 constructing DELETE. MM 000E3830
>> 12-26: 14:00:00:612:460 constructing HASH (Notify/Delete)
>> 12-26: 14:00:00:612:460 12-26: 14:00:00:612:460 Sending: SA =
>> 0x000E3830 to 192.168.255.254:Type 1
>> 12-26: 14:00:00:612:460 ISAKMP Header: (V1.0), len = 84 12-26:
>> 14:00:00:612:460 I-COOKIE 5059b9d1065a3fa6
>> 12-26: 14:00:00:612:460 R-COOKIE 3f16260379d19d91
>> 12-26: 14:00:00:612:460 exchange: ISAKMP Informational Exchange
>> 12-26: 14:00:00:612:460 flags: 1 ( encrypted )
>> 12-26: 14:00:00:612:460 next payload: HASH
>> 12-26: 14:00:00:612:460 message ID: 1e90325c
>> 12-26: 14:00:00:612:460 entered kill_old_policy_sas
>> 12-26: 14:00:00:612:460 entered kill_old_policy_sas
>> 12-26: 14:00:00:612:460 entered kill_old_policy_sas
>> 12-26: 14:00:00:612:460 entered kill_old_policy_sas
>> 12-26: 14:00:00:612:460 entered kill_old_policy_sas
>> 12-26: 14:00:20:811:be0 Acquire from driver: op=81B50130
>> src=192.168.255.250.0 dst=192.168.255.254.0 proto = 0,
>> SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 1,
>> TunnelEndpt=192.168.255.254 Inbound TunnelEndpt=192.168.255.250
>> 12-26: 14:00:20:811:bf8 Filter to match: Src 192.168.255.254 Dst
>> 192.168.255.250
>> 12-26: 14:00:20:811:bf8 MM PolicyName: 2
>> 12-26: 14:00:20:811:bf8 MMPolicy dwFlags 2 SoftSAExpireTime 28800
>> 12-26: 14:00:20:811:bf8 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
>> 12-26: 14:00:20:811:bf8 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
>> 12-26: 14:00:20:811:bf8 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
>> 12-26: 14:00:20:811:bf8 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
>> 12-26: 14:00:20:811:bf8 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
>> 12-26: 14:00:20:811:bf8 MMOffer[2] Encrypt: DES CBC Hash: SHA
>> 12-26: 14:00:20:811:bf8 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
>> 12-26: 14:00:20:811:bf8 MMOffer[3] Encrypt: DES CBC Hash: MD5
>> 12-26: 14:00:20:811:bf8 Auth[0]:RSA Sig C=US, S=California, L=Irvine,
>> O=Home, CN=sapphire, E=ptopping_at_pobox.com
>> 12-26: 14:00:20:811:bf8 QM PolicyName: Host-roadwarrior-allnet filter
>> action dwFlags 1
>> 12-26: 14:00:20:811:bf8 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
>> 12-26: 14:00:20:811:bf8 QMOffer[0] dwFlags 0 dwPFSGroup 268435456
>> 12-26: 14:00:20:811:bf8 Algo[0] Operation: ESP Algo: Triple DES CBC
>> HMAC: MD5
>> 12-26: 14:00:20:811:bf8 Starting Negotiation: src =
>> 192.168.255.250.0000, dst = 192.168.255.254.0500, proto = 00, context
>> = 81B50130, ProxySrc = 192.168.255.250.0000, ProxyDst = 0.0.0.0.0000
>> SrcMask = 255.255.255.255 DstMask = 0.0.0.0
>> 12-26: 14:00:20:811:bf8 constructing ISAKMP Header
>> 12-26: 14:00:20:811:bf8 constructing SA (ISAKMP)
>> 12-26: 14:00:20:811:bf8 Constructing Vendor
>> 12-26: 14:00:20:811:bf8 12-26: 14:00:20:811:bf8 Sending: SA =
>> 0x000E3830 to 192.168.255.254:Type 2
>> 12-26: 14:00:20:811:bf8 ISAKMP Header: (V1.0), len = 216 12-26:
>> 14:00:20:811:bf8 I-COOKIE 8423ddf04e204ed5
>> 12-26: 14:00:20:811:bf8 R-COOKIE 0000000000000000
>> 12-26: 14:00:20:811:bf8 exchange: Oakley Main Mode
>> 12-26: 14:00:20:811:bf8 flags: 0 12-26: 14:00:20:811:bf8 next
>> payload: SA
>> 12-26: 14:00:20:811:bf8 message ID: 00000000
>> 12-26: 14:00:20:881:bf8 12-26: 14:00:20:891:bf8 Receive: (get) SA =
>> 0x000e3830 from 192.168.255.254
>> 12-26: 14:00:20:891:bf8 ISAKMP Header: (V1.0), len = 84 12-26:
>> 14:00:20:891:bf8 I-COOKIE 8423ddf04e204ed5
>> 12-26: 14:00:20:891:bf8 R-COOKIE 68d5a3aa523f4f24
>> 12-26: 14:00:20:891:bf8 exchange: Oakley Main Mode
>> 12-26: 14:00:20:891:bf8 flags: 0 12-26: 14:00:20:891:bf8 next
>> payload: SA
>> 12-26: 14:00:20:891:bf8 message ID: 00000000
>> 12-26: 14:00:20:891:bf8 processing payload SA 12-26:
>> 14:00:20:891:bf8 Received Phase 1 Transform 1
>> 12-26: 14:00:20:891:bf8 Encryption Alg Triple DES CBC(5)
>> 12-26: 14:00:20:891:bf8 Hash Alg SHA(2)
>> 12-26: 14:00:20:891:bf8 Oakley Group 2
>> 12-26: 14:00:20:891:bf8 Auth Method RSA Signature with
>> Certificates(3)
>> 12-26: 14:00:20:891:bf8 Life type in Seconds
>> 12-26: 14:00:20:891:bf8 Life duration of 28800
>> 12-26: 14:00:20:891:bf8 Phase 1 SA accepted: transform=1
>> 12-26: 14:00:20:891:bf8 SA - Oakley proposal accepted
>> 12-26: 14:00:20:891:bf8 constructing ISAKMP Header
>> 12-26: 14:00:20:961:bf8 constructing KE
>> 12-26: 14:00:20:961:bf8 constructing NONCE (ISAKMP)
>> 12-26: 14:00:20:961:bf8 12-26: 14:00:20:961:bf8 Sending: SA =
>> 0x000E3830 to 192.168.255.254:Type 2
>> 12-26: 14:00:20:961:bf8 ISAKMP Header: (V1.0), len = 184 12-26:
>> 14:00:20:961:bf8 I-COOKIE 8423ddf04e204ed5
>> 12-26: 14:00:20:961:bf8 R-COOKIE 68d5a3aa523f4f24
>> 12-26: 14:00:20:961:bf8 exchange: Oakley Main Mode
>> 12-26: 14:00:20:961:bf8 flags: 0 12-26: 14:00:20:961:bf8 next
>> payload: KE
>> 12-26: 14:00:20:961:bf8 message ID: 00000000
>> 12-26: 14:00:21:41:bf8 12-26: 14:00:21:41:bf8 Receive: (get) SA =
>> 0x000e3830 from 192.168.255.254
>> 12-26: 14:00:21:41:bf8 ISAKMP Header: (V1.0), len = 188 12-26:
>> 14:00:21:41:bf8 I-COOKIE 8423ddf04e204ed5
>> 12-26: 14:00:21:41:bf8 R-COOKIE 68d5a3aa523f4f24
>> 12-26: 14:00:21:41:bf8 exchange: Oakley Main Mode
>> 12-26: 14:00:21:41:bf8 flags: 0 12-26: 14:00:21:41:bf8 next
>> payload: KE
>> 12-26: 14:00:21:41:bf8 message ID: 00000000
>> 12-26: 14:00:21:41:bf8 processing payload KE 12-26: 14:00:21:62:bf8
>> processing payload NONCE
>> 12-26: 14:00:21:62:bf8 processing payload CRP
>> 12-26: 14:00:21:62:bf8 constructing ISAKMP Header
>> 12-26: 14:00:21:62:bf8 constructing ID
>> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
>> 12-26: 14:00:21:62:bf8 Looking for IPSec only cert
>> 12-26: 14:00:21:62:bf8 Trust failed. 1 100
>> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
>> 12-26: 14:00:21:62:bf8 Looking for IPSec only cert
>> 12-26: 14:00:21:62:bf8 Trust failed. 1 100
>> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
>> 12-26: 14:00:21:62:bf8 Looking for IPSec only cert
>> 12-26: 14:00:21:62:bf8 failed to get chain 80092004
>> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
>> 12-26: 14:00:21:62:bf8 Looking for any cert
>> 12-26: 14:00:21:62:bf8 Trust failed. 1 100
>> 12-26: 14:00:21:62:bf8 Received no valid CRPs. Using all configured
>> 12-26: 14:00:21:62:bf8 Looking for any cert
>> 12-26: 14:00:21:72:bf8 Trust failed. 1 100
>> 12-26: 14:00:21:72:bf8 Received no valid CRPs. Using all configured
>> 12-26: 14:00:21:72:bf8 Looking for any cert
>> 12-26: 14:00:21:72:bf8 failed to get chain 80092004
>> 12-26: 14:00:21:72:bf8 ProcessFailure: sa:000E3830 centry:00000000
>> status:35ee
>> 12-26: 14:00:21:72:bf8 isadb_set_status sa:000E3830 centry:00000000
>> status 35ee
>> 12-26: 14:00:21:72:bf8 Key Exchange Mode (Main Mode)
>>
>>
>> 12-26: 14:00:21:72:bf8 Source IP Address 192.168.255.250
>>
>> Source IP Address Mask 255.255.255.255
>>
>> Destination IP Address 192.168.255.254
>>
>> Destination IP Address Mask 255.255.255.255
>>
>> Protocol 0
>>
>> Source Port 0
>>
>> Destination Port 0
>>
>> IKE Local Addr
>> IKE Peer Addr
>>
>> 12-26: 14:00:21:72:bf8 Certificate based Identity.
>> Peer IP Address: 192.168.255.254
>>
>>
>> 12-26: 14:00:21:72:bf8 Me
>>
>>
>> 12-26: 14:00:21:72:bf8 IKE failed to find valid machine certificate
>>
>>
>> 12-26: 14:00:21:72:bf8 0x80092004 0x100
>> 12-26: 14:00:21:72:bf8 ProcessFailure: sa:000E3830 centry:00000000
>> status:35ee
>> 12-26: 14:00:21:72:bf8 constructing ISAKMP Header
>> 12-26: 14:00:21:72:bf8 constructing HASH (null)
>> 12-26: 14:00:21:72:bf8 constructing NOTIFY 28
>> 12-26: 14:00:21:72:bf8 constructing HASH (Notify/Delete)
>> 12-26: 14:00:21:72:bf8 12-26: 14:00:21:72:bf8 Sending: SA =
>> 0x000E3830 to 192.168.255.254:Type 1
>> 12-26: 14:00:21:72:bf8 ISAKMP Header: (V1.0), len = 84 12-26:
>> 14:00:21:72:bf8 I-COOKIE 8423ddf04e204ed5
>> 12-26: 14:00:21:72:bf8 R-COOKIE 68d5a3aa523f4f24
>> 12-26: 14:00:21:72:bf8 exchange: ISAKMP Informational Exchange
>> 12-26: 14:00:21:72:bf8 flags: 1 ( encrypted )
>> 12-26: 14:00:21:72:bf8 next payload: HASH
>> 12-26: 14:00:21:72:bf8 message ID: 33bae727
>> 12-26: 14:00:31:86:bf8 12-26: 14:00:31:86:bf8 Receive: (get) SA =
>> 0x000e3830 from 192.168.255.254
>> 12-26: 14:00:31:86:bf8 ISAKMP Header: (V1.0), len = 188 12-26:
>> 14:00:31:86:bf8 I-COOKIE 8423ddf04e204ed5
>> 12-26: 14:00:31:86:bf8 R-COOKIE 68d5a3aa523f4f24
>> 12-26: 14:00:31:86:bf8 exchange: Oakley Main Mode
>> 12-26: 14:00:31:86:bf8 flags: 0 12-26: 14:00:31:86:bf8 next
>> payload: KE
>> 12-26: 14:00:31:86:bf8 message ID: 00000000
>> 12-26: 14:00:31:86:bf8 received an unencrypted packet when crypto active
>> 12-26: 14:00:31:86:bf8 GetPacket failed 35ec
>> 12-26: 14:00:51:85:460 12-26: 14:00:51:85:460 Receive: (get) SA =
>> 0x000e3830 from 192.168.255.254
>> 12-26: 14:00:51:85:460 ISAKMP Header: (V1.0), len = 188 12-26:
>> 14:00:51:85:460 I-COOKIE 8423ddf04e204ed5
>> 12-26: 14:00:51:85:460 R-COOKIE 68d5a3aa523f4f24
>> 12-26: 14:00:51:85:460 exchange: Oakley Main Mode
>> 12-26: 14:00:51:85:460 flags: 0 12-26: 14:00:51:85:460 next
>> payload: KE
>> 12-26: 14:00:51:85:460 message ID: 00000000
>> 12-26: 14:00:51:85:460 received an unencrypted packet when crypto active
>> 12-26: 14:00:51:85:460 GetPacket failed 35ec
>> 12-26: 14:01:34:217:be0 Acquire from driver: op=81B50130
>> src=192.168.255.250.0 dst=64.156.44.240.0 proto = 0,
>> SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 1,
>> TunnelEndpt=192.168.255.254 Inbound TunnelEndpt=192.168.255.250
>> 12-26: 14:01:34:217:460 Main mode in progress. Acquire queued
>> 12-26: 14:01:34:217:460 Queued Acquire Context 81b50130 on SA e3830
>> 12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas:
>> 8f837fed-2334-431f-a48d645725249e5f 4
>> 12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas:
>> a6864f31-88be-40b8-930ffa2a6b0c71fc 4
>> 12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas:
>> 4cdba9dd-1416-4c70-802c553836bdc93a 3
>> 12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas:
>> 2e981c69-4065-4e00-84571ba48720206c 3
>> 12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas:
>> 6e86f6ea-18ab-4338-9651e860e4186703 1
>> 12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas:
>> dd1ebebd-54c7-4787-adb99b4fab60ec3e 2
>> 12-26: 14:01:36:240:810 isadb_schedule_kill_oldPolicy_sas:
>> 5aae510a-c38b-404d-beff08285a65257b 2
>> 12-26: 14:01:36:270:460 entered kill_old_policy_sas
>> 12-26: 14:01:36:270:460 entered kill_old_policy_sas
>> 12-26: 14:01:36:270:460 SA Dead. sa:000E3830 status:3619
>> 12-26: 14:01:36:270:460 Posting new acquire context 81b50130
>> 12-26: 14:01:36:270:460 Acquire from driver: op=81B50130
>> src=192.168.255.250.0 dst=64.156.44.240.0 proto = 0,
>> SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 1,
>> TunnelEndpt=192.168.255.254 Inbound TunnelEndpt=192.168.255.250,
>> InitiateEvent=00000000
>> 12-26: 14:01:36:270:460 constructing ISAKMP Header
>> 12-26: 14:01:36:270:460 constructing HASH (null)
>> 12-26: 14:01:36:270:460 constructing DELETE. MM 000E3830
>> 12-26: 14:01:36:270:460 constructing HASH (Notify/Delete)
>> 12-26: 14:01:36:270:460 12-26: 14:01:36:270:460 Sending: SA =
>> 0x000E3830 to 192.168.255.254:Type 1
>> 12-26: 14:01:36:270:460 ISAKMP Header: (V1.0), len = 84 12-26:
>> 14:01:36:270:460 I-COOKIE 8423ddf04e204ed5
>> 12-26: 14:01:36:270:460 R-COOKIE 68d5a3aa523f4f24
>> 12-26: 14:01:36:270:460 exchange: ISAKMP Informational Exchange
>> 12-26: 14:01:36:270:460 flags: 1 ( encrypted )
>> 12-26: 14:01:36:270:460 next payload: HASH
>> 12-26: 14:01:36:270:460 message ID: f7c22255
>> 12-26: 14:01:36:270:460 entered kill_old_policy_sas
>> 12-26: 14:01:36:270:460 entered kill_old_policy_sas
>> 12-26: 14:01:36:270:460 entered kill_old_policy_sas
>> 12-26: 14:01:36:270:460 entered kill_old_policy_sas
>> 12-26: 14:01:36:270:460 entered kill_old_policy_sas
>> 12-26: 14:01:36:270:460 Filter to match: Src 192.168.255.254 Dst
>> 192.168.255.250
>> 12-26: 14:01:36:270:460 MatchMMFilter failed 13013
>> 12-26: 14:01:36:270:460 isadb_set_status sa:00115B78 centry:00000000
>> status 32d5
>> 12-26: 14:01:36:270:460 Key Exchange Mode (Main Mode)
>>
>>
>> 12-26: 14:01:36:270:460 Source IP Address 192.168.255.250
>>
>> Source IP Address Mask 255.255.255.255
>>
>> Destination IP Address 192.168.255.254
>>
>> Destination IP Address Mask 255.255.255.255
>>
>> Protocol 0
>>
>> Source Port 0
>>
>> Destination Port 0
>>
>> IKE Local Addr
>> IKE Peer Addr
>>
>> 12-26: 14:01:36:270:460 12-26: 14:01:36:270:460 Me
>>
>>
>> 12-26: 14:01:36:270:460 The specified main mode policy was not found.
>>
>>
>> 12-26: 14:01:36:270:460 0x0 0x0
>> 12-26: 14:01:36:270:460 initiator: failed cbad02a5
>> 12-26: 14:02:29:308:460 SA Dead. sa:00115B78 status:35f0
>
>
>

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
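
Added example, not part of the original thread or of any tool mentioned in it: a Python triage of oakley.log output of the kind quoted above. It reassembles mail-wrapped entries and reports, per negotiation, whether the Phase 1 proposal was accepted before the local certificate lookup failed. The sample input is constructed from entries in the quoted log, the function names are hypothetical, and the decoded names for 80092004 and 35ee are the Windows SDK constants.

```python
import re
from collections import Counter

# Entry prefix of the XP oakley.log lines quoted in the thread:
# "MM-DD: HH:MM:SS:ms:thread-id message"
ENTRY = re.compile(r"(?<!\S)(\d{1,2}-\d{1,2}): (\d{1,2}:\d{2}:\d{2}:\d{1,3}):([0-9a-f]+) ")
CODE = re.compile(r"failed to get chain ([0-9a-f]+)|\bstatus:?\s*([0-9a-f]+)")

# Codes seen in the quoted log, with their Windows SDK names.
CODES = {
    "80092004": "CRYPT_E_NOT_FOUND",
    "35ee": "ERROR_IPSEC_IKE_NO_CERT (13806)",
}

# Constructed sample: entries taken from the quoted log, still carrying the
# mail quoting, hard wraps and merged timestamps that the archive introduced.
SAMPLE = """\
>> 12-26: 13:58:15:381:460 Starting Negotiation: src =
>> 192.168.255.250.0000, dst = 192.168.255.254.0500, proto = 00
>> 12-26: 13:58:16:442:460 processing payload SA 12-26:
>> 13:58:16:442:460 Received Phase 1 Transform 1
>> 12-26: 13:58:16:442:460 Phase 1 SA accepted: transform=1
>> 12-26: 13:58:16:633:460 Looking for IPSec only cert
>> 12-26: 13:58:16:643:460 Trust failed. 1 100
>> 12-26: 13:58:16:643:460 Looking for IPSec only cert
>> 12-26: 13:58:16:643:460 failed to get chain 80092004
>> 12-26: 13:58:16:643:460 Looking for any cert
>> 12-26: 13:58:16:643:460 Trust failed. 1 100
>> 12-26: 13:58:16:643:460 Looking for any cert
>> 12-26: 13:58:16:643:460 failed to get chain 80092004
>> 12-26: 13:58:16:643:460 ProcessFailure: sa:000E3830 centry:00000000
>> status:35ee
>> 12-26: 13:58:16:643:460 IKE failed to find valid machine certificate
>> 12-26: 14:00:20:811:bf8 Starting Negotiation: src =
>> 192.168.255.250.0000, dst = 192.168.255.254.0500, proto = 00
>> 12-26: 14:00:20:811:bf8 12-26: 14:00:20:811:bf8 Sending: SA =
>> 0x000E3830 to 192.168.255.254:Type 2
"""


def parse_entries(raw):
    """Strip '>' quoting, undo hard wraps, and split on every timestamp."""
    lines = (re.sub(r"^[>\s]+", "", ln).rstrip() for ln in raw.splitlines())
    flat = " ".join(ln for ln in lines if ln)
    marks = list(ENTRY.finditer(flat))
    entries = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(flat)
        msg = flat[m.end():end].strip()
        if msg:  # a doubled timestamp leaves an empty entry; drop it
            entries.append({"time": m.group(2), "thread": m.group(3), "msg": msg})
    return entries


def triage(entries):
    """Summarise each negotiation and name the stage at which it stopped."""
    findings, cur = [], None
    for e in entries:
        msg = e["msg"]
        if msg.startswith("Starting Negotiation"):
            cur = {"started": e["time"], "proposal_accepted": False,
                   "cert_lookups": Counter(), "trust_failed": 0,
                   "codes": set(), "no_machine_cert": False}
            findings.append(cur)
            continue
        if cur is None:
            continue
        if msg.startswith("Phase 1 SA accepted"):
            cur["proposal_accepted"] = True
        elif msg.startswith("Looking for "):
            cur["cert_lookups"][msg[len("Looking for "):]] += 1
        elif msg.startswith("Trust failed"):
            cur["trust_failed"] += 1
        elif "IKE failed to find valid machine certificate" in msg:
            cur["no_machine_cert"] = True
        m = CODE.search(msg)
        if m:
            cur["codes"].add(m.group(1) or m.group(2))
    for f in findings:
        f["codes"] = sorted(f["codes"])
        f["cert_lookups"] = dict(f["cert_lookups"])
        if f["proposal_accepted"] and f["no_machine_cert"]:
            f["stage"] = "local-certificate"
        elif not f["proposal_accepted"]:
            f["stage"] = "before-proposal-accept"
        else:
            f["stage"] = "undetermined"
    return findings


def report(findings):
    out = []
    for f in findings:
        if f["stage"] == "local-certificate":
            decoded = ", ".join(f"{c} = {CODES.get(c, 'unknown')}" for c in f["codes"])
            out.append(f"{f['started']}: Phase 1 proposal accepted, then "
                       f"{sum(f['cert_lookups'].values())} certificate lookups failed "
                       f"({decoded}); check where the machine certificate was imported "
                       f"and that the CA validity encloses the client certificate's")
        else:
            out.append(f"{f['started']}: {f['stage']}")
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(parse_entries(SAMPLE)))))
```
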



This archive was generated by hypermail 2.1.5 : Fri Dec 27 2002 - 05:21:18 CET