[SOLVED] Re: Strange VPN problem

2007-01-04 Thread Toni Mueller
Hi,

On Wed, 03.01.2007 at 22:54:16 +0100, Toni Mueller [EMAIL PROTECTED] wrote:
> I have a very odd problem with a VPN machine. The situation:

Never mind, it was human error (expired certificates) after all. I have
to find out whether the error messages should have told me this earlier
on, or whether I was only too blind to see.


Best,
--Toni++
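The failure mode the thread ends on, an expired certificate silently breaking an isakmpd tunnel, is cheap to check for before (or instead of) reading packet captures. The script below is an added example, not code from this thread or from OpenBSD: it walks the directories isakmpd loads X.509 material from (the defaults /etc/isakmpd/certs and /etc/isakmpd/ca are assumed here; adjust for your isakmpd.conf) and uses openssl(1) `x509 -checkend` to flag every certificate that is already expired or will expire within a warning horizon (30 days is an assumed default, overridable with WARN_SECONDS). Files that are not certificates, such as a private key sitting in the same directory, are skipped.

```shell
#!/bin/sh
# check_isakmpd_certs.sh: added example, not code from the thread or from OpenBSD.
# Walks the directories isakmpd loads X.509 material from (the defaults
# /etc/isakmpd/certs and /etc/isakmpd/ca are assumed here) and reports every
# certificate that is already expired or will expire within WARN_SECONDS.
# Exit status 1 if anything is expired or expiring, 0 otherwise.

# cert_ok_for FILE SECONDS
# Returns 0 if the certificate in FILE is still valid SECONDS from now,
# 1 if it is expired now or will be by then, 2 if FILE is not a certificate
# (a private key, CRL or stray file in the same directory).
cert_ok_for() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_not_after FILE
# Prints the notAfter field, e.g. "Jan  3 21:00:00 2007 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# scan_cert_dirs SECONDS DIR...
# One line per certificate found: OK, EXPIRING (within SECONDS) or EXPIRED.
# Missing directories are skipped. Returns 1 if any cert is EXPIRING/EXPIRED.
scan_cert_dirs() {
    horizon=$1; shift
    rc=0
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            st=0; cert_ok_for "$f" 0 || st=$?
            case $st in
            2) continue ;;
            1) echo "EXPIRED  $f  (notAfter: $(cert_not_after "$f"))"; rc=1 ;;
            0) if cert_ok_for "$f" "$horizon"; then
                   echo "OK       $f  (notAfter: $(cert_not_after "$f"))"
               else
                   echo "EXPIRING $f  (notAfter: $(cert_not_after "$f"))"; rc=1
               fi ;;
            esac
        done
    done
    return $rc
}

# Stand-alone use: sh check_isakmpd_certs.sh [dir ...]
# WARN_SECONDS defaults to 30 days (assumed horizon; tune to your renewal lead time).
[ $# -eq 0 ] && set -- /etc/isakmpd/certs /etc/isakmpd/ca
scan_cert_dirs "${WARN_SECONDS:-2592000}" "$@"
```

Run it from cron on both VPN endpoints and alert on a nonzero exit. Note what the capture in the original post can and cannot tell you: the INFO replies the responder sends after the QUICK_MODE are encrypted, so tcpdump shows that Phase 2 was answered with a notification but not why; the reason only appears in isakmpd's own log (raise its debug level with -D if the default log says nothing), or in a check like the one above.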



Strange VPN problem

2007-01-03 Thread Toni Mueller
Hello,

I have a very odd problem with a VPN machine. The situation:

Net 1 --- Host 1 - Internet - Host 2 --- Net 2
  \
   +- Host 3 --- Net 3

The whole thing had been working since the days of 3.5 or so with ISAKMPD
and X.509 certificates in tunnel mode. Last year, everything was on
3.8. Now I upgraded Host 2 to 4.0. Everything was still fine. Today I
upgraded Host 1 to 4.0, then to 4.0-stable (this was required anyway,
and prompted by disk failure), and things stopped working completely. I see
such packets being sent between hosts 1 and 2 (real IPs replaced by
RFC1918 with s///):


22:37:11.106378 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: f06dc17173c6c1fa- msgid:  len: 184
    payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
            payload: TRANSFORM len: 36
                transform: 0 ID: ISAKMP
                    attribute ENCRYPTION_ALGORITHM = AES_CBC
                    attribute HASH_ALGORITHM = SHA
                    attribute AUTHENTICATION_METHOD = RSA_SIG
                    attribute GROUP_DESCRIPTION = MODP_1024
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 3600
                    attribute KEY_LENGTH = 128
    payload: VENDOR len: 20 (supports OpenBSD-4.0)
    payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
    payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
    payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
    payload: VENDOR len: 20 (supports DPD v1.0) (ttl 63, id 28972, len 212)
22:37:11.125678 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: f06dc17173c6c1fa-3a8a72a4e10f97c3 msgid:  len: 184
    payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
            payload: TRANSFORM len: 36
                transform: 0 ID: ISAKMP
                    attribute ENCRYPTION_ALGORITHM = AES_CBC
                    attribute HASH_ALGORITHM = SHA
                    attribute AUTHENTICATION_METHOD = RSA_SIG
                    attribute GROUP_DESCRIPTION = MODP_1024
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 3600
                    attribute KEY_LENGTH = 128
    payload: VENDOR len: 20 (supports OpenBSD-4.0)
    payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
    payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
    payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
    payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 35720, len 212)
22:37:11.274135 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: f06dc17173c6c1fa-3a8a72a4e10f97c3 msgid:  len: 228
    payload: KEY_EXCH len: 132
    payload: NONCE len: 20
    payload: NAT-D len: 24
    payload: NAT-D len: 24 (ttl 63, id 4431, len 256)
22:37:11.349204 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: f06dc17173c6c1fa-3a8a72a4e10f97c3 msgid:  len: 228
    payload: KEY_EXCH len: 132
    payload: NONCE len: 20
    payload: NAT-D len: 24
    payload: NAT-D len: 24 (ttl 64, id 32849, len 256)
22:37:11.558309 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
    cookie: f06dc17173c6c1fa-3a8a72a4e10f97c3 msgid:  len: 972 (ttl 63, id 3944, len 1000)
22:37:11.668529 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
    cookie: f06dc17173c6c1fa-3a8a72a4e10f97c3 msgid:  len: 940 (ttl 64, id 60717, len 968)
22:37:11.864217 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
    cookie: f06dc17173c6c1fa-3a8a72a4e10f97c3 msgid: aaeca62d len: 300 (ttl 63, id 14459, len 328)
22:37:11.914359 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
    cookie: f06dc17173c6c1fa-3a8a72a4e10f97c3 msgid: 87fd8670 len: 76 (ttl 64, id 59694, len 104)
22:37:11.915785 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
    cookie: f06dc17173c6c1fa-3a8a72a4e10f97c3 msgid: a7a43d6f len: 76 (ttl 64, id 45897, len 104)
22:37:18.878857 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
    cookie: f06dc17173c6c1fa-3a8a72a4e10f97c3 msgid: aaeca62d len: 300 (ttl 63, id 25088, len 328)
22:37:18.976186 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted