Alas Carmelo,
I followed all your tips, but I couldn't find any hint to help me.
I'm (sadly) stuck at my remote client... :-(

Thanks again, Luca

On Thu, May 6, 2010 at 10:17 AM, Carmelo Iannello <[email protected]> wrote:
> Luca Arzeni wrote:
>>
>> I didn't spot your second mail until now, but I've realized the bug on
>> ikea, so I set the asn1dn directly on the ~/.ike/ by hand and ran ikec -r
>> default.
>
> Well, the bug is not in saving the conf, but in loading it, so you can still
> use ikea, just remember that anytime you save the configuration you have to
> reset the client identity part to ASN.1
>
>> I've set ike to 3DES/SHA1/1024 (the same parameters are used for phase 2).
>> If I don't set 3des (using AES, for example), I receive a "peer unknown
>> notification"
>
> This is probably due to the server specific configuration: I have everything
> set to "auto", except for DH Exchange=group 2 in Phase1, PFS Exchange and
> Compression Algorithm in Phase 2, both set to disabled.
> Oh, and, of course "Enable Checkpoint Compatible...", but that's quite
> obvious :)
>
>> Using 3des, it seems that phase1 was ok, but it cannot go with phase2.
>> Am I missing something? I have no "firewall certificate" but only the ca
>> certificate. Aren't they the same thing?
>
> in this case, yes.
>
>> I spotted a message: "K! : recv X_SPDDUMP message failure ( errno = 2 )"
>> Is it something important?
>
> As a vpn-stuff user (as opposed to developer), I can't really tell.
> I could guess that maybe not, 'cause it's just a dump operation (i.e. print)
> You could investigate what errno = 2 is.
>
> In http://www.shrew.net/software/todo
> "Long Term Goals:
> Write a setkey replacement based on libpfk"
>
> So, "man setkey" should still be a good starting point, at least for knowing
> what we are talking about (I actually don't. well, not a lot :) ).
>
>> The error is on the line "ii : received peer PAYLOAD-MALFORMED
>> notification".
>> Do you have any hint?
>
> I could make a guess that the client is sending something that the server
> considers to be wrong.
> I have to say that I tried to use srfw.exe to sniff traffic when using the
> windows proprietary client and, looking at the log file with wireshark,
> there were malformed packets *when the connection succeeded*.
> Either I'm missing something, or CP client and server are really sending
> each other some weird proprietary stuff.
>
> If you haven't tried yet and you want to make a comparison between the logs
> (ike/linux vs CP/windows), take a look at that page I mentioned:
> http://www.aelita.org/racoon/racoon-securemote-doc
>
> when it says: "2) The SecureClient has a powerfull debugging feature that
> you can activate..."
>
> Use wireshark to display the log file, check for "ISAKMP: Informational"
> messages, click on "Follow the UDP stream" and check the info in the lower
> frame.
> Bye
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Carmelo Iannello                Codices s.r.l.
> Via G. Malasoma 24
> 56121 Pisa, loc. Ospedaletto
> Tel: +39 050-3163667 (diretto)
> Tel: +39 050-3160136
> Fax: +39 050-9655150
> http://www.codices.com/
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> _______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
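
Added example, not part of the original thread or of the Shrew Soft code: a small decoder for the "ISAKMP: Informational" datagrams the message above suggests inspecting in Wireshark, using the header and Notification payload layouts from RFC 2408. The function names and the sample datagram are constructed for illustration; note that once phase 1 has completed the Informational body is normally encrypted, which the decoder reports instead of guessing at the contents.

```python
import struct

# Values from RFC 2408 (ISAKMP); only the ones relevant to this thread.
EXCHANGE_INFORMATIONAL = 5
PAYLOAD_NOTIFICATION = 11
FLAG_ENCRYPTED = 0x01
NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                18: "INVALID-ID-INFORMATION"}
HEADER = "!8s8sBBBBII"   # cookies, next payload, version, exchange, flags, id, length

def parse_isakmp_informational(datagram: bytes) -> dict:
    """Decode one UDP payload: ISAKMP header plus any cleartext Notifications."""
    if len(datagram) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _ic, _rc, next_payload, version, exchange, flags, msg_id, length = \
        struct.unpack(HEADER, datagram[:28])
    if length != len(datagram):
        raise ValueError(f"header says {length} bytes, got {len(datagram)}")
    result = {"version": f"{version >> 4}.{version & 0xF}", "exchange": exchange,
              "encrypted": bool(flags & FLAG_ENCRYPTED), "message_id": msg_id,
              "notifications": []}
    if exchange != EXCHANGE_INFORMATIONAL or result["encrypted"]:
        return result    # an encrypted body cannot be walked without the phase 1 keys
    offset = 28
    while next_payload != 0:
        if offset + 4 > len(datagram):
            raise ValueError("truncated payload header")
        following, _rsv, plen = struct.unpack("!BBH", datagram[offset:offset + 4])
        if plen < 4 or offset + plen > len(datagram):
            raise ValueError("payload length out of bounds")
        if next_payload == PAYLOAD_NOTIFICATION:
            if plen < 12:
                raise ValueError("notification payload too short")
            _doi, _proto, _spi_size, ntype = struct.unpack(
                "!IBBH", datagram[offset + 4:offset + 12])
            result["notifications"].append(NOTIFY_NAMES.get(ntype, f"type {ntype}"))
        next_payload, offset = following, offset + plen
    return result

def build_sample(notify_type: int = 16, flags: int = 0) -> bytes:
    """Constructed test datagram: header plus one Notification (IPsec DOI, no SPI)."""
    notify = struct.pack("!BBHIBBH", 0, 0, 12, 1, 1, 0, notify_type)
    header = struct.pack(HEADER, b"\x11" * 8, b"\x22" * 8, PAYLOAD_NOTIFICATION,
                         0x10, EXCHANGE_INFORMATIONAL, flags, 0x1234, 28 + len(notify))
    return header + notify

if __name__ == "__main__":
    print(parse_isakmp_informational(build_sample()))
```
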
