Hi everybody,
we are trying to set up a SHREW Dial Up VPN Client 2.1.7 connection to our SSG 350 device and followed this guide step by step:
       www.shrew.net/support/wiki/HowtoJuniperSsgCerts
Unfortunately we have had no success bringing up the tunnel, and the debug output (pls see attached .txt) is not easy for me, as a newbie, to interpret. I hope that I can get any hint/help to get the VPN tunnel working.

Many thanks in advance!

Rainer

 Windows 7 Dial Up Client   <=========>           SSG 350
       192.168.11.3                             192.168.11.1

esc-igs-fw-> get db stream 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> ike packet, len 1245, action 1
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Catcher: received 1217 bytes from 
socket.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> ****** Recv packet if <ethernet0/1> 
of vsys <Root> ******
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Catcher: get 1217 bytes. src port 500
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   ISAKMP msg: len 1217, nxp 
1[SA], exch 4[AG], flag 00 
## 2011-01-28 14:28:02 : IKE<192.168.11.3   > Recv : [SA] [KE] [NONCE] 
[CERT-REQ] [ID] [VID] [VID] [VID] [VID] 
## 2011-01-28 14:28:02 : [VID] [VID] [VID] [VID] [VID] [VID] [VID] [VID] 
## 2011-01-28 14:28:02 : valid id checking, id type:ASN1_DN, len:72.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >     Validate (1189): SA/716 
KE/132 NONCE/24 CERT-REQ..5/5 ID/72 VID/12 VID/20 VID/20 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Receive Id (type=DN) in AG mode, 
retrieve [email protected],OU=ESA,CN=UHB
, idlen = 38
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   peer dn has 3 elements.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   compare user id<14>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: 
input<CN=UHB,OU=ESA,O=,L=,ST=,C=,[email protected],DC=,>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <0><CN=UHB>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<00000001>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<0><8bfff5a4><CN=UHB>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <1><OU=ESA>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<00000002>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<1><8bfff5ab><OU=ESA>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <2><O=>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: string len<2>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<2><00000000><empty>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <3><L=>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: string len<2>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<3><00000000><empty>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <4><ST=>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: remaining after = bad for 
<ST=>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<ffffffff>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<4><00000000><empty>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <5><C=>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: string len<2>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<5><00000000><empty>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: 
<6><[email protected]>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<00000040>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<6><8bfff5bf><[email protected]>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <7><DC=>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: remaining after = bad for 
<DC=>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<ffffffff>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<7><00000000><empty>.
## 2011-01-28 14:28:02 : normalize_one_elem: input<CN=UHB>
## 2011-01-28 14:28:02 : normalize_one_elem: content<UHB>
## 2011-01-28 14:28:02 : normalize_one: A temp<CN=UHB,> in_len<3>
## 2011-01-28 14:28:02 : normalize_one: temp<CN=UHB,> len<7>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<0> 
elem<CN=UHB,>len<7>
## 2011-01-28 14:28:02 : normalize_one_elem: input<OU=ESA>
## 2011-01-28 14:28:02 : normalize_one_elem: content<ESA>
## 2011-01-28 14:28:02 : normalize_one: A temp<OU=ESA,> in_len<3>
## 2011-01-28 14:28:02 : normalize_one: temp<OU=ESA,> len<7>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<1> 
elem<CN=UHB,OU=ESA,>len<14>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> 
elem<CN=UHB,OU=ESA,O=,>len<17>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> 
elem<CN=UHB,OU=ESA,O=,L=,>len<20>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> 
elem<CN=UHB,OU=ESA,O=,L=,ST=,>len<24>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> 
elem<CN=UHB,OU=ESA,O=,L=,ST=,C=,>len<27>
## 2011-01-28 14:28:02 : normalize_one_elem: input<[email protected]>
## 2011-01-28 14:28:02 : normalize_one_elem: content<[email protected]>
## 2011-01-28 14:28:02 : normalize_one: A temp<[email protected],> 
in_len<17>
## 2011-01-28 14:28:02 : normalize_one: temp<[email protected],> len<24>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<6> 
elem<CN=UHB,OU=ESA,O=,L=,ST=,C=,[email protected],>len<51>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> 
elem<CN=UHB,OU=ESA,O=,L=,ST=,C=,[email protected],DC=,>len<55>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: 
result<CN=UHB,OU=ESA,O=,L=,ST=,C=,[email protected],DC=,>len<55>ret<0>
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   ct:CN=UHB
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   ct:OU=ESA
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   ct:[email protected]
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   count_num_required_elems: ret 
num elem<3>.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >     no container identity 
requirement.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   wild card identity 
matched<CN=UHB,OU=ESA,O=,L=,ST=,C=,[email protected],DC=,>.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        > ID match found.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   user id found<14>.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   group id found<10>.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Found peer entry (VPN_P1_GW) from 
192.168.11.3.
## 2011-01-28 14:28:02 : responder create sa: 192.168.11.3->192.168.11.1
## 2011-01-28 14:28:02 : init p1sa, pidt = 0x0
## 2011-01-28 14:28:02 : change peer identity for p1 sa, pidt = 0x0
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   peer_identity_create_with_uid: 
uid<0>
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   create peer identity 0x84ce450
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num 
entry before add <1>
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num 
entry after add <2>
## 2011-01-28 14:28:02 : peer identity 84ce450 created.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   EDIPI disabled
## 2011-01-28 14:28:02 : IKE<192.168.11.3> getProfileFromP1Proposal->
## 2011-01-28 14:28:02 : IKE<192.168.11.3> find profile[0]=<00000005 00000002 
00000003 00000002> for p1 proposal (id 11), xauth(1)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> responder create sa: 
192.168.11.3->192.168.11.1
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Phase 1: Responder starts AGGRESSIVE 
mode negotiations.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> AG in state OAK_AG_NOSTATE.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3   >   Vendor ID:
## 2011-01-28 14:28:02 : 09 00 26 89 df d6 b7 12 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv XAUTH v6.0 vid
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3   >   Vendor ID:
## 2011-01-28 14:28:02 : 44 85 15 2d 18 b6 bb cd  0b e8 a8 46 95 79 dd cc
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv NAT-Traversal VID payload 
(draft-ietf-ipsec-nat-t-ike-00).
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3   >   Vendor ID:
## 2011-01-28 14:28:02 : 16 f6 ca 16 e4 a4 06 6d  83 82 1a 0f 0a ea a8 62
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv non-NAT-Traversal VID payload.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3   >   Vendor ID:
## 2011-01-28 14:28:02 : 90 cb 80 91 3e bb 69 6e  08 63 81 b5 ec 42 7b 1f
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv NAT-Traversal VID payload 
(draft-ietf-ipsec-nat-t-ike-02).
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3   >   Vendor ID:
## 2011-01-28 14:28:02 : 7d 94 19 a6 53 10 ca 6f  2c 17 9d 92 15 52 9d 56
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv non-NAT-Traversal VID payload.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3   >   Vendor ID:
## 2011-01-28 14:28:02 : 4a 13 1c 81 07 03 58 45  5c 57 28 f2 0e 95 45 2f
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv non-NAT-Traversal VID payload.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3   >   Vendor ID:
## 2011-01-28 14:28:02 : 40 48 b7 d5 6e bc e8 85  25 e7 de 7f 00 d6 c2 d3
## 2011-01-28 14:28:02 : 80 00 00 00 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> receive unknown vendor ID payload
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3   >   Vendor ID:
## 2011-01-28 14:28:02 : af ca d7 13 68 a1 f1 c9  6b 86 96 fc 77 57 01 00
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3   >   Vendor ID:
## 2011-01-28 14:28:02 : f1 4b 94 b7 bf f1 fe f0  27 73 b8 c4 9f ed ed 26
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv non-NAT-Traversal VID payload.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3   >   Vendor ID:
## 2011-01-28 14:28:02 : 16 6f 93 2d 55 eb 64 d8  e4 df 4f d3 7e 23 13 f0
## 2011-01-28 14:28:02 : d0 fd 84 51 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> receive unknown vendor ID payload
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3   >   Vendor ID:
## 2011-01-28 14:28:02 : 84 04 ad f9 cd a0 57 60  b2 ca 29 2e 4b ff 53 7b
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv non-NAT-Traversal VID payload.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [VID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3   >   Vendor ID:
## 2011-01-28 14:28:02 : 12 f5 f2 8c 45 71 68 a9  70 2d 9f e2 74 cc 01 00
## 2011-01-28 14:28:02 : IKE<192.168.11.3> rcv non-NAT-Traversal VID payload.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [SA]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(7)<AES>, 
hash(1)<MD5>, group(2), keylen(256)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(7)<AES>, 
hash(2)<SHA>, group(2), keylen(256)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(7)<AES>, 
hash(1)<MD5>, group(2), keylen(192)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(7)<AES>, 
hash(2)<SHA>, group(2), keylen(192)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(7)<AES>, 
hash(1)<MD5>, group(2), keylen(128)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(7)<AES>, 
hash(2)<SHA>, group(2), keylen(128)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> P1 attributes not supported.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> P1 attributes not supported.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> P1 attributes not supported.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> P1 attributes not supported.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> P1 attributes not supported.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> P1 attributes not supported.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(1)<MD5>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: responder
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: initiator
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Phase 1 proposal [0] selected.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> SA Life Type = seconds
## 2011-01-28 14:28:02 : IKE<192.168.11.3> SA lifetime (TLV) = 86400
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >     dh group 2
## 2011-01-28 14:28:02 : IKE<192.168.11.3> DH_BG_consume OK. p1 resp
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [KE]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3> processing ISA_KE in phase 1.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [NONCE]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3> processing NONCE in phase 1.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [ID]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3> ID received: type=ID_DER_ASN1_DN, DN 
= [email protected],OU=ESA,CN=UHB, port = 0, protocol=0
## 2011-01-28 14:28:02 : IKE<192.168.11.3> process_id need to update peer 
entry, cur <VPN_P1_GW>.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   peer dn has 3 elements.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   compare user id<14>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: 
input<CN=UHB,OU=ESA,O=,L=,ST=,C=,[email protected],DC=,>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <0><CN=UHB>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<00000001>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<0><8bffee7c><CN=UHB>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <1><OU=ESA>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<00000002>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<1><8bffee83><OU=ESA>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <2><O=>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: string len<2>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<2><00000000><empty>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <3><L=>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: string len<2>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<3><00000000><empty>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <4><ST=>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: remaining after = bad for 
<ST=>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<ffffffff>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<4><00000000><empty>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <5><C=>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: string len<2>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<5><00000000><empty>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: 
<6><[email protected]>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<00000040>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<6><8bffee97><[email protected]>.
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: <7><DC=>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: remaining after = bad for 
<DC=>.
## 2011-01-28 14:28:02 : get_dn_element_type_mask: mask<ffffffff>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: got 
<7><00000000><empty>.
## 2011-01-28 14:28:02 : normalize_one_elem: input<CN=UHB>
## 2011-01-28 14:28:02 : normalize_one_elem: content<UHB>
## 2011-01-28 14:28:02 : normalize_one: A temp<CN=UHB,> in_len<3>
## 2011-01-28 14:28:02 : normalize_one: temp<CN=UHB,> len<7>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<0> 
elem<CN=UHB,>len<7>
## 2011-01-28 14:28:02 : normalize_one_elem: input<OU=ESA>
## 2011-01-28 14:28:02 : normalize_one_elem: content<ESA>
## 2011-01-28 14:28:02 : normalize_one: A temp<OU=ESA,> in_len<3>
## 2011-01-28 14:28:02 : normalize_one: temp<OU=ESA,> len<7>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<1> 
elem<CN=UHB,OU=ESA,>len<14>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> 
elem<CN=UHB,OU=ESA,O=,>len<17>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> 
elem<CN=UHB,OU=ESA,O=,L=,>len<20>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> 
elem<CN=UHB,OU=ESA,O=,L=,ST=,>len<24>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> 
elem<CN=UHB,OU=ESA,O=,L=,ST=,C=,>len<27>
## 2011-01-28 14:28:02 : normalize_one_elem: input<[email protected]>
## 2011-01-28 14:28:02 : normalize_one_elem: content<[email protected]>
## 2011-01-28 14:28:02 : normalize_one: A temp<[email protected],> 
in_len<17>
## 2011-01-28 14:28:02 : normalize_one: temp<[email protected],> len<24>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<6> 
elem<CN=UHB,OU=ESA,O=,L=,ST=,C=,[email protected],>len<51>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: ind<-1> 
elem<CN=UHB,OU=ESA,O=,L=,ST=,C=,[email protected],DC=,>len<55>
## 2011-01-28 14:28:02 : normalize_user_wildcard_dn_id: 
result<CN=UHB,OU=ESA,O=,L=,ST=,C=,[email protected],DC=,>len<55>ret<0>
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   ct:CN=UHB
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   ct:OU=ESA
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   ct:[email protected]
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   count_num_required_elems: ret 
num elem<3>.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >     no container identity 
requirement.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   wild card identity 
matched<CN=UHB,OU=ESA,O=,L=,ST=,C=,[email protected],DC=,>.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        > ID match found.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   user id found<14>.
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   group id found<10>.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Dynamic peer IP addr, search peer by 
identity.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> peer gateway entry has no peer id 
configured
## 2011-01-28 14:28:02 : IKE<192.168.11.3> ID processed. return 0. sa->p1_state 
= 0.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Process [CERT-REQ..5]:
## 2011-01-28 14:28:02 : IKE<192.168.11.3> processing ISA_CERT_REQ starts, 
type=4.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> process_cert_req done.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> need to wait for offline p1 DH work 
done.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> IKE msg done: PKI state<0> IKE 
state<0/281290a>
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   finished job pkaidx <0> 
dh_len<128> dmax<64>
## 2011-01-28 14:28:02 : IKE<0.0.0.0        >   finished job 
d<33045e5c><17a0bb5d><e71366fc><dfaceb2c>
## 2011-01-28 14:28:02 : IKE<192.168.11.3> AG in state OAK_AG_NOSTATE.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> re-enter AG after offline DH done
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Phase 1 AG Responder constructing 
2nd message.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct ISAKMP header.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Msg header built (next payload #1)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [SA] for ISAKMP
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>, 
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> xauth attribute: disabled
## 2011-01-28 14:28:02 : IKE<192.168.11.3> lifetime/lifesize (86400/0)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct NetScreen [VID]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct custom [VID]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct custom [VID]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct custom [VID]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [KE] for ISAKMP
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [NONCE]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> gen_skeyid()
## 2011-01-28 14:28:02 : IKE<192.168.11.3> gen_skeyid: returning 0
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [ID] for ISAKMP
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Use FQDN "ref2.esa.int" in local 
certificate subject alternative name as IKE p1 ID.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [CERT]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> construct_cert(), first cert.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> construct_cert(), cert type = 4, 
certlen = 1090
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Direct CA, peer wants X509, will 
send one X509 cert.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> one X509 cert
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Responder constructing cert req
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [CERT-REQ]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct NAT-T [VID]: draft 2
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Responder rsa sig ag mode: natt vid 
constructed.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> responder (pki) constructing remote 
NAT-D
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [NATD]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> responder (pki) constructing local 
NAT-D
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [NATD]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Construct [SIG]
## 2011-01-28 14:28:02 : IKE<192.168.11.3> constructing RSA signature.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Use FQDN "ref2.esa.int" in local 
certificate subject alternative name as IKE p1 ID.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> ID, len=16, type=2, pro=17, port=500,
## 2011-01-28 14:28:02 : IKE<192.168.11.3> 
## 2011-01-28 14:28:02 : IKE<192.168.11.3>  
## 2011-01-28 14:28:02 : IKE<192.168.11.3   >   digest when construct sig
## 2011-01-28 14:28:02 : 6d 46 eb 8f d7 43 d0 bb  c0 7b 95 87 e5 25 bd 9b
## 2011-01-28 14:28:02 : 8e cb fa f4 00 00 00 00  d1 7e 37 00 40 51 82 03
## 2011-01-28 14:28:02 : IKE<192.168.11.3> throw packet to the peer, 
paket_len=1776
## 2011-01-28 14:28:02 : IKE<192.168.11.3   > Xmit : [SA] [VID] [VID] [VID] 
[VID] [KE] [NONCE] [ID] [CERT] 
## 2011-01-28 14:28:02 : [CERT-REQ] [VID] [NATD] [NATD] [SIG] 
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Responder sending IPv4 IP 
192.168.11.3/port 500
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Send Phase 1 packet (len=1776)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ike packet, len 1912, action 0
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Catcher: received 1884 bytes from 
socket.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ****** Recv packet if <ethernet0/1> 
of vsys <Root> ******
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Catcher: get 1884 bytes. src port 500
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >   ISAKMP msg: len 1884, nxp 
6[CERT], exch 4[AG], flag 01  E 
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Decrypting payload (length 1856)
## 2011-01-28 14:28:03 : IKE<192.168.11.3   > Recv*: [CERT] [SIG] [NATD] [NATD] 
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >   extract payload (1856): 
## 2011-01-28 14:28:03 : IKE<192.168.11.3> AG in state OAK_AG_INIT_EXCH.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [NATD]:
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [NATD]:
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [CERT]:
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Processing CERT payload. Cert Type = 
4, Cert Length = 1281.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> IKE msg done: PKI state<1> IKE 
state<5/1097191f>
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ike packet, len 112, action 0
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >   I got hit by mail. 1
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >    message from PKI, msg id=f001
## 2011-01-28 14:28:03 : IKE<192.168.11.3> enter PKI_CID_VERIFY_CERT_RSP
## 2011-01-28 14:28:03 : IKE<192.168.11.3> AG in state OAK_AG_INIT_EXCH.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [CERT]:
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Processing CERT payload. Cert Type = 
4, Cert Length = 1281.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> in cert, name 
<[email protected],OU=ESA,CN=UHB>
## 2011-01-28 14:28:03 : IKE<192.168.11.3> recv cert with IPV4(0.0.0.0), 
FQDN(none), RFC822(none)
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >   Cert NotAfter=Jan 25 09:44:09 
2021 GMT
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Cert_time(759491049) 
current(444148083)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [SIG]:
## 2011-01-28 14:28:03 : IKE<192.168.11.3> processing ISA_SIG.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ***** Got public key for 
192.168.11.3 *****
## 2011-01-28 14:28:03 : IKE<192.168.11.3> processing RSA sig
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ID, len=68, type=9, pro=0, port=0,
## 2011-01-28 14:28:03 : IKE<192.168.11.3>  
## 2011-01-28 14:28:03 : IKE<192.168.11.3   >   his_digest
## 2011-01-28 14:28:03 : 65 f4 54 97 b9 ba 40 fe  cb c8 68 2e 55 76 dd d6
## 2011-01-28 14:28:03 : 47 b1 a7 75 00 00 00 00  35 5a 39 00 40 51 82 03
## 2011-01-28 14:28:03 : IKE<192.168.11.3> pki_msg: pki state<0>ike 
state<6/1097193f>
## 2011-01-28 14:28:03 : IKE<192.168.11.3> completing Phase 1
## 2011-01-28 14:28:03 : IKE<192.168.11.3> sa_pidt = 84ce450
## 2011-01-28 14:28:03 : IKE<192.168.11.3> found existing peer identity 0
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Phase 1: Completed for ip 
<192.168.11.3>, user<[email protected],OU=ESA,CN=UHB>
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Phase 1: Completed Aggressive mode 
negotiation with a <28800>-second lifetime.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> xauth is started: server, 
p1responder, aggr mode.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> start_xauth()
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >   ikecfg list add attr type 
16520, val 0 added, len 0.
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >   ikecfg list add attr type 
16521, val empty string, type <16521> added, len 0.
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >   ikecfg list add attr type 
16522, val empty string, type <16522> added, len 0.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Create conn entry...
## 2011-01-28 14:28:03 : IKE<192.168.11.3>   ...done(new bd9e572e)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Construct ISAKMP header.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Msg header built (next payload #8)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Construct [HASH]
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >   print ikecfg attribute payload:
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >   next: 0, payloadlength 20, type 
1, identifier 5934.
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >   basic attr type 16520, valint 0
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >   variable attr type 16521, 
vallen 0, valstr empty string, type <16521>
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >   variable attr type 16522, 
vallen 0, valstr empty string, type <16522>
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >   
## 2011-01-28 14:28:03 : IKE<192.168.11.3> construct QM HASH
## 2011-01-28 14:28:03 : IKE<192.168.11.3   > Xmit*: [HASH] [IKECFG] 
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Encrypt P2 payload (len 72)
--- more ---              ## 2011-01-28 14:28:03 : 
IKE<192.168.11.3> Responder sending IPv4 IP 192.168.11.3/port 500
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Send Phase 2 packet (len=76)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ikecfg packet sent. msgid bd9e572e, 
len: 72, peer<192.168.11.3>
## 2011-01-28 14:28:03 : IKE<192.168.11.3> xauth status updated by state 
machine: 20
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Catcher: received 84 bytes from 
socket.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> ****** Recv packet if <ethernet0/1> 
of vsys <Root> ******
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Catcher: get 84 bytes. src port 500
## 2011-01-28 14:28:03 : IKE<0.0.0.0        >   ISAKMP msg: len 84, nxp 
8[HASH], exch 5[INFO], flag 01  E 
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Create conn entry...
## 2011-01-28 14:28:03 : IKE<192.168.11.3>   ...done(new a77ca448)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Decrypting payload (length 56)
## 2011-01-28 14:28:03 : IKE<192.168.11.3   > Recv*: [HASH] [DELETE] 
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Process [DELETE]:
## 2011-01-28 14:28:03 : IKE<192.168.11.3> DELETE payload received, deleting 
Phase-1 SA
## 2011-01-28 14:28:03 : IKE<192.168.11.3>   Delete conn entry...
## 2011-01-28 14:28:03 : IKE<192.168.11.3>  ...found conn entry(48a47ca7)
## 2011-01-28 14:28:03 : IKE<192.168.11.3> IKE msg done: PKI state<0> IKE 
state<6/1097193f>
## 2011-01-28 14:28:04 : IKE<0.0.0.0        >     dh group 2
## 2011-01-28 14:28:04 : IKE<0.0.0.0        >   finished job pkaidx <0> 
dh_len<128> dmax<64>
## 2011-01-28 14:28:04 : IKE<0.0.0.0        >   finished job 
d<c6f4d4d0><f405dc32><4244e532><954798b2>
## 2011-01-28 14:28:04 : IKE<0.0.0.0        > BN, top32 dmax64 zero<no>
## 2011-01-28 14:28:09 : IKE<192.168.11.3> ikecfg transmit timer expired. 
re-trans
## 2011-01-28 14:28:09 : IKE<192.168.11.3> bad sa, can't send request
## 2011-01-28 14:28:15 : IKE<192.168.11.3> ikecfg transmit timer expired. 
re-trans
## 2011-01-28 14:28:15 : IKE<192.168.11.3> bad sa, can't send request
## 2011-01-28 14:28:21 : IKE<192.168.11.3> ikecfg transmit timer expired. 
re-trans
## 2011-01-28 14:28:21 : IKE<192.168.11.3> bad sa, can't send request
## 2011-01-28 14:28:27 : IKE<192.168.11.3> ikecfg transmit timer expired. 
re-trans
## 2011-01-28 14:28:27 : IKE<192.168.11.3> bad sa, can't send request
## 2011-01-28 14:28:32 : reap_db. deleting p1sa 2178e38
## 2011-01-28 14:28:32 : terminate_SA: trying to delete SA cause: 0 cond: 2
## 2011-01-28 14:28:32 : IKE<192.168.11.3>   Delete conn entry...
## 2011-01-28 14:28:32 : IKE<192.168.11.3>  ...found conn entry(2e579ebd)
## 2011-01-28 14:28:32 : IKE<192.168.11.3> xauth login ABORTED. gw <VPN_P1_GW>, 
username <>, retry: 0
## 2011-01-28 14:28:42 : IKE<192.168.11.3> xauth login EXPIRED and TERMINATED. 
username <>, ip<0.0.0.0/0.0.0.0>
## 2011-01-28 14:28:42 : IKE<192.168.11.3> IKE Xauth: release prefix route, 
ret=<-2>.
## 2011-01-28 14:29:02 : reap_db. deleting p1sa 2178e38
## 2011-01-28 14:29:02 : terminate_SA: trying to delete SA cause: 0 cond: 2
## 2011-01-28 14:29:02 : IKE<192.168.11.3> xauth_cleanup()
## 2011-01-28 14:29:02 : IKE<192.168.11.3> Done cleaning up IKE Phase 1 SA
## 2011-01-28 14:29:02 : peer_identity_unregister_p1_sa.
## 2011-01-28 14:29:02 : IKE<0.0.0.0        >   delete peer identity 0x84ce450
## 2011-01-28 14:29:02 : IKE<0.0.0.0        >   peer_identity_remove_from_peer: 
num entry before remove <2>
## 2011-01-28 14:29:02 : peer_idt.c peer_identity_unregister_p1_sa 668: pidt 
deleted.
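
An added triage helper, not part of the original post and not ScreenOS or Shrew code: it re-joins the wrapped `get db stream` records (including the console pager prompt), then pulls out the Phase 1 proposal comparison and the XAUTH/DELETE sequence. The function names are this example's own, and `SAMPLE` is an abridged excerpt of the capture above.

```python
import re

# Abridged excerpt of the capture above, keeping its line wrapping and the
# console pager prompt.
SAMPLE = """\
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(7)<AES>,
hash(1)<MD5>, group(2), keylen(256)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> [0] expect: xauthflag 3
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>,
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> P1 attributes not supported.
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Proposal received: xauthflag 61
## 2011-01-28 14:28:02 : IKE<192.168.11.3> auth(3)<RSA>, encr(5)<3DES>,
hash(2)<SHA>, group(2)
## 2011-01-28 14:28:02 : IKE<192.168.11.3> Phase 1 proposal [0] selected.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> Phase 1: Completed Aggressive mode
negotiation with a <28800>-second lifetime.
## 2011-01-28 14:28:03 : IKE<192.168.11.3> xauth is started: server,
p1responder, aggr mode.
--- more ---              ## 2011-01-28 14:28:03 :
IKE<192.168.11.3> Responder sending IPv4 IP 192.168.11.3/port 500
## 2011-01-28 14:28:03 : IKE<192.168.11.3> DELETE payload received, deleting
Phase-1 SA
## 2011-01-28 14:28:09 : IKE<192.168.11.3> bad sa, can't send request
## 2011-01-28 14:28:32 : IKE<192.168.11.3> xauth login ABORTED. gw <VPN_P1_GW>,
username <>, retry: 0
"""

RECORD = re.compile(r"^## (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) : (?:IKE<([^>]*)>\s*)?(.*)$")
PROPOSAL = re.compile(r"auth\(\d+\)<(\w+)>, encr\(\d+\)<(\w+)>, hash\(\d+\)<(\w+)>, "
                      r"group\((\d+)\)(?:, keylen\((\d+)\))?")
PAGER = re.compile(r"^--- more ---\s*")

def unwrap(text):
    """Re-join records split by the 80-column wrap or the pager prompt."""
    records = []
    for raw in text.splitlines():
        line = PAGER.sub("", raw).rstrip()
        if not line:
            continue
        if line.startswith("## ") or not records:
            records.append(line)
        else:
            records[-1] += " " + line.lstrip()
    return records

def parse(text):
    """Return (timestamp, peer, message) tuples; peer is None on untagged lines."""
    out = []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if m:
            ts, peer, msg = m.groups()
            out.append((ts, peer.strip() if peer else None, msg.strip()))
    return out

def summarize(records):
    """Collect the Phase 1 proposal comparison and the XAUTH/DELETE sequence."""
    s = {"offered": [], "unsupported": 0, "expected": [], "selected": None,
         "phase1_done": None, "xauth_started": None, "peer_delete": None,
         "failed_retransmits": 0, "xauth_result": None}
    side = None  # which list the next auth(...) line belongs to
    for ts, _peer, msg in records:
        if msg.startswith("Proposal received"):
            side = "offered"
        elif "expect:" in msg:
            side = "expected"
        elif msg.startswith("P1 attributes not supported"):
            s["unsupported"] += 1
        elif side and (m := PROPOSAL.search(msg)):
            auth, encr, digest, group, keylen = m.groups()
            prop = (auth, encr + (keylen or ""), digest, "group" + group)
            if prop not in s[side]:  # the gateway repeats its expectation
                s[side].append(prop)
            side = None
        elif m := re.search(r"Phase 1 proposal \[(\d+)\] selected", msg):
            s["selected"] = int(m.group(1))
        elif msg.startswith("Phase 1: Completed"):
            s["phase1_done"] = s["phase1_done"] or ts
        elif msg.startswith("xauth is started"):
            s["xauth_started"] = ts
        elif msg.startswith("DELETE payload received"):
            s["peer_delete"] = ts
        elif msg.startswith("bad sa, can't send request"):
            s["failed_retransmits"] += 1
        elif m := re.search(r"xauth login (\w+)", msg):
            s["xauth_result"] = s["xauth_result"] or m.group(1)
    return s

def peer_deleted_sa_during_xauth(s):
    """True if the peer's DELETE arrived after the gateway had started XAUTH."""
    return bool(s["xauth_started"] and s["peer_delete"]
                and s["peer_delete"] >= s["xauth_started"])

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

To run it on the whole capture, pass the saved text of the attachment to `parse()` instead of `SAMPLE`.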