I've kept plugging away at this and have gone so far as to download and work through some minor build issues with the head revision with no real delta. I'm getting through phase 1 and when I ping an internal host it initiates phase 2. The appliance reports in the log that phase 2 negotiation completes successfully but the ping does not return. Here is the iked.log debug output from when I initiate the ping forward.
11/05/14 12:46:53 K< : recv pfkey ACQUIRE ESP message
11/05/14 12:46:53 DB : policy found
11/05/14 12:46:53 DB : policy found
11/05/14 12:46:53 DB : tunnel found
11/05/14 12:46:53 DB : new phase2 ( IPSEC initiator )
11/05/14 12:46:53 DB : phase2 added ( obj count = 1 )
11/05/14 12:46:53 K> : send pfkey GETSPI ESP message
11/05/14 12:46:53 K< : recv pfkey GETSPI ESP message
11/05/14 12:46:53 DB : phase2 found
11/05/14 12:46:53 ii : updated spi for 1 ipsec-esp proposal
11/05/14 12:46:53 DB : phase1 found
11/05/14 12:46:53 >> : hash payload
11/05/14 12:46:53 >> : security association payload
11/05/14 12:46:53 >> : - proposal #1 payload
11/05/14 12:46:53 >> : -- transform #1 payload
11/05/14 12:46:53 >> : -- transform #2 payload
11/05/14 12:46:53 >> : -- transform #3 payload
11/05/14 12:46:53 >> : -- transform #4 payload
11/05/14 12:46:53 >> : -- transform #5 payload
11/05/14 12:46:53 >> : -- transform #6 payload
11/05/14 12:46:53 >> : -- transform #7 payload
11/05/14 12:46:53 >> : -- transform #8 payload
11/05/14 12:46:53 >> : -- transform #9 payload
11/05/14 12:46:53 >> : -- transform #10 payload
11/05/14 12:46:53 >> : -- transform #11 payload
11/05/14 12:46:53 >> : -- transform #12 payload
11/05/14 12:46:53 >> : -- transform #13 payload
11/05/14 12:46:53 >> : -- transform #14 payload
11/05/14 12:46:53 >> : -- transform #15 payload
11/05/14 12:46:53 >> : -- transform #16 payload
11/05/14 12:46:53 >> : -- transform #17 payload
11/05/14 12:46:53 >> : -- transform #18 payload
11/05/14 12:46:53 >> : -- transform #19 payload
11/05/14 12:46:53 >> : -- transform #20 payload
11/05/14 12:46:53 >> : -- transform #21 payload
11/05/14 12:46:53 >> : -- transform #22 payload
11/05/14 12:46:53 >> : -- transform #23 payload
11/05/14 12:46:53 >> : -- transform #24 payload
11/05/14 12:46:53 >> : -- transform #25 payload
11/05/14 12:46:53 >> : -- transform #26 payload
11/05/14 12:46:53 >> : -- transform #27 payload
11/05/14 12:46:53 >> : -- transform #28 payload
11/05/14 12:46:53 >> : -- transform #29 payload
11/05/14 12:46:53 >> : -- transform #30 payload
11/05/14 12:46:53 >> : -- transform #31 payload
11/05/14 12:46:53 >> : -- transform #32 payload
11/05/14 12:46:53 >> : -- transform #33 payload
11/05/14 12:46:53 >> : -- transform #34 payload
11/05/14 12:46:53 >> : -- transform #35 payload
11/05/14 12:46:53 >> : -- transform #36 payload
11/05/14 12:46:53 >> : -- transform #37 payload
11/05/14 12:46:53 >> : -- transform #38 payload
11/05/14 12:46:53 >> : -- transform #39 payload
11/05/14 12:46:53 >> : -- transform #40 payload
11/05/14 12:46:53 >> : -- transform #41 payload
11/05/14 12:46:53 >> : -- transform #42 payload
11/05/14 12:46:53 >> : -- transform #43 payload
11/05/14 12:46:53 >> : -- transform #44 payload
11/05/14 12:46:53 >> : -- transform #45 payload
11/05/14 12:46:53 >> : nonce payload
11/05/14 12:46:53 >> : identification payload
11/05/14 12:46:53 >> : identification payload
11/05/14 12:46:53 == : phase2 hash_i ( input ) ( 1460 bytes )
11/05/14 12:46:53 == : phase2 hash_i ( computed ) ( 16 bytes )
11/05/14 12:46:53 == : new phase2 iv ( 16 bytes )
11/05/14 12:46:53 >= : cookies f8d338c27cbb826c:2881de11b69d9df3
11/05/14 12:46:53 >= : message e75b342c
11/05/14 12:46:53 >= : encrypt iv ( 16 bytes )
11/05/14 12:46:53 == : encrypt packet ( 1504 bytes )
11/05/14 12:46:53 == : stored iv ( 16 bytes )
11/05/14 12:46:53 -> : send IKE packet 192.168.0.161:500 -> 173.164.101.125:500 ( 1544 bytes )
11/05/14 12:46:53 DB : phase2 resend event scheduled ( ref count = 2 )
11/05/14 12:46:53 <- : recv IKE packet 173.164.101.125:500 -> 192.168.0.161:500 ( 172 bytes )
11/05/14 12:46:53 DB : phase1 found
11/05/14 12:46:53 ii : processing phase2 packet ( 172 bytes )
11/05/14 12:46:53 DB : phase2 found
11/05/14 12:46:53 =< : cookies f8d338c27cbb826c:2881de11b69d9df3
11/05/14 12:46:53 =< : message e75b342c
11/05/14 12:46:53 =< : decrypt iv ( 16 bytes )
11/05/14 12:46:53 == : decrypt packet ( 172 bytes )
11/05/14 12:46:53 <= : trimmed packet padding ( 16 bytes )
11/05/14 12:46:53 <= : stored iv ( 16 bytes )
11/05/14 12:46:53 << : hash payload
11/05/14 12:46:53 << : security association payload
11/05/14 12:46:53 << : - propsal #1 payload
11/05/14 12:46:53 << : -- transform #1 payload
11/05/14 12:46:53 << : nonce payload
11/05/14 12:46:53 << : identification payload
11/05/14 12:46:53 << : identification payload
11/05/14 12:46:53 == : phase2 hash_r ( input ) ( 132 bytes )
11/05/14 12:46:53 == : phase2 hash_r ( computed ) ( 16 bytes )
11/05/14 12:46:53 == : phase2 hash_r ( received ) ( 16 bytes )
11/05/14 12:46:53 ii : matched ipsec-esp proposal #1 transform #1
11/05/14 12:46:53 ii : - transform = esp-aes
11/05/14 12:46:53 ii : - key length = 256 bits
11/05/14 12:46:53 ii : - encap mode = tunnel
11/05/14 12:46:53 ii : - msg auth = hmac-md5
11/05/14 12:46:53 ii : - pfs dh group = none
11/05/14 12:46:53 ii : - life seconds = 3600
11/05/14 12:46:53 ii : - life kbytes = 0
11/05/14 12:46:53 DB : policy found
11/05/14 12:46:53 K> : send pfkey GETSPI ESP message
11/05/14 12:46:53 K< : recv pfkey GETSPI ESP message
11/05/14 12:46:53 DB : phase2 found
11/05/14 12:46:53 ii : phase2 ids accepted
11/05/14 12:46:53 ii : - loc ANY:192.168.254.162:* -> ANY:192.168.200.0/24:*
11/05/14 12:46:53 ii : - rmt ANY:192.168.200.0/24:* -> ANY:192.168.254.162:*
11/05/14 12:46:53 ii : phase2 sa established
11/05/14 12:46:53 ii : 192.168.0.161:500 <-> 173.164.101.125:500
11/05/14 12:46:53 == : phase2 hash_p ( input ) ( 45 bytes )
11/05/14 12:46:53 == : phase2 hash_p ( computed ) ( 16 bytes )
11/05/14 12:46:53 >> : hash payload
11/05/14 12:46:53 >= : cookies f8d338c27cbb826c:2881de11b69d9df3
11/05/14 12:46:53 >= : message e75b342c
11/05/14 12:46:53 >= : encrypt iv ( 16 bytes )
11/05/14 12:46:53 == : encrypt packet ( 48 bytes )
11/05/14 12:46:53 == : stored iv ( 16 bytes )
11/05/14 12:46:53 DB : phase2 resend event canceled ( ref count = 1 )
11/05/14 12:46:53 -> : send IKE packet 192.168.0.161:500 -> 173.164.101.125:500 ( 88 bytes )
11/05/14 12:46:53 == : spi cipher key data ( 32 bytes )
11/05/14 12:46:53 == : spi hmac key data ( 16 bytes )
11/05/14 12:46:53 K> : send pfkey UPDATE ESP message
11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message
11/05/14 12:46:53 == : spi cipher key data ( 32 bytes )
11/05/14 12:46:53 == : spi hmac key data ( 16 bytes )
11/05/14 12:46:53 K> : send pfkey UPDATE ESP message
11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message

It feels like it is soooo close.

On Wed, May 11, 2011 at 5:33 PM, Matthew Austin <[email protected]> wrote:
> Just a quick update that I downloaded and built 2.1.7 on ubuntu 11.04
> with no change. We've tested this with ubuntu 10.10 and 11.04 with
> the 2.1.5 packages. Let me know if you'd like to see some iked.log
> output.
>
> On Tue, May 10, 2011 at 10:52 PM, Matthew Austin <[email protected]> wrote:
>> Greetings,
>>
>> I followed the instructions at
>> http://www.shrew.net/support/wiki/HowtoCheckpoint
>>
>> shrew reports:
>> bringing up tunnel ...
>> network device configured
>> tunnel enabled
>>
>> so it would appear that I can connect to the device, authenticate, and
>> it pulls down an IP and all of that, but I can't ping any internal
>> network or even the gateway.
>>
>> I also applied the setting recommended here
>> http://lists.shrew.net/pipermail/vpn-help/2008-November/000950.html
>> just in case.
>>
>> Any help would be appreciated.
>>
>> Matthew
>>
>
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
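An added helper, not part of this thread or of the Shrew Soft code, that condenses iked.log phase2 debug output of the layout shown above (date, time, tag, " : ", message) into the facts worth checking before looking further: how many transforms were offered, which ESP parameters were matched, the accepted selectors, and whether the kernel acknowledged the pfkey UPDATE for both ESP SAs. The embedded sample is a constructed subset of the log lines quoted in this post; the `diagnose` logic is my own troubleshooting rule of thumb, not anything the daemon itself reports.

```python
import re

# Constructed subset of the iked.log lines quoted in this thread (not a full capture).
SAMPLE_LOG = """\
11/05/14 12:46:53 >> : -- transform #1 payload
11/05/14 12:46:53 >> : -- transform #2 payload
11/05/14 12:46:53 ii : matched ipsec-esp proposal #1 transform #1
11/05/14 12:46:53 ii : - transform = esp-aes
11/05/14 12:46:53 ii : - key length = 256 bits
11/05/14 12:46:53 ii : - loc ANY:192.168.254.162:* -> ANY:192.168.200.0/24:*
11/05/14 12:46:53 ii : - rmt ANY:192.168.200.0/24:* -> ANY:192.168.254.162:*
11/05/14 12:46:53 ii : phase2 sa established
11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message
11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message
"""

LINE_RE = re.compile(r"^\S+ \S+ (\S+) : (.*)$")  # date, time, tag, " : ", message

def summarize_phase2(log):
    # Reduce phase2 debug output to the handful of facts a troubleshooter needs.
    s = {"proposed": 0, "params": {}, "selectors": {},
         "established": False, "kernel_updates_acked": 0}
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        tag, msg = m.groups()
        if tag == ">>" and msg.startswith("-- transform #"):
            s["proposed"] += 1                  # transforms offered to the gateway
        elif tag == "ii":
            if msg.startswith("- loc ") or msg.startswith("- rmt "):
                src, dst = msg[6:].split(" -> ")
                s["selectors"][msg[2:5]] = (src, dst)
            elif msg.startswith("- ") and " = " in msg:
                key, val = msg[2:].split(" = ", 1)
                s["params"][key] = val          # negotiated ESP parameters
            elif msg == "phase2 sa established":
                s["established"] = True
        elif tag == "K<" and msg == "recv pfkey UPDATE ESP message":
            s["kernel_updates_acked"] += 1      # kernel accepted one ESP SA install
    return s

def diagnose(s):
    # Name the last stage the log proves worked, so the search starts after it.
    if not s["established"]:
        return "phase2 never established: revisit proposals and selectors"
    if s["kernel_updates_acked"] < 2:
        return "SA negotiated but the kernel did not acknowledge both ESP SAs"
    loc_src = s["selectors"]["loc"][0]
    return ("IKE negotiation and kernel SA install both succeeded; packets must "
            "originate from %s to match the selector, so check routing and the "
            "SPD next" % loc_src)
```

Run against the full log above it reports 45 proposed transforms and the same selectors; the point is that the evidence ends after the kernel SA install, which is where a missing ping reply should then be chased.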
