I have had the NAT-T disabled per the guide. When I enable it with the head revision build the client cannot successfully negotiate phase 1.

11/05/16 11:28:26 ii : ipc client process thread begin ...
11/05/16 11:28:26 <A : peer config add message
11/05/16 11:28:26 <A : proposal config message
11/05/16 11:28:26 <A : proposal config message
11/05/16 11:28:26 <A : client config message
11/05/16 11:28:26 <A : xauth username message
11/05/16 11:28:26 <A : xauth password message
11/05/16 11:28:26 <A : local id '' message
11/05/16 11:28:26 <A : remote certificate data message
11/05/16 11:28:26 ii : remote certificate read complete ( 544 bytes )
11/05/16 11:28:26 <A : remote resource message
11/05/16 11:28:26 <A : remote resource message
11/05/16 11:28:26 <A : remote resource message
11/05/16 11:28:26 <A : peer tunnel enable message
11/05/16 11:28:26 DB : peer added ( obj count = 1 )
11/05/16 11:28:26 ii : local address 173.164.101.120 selected for peer
11/05/16 11:28:26 DB : tunnel added ( obj count = 1 )
11/05/16 11:28:26 DB : new phase1 ( ISAKMP initiator )
11/05/16 11:28:26 DB : exchange type is identity protect
11/05/16 11:28:26 DB : 173.164.101.120:500 <-> 173.164.101.125:500
11/05/16 11:28:26 DB : 23081e9ecae41783:0000000000000000
11/05/16 11:28:26 DB : phase1 added ( obj count = 1 )
11/05/16 11:28:26 >> : security association payload
11/05/16 11:28:26 >> : - proposal #1 payload
11/05/16 11:28:26 >> : -- transform #1 payload
11/05/16 11:28:26 >> : -- transform #2 payload
11/05/16 11:28:26 >> : -- transform #3 payload
11/05/16 11:28:26 >> : -- transform #4 payload
11/05/16 11:28:26 >> : -- transform #5 payload
11/05/16 11:28:26 >> : -- transform #6 payload
11/05/16 11:28:26 >> : -- transform #7 payload
11/05/16 11:28:26 >> : -- transform #8 payload
11/05/16 11:28:26 >> : -- transform #9 payload
11/05/16 11:28:26 >> : -- transform #10 payload
11/05/16 11:28:26 >> : -- transform #11 payload
11/05/16 11:28:26 >> : -- transform #12 payload
11/05/16 11:28:26 >> : -- transform #13 payload
11/05/16 11:28:26 >> : -- transform #14 payload
11/05/16 11:28:26 >> : -- transform #15 payload
11/05/16 11:28:26 >> : -- transform #16 payload
11/05/16 11:28:26 >> : -- transform #17 payload
11/05/16 11:28:26 >> : -- transform #18 payload
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports XAUTH
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports nat-t ( draft v00 )
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports nat-t ( draft v01 )
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports nat-t ( draft v02 )
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports nat-t ( draft v03 )
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports nat-t ( rfc )
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports FRAGMENTATION
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports DPDv1
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local is SHREW SOFT compatible
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local is NETSCREEN compatible
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local is SIDEWINDER compatible
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local is CISCO UNITY compatible
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local is CHECKPOINT compatible
11/05/16 11:28:26 >= : cookies 23081e9ecae41783:0000000000000000
11/05/16 11:28:26 >= : message 00000000
11/05/16 11:28:26 -> : send IKE packet 173.164.101.120:500 -> 173.164.101.125:500 ( 1076 bytes )
11/05/16 11:28:26 DB : phase1 resend event scheduled ( ref count = 2 )
11/05/16 11:28:27 <- : recv IKE packet 173.164.101.125:500 -> 173.164.101.120:500 ( 152 bytes )
11/05/16 11:28:27 DB : phase1 found
11/05/16 11:28:27 ii : processing phase1 packet ( 152 bytes )
11/05/16 11:28:27 =< : cookies 23081e9ecae41783:ae36079b016b89ae
11/05/16 11:28:27 =< : message 00000000
11/05/16 11:28:27 << : security association payload
11/05/16 11:28:27 << : - propsal #1 payload
11/05/16 11:28:27 << : -- transform #1 payload
11/05/16 11:28:27 ii : matched isakmp proposal #1 transform #1
11/05/16 11:28:27 ii : - transform = ike
11/05/16 11:28:27 ii : - cipher type = aes
11/05/16 11:28:27 ii : - key length = 256 bits
11/05/16 11:28:27 ii : - hash type = md5
11/05/16 11:28:27 ii : - dh group = group1 ( modp-768 )
11/05/16 11:28:27 ii : - auth type = hybrid-initiator-rsa
11/05/16 11:28:27 ii : - life seconds = 86400
11/05/16 11:28:27 ii : - life kbytes = 0
11/05/16 11:28:27 << : vendor id payload
11/05/16 11:28:27 ii : peer supports nat-t ( draft v02 )
11/05/16 11:28:27 << : vendor id payload
11/05/16 11:28:27 ii : peer is CHECKPOINT compatible
11/05/16 11:28:27 >> : key exchange payload
11/05/16 11:28:27 >> : nonce payload
11/05/16 11:28:27 >> : cert request payload
11/05/16 11:28:27 >> : nat discovery payload
11/05/16 11:28:27 >> : nat discovery payload
11/05/16 11:28:27 >= : cookies 23081e9ecae41783:ae36079b016b89ae
11/05/16 11:28:27 >= : message 00000000
11/05/16 11:28:27 DB : phase1 resend event canceled ( ref count = 1 )
11/05/16 11:28:27 -> : send IKE packet 173.164.101.120:500 -> 173.164.101.125:500 ( 225 bytes )
11/05/16 11:28:27 DB : phase1 resend event scheduled ( ref count = 2 )
11/05/16 11:28:27 <- : recv IKE packet 173.164.101.125:500 -> 173.164.101.120:500 ( 40 bytes )
11/05/16 11:28:27 DB : phase1 found
11/05/16 11:28:27 ii : processing informational packet ( 40 bytes )
11/05/16 11:28:27 == : new informational iv ( 16 bytes )
11/05/16 11:28:27 =< : cookies 23081e9ecae41783:ae36079b016b89ae
11/05/16 11:28:27 =< : message 918915cb
11/05/16 11:28:27 << : notification payload
11/05/16 11:28:27 ii : received peer INVALID-PAYLOAD-TYPE notification
11/05/16 11:28:27 ii : - 173.164.101.125:500 -> 173.164.101.120:500
11/05/16 11:28:27 ii : - isakmp spi = none
11/05/16 11:28:27 ii : - data size 0
11/05/16 11:28:37 -> : resend 1 phase1 packet(s) [0/2] 173.164.101.120:500 -> 173.164.101.125:500
11/05/16 11:28:47 -> : resend 1 phase1 packet(s) [1/2] 173.164.101.120:500 -> 173.164.101.125:500
11/05/16 11:28:57 -> : resend 1 phase1 packet(s) [2/2] 173.164.101.120:500 -> 173.164.101.125:500
11/05/16 11:29:07 ii : resend limit exceeded for phase1 exchange
11/05/16 11:29:07 ii : phase1 removal before expire time
11/05/16 11:29:07 DB : phase1 deleted ( obj count = 0 )
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : removing tunnel config references
11/05/16 11:29:07 DB : removing tunnel phase2 references
11/05/16 11:29:07 DB : removing tunnel phase1 references
11/05/16 11:29:07 DB : tunnel deleted ( obj count = 0 )
11/05/16 11:29:07 DB : removing all peer tunnel refrences
11/05/16 11:29:07 DB : peer deleted ( obj count = 0 )
11/05/16 11:29:07 ii : ipc client process thread exit ...

On Mon, May 16, 2011 at 10:57 AM, Matthew Grooms <[email protected]> wrote:
> On 5/11/2011 12:52 AM, Matthew Austin wrote:
>>
>> Greetings,
>>
>> I followed the instructions at
>> http://www.shrew.net/support/wiki/HowtoCheckpoint
>>
>> shrew reports:
>> bringing up tunnel ...
>> network device configured
>> tunnel enabled
>>
>> so it would appear that I can connect to the device, authenticate, and
>> it pulls down an IP and all of that, but I can't ping any internal
>> network or even the gateway.
>>
>> I also applied the setting recommended here
>> http://lists.shrew.net/pipermail/vpn-help/2008-November/000950.html
>> just in case.
>>
>> Any help would be appreciated.
>>
>
> Do you have NAT-Traversal enabled? If so, try disabling it. If not, try
> enabling it.
>
> -Matthew
