Hi all,

I'm trying to configure DHCP over IPsec with the Shrew Soft VPN Client and my
firewall (Arkoon).

I've set up the Arkoon FW correctly: when I connect with a fixed IP assigned, the
VPN connection goes fine; when I tick DHCP over IPsec in the Shrew client I get
this log on the FW:

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
received Vendor ID payload [RFC 3947] method set to=110

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
ignoring Vendor ID payload [FRAGMENTATION 80000000]

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
received Vendor ID payload [Dead Peer Detection]

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
ignoring unknown Vendor ID payload
[166f932d55eb64d8e4df4fd37e2313f0d0fd8451]

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]

Jun 14 10:01:14 firewall pluto[25518]: packet from 94.XX.YY.84:1655:
ignoring Vendor ID payload [Cisco-Unity]

Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21:
responding to Main Mode from unknown peer 94.XX.YY.84

Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21:
STATE_MAIN_R1: sent MR1, expecting MI2

Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed

Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21:
STATE_MAIN_R2: sent MR2, expecting MI3

Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: Main
mode peer ID is ID_DER_ASN1_DN:
'E=********@****.it,CN=******,OU=***,O=********,L=*************,C=IT'

Jun 14 10:01:14 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.8484 #21:
Issuer CA certificate is trusted: 'CN=Fast360
CA,OU=CED,O=******.,L=*******,C=IT'

Jun 14 10:01:15 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21: Issuer
CA certificate is trusted: 'CN= Fast360 CA,OU=CED,O=******.,L=*******,C=IT'

Jun 14 10:01:15 firewall pluto[25518]: "conn_13"[1] 94.XX.YY.84 #21:
switched from "conn_13" to "conn_11"

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: I am
sending my cert

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: NAT-T:
new port 1655/1705

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=aes_256 prf=oakley_sha group=modp1024}

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: Dead
Peer Detection (RFC 3706): enabled

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21:
ignoring informational payload, type IPSEC_INITIAL_CONTACT

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21:
received and ignored informational message

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: cannot
respond to IPsec SA request because no connection is known for
82.XX.YY.143[CN= Fast360 CA,OU=CED,O=******.,L=*******,C=IT]:17/67...
94.XX.YY.84
[E=********@****.it,CN=******,OU=***,O=********,L=*************,C=IT]:17/67=
==10.X.Y.15/32

Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: sending
encrypted notification INVALID_ID_INFORMATION to 94.XX.YY.84:1705

Jun 14 10:01:20 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: Quick
Mode I1 message is unacceptable because it uses a previously used Message ID
0x698f4631 (perhaps this is a duplicated packet)

Jun 14 10:01:20 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: sending
encrypted notification INVALID_MESSAGE_ID to 94.XX.YY.84:1705

Jun 14 10:01:23 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21:
received Delete SA payload: deleting ISAKMP State #21

Jun 14 10:01:23 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84: deleting
connection "conn_11" instance with peer 94.XX.YY.84 {isakmp=#0/ipsec=#0}

The same config with a fixed IP works OK.

The VPN is defined with two ends: one is the remote LAN, the other is the
user/object with a defined cert and virtual IP addressing.

Any hint on how to debug better?

Thanks,

Nicola

Bressan Nicola | System & Security Engineer 


Via Roma, 4 int. 18 - 31020 Villorba (TV) - Italy 


Tel: +39.0422.9125 | E-Mail: [email protected] 


_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
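An added diagnostic (not from the post, nor from Shrew Soft or Arkoon) that parses pluto's "cannot respond to IPsec SA request because no connection is known for" line into the Phase 2 selectors the client proposed, so the UDP/67 selector of the DHCP over IPsec lease exchange (RFC 3456) that no connection on the responder matched stands out from the rest of the log. It assumes the wrapped log line has been joined back onto one line; the sample log, addresses and DNs below are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the pluto lines in the post; addresses and DNs
# are placeholders. The wrapped "no connection is known" line is joined onto one line.
SAMPLE_LOG = """\
Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: cannot respond to IPsec SA request because no connection is known for 82.XX.YY.143[CN= Fast360 CA,OU=CED,O=Example,L=Town,C=IT]:17/67...94.XX.YY.84[E=user@example.it,CN=user,OU=unit,O=Example,L=Town,C=IT]:17/67===10.X.Y.15/32
Jun 14 10:01:15 firewall pluto[25518]: "conn_11"[1] 94.XX.YY.84 #21: sending encrypted notification INVALID_ID_INFORMATION to 94.XX.YY.84:1705
"""

NO_CONN_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] \S+ #\d+: cannot respond to IPsec SA '
    r'request because no connection is known for (?P<sel>.+)$')
# pluto prints the proposed Phase 2 selectors as
#   [lsub===]lhost[lid]:proto/port...rhost[rid]:proto/port[===rsub]
SEL_RE = re.compile(
    r'^(?:(?P<lsub>[^\s\[=]+)===)?(?P<lhost>[^\s\[]+)\[(?P<lid>[^\]]*)\]'
    r':(?P<lproto>\d+)/(?P<lport>\d+)\.\.\.'
    r'(?P<rhost>[^\s\[]+)\[(?P<rid>[^\]]*)\]:(?P<rproto>\d+)/(?P<rport>\d+)'
    r'(?:===(?P<rsub>\S+))?$')

# Protocol 17 is UDP; 67/68 are the BOOTP/DHCP ports. RFC 3456 (DHCP over IPsec)
# runs the lease exchange inside an SA whose selectors are exactly these.
PROTOPORT_NAMES = {
    (17, 67): "UDP/67 (DHCP server port: DHCP over IPsec lease exchange)",
    (17, 68): "UDP/68 (DHCP client port)",
}


def diagnose(log_text: str) -> List[Dict[str, str]]:
    """One finding per 'no connection is known' line, with the proposed selectors."""
    findings = []
    for line in log_text.splitlines():
        m = NO_CONN_RE.search(line)
        if not m:
            continue
        s = SEL_RE.match(m["sel"])
        if not s:  # still wrapped or an unfamiliar layout: report, do not guess
            findings.append({"conn": m["conn"], "error": "unparsed selector: " + m["sel"]})
            continue
        proto, port = int(s["rproto"]), int(s["rport"])
        findings.append({
            "conn": m["conn"],
            "local": f'{s["lhost"]}:{s["lproto"]}/{s["lport"]}',
            "remote": f'{s["rhost"]}:{s["rproto"]}/{s["rport"]}',
            "remote_subnet": s["rsub"] or s["rhost"],
            "protoport": PROTOPORT_NAMES.get((proto, port), f"protocol {proto}/port {port}"),
            "hint": "Phase 1 succeeded; no connection has selectors matching this Phase 2 proposal.",
        })
    return findings
```

Run `diagnose()` over the firewall's joined pluto log: a finding whose `protoport` names UDP/67 means the client did ask for the DHCP-over-IPsec SA and the responder had no connection accepting it, which is the point to compare against the Arkoon VPN definition rather than the certificate or Phase 1 settings.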