Hi,

We're testing the Shrew Soft VPN client and we're having an issue establishing a connection to our Juniper SSG-140 firewall; the Shrew Soft client works fine with our Juniper SSG-5. As far as I can tell, the VPN configurations on both the firewall and client are identical except for IP addresses, credentials, and the like.

When I connect to the problematic firewall, the client connects successfully and reports that the connection is up, but the Network tab shows one Security Association established and almost immediately expired and no traffic actually makes it through. The two Juniper firewalls' configurations are basically identical, with the exception of having slightly different patch levels of ScreenOS: 6.0.0R5 on the misbehaving connection, versus 6.0.0R3 on the one that's fine.

I'm currently testing from a Windows 7 Professional 64-bit workstation with version 2.1.7 of the Shrew client, but I also see the same behaviour with Shrew clients 2.1.5 -> 2.2.0-beta-1 on Linux and older 32- and 64-bit versions of Windows.

The iked.log is attached. The SSG logs don't show any difference between the successful and unsuccessful connections. I'd appreciate any pointers about where to look for the problem or what other parameters I may be able to tweak.

Thanks,
Val

11/07/05 12:47:16 ## : IKE Daemon, ver 2.1.7
11/07/05 12:47:16 ## : Copyright 2010 Shrew Soft Inc.
11/07/05 12:47:16 ## : This product linked OpenSSL 0.9.8h 28 May 2008
11/07/05 12:47:16 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
11/07/05 12:47:16 ii : rebuilding vnet device list ...
11/07/05 12:47:16 ii : device ROOT\VNET\0000 disabled
11/07/05 12:47:16 ii : network process thread begin ...
11/07/05 12:47:16 ii : pfkey process thread begin ...
11/07/05 12:47:16 ii : ipc server process thread begin ...
11/07/05 12:47:33 ii : ipc client process thread begin ...
11/07/05 12:47:33 <A : peer config add message
11/07/05 12:47:33 DB : peer added ( obj count = 1 )
11/07/05 12:47:33 ii : local address 172.20.30.118 selected for peer
11/07/05 12:47:33 DB : tunnel added ( obj count = 1 )
11/07/05 12:47:33 <A : proposal config message
11/07/05 12:47:33 <A : proposal config message
11/07/05 12:47:33 <A : client config message
11/07/05 12:47:33 <A : xauth username message
11/07/05 12:47:33 <A : xauth password message
11/07/05 12:47:33 <A : local id '<user@fqdn>' message
11/07/05 12:47:33 <A : preshared key message
11/07/05 12:47:33 <A : remote resource message
11/07/05 12:47:33 <A : peer tunnel enable message
11/07/05 12:47:33 DB : new phase1 ( ISAKMP initiator )
11/07/05 12:47:33 DB : exchange type is aggressive
11/07/05 12:47:33 DB : 172.20.30.118:500 <-> <gateway>:500
11/07/05 12:47:33 DB : f612335580096ecb:0000000000000000
11/07/05 12:47:33 DB : phase1 added ( obj count = 1 )
11/07/05 12:47:33 >> : security association payload
11/07/05 12:47:33 >> : - proposal #1 payload
11/07/05 12:47:33 >> : -- transform #1 payload
11/07/05 12:47:33 >> : key exchange payload
11/07/05 12:47:33 >> : nonce payload
11/07/05 12:47:33 >> : identification payload
11/07/05 12:47:33 >> : vendor id payload
11/07/05 12:47:33 ii : local supports XAUTH
11/07/05 12:47:33 >> : vendor id payload
11/07/05 12:47:33 ii : local supports nat-t ( draft v00 )
11/07/05 12:47:33 >> : vendor id payload
11/07/05 12:47:33 ii : local supports nat-t ( draft v01 )
11/07/05 12:47:33 >> : vendor id payload
11/07/05 12:47:33 ii : local supports nat-t ( draft v02 )
11/07/05 12:47:33 >> : vendor id payload
11/07/05 12:47:33 ii : local supports nat-t ( draft v03 )
11/07/05 12:47:33 >> : vendor id payload
11/07/05 12:47:33 ii : local supports nat-t ( rfc )
11/07/05 12:47:33 >> : vendor id payload
11/07/05 12:47:33 ii : local is SHREW SOFT compatible
11/07/05 12:47:33 >> : vendor id payload
11/07/05 12:47:33 ii : local is NETSCREEN compatible
11/07/05 12:47:33 >> : vendor id payload
11/07/05 12:47:33 ii : local is SIDEWINDER compatible
11/07/05 12:47:33 >> : vendor id payload
11/07/05 12:47:33 ii : local is CISCO UNITY compatible
11/07/05 12:47:33 >= : cookies f612335580096ecb:0000000000000000
11/07/05 12:47:33 >= : message 00000000
11/07/05 12:47:33 -> : send IKE packet 172.20.30.118:500 -> <gateway>:500 ( 487 bytes )
11/07/05 12:47:33 DB : phase1 resend event scheduled ( ref count = 2 )
11/07/05 12:47:33 <- : recv IKE packet <gateway>:500 -> 172.20.30.118:500 ( 432 bytes )
11/07/05 12:47:33 DB : phase1 found
11/07/05 12:47:33 ii : processing phase1 packet ( 432 bytes )
11/07/05 12:47:33 =< : cookies f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:33 =< : message 00000000
11/07/05 12:47:33 << : security association payload
11/07/05 12:47:33 << : - propsal #1 payload
11/07/05 12:47:33 << : -- transform #1 payload
11/07/05 12:47:33 ii : matched isakmp proposal #1 transform #1
11/07/05 12:47:33 ii : - transform = ike
11/07/05 12:47:33 ii : - cipher type = 3des
11/07/05 12:47:33 ii : - key length = default
11/07/05 12:47:33 ii : - hash type = sha1
11/07/05 12:47:33 ii : - dh group = modp-1024
11/07/05 12:47:33 ii : - auth type = xauth-initiator-psk
11/07/05 12:47:33 ii : - life seconds = 86400
11/07/05 12:47:33 ii : - life kbytes = 0
11/07/05 12:47:33 << : vendor id payload
11/07/05 12:47:33 ii : unknown vendor id ( 28 bytes )
11/07/05 12:47:33 0x : 166f932d 55eb64d8 e4df4fd3 7e2313f0 d0fd8451 00000000 00000000
11/07/05 12:47:33 << : vendor id payload
11/07/05 12:47:33 ii : peer supports XAUTH
11/07/05 12:47:33 << : vendor id payload
11/07/05 12:47:33 ii : peer supports DPDv1
11/07/05 12:47:33 << : vendor id payload
11/07/05 12:47:33 ii : peer supports HEARTBEAT-NOTIFY
11/07/05 12:47:33 << : key exchange payload
11/07/05 12:47:33 << : nonce payload
11/07/05 12:47:33 << : identification payload
11/07/05 12:47:33 ii : phase1 id match ( natt prevents ip match )
11/07/05 12:47:33 ii : received = ipv4-host <gateway>
11/07/05 12:47:33 << : hash payload
11/07/05 12:47:33 << : vendor id payload
11/07/05 12:47:33 ii : peer supports nat-t ( draft v02 )
11/07/05 12:47:33 << : nat discovery payload
11/07/05 12:47:33 << : nat discovery payload
11/07/05 12:47:33 ii : nat discovery - local address is translated
11/07/05 12:47:33 ii : switching to src nat-t udp port 4500
11/07/05 12:47:33 ii : switching to dst nat-t udp port 4500
11/07/05 12:47:33 == : DH shared secret ( 128 bytes )
11/07/05 12:47:33 == : SETKEYID ( 20 bytes )
11/07/05 12:47:33 == : SETKEYID_d ( 20 bytes )
11/07/05 12:47:33 == : SETKEYID_a ( 20 bytes )
11/07/05 12:47:33 == : SETKEYID_e ( 20 bytes )
11/07/05 12:47:33 == : cipher key ( 40 bytes )
11/07/05 12:47:33 == : cipher iv ( 8 bytes )
11/07/05 12:47:33 == : phase1 hash_i ( computed ) ( 20 bytes )
11/07/05 12:47:33 >> : hash payload
11/07/05 12:47:33 >> : nat discovery payload
11/07/05 12:47:33 >> : nat discovery payload
11/07/05 12:47:33 >= : cookies f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:33 >= : message 00000000
11/07/05 12:47:33 >= : encrypt iv ( 8 bytes )
11/07/05 12:47:33 == : encrypt packet ( 100 bytes )
11/07/05 12:47:33 == : stored iv ( 8 bytes )
11/07/05 12:47:33 DB : phase1 resend event canceled ( ref count = 1 )
11/07/05 12:47:33 -> : send NAT-T:IKE packet 172.20.30.118:4500 -> <gateway>:4500 ( 132 bytes )
11/07/05 12:47:33 == : phase1 hash_r ( computed ) ( 20 bytes )
11/07/05 12:47:33 == : phase1 hash_r ( received ) ( 20 bytes )
11/07/05 12:47:33 ii : phase1 sa established
11/07/05 12:47:33 ii : <gateway>:4500 <-> 172.20.30.118:4500
11/07/05 12:47:33 ii : f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:33 ii : sending peer INITIAL-CONTACT notification
11/07/05 12:47:33 ii : - 172.20.30.118:4500 -> <gateway>:4500
11/07/05 12:47:33 ii : - isakmp spi = f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:33 ii : - data size 0
11/07/05 12:47:33 >> : hash payload
11/07/05 12:47:33 >> : notification payload
11/07/05 12:47:33 == : new informational hash ( 20 bytes )
11/07/05 12:47:33 == : new informational iv ( 8 bytes )
11/07/05 12:47:33 >= : cookies f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:33 >= : message ca423718
11/07/05 12:47:33 >= : encrypt iv ( 8 bytes )
11/07/05 12:47:33 == : encrypt packet ( 80 bytes )
11/07/05 12:47:33 == : stored iv ( 8 bytes )
11/07/05 12:47:33 -> : send NAT-T:IKE packet 172.20.30.118:4500 -> <gateway>:4500 ( 116 bytes )
11/07/05 12:47:33 DB : phase2 not found
11/07/05 12:47:33 <- : recv NAT-T:IKE packet <gateway>:4500 -> 172.20.30.118:4500 ( 76 bytes )
11/07/05 12:47:33 DB : phase1 found
11/07/05 12:47:33 ii : processing config packet ( 76 bytes )
11/07/05 12:47:33 DB : config not found
11/07/05 12:47:33 DB : config added ( obj count = 1 )
11/07/05 12:47:33 == : new config iv ( 8 bytes )
11/07/05 12:47:33 =< : cookies f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:33 =< : message a6dbad87
11/07/05 12:47:33 =< : decrypt iv ( 8 bytes )
11/07/05 12:47:33 == : decrypt packet ( 76 bytes )
11/07/05 12:47:33 <= : trimmed packet padding ( 4 bytes )
11/07/05 12:47:33 <= : stored iv ( 8 bytes )
11/07/05 12:47:33 << : hash payload
11/07/05 12:47:33 << : attribute payload
11/07/05 12:47:33 == : configure hash_i ( computed ) ( 20 bytes )
11/07/05 12:47:33 == : configure hash_c ( computed ) ( 20 bytes )
11/07/05 12:47:33 ii : configure hash verified
11/07/05 12:47:33 ii : - xauth authentication type
11/07/05 12:47:33 ii : - xauth username
11/07/05 12:47:33 ii : - xauth password
11/07/05 12:47:33 ii : received basic xauth request -
11/07/05 12:47:33 ii : - standard xauth username
11/07/05 12:47:33 ii : - standard xauth password
11/07/05 12:47:33 ii : sending xauth response for <user>
11/07/05 12:47:33 >> : hash payload
11/07/05 12:47:33 >> : attribute payload
11/07/05 12:47:33 == : new configure hash ( 20 bytes )
11/07/05 12:47:33 >= : cookies f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:33 >= : message a6dbad87
11/07/05 12:47:33 >= : encrypt iv ( 8 bytes )
11/07/05 12:47:33 == : encrypt packet ( 88 bytes )
11/07/05 12:47:33 == : stored iv ( 8 bytes )
11/07/05 12:47:33 -> : send NAT-T:IKE packet 172.20.30.118:4500 -> <gateway>:4500 ( 124 bytes )
11/07/05 12:47:33 DB : config resend event scheduled ( ref count = 2 )
11/07/05 12:47:33 <- : recv NAT-T:IKE packet <gateway>:4500 -> 172.20.30.118:4500 ( 100 bytes )
11/07/05 12:47:33 DB : phase1 found
11/07/05 12:47:33 ii : processing config packet ( 100 bytes )
11/07/05 12:47:33 DB : config found
11/07/05 12:47:33 == : new config iv ( 8 bytes )
11/07/05 12:47:33 =< : cookies f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:33 =< : message 043c7a5c
11/07/05 12:47:33 =< : decrypt iv ( 8 bytes )
11/07/05 12:47:33 == : decrypt packet ( 100 bytes )
11/07/05 12:47:33 <= : trimmed packet padding ( 8 bytes )
11/07/05 12:47:33 <= : stored iv ( 8 bytes )
11/07/05 12:47:33 << : hash payload
11/07/05 12:47:33 << : attribute payload
11/07/05 12:47:33 == : configure hash_i ( computed ) ( 20 bytes )
11/07/05 12:47:33 == : configure hash_c ( computed ) ( 20 bytes )
11/07/05 12:47:33 ii : configure hash verified
11/07/05 12:47:33 ii : received config push request
11/07/05 12:47:33 ii : - IP4 Address = 192.168.8.26
11/07/05 12:47:33 ii : - IP4 Netmask = 255.255.255.255
11/07/05 12:47:33 ii : - IP4 DNS Server = 192.168.0.3
11/07/05 12:47:33 ii : - IP4 DNS Server = 192.168.0.69
11/07/05 12:47:33 ii : building config attribute list
11/07/05 12:47:33 ii : - IP4 Address
11/07/05 12:47:33 ii : - Address Expiry
11/07/05 12:47:33 ii : - IP4 Netamask
11/07/05 12:47:33 ii : - IP4 DNS Server
11/07/05 12:47:33 ii : - IP4 WINS Server
11/07/05 12:47:33 ii : sending config push acknowledge
11/07/05 12:47:33 >> : hash payload
11/07/05 12:47:33 >> : attribute payload
11/07/05 12:47:33 == : new configure hash ( 20 bytes )
11/07/05 12:47:33 >= : cookies f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:33 >= : message 043c7a5c
11/07/05 12:47:33 >= : encrypt iv ( 8 bytes )
11/07/05 12:47:33 == : encrypt packet ( 80 bytes )
11/07/05 12:47:33 == : stored iv ( 8 bytes )
11/07/05 12:47:33 DB : config resend event canceled ( ref count = 1 )
11/07/05 12:47:33 -> : send NAT-T:IKE packet 172.20.30.118:4500 -> <gateway>:4500 ( 116 bytes )
11/07/05 12:47:33 DB : config resend event scheduled ( ref count = 2 )
11/07/05 12:47:33 <- : recv NAT-T:IKE packet <gateway>:4500 -> 172.20.30.118:4500 ( 68 bytes )
11/07/05 12:47:33 DB : phase1 found
11/07/05 12:47:33 ii : processing config packet ( 68 bytes )
11/07/05 12:47:33 DB : config found
11/07/05 12:47:33 == : new config iv ( 8 bytes )
11/07/05 12:47:33 =< : cookies f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:33 =< : message bd238728
11/07/05 12:47:33 =< : decrypt iv ( 8 bytes )
11/07/05 12:47:33 == : decrypt packet ( 68 bytes )
11/07/05 12:47:33 <= : trimmed packet padding ( 4 bytes )
11/07/05 12:47:33 <= : stored iv ( 8 bytes )
11/07/05 12:47:33 << : hash payload
11/07/05 12:47:33 << : attribute payload
11/07/05 12:47:33 == : configure hash_i ( computed ) ( 20 bytes )
11/07/05 12:47:33 == : configure hash_c ( computed ) ( 20 bytes )
11/07/05 12:47:33 ii : configure hash verified
11/07/05 12:47:33 ii : received xauth result -
11/07/05 12:47:33 ii : user <user> authentication succeeded
11/07/05 12:47:33 ii : sending xauth acknowledge
11/07/05 12:47:33 >> : hash payload
11/07/05 12:47:33 >> : attribute payload
11/07/05 12:47:33 == : new configure hash ( 20 bytes )
11/07/05 12:47:33 >= : cookies f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:33 >= : message bd238728
11/07/05 12:47:33 >= : encrypt iv ( 8 bytes )
11/07/05 12:47:33 == : encrypt packet ( 60 bytes )
11/07/05 12:47:33 == : stored iv ( 8 bytes )
11/07/05 12:47:33 DB : config resend event canceled ( ref count = 1 )
11/07/05 12:47:33 -> : send NAT-T:IKE packet 172.20.30.118:4500 -> <gateway>:4500 ( 92 bytes )
11/07/05 12:47:33 DB : config resend event scheduled ( ref count = 2 )
11/07/05 12:47:33 DB : config resend event canceled ( ref count = 1 )
11/07/05 12:47:33 ii : enabled adapter ROOT\VNET\0000
11/07/05 12:47:33 ii : adapter ROOT\VNET\0000 unavailable, retrying ...
11/07/05 12:47:34 ii : apapter ROOT\VNET\0000 MTU is 1500
11/07/05 12:47:34 ii : generating IPSEC security policies at UNIQUE level
11/07/05 12:47:34 ii : creating NONE INBOUND policy ANY:<gateway>:* -> ANY:172.20.30.118:*
11/07/05 12:47:34 DB : policy added ( obj count = 1 )
11/07/05 12:47:34 K> : send pfkey X_SPDADD UNSPEC message
11/07/05 12:47:34 ii : creating NONE OUTBOUND policy ANY:172.20.30.118:* -> ANY:<gateway>:*
11/07/05 12:47:34 K< : recv pfkey X_SPDADD UNSPEC message
11/07/05 12:47:34 DB : policy found
11/07/05 12:47:34 ii : created NONE policy route for <gateway>/32
11/07/05 12:47:34 DB : policy added ( obj count = 2 )
11/07/05 12:47:34 K> : send pfkey X_SPDADD UNSPEC message
11/07/05 12:47:34 K< : recv pfkey X_SPDADD UNSPEC message
11/07/05 12:47:34 DB : policy found
11/07/05 12:47:34 ii : calling init phase2 for nailed policy
11/07/05 12:47:34 DB : policy found
11/07/05 12:47:34 DB : policy not found
11/07/05 12:47:34 !! : unable to locate inbound policy for init phase2
11/07/05 12:47:34 ii : creating NONE INBOUND policy ANY:172.20.30.1:* -> ANY:192.168.8.26:*
11/07/05 12:47:34 DB : policy added ( obj count = 3 )
11/07/05 12:47:34 K> : send pfkey X_SPDADD UNSPEC message
11/07/05 12:47:34 ii : creating NONE OUTBOUND policy ANY:192.168.8.26:* -> ANY:172.20.30.1:*
11/07/05 12:47:34 K< : recv pfkey X_SPDADD UNSPEC message
11/07/05 12:47:34 DB : policy found
11/07/05 12:47:34 ii : created NONE policy route for 172.20.30.1/32
11/07/05 12:47:34 DB : policy added ( obj count = 4 )
11/07/05 12:47:34 K> : send pfkey X_SPDADD UNSPEC message
11/07/05 12:47:34 ii : creating IPSEC INBOUND policy ANY:192.168.0.0/16:* -> ANY:192.168.8.26:*
11/07/05 12:47:34 DB : policy added ( obj count = 5 )
11/07/05 12:47:34 K> : send pfkey X_SPDADD UNSPEC message
11/07/05 12:47:34 ii : creating IPSEC OUTBOUND policy ANY:192.168.8.26:* -> ANY:192.168.0.0/16:*
11/07/05 12:47:34 K< : recv pfkey X_SPDADD UNSPEC message
11/07/05 12:47:34 DB : policy found
11/07/05 12:47:34 ii : calling init phase2 for nailed policy
11/07/05 12:47:34 DB : policy found
11/07/05 12:47:34 DB : policy not found
11/07/05 12:47:34 !! : unable to locate inbound policy for init phase2
11/07/05 12:47:34 K< : recv pfkey X_SPDADD UNSPEC message
11/07/05 12:47:34 DB : policy found
11/07/05 12:47:34 ii : created IPSEC policy route for 192.168.0.0/16
11/07/05 12:47:34 DB : policy added ( obj count = 6 )
11/07/05 12:47:34 K> : send pfkey X_SPDADD UNSPEC message
11/07/05 12:47:34 ii : split DNS bypassed ( no split domains defined )
11/07/05 12:47:34 K< : recv pfkey X_SPDADD UNSPEC message
11/07/05 12:47:34 DB : policy found
11/07/05 12:47:34 ii : calling init phase2 for nailed policy
11/07/05 12:47:34 DB : policy found
11/07/05 12:47:34 DB : policy found
11/07/05 12:47:34 DB : tunnel found
11/07/05 12:47:34 DB : new phase2 ( IPSEC initiator )
11/07/05 12:47:34 DB : phase2 added ( obj count = 1 )
11/07/05 12:47:34 K> : send pfkey GETSPI ESP message
11/07/05 12:47:34 K< : recv pfkey GETSPI ESP message
11/07/05 12:47:34 DB : phase2 found
11/07/05 12:47:34 ii : updated spi for 1 ipsec-esp proposal
11/07/05 12:47:34 DB : phase1 found
11/07/05 12:47:34 >> : hash payload
11/07/05 12:47:34 >> : security association payload
11/07/05 12:47:34 >> : - proposal #1 payload
11/07/05 12:47:34 >> : -- transform #1 payload
11/07/05 12:47:34 >> : -- transform #2 payload
11/07/05 12:47:34 >> : -- transform #3 payload
11/07/05 12:47:34 >> : -- transform #4 payload
11/07/05 12:47:34 >> : -- transform #5 payload
11/07/05 12:47:34 >> : -- transform #6 payload
11/07/05 12:47:34 >> : -- transform #7 payload
11/07/05 12:47:34 >> : -- transform #8 payload
11/07/05 12:47:34 >> : -- transform #9 payload
11/07/05 12:47:34 >> : -- transform #10 payload
11/07/05 12:47:34 >> : -- transform #11 payload
11/07/05 12:47:34 >> : -- transform #12 payload
11/07/05 12:47:34 >> : -- transform #13 payload
11/07/05 12:47:34 >> : -- transform #14 payload
11/07/05 12:47:34 >> : -- transform #15 payload
11/07/05 12:47:34 >> : -- transform #16 payload
11/07/05 12:47:34 >> : -- transform #17 payload
11/07/05 12:47:34 >> : -- transform #18 payload
11/07/05 12:47:34 >> : nonce payload
11/07/05 12:47:34 >> : identification payload
11/07/05 12:47:34 >> : identification payload
11/07/05 12:47:34 == : phase2 hash_i ( input ) ( 632 bytes )
11/07/05 12:47:34 == : phase2 hash_i ( computed ) ( 20 bytes )
11/07/05 12:47:34 == : new phase2 iv ( 8 bytes )
11/07/05 12:47:34 >= : cookies f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:34 >= : message 2e8a60c4
11/07/05 12:47:34 >= : encrypt iv ( 8 bytes )
11/07/05 12:47:34 == : encrypt packet ( 680 bytes )
11/07/05 12:47:34 == : stored iv ( 8 bytes )
11/07/05 12:47:34 -> : send NAT-T:IKE packet 172.20.30.118:4500 -> <gateway>:4500 ( 716 bytes )
11/07/05 12:47:34 DB : phase2 resend event scheduled ( ref count = 2 )
11/07/05 12:47:34 <- : recv NAT-T:IKE packet <gateway>:4500 -> 172.20.30.118:4500 ( 164 bytes )
11/07/05 12:47:34 DB : phase1 found
11/07/05 12:47:34 ii : processing phase2 packet ( 164 bytes )
11/07/05 12:47:34 DB : phase2 found
11/07/05 12:47:34 =< : cookies f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:34 =< : message 2e8a60c4
11/07/05 12:47:34 =< : decrypt iv ( 8 bytes )
11/07/05 12:47:34 == : decrypt packet ( 164 bytes )
11/07/05 12:47:34 <= : trimmed packet padding ( 8 bytes )
11/07/05 12:47:34 <= : stored iv ( 8 bytes )
11/07/05 12:47:34 << : hash payload
11/07/05 12:47:34 << : security association payload
11/07/05 12:47:34 << : - propsal #1 payload
11/07/05 12:47:34 << : -- transform #1 payload
11/07/05 12:47:34 << : nonce payload
11/07/05 12:47:34 << : identification payload
11/07/05 12:47:34 << : identification payload
11/07/05 12:47:34 == : phase2 hash_r ( input ) ( 128 bytes )
11/07/05 12:47:34 == : phase2 hash_r ( computed ) ( 20 bytes )
11/07/05 12:47:34 == : phase2 hash_r ( received ) ( 20 bytes )
11/07/05 12:47:34 ii : unmatched ipsec-esp proposal/transform
11/07/05 12:47:34 ii : crypto transform type ( esp-3des != esp-aes )
11/07/05 12:47:34 ii : unmatched ipsec-esp proposal/transform
11/07/05 12:47:34 ii : crypto transform type ( esp-3des != esp-aes )
11/07/05 12:47:34 ii : unmatched ipsec-esp proposal/transform
11/07/05 12:47:34 ii : crypto transform type ( esp-3des != esp-aes )
11/07/05 12:47:34 ii : unmatched ipsec-esp proposal/transform
11/07/05 12:47:34 ii : crypto transform type ( esp-3des != esp-aes )
11/07/05 12:47:34 ii : unmatched ipsec-esp proposal/transform
11/07/05 12:47:34 ii : crypto transform type ( esp-3des != esp-aes )
11/07/05 12:47:34 ii : unmatched ipsec-esp proposal/transform
11/07/05 12:47:34 ii : crypto transform type ( esp-3des != esp-aes )
11/07/05 12:47:34 ii : unmatched ipsec-esp proposal/transform
11/07/05 12:47:34 ii : crypto transform type ( esp-3des != esp-blowfish )
11/07/05 12:47:34 ii : unmatched ipsec-esp proposal/transform
11/07/05 12:47:34 ii : crypto transform type ( esp-3des != esp-blowfish )
11/07/05 12:47:34 ii : unmatched ipsec-esp proposal/transform
11/07/05 12:47:34 ii : crypto transform type ( esp-3des != esp-blowfish )
11/07/05 12:47:34 ii : unmatched ipsec-esp proposal/transform
11/07/05 12:47:34 ii : crypto transform type ( esp-3des != esp-blowfish )
11/07/05 12:47:34 ii : unmatched ipsec-esp proposal/transform
11/07/05 12:47:34 ii : crypto transform type ( esp-3des != esp-blowfish )
11/07/05 12:47:34 ii : unmatched ipsec-esp proposal/transform
11/07/05 12:47:34 ii : crypto transform type ( esp-3des != esp-blowfish )
11/07/05 12:47:34 ii : unmatched ipsec-esp proposal/transform
11/07/05 12:47:34 ii : msg auth ( hmac-sha != hmac-md5 )
11/07/05 12:47:34 !! : peer violates RFC, transform number mismatch ( 1 != 14 )
11/07/05 12:47:34 ii : matched ipsec-esp proposal #1 transform #14
11/07/05 12:47:34 ii : - transform = esp-3des
11/07/05 12:47:34 ii : - key length = default
11/07/05 12:47:34 ii : - encap mode = udp-tunnel ( draft )
11/07/05 12:47:34 ii : - msg auth = hmac-sha
11/07/05 12:47:34 ii : - pfs dh group = none
11/07/05 12:47:34 ii : - life seconds = 3600
11/07/05 12:47:34 ii : - life kbytes = 0
11/07/05 12:47:34 DB : policy found
11/07/05 12:47:34 K> : send pfkey GETSPI ESP message
11/07/05 12:47:34 ii : phase2 ids accepted
11/07/05 12:47:34 ii : - loc ANY:192.168.8.26:* -> ANY:192.168.0.0/16:*
11/07/05 12:47:34 ii : - rmt ANY:192.168.0.0/16:* -> ANY:192.168.8.26:*
11/07/05 12:47:34 ii : phase2 sa established
11/07/05 12:47:34 ii : 172.20.30.118:4500 <-> <gateway>:4500
11/07/05 12:47:34 == : phase2 hash_p ( input ) ( 45 bytes )
11/07/05 12:47:34 == : phase2 hash_p ( computed ) ( 20 bytes )
11/07/05 12:47:34 >> : hash payload
11/07/05 12:47:34 >= : cookies f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:34 >= : message 2e8a60c4
11/07/05 12:47:34 >= : encrypt iv ( 8 bytes )
11/07/05 12:47:34 == : encrypt packet ( 52 bytes )
11/07/05 12:47:34 == : stored iv ( 8 bytes )
11/07/05 12:47:34 DB : phase2 resend event canceled ( ref count = 1 )
11/07/05 12:47:34 -> : send NAT-T:IKE packet 172.20.30.118:4500 -> <gateway>:4500 ( 84 bytes )
11/07/05 12:47:34 K< : recv pfkey GETSPI ESP message
11/07/05 12:47:34 == : spi cipher key data ( 24 bytes )
11/07/05 12:47:34 DB : phase2 found
11/07/05 12:47:34 == : spi hmac key data ( 20 bytes )
11/07/05 12:47:34 K> : send pfkey UPDATE ESP message
11/07/05 12:47:34 == : spi cipher key data ( 24 bytes )
11/07/05 12:47:34 == : spi hmac key data ( 20 bytes )
11/07/05 12:47:34 K> : send pfkey UPDATE ESP message
11/07/05 12:47:34 K< : recv pfkey UPDATE ESP message
11/07/05 12:47:34 K< : recv pfkey UPDATE ESP message
11/07/05 12:47:34 <- : recv NAT-T:IKE packet <gateway>:4500 -> 172.20.30.118:4500 ( 76 bytes )
11/07/05 12:47:34 DB : phase1 found
11/07/05 12:47:34 ii : processing phase2 packet ( 76 bytes )
11/07/05 12:47:34 DB : phase2 found
11/07/05 12:47:34 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/07/05 12:47:34 -> : resend 1 phase2 packet(s) 172.20.30.118:4500 -> <gateway>:4500
11/07/05 12:47:34 <- : recv NAT-T:IKE packet <gateway>:4500 -> 172.20.30.118:4500 ( 76 bytes )
11/07/05 12:47:34 DB : phase1 found
11/07/05 12:47:34 ii : processing phase2 packet ( 76 bytes )
11/07/05 12:47:34 DB : phase2 found
11/07/05 12:47:34 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/07/05 12:47:34 -> : resend 1 phase2 packet(s) 172.20.30.118:4500 -> <gateway>:4500
11/07/05 12:47:34 <- : recv NAT-T:IKE packet <gateway>:4500 -> 172.20.30.118:4500 ( 76 bytes )
11/07/05 12:47:34 DB : phase1 found
11/07/05 12:47:34 ii : processing phase2 packet ( 76 bytes )
11/07/05 12:47:34 DB : phase2 found
11/07/05 12:47:34 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/07/05 12:47:34 -> : resend 1 phase2 packet(s) 172.20.30.118:4500 -> <gateway>:4500
11/07/05 12:47:35 <- : recv NAT-T:IKE packet <gateway>:4500 -> 172.20.30.118:4500 ( 76 bytes )
11/07/05 12:47:35 DB : phase1 found
11/07/05 12:47:35 ii : processing phase2 packet ( 76 bytes )
11/07/05 12:47:35 DB : phase2 found
11/07/05 12:47:35 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/07/05 12:47:35 ii : resend limit exceeded for phase2 exchange
11/07/05 12:47:35 DB : phase2 soft event canceled ( ref count = 2 )
11/07/05 12:47:35 DB : phase2 hard event canceled ( ref count = 1 )
11/07/05 12:47:35 DB : phase1 found
11/07/05 12:47:35 ii : sending peer DELETE message
11/07/05 12:47:35 ii : - 172.20.30.118:4500 -> <gateway>:4500
11/07/05 12:47:35 ii : - ipsec-esp spi = 0x6c0f293c
11/07/05 12:47:35 ii : - data size 0
11/07/05 12:47:35 >> : hash payload
11/07/05 12:47:35 >> : delete payload
11/07/05 12:47:35 == : new informational hash ( 20 bytes )
11/07/05 12:47:35 == : new informational iv ( 8 bytes )
11/07/05 12:47:35 >= : cookies f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:47:35 >= : message 90347538
11/07/05 12:47:35 >= : encrypt iv ( 8 bytes )
11/07/05 12:47:35 == : encrypt packet ( 68 bytes )
11/07/05 12:47:35 == : stored iv ( 8 bytes )
11/07/05 12:47:35 -> : send NAT-T:IKE packet 172.20.30.118:4500 -> <gateway>:4500 ( 100 bytes )
11/07/05 12:47:35 K> : send pfkey DELETE ESP message
11/07/05 12:47:35 K> : send pfkey DELETE ESP message
11/07/05 12:47:35 ii : phase2 removal before expire time
11/07/05 12:47:35 DB : phase2 deleted ( obj count = 0 )
11/07/05 12:47:35 K< : recv pfkey DELETE ESP message
11/07/05 12:47:35 K< : recv pfkey DELETE ESP message
11/07/05 12:47:37 K< : recv pfkey ACQUIRE UNSPEC message
11/07/05 12:47:37 DB : policy found
11/07/05 12:47:37 ii : ignoring init phase2 by acquire, tunnel is nailed
11/07/05 12:47:48 DB : phase1 found
11/07/05 12:47:48 -> : send NAT-T:KEEP-ALIVE packet 172.20.30.118:4500 -> <gateway>:4500
11/07/05 12:47:57 K< : recv pfkey ACQUIRE UNSPEC message
11/07/05 12:47:57 DB : policy found
11/07/05 12:47:57 ii : ignoring init phase2 by acquire, tunnel is nailed
11/07/05 12:48:03 DB : phase1 found
11/07/05 12:48:03 -> : send NAT-T:KEEP-ALIVE packet 172.20.30.118:4500 -> <gateway>:4500
11/07/05 12:48:16 K< : recv pfkey ACQUIRE UNSPEC message
11/07/05 12:48:16 DB : policy found
11/07/05 12:48:16 ii : ignoring init phase2 by acquire, tunnel is nailed
11/07/05 12:48:18 DB : phase1 found
11/07/05 12:48:18 -> : send NAT-T:KEEP-ALIVE packet 172.20.30.118:4500 -> <gateway>:4500
11/07/05 12:48:33 DB : phase1 found
11/07/05 12:48:33 -> : send NAT-T:KEEP-ALIVE packet 172.20.30.118:4500 -> <gateway>:4500
11/07/05 12:48:36 K< : recv pfkey ACQUIRE UNSPEC message
11/07/05 12:48:36 DB : policy found
11/07/05 12:48:36 ii : ignoring init phase2 by acquire, tunnel is nailed
11/07/05 12:48:48 DB : phase1 found
11/07/05 12:48:48 -> : send NAT-T:KEEP-ALIVE packet 172.20.30.118:4500 -> <gateway>:4500
11/07/05 12:48:56 K< : recv pfkey ACQUIRE UNSPEC message
11/07/05 12:48:56 DB : policy found
11/07/05 12:48:56 ii : ignoring init phase2 by acquire, tunnel is nailed
11/07/05 12:49:03 DB : phase1 found
11/07/05 12:49:03 -> : send NAT-T:KEEP-ALIVE packet 172.20.30.118:4500 -> <gateway>:4500
11/07/05 12:49:16 K< : recv pfkey ACQUIRE UNSPEC message
11/07/05 12:49:16 DB : policy found
11/07/05 12:49:16 ii : ignoring init phase2 by acquire, tunnel is nailed
11/07/05 12:49:18 DB : phase1 found
11/07/05 12:49:18 -> : send NAT-T:KEEP-ALIVE packet 172.20.30.118:4500 -> <gateway>:4500
11/07/05 12:49:28 <A : peer tunnel disable message
11/07/05 12:49:28 DB : policy found
11/07/05 12:49:28 ii : removing IPSEC INBOUND policy ANY:192.168.0.0/16:* -> ANY:192.168.8.26:*
11/07/05 12:49:28 K> : send pfkey X_SPDDELETE2 UNSPEC message
11/07/05 12:49:28 DB : policy found
11/07/05 12:49:28 ii : removing IPSEC OUTBOUND policy ANY:192.168.8.26:* -> ANY:192.168.0.0/16:*
11/07/05 12:49:28 K> : send pfkey X_SPDDELETE2 UNSPEC message
11/07/05 12:49:28 K< : recv pfkey X_SPDDELETE2 UNSPEC message
11/07/05 12:49:28 ii : removed IPSEC policy route for ANY:192.168.0.0/16:*
11/07/05 12:49:28 DB : policy found
11/07/05 12:49:28 ii : removing NONE INBOUND policy ANY:<gateway>:* -> ANY:172.20.30.118:*
11/07/05 12:49:28 K> : send pfkey X_SPDDELETE2 UNSPEC message
11/07/05 12:49:28 DB : policy found
11/07/05 12:49:28 ii : removing NONE OUTBOUND policy ANY:172.20.30.118:* -> ANY:<gateway>:*
11/07/05 12:49:28 K> : send pfkey X_SPDDELETE2 UNSPEC message
11/07/05 12:49:28 ii : removed NONE policy route for ANY:<gateway>:*
11/07/05 12:49:28 DB : policy found
11/07/05 12:49:28 ii : removing NONE INBOUND policy ANY:172.20.30.1:* -> ANY:192.168.8.26:*
11/07/05 12:49:28 K> : send pfkey X_SPDDELETE2 UNSPEC message
11/07/05 12:49:28 DB : policy found
11/07/05 12:49:28 ii : removing NONE OUTBOUND policy ANY:192.168.8.26:* -> ANY:172.20.30.1:*
11/07/05 12:49:28 K> : send pfkey X_SPDDELETE2 UNSPEC message
11/07/05 12:49:28 ii : removed NONE policy route for ANY:172.20.30.1:*
11/07/05 12:49:28 DB : policy found
11/07/05 12:49:28 DB : policy deleted ( obj count = 5 )
11/07/05 12:49:28 K< : recv pfkey X_SPDDELETE2 UNSPEC message
11/07/05 12:49:28 DB : policy found
11/07/05 12:49:28 K< : recv pfkey X_SPDDELETE2 UNSPEC message
11/07/05 12:49:28 DB : policy found
11/07/05 12:49:28 DB : policy deleted ( obj count = 4 )
11/07/05 12:49:28 K< : recv pfkey X_SPDDELETE2 UNSPEC message
11/07/05 12:49:28 DB : policy found
11/07/05 12:49:28 DB : policy deleted ( obj count = 3 )
11/07/05 12:49:28 K< : recv pfkey X_SPDDELETE2 UNSPEC message
11/07/05 12:49:28 DB : policy found
11/07/05 12:49:28 DB : policy deleted ( obj count = 2 )
11/07/05 12:49:28 K< : recv pfkey X_SPDDELETE2 UNSPEC message
11/07/05 12:49:28 DB : policy found
11/07/05 12:49:28 DB : policy deleted ( obj count = 1 )
11/07/05 12:49:28 ii : disable adapter ROOT\VNET\0000
11/07/05 12:49:28 DB : tunnel natt event canceled ( ref count = 4 )
11/07/05 12:49:28 DB : tunnel stats event canceled ( ref count = 3 )
11/07/05 12:49:28 DB : removing tunnel config references
11/07/05 12:49:28 DB : config deleted ( obj count = 0 )
11/07/05 12:49:28 DB : removing tunnel phase2 references
11/07/05 12:49:28 DB : removing tunnel phase1 references
11/07/05 12:49:28 DB : phase1 soft event canceled ( ref count = 3 )
11/07/05 12:49:28 DB : phase1 hard event canceled ( ref count = 2 )
11/07/05 12:49:28 DB : phase1 dead event canceled ( ref count = 1 )
11/07/05 12:49:28 ii : sending peer DELETE message
11/07/05 12:49:28 ii : - 172.20.30.118:4500 -> <gateway>:4500
11/07/05 12:49:28 ii : - isakmp spi = f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:49:28 ii : - data size 0
11/07/05 12:49:28 >> : hash payload
11/07/05 12:49:28 >> : delete payload
11/07/05 12:49:28 == : new informational hash ( 20 bytes )
11/07/05 12:49:28 == : new informational iv ( 8 bytes )
11/07/05 12:49:28 >= : cookies f612335580096ecb:9af7f5e4604b3d8e
11/07/05 12:49:28 >= : message 338652e5
11/07/05 12:49:28 >= : encrypt iv ( 8 bytes )
11/07/05 12:49:28 == : encrypt packet ( 80 bytes )
11/07/05 12:49:28 == : stored iv ( 8 bytes )
11/07/05 12:49:28 -> : send NAT-T:IKE packet 172.20.30.118:4500 -> <gateway>:4500 ( 116 bytes )
11/07/05 12:49:28 ii : phase1 removal before expire time
11/07/05 12:49:28 DB : phase1 deleted ( obj count = 0 )
11/07/05 12:49:28 DB : tunnel deleted ( obj count = 0 )
11/07/05 12:49:28 DB : removing all peer tunnel refrences
11/07/05 12:49:28 DB : peer deleted ( obj count = 0 )
11/07/05 12:49:28 ii : ipc client process thread exit ...
11/07/05 12:49:47 ii : halt signal received, shutting down
11/07/05 12:49:47 ii : pfkey process thread exit ...
11/07/05 12:49:47 ii : ipc server process thread exit ...
11/07/05 12:49:47 ii : network process thread exit ...
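
A triage pass over an iked.log like the one attached above, added here as an example (it is not part of the original post and is not Shrew Soft code): it accepts the log with one entry per line or with the entries run together by a list archive, and extracts the Phase 2 lifecycle, namely the matched transform, the `!!` warnings, and whether the SA was removed before its negotiated lifetime. The sample lines are excerpted from the posted log; the function names and the yy/mm/dd reading of the timestamp are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Every entry starts "yy/mm/dd hh:mm:ss TAG : message" (date order is assumed).
ENTRY_START = re.compile(r"(?=\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} )")
ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S{2}) : ?(.*)$")

# Excerpt of the Phase 2 portion of the log posted above.
SAMPLE = """\
11/07/05 12:47:34 !! : peer violates RFC, transform number mismatch ( 1 != 14 )
11/07/05 12:47:34 ii : matched ipsec-esp proposal #1 transform #14
11/07/05 12:47:34 ii : - transform = esp-3des
11/07/05 12:47:34 ii : - msg auth = hmac-sha
11/07/05 12:47:34 ii : - life seconds = 3600
11/07/05 12:47:34 ii : phase2 sa established
11/07/05 12:47:34 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/07/05 12:47:34 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/07/05 12:47:34 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/07/05 12:47:35 !! : phase2 packet ignored, resending last packet ( phase2 already mature )
11/07/05 12:47:35 ii : resend limit exceeded for phase2 exchange
11/07/05 12:47:35 ii : sending peer DELETE message
11/07/05 12:47:35 ii : - ipsec-esp spi = 0x6c0f293c
11/07/05 12:47:35 ii : phase2 removal before expire time
11/07/05 12:47:37 ii : ignoring init phase2 by acquire, tunnel is nailed
"""


def parse_entries(text):
    """Return [(datetime, tag, message)] from line-per-entry or run-together text."""
    flat = " ".join(text.split())  # undo line breaks that fall in the middle of an entry
    entries = []
    for chunk in ENTRY_START.split(flat):
        m = ENTRY.match(chunk.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S")
            entries.append((ts, m.group(2), m.group(3).strip()))
    return entries


def triage_phase2(entries):
    """Collect the Phase 2 facts a reviewer looks for first."""
    r = {"proposal": {}, "established": None, "removed": None,
         "late_peer_packets": 0, "resend_limit_hit": False,
         "deleted_spi": None, "acquires_ignored": 0, "warnings": Counter()}
    in_match = False
    for ts, tag, msg in entries:
        if tag == "!!":
            r["warnings"][msg] += 1
        # "- key = value" lines directly after the match line describe the chosen transform.
        if in_match and msg.startswith("- ") and " = " in msg:
            key, _, value = msg[2:].partition(" = ")
            r["proposal"][key] = value
            continue
        in_match = msg.startswith("matched ipsec-esp proposal")
        if msg == "phase2 sa established":
            r["established"] = ts
        elif "phase2 already mature" in msg:
            r["late_peer_packets"] += 1
        elif msg == "resend limit exceeded for phase2 exchange":
            r["resend_limit_hit"] = True
        elif msg.startswith("- ipsec-esp spi = "):
            r["deleted_spi"] = msg.rsplit(" ", 1)[1]
        elif msg == "phase2 removal before expire time":
            r["removed"] = ts
        elif msg.startswith("ignoring init phase2 by acquire"):
            r["acquires_ignored"] += 1
    r["lived_seconds"] = None
    if r["established"] and r["removed"]:
        r["lived_seconds"] = (r["removed"] - r["established"]).total_seconds()
    return r


def summarize(r):
    """One-line verdict: was the IPsec SA removed before its negotiated lifetime?"""
    life = int(r["proposal"].get("life seconds", 0))
    if r["lived_seconds"] is not None and r["lived_seconds"] < life:
        return (f"phase2 SA {r['deleted_spi']} ({r['proposal'].get('transform')}/"
                f"{r['proposal'].get('msg auth')}) removed after "
                f"{r['lived_seconds']:.0f}s of a {life}s lifetime; "
                f"{r['late_peer_packets']} peer phase2 packet(s) ignored as "
                f"'already mature', resend limit hit: {r['resend_limit_hit']}")
    return "no early phase2 removal found"


if __name__ == "__main__":
    report = triage_phase2(parse_entries(SAMPLE))
    print(summarize(report))
    for warning, count in report["warnings"].items():
        print(f"{count}x !! {warning}")
```

Running the same pass over a log from the working gateway and comparing the two reports shows where the Phase 2 exchanges diverge.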
