Hi All: Nice SW, very interesting.
I've set the log level to debug and am doing tail -f /var/log/iked.log... A few questions:

1. How do we know if the SW has correctly read our CA cert?
2. How do we know if the SW has correctly read our client cert?
3. How do we know if the SW has correctly read our private key?

It looks to me like the certs are being sent, but I'm not sure. Can someone comment?

13/05/06 23:30:14 << : security association payload
13/05/06 23:30:14 << : - propsal #1 payload
13/05/06 23:30:14 << : -- transform #1 payload
13/05/06 23:30:14 ii : matched isakmp proposal #1 transform #1
13/05/06 23:30:14 ii : - transform = ike
13/05/06 23:30:14 ii : - cipher type = 3des
13/05/06 23:30:14 ii : - key length = default
13/05/06 23:30:14 ii : - hash type = md5
13/05/06 23:30:14 ii : - dh group = group2 ( modp-1024 )
13/05/06 23:30:14 ii : - auth type = xauth-initiator-rsa
13/05/06 23:30:14 ii : - life seconds = 86400
13/05/06 23:30:14 ii : - life kbytes = 0
13/05/06 23:30:14 << : vendor id payload
13/05/06 23:30:14 ii : peer supports nat-t ( rfc )
13/05/06 23:30:14 << : vendor id payload
13/05/06 23:30:14 ii : unknown vendor id ( 20 bytes )
13/05/06 23:30:14 0x : 4048b7d5 6ebce885 25e7de7f 00d6c2d3 c0000000
13/05/06 23:30:14 >> : key exchange payload
13/05/06 23:30:14 >> : nonce payload
13/05/06 23:30:14 >> : cert request payload
13/05/06 23:30:14 >> : nat discovery payload
13/05/06 23:30:14 >> : nat discovery payload
13/05/06 23:30:14 >= : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
13/05/06 23:30:14 >= : message 00000000
13/05/06 23:30:14 DB : phase1 resend event canceled ( ref count = 1 )
13/05/06 23:30:14 -> : send IKE packet 192.168.0.35:500 -> 218.101.54.25:500 ( 257 bytes )
13/05/06 23:30:14 DB : phase1 resend event scheduled ( ref count = 2 )
13/05/06 23:30:15 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 473 bytes )
13/05/06 23:30:15 DB : phase1 found
13/05/06 23:30:15 ii : processing phase1 packet ( 473 bytes )
13/05/06 23:30:15 =< : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
13/05/06 23:30:15 =< : message 00000000
13/05/06 23:30:15 << : key exchange payload
13/05/06 23:30:15 << : nonce payload
13/05/06 23:30:15 << : cert request payload
13/05/06 23:30:15 << : vendor id payload
13/05/06 23:30:15 ii : peer is CISCO UNITY compatible
13/05/06 23:30:15 << : vendor id payload
13/05/06 23:30:15 ii : peer supports XAUTH
13/05/06 23:30:15 << : vendor id payload
13/05/06 23:30:15 ii : unknown vendor id ( 16 bytes )
13/05/06 23:30:15 0x : 7a108e42 5f1c29b5 593f9565 b035210b
13/05/06 23:30:15 << : vendor id payload
13/05/06 23:30:15 ii : unknown vendor id ( 16 bytes )
13/05/06 23:30:15 0x : 1f07f70e aa6514d3 b0fa9654 2a500100
13/05/06 23:30:15 << : nat discovery payload
13/05/06 23:30:15 << : nat discovery payload
13/05/06 23:30:15 ii : nat discovery - local address is translated
13/05/06 23:30:15 ii : switching to src nat-t udp port 4500
13/05/06 23:30:15 ii : switching to dst nat-t udp port 4500
13/05/06 23:30:15 == : DH shared secret ( 128 bytes )
13/05/06 23:30:15 == : SETKEYID ( 16 bytes )
13/05/06 23:30:15 == : SETKEYID_d ( 16 bytes )
13/05/06 23:30:15 == : SETKEYID_a ( 16 bytes )
13/05/06 23:30:15 == : SETKEYID_e ( 16 bytes )
13/05/06 23:30:15 == : cipher key ( 32 bytes )
13/05/06 23:30:15 == : cipher iv ( 8 bytes )
13/05/06 23:30:15 >> : identification payload
13/05/06 23:30:15 >> : certificate payload
13/05/06 23:30:15 == : phase1 hash_i ( computed ) ( 16 bytes )
13/05/06 23:30:15 >> : signature payload
13/05/06 23:30:15 >= : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
13/05/06 23:30:15 >= : message 00000000
13/05/06 23:30:15 >= : encrypt iv ( 8 bytes )
13/05/06 23:30:15 == : encrypt packet ( 1706 bytes )
13/05/06 23:30:15 == : stored iv ( 8 bytes )
13/05/06 23:30:15 DB : phase1 resend event canceled ( ref count = 1 )
13/05/06 23:30:15 -> : send NAT-T:IKE packet 192.168.0.35:4500 -> 218.101.54.25:4500 ( 1740 bytes )
13/05/06 23:30:23 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 473 bytes )
13/05/06 23:30:23 DB : phase1 found
13/05/06 23:30:23 ww : initiator port values should only float once per session
13/05/06 23:30:23 ii : processing phase1 packet ( 473 bytes )
13/05/06 23:30:23 =< : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
13/05/06 23:30:23 =< : message 00000000
13/05/06 23:30:23 << : ignoring duplicate key excahnge payload
13/05/06 23:30:23 !! : unprocessed payload data
13/05/06 23:30:23 << : ignoring duplicate nonce payload
13/05/06 23:30:23 !! : unprocessed payload data
13/05/06 23:30:23 !! : unhandled phase1 payload 'unknown' ( 244 )
13/05/06 23:30:23 !! : unprocessed payload data
13/05/06 23:30:23 ii : sending peer DELETE message
13/05/06 23:30:23 ii : - 192.168.0.35:4500 -> 218.101.54.25:4500
13/05/06 23:30:23 ii : - isakmp spi = d0206ace8cde3e11:8fd7295f5f1d29b5
13/05/06 23:30:23 ii : - data size 0
13/05/06 23:30:23 >> : hash payload
13/05/06 23:30:23 >> : delete payload
13/05/06 23:30:23 == : new informational hash ( 16 bytes )
13/05/06 23:30:23 == : new informational iv ( 8 bytes )
13/05/06 23:30:23 >= : cookies d0206ace8cde3e11:8fd7295f5f1d29b5
13/05/06 23:30:23 >= : message 3b625f76
13/05/06 23:30:23 >= : encrypt iv ( 8 bytes )
13/05/06 23:30:23 == : encrypt packet ( 76 bytes )
13/05/06 23:30:23 == : stored iv ( 8 bytes )
13/05/06 23:30:23 -> : send NAT-T:IKE packet 192.168.0.35:4500 -> 218.101.54.25:4500 ( 108 bytes )
13/05/06 23:30:23 ii : phase1 removal before expire time
13/05/06 23:30:23 DB : phase1 deleted ( obj count = 0 )
13/05/06 23:30:23 DB : policy not found
13/05/06 23:30:23 DB : policy not found
13/05/06 23:30:23 DB : policy not found
13/05/06 23:30:23 DB : policy not found
13/05/06 23:30:23 DB : removing tunnel config references
13/05/06 23:30:23 DB : removing tunnel phase2 references
13/05/06 23:30:23 DB : removing tunnel phase1 references
13/05/06 23:30:23 DB : tunnel deleted ( obj count = 0 )
13/05/06 23:30:23 DB : removing all peer tunnel references
13/05/06 23:30:23 DB : peer deleted ( obj count = 0 )
13/05/06 23:30:23 ii : ipc client process thread exit ...
13/05/06 23:30:39 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 473 bytes )
13/05/06 23:30:39 DB : phase1 not found
13/05/06 23:30:39 ww : ike packet from 218.101.54.25 ignored, unknown phase1 sa for peer
13/05/06 23:30:39 ww : d0206ace8cde3e11:8fd7295f5f1d29b5
13/05/06 23:30:55 <- : recv IKE packet 218.101.54.25:500 -> 192.168.0.35:500 ( 76 bytes )
13/05/06 23:30:55 DB : phase1 not found
13/05/06 23:30:55 ww : ike packet from 218.101.54.25 ignored, unknown phase1 sa for peer
13/05/06 23:30:55 ww : 1d62c573424c488b:ade67cd1a4ae13ba

It dies before making it past the IKE neg. Any suggestions?

Cheers,
john

_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help
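The log above does show the client emitting identification, certificate and signature payloads (its RSA-authenticated phase 1 message over NAT-T port 4500), so some certificate was loaded; what the log cannot tell you is whether that certificate, the CA it was verified against, and the private key actually belong together, which is what questions 1 to 3 are really asking. The check below is an added example for this thread, not Shrew Soft code and not part of the original post. It uses the openssl command line to confirm that each PEM file parses, that the client certificate chains to the CA, and that the private key's public half matches the certificate; the file names are placeholders, the demo PKI is constructed in a temporary directory purely to exercise the check, and an installed openssl is assumed.

```shell
#!/bin/sh
# Added example: pre-flight check of a CA cert, client cert and private key
# before handing them to an IKE client. Assumes PEM input and the openssl CLI.
set -eu

# check_cert_chain CA CLIENT KEY
# Prints "ok" and returns 0 when all of the following hold:
#   1. CA parses as an X.509 certificate
#   2. CLIENT parses and verifies against CA
#   3. KEY parses and its public key equals the public key in CLIENT
# Otherwise prints the first failing check and returns 1.
check_cert_chain() {
    ca=$1; cert=$2; key=$3
    openssl x509 -in "$ca" -noout >/dev/null 2>&1 \
        || { echo "CA cert unreadable"; return 1; }
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "client cert unreadable"; return 1; }
    openssl pkey -in "$key" -noout >/dev/null 2>&1 \
        || { echo "private key unreadable"; return 1; }
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "client cert does not chain to CA"; return 1; }
    # Compare SHA-256 of the DER SubjectPublicKeyInfo from both sources.
    certpub=$(openssl x509 -in "$cert" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    keypub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$certpub" = "$keypub" ] \
        || { echo "private key does not match client cert"; return 1; }
    echo ok
}

# make_demo_pki: constructed throwaway PKI (hypothetical names) in a temp dir:
#   ca.pem/ca.key         self-signed CA
#   client.pem/client.key client cert issued by that CA
#   other.key             unrelated key, to show the mismatch case
#   unrelated.pem         self-signed cert on other.key, to show the wrong-CA case
# Prints the directory path.
make_demo_pki() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.pem" -subj "/CN=Demo CA" -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
        -out "$dir/client.csr" -subj "/CN=demo-client" >/dev/null 2>&1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/client.pem" -days 1 >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$dir/other.key" >/dev/null 2>&1
    openssl req -x509 -key "$dir/other.key" -out "$dir/unrelated.pem" \
        -subj "/CN=Unrelated" -days 1 >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone run: good triple, wrong key, wrong CA.
demo_dir=$(make_demo_pki)
check_cert_chain "$demo_dir/ca.pem" "$demo_dir/client.pem" "$demo_dir/client.key"
check_cert_chain "$demo_dir/ca.pem" "$demo_dir/client.pem" "$demo_dir/other.key" || true
check_cert_chain "$demo_dir/unrelated.pem" "$demo_dir/client.pem" "$demo_dir/client.key" || true
```

Point check_cert_chain at the three files configured in the client; a mismatch between key and certificate, or a certificate that does not chain to the configured CA, will make the responder reject the signature payload even though the client's own log shows the payloads going out. Comparing the DER SubjectPublicKeyInfo digest rather than the RSA modulus keeps the check valid for EC keys as well.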
