Hello, I've set up a connection between a Windows 2012 R2 Server (40.40.40.40) using Shrew VPN Client (version 2.2.2) and a SonicWALL (and for tests also with a FortiGate) (50.50.50.50).
The initial VPN tunnel comes up with either firewall. When the soft-limit timeout for phase 2 is reached, the VPN client starts the renewal of phase 2. With the SonicWALL this renewal shows two errors (!!:) towards its end. While the tunnel as such seems to fire up again, it is not possible to reach the final destination server (10.10.10.10) behind the SonicWALL for some time (using Test-Connection, i.e. pings). Only after the hard-limit timeout for phase 2 is reached do the pings go through again. The identical setup (VPN-client-wise) with a FortiGate does not have this problem. Here the phase 2 renewal produces no errors and the destination server can be reached by pings at all times.

Shrew VPN Client setup:

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-dns-used:0
n:client-dns-auto:0
n:client-dns-suffix-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:1
n:phase1-dhgroup:5
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:1800
n:phase2-life-kbytes:0
n:policy-nailed:1
n:policy-list-auto:0
s:network-host:40.40.40.40
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:192.168.1.1
s:client-ip-mask:255.255.255.255
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:(secret)
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:5
s:policy-level:require
s:policy-list-include:50.50.50.50 / 255.255.255.255,10.10.10.10 / 255.255.255.255

Connection with the SonicWALL, phase 2 renewal, last part (VPN Client log):

<- : recv IKE packet 50.50.50.50:500 -> 40.40.40.40:500 ( 76 bytes )
DB : phase1 found
ii : processing informational packet ( 76 bytes )
== : new informational iv ( 8 bytes )
=< : cookies 915d9ca44709a15b:e77b80b9c572d32d
=< : message 552fc103
=< : decrypt iv ( 8 bytes )
== : decrypt packet ( 76 bytes )
<= : trimmed packet padding ( 4 bytes )
<= : stored iv ( 8 bytes )
<< : hash payload
<< : delete payload
!! : unprocessed payload data !!!
== : informational hash_i ( computed ) ( 20 bytes )
== : informational hash_c ( received ) ( 20 bytes )
!! : informational hash verification failed
ii : received peer DELETE message
ii : - 50.50.50.50:500 -> 40.40.40.40:500
ii : - ipsec-esp spi = 0x5347bf9c

(no further entries until a few minutes later)

ii : phase2 sa is dead
ii : phase2 removal after expire time
DB : phase2 deleted ( obj count = 1 )

Connection with the SonicWALL, phase 2 renewal, last part (VPN Client log):

<- : recv IKE packet 50.50.50.50:500 -> 40.40.40.40:500 ( 76 bytes )
DB : phase1 found
ii : processing informational packet ( 76 bytes )
== : new informational iv ( 8 bytes )
=< : cookies 30319e5309693dd8:33dfc550c179a81b
=< : message 2db6a00f
=< : decrypt iv ( 8 bytes )
== : decrypt packet ( 76 bytes )
<= : trimmed packet padding ( 8 bytes )
<= : stored iv ( 8 bytes )
<< : hash payload
<< : delete payload
== : informational hash_i ( computed ) ( 20 bytes )
== : informational hash_c ( received ) ( 20 bytes )
ii : informational hash verified
ii : received peer DELETE message
ii : - 50.50.50.50:500 -> 40.40.40.40:500
ii : - ipsec-esp spi = 0xb9b142e9
DB : phase2 found
DB : cleanup, marked phase2 0xb9b142e9 for removal
DB : phase2 hard event canceled ( ref count = 1 )
K> : send pfkey DELETE ESP message
K< : recv pfkey DELETE ESP message
K> : send pfkey DELETE ESP message
K< : recv pfkey DELETE ESP message
ii : phase2 removal before expire time
DB : phase2 deleted ( obj count = 1 )

Does anyone have an idea why the phase 2 renewal with the SonicWALL produces the following errors?

!! : unprocessed payload data !!!
!! : informational hash verification failed

Even with the log level set to "loud" I could see nothing in the logs explaining why the pings don't go through for some minutes and afterwards go through again.

Thank you!

_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help
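Added illustration, not part of the original post and not code from the Shrew Soft client: the receiver-side HASH(1) check of an IKEv1 informational exchange (RFC 2409 section 5.7) in Python. The SKEYID_a key is constructed; the message ID and SPI are the ones shown in the first log excerpt, and the packet size works out to the same 76 bytes. It shows the mechanism that produces the two logged lines together: HASH(1) covers everything that follows the HASH payload, so any bytes left in the decrypted region after the last chained payload (here, padding that the receiver did not fully trim) are fed into the hash the receiver computes and the comparison fails. Whether the SonicWALL's packets actually trigger this is not established here; this is one mechanism, not a diagnosis of the post.

```python
"""IKEv1 informational exchange: HASH(1) = prf(SKEYID_a, M-ID | payloads after HASH).

Constructed example. Shows why bytes left after the Delete payload
("unprocessed payload data") also make "hash verification failed" appear.
"""
import hashlib
import hmac
import struct

ISAKMP_HDR_LEN = 28                      # cleartext header, not covered by HASH(1)
PAYLOAD_NONE, PAYLOAD_HASH, PAYLOAD_DELETE = 0, 8, 12
DOI_IPSEC, PROTO_IPSEC_ESP = 1, 3


def generic_header(next_payload: int, body_len: int) -> bytes:
    """ISAKMP generic payload header: next payload type, reserved, total length."""
    return struct.pack("!BBH", next_payload, 0, 4 + body_len)


def build_delete_payload(spi: int) -> bytes:
    """Delete payload (RFC 2408 section 3.15) announcing one ESP SPI: 16 bytes."""
    body = struct.pack("!IBBHI", DOI_IPSEC, PROTO_IPSEC_ESP, 4, 1, spi)
    return generic_header(PAYLOAD_NONE, len(body)) + body


def hash1(skeyid_a: bytes, msg_id: int, payloads: bytes) -> bytes:
    """prf is HMAC-SHA1 here, matching phase1-hash:sha1 in the posted profile."""
    return hmac.new(skeyid_a, struct.pack("!I", msg_id) + payloads, hashlib.sha1).digest()


def build_informational(skeyid_a: bytes, msg_id: int, spi: int, pad_len: int) -> bytes:
    """Sender side: the region that gets encrypted, HASH || DELETE || padding.

    pad_len is the number of zero bytes the peer appends so the region is a
    multiple of the cipher block size (8 for 3DES). The hash covers DELETE only.
    """
    delete = build_delete_payload(spi)
    digest = hash1(skeyid_a, msg_id, delete)
    hash_payload = generic_header(PAYLOAD_DELETE, len(digest)) + digest   # 24 bytes
    return hash_payload + delete + bytes(pad_len)


def verify_informational(skeyid_a: bytes, msg_id: int, region: bytes, trimmed: int):
    """Receiver side: strip `trimmed` padding bytes, walk the payload chain
    starting at the HASH payload, and check HASH(1) over all that follows it.

    Returns (hash_ok, unprocessed); unprocessed is the number of bytes left after
    the last chained payload, i.e. what the client logs as unprocessed data.
    """
    body = region[:len(region) - trimmed]
    next_payload, _, hlen = struct.unpack("!BBH", body[:4])
    received = body[4:hlen]
    rest = body[hlen:]                        # everything after the HASH payload
    offset, ptype = 0, next_payload
    while ptype != PAYLOAD_NONE:
        ptype, _, plen = struct.unpack("!BBH", rest[offset:offset + 4])
        offset += plen
    unprocessed = len(rest) - offset
    # The leftover bytes are inside the hashed region, so they change the digest.
    computed = hash1(skeyid_a, msg_id, rest)
    return hmac.compare_digest(computed, received), unprocessed


def demo():
    skeyid_a = hashlib.sha1(b"constructed SKEYID_a, not a real key").digest()
    msg_id, spi = 0x552FC103, 0x5347BF9C      # message ID and SPI from the first log
    region = build_informational(skeyid_a, msg_id, spi, pad_len=8)
    assert ISAKMP_HDR_LEN + len(region) == 76  # same on-the-wire size as the logged packet
    good = verify_informational(skeyid_a, msg_id, region, trimmed=8)   # all padding removed
    bad = verify_informational(skeyid_a, msg_id, region, trimmed=4)    # 4 bytes left over
    return good, bad


if __name__ == "__main__":
    print(demo())   # ((True, 0), (False, 4))
```

With all 8 padding bytes trimmed the chain ends exactly at the end of the region and the digest matches; trimming only 4 leaves 4 unprocessed bytes inside the hashed span and the digest no longer matches, which is the combination the first log excerpt shows. Capturing the UDP/500 packets on both peers and comparing the ISAKMP length field against the decrypted payload lengths would tell whether the padding really differs between the two firewalls.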
