I found out how to get a debug log and noticed that I am getting: received peer INVALID-CERT-AUTHORITY notification
Figuring this might be my problem, but not sure what to do.

15/07/30 02:14:52 ## : IKE Daemon, ver 2.2.2
15/07/30 02:14:52 ## : Copyright 2013 Shrew Soft Inc.
15/07/30 02:14:52 ## : This product linked OpenSSL 1.0.1c 10 May 2012
15/07/30 02:14:52 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
15/07/30 02:14:52 ii : rebuilding vnet device list ...
15/07/30 02:14:52 ii : device ROOT\VNET\0000 disabled
15/07/30 02:14:52 ii : network process thread begin ...
15/07/30 02:14:52 ii : pfkey process thread begin ...
15/07/30 02:14:52 ii : ipc server process thread begin ...
15/07/30 02:15:03 ii : ipc client process thread begin ...
15/07/30 02:15:03 <A : peer config add message
15/07/30 02:15:03 <A : proposal config message
15/07/30 02:15:03 <A : proposal config message
15/07/30 02:15:03 <A : client config message
15/07/30 02:15:03 <A : remote id '/C=US/ST=Montana/L=MyCity/O=MyVPN/OU=VPN/CN=Router' message
15/07/30 02:15:03 <A : remote certificate data message
15/07/30 02:15:03 ii : remote certificate read complete ( 902 bytes )
15/07/30 02:15:03 <A : local certificate data message
15/07/30 02:15:03 ii : local certificate read complete ( 875 bytes )
15/07/30 02:15:03 <A : local key data message
15/07/30 02:15:03 ii : local key read complete ( 1193 bytes )
15/07/30 02:15:03 <A : remote resource message
15/07/30 02:15:03 <A : peer tunnel enable message
15/07/30 02:15:03 DB : peer added ( obj count = 1 )
15/07/30 02:15:03 ii : local address 10.0.0.18 selected for peer
15/07/30 02:15:03 DB : tunnel added ( obj count = 1 )
15/07/30 02:15:03 ii : obtained x509 cert subject ( 106 bytes )
15/07/30 02:15:03 DB : new phase1 ( ISAKMP initiator )
15/07/30 02:15:03 DB : exchange type is aggressive
15/07/30 02:15:03 DB : 10.0.0.18:500 <-> xx.xx.xx.xx:500
15/07/30 02:15:03 DB : 334ded61cbdd2a04:0000000000000000
15/07/30 02:15:03 DB : phase1 added ( obj count = 1 )
15/07/30 02:15:03 >> : security association payload
15/07/30 02:15:03 >> : - proposal #1 payload
15/07/30 02:15:03 >> : -- transform #1 payload
15/07/30 02:15:03 >> : key exchange payload
15/07/30 02:15:03 >> : nonce payload
15/07/30 02:15:03 >> : cert request payload
15/07/30 02:15:03 >> : identification payload
15/07/30 02:15:03 >> : vendor id payload
15/07/30 02:15:03 ii : local supports nat-t ( draft v00 )
15/07/30 02:15:03 >> : vendor id payload
15/07/30 02:15:03 ii : local supports nat-t ( draft v01 )
15/07/30 02:15:03 >> : vendor id payload
15/07/30 02:15:03 ii : local supports nat-t ( draft v02 )
15/07/30 02:15:03 >> : vendor id payload
15/07/30 02:15:03 ii : local supports nat-t ( draft v03 )
15/07/30 02:15:03 >> : vendor id payload
15/07/30 02:15:03 ii : local supports nat-t ( rfc )
15/07/30 02:15:03 >> : vendor id payload
15/07/30 02:15:03 ii : local supports FRAGMENTATION
15/07/30 02:15:03 >> : vendor id payload
15/07/30 02:15:03 >> : vendor id payload
15/07/30 02:15:03 ii : local supports DPDv1
15/07/30 02:15:03 >> : vendor id payload
15/07/30 02:15:03 ii : local is SHREW SOFT compatible
15/07/30 02:15:03 >> : vendor id payload
15/07/30 02:15:03 ii : local is NETSCREEN compatible
15/07/30 02:15:03 >> : vendor id payload
15/07/30 02:15:03 ii : local is SIDEWINDER compatible
15/07/30 02:15:03 >> : vendor id payload
15/07/30 02:15:03 ii : local is CISCO UNITY compatible
15/07/30 02:15:03 >= : cookies 334ded61cbdd2a04:0000000000000000
15/07/30 02:15:03 >= : message 00000000
15/07/30 02:15:03 -> : send IKE packet 10.0.0.18:500 -> xx.xx.xx.xx:500 ( 699 bytes )
15/07/30 02:15:03 DB : phase1 resend event scheduled ( ref count = 2 )
15/07/30 02:15:06 <- : recv IKE packet xx.xx.xx.xx:500 -> 10.0.0.18:500 ( 1685 bytes )
15/07/30 02:15:06 DB : phase1 found
15/07/30 02:15:06 ii : processing phase1 packet ( 1685 bytes )
15/07/30 02:15:06 =< : cookies 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:06 =< : message 00000000
15/07/30 02:15:06 << : security association payload
15/07/30 02:15:06 << : - propsal #1 payload
15/07/30 02:15:06 << : -- transform #1 payload
15/07/30 02:15:06 ii : matched isakmp proposal #1 transform #1
15/07/30 02:15:06 ii : - transform = ike
15/07/30 02:15:06 ii : - cipher type = 3des
15/07/30 02:15:06 ii : - key length = default
15/07/30 02:15:06 ii : - hash type = sha1
15/07/30 02:15:06 ii : - dh group = group5 ( modp-1536 )
15/07/30 02:15:06 ii : - auth type = sig-rsa
15/07/30 02:15:06 ii : - life seconds = 28800
15/07/30 02:15:06 ii : - life kbytes = 0
15/07/30 02:15:06 << : key exchange payload
15/07/30 02:15:06 << : nonce payload
15/07/30 02:15:06 << : identification payload
15/07/30 02:15:06 ii : phase1 id match
15/07/30 02:15:06 ii : received = asn1-dn C=US,ST=Montana,L=MyCity,O=MyVPN,OU=VPN,CN=Router
15/07/30 02:15:06 << : certificate payload
15/07/30 02:15:06 << : signature payload
15/07/30 02:15:06 << : vendor id payload
15/07/30 02:15:06 ii : peer is CISCO UNITY compatible
15/07/30 02:15:06 << : vendor id payload
15/07/30 02:15:06 ii : peer is IPSEC-TOOLS compatible
15/07/30 02:15:06 << : cert request payload
15/07/30 02:15:06 << : vendor id payload
15/07/30 02:15:06 ii : peer supports nat-t ( rfc )
15/07/30 02:15:06 << : nat discovery payload
15/07/30 02:15:06 << : nat discovery payload
15/07/30 02:15:06 << : vendor id payload
15/07/30 02:15:06 ii : peer supports DPDv1
15/07/30 02:15:06 ii : disabled nat-t ( no nat detected )
15/07/30 02:15:06 == : DH shared secret ( 192 bytes )
15/07/30 02:15:06 == : SETKEYID ( 20 bytes )
15/07/30 02:15:06 == : SETKEYID_d ( 20 bytes )
15/07/30 02:15:06 == : SETKEYID_a ( 20 bytes )
15/07/30 02:15:06 == : SETKEYID_e ( 20 bytes )
15/07/30 02:15:06 == : cipher key ( 40 bytes )
15/07/30 02:15:06 == : cipher iv ( 8 bytes )
15/07/30 02:15:06 >> : certificate payload
15/07/30 02:15:06 == : phase1 hash_i ( computed ) ( 20 bytes )
15/07/30 02:15:06 >> : signature payload
15/07/30 02:15:06 >> : nat discovery payload
15/07/30 02:15:06 >> : nat discovery payload
15/07/30 02:15:06 >= : cookies 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:06 >= : message 00000000
15/07/30 02:15:06 >= : encrypt iv ( 8 bytes )
15/07/30 02:15:06 == : encrypt packet ( 1216 bytes )
15/07/30 02:15:06 == : stored iv ( 8 bytes )
15/07/30 02:15:06 DB : phase1 resend event canceled ( ref count = 1 )
15/07/30 02:15:06 -> : send IKE packet 10.0.0.18:500 -> xx.xx.xx.xx:500 ( 1248 bytes )
15/07/30 02:15:06 ii : unable to get certificate CRL(3) at depth:0
15/07/30 02:15:06 ii : subject :/C=US/ST=Montana/L=MyCity/O=MyVPN/OU=VPN/CN=Router
15/07/30 02:15:06 ii : unable to get certificate CRL(3) at depth:1
15/07/30 02:15:06 ii : subject :/C=US/ST=Montana/L=MyCity/O=MyVPN/OU=Authority Certificate/CN=My VPN CA
15/07/30 02:15:06 == : phase1 hash_r ( computed ) ( 20 bytes )
15/07/30 02:15:06 == : phase1 hash_r ( received ) ( 20 bytes )
15/07/30 02:15:06 ii : phase1 sa established
15/07/30 02:15:06 ii : xx.xx.xx.xx:500 <-> 10.0.0.18:500
15/07/30 02:15:06 ii : 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:06 ii : sending peer INITIAL-CONTACT notification
15/07/30 02:15:06 ii : - 10.0.0.18:500 -> xx.xx.xx.xx:500
15/07/30 02:15:06 ii : - isakmp spi = 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:06 ii : - data size 0
15/07/30 02:15:06 >> : hash payload
15/07/30 02:15:06 >> : notification payload
15/07/30 02:15:06 == : new informational hash ( 20 bytes )
15/07/30 02:15:06 == : new informational iv ( 8 bytes )
15/07/30 02:15:06 >= : cookies 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:06 >= : message 52b8fe7a
15/07/30 02:15:06 >= : encrypt iv ( 8 bytes )
15/07/30 02:15:06 == : encrypt packet ( 80 bytes )
15/07/30 02:15:06 == : stored iv ( 8 bytes )
15/07/30 02:15:06 -> : send IKE packet 10.0.0.18:500 -> xx.xx.xx.xx:500 ( 112 bytes )
15/07/30 02:15:06 DB : config added ( obj count = 1 )
15/07/30 02:15:06 ii : building config attribute list
15/07/30 02:15:06 ii : - IP4 Address
15/07/30 02:15:06 ii : - Address Expiry
15/07/30 02:15:06 ii : - IP4 Netmask
15/07/30 02:15:06 ii : - IP4 DNS Server
15/07/30 02:15:06 ii : - IP4 WINS Server
15/07/30 02:15:06 ii : - DNS Suffix
15/07/30 02:15:06 ii : - Login Banner
15/07/30 02:15:06 ii : - CISCO UDP Port
15/07/30 02:15:06 ii : - Application Version = Cisco Systems VPN Client 4.8.01.0300:WinNT
15/07/30 02:15:06 ii : - Firewall Type = CISCO-UNKNOWN
15/07/30 02:15:06 == : new config iv ( 8 bytes )
15/07/30 02:15:06 ii : sending config pull request
15/07/30 02:15:06 >> : hash payload
15/07/30 02:15:06 >> : attribute payload
15/07/30 02:15:06 == : new configure hash ( 20 bytes )
15/07/30 02:15:06 >= : cookies 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:06 >= : message 4ebc87f5
15/07/30 02:15:06 >= : encrypt iv ( 8 bytes )
15/07/30 02:15:06 == : encrypt packet ( 154 bytes )
15/07/30 02:15:06 == : stored iv ( 8 bytes )
15/07/30 02:15:06 -> : send IKE packet 10.0.0.18:500 -> xx.xx.xx.xx:500 ( 184 bytes )
15/07/30 02:15:06 DB : config resend event scheduled ( ref count = 2 )
15/07/30 02:15:06 DB : phase2 not found
15/07/30 02:15:06 <- : recv IKE packet xx.xx.xx.xx:500 -> 10.0.0.18:500 ( 68 bytes )
15/07/30 02:15:06 DB : phase1 found
15/07/30 02:15:06 ii : processing informational packet ( 68 bytes )
15/07/30 02:15:06 == : new informational iv ( 8 bytes )
15/07/30 02:15:06 =< : cookies 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:06 =< : message 93f44f14
15/07/30 02:15:06 =< : decrypt iv ( 8 bytes )
15/07/30 02:15:06 == : decrypt packet ( 68 bytes )
15/07/30 02:15:06 <= : trimmed packet padding ( 4 bytes )
15/07/30 02:15:06 <= : stored iv ( 8 bytes )
15/07/30 02:15:06 << : hash payload
15/07/30 02:15:06 << : notification payload
15/07/30 02:15:06 == : informational hash_i ( computed ) ( 20 bytes )
15/07/30 02:15:06 == : informational hash_c ( received ) ( 20 bytes )
15/07/30 02:15:06 ii : informational hash verified
15/07/30 02:15:06 ii : received peer INVALID-CERT-AUTHORITY notification
15/07/30 02:15:06 ii : - xx.xx.xx.xx:500 -> 10.0.0.18:500
15/07/30 02:15:06 ii : - isakmp spi = none
15/07/30 02:15:06 ii : - data size 0
15/07/30 02:15:11 -> : resend 1 config packet(s) [0/2] 10.0.0.18:500 -> xx.xx.xx.xx:500
15/07/30 02:15:16 -> : resend 1 config packet(s) [1/2] 10.0.0.18:500 -> xx.xx.xx.xx:500
15/07/30 02:15:21 DB : phase1 found
15/07/30 02:15:21 ii : sending peer DPDV1-R-U-THERE notification
15/07/30 02:15:21 ii : - 10.0.0.18:500 -> xx.xx.xx.xx:500
15/07/30 02:15:21 ii : - isakmp spi = 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:21 ii : - data size 4
15/07/30 02:15:21 >> : hash payload
15/07/30 02:15:21 >> : notification payload
15/07/30 02:15:21 == : new informational hash ( 20 bytes )
15/07/30 02:15:21 == : new informational iv ( 8 bytes )
15/07/30 02:15:21 >= : cookies 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:21 >= : message 8feaf452
15/07/30 02:15:21 >= : encrypt iv ( 8 bytes )
15/07/30 02:15:21 == : encrypt packet ( 84 bytes )
15/07/30 02:15:21 == : stored iv ( 8 bytes )
15/07/30 02:15:21 -> : send IKE packet 10.0.0.18:500 -> xx.xx.xx.xx:500 ( 112 bytes )
15/07/30 02:15:21 ii : DPD ARE-YOU-THERE sequence 192f52ca requested
15/07/30 02:15:21 -> : resend 1 config packet(s) [2/2] 10.0.0.18:500 -> xx.xx.xx.xx:500
15/07/30 02:15:26 ii : resend limit exceeded for config exchange
15/07/30 02:15:26 DB : config deleted ( obj count = 0 )
15/07/30 02:15:36 DB : phase1 found
15/07/30 02:15:36 ii : next tunnel DPD retry in 4 secs for peer xx.xx.xx.xx:500
15/07/30 02:15:36 ii : sending peer DPDV1-R-U-THERE notification
15/07/30 02:15:36 ii : - 10.0.0.18:500 -> xx.xx.xx.xx:500
15/07/30 02:15:36 ii : - isakmp spi = 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:36 ii : - data size 4
15/07/30 02:15:36 >> : hash payload
15/07/30 02:15:36 >> : notification payload
15/07/30 02:15:36 == : new informational hash ( 20 bytes )
15/07/30 02:15:36 == : new informational iv ( 8 bytes )
15/07/30 02:15:36 >= : cookies 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:36 >= : message d6602ea4
15/07/30 02:15:36 >= : encrypt iv ( 8 bytes )
15/07/30 02:15:36 == : encrypt packet ( 84 bytes )
15/07/30 02:15:36 == : stored iv ( 8 bytes )
15/07/30 02:15:36 -> : send IKE packet 10.0.0.18:500 -> xx.xx.xx.xx:500 ( 112 bytes )
15/07/30 02:15:36 ii : DPD ARE-YOU-THERE sequence 192f52cb requested
15/07/30 02:15:40 DB : phase1 found
15/07/30 02:15:40 ii : next tunnel DPD retry in 3 secs for peer xx.xx.xx.xx:500
15/07/30 02:15:40 ii : sending peer DPDV1-R-U-THERE notification
15/07/30 02:15:40 ii : - 10.0.0.18:500 -> xx.xx.xx.xx:500
15/07/30 02:15:40 ii : - isakmp spi = 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:40 ii : - data size 4
15/07/30 02:15:40 >> : hash payload
15/07/30 02:15:40 >> : notification payload
15/07/30 02:15:40 == : new informational hash ( 20 bytes )
15/07/30 02:15:40 == : new informational iv ( 8 bytes )
15/07/30 02:15:40 >= : cookies 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:40 >= : message acfe5847
15/07/30 02:15:40 >= : encrypt iv ( 8 bytes )
15/07/30 02:15:40 == : encrypt packet ( 84 bytes )
15/07/30 02:15:40 == : stored iv ( 8 bytes )
15/07/30 02:15:40 -> : send IKE packet 10.0.0.18:500 -> xx.xx.xx.xx:500 ( 112 bytes )
15/07/30 02:15:40 ii : DPD ARE-YOU-THERE sequence 192f52cc requested
15/07/30 02:15:43 DB : phase1 found
15/07/30 02:15:43 ii : next tunnel DPD retry in 2 secs for peer xx.xx.xx.xx:500
15/07/30 02:15:43 ii : sending peer DPDV1-R-U-THERE notification
15/07/30 02:15:43 ii : - 10.0.0.18:500 -> xx.xx.xx.xx:500
15/07/30 02:15:43 ii : - isakmp spi = 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:43 ii : - data size 4
15/07/30 02:15:43 >> : hash payload
15/07/30 02:15:43 >> : notification payload
15/07/30 02:15:43 == : new informational hash ( 20 bytes )
15/07/30 02:15:43 == : new informational iv ( 8 bytes )
15/07/30 02:15:43 >= : cookies 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:43 >= : message 099dc1a7
15/07/30 02:15:43 >= : encrypt iv ( 8 bytes )
15/07/30 02:15:43 == : encrypt packet ( 84 bytes )
15/07/30 02:15:43 == : stored iv ( 8 bytes )
15/07/30 02:15:43 -> : send IKE packet 10.0.0.18:500 -> xx.xx.xx.xx:500 ( 112 bytes )
15/07/30 02:15:43 ii : DPD ARE-YOU-THERE sequence 192f52cd requested
15/07/30 02:15:45 DB : phase1 found
15/07/30 02:15:45 ii : next tunnel DPD retry in 1 secs for peer xx.xx.xx.xx:500
15/07/30 02:15:45 ii : sending peer DPDV1-R-U-THERE notification
15/07/30 02:15:45 ii : - 10.0.0.18:500 -> xx.xx.xx.xx:500
15/07/30 02:15:45 ii : - isakmp spi = 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:45 ii : - data size 4
15/07/30 02:15:45 >> : hash payload
15/07/30 02:15:45 >> : notification payload
15/07/30 02:15:45 == : new informational hash ( 20 bytes )
15/07/30 02:15:45 == : new informational iv ( 8 bytes )
15/07/30 02:15:45 >= : cookies 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:45 >= : message ff40d3f3
15/07/30 02:15:45 >= : encrypt iv ( 8 bytes )
15/07/30 02:15:45 == : encrypt packet ( 84 bytes )
15/07/30 02:15:45 == : stored iv ( 8 bytes )
15/07/30 02:15:45 -> : send IKE packet 10.0.0.18:500 -> xx.xx.xx.xx:500 ( 112 bytes )
15/07/30 02:15:45 ii : DPD ARE-YOU-THERE sequence 192f52ce requested
15/07/30 02:15:46 !! : tunnel DPD timeout for peer xx.xx.xx.xx:500
15/07/30 02:15:46 DB : policy not found
15/07/30 02:15:46 DB : policy not found
15/07/30 02:15:46 DB : policy not found
15/07/30 02:15:46 DB : policy not found
15/07/30 02:15:46 DB : policy not found
15/07/30 02:15:46 DB : policy not found
15/07/30 02:15:46 DB : removing tunnel config references
15/07/30 02:15:46 DB : removing tunnel phase2 references
15/07/30 02:15:46 DB : removing tunnel phase1 references
15/07/30 02:15:46 DB : phase1 soft event canceled ( ref count = 3 )
15/07/30 02:15:46 DB : phase1 hard event canceled ( ref count = 2 )
15/07/30 02:15:46 DB : phase1 dead event canceled ( ref count = 1 )
15/07/30 02:15:46 ii : sending peer DELETE message
15/07/30 02:15:46 ii : - 10.0.0.18:500 -> xx.xx.xx.xx:500
15/07/30 02:15:46 ii : - isakmp spi = 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:46 ii : - data size 0
15/07/30 02:15:46 >> : hash payload
15/07/30 02:15:46 >> : delete payload
15/07/30 02:15:46 == : new informational hash ( 20 bytes )
15/07/30 02:15:46 == : new informational iv ( 8 bytes )
15/07/30 02:15:46 >= : cookies 334ded61cbdd2a04:f2486043183b32c0
15/07/30 02:15:46 >= : message e94f3d6a
15/07/30 02:15:46 >= : encrypt iv ( 8 bytes )
15/07/30 02:15:46 == : encrypt packet ( 80 bytes )
15/07/30 02:15:46 == : stored iv ( 8 bytes )
15/07/30 02:15:46 -> : send IKE packet 10.0.0.18:500 -> xx.xx.xx.xx:500 ( 112 bytes )
15/07/30 02:15:46 ii : phase1 removal before expire time
15/07/30 02:15:46 DB : phase1 deleted ( obj count = 0 )
15/07/30 02:15:46 DB : tunnel deleted ( obj count = 0 )
15/07/30 02:15:46 DB : removing all peer tunnel references
15/07/30 02:15:46 DB : peer deleted ( obj count = 0 )
15/07/30 02:15:46 ii : ipc client process thread exit ...

_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help
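
Added example, not part of the original post and not Shrew Soft code: a small triage script that pulls the certificate-related entries out of an iked.log like the one above, including when line breaks were lost or a wrap fell inside an entry. The function names and the report fields are hypothetical; the sample is an excerpt of the log in the post.

```python
import re

# An entry starts with "YY/MM/DD HH:MM:SS", a two-character tag and " : ".
ENTRY = re.compile(r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S\S) : ")

def split_entries(text):
    """Return (stamp, tag, message) tuples, even if line breaks were lost or
    a wrap landed in the middle of an entry."""
    flat = " ".join(text.split())            # collapse all whitespace runs
    parts = ENTRY.split(flat)                # [preamble, stamp, tag, msg, ...]
    return [(parts[i], parts[i + 1], parts[i + 2].strip())
            for i in range(1, len(parts), 3)]

def triage(text):
    """Collect the entries that matter for a certificate-authenticated phase 1."""
    entries = split_entries(text)
    report = {"phase1_established": None, "peer_notifications": [],
              "crl_unavailable": [], "failures": []}
    for i, (stamp, tag, msg) in enumerate(entries):
        note = re.fullmatch(r"received peer (\S+) notification", msg)
        if msg == "phase1 sa established":
            report["phase1_established"] = stamp
        elif note:
            # Sent by the remote gateway, not raised by the local client.
            report["peer_notifications"].append((stamp, note.group(1)))
        elif msg.startswith("unable to get certificate CRL"):
            # The subject of the affected certificate is logged in the next entry.
            nxt = entries[i + 1][2] if i + 1 < len(entries) else ""
            subject = nxt[len("subject :"):] if nxt.startswith("subject :") else None
            report["crl_unavailable"].append((msg.rsplit("depth:", 1)[-1], subject))
        elif tag == "!!" or msg.startswith("resend limit exceeded"):
            report["failures"].append((stamp, msg))
    return report

# Excerpt of the log above, deliberately run together and wrapped mid-entry.
SAMPLE = """15/07/30 02:15:06 ii : unable to get certificate CRL(3) at depth:0 15/07/30
02:15:06 ii : subject :/C=US/ST=Montana/L=MyCity/O=MyVPN/OU=VPN/CN=Router 15/07/30 02:15:06 ii : unable to get certificate CRL(3) at depth:1 15/07/30 02:15:06 ii : subject :/C=US/ST=Montana/L=MyCity/O=MyVPN/OU=Authority Certificate/CN=My VPN CA 15/07/30 02:15:06 ii : phase1 sa established 15/07/30 02:15:06 ii : received peer INVALID-CERT-AUTHORITY notification 15/07/30 02:15:26 ii : resend limit exceeded for config exchange 15/07/30 02:15:46 !!
: tunnel DPD timeout for peer xx.xx.xx.xx:500"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```

The report separates what the local client logged about the gateway's chain from what the peer sent back, which is the distinction needed when deciding which side's CA configuration to inspect.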
