
Re: [Users] WinXP -> FreeSWAN 2nd try

From: Andreas Ninaus <andreas.ninaus(at)cdx.at>
Date: Tue Sep 23 2003 - 08:46:06 EDT

It's just a guess, but
try to create certificates without blanks or dashes. I had this phenomenon one time, and it worked then.

Andreas

----- Original Message -----
From: "Helge Lenz" <h.lenz@gmx.de>
To: "Andreas Ninaus" <andreas.ninaus@cdx.at>
Cc: <users@mj2.freeswan.org>
Sent: Tuesday, September 23, 2003 2:17 PM
Subject: Re: [Users] WinXP -> FreeSWAN 2nd try

> Andreas Ninaus wrote:
snap
> >in of the mmc
Zertifikaten(3)
> >>>9-18: 10:55:50:180:438 Life type in Seconds
> >>>9-18: 10:55:50:180:438 Life duration of 28800
> >>>9-18: 10:55:50:180:438 Phase 1 SA accepted: transform=1
> >>>9-18: 10:55:50:180:438 SA - Oakley proposal accepted
> >>>9-18: 10:55:50:180:438 constructing ISAKMP Header
> >>>9-18: 10:55:50:240:438 constructing KE
> >>>9-18: 10:55:50:240:438 constructing NONCE (ISAKMP)
> >>>9-18: 10:55:50:240:438
> >>>9-18: 10:55:50:240:438 Sending: SA = 0x000CDB78 to 192.168.10.1:Type 2
> >>>9-18: 10:55:50:240:438 ISAKMP Header: (V1.0), len = 184
> >>>9-18: 10:55:50:240:438 I-COOKIE e97a526ca21d8e48
> >>>9-18: 10:55:50:240:438 R-COOKIE 0f9a37c1620ab05f
> >>>9-18: 10:55:50:240:438 exchange: Oakley Main Mode
> >>>9-18: 10:55:50:240:438 flags: 0
> >>>9-18: 10:55:50:240:438 next payload: KE
> >>>9-18: 10:55:50:240:438 message ID: 00000000
> >>>9-18: 10:55:50:250:438
> >>>9-18: 10:55:50:250:438 Receive: (get) SA = 0x000cdb78 from 192.168.10.1
> >>>9-18: 10:55:50:250:438 ISAKMP Header: (V1.0), len = 188
> >>>9-18: 10:55:50:250:438 I-COOKIE e97a526ca21d8e48
> >>>9-18: 10:55:50:250:438 R-COOKIE 0f9a37c1620ab05f
> >>>9-18: 10:55:50:250:438 exchange: Oakley Main Mode
> >>>9-18: 10:55:50:250:438 flags: 0
> >>>9-18: 10:55:50:250:438 next payload: KE
> >>>9-18: 10:55:50:250:438 message ID: 00000000
> >>>9-18: 10:55:50:250:438 processing payload KE 9-18: 10:55:50:270:438
> >>>processing payload NONCE
> >>>9-18: 10:55:50:270:438 processing payload CRP
> >>>9-18: 10:55:50:270:438 constructing ISAKMP Header
> >>>9-18: 10:55:50:270:438 constructing ID
> >>>9-18: 10:55:50:270:438 Received no valid CRPs. Using all configured
> >>>9-18: 10:55:50:270:438 Looking for IPSec only cert
> >>>9-18: 10:55:50:280:438 failed to get chain 80092004
> >>>9-18: 10:55:50:280:438 Received no valid CRPs. Using all configured
> >>>9-18: 10:55:50:280:438 Looking for any cert
> >>>9-18: 10:55:50:280:438 failed to get chain 80092004
> >>>9-18: 10:55:50:280:438 ProcessFailure: sa:000CDB78 centry:00000000
> >>>status:35ee
> >>>9-18: 10:55:50:280:438 isadb_set_status sa:000CDB78 centry:00000000
> >>>status 35ee
> >>>9-18: 10:55:50:290:438 Schlüsselaustauschmodus (Hauptmodus)
> >>>
> >>>
> >>>9-18: 10:55:50:290:438 Quell-IP-Adresse 192.168.10.96
> >>>
> >>>Quell-IP-Adressmaske 255.255.255.255
> >>>
> >>>Ziel-IP-Adresse 192.168.10.1
> >>>
> >>>Ziel-IP-Adressmaske 255.255.255.255
> >>>
> >>>Protokoll 0
> >>>
> >>>Quellport 0
> >>>
> >>>Zielport 0
> >>>
> >>>Lokale IKE-Adresse
> >>>
> >>>Peer-IKE-Adresse
> >>>
> >>>
> >>>9-18: 10:55:50:290:438 Zertifikat-basierte Identität.
> >>>Peer-IP-Adresse: 192.168.10.1
> >>>
> >>>
> >>>9-18: 10:55:50:290:438 Benutzer
> >>>
> >>>
> >>>9-18: 10:55:50:290:438 IKE konnte kein gültiges Computerzertifikat
> >>>finden.
> >>>
> >>>
> >>>9-18: 10:55:50:290:438 0x80092004 0x0
> >>>9-18: 10:55:50:290:438 ProcessFailure: sa:000CDB78 centry:00000000
> >>>status:35ee
> >>>9-18: 10:55:50:290:438 constructing ISAKMP Header
> >>>9-18: 10:55:50:290:438 constructing HASH (null)
> >>>9-18: 10:55:50:290:438 constructing NOTIFY 28
> >>>9-18: 10:55:50:290:438 constructing HASH (Notify/Delete)
> >>>9-18: 10:55:50:290:438
> >>>9-18: 10:55:50:290:438 Sending: SA = 0x000CDB78 to 192.168.10.1:Type 1
> >>>9-18: 10:55:50:290:438 ISAKMP Header: (V1.0), len = 84
> >>>9-18: 10:55:50:290:438 I-COOKIE e97a526ca21d8e48
> >>>9-18: 10:55:50:290:438 R-COOKIE 0f9a37c1620ab05f
> >>>9-18: 10:55:50:290:438 exchange: ISAKMP Informational Exchange
> >>>9-18: 10:55:50:290:438 flags: 1 ( encrypted )
> >>>9-18: 10:55:50:290:438 next payload: HASH
> >>>9-18: 10:55:50:290:438 message ID: 42c62c59
> >>>9-18: 10:55:59:353:20c
> >>>9-18: 10:55:59:353:20c Receive: (get) SA = 0x000cdb78 from 192.168.10.1
> >>>9-18: 10:55:59:353:20c ISAKMP Header: (V1.0), len = 188
> >>>9-18: 10:55:59:353:20c I-COOKIE e97a526ca21d8e48
> >>>9-18: 10:55:59:353:20c R-COOKIE 0f9a37c1620ab05f
> >>>9-18: 10:55:59:353:20c exchange: Oakley Main Mode
> >>>9-18: 10:55:59:353:20c flags: 0
> >>>9-18: 10:55:59:353:20c next payload: KE
> >>>9-18: 10:55:59:353:20c message ID: 00000000
> >>>9-18: 10:55:59:353:20c received an unencrypted packet when crypto active
> >>>9-18: 10:55:59:353:20c GetPacket failed 35ec
> >>>9-18: 10:56:19:372:20c
> >>>9-18: 10:56:19:372:20c Receive: (get) SA = 0x000cdb78 from 192.168.10.1
> >>>9-18: 10:56:19:372:20c ISAKMP Header: (V1.0), len = 188
> >>>9-18: 10:56:19:372:20c I-COOKIE e97a526ca21d8e48
> >>>9-18: 10:56:19:372:20c R-COOKIE 0f9a37c1620ab05f
> >>>9-18: 10:56:19:372:20c exchange: Oakley Main Mode
> >>>9-18: 10:56:19:372:20c flags: 0
> >>>9-18: 10:56:19:372:20c next payload: KE
> >>>9-18: 10:56:19:372:20c message ID: 00000000
> >>>9-18: 10:56:19:372:20c received an unencrypted packet when crypto active
> >>>9-18: 10:56:19:372:20c GetPacket failed 35ec
> >>>
> >>>
>
>>--------------------------------------------------------------------------
> >>
> >>
> >---
> >
> >
> >>>As you can see, it doesn't work. BTW the same configuration works with
> >>>Win2k with no problems.
> >>>
> >>>Now I changed the following line in the ipsec.conf under WinXP:
> >>> rightca="C=DE, L=Braunschweig, O=HL CCC, OU=CA-Unit, CN=gateway"
> >>>which is the wrong DN. Then I opened the management console and
> >>>changed every certificate for all FreeSWAN rules by picking the right
> >>>certificate from the list (yes, it is installed correctly!). And now
> >>>it works:
> >>>
> >>>oakley.log
> >>>
> >>>
>
>>--------------------------------------------------------------------------
> >>
> >>
> >---
> >
> >
> >>>9-18: 11:00:16:643:6d8 Acquire from driver: op=80E12E70
> >>>src=192.168.10.96.0 dst=192.168.10.1.0 proto = 0,
> >>>SrcMask=255.255.255.255, DstMask=255.255.255.255, Tunnel 1,
> >>>TunnelEndpt=192.168.10.1 Inbound TunnelEndpt=192.168.10.96
> >>>9-18: 11:00:16:643:20c Filter to match: Src 192.168.10.1 Dst
> >>>192.168.10.96
> >>>9-18: 11:00:16:643:20c MM PolicyName: 88
> >>>9-18: 11:00:16:643:20c MMPolicy dwFlags 2 SoftSAExpireTime 28800
> >>>9-18: 11:00:16:643:20c MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
> >>>9-18: 11:00:16:643:20c MMOffer[0] Encrypt: Dreifach-DES CBC Hash: SHA
> >>>9-18: 11:00:16:643:20c MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
> >>>9-18: 11:00:16:643:20c MMOffer[1] Encrypt: Dreifach-DES CBC Hash: MD5
> >>>9-18: 11:00:16:643:20c MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
> >>>9-18: 11:00:16:643:20c MMOffer[2] Encrypt: DES CBC Hash: SHA
> >>>9-18: 11:00:16:643:20c MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
> >>>9-18: 11:00:16:653:20c MMOffer[3] Encrypt: DES CBC Hash: MD5
> >>>9-18: 11:00:16:653:20c Auth[0]:RSA Sig C=DE, L=Braunschweig, O=HL CCC,
> >>>OU=CA-Unit, CN=h.lenz@gmx.de
> >>>9-18: 11:00:16:653:20c QM PolicyName: Host-roadwarrior filter action
> >>>dwFlags 1
> >>>9-18: 11:00:16:653:20c QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
> >>>9-18: 11:00:16:653:20c QMOffer[0] dwFlags 0 dwPFSGroup 268435456
> >>>9-18: 11:00:16:653:20c Algo[0] Operation: ESP Algo: Dreifach-DES CBC
> >>>HMAC: MD5
> >>>9-18: 11:00:16:653:20c Starting Negotiation: src = 192.168.10.96.0000,
> >>>dst = 192.168.10.1.0500, proto = 00, context = 80E12E70, ProxySrc =
> >>>192.168.10.96.0000, ProxyDst = 192.168.10.1.0000 SrcMask =
> >>>255.255.255.255 DstMask = 255.255.255.255
> >>>9-18: 11:00:16:653:20c constructing ISAKMP Header
> >>>9-18: 11:00:16:653:20c constructing SA (ISAKMP)
> >>>9-18: 11:00:16:653:20c Constructing Vendor
> >>>9-18: 11:00:16:653:20c
> >>>9-18: 11:00:16:653:20c Sending: SA = 0x000CDB78 to 192.168.10.1:Type 2
> >>>9-18: 11:00:16:653:20c ISAKMP Header: (V1.0), len = 216
> >>>9-18: 11:00:16:653:20c I-COOKIE 113dfced10d7ac5d
> >>>9-18: 11:00:16:653:20c R-COOKIE 0000000000000000
> >>>9-18: 11:00:16:653:20c exchange: Oakley Main Mode
> >>>9-18: 11:00:16:653:20c flags: 0
> >>>9-18: 11:00:16:653:20c next payload: SA
> >>>9-18: 11:00:16:653:20c message ID: 00000000
> >>>9-18: 11:00:16:653:20c
> >>>9-18: 11:00:16:653:20c Receive: (get) SA = 0x000cdb78 from 192.168.10.1
> >>>9-18: 11:00:16:653:20c ISAKMP Header: (V1.0), len = 84
> >>>9-18: 11:00:16:653:20c I-COOKIE 113dfced10d7ac5d
> >>>9-18: 11:00:16:653:20c R-COOKIE ba6ca5eaadd18abc
> >>>9-18: 11:00:16:653:20c exchange: Oakley Main Mode
> >>>9-18: 11:00:16:653:20c flags: 0
> >>>9-18: 11:00:16:653:20c next payload: SA
> >>>9-18: 11:00:16:653:20c message ID: 00000000
> >>>9-18: 11:00:16:653:20c processing payload SA 9-18: 11:00:16:653:20c
> >>>Received Phase 1 Transform 1
> >>>9-18: 11:00:16:653:20c Encryption Alg Dreifach-DES CBC(5)
> >>>9-18: 11:00:16:653:20c Hash Alg SHA(2)
> >>>9-18: 11:00:16:653:20c Oakley Group 2
> >>>9-18: 11:00:16:653:20c Auth Method RSA-Signatur mit Zertifikaten(3)
> >>>9-18: 11:00:16:653:20c Life type in Seconds
> >>>9-18: 11:00:16:653:20c Life duration of 28800
> >>>9-18: 11:00:16:653:20c Phase 1 SA accepted: transform=1
> >>>9-18: 11:00:16:653:20c SA - Oakley proposal accepted
> >>>9-18: 11:00:16:653:20c constructing ISAKMP Header
> >>>9-18: 11:00:16:713:20c constructing KE
> >>>9-18: 11:00:16:713:20c constructing NONCE (ISAKMP)
> >>>9-18: 11:00:16:713:20c
> >>>9-18: 11:00:16:713:20c Sending: SA = 0x000CDB78 to 192.168.10.1:Type 2
> >>>9-18: 11:00:16:713:20c ISAKMP Header: (V1.0), len = 184
> >>>9-18: 11:00:16:713:20c I-COOKIE 113dfced10d7ac5d
> >>>9-18: 11:00:16:713:20c R-COOKIE ba6ca5eaadd18abc
> >>>9-18: 11:00:16:713:20c exchange: Oakley Main Mode
> >>>9-18: 11:00:16:713:20c flags: 0
> >>>9-18: 11:00:16:713:20c next payload: KE
> >>>9-18: 11:00:16:713:20c message ID: 00000000
> >>>9-18: 11:00:16:733:20c
> >>>9-18: 11:00:16:733:20c Receive: (get) SA = 0x000cdb78 from 192.168.10.1
> >>>9-18: 11:00:16:733:20c ISAKMP Header: (V1.0), len = 188
> >>>9-18: 11:00:16:733:20c I-COOKIE 113dfced10d7ac5d
> >>>9-18: 11:00:16:733:20c R-COOKIE ba6ca5eaadd18abc
> >>>9-18: 11:00:16:733:20c exchange: Oakley Main Mode
> >>>9-18: 11:00:16:733:20c flags: 0
> >>>9-18: 11:00:16:733:20c next payload: KE
> >>>9-18: 11:00:16:733:20c message ID: 00000000
> >>>9-18: 11:00:16:733:20c processing payload KE 9-18: 11:00:16:753:20c
> >>>processing payload NONCE
> >>>9-18: 11:00:16:753:20c processing payload CRP
> >>>9-18: 11:00:16:753:20c constructing ISAKMP Header
> >>>9-18: 11:00:16:753:20c constructing ID
> >>>9-18: 11:00:16:753:20c Received no valid CRPs. Using all configured
> >>>9-18: 11:00:16:753:20c Looking for IPSec only cert
> >>>9-18: 11:00:16:753:20c Cert Trustes. 0 100
> >>>9-18: 11:00:16:773:20c Entered CRL check
> >>>9-18: 11:00:16:773:20c Left CRL check
> >>>9-18: 11:00:16:773:20c Cert SHA Thumbprint
> >>>8a2076249489a4a0109f6415d78702ca
> >>>9-18: 11:00:16:773:20c aacd17b4
> >>>9-18: 11:00:16:773:20c SubjectName: C=DE, L=Braunschweig, O=HL CCC,
> >>>OU=Aussendienst, CN=root@jinni.lokalnetz.de
> >>>9-18: 11:00:16:773:20c Cert Serialnumber 02
> >>>9-18: 11:00:16:773:20c Cert SHA Thumbprint
> >>>8a2076249489a4a0109f6415d78702ca
> >>>9-18: 11:00:16:773:20c aacd17b4
> >>>9-18: 11:00:16:773:20c SubjectName: C=DE, L=Braunschweig, O=HL CCC,
> >>>OU=CA-Unit, CN=h.lenz@gmx.de
> >>>9-18: 11:00:16:773:20c Cert Serialnumber 00
> >>>9-18: 11:00:16:773:20c Cert SHA Thumbprint
> >>>7c44a1a1c6f14f7f519c7afa1371a230
> >>>9-18: 11:00:16:773:20c 46197b33
> >>>9-18: 11:00:16:773:20c constructing CERT
> >>>9-18: 11:00:16:773:20c Construct SIG
> >>>9-18: 11:00:16:783:20c Constructing Cert Request
> >>>9-18: 11:00:16:783:20c C=DE, L=Braunschweig, O=HL CCC, OU=CA-Unit,
> >>>CN=h.lenz@gmx.de
> >>>9-18: 11:00:16:783:20c
> >>>9-18: 11:00:16:783:20c Sending: SA = 0x000CDB78 to 192.168.10.1:Type 2
> >>>9-18: 11:00:16:783:20c ISAKMP Header: (V1.0), len = 1132
> >>>9-18: 11:00:16:783:20c I-COOKIE 113dfced10d7ac5d
> >>>9-18: 11:00:16:783:20c R-COOKIE ba6ca5eaadd18abc
> >>>9-18: 11:00:16:783:20c exchange: Oakley Main Mode
> >>>9-18: 11:00:16:783:20c flags: 1 ( encrypted )
> >>>9-18: 11:00:16:783:20c next payload: ID
> >>>9-18: 11:00:16:783:20c message ID: 00000000
> >>>9-18: 11:00:16:793:20c
> >>>9-18: 11:00:16:793:20c Receive: (get) SA = 0x000cdb78 from 192.168.10.1
> >>>9-18: 11:00:16:793:20c ISAKMP Header: (V1.0), len = 988
> >>>9-18: 11:00:16:793:20c I-COOKIE 113dfced10d7ac5d
> >>>9-18: 11:00:16:793:20c R-COOKIE ba6ca5eaadd18abc
> >>>9-18: 11:00:16:793:20c exchange: Oakley Main Mode
> >>>9-18: 11:00:16:793:20c flags: 1 ( encrypted )
> >>>9-18: 11:00:16:793:20c next payload: ID
> >>>9-18: 11:00:16:793:20c message ID: 00000000
> >>>9-18: 11:00:16:793:20c processing payload ID 9-18: 11:00:16:793:20c
> >>>processing payload CERT
> >>>9-18: 11:00:16:793:20c processing payload SIG
> >>>9-18: 11:00:16:793:20c Verifying CertStore
> >>>9-18: 11:00:16:793:20c SubjectName: C=DE, L=Braunschweig, O=HL CCC,
> >>>OU=CA-Unit, CN=Gateway
> >>>9-18: 11:00:16:793:20c Cert Serialnumber 01
> >>>9-18: 11:00:16:793:20c Cert SHA Thumbprint
> >>>ed13936f44a66f88cf036efea0885047
> >>>9-18: 11:00:16:793:20c dd1cb57a
> >>>9-18: 11:00:16:793:20c Cert Trustes. 0 100
> >>>9-18: 11:00:16:793:20c SubjectName: C=DE, L=Braunschweig, O=HL CCC,
> >>>OU=CA-Unit, CN=Gateway
> >>>9-18: 11:00:16:793:20c Cert Serialnumber 01
> >>>9-18: 11:00:16:793:20c Cert SHA Thumbprint
> >>>ed13936f44a66f88cf036efea0885047
> >>>9-18: 11:00:16:793:20c dd1cb57a
> >>>9-18: 11:00:16:793:20c SubjectName: C=DE, L=Braunschweig, O=HL CCC,
> >>>OU=CA-Unit, CN=h.lenz@gmx.de
> >>>9-18: 11:00:16:793:20c Cert Serialnumber 00
> >>>9-18: 11:00:16:793:20c Cert SHA Thumbprint
> >>>7c44a1a1c6f14f7f519c7afa1371a230
> >>>9-18: 11:00:16:793:20c 46197b33
> >>>9-18: 11:00:16:793:20c Cert SHA Thumbprint
> >>>ed13936f44a66f88cf036efea0885047
> >>>9-18: 11:00:16:793:20c dd1cb57a
> >>>9-18: 11:00:16:793:20c Entered CRL check
> >>>9-18: 11:00:16:803:20c Left CRL check
> >>>9-18: 11:00:16:803:20c Signature validated
> >>>
> >>>9-18: 11:00:16:803:20c MM established. SA: 000CDB78
> >>>9-18: 11:00:16:803:20c GetSpi: src = 192.168.10.1.0000, dst =
> >>>192.168.10.96.0000, proto = 00, context = 80E12E70, srcMask =
> >>>255.255.255.255, destMask = 255.255.255.255, TunnelFilter 1
> >>>9-18: 11:00:16:813:20c Setting SPI 3289714726
> >>>9-18: 11:00:16:813:20c constructing ISAKMP Header
> >>>9-18: 11:00:16:813:20c constructing HASH (null)
> >>>9-18: 11:00:16:813:20c constructing SA (IPSEC)
> >>>9-18: 11:00:16:813:20c Sending Tunnelling Attribute
> >>>9-18: 11:00:16:813:20c constructing QM KE
> >>>9-18: 11:00:16:863:20c constructing NONCE (IPSEC)
> >>>9-18: 11:00:16:863:20c constructing ID (proxy)
> >>>9-18: 11:00:16:863:20c constructing ID (proxy)
> >>>9-18: 11:00:16:863:20c constructing HASH (QM)
> >>>9-18: 11:00:16:863:20c
> >>>9-18: 11:00:16:863:20c Sending: SA = 0x000CDB78 to 192.168.10.1:Type 2
> >>>9-18: 11:00:16:863:20c ISAKMP Header: (V1.0), len = 300
> >>>9-18: 11:00:16:863:20c I-COOKIE 113dfced10d7ac5d
> >>>9-18: 11:00:16:863:20c R-COOKIE ba6ca5eaadd18abc
> >>>9-18: 11:00:16:863:20c exchange: Oakley Quick Mode
> >>>9-18: 11:00:16:863:20c flags: 1 ( encrypted )
> >>>9-18: 11:00:16:863:20c next payload: HASH
> >>>9-18: 11:00:16:873:20c message ID: e4ab1512
> >>>9-18: 11:00:16:873:20c
> >>>9-18: 11:00:16:873:20c Receive: (get) SA = 0x000cdb78 from 192.168.10.1
> >>>9-18: 11:00:16:873:20c ISAKMP Header: (V1.0), len = 300
> >>>9-18: 11:00:16:873:20c I-COOKIE 113dfced10d7ac5d
> >>>9-18: 11:00:16:873:20c R-COOKIE ba6ca5eaadd18abc
> >>>9-18: 11:00:16:873:20c exchange: Oakley Quick Mode
> >>>9-18: 11:00:16:873:20c flags: 1 ( encrypted )
> >>>9-18: 11:00:16:873:20c next payload: HASH
> >>>9-18: 11:00:16:873:20c message ID: e4ab1512
> >>>9-18: 11:00:16:873:20c Received commit re-send
> >>>9-18: 11:00:16:873:20c processing HASH (QM)
> >>>9-18: 11:00:16:873:20c processing payload NONCE
> >>>9-18: 11:00:16:873:20c processing payload KE 9-18: 11:00:16:873:20c
> >>>Quick Mode KE processed; Saved KE data
> >>>9-18: 11:00:16:873:20c processing payload ID 9-18: 11:00:16:873:20c
> >>>processing payload ID 9-18: 11:00:16:873:20c processing payload SA
> >>>9-18: 11:00:16:873:20c Negotiated Proxy ID: Src 192.168.10.96.0 Dst
> >>>192.168.10.1.0
> >>>9-18: 11:00:16:873:20c Checking Proposal 1: Proto= ESP(3), num trans=1
> >>>Next=0
> >>>9-18: 11:00:16:873:20c Checking Transform # 1: ID=Dreifach-DES CBC(3)
> >>>9-18: 11:00:16:873:20c SA life type in seconds
> >>>9-18: 11:00:16:873:20c SA life duration 00000e10
> >>>9-18: 11:00:16:873:20c SA life type in kilobytes
> >>>9-18: 11:00:16:873:20c SA life duration 0000c350
> >>>9-18: 11:00:16:883:20c tunnel mode is Tunnelmodus(1)
> >>>9-18: 11:00:16:883:20c HMAC algorithm is MD5(1)
> >>>9-18: 11:00:16:883:20c group description for PFS is 2
> >>>9-18: 11:00:16:883:20c Phase 2 SA accepted: proposal=1 transform=1
> >>>9-18: 11:00:16:913:20c constructing ISAKMP Header
> >>>9-18: 11:00:16:913:20c constructing HASH (QM)
> >>>9-18: 11:00:16:913:20c Adding QMs: src = 192.168.10.96.0000, dst =
> >>>192.168.10.1.0000, proto = 00, context = 80E12E70, my tunnel =
> >>>192.168.10.96, peer tunnel = 192.168.10.1, SrcMask = 0.0.0.0, DestMask
> >>>= 0.0.0.0 Lifetime = 3600 LifetimeKBytes 50000 dwFlags 1
> >>>9-18: 11:00:16:913:20c Algo[0] Operation: ESP Algo: Dreifach-DES CBC
> >>>HMAC: MD5
> >>>9-18: 11:00:16:913:20c Algo[0] MySpi: 3289714726 PeerSpi: 661398693
> >>>9-18: 11:00:16:923:20c QM Established SA: 000CDB78 Centry: 0011AE10
> >>>9-18: 11:00:16:933:20c isadb_set_status sa:000CDB78 centry:0011AE10
> >>>status 0
> >>>9-18: 11:00:16:933:20c
> >>>9-18: 11:00:16:933:20c Sending: SA = 0x000CDB78 to 192.168.10.1:Type 4
> >>>9-18: 11:00:16:933:20c ISAKMP Header: (V1.0), len = 52
> >>>9-18: 11:00:16:933:20c I-COOKIE 113dfced10d7ac5d
> >>>9-18: 11:00:16:933:20c R-COOKIE ba6ca5eaadd18abc
> >>>9-18: 11:00:16:933:20c exchange: Oakley Quick Mode
> >>>9-18: 11:00:16:933:20c flags: 1 ( encrypted )
> >>>9-18: 11:00:16:933:20c next payload: HASH
> >>>9-18: 11:00:16:933:20c message ID: e4ab1512
> >>>9-18: 11:00:30:653:6d8 Acquire from driver: op=80E12360
> >>>src=192.168.10.96.0 dst=192.168.0.1.0 proto = 0,
> >>>SrcMask=255.255.255.255, DstMask=255.255.255.0, Tunnel 1,
> >>>TunnelEndpt=192.168.10.1 Inbound TunnelEndpt=192.168.10.96
> >>>9-18: 11:00:30:653:20c Filter to match: Src 192.168.10.1 Dst
> >>>192.168.10.96
> >>>9-18: 11:00:30:653:20c MM PolicyName: 88
> >>>9-18: 11:00:30:653:20c MMPolicy dwFlags 2 SoftSAExpireTime 28800
> >>>9-18: 11:00:30:653:20c MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
> >>>9-18: 11:00:30:653:20c MMOffer[0] Encrypt: Dreifach-DES CBC Hash: SHA
> >>>9-18: 11:00:30:653:20c MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
> >>>9-18: 11:00:30:653:20c MMOffer[1] Encrypt: Dreifach-DES CBC Hash: MD5
> >>>9-18: 11:00:30:653:20c MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
> >>>9-18: 11:00:30:653:20c MMOffer[2] Encrypt: DES CBC Hash: SHA
> >>>9-18: 11:00:30:653:20c MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
> >>>9-18: 11:00:30:653:20c MMOffer[3] Encrypt: DES CBC Hash: MD5
> >>>9-18: 11:00:30:653:20c Auth[0]:RSA Sig C=DE, L=Braunschweig, O=HL CCC,
> >>>OU=CA-Unit, CN=h.lenz@gmx.de
> >>>9-18: 11:00:30:653:20c QM PolicyName: Host-roadwarrior-net filter
> >>>action dwFlags 1
> >>>9-18: 11:00:30:653:20c QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
> >>>9-18: 11:00:30:653:20c QMOffer[0] dwFlags 0 dwPFSGroup 268435456
> >>>9-18: 11:00:30:653:20c Algo[0] Operation: ESP Algo: Dreifach-DES CBC
> >>>HMAC: MD5
> >>>9-18: 11:00:30:653:20c Starting Negotiation: src = 192.168.10.96.0000,
> >>>dst = 192.168.10.1.0500, proto = 00, context = 80E12360, ProxySrc =
> >>>192.168.10.96.0000, ProxyDst = 192.168.0.0.0000 SrcMask =
> >>>255.255.255.255 DstMask = 255.255.255.0
> >>>9-18: 11:00:30:653:20c constructing ISAKMP Header
> >>>9-18: 11:00:30:653:20c constructing SA (ISAKMP)
> >>>9-18: 11:00:30:653:20c Constructing Vendor
> >>>9-18: 11:00:30:653:20c
> >>>9-18: 11:00:30:653:20c Sending: SA = 0x00118490 to 192.168.10.1:Type 2
> >>>9-18: 11:00:30:653:20c ISAKMP Header: (V1.0), len = 216
> >>>9-18: 11:00:30:653:20c I-COOKIE 82cbed8576c7bb6d
> >>>9-18: 11:00:30:653:20c R-COOKIE 0000000000000000
> >>>9-18: 11:00:30:653:20c exchange: Oakley Main Mode
> >>>9-18: 11:00:30:653:20c flags: 0
> >>>9-18: 11:00:30:653:20c next payload: SA
> >>>9-18: 11:00:30:653:20c message ID: 00000000
> >>>9-18: 11:00:30:653:20c
> >>>9-18: 11:00:30:653:20c Receive: (get) SA = 0x00118490 from 192.168.10.1
> >>>9-18: 11:00:30:653:20c ISAKMP Header: (V1.0), len = 84
> >>>9-18: 11:00:30:653:20c I-COOKIE 82cbed8576c7bb6d
> >>>9-18: 11:00:30:653:20c R-COOKIE 07d090648f8bcaf0
> >>>9-18: 11:00:30:653:20c exchange: Oakley Main Mode
> >>>9-18: 11:00:30:653:20c flags: 0
> >>>9-18: 11:00:30:653:20c next payload: SA
> >>>9-18: 11:00:30:653:20c message ID: 00000000
> >>>9-18: 11:00:30:653:20c processing payload SA 9-18: 11:00:30:653:20c
> >>>Received Phase 1 Transform 1
> >>>9-18: 11:00:30:653:20c Encryption Alg Dreifach-DES CBC(5)
> >>>9-18: 11:00:30:663:20c Hash Alg SHA(2)
> >>>9-18: 11:00:30:663:20c Oakley Group 2
> >>>9-18: 11:00:30:663:20c Auth Method RSA-Signatur mit Zertifikaten(3)
> >>>9-18: 11:00:30:663:20c Life type in Seconds
> >>>9-18: 11:00:30:663:20c Life duration of 28800
> >>>9-18: 11:00:30:663:20c Phase 1 SA accepted: transform=1
> >>>9-18: 11:00:30:663:20c SA - Oakley proposal accepted
> >>>9-18: 11:00:30:663:20c constructing ISAKMP Header
> >>>9-18: 11:00:30:713:20c constructing KE
> >>>9-18: 11:00:30:713:20c constructing NONCE (ISAKMP)
> >>>9-18: 11:00:30:713:20c
> >>>9-18: 11:00:30:713:20c Sending: SA = 0x00118490 to 192.168.10.1:Type 2
> >>>9-18: 11:00:30:713:20c ISAKMP Header: (V1.0), len = 184
> >>>9-18: 11:00:30:713:20c I-COOKIE 82cbed8576c7bb6d
> >>>9-18: 11:00:30:713:20c R-COOKIE 07d090648f8bcaf0
> >>>9-18: 11:00:30:713:20c exchange: Oakley Main Mode
> >>>9-18: 11:00:30:713:20c flags: 0
> >>>9-18: 11:00:30:713:20c next payload: KE
> >>>9-18: 11:00:30:713:20c message ID: 00000000
> >>>9-18: 11:00:30:723:20c
> >>>9-18: 11:00:30:723:20c Receive: (get) SA = 0x00118490 from 192.168.10.1
> >>>9-18: 11:00:30:723:20c ISAKMP Header: (V1.0), len = 188
> >>>9-18: 11:00:30:723:20c I-COOKIE 82cbed8576c7bb6d
> >>>9-18: 11:00:30:723:20c R-COOKIE 07d090648f8bcaf0
> >>>9-18: 11:00:30:723:20c exchange: Oakley Main Mode
> >>>9-18: 11:00:30:723:20c flags: 0
> >>>9-18: 11:00:30:723:20c next payload: KE
> >>>9-18: 11:00:30:723:20c message ID: 00000000
> >>>9-18: 11:00:30:723:20c processing payload KE 9-18: 11:00:30:743:20c
> >>>processing payload NONCE
> >>>9-18: 11:00:30:753:20c processing payload CRP
> >>>9-18: 11:00:30:753:20c constructing ISAKMP Header
> >>>9-18: 11:00:30:753:20c constructing ID
> >>>9-18: 11:00:30:753:20c Received no valid CRPs. Using all configured
> >>>9-18: 11:00:30:753:20c Looking for IPSec only cert
> >>>9-18: 11:00:30:753:20c Cert Trustes. 0 100
> >>>9-18: 11:00:30:753:20c Entered CRL check
> >>>9-18: 11:00:30:753:20c Left CRL check
> >>>9-18: 11:00:30:763:20c Cert SHA Thumbprint
> >>>8a2076249489a4a0109f6415d78702ca
> >>>9-18: 11:00:30:763:20c aacd17b4
> >>>9-18: 11:00:30:763:20c SubjectName: C=DE, L=Braunschweig, O=HL CCC,
> >>>OU=Aussendienst, CN=root@jinni.lokalnetz.de
> >>>9-18: 11:00:30:763:20c Cert Serialnumber 02
> >>>9-18: 11:00:30:763:20c Cert SHA Thumbprint
> >>>8a2076249489a4a0109f6415d78702ca
> >>>9-18: 11:00:30:763:20c aacd17b4
> >>>9-18: 11:00:30:763:20c SubjectName: C=DE, L=Braunschweig, O=HL CCC,
> >>>OU=CA-Unit, CN=h.lenz@gmx.de
> >>>9-18: 11:00:30:763:20c Cert Serialnumber 00
> >>>9-18: 11:00:30:763:20c Cert SHA Thumbprint
> >>>7c44a1a1c6f14f7f519c7afa1371a230
> >>>9-18: 11:00:30:763:20c 46197b33
> >>>9-18: 11:00:30:763:20c constructing CERT
> >>>9-18: 11:00:30:763:20c Construct SIG
> >>>9-18: 11:00:30:763:20c Constructing Cert Request
> >>>9-18: 11:00:30:763:20c C=DE, L=Braunschweig, O=HL CCC, OU=CA-Unit,
> >>>CN=h.lenz@gmx.de
> >>>9-18: 11:00:30:763:20c
> >>>9-18: 11:00:30:763:20c Sending: SA = 0x00118490 to 192.168.10.1:Type 2
> >>>9-18: 11:00:30:763:20c ISAKMP Header: (V1.0), len = 1132
> >>>9-18: 11:00:30:763:20c I-COOKIE 82cbed8576c7bb6d
> >>>9-18: 11:00:30:763:20c R-COOKIE 07d090648f8bcaf0
> >>>9-18: 11:00:30:763:20c exchange: Oakley Main Mode
> >>>9-18: 11:00:30:773:20c flags: 1 ( encrypted )
> >>>9-18: 11:00:30:773:20c next payload: ID
> >>>9-18: 11:00:30:773:20c message ID: 00000000
> >>>9-18: 11:00:30:773:20c
> >>>9-18: 11:00:30:773:20c Receive: (get) SA = 0x00118490 from 192.168.10.1
> >>>9-18: 11:00:30:773:20c ISAKMP Header: (V1.0), len = 988
> >>>9-18: 11:00:30:773:20c I-COOKIE 82cbed8576c7bb6d
> >>>9-18: 11:00:30:773:20c R-COOKIE 07d090648f8bcaf0
> >>>9-18: 11:00:30:773:20c exchange: Oakley Main Mode
> >>>9-18: 11:00:30:773:20c flags: 1 ( encrypted )
> >>>9-18: 11:00:30:773:20c next payload: ID
> >>>9-18: 11:00:30:773:20c message ID: 00000000
> >>>9-18: 11:00:30:773:20c processing payload ID 9-18: 11:00:30:773:20c
> >>>processing payload CERT
> >>>9-18: 11:00:30:773:20c processing payload SIG
> >>>9-18: 11:00:30:773:20c Verifying CertStore
> >>>9-18: 11:00:30:773:20c SubjectName: C=DE, L=Braunschweig, O=HL CCC,
> >>>OU=CA-Unit, CN=Gateway
> >>>9-18: 11:00:30:773:20c Cert Serialnumber 01
> >>>9-18: 11:00:30:773:20c Cert SHA Thumbprint
> >>>ed13936f44a66f88cf036efea0885047
> >>>9-18: 11:00:30:773:20c dd1cb57a
> >>>9-18: 11:00:30:783:20c Cert Trustes. 0 100
> >>>9-18: 11:00:30:783:20c SubjectName: C=DE, L=Braunschweig, O=HL CCC,
> >>>OU=CA-Unit, CN=Gateway
> >>>9-18: 11:00:30:783:20c Cert Serialnumber 01
> >>>9-18: 11:00:30:783:20c Cert SHA Thumbprint
> >>>ed13936f44a66f88cf036efea0885047
> >>>9-18: 11:00:30:783:20c dd1cb57a
> >>>9-18: 11:00:30:783:20c SubjectName: C=DE, L=Braunschweig, O=HL CCC,
> >>>OU=CA-Unit, CN=h.lenz@gmx.de
> >>>9-18: 11:00:30:783:20c Cert Serialnumber 00
> >>>9-18: 11:00:30:783:20c Cert SHA Thumbprint
> >>>7c44a1a1c6f14f7f519c7afa1371a230
> >>>9-18: 11:00:30:783:20c 46197b33
> >>>9-18: 11:00:30:783:20c Cert SHA Thumbprint
> >>>ed13936f44a66f88cf036efea0885047
> >>>9-18: 11:00:30:783:20c dd1cb57a
> >>>9-18: 11:00:30:783:20c Entered CRL check
> >>>9-18: 11:00:30:783:20c Left CRL check
> >>>9-18: 11:00:30:783:20c Signature validated
> >>>
> >>>9-18: 11:00:30:783:20c MM established. SA: 00118490
> >>>9-18: 11:00:30:783:20c GetSpi: src = 192.168.0.0.0000, dst =
> >>>192.168.10.96.0000, proto = 00, context = 80E12360, srcMask =
> >>>255.255.255.0, destMask = 255.255.255.255, TunnelFilter 1
> >>>9-18: 11:00:30:783:20c Setting SPI 2350217156
> >>>9-18: 11:00:30:783:20c constructing ISAKMP Header
> >>>9-18: 11:00:30:783:20c constructing HASH (null)
> >>>9-18: 11:00:30:783:20c constructing SA (IPSEC)
> >>>9-18: 11:00:30:783:20c Sending Tunnelling Attribute
> >>>9-18: 11:00:30:783:20c constructing QM KE
> >>>9-18: 11:00:30:853:20c constructing NONCE (IPSEC)
> >>>9-18: 11:00:30:853:20c constructing ID (proxy)
> >>>9-18: 11:00:30:853:20c constructing ID (proxy)
> >>>9-18: 11:00:30:853:20c constructing HASH (QM)
> >>>9-18: 11:00:30:853:20c
> >>>9-18: 11:00:30:853:20c Sending: SA = 0x00118490 to 192.168.10.1:Type 2
> >>>9-18: 11:00:30:853:20c ISAKMP Header: (V1.0), len = 308
> >>>9-18: 11:00:30:853:20c I-COOKIE 82cbed8576c7bb6d
> >>>9-18: 11:00:30:853:20c R-COOKIE 07d090648f8bcaf0
> >>>9-18: 11:00:30:853:20c exchange: Oakley Quick Mode
> >>>9-18: 11:00:30:853:20c flags: 1 ( encrypted )
> >>>9-18: 11:00:30:853:20c next payload: HASH
> >>>9-18: 11:00:30:853:20c message ID: 300e7ed8
> >>>9-18: 11:00:30:864:20c
> >>>9-18: 11:00:30:864:20c Receive: (get) SA = 0x00118490 from 192.168.10.1
> >>>9-18: 11:00:30:864:20c ISAKMP Header: (V1.0), len = 300
> >>>9-18: 11:00:30:864:20c I-COOKIE 82cbed8576c7bb6d
> >>>9-18: 11:00:30:864:20c R-COOKIE 07d090648f8bcaf0
> >>>9-18: 11:00:30:864:20c exchange: Oakley Quick Mode
> >>>9-18: 11:00:30:864:20c flags: 1 ( encrypted )
> >>>9-18: 11:00:30:864:20c next payload: HASH
> >>>9-18: 11:00:30:864:20c message ID: 300e7ed8
> >>>9-18: 11:00:30:864:20c Received commit re-send
> >>>9-18: 11:00:30:864:20c processing HASH (QM)
> >>>9-18: 11:00:30:864:20c processing payload NONCE
> >>>9-18: 11:00:30:864:20c processing payload KE 9-18: 11:00:30:864:20c
> >>>Quick Mode KE processed; Saved KE data
> >>>9-18: 11:00:30:864:20c processing payload ID 9-18: 11:00:30:864:20c
> >>>processing payload ID 9-18: 11:00:30:864:20c processing payload SA
> >>>9-18: 11:00:30:864:20c Negotiated Proxy ID: Src 192.168.10.96.0 Dst
> >>>192.168.0.0.0
> >>>9-18: 11:00:30:864:20c Dst id for subnet. Mask 255.255.255.0
> >>>9-18: 11:00:30:864:20c Checking Proposal 1: Proto= ESP(3), num trans=1
> >>>Next=0
> >>>9-18: 11:00:30:864:20c Checking Transform # 1: ID=Dreifach-DES CBC(3)
> >>>9-18: 11:00:30:864:20c SA life type in seconds
> >>>9-18: 11:00:30:864:20c SA life duration 00000e10
> >>>9-18: 11:00:30:864:20c SA life type in kilobytes
> >>>9-18: 11:00:30:864:20c SA life duration 0000c350
> >>>9-18: 11:00:30:864:20c tunnel mode is Tunnelmodus(1)
> >>>9-18: 11:00:30:864:20c HMAC algorithm is MD5(1)
> >>>9-18: 11:00:30:864:20c group description for PFS is 2
> >>>9-18: 11:00:30:864:20c Phase 2 SA accepted: proposal=1 transform=1
> >>>9-18: 11:00:30:884:20c constructing ISAKMP Header
> >>>9-18: 11:00:30:894:20c constructing HASH (QM)
> >>>9-18: 11:00:30:894:20c Adding QMs: src = 192.168.10.96.0000, dst =
> >>>192.168.0.0.0000, proto = 00, context = 80E12360, my tunnel =
> >>>192.168.10.96, peer tunnel = 192.168.10.1, SrcMask = 0.0.0.0, DestMask
> >>>= 255.255.255.0 Lifetime = 3600 LifetimeKBytes 50000 dwFlags 1
> >>>9-18: 11:00:30:894:20c Algo[0] Operation: ESP Algo: Dreifach-DES CBC
> >>>HMAC: MD5
> >>>9-18: 11:00:30:894:20c Algo[0] MySpi: 2350217156 PeerSpi: 661398694
> >>>9-18: 11:00:30:894:20c QM Established SA: 00118490 Centry: 001133F0
> >>>9-18: 11:00:30:894:20c isadb_set_status sa:00118490 centry:001133F0
> >>>status 0
> >>>9-18: 11:00:30:894:20c
> >>>9-18: 11:00:30:894:20c Sending: SA = 0x00118490 to 192.168.10.1:Type 4
> >>>9-18: 11:00:30:894:20c ISAKMP Header: (V1.0), len = 52
> >>>9-18: 11:00:30:894:20c I-COOKIE 82cbed8576c7bb6d
> >>>9-18: 11:00:30:894:20c R-COOKIE 07d090648f8bcaf0
> >>>9-18: 11:00:30:894:20c exchange: Oakley Quick Mode
> >>>9-18: 11:00:30:894:20c flags: 1 ( encrypted )
> >>>9-18: 11:00:30:894:20c next payload: HASH
> >>>9-18: 11:00:30:894:20c message ID: 300e7ed8
> >>>
> >>>
>
>>--------------------------------------------------------------------------
> >>
> >>
> >---
> >
> >
> >>>As you can see, the CA is exactly the same so I suspect that the
> >>>ipseccmd.exe cannot set up the rules correctly. If somebody sees any
> >>>other reason for this strange behaviour, please HELP!!!!!
> >>>
> >>>Regards Helge.
> >>>
> >>>_______________________________________________



FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr

Received on Tue Sep 23 08:58:42 2003
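Added example, not part of the original thread or of FreeS/WAN or Windows tooling: a small triage script for an Oakley log that has passed through e-mail quoting, as the one above has. It strips the `>` markers, rejoins records that line wrapping split, groups events by I-COOKIE and reports which negotiation failed on certificate lookup. The function names and the abridged `SAMPLE` (lines taken from the log quoted above) are constructed for illustration, and the code table covers only the two values seen in that log.

```python
import re
from collections import OrderedDict

# Quote markers ("> >>>") that mail clients put in front of each log line.
QUOTE_PREFIX = re.compile(r'^[>\s]*')
# Oakley record: "M-D: HH:MM:SS:mmm:<thread id> <message>"
RECORD = re.compile(r'^(\d{1,2}-\d{1,2}): (\d\d:\d\d:\d\d:\d{3}):([0-9a-f]+)\s?(.*)$')

# Only the two codes that appear in the quoted log are named here.
KNOWN_CODES = {
    '80092004': 'CRYPT_E_NOT_FOUND (cannot find object or property)',
    '35ee': 'ERROR_IPSEC_IKE_NO_CERT (13806)',
}


def unwrap(text):
    """Return [timestamp, message] records with wrapped lines rejoined."""
    records = []
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub('', raw).rstrip()
        if not line:
            continue
        m = RECORD.match(line)
        if m:
            records.append([m.group(2), m.group(4)])
        elif records:
            # No timestamp: continuation of the previous, wrapped record.
            records[-1][1] = (records[-1][1] + ' ' + line).strip()
    return records


def summarize(text):
    """Group certificate errors and SA milestones by initiator cookie."""
    sessions = OrderedDict()
    current = None
    for stamp, msg in unwrap(text):
        m = re.match(r'I-COOKIE ([0-9a-f]{16})', msg)
        if m:
            current = sessions.setdefault(m.group(1), {
                'first_seen': stamp, 'errors': [],
                'mm_established': False, 'qm_established': 0})
            continue
        if current is None:
            continue  # log excerpt starts mid-negotiation
        for pattern in (r'failed to get chain ([0-9a-fA-F]{8})',
                        r'ProcessFailure: .*status:\s*([0-9a-f]+)'):
            m = re.search(pattern, msg)
            if m and m.group(1).lower() not in current['errors']:
                current['errors'].append(m.group(1).lower())
        if msg.startswith('MM established'):
            current['mm_established'] = True
        if msg.startswith('QM Established'):
            current['qm_established'] += 1
    return sessions


def verdict(session):
    """One-line outcome for a negotiation summary."""
    if session['errors'] and not session['mm_established']:
        names = [KNOWN_CODES.get(c, 'code ' + c) for c in session['errors']]
        return 'FAILED: ' + '; '.join(names)
    if session['mm_established'] and session['qm_established']:
        return 'OK'
    return 'INCOMPLETE'


# Constructed, abridged sample in the mail-quoted format shown above.
SAMPLE = """\
> >>>9-18: 10:55:50:240:438 I-COOKIE e97a526ca21d8e48
> >>>9-18: 10:55:50:270:438 Looking for IPSec only cert
> >>>9-18: 10:55:50:280:438 failed to get chain 80092004
> >>>9-18: 10:55:50:280:438 Looking for any cert
> >>>9-18: 10:55:50:280:438 failed to get chain 80092004
> >>>9-18: 10:55:50:280:438 ProcessFailure: sa:000CDB78 centry:00000000
> >>>status:35ee
> >>>9-18: 11:00:16:653:20c I-COOKIE 113dfced10d7ac5d
> >>>9-18: 11:00:16:803:20c Signature validated
> >>>9-18: 11:00:16:803:20c MM established. SA: 000CDB78
> >>>9-18: 11:00:16:923:20c QM Established SA: 000CDB78 Centry: 0011AE10
"""

if __name__ == '__main__':
    for cookie, session in summarize(SAMPLE).items():
        print(cookie, session['first_seen'], verdict(session))
```

Grouping is by cookie rather than by SA handle because the quoted log reuses handle 000CDB78 for both the failed and the successful attempt.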

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:01:59 EDT

