Hosting Provided By

Re: [Users] Symantec Firewall/VPN interop

From: Ryley Breiddal <RBreiddal(at)presinet.com>
Date: Fri Feb 13 2004 - 12:01:22 EST

Hi,

auth.log follows with plutodebug=all (550ish lines). I may have taken too much off the top and bottom, but I think I got everything important.

auth.log ======================== ... next event EVENT_SHUNT_SCAN in 120 seconds

*received whack message

creating state object #1 at 0x80f0b08
ICOOKIE: e9 7e 9a 94 96 55 75 e7
RCOOKIE: 00 00 00 00 00 00 00 00
peer: 8e b3 43 41
state hash entry 17
inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1 Queuing pending Quick Mode with 111.111.111.111 "sg1-sg3" "sg1-sg3" #1: initiating Main Mode
**emit ISAKMP Message:

    initiator cookie:
   e9 7e 9a 94 96 55 75 e7
    responder cookie:
   00 00 00 00 00 00 00 00
    next payload type: ISAKMP_NEXT_SA
    ISAKMP version: ISAKMP Version 1.0
    exchange type: ISAKMP_XCHG_IDPROT
    flags: none
    message ID: 00 00 00 00
***emit ISAKMP Security Association Payload:

next payload type: ISAKMP_NEXT_NONE
DOI: ISAKMP_DOI_IPSEC
****emit IPsec DOI SIT:

IPsec DOI SIT: SIT_IDENTITY_ONLY
5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
****emit ISAKMP Proposal Payload:

    next payload type: ISAKMP_NEXT_NONE
    proposal number: 0
    protocol ID: PROTO_ISAKMP
    SPI size: 0
    number of transforms: 6
*****emit ISAKMP Transform Payload (ISAKMP):

    next payload type: ISAKMP_NEXT_T
    transform number: 0
    transform ID: KEY_IKE
******emit ISAKMP Oakley attribute:

Do you need help?

    af+type: OAKLEY_LIFE_TYPE
    length/value: 1
     [1 is OAKLEY_LIFE_SECONDS]
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_LIFE_DURATION
length/value: 3600
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_ENCRYPTION_ALGORITHM length/value: 5
[5 is OAKLEY_3DES_CBC]
******emit ISAKMP Oakley attribute:

    af+type: OAKLEY_HASH_ALGORITHM
    length/value: 1
     [1 is OAKLEY_MD5]
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_AUTHENTICATION_METHOD length/value: 1
[1 is OAKLEY_PRESHARED_KEY]
******emit ISAKMP Oakley attribute:

    af+type: OAKLEY_GROUP_DESCRIPTION
    length/value: 5
     [5 is OAKLEY_GROUP_MODP1536 (extension)] emitting length of ISAKMP Transform Payload (ISAKMP): 32
*****emit ISAKMP Transform Payload (ISAKMP):

    next payload type: ISAKMP_NEXT_T
    transform number: 1
    transform ID: KEY_IKE
******emit ISAKMP Oakley attribute:

    af+type: OAKLEY_LIFE_TYPE
    length/value: 1
     [1 is OAKLEY_LIFE_SECONDS]
******emit ISAKMP Oakley attribute:

Do you need more help?

af+type: OAKLEY_LIFE_DURATION
length/value: 3600
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_ENCRYPTION_ALGORITHM length/value: 5
[5 is OAKLEY_3DES_CBC]
******emit ISAKMP Oakley attribute:

    af+type: OAKLEY_HASH_ALGORITHM
    length/value: 2
     [2 is OAKLEY_SHA]
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_AUTHENTICATION_METHOD length/value: 1
[1 is OAKLEY_PRESHARED_KEY]
******emit ISAKMP Oakley attribute:

    next payload type: ISAKMP_NEXT_T
    transform number: 2
    transform ID: KEY_IKE
******emit ISAKMP Oakley attribute:

    af+type: OAKLEY_LIFE_TYPE
    length/value: 1
     [1 is OAKLEY_LIFE_SECONDS]
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_LIFE_DURATION
length/value: 3600
******emit ISAKMP Oakley attribute:

Can we help you?

af+type: OAKLEY_ENCRYPTION_ALGORITHM length/value: 5
[5 is OAKLEY_3DES_CBC]
******emit ISAKMP Oakley attribute:

    af+type: OAKLEY_HASH_ALGORITHM
    length/value: 1
     [1 is OAKLEY_MD5]
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_AUTHENTICATION_METHOD length/value: 1
[1 is OAKLEY_PRESHARED_KEY]
******emit ISAKMP Oakley attribute:

    af+type: OAKLEY_GROUP_DESCRIPTION
    length/value: 2
     [2 is OAKLEY_GROUP_MODP1024]
emitting length of ISAKMP Transform Payload (ISAKMP): 32
*****emit ISAKMP Transform Payload (ISAKMP):

    next payload type: ISAKMP_NEXT_T
    transform number: 3
    transform ID: KEY_IKE
******emit ISAKMP Oakley attribute:

    af+type: OAKLEY_LIFE_TYPE
    length/value: 1
     [1 is OAKLEY_LIFE_SECONDS]
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_LIFE_DURATION
length/value: 3600
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_ENCRYPTION_ALGORITHM length/value: 5
[5 is OAKLEY_3DES_CBC]
******emit ISAKMP Oakley attribute:

Can't find what you're looking for?

    af+type: OAKLEY_HASH_ALGORITHM
    length/value: 2
     [2 is OAKLEY_SHA]
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_AUTHENTICATION_METHOD length/value: 1
[1 is OAKLEY_PRESHARED_KEY]
******emit ISAKMP Oakley attribute:

    af+type: OAKLEY_GROUP_DESCRIPTION
    length/value: 2
     [2 is OAKLEY_GROUP_MODP1024]
emitting length of ISAKMP Transform Payload (ISAKMP): 32
*****emit ISAKMP Transform Payload (ISAKMP):

    next payload type: ISAKMP_NEXT_T
    transform number: 4
    transform ID: KEY_IKE
******emit ISAKMP Oakley attribute:

    af+type: OAKLEY_LIFE_TYPE
    length/value: 1
     [1 is OAKLEY_LIFE_SECONDS]
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_LIFE_DURATION
length/value: 3600
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_ENCRYPTION_ALGORITHM length/value: 5
[5 is OAKLEY_3DES_CBC]
******emit ISAKMP Oakley attribute:

    af+type: OAKLEY_HASH_ALGORITHM
    length/value: 1
     [1 is OAKLEY_MD5]
******emit ISAKMP Oakley attribute:

Don't know where to look next?

af+type: OAKLEY_AUTHENTICATION_METHOD length/value: 1
[1 is OAKLEY_PRESHARED_KEY]
******emit ISAKMP Oakley attribute:

    af+type: OAKLEY_GROUP_DESCRIPTION
    length/value: 1
     [1 is OAKLEY_GROUP_MODP768]
emitting length of ISAKMP Transform Payload (ISAKMP): 32
*****emit ISAKMP Transform Payload (ISAKMP):

    next payload type: ISAKMP_NEXT_NONE
    transform number: 5
    transform ID: KEY_IKE
******emit ISAKMP Oakley attribute:

    af+type: OAKLEY_LIFE_TYPE
    length/value: 1
     [1 is OAKLEY_LIFE_SECONDS]
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_LIFE_DURATION
length/value: 3600
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_ENCRYPTION_ALGORITHM length/value: 5
[5 is OAKLEY_3DES_CBC]
******emit ISAKMP Oakley attribute:

    af+type: OAKLEY_HASH_ALGORITHM
    length/value: 2
     [2 is OAKLEY_SHA]
******emit ISAKMP Oakley attribute:

af+type: OAKLEY_AUTHENTICATION_METHOD length/value: 1
[1 is OAKLEY_PRESHARED_KEY]
******emit ISAKMP Oakley attribute:

Confused? Frustrated?

    af+type: OAKLEY_GROUP_DESCRIPTION
    length/value: 1
     [1 is OAKLEY_GROUP_MODP768]
emitting length of ISAKMP Transform Payload (ISAKMP): 32 emitting length of ISAKMP Proposal Payload: 200 emitting length of ISAKMP Security Association Payload: 212 emitting length of ISAKMP Message: 240
sending 240 bytes for main_outI1 through eth0 to 111.111.111.111:500:    e9 7e 9a 94 96 55 75 e7 00 00 00 00 00 00 00 00    01 10 02 00 00 00 00 00 00 00 00 f0 00 00 00 d4    00 00 00 01 00 00 00 01 00 00 00 c8 00 01 00 06    03 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10    80 01 00 05 80 02 00 01 80 03 00 01 80 04 00 05    03 00 00 20 01 01 00 00 80 0b 00 01 80 0c 0e 10    80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 05    03 00 00 20 02 01 00 00 80 0b 00 01 80 0c 0e 10    80 01 00 05 80 02 00 01 80 03 00 01 80 04 00 02    03 00 00 20 03 01 00 00 80 0b 00 01 80 0c 0e 10    80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 02    03 00 00 20 04 01 00 00 80 0b 00 01 80 0c 0e 10    80 01 00 05 80 02 00 01 80 03 00 01 80 04 00 01    00 00 00 20 05 01 00 00 80 0b 00 01 80 0c 0e 10    80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 01 inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1 next event EVENT_RETRANSMIT in 10 seconds for #1

*received 80 bytes from 111.111.111.111:500 on eth0
e9 7e 9a 94 96 55 75 e7 b9 7f 4e 8e f1 39 ce fb 01 10 02 00 00 00 00 00 00 00 00 50 00 00 00 34 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 00 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 00 01 80 03 00 01 80 04 00 05
**parse ISAKMP Message:

    initiator cookie:
   e9 7e 9a 94 96 55 75 e7
    responder cookie:
   b9 7f 4e 8e f1 39 ce fb
    next payload type: ISAKMP_NEXT_SA
    ISAKMP version: ISAKMP Version 1.0
    exchange type: ISAKMP_XCHG_IDPROT
    flags: none
    message ID: 00 00 00 00
    length: 80
ICOOKIE: e9 7e 9a 94 96 55 75 e7
RCOOKIE: b9 7f 4e 8e f1 39 ce fb
peer: 8e b3 43 41
state hash entry 12
state object not found
ICOOKIE: e9 7e 9a 94 96 55 75 e7
RCOOKIE: 00 00 00 00 00 00 00 00
peer: 8e b3 43 41
state hash entry 17
state object #1 found, in STATE_MAIN_I1
***parse ISAKMP Security Association Payload:

    next payload type: ISAKMP_NEXT_NONE
    length: 52
    DOI: ISAKMP_DOI_IPSEC
****parse IPsec DOI SIT:

IPsec DOI SIT: SIT_IDENTITY_ONLY
****parse ISAKMP Proposal Payload:

    next payload type: ISAKMP_NEXT_NONE
    length: 40
    proposal number: 0
    protocol ID: PROTO_ISAKMP
    SPI size: 0
    number of transforms: 1
*****parse ISAKMP Transform Payload (ISAKMP):

    next payload type: ISAKMP_NEXT_NONE
    length: 32
    transform number: 0
    transform ID: KEY_IKE
******parse ISAKMP Oakley attribute:

    af+type: OAKLEY_LIFE_TYPE
    length/value: 1
    [1 is OAKLEY_LIFE_SECONDS]
******parse ISAKMP Oakley attribute:

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

af+type: OAKLEY_LIFE_DURATION
length/value: 3600
******parse ISAKMP Oakley attribute:

af+type: OAKLEY_ENCRYPTION_ALGORITHM length/value: 5
[5 is OAKLEY_3DES_CBC]
ike_alg_enc_ok(ealg=5,key_len=0): blocksize=8, keyminlen=192, keydeflen=192, keymaxlen=192, ret=1
******parse ISAKMP Oakley attribute:

    af+type: OAKLEY_HASH_ALGORITHM
    length/value: 1
    [1 is OAKLEY_MD5]
******parse ISAKMP Oakley attribute:

af+type: OAKLEY_AUTHENTICATION_METHOD length/value: 1
[1 is OAKLEY_PRESHARED_KEY]
******parse ISAKMP Oakley attribute:

    af+type: OAKLEY_GROUP_DESCRIPTION
    length/value: 5
    [5 is OAKLEY_GROUP_MODP1536 (extension)] Oakley Transform 0 accepted
**emit ISAKMP Message:

    initiator cookie:
   e9 7e 9a 94 96 55 75 e7
    responder cookie:
   b9 7f 4e 8e f1 39 ce fb
    next payload type: ISAKMP_NEXT_KE
    ISAKMP version: ISAKMP Version 1.0
    exchange type: ISAKMP_XCHG_IDPROT
    flags: none
    message ID: 00 00 00 00
Local DH secret:
   57 1f 93 11 bf 61 09 f8 8c c2 91 82 b8 0f 6f cd    85 ce 3c cf 4e a6 eb 01 5f 5c e3 12 5e 8e 2e 28 Public DH value sent:
   50 c5 b8 8e bb ae 21 f6 06 fd c0 23 01 0a 5c 37    a2 11 f7 8c 98 0b 5a 92 ba 93 83 64 56 f1 ff cc    0c 3f b7 a6 a5 61 6f b8 62 d0 89 9c 73 ff 3c f2    87 8d f3 47 66 6f c1 ce 6f b9 a9 d0 05 be c1 16    83 b5 fc fa e3 81 2a 58 f3 04 20 0a 3c 00 26 06    0e b5 8a 79 40 48 cf a9 8e 6d dc 14 bc 09 07 2a    2e 60 32 7f db 1a 4d 92 20 f3 6c da fd 84 bb 8c    1e 23 b4 24 77 16 cc 80 0a 83 ce ca 79 d9 a5 54    1d cf 7b e6 b0 11 7e 8b f5 65 3d 55 72 d7 92 00    de 6e 58 a8 22 a3 85 98 e5 98 ab cc 32 19 ce ff    87 7c 16 c6 77 8d 1a e0 d9 39 71 3a d8 e8 51 19    9b 21 04 b6 6a fd e8 3e 15 e2 de 1e 31 6c 8c 6d
***emit ISAKMP Key Exchange Payload:

next payload type: ISAKMP_NEXT_NONCE emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload keyex value 50 c5 b8 8e bb ae 21 f6 06 fd c0 23 01 0a 5c 37 a2 11 f7 8c 98 0b 5a 92 ba 93 83 64 56 f1 ff cc 0c 3f b7 a6 a5 61 6f b8 62 d0 89 9c 73 ff 3c f2 87 8d f3 47 66 6f c1 ce 6f b9 a9 d0 05 be c1 16 83 b5 fc fa e3 81 2a 58 f3 04 20 0a 3c 00 26 06 0e b5 8a 79 40 48 cf a9 8e 6d dc 14 bc 09 07 2a 2e 60 32 7f db 1a 4d 92 20 f3 6c da fd 84 bb 8c 1e 23 b4 24 77 16 cc 80 0a 83 ce ca 79 d9 a5 54 1d cf 7b e6 b0 11 7e 8b f5 65 3d 55 72 d7 92 00 de 6e 58 a8 22 a3 85 98 e5 98 ab cc 32 19 ce ff 87 7c 16 c6 77 8d 1a e0 d9 39 71 3a d8 e8 51 19 9b 21 04 b6 6a fd e8 3e 15 e2 de 1e 31 6c 8c 6d emitting length of ISAKMP Key Exchange Payload: 196
***emit ISAKMP Nonce Payload:

    next payload type: ISAKMP_NEXT_NONE
emitting 16 raw bytes of Ni into ISAKMP Nonce Payload Ni eb 8c 2b 67 15 fd 7d e1 a8 a4 d2 68 d2 b8 ad d0 emitting length of ISAKMP Nonce Payload: 20 emitting length of ISAKMP Message: 244
ICOOKIE: e9 7e 9a 94 96 55 75 e7
RCOOKIE: 00 00 00 00 00 00 00 00
peer: 8e b3 43 41
state hash entry 17
ICOOKIE: e9 7e 9a 94 96 55 75 e7
RCOOKIE: b9 7f 4e 8e f1 39 ce fb
peer: 8e b3 43 41
state hash entry 12
sending 244 bytes for STATE_MAIN_I1 through eth0 to 111.111.111.111:500:    e9 7e 9a 94 96 55 75 e7 b9 7f 4e 8e f1 39 ce fb    04 10 02 00 00 00 00 00 00 00 00 f4 0a 00 00 c4    50 c5 b8 8e bb ae 21 f6 06 fd c0 23 01 0a 5c 37    a2 11 f7 8c 98 0b 5a 92 ba 93 83 64 56 f1 ff cc    0c 3f b7 a6 a5 61 6f b8 62 d0 89 9c 73 ff 3c f2    87 8d f3 47 66 6f c1 ce 6f b9 a9 d0 05 be c1 16    83 b5 fc fa e3 81 2a 58 f3 04 20 0a 3c 00 26 06    0e b5 8a 79 40 48 cf a9 8e 6d dc 14 bc 09 07 2a    2e 60 32 7f db 1a 4d 92 20 f3 6c da fd 84 bb 8c    1e 23 b4 24 77 16 cc 80 0a 83 ce ca 79 d9 a5 54    1d cf 7b e6 b0 11 7e 8b f5 65 3d 55 72 d7 92 00    de 6e 58 a8 22 a3 85 98 e5 98 ab cc 32 19 ce ff    87 7c 16 c6 77 8d 1a e0 d9 39 71 3a d8 e8 51 19    9b 21 04 b6 6a fd e8 3e 15 e2 de 1e 31 6c 8c 6d    00 00 00 14 eb 8c 2b 67 15 fd 7d e1 a8 a4 d2 68    d2 b8 ad d0
inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1 next event EVENT_RETRANSMIT in 10 seconds for #1

Do you need help?

*received 244 bytes from 111.111.111.111:500 on eth0
e9 7e 9a 94 96 55 75 e7 b9 7f 4e 8e f1 39 ce fb 04 10 02 00 00 00 00 00 00 00 00 f4 0a 00 00 c4 c8 f7 ac 94 a8 e8 b6 d7 ed 97 98 1b a9 4e 82 f9 27 a8 b2 1f 50 b9 6d 46 67 6e ec d7 b2 04 a7 b1 4c 86 31 27 f0 55 82 ec 86 82 8d 53 15 6f 3d 7c b6 6a 41 c7 11 2f 40 fd b4 4a 08 a5 f9 eb e2 1d 44 dd 5c 63 f9 07 dd de 53 24 31 83 32 8a a0 1f b6 37 17 88 a4 e7 b3 b6 2e 8d 23 36 3d 11 ad b4 cd b9 02 cb 44 aa 9b b2 6a 7c 54 ce d8 4d 88 9e 1e 09 54 e9 e7 6e 91 04 ec 46 19 dc 47 d3 c8 d8 d0 47 83 77 ca 81 55 6b 00 33 e0 7c 8e 01 3f 7a ec 56 e7 ef 66 76 6f 70 1f e4 1e 53 6b 88 60 56 80 d6 e2 a9 9f bb cb 28 e9 11 fc 7c 59 66 61 ce 77 c9 b3 b7 fb 47 a3 c9 a4 ec d6 67 82 69 8a 28 00 00 00 14 a5 6b c7 bc e9 af 7f 76 94 cd 37 ca ea 32 c1 04
**parse ISAKMP Message:

    initiator cookie:
   e9 7e 9a 94 96 55 75 e7
    responder cookie:
   b9 7f 4e 8e f1 39 ce fb
    next payload type: ISAKMP_NEXT_KE
    ISAKMP version: ISAKMP Version 1.0
    exchange type: ISAKMP_XCHG_IDPROT
    flags: none
    message ID: 00 00 00 00
    length: 244
ICOOKIE: e9 7e 9a 94 96 55 75 e7
RCOOKIE: b9 7f 4e 8e f1 39 ce fb
peer: 8e b3 43 41
state hash entry 12
state object #1 found, in STATE_MAIN_I2
***parse ISAKMP Key Exchange Payload:

next payload type: ISAKMP_NEXT_NONCE length: 196
***parse ISAKMP Nonce Payload:

next payload type: ISAKMP_NEXT_NONE
length: 20
**emit ISAKMP Message:

    initiator cookie:
   e9 7e 9a 94 96 55 75 e7
    responder cookie:
   b9 7f 4e 8e f1 39 ce fb
    next payload type: ISAKMP_NEXT_ID
    ISAKMP version: ISAKMP Version 1.0
    exchange type: ISAKMP_XCHG_IDPROT
    flags: ISAKMP_FLAG_ENCRYPTION
    message ID: 00 00 00 00
DH public value received:
   c8 f7 ac 94 a8 e8 b6 d7 ed 97 98 1b a9 4e 82 f9    27 a8 b2 1f 50 b9 6d 46 67 6e ec d7 b2 04 a7 b1    4c 86 31 27 f0 55 82 ec 86 82 8d 53 15 6f 3d 7c    b6 6a 41 c7 11 2f 40 fd b4 4a 08 a5 f9 eb e2 1d    44 dd 5c 63 f9 07 dd de 53 24 31 83 32 8a a0 1f    b6 37 17 88 a4 e7 b3 b6 2e 8d 23 36 3d 11 ad b4    cd b9 02 cb 44 aa 9b b2 6a 7c 54 ce d8 4d 88 9e    1e 09 54 e9 e7 6e 91 04 ec 46 19 dc 47 d3 c8 d8    d0 47 83 77 ca 81 55 6b 00 33 e0 7c 8e 01 3f 7a    ec 56 e7 ef 66 76 6f 70 1f e4 1e 53 6b 88 60 56    80 d6 e2 a9 9f bb cb 28 e9 11 fc 7c 59 66 61 ce    77 c9 b3 b7 fb 47 a3 c9 a4 ec d6 67 82 69 8a 28 compute_dh_shared(): time elapsed (OAKLEY_GROUP_MODP1536 (extension)): 30612 usec
DH shared secret:
   1f 35 11 5b d9 8d 59 06 aa d6 99 71 1f 91 e0 d6    f6 17 3c 88 db d6 a0 77 16 82 cc 6d b6 36 2f 77    08 96 ea 52 e8 6e 8c 9d b3 bb 79 3a e2 b5 cb fb    f7 43 8d 0c d9 4f f4 d0 fb 22 f2 5a 16 1d 8e ae    28 76 f5 a0 94 44 e5 79 d8 02 02 76 5e d8 30 59    07 fa 20 0a d1 4a 56 90 43 e2 ae 06 24 ee d7 2d    cf 5b eb 31 c7 ed 38 d7 e7 f3 ac 9f 13 dd 09 33    c2 03 9f 46 a7 02 fe 9a 55 0d b7 3d 44 ee f5 05    bb 11 ff d2 f0 16 8a e3 57 5c d6 9b ee ef a4 f0    a1 83 75 4d 1f 07 08 af 0b 15 ad 95 6a d6 97 5e    b9 55 1c 3e e6 be ca a8 e4 1b 53 7a 2f 58 7f 21    c4 62 7d 77 f4 ff b7 78 09 19 6e 79 2d 38 49 0e DH_i: 50 c5 b8 8e bb ae 21 f6 06 fd c0 23 01 0a 5c 37    a2 11 f7 8c 98 0b 5a 92 ba 93 83 64 56 f1 ff cc    0c 3f b7 a6 a5 61 6f b8 62 d0 89 9c 73 ff 3c f2    87 8d f3 47 66 6f c1 ce 6f b9 a9 d0 05 be c1 16    83 b5 fc fa e3 81 2a 58 f3 04 20 0a 3c 00 26 06    0e b5 8a 79 40 48 cf a9 8e 6d dc 14 bc 09 07 2a    2e 60 32 7f db 1a 4d 92 20 f3 6c da fd 84 bb 8c    1e 23 b4 24 77 16 cc 80 0a 83 ce ca 79 d9 a5 54    1d cf 7b e6 b0 11 7e 8b f5 65 3d 55 72 d7 92 00    de 6e 58 a8 22 a3 85 98 e5 98 ab cc 32 19 ce ff    87 7c 16 c6 77 8d 1a e0 d9 39 71 3a d8 e8 51 19    9b 21 04 b6 6a fd e8 3e 15 e2 de 1e 31 6c 8c 6d DH_r: c8 f7 ac 94 a8 e8 b6 d7 ed 97 98 1b a9 4e 82 f9    27 a8 b2 1f 50 b9 6d 46 67 6e ec d7 b2 04 a7 b1    4c 86 31 27 f0 55 82 ec 86 82 8d 53 15 6f 3d 7c    b6 6a 41 c7 11 2f 40 fd b4 4a 08 a5 f9 eb e2 1d    44 dd 5c 63 f9 07 dd de 53 24 31 83 32 8a a0 1f    b6 37 17 88 a4 e7 b3 b6 2e 8d 23 36 3d 11 ad b4    cd b9 02 cb 44 aa 9b b2 6a 7c 54 ce d8 4d 88 9e    1e 09 54 e9 e7 6e 91 04 ec 46 19 dc 47 d3 c8 d8    d0 47 83 77 ca 81 55 6b 00 33 e0 7c 8e 01 3f 7a    ec 56 e7 ef 66 76 6f 70 1f e4 1e 53 6b 88 60 56    80 d6 e2 a9 9f bb cb 28 e9 11 fc 7c 59 66 61 ce    77 c9 b3 b7 fb 47 a3 c9 a4 ec d6 67 82 69 8a 28 Skeyid: 37 16 94 8c 64 65 f8 2d 40 2e e2 c1 f5 04 47 4d

 Skeyid_d:  75 8a 41 14  e0 5a 12 c8  1d fd ab 8b  ce 2f 5d 9b
 Skeyid_a:  de 25 9c 71  ac d0 53 e1  8b c2 0c b0  b5 a8 3f e3
 Skeyid_e:  a5 05 56 d9  f2 a2 a6 e4  02 44 5d fa  f9 92 5f ab

enc key: 2e 44 91 5e 9e c1 65 31 d2 33 0f 20 92 1a e3 18 11 76 a7 6b 4d 89 04 ee
IV: ba 6e 7e 4e 58 fe 90 80 0a ed 17 8b 33 f8 6c ca
***emit ISAKMP Identification Payload (IPsec DOI):

    next payload type: ISAKMP_NEXT_HASH
    ID type: ID_IPV4_ADDR
    Protocol ID: 0
    port: 0
emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI)
my identity cf c2 c4 4c
emitting length of ISAKMP Identification Payload (IPsec DOI): 12 hashing 208 bytes of SA
***emit ISAKMP Hash Payload:

    next payload type: ISAKMP_NEXT_NONE
emitting 16 raw bytes of HASH_I into ISAKMP Hash Payload HASH_I 61 76 44 30 f4 d8 52 cc c8 c4 6c 06 53 ec 82 cb emitting length of ISAKMP Hash Payload: 20 encrypting:
   08 00 00 0c 01 00 00 00 cf c2 c4 4c 00 00 00 14    61 76 44 30 f4 d8 52 cc c8 c4 6c 06 53 ec 82 cb encrypting using OAKLEY_3DES_CBC
next IV: f3 47 13 cd ab 27 cf 0e
emitting length of ISAKMP Message: 60
sending 60 bytes for STATE_MAIN_I2 through eth0 to 111.111.111.111:500:    e9 7e 9a 94 96 55 75 e7 b9 7f 4e 8e f1 39 ce fb    05 10 02 01 00 00 00 00 00 00 00 3c 7e 18 fe 86    12 fa 2c 31 fb 7e e4 7a 8e e7 f0 63 57 0c 5f d0    7f e0 db f6 f3 47 13 cd ab 27 cf 0e inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1 next event EVENT_RETRANSMIT in 10 seconds for #1

*received 300 bytes from 111.111.111.111:500 on eth0
e9 7e 9a 94 96 55 75 e7 b9 7f 4e 8e f1 39 ce fb 0b 10 05 00 e6 ec 12 0b 00 00 00 28 00 00 00 0c 00 00 00 01 01 00 00 10 06 fd c0 23 01 0a 5c 37 a2 11 f7 8c 98 0b 5a 92 ba 93 83 64 56 f1 ff cc 0c 3f b7 a6 a5 61 6f b8 62 d0 89 9c 73 ff 3c f2 87 8d f3 47 66 6f c1 ce 6f b9 a9 d0 05 be c1 16 83 b5 fc fa e3 81 2a 58 f3 04 20 0a 3c 00 26 06 0e b5 8a 79 40 48 cf a9 8e 6d dc 14 bc 09 07 2a 2e 60 32 7f db 1a 4d 92 20 f3 6c da fd 84 bb 8c 1e 23 b4 24 77 16 cc 80 0a 83 ce ca 79 d9 a5 54 1d cf 7b e6 b0 11 7e 8b f5 65 3d 55 72 d7 92 00 de 6e 58 a8 22 a3 85 98 e5 98 ab cc 32 19 ce ff 87 7c 16 c6 77 8d 1a e0 d9 39 71 3a d8 e8 51 19 9b 21 04 b6 6a fd e8 3e 15 e2 de 1e 31 6c 8c 6d 00 00 00 14 eb 8c 2b 67 15 fd 7d e1 a8 a4 d2 68 d2 b8 ad d0 d8 e8 51 19 9b 21 04 b6 6a fd e8 3e 15 e2 de 1e 31 6c 8c 6d 00 00 00 14 eb 8c 2b 67 15 fd 7d e1 a8 a4 d2 68 d2 b8 ad d0 1e 8b 03 3d 55 8b ec 51 74 05 be 1c 10 ae 42 ff
**parse ISAKMP Message:

Do you need more help?

    initiator cookie:
   e9 7e 9a 94 96 55 75 e7
    responder cookie:
   b9 7f 4e 8e f1 39 ce fb
    next payload type: ISAKMP_NEXT_N
    ISAKMP version: ISAKMP Version 1.0
    exchange type: ISAKMP_XCHG_INFO
    flags: none
    message ID: e6 ec 12 0b
    length: 40
packet from 111.111.111.111:500: size (300) differs from size specified in ISAKMP HDR (40)
packet from 111.111.111.111:500: sending notification PAYLOAD_MALFORMED to 111.111.111.111:500
**emit ISAKMP Message:

    next payload type: ISAKMP_NEXT_NONE
    DOI: ISAKMP_DOI_IPSEC
    protocol ID: 1
    SPI size: 0
    Notify Message Type: PAYLOAD_MALFORMED emitting 0 raw bytes of spi into ISAKMP Notification Payload spi
emitting length of ISAKMP Notification Payload: 12 emitting length of ISAKMP Message: 40
sending 40 bytes for notification packet through eth0 to 111.111.111.111:500:

e9 7e 9a 94 96 55 75 e7 b9 7f 4e 8e f1 39 ce fb 0b 10 05 00 00 00 00 00 00 00 00 28 00 00 00 0c 00 00 00 01 01 00 00 10
next event EVENT_RETRANSMIT in 10 seconds for #1 ...

Thanks,

Ryley Breiddal
PresiNET Systems

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen@strongsec.net] Sent: Thursday, February 12, 2004 11:16 PM To: Ryley Breiddal
Cc: users@lists.freeswan.org
Subject: Re: [Users] Symantec Firewall/VPN interop

Hi,

Can we help you?

the actual error is:

> Feb 12 14:58:52 Foobox pluto[12549]: packet from 111.111.111.111:500: size differs from size specified in ISAKMP HDR (40)

The Symantec box sends an IKE message with a total size of 300 bytes but declares a size of 40 bytes in the header length field.

This malformed payload does not conform with RFC 2408 ISAKMP and must be rejected:

> sending notification PAYLOAD_MALFORMED to 111.111.111.111:500

See also the similar behaviour of the Cisco VPN client 4.0x

https://lists.freeswan.org/archives/users/2003-August/msg00087.html

It would help if you could generate a freeswan log with

Can't find what you're looking for?

plutodebug=all

set in ipsec.conf.

Regards

Andreas

Ryley Breiddal wrote:

> Hi there,
> 
> I have read Andreas Steffen's suggestions for connecting to a Symantec
> Firewall/VPN Appliance
> (
http://lists.freeswan.org/pipermail/users/2002-April/009037.html) but I

> still having some problems getting FreeSWAN working with it.
> 
> Here's what I have, and a few log files.  Please request more info if you
> need it:
> 
> Symantec: 111.111.111.111, subnet 192.168.1.0/24
> FreeSWAN: 222.222.222.221, subnet 192.168.2.0/24
> 
> =========== ipsec.conf ===============
> conn sg1-sg3
> 
>         left=111.111.111.111
>         leftsubnet=192.168.1.0/24 
>         leftnexthop=111.111.111.112
>         right=222.222.222.221
>         rightnexthop=222.222.222.222
>         rightsubnet=192.168.2.0/24 
>         authby=secret 
>         keylife=8h 
>         auto=start
> 
> =========== ipsec.secrets ==============
> 111.111.111.111 222.222.222.222 : "foobar!"
> 
> 
> =========== Symantec config ==============
> Phase 1 Negotiation - Main Mode
> Encryption and Authentication Method - ESP 3DES SHA1
> SA Lifetime - 480
> Data Volume Limit - 0
> Inactivity Timeout - 0
> Perfect Forward Secrecy - Disabled
> Local Phase1 ID = 111.111.111.111
> PSK - "foobar!"
> NetBIOS Broadcast - Disabled
> Global Tunnel - Disabled
> Remote Subnet 1 - 192.168.2.0/24
> 
> =========== FreeSWAN log ==============
> ...
> Feb 12 14:58:49 Foobox pluto[12549]: "sg1-sg3" #57: initiating Main Mode
> Feb 12 14:58:52 Foobox pluto[12549]: packet from 111.111.111.111:500: size
> (300) differs from size specified in ISAKMP HDR (40)
> Feb 12 14:58:52 Foobox pluto[12549]: packet from 111.111.111.111:500:
> sending notification PAYLOAD_MALFORMED to 111.111.111.111:500
Don't know where to look next? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related lists.freeswan.org Links
1998-fall
1998-spring
1998-summer
1998-winter
1999-winter
announce
briefs
bugs
design
freeswan-list
hipsec
ietf-sectest
users
users-admin
Request more information about Pantek
> Feb 12 15:00:02 Foobox pluto[12549]: "sg1-sg3" #57: max number of
> retransmissions (2) reached STATE_MAIN_I3.  Possible authentication

failure:
> no acceptable response to our first encrypted message > Feb 12 15:00:02 Foobox pluto[12549]: "sg1-sg3" #57: starting keying attempt
> 2 of at most 3, but releasing whack
> Feb 12 15:00:02 Foobox pluto[12549]: "sg1-sg3" #58: initiating Main Mode to

> replace #57
> Feb 12 15:00:05 Foobox pluto[12549]: packet from 111.111.111.111:500: size
> (300) differs from size specified in ISAKMP HDR (40)
> Feb 12 15:00:05 Foobox pluto[12549]: packet from 111.111.111.111:500:
> sending notification PAYLOAD_MALFORMED to 111.111.111.111:500
> ...
> 
> =========== Symantec log ==============
> ...
> 02/13/2004 00:00:20.61	sg1-sg3 - Terminating connection 
> 02/13/2004 00:00:34.03	- ERR:Main Mode message is part of an

unknown

> exchange
> 02/13/2004 00:00:34.03	- (null): UNSUPPORTED_EXCHANGE_TYPE 
> 02/13/2004 00:00:34.03	- state transition function for (null)

failed:

> UNSUPPORTED_EXCHANGE_TYPE 
> 02/13/2004 00:00:34.03	- Terminating connection
> ...
> 
> I'm not even sure if the Symantec Firewall log is relevant, but I'm
> including it anyways.  Note that I know very little about how to setup the
> Symantec side, so if there's a glaring mistake, I expect it to be on that
> side.
> 
> 
> Thanks for any help,
> 
> Ryley Breiddal
> PresiNET Systems
> (250) 405-5368
> 
> 
> _______________________________________________
> FreeS/WAN Users mailing list
> users@lists.freeswan.org
> 
https://mj2.freeswan.org/cgi-bin/mj_wwwusr

-- 
=======================================================================
Andreas Steffen                   e-mail: andreas.steffen@strongsec.com
strongSec GmbH                    home:   
http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===


Content Security by MailMarshal
_______________________________________________
FreeS/WAN Users mailing list
Confused? Frustrated? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related lists.freeswan.org Links
1998-fall
1998-spring
1998-summer
1998-winter
1999-winter
announce
briefs
bugs
design
freeswan-list
hipsec
ietf-sectest
users
users-admin
Request more information about Pantek
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr

Received on Fri Feb 13 12:16:27 2004

This message: [ Message body ]
Next message: Sam Sgro: "Re: [Users] Problem with Freeswan and Road-Warrior on XP"
Previous message: Peter Osterberg: "[Users] OpenSSL, was Sentinel and Accession"
In reply to Jarl Stefansson: "[Users] Problems with FreeSwan (SuperFreeswan) - Netscreen (4)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:35 EDT