From owner-freebsd-security@FreeBSD.ORG Thu Nov 15 11:40:52 2007
From: john decot <johndecot@yahoo.com>
To: freebsd-security@freebsd.org
Date: Thu, 15 Nov 2007 03:14:04 -0800 (PST)
Message-ID: <199790.94058.qm@web55411.mail.re4.yahoo.com>
Subject: IPSEC help

Hi,

I am new to IPsec and am trying to connect my BSD server with Win 2000. I have succeeded in tunnelling using a pre-shared key, but with certificates I have failed to get it working.
The following is my configuration:

racoon.conf

path certificate "/usr/local/openssl/certs";

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
log debug;

remote anonymous {
        exchange_mode main,aggressive,base;
        #exchange_mode main,base;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        certificate_type x509 "bsd.public" "bsd.priv";
        lifetime time 24 hour;  # sec,min,hour
        #initial_contact off;
        #passive on;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }

        # this makes racoon (as a responder) obey the initiator's
        # lifetime and PFS group proposal, which makes testing much easier.
        proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# the actual phase 2 proposal will obey the following items:
#  - kernel IPsec policy configuration (like "esp/transport//use")
#  - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous {
        # pfs_group 2;
        lifetime time 12 hour;
        encryption_algorithm 3des, cast128, blowfish 448, des, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
--------------------------END------------------------------------------------------------------

The certificates were created on the BSD box with the following commands:

openssl req -new -nodes -newkey rsa:1024 -sha1 -days 1095 -keyout bsd.private -out request.pem
openssl x509 -req -in request.pem -days 1095 -signkey bsd.private -out bsd.public
openssl pkcs12 -export -inkey bsd.private -in bsd.public -out win.p12 -name "win cert"
ln -s bsd.public `openssl x509 -noout -hash -in bsd.public`.0

I have used win.p12 on the Windows 2000 Professional box for this process. Can anyone please help me configure it?

Thank you,
Regards,
John
From owner-freebsd-security@FreeBSD.ORG Thu Nov 15 13:04:37 2007
From: Bjoern Engels <bj@0x20.net>
To: john decot <johndecot@yahoo.com>
Cc: freebsd-security@freebsd.org
Date: Thu, 15 Nov 2007 14:04:34 +0100
Message-ID: <20071115130434.GA78982@e.0x20.net>
In-Reply-To: <199790.94058.qm@web55411.mail.re4.yahoo.com>
Subject: Re: IPSEC help

Hi John,

On Thu, Nov 15, 2007 at 03:14:04AM -0800, john decot wrote:
> I am new to IPsec and am trying to connect my BSD server with Win 2000. I have succeeded in tunnelling using a pre-shared key, but with certificates I have failed to get it working.
>
> The following is my configuration:
>
> racoon.conf
[...]
> --------------------------END------------------------------------------------------------------
> The certificates were created on the BSD box with the following commands:

Log file contents would be helpful.

Anyway - I had these statements in my config file a while ago, when I used racoon with certificates:

remote anonymous {
[...]
        ca_type x509 "cacert.pem";
        certificate_type x509 "foo.net.pem" "foo.key-nopass";
        peers_certfile x509 "bar.pem";
        send_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn "C=foo, ST=foo, L=foo, O=foo, CN=bar/emailAddress=foo";
        verify_identifier on;
[...]
}

You'll have to fill in the correct values for peers_identifier asn1dn, of course.

HTH

--
Viele Gruesse // Best regards
Bjoern Engels
:wq!

From owner-freebsd-security@FreeBSD.ORG Sat Nov 17 09:06:47 2007
From: john decot <johndecot@yahoo.com>
To: Bjoern Engels <bj@0x20.net>
Cc: freebsd-security@freebsd.org
Date: Sat, 17 Nov 2007 01:06:32 -0800 (PST)
Message-ID: <899269.18771.qm@web55403.mail.re4.yahoo.com>
In-Reply-To: <20071116093123.GC76465@e.0x20.net>
Subject: Re: IPSEC help

Hi,

As per your suggestion, the following are the logs generated by racoon:

2007-11-17 13:46:19: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2007-11-17 13:46:19: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-11-17 13:46:19: DEBUG: DN: C=XX
2007-11-17 13:46:19: DEBUG: DN: ST=XXX
2007-11-17 13:46:19: DEBUG: DN: L=XXXX
2007-11-17 13:46:19: DEBUG: DN: O=Resident
2007-11-17 13:46:19: DEBUG: DN: OU=Network
2007-11-17 13:46:19: DEBUG: DN: CN=YYY
2007-11-17 13:46:19: DEBUG: Parsed DN: C=XX, ST=XXX, L=XXXX, O=Resident, OU=Network, CN=YYY
2007-11-17 13:46:19: WARNING: racoon.conf:53: "support_mip6" it is obsoleted. use "support_proxy".
2007-11-17 13:46:19: DEBUG2: lifetime = 1800
2007-11-17 13:46:19: DEBUG2: lifebyte = 0
2007-11-17 13:46:19: DEBUG2: encklen=0
2007-11-17 13:46:19: DEBUG2: p:1 t:1
2007-11-17 13:46:19: DEBUG2: 3DES-CBC(5)
2007-11-17 13:46:19: DEBUG2: SHA(2)
2007-11-17 13:46:19: DEBUG2: 1024-bit MODP group(2)
2007-11-17 13:46:19: DEBUG2: RSA signatures(3)
2007-11-17 13:46:19: DEBUG2:
2007-11-17 13:46:19: DEBUG: hmac(modp1024)
2007-11-17 13:46:19: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2007-11-17 13:46:19: DEBUG2: parse successed.
2007-11-17 13:46:19: DEBUG: my interface: 202.70.87.123 (lnc0)
2007-11-17 13:46:19: DEBUG: my interface: fe80::1%lo0 (lo0)
2007-11-17 13:46:19: DEBUG: my interface: ::1 (lo0)
2007-11-17 13:46:19: DEBUG: my interface: 127.0.0.1 (lo0)
2007-11-17 13:46:19: DEBUG: configuring default isakmp port.
2007-11-17 13:46:19: DEBUG: 4 addrs are configured successfully
2007-11-17 13:46:19: INFO: 127.0.0.1[500] used as isakmp port (fd=4)
2007-11-17 13:46:19: INFO: ::1[500] used as isakmp port (fd=5)
2007-11-17 13:46:19: INFO: fe80::1%lo0[500] used as isakmp port (fd=6)
2007-11-17 13:46:19: INFO: 202.70.87.123[500] used as isakmp port (fd=7)
2007-11-17 13:46:19: DEBUG: get pfkey X_SPDDUMP message
2007-11-17 13:46:19: DEBUG2: 02120000 17000100 01000000 cf030000 03000500 ff200000 10020000 cb5b82ad 00000000 00000000 03000600 ff200000 10020000 ca46577b 00000000 00000000 07001200 02000100 04400000 00000000 28003200 02020000 10020000 cb5b82ad 00000000 00000000 10020000 ca46577b 00000000 00000000 04000200 00000000 00000000 00000000 95973e47 00000000 bf9a3e47 00000000 04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
2007-11-17 13:46:19: DEBUG: get pfkey X_SPDDUMP message
2007-11-17 13:46:19: DEBUG2: 02120000 17000100 00000000 cf030000 03000500 ff200000 10020000 ca46577b 00000000 00000000 03000600 ff200000 10020000 cb5b82ad 00000000 00000000 07001200 02000200 05400000 00000000 28003200 02020000 10020000 ca46577b 00000000 00000000 10020000 cb5b82ad 00000000 00000000 04000200 00000000 00000000 00000000 95973e47 00000000 a19f3e47 00000000 04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
2007-11-17 13:46:19: DEBUG: sub:0xbfbfe600: 202.70.87.123/32[0] 203.91.130.173/32[0] proto=any dir=out
2007-11-17 13:46:19: DEBUG: db :0x809fa08: 203.91.130.173/32[0] 202.70.87.123/32[0] proto=any dir=in
2007-11-17 13:46:22: DEBUG: ===
2007-11-17 13:46:22: DEBUG: 276 bytes message received from 203.91.130.173[500] to 202.70.87.123[500]
2007-11-17 13:46:22: DEBUG: a40e0e86 c6a792cc 00000000 00000000 01100200 00000000 00000114 0d0000a4 00000001 00000001 00000098 01010004 03000024 01010000 80010005 80020002 80040002 80030003 800b0001 000c0004 00007080 03000024 02010000 80010005 80020001 80040002 80030003 800b0001 000c0004 00007080 03000024 03010000 80010001 80020002 80040001 80030003 800b0001 000c0004 00007080 00000024 04010000 80010001 80020001 80040001 80030003 800b0001 000c0004 00007080 0d000018 1e2b5169 05991c7d 7c96fcbf b587e461 00000004 0d000014 4048b7d5 6ebce885 25e7de7f 00d6c2d3 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 00000014 26244d38 eddb61b3 172a36e3 d0cfb819
2007-11-17 13:46:22: DEBUG: anonymous configuration selected for 203.91.130.173[500].
2007-11-17 13:46:22: DEBUG: ===
2007-11-17 13:46:22: INFO: respond new phase 1 negotiation: 202.70.87.123[500]<=>203.91.130.173[500]
2007-11-17 13:46:22: INFO: begin Identity Protection mode.
2007-11-17 13:46:22: DEBUG: begin.
2007-11-17 13:46:22: DEBUG: seen nptype=1(sa)
2007-11-17 13:46:22: DEBUG: seen nptype=13(vid)
2007-11-17 13:46:22: DEBUG: seen nptype=13(vid)
2007-11-17 13:46:22: DEBUG: seen nptype=13(vid)
2007-11-17 13:46:22: DEBUG: seen nptype=13(vid)
2007-11-17 13:46:22: DEBUG: succeed.
2007-11-17 13:46:22: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2007-11-17 13:46:22: INFO: received Vendor ID: FRAGMENTATION
2007-11-17 13:46:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2007-11-17 13:46:22: DEBUG: received unknown Vendor ID
2007-11-17 13:46:22: DEBUG: total SA len=160
2007-11-17 13:46:22: DEBUG: 00000001 00000001 00000098 01010004 03000024 01010000 80010005 80020002 80040002 80030003 800b0001 000c0004 00007080 03000024 02010000 80010005 80020001 80040002 80030003 800b0001 000c0004 00007080 03000024 03010000 80010001 80020002 80040001 80030003 800b0001 000c0004 00007080 00000024 04010000 80010001 80020001 80040001 80030003 800b0001 000c0004 00007080
2007-11-17 13:46:22: DEBUG: begin.
2007-11-17 13:46:22: DEBUG: seen nptype=2(prop)
2007-11-17 13:46:22: DEBUG: succeed.
2007-11-17 13:46:22: DEBUG: proposal #1 len=152
2007-11-17 13:46:22: DEBUG: begin.
2007-11-17 13:46:22: DEBUG: seen nptype=3(trns)
2007-11-17 13:46:22: DEBUG: seen nptype=3(trns)
2007-11-17 13:46:22: DEBUG: seen nptype=3(trns)
2007-11-17 13:46:22: DEBUG: seen nptype=3(trns)
2007-11-17 13:46:22: DEBUG: succeed.
2007-11-17 13:46:22: DEBUG: transform #1 len=36
2007-11-17 13:46:22: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2007-11-17 13:46:22: DEBUG: encryption(3des)
2007-11-17 13:46:22: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2007-11-17 13:46:22: DEBUG: hash(sha1)
2007-11-17 13:46:22: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2007-11-17 13:46:22: DEBUG: hmac(modp1024)
2007-11-17 13:46:22: DEBUG: type=Authentication Method, flag=0x8000, lorv=RSA signatures
2007-11-17 13:46:22: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-11-17 13:46:22: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-11-17 13:46:22: DEBUG: transform #2 len=36
2007-11-17 13:46:22: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2007-11-17 13:46:22: DEBUG: encryption(3des)
2007-11-17 13:46:22: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
2007-11-17 13:46:22: DEBUG: hash(md5)
2007-11-17 13:46:22: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2007-11-17 13:46:22: DEBUG: hmac(modp1024)
2007-11-17 13:46:22: DEBUG: type=Authentication Method, flag=0x8000, lorv=RSA signatures
2007-11-17 13:46:22: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-11-17 13:46:22: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-11-17 13:46:22: DEBUG: transform #3 len=36
2007-11-17 13:46:22: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
2007-11-17 13:46:22: DEBUG: encryption(des)
2007-11-17 13:46:22: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2007-11-17 13:46:22: DEBUG: hash(sha1)
2007-11-17 13:46:22: DEBUG: type=Group Description, flag=0x8000, lorv=768-bit MODP group
2007-11-17 13:46:22: DEBUG: hmac(modp768)
2007-11-17 13:46:22: DEBUG: type=Authentication Method, flag=0x8000, lorv=RSA signatures
2007-11-17 13:46:22: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-11-17 13:46:22: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-11-17 13:46:22: DEBUG: transform #4 len=36
2007-11-17 13:46:22: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
2007-11-17 13:46:22: DEBUG: encryption(des)
2007-11-17 13:46:22: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
2007-11-17 13:46:22: DEBUG: hash(md5)
2007-11-17 13:46:22: DEBUG: type=Group Description, flag=0x8000, lorv=768-bit MODP group
2007-11-17 13:46:22: DEBUG: hmac(modp768)
2007-11-17 13:46:22: DEBUG: type=Authentication Method, flag=0x8000, lorv=RSA signatures
2007-11-17 13:46:22: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-11-17 13:46:22: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-11-17 13:46:22: DEBUG: pair 1:
2007-11-17 13:46:22: DEBUG: 0x80a94d0: next=0x0 tnext=0x80a94e0
2007-11-17 13:46:22: DEBUG: 0x80a94e0: next=0x0 tnext=0x80a94f0
2007-11-17 13:46:22: DEBUG: 0x80a94f0: next=0x0 tnext=0x80a9500
2007-11-17 13:46:22: DEBUG: 0x80a9500: next=0x0 tnext=0x0
2007-11-17 13:46:22: DEBUG: proposal #1: 4 transform
2007-11-17 13:46:22: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=4
2007-11-17 13:46:22: DEBUG: trns#=1, trns-id=IKE
2007-11-17 13:46:22: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2007-11-17 13:46:22: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2007-11-17 13:46:22: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2007-11-17 13:46:22: DEBUG: type=Authentication Method, flag=0x8000, lorv=RSA signatures
2007-11-17 13:46:22: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-11-17 13:46:22: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-11-17 13:46:22: DEBUG: Compared: DB:Peer
2007-11-17 13:46:22: DEBUG: (lifetime = 1800:28800)
2007-11-17 13:46:22: DEBUG: (lifebyte = 0:0)
2007-11-17 13:46:22: DEBUG: enctype = 3DES-CBC:3DES-CBC
2007-11-17 13:46:22: DEBUG: (encklen = 0:0)
2007-11-17 13:46:22: DEBUG: hashtype = SHA:SHA
2007-11-17 13:46:22: DEBUG: authmethod = RSA signatures:RSA signatures
2007-11-17 13:46:22: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
2007-11-17 13:46:22: DEBUG: an acceptable proposal found.
2007-11-17 13:46:22: DEBUG: hmac(modp1024)
2007-11-17 13:46:22: DEBUG: new cookie: 082dacfe812390c3
2007-11-17 13:46:22: DEBUG: add payload of len 52, next type 13
2007-11-17 13:46:22: DEBUG: add payload of len 16, next type 0
2007-11-17 13:46:22: DEBUG: 104 bytes from 202.70.87.123[500] to 203.91.130.173[500]
2007-11-17 13:46:22: DEBUG: sockname 202.70.87.123[500]
2007-11-17 13:46:22: DEBUG: send packet from 202.70.87.123[500]
2007-11-17 13:46:22: DEBUG: send packet to 203.91.130.173[500]
2007-11-17 13:46:22: DEBUG: 1 times of 104 bytes message will be sent to 203.91.130.173[500]
2007-11-17 13:46:22: DEBUG: a40e0e86 c6a792cc 082dacfe 812390c3 01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 01010001 00000024 01010000 80010005 80020002 80040002 80030003 800b0001 000c0004 00007080 00000014 afcad713 68a1f1c9 6b8696fc 77570100
2007-11-17 13:46:22: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
2007-11-17 13:46:22: DEBUG: ===
2007-11-17 13:46:22: DEBUG: 184 bytes message received from 203.91.130.173[500] to 202.70.87.123[500]
2007-11-17 13:46:22: DEBUG: a40e0e86 c6a792cc 082dacfe 812390c3 04100200 00000000 000000b8 0a000084 a7082d3e 26f867e4 19ced03b 1f5f90f3 2dec94c2 83c5a32a 79d77c79 5ba8ed5c 687a22d8 450848eb 57b67c31 baf0c185 19d67691 d4660c97 9b780959 76704293 ce285b25 d4f74433 0c5b61e4 b356d04f 73097603 9b96caec 385706db 525a0ed4 4da05711 afb6d739 5a8c940e 6a9374ca a5c1b8b2 70500193 a97ad094 4297b30b 00000018 bfed4f26 bd3d37c1 da6f7418 3c02447f c407c549
2007-11-17 13:46:22: DEBUG: begin.
2007-11-17 13:46:22: DEBUG: seen nptype=4(ke)
2007-11-17 13:46:22: DEBUG: seen nptype=10(nonce)
2007-11-17 13:46:22: DEBUG: succeed.
2007-11-17 13:46:22: DEBUG: ===
2007-11-17 13:46:22: DEBUG: compute DH's private.
2007-11-17 13:46:22: DEBUG: 546756e2 29017b07 09e9c080 10480c25 3de862c8 d053b054 832d30f0 b4f4dc5e ce791561 f37aa97e 60f9ce18 9147750d a1e695ba 2aaf8712 44e811fd a6f80153 1f973bda d0a95d71 14a12af7 2ad61304 e1f823c9 4541371f 6c5e9bfc 0134bce0 c41b1d26 fd5b4b9a a58c24d3 29602634 4ea8c292 4a413f76 d1bed837 366b7b4e
2007-11-17 13:46:22: DEBUG: compute DH's public.
2007-11-17 13:46:22: DEBUG: da922729 94451e1d e45c8a42 1567adbd 0fedcaac a57c5d00 341aeaae 0b82d775 cca668e5 f8bf26be a803619e 202d47cd 81792497 c94acbfb 818950d2 cd0dceb7 45dc1cd7 4bd051ee 95fc3321 fac883e6 0273a853 fddf83b0 323f1a33 b286881c 8da9348b da556113 79f8ade3 06ef3183 fd0b3881 644ebf34 1a65f8c3 b753e6ec
2007-11-17 13:46:22: DEBUG: create my CR: X.509 Certificate Signature
2007-11-17 13:46:22: DEBUG: add payload of len 128, next type 10
2007-11-17 13:46:22: DEBUG: add payload of len 16, next type 7
2007-11-17 13:46:22: DEBUG: add payload of len 1, next type 0
2007-11-17 13:46:22: DEBUG: 185 bytes from 202.70.87.123[500] to 203.91.130.173[500]
2007-11-17 13:46:22: DEBUG: sockname 202.70.87.123[500]
2007-11-17 13:46:22: DEBUG: send packet from 202.70.87.123[500]
2007-11-17 13:46:22: DEBUG: send packet to 203.91.130.173[500]
2007-11-17 13:46:22: DEBUG: 1 times of 185 bytes message will be sent to 203.91.130.173[500]
2007-11-17 13:46:22: DEBUG: a40e0e86 c6a792cc 082dacfe 812390c3 04100200 00000000 000000b9 0a000084 da922729 94451e1d e45c8a42 1567adbd 0fedcaac a57c5d00 341aeaae 0b82d775 cca668e5 f8bf26be a803619e 202d47cd 81792497 c94acbfb 818950d2 cd0dceb7 45dc1cd7 4bd051ee 95fc3321 fac883e6 0273a853 fddf83b0 323f1a33 b286881c 8da9348b da556113 79f8ade3 06ef3183 fd0b3881 644ebf34 1a65f8c3 b753e6ec 07000014 d417a1a3 9d6d48a8 b6e6b521 c735715b 00000005 04
2007-11-17 13:46:22: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
2007-11-17 13:46:22: DEBUG: compute DH's shared.
2007-11-17 13:46:22: DEBUG: 836162af a21acc24 c1c4892a 50b7b5aa 6492bb77 a96a05ca 50330a6f 3255fb86 5a8dcc08 760d4d97 93861c32 b862e73d d536e092 15988bdb 2d008bea f973c518 c8b189fb 70b68b28 ce3217e1 1acb045b 7a8f0994 604f5f69 b4fc92c2 70afd465 fe8cfa2e 1d31993d 10bf909d 3e708dff 63822ac1 32ee89c2 0f008431 87da02d3
2007-11-17 13:46:22: DEBUG: nonce1:
2007-11-17 13:46:22: DEBUG: bfed4f26 bd3d37c1 da6f7418 3c02447f c407c549
2007-11-17 13:46:22: DEBUG: nonce2:
2007-11-17 13:46:22: DEBUG: d417a1a3 9d6d48a8 b6e6b521 c735715b
2007-11-17 13:46:22: DEBUG: hmac(hmac_sha1)
2007-11-17 13:46:22: DEBUG: SKEYID computed:
2007-11-17 13:46:22: DEBUG: 017c2f21 01a66f1a 73720e7b d287c09c 311f9e3c
2007-11-17 13:46:22: DEBUG: hmac(hmac_sha1)
2007-11-17 13:46:22: DEBUG: SKEYID_d computed:
2007-11-17 13:46:22: DEBUG: 7cf331f1 46a12eab e5806374 66ba1f02 69b8552b
2007-11-17 13:46:22: DEBUG: hmac(hmac_sha1)
2007-11-17 13:46:22: DEBUG: SKEYID_a computed:
2007-11-17 13:46:22: DEBUG: b1d4144f 7252dab1 c530d46b c5ced014 e9cf8170
2007-11-17 13:46:22: DEBUG: hmac(hmac_sha1)
2007-11-17 13:46:22: DEBUG: SKEYID_e computed:
2007-11-17 13:46:22: DEBUG: dc716f0e 69e86d9f 8953d4a6 e885e9f9 1ce01d3e
2007-11-17 13:46:22: DEBUG: encryption(3des)
2007-11-17 13:46:22: DEBUG: hash(sha1)
2007-11-17 13:46:22: DEBUG: len(SKEYID_e) < len(Ka) (20 < 24), generating long key (Ka = K1 | K2 | ...)
2007-11-17 13:46:22: DEBUG: hmac(hmac_sha1)
2007-11-17 13:46:22: DEBUG: compute intermediate encryption key K1
2007-11-17 13:46:22: DEBUG: 00
2007-11-17 13:46:22: DEBUG: 2b50e17a 147fc34a e2a0201d 65328e07 03e9a14d
2007-11-17 13:46:22: DEBUG: hmac(hmac_sha1)
2007-11-17 13:46:22: DEBUG: compute intermediate encryption key K2
2007-11-17 13:46:22: DEBUG: 2b50e17a 147fc34a e2a0201d 65328e07 03e9a14d
2007-11-17 13:46:22: DEBUG: 6ab29a51 47035c1a 3dec4a8d 74d3b9a0 afd70be2
2007-11-17 13:46:22: DEBUG: final encryption key computed:
2007-11-17 13:46:22: DEBUG: 2b50e17a 147fc34a e2a0201d 65328e07 03e9a14d 6ab29a51
2007-11-17 13:46:22: DEBUG: hash(sha1)
2007-11-17 13:46:22: DEBUG: encryption(3des)
2007-11-17 13:46:22: DEBUG: IV computed:
2007-11-17 13:46:22: DEBUG: 4fac448d 4e7c6dd4
2007-11-17 13:46:22: DEBUG: ===
2007-11-17 13:46:22: DEBUG: 84 bytes message received from 203.91.130.173[500] to 202.70.87.123[500]
2007-11-17 13:46:22: DEBUG: a40e0e86 c6a792cc 082dacfe 812390c3 08100501 a1bb6774 00000054 3651c37a 51d0154e 88839bf4 afbec602 0650be17 6010346e 5d5ba4bb c0f91490 773c82b1 53f93a76 3dfb8fc7 e5a9df73 91d15932 7de30475
2007-11-17 13:46:22: DEBUG: receive Information.
2007-11-17 13:46:22: DEBUG: compute IV for phase2
2007-11-17 13:46:22: DEBUG: phase1 last IV:
2007-11-17 13:46:22: DEBUG: 4fac448d 4e7c6dd4 a1bb6774
2007-11-17 13:46:22: DEBUG: hash(sha1)
2007-11-17 13:46:22: DEBUG: encryption(3des)
2007-11-17 13:46:22: DEBUG: phase2 IV computed:
2007-11-17 13:46:22: DEBUG: d79599c8 f1760aad
2007-11-17 13:46:22: DEBUG: begin decryption.
2007-11-17 13:46:22: DEBUG: encryption(3des)
2007-11-17 13:46:22: DEBUG: IV was saved for next processing:
2007-11-17 13:46:22: DEBUG: 91d15932 7de30475
2007-11-17 13:46:22: DEBUG: encryption(3des)
2007-11-17 13:46:22: DEBUG: with key:
2007-11-17 13:46:22: DEBUG: 2b50e17a 147fc34a e2a0201d 65328e07 03e9a14d 6ab29a51
2007-11-17 13:46:22: DEBUG: decrypted payload by IV:
2007-11-17 13:46:22: DEBUG: d79599c8 f1760aad
2007-11-17 13:46:22: DEBUG: decrypted payload, but not trimed.
2007-11-17 13:46:22: DEBUG: 0b000018 10240f69 9e97a58a b52e5f9c 772b2aa1 1e3851fb 0000001c 00000001 0110001c a40e0e86 c6a792cc 082dacfe 812390c3 00000000
2007-11-17 13:46:22: DEBUG: padding len=1
2007-11-17 13:46:22: DEBUG: skip to trim padding.
2007-11-17 13:46:22: DEBUG: decrypted.
2007-11-17 13:46:22: DEBUG: a40e0e86 c6a792cc 082dacfe 812390c3 08100501 a1bb6774 00000054 0b000018 10240f69 9e97a58a b52e5f9c 772b2aa1 1e3851fb 0000001c 00000001 0110001c a40e0e86 c6a792cc 082dacfe 812390c3 00000000
2007-11-17 13:46:22: ERROR: ignore information because ISAKMP-SA has not been established yet.
2007-11-17 13:46:32: DEBUG: 185 bytes from 202.70.87.123[500] to 203.91.130.173[500]
2007-11-17 13:46:32: DEBUG: sockname 202.70.87.123[500]
2007-11-17 13:46:32: DEBUG: send packet from 202.70.87.123[500]
2007-11-17 13:46:32: DEBUG: send packet to 203.91.130.173[500]
2007-11-17 13:46:32: DEBUG: 1 times of 185 bytes message will be sent to 203.91.130.173[500]
2007-11-17 13:46:32: DEBUG: a40e0e86 c6a792cc 082dacfe 812390c3 04100200 00000000 000000b9 0a000084 da922729 94451e1d e45c8a42 1567adbd 0fedcaac a57c5d00 341aeaae 0b82d775 cca668e5 f8bf26be a803619e 202d47cd 81792497 c94acbfb 818950d2 cd0dceb7 45dc1cd7 4bd051ee 95fc3321 fac883e6 0273a853 fddf83b0 323f1a33 b286881c 8da9348b da556113 79f8ade3 06ef3183 fd0b3881 644ebf34 1a65f8c3 b753e6ec 07000014 d417a1a3 9d6d48a8 b6e6b521 c735715b 00000005 04
2007-11-17 13:46:32: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
2007-11-17 13:46:42: DEBUG: 185 bytes from 202.70.87.123[500] to 203.91.130.173[500]
2007-11-17 13:46:42: DEBUG: sockname 202.70.87.123[500]
2007-11-17 13:46:42: DEBUG: send packet from 202.70.87.123[500]
2007-11-17 13:46:42: DEBUG: send packet to 203.91.130.173[500]
2007-11-17 13:46:42: DEBUG: 1 times of 185 bytes message will be sent to 203.91.130.173[500]
2007-11-17 13:46:42: DEBUG: a40e0e86 c6a792cc 082dacfe 812390c3 04100200 00000000 000000b9 0a000084 da922729 94451e1d e45c8a42 1567adbd 0fedcaac a57c5d00 341aeaae 0b82d775 cca668e5 f8bf26be a803619e 202d47cd 81792497 c94acbfb 818950d2 cd0dceb7 45dc1cd7 4bd051ee 95fc3321 fac883e6 0273a853 fddf83b0 323f1a33 b286881c 8da9348b da556113 79f8ade3 06ef3183 fd0b3881 644ebf34 1a65f8c3 b753e6ec 07000014 d417a1a3 9d6d48a8 b6e6b521 c735715b 00000005 04
2007-11-17 13:46:42: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
2007-11-17 13:46:52: DEBUG: 185 bytes from 202.70.87.123[500] to 203.91.130.173[500]
2007-11-17 13:46:52: DEBUG: sockname 202.70.87.123[500]
2007-11-17 13:46:52: DEBUG: send packet from 202.70.87.123[500]
2007-11-17 13:46:52: DEBUG: send packet to 203.91.130.173[500]
2007-11-17 13:46:52: DEBUG: 1 times of 185 bytes message will be sent to 203.91.130.173[500]
2007-11-17 13:46:52: DEBUG: a40e0e86 c6a792cc 082dacfe 812390c3 04100200 00000000 000000b9 0a000084 da922729 94451e1d e45c8a42 1567adbd 0fedcaac a57c5d00 341aeaae 0b82d775 cca668e5 f8bf26be a803619e 202d47cd 81792497 c94acbfb 818950d2 cd0dceb7 45dc1cd7 4bd051ee 95fc3321 fac883e6 0273a853 fddf83b0 323f1a33 b286881c 8da9348b da556113 79f8ade3 06ef3183 fd0b3881 644ebf34 1a65f8c3 b753e6ec 07000014 d417a1a3 9d6d48a8 b6e6b521 c735715b 00000005 04
2007-11-17 13:46:52: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
2007-11-17 13:47:02: DEBUG: 185 bytes from 202.70.87.123[500] to 203.91.130.173[500]
2007-11-17 13:47:02: DEBUG: sockname 202.70.87.123[500]
2007-11-17 13:47:02: DEBUG: send packet from 202.70.87.123[500]
2007-11-17 13:47:02: DEBUG: send packet to 203.91.130.173[500]
2007-11-17 13:47:02: DEBUG: 1 times of 185 bytes message will be sent to 203.91.130.173[500]
2007-11-17 13:47:02: DEBUG: a40e0e86 c6a792cc 082dacfe 812390c3 04100200 00000000 000000b9 0a000084 da922729 94451e1d e45c8a42 1567adbd 0fedcaac a57c5d00 341aeaae 0b82d775 cca668e5 f8bf26be a803619e 202d47cd 81792497 c94acbfb 818950d2 cd0dceb7 45dc1cd7 4bd051ee 95fc3321 fac883e6 0273a853 fddf83b0 323f1a33 b286881c 8da9348b da556113 79f8ade3 06ef3183 fd0b3881 644ebf34 1a65f8c3 b753e6ec 07000014 d417a1a3 9d6d48a8 b6e6b521 c735715b 00000005 04
2007-11-17 13:47:02: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
2007-11-17 13:47:12: DEBUG: 185 bytes from 202.70.87.123[500] to 203.91.130.173[500]
2007-11-17 13:47:12: DEBUG: sockname 202.70.87.123[500]
2007-11-17 13:47:12: DEBUG: send packet from 202.70.87.123[500]
2007-11-17 13:47:12: DEBUG: send packet to 203.91.130.173[500]
2007-11-17 13:47:12: DEBUG: 1 times of 185 bytes message will be sent to 203.91.130.173[500]
2007-11-17 13:47:12: DEBUG: a40e0e86 c6a792cc 082dacfe 812390c3 04100200 00000000 000000b9 0a000084 da922729 94451e1d e45c8a42 1567adbd 0fedcaac a57c5d00 341aeaae 0b82d775 cca668e5 f8bf26be a803619e 202d47cd 81792497 c94acbfb 818950d2 cd0dceb7 45dc1cd7 4bd051ee 95fc3321 fac883e6 0273a853 fddf83b0 323f1a33 b286881c 8da9348b da556113 79f8ade3 06ef3183 fd0b3881 644ebf34 1a65f8c3 b753e6ec 07000014 d417a1a3 9d6d48a8 b6e6b521 c735715b 00000005 04
2007-11-17 13:47:12: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
2007-11-17 13:47:22: ERROR: phase1 negotiation failed due to time up. a40e0e86c6a792cc:082dacfe812390c3
2007-11-17 13:47:30: DEBUG: ===
2007-11-17 13:47:30: DEBUG: 84 bytes message received from 203.91.130.173[500] to 202.70.87.123[500]
2007-11-17 13:47:30: DEBUG: a40e0e86 c6a792cc 082dacfe 812390c3 08100501 f8741a02 00000054 c2bb39a8 a07f54b1 54f51db2 2aed505c a952f463 93382d99 a1f4f751 de0a1157 86280a18 a2c28d9a feb948a5 befc112c 805ed633 03ba7de4
2007-11-17 13:47:30: ERROR: unknown Informational exchange received.

Any suggestion will be appreciated.

Thank you,
Regards,
John

Bjoern Engels wrote:
Hi John,

there must be more in the log file. It would be interesting to see what happens before the stuff you posted to me.

Please continue writing to the list (I wrote my answer cc: to the list, too), not just to me personally. There will be people who have more of a clue regarding racoon than I do. ;-)

--
Viele Gruesse // Best regards
Bjoern Engels
:wq!
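Racoon logs the peer's Informational only as raw bytes after "decrypted." and then discards it ("ignore information because ISAKMP-SA has not been established yet"), so the reason the Windows side gave never appears in readable form. The decoder below is an added example, not code from the thread or from ipsec-tools: it walks the ISAKMP header and payload chain (RFC 2408) over two packets transcribed from the log above, the KE/nonce/CR message racoon sent and the decrypted Informational, whose Notification payload carries type 28, which RFC 2408 names CERTIFICATE-UNAVAILABLE.

```python
"""Decode the two ISAKMP (IKEv1, RFC 2408) messages racoon dumped in the log above.

Added example, not code from the thread or from ipsec-tools. The hex constants
are transcribed from John's racoon log: the KE/nonce/CR packet racoon sent as
responder, and the Informational it decrypted and then ignored.
"""
import struct

# RFC 2408 section 3.1 (header), 3.14.1 (notify types; only the
# certificate-related ones are named here) and 3.9 (certificate encodings).
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
                 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "N", 12: "D", 13: "VID"}
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION",
                19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE",
                21: "CERT-TYPE-UNSUPPORTED", 22: "INVALID-CERT-AUTHORITY",
                24: "AUTHENTICATION-FAILED", 25: "INVALID-SIGNATURE",
                28: "CERTIFICATE-UNAVAILABLE"}
CERT_ENCODINGS = {1: "PKCS #7 wrapped X.509", 4: "X.509 Certificate - Signature",
                  5: "X.509 Certificate - Key Exchange", 7: "CRL"}

# Main Mode message 2 as sent by racoon (log: "185 bytes from 202.70.87.123[500]").
RACOON_KE_NONCE_CR = """
a40e0e86 c6a792cc 082dacfe 812390c3 04100200 00000000 000000b9 0a000084
da922729 94451e1d e45c8a42 1567adbd 0fedcaac a57c5d00 341aeaae 0b82d775
cca668e5 f8bf26be a803619e 202d47cd 81792497 c94acbfb 818950d2 cd0dceb7
45dc1cd7 4bd051ee 95fc3321 fac883e6 0273a853 fddf83b0 323f1a33 b286881c
8da9348b da556113 79f8ade3 06ef3183 fd0b3881 644ebf34 1a65f8c3 b753e6ec
07000014 d417a1a3 9d6d48a8 b6e6b521 c735715b 00000005 04
"""
# The Informational from the Windows peer, as logged after racoon's "decrypted." line.
WIN_INFORMATIONAL = """
a40e0e86 c6a792cc 082dacfe 812390c3 08100501 a1bb6774 00000054 0b000018
10240f69 9e97a58a b52e5f9c 772b2aa1 1e3851fb 0000001c 00000001 0110001c
a40e0e86 c6a792cc 082dacfe 812390c3 00000000
"""


def decode_payload(ptype, body):
    """Interpret one payload body by type; anything else is kept as raw hex."""
    info = {"type": PAYLOAD_TYPES.get(ptype, f"unknown({ptype})"), "len": len(body)}
    if ptype == 11 and len(body) >= 8:            # Notification payload
        doi, proto, spi_size, ntype = struct.unpack(">IBBH", body[:8])
        info.update(doi=doi, protocol=proto,
                    notify=NOTIFY_TYPES.get(ntype, f"type {ntype}"),
                    spi=body[8:8 + spi_size].hex(),
                    data=body[8 + spi_size:].hex())
    elif ptype == 7 and body:                      # Certificate Request payload
        info.update(encoding=CERT_ENCODINGS.get(body[0], f"encoding {body[0]}"),
                    ca_dn=body[1:].hex() or "(empty: any CA accepted)")
    else:
        info["value"] = body.hex()
    return info


def parse_message(hex_dump):
    """Walk the ISAKMP header and payload chain of one message given as hex words."""
    data = bytes.fromhex("".join(hex_dump.split()))
    if len(data) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    icookie, rcookie, np, _ver, etype, flags, msgid, length = struct.unpack(
        ">8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"header length {length} != {len(data)} bytes dumped")
    msg = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
           "exchange": EXCHANGE_TYPES.get(etype, f"unknown({etype})"),
           "encrypted": bool(flags & 0x01), "message_id": f"{msgid:08x}",
           "payloads": []}
    off = 28
    while np != 0:                                 # next-payload 0 ends the chain
        if off + 4 > len(data):
            raise ValueError(f"payload header at {off} runs past the message")
        nxt, _res, plen = struct.unpack(">BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        msg["payloads"].append(decode_payload(np, data[off + 4:off + plen]))
        np, off = nxt, off + plen
    # Bytes left after the chain are block-cipher padding in an encrypted message.
    msg["trailing_bytes"] = len(data) - off
    return msg


if __name__ == "__main__":
    for name, dump in (("racoon -> peer", RACOON_KE_NONCE_CR),
                       ("peer -> racoon", WIN_INFORMATIONAL)):
        m = parse_message(dump)
        print(f"{name}: {m['exchange']} exchange, encrypted={m['encrypted']}, "
              f"message id {m['message_id']}, padding {m['trailing_bytes']} bytes")
        for p in m["payloads"]:
            print("   ", {k: v for k, v in p.items() if k != "value"})
```

The same walk applies to any packet racoon dumps at "log debug": the first 28 bytes are the header and each payload announces the type of the one after it.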