ScreenOS Dialup VPN XAuth Pool Debug
debug ike detail
SSG-1-> get db str
## 2014-12-12 02:11:59 : IKE<192.168.3.1> setting xauth_check_dead timeout for later. username <test-usr>, ip<10.1.1.20/255.255.255.255>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ike packet, len 579, action 1
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Catcher: received 551 bytes from socket.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ****** Recv packet if <ethernet0/3> of vsys <Root> ******
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Catcher: get 551 bytes. src port 10952
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ISAKMP msg: len 551, nxp 1[SA], exch 4[AG], flag 00
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
## 2014-12-12 02:12:06 : [VID] [VID] [VID] [VID] [VID] [VID] [VID]
## 2014-12-12 02:12:06 : valid id checking, id type:U-FQDN, len:23.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > Validate (523): SA/128 KE/100 NONCE/44 ID/23 VID/12 VID/12 VID/20 VID/20 VID/20
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Receive Id in AG mode, id-type=3, id=aman1@wipro.com, idlen = 15
## 2014-12-12 02:12:06 : IKE<192.168.2.1> peer <VPN1-GW> has static ip.
## 2014-12-12 02:12:06 : locate peer entry for (3/aman1@wipro.com), by identity.
## 2014-12-12 02:12:06 : found single user entry(3/aman1@wipro.com).
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Found peer entry (Dialup-VPNGW) from 192.168.3.1.
## 2014-12-12 02:12:06 : responder create sa: 192.168.3.1->192.168.1.1
## 2014-12-12 02:12:06 : init p1sa, pidt = 0x0
## 2014-12-12 02:12:06 : change peer identity for p1 sa, pidt = 0x0
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > peer_identity_create_with_uid: uid<0>
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > create peer identity 0x2a7a2f8
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry before add <1>
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry after add <2>
## 2014-12-12 02:12:06 : peer identity 2a7a2f8 created.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > EDIPI disabled
## 2014-12-12 02:12:06 : IKE<192.168.3.1> getProfileFromP1Proposal->
## 2014-12-12 02:12:06 : IKE<192.168.3.1> find profile[0]=<00000001 00000001 00000001 00000001> for p1 proposal (id 0), xauth(1)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> responder create sa: 192.168.3.1->192.168.1.1
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Phase 1: Responder starts AGGRESSIVE mode negotiations.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> AG in state OAK_AG_NOSTATE.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [VID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Vendor ID:
## 2014-12-12 02:12:06 : da 8e 93 78 80 01 00 00
## 2014-12-12 02:12:06 : IKE<192.168.3.1> receive unknown vendor ID payload
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [VID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Vendor ID:
## 2014-12-12 02:12:06 : 09 00 26 89 df d6 b7 12
## 2014-12-12 02:12:06 : IKE<192.168.3.1> rcv XAUTH v6.0 vid
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [VID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Vendor ID:
## 2014-12-12 02:12:06 : 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
## 2014-12-12 02:12:06 : IKE<192.168.3.1> rcv non-NAT-Traversal VID payload.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [VID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Vendor ID:
## 2014-12-12 02:12:06 : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
## 2014-12-12 02:12:06 : IKE<192.168.3.1> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-02).
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [VID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Vendor ID:
## 2014-12-12 02:12:06 : 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
## 2014-12-12 02:12:06 : IKE<192.168.3.1> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-00).
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [VID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Vendor ID:
## 2014-12-12 02:12:06 : 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
## 2014-12-12 02:12:06 : IKE<192.168.3.1> rcv non-NAT-Traversal VID payload.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [VID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Vendor ID:
## 2014-12-12 02:12:06 : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [VID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Vendor ID:
## 2014-12-12 02:12:06 : 97 87 98 c6 28 e5 82 a8 3b 2a 97 bf 0d 6e 60 dd
## 2014-12-12 02:12:06 : IKE<192.168.3.1> rcv non-NAT-Traversal VID payload.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [VID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Vendor ID:
## 2014-12-12 02:12:06 : cb e7 94 44 a0 87 0d e4 22 4a 2c 15 1f bf e0 99
## 2014-12-12 02:12:06 : IKE<192.168.3.1> rcv non-NAT-Traversal VID payload.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [VID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Vendor ID:
## 2014-12-12 02:12:06 : c6 1b ac a1 f1 a6 0c c1 08 00 00 00 00 00 00 00
## 2014-12-12 02:12:06 : IKE<192.168.3.1> rcv non-NAT-Traversal VID payload.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [VID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Vendor ID:
## 2014-12-12 02:12:06 : 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
## 2014-12-12 02:12:06 : c0 00 00 00
## 2014-12-12 02:12:06 : IKE<192.168.3.1> receive unknown vendor ID payload
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [VID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Vendor ID:
## 2014-12-12 02:12:06 : 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
## 2014-12-12 02:12:06 : IKE<192.168.3.1> rcv non-NAT-Traversal VID payload.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [SA]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Proposal received: xauthflag 0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> P1 attributes not supported.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> [0] expect: xauthflag 3
## 2014-12-12 02:12:06 : IKE<192.168.3.1> auth(1)<PRESHRD>, encr(1)<DES>, hash(1)<MD5>, group(1)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth attribute: responder
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Proposal received: xauthflag 1
## 2014-12-12 02:12:06 : IKE<192.168.3.1> auth(1)<PRESHRD>, encr(1)<DES>, hash(1)<MD5>, group(1)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth attribute: initiator
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Phase 1 proposal [0] selected.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> SA Life Type = seconds
## 2014-12-12 02:12:06 : IKE<192.168.3.1> SA lifetime (TLV) = 86400
## 2014-12-12 02:12:06 : IKE<192.168.3.1> DH_BG_consume OK. p1 resp
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [KE]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> processing ISA_KE in phase 1.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Phase1: his_DH_pub_len is 96
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [NONCE]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> processing NONCE in phase 1.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [ID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ID received: type=ID_USER_FQDN, USER FQDN = aman1@wipro.com, port=0, protocol=0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> process_id need to update peer entry, cur <Dialup-VPNGW>.
## 2014-12-12 02:12:06 : IKE<192.168.2.1> peer <VPN1-GW> has static ip.
## 2014-12-12 02:12:06 : locate peer entry for (3/aman1@wipro.com), by identity.
## 2014-12-12 02:12:06 : found single user entry(3/aman1@wipro.com).
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Dynamic peer IP addr, search peer by identity.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> peer gateway entry has no peer id configured
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ID processed. return 0. sa->p1_state = 0.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Phase 1 AG Responder constructing 2nd message.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct ISAKMP header.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Msg header built (next payload #1)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [SA] for ISAKMP
## 2014-12-12 02:12:06 : IKE<192.168.3.1> auth(1)<PRESHRD>, encr(1)<DES>, hash(1)<MD5>, group(1)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth attribute: disabled
## 2014-12-12 02:12:06 : IKE<192.168.3.1> lifetime/lifesize (86400/0)
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > set_phase1_transform, dh_group(1).
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct NetScreen [VID]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct custom [VID]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct custom [VID]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct custom [VID]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [KE] for ISAKMP
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [NONCE]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> gen_skeyid()
## 2014-12-12 02:12:06 : IKE<192.168.3.1> gen_skeyid: returning 0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [ID] for ISAKMP
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [HASH]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ID, len=8, type=1, pro=17, port=500,
## 2014-12-12 02:12:06 : IKE<192.168.3.1> addr=192.168.1.1
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct NAT-T [VID]: draft 2
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Responder psk ag mode: natt vid constructed.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> responder (psk) constructing remote NAT-D
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [NATD]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> responder (psk) constructing local NAT-D
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [NATD]
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Xmit : [SA] [VID] [VID] [VID] [VID] [KE] [NONCE] [ID] [HASH]
## 2014-12-12 02:12:06 : [VID] [NATD] [NATD]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Responder sending IPv4 IP 192.168.3.1/port 10952
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Send Phase 1 packet (len=400)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> IKE msg done: PKI state<0> IKE state<5/91180f>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ike packet, len 144, action 0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Catcher: received 116 bytes from socket.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ****** Recv packet if <ethernet0/3> of vsys <Root> ******
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Catcher: get 116 bytes. src port 10952
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ISAKMP msg: len 116, nxp 8[HASH], exch 4[AG], flag 01 E
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Decrypting payload (length 88)
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Recv*: [HASH] [NATD] [NATD] [NOTIF]
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > extract payload (88):
## 2014-12-12 02:12:06 : IKE<192.168.3.1> AG in state OAK_AG_INIT_EXCH.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [NATD]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [NATD]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [HASH]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ID, len=19, type=3, pro=0, port=0,
## 2014-12-12 02:12:06 : IKE<192.168.3.1>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [NOTIF]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Received notify message for DOI <1> <24578> <INITIAL-CONTACT>.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Received initial contact notification and removed Phase 2 SAs.
## 2014-12-12 02:12:06 : clear phase 2 sa of peer Dialup-VPNGW.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> deactive p2 sa 0 send_delete 0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> process notify exit with <0>.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> completing Phase 1
## 2014-12-12 02:12:06 : IKE<192.168.3.1> sa_pidt = 2a7a2f8
## 2014-12-12 02:12:06 : IKE<192.168.3.1> found existing peer identity 2a79d90
## 2014-12-12 02:12:06 : IKE<192.168.3.1> peer_identity_unregister_p1_sa.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > delete peer identity 0x2a7a2f8
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > peer_identity_remove_from_peer: num entry before remove <2>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> peer_idt.c peer_identity_unregister_p1_sa 686: pidt deleted.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> clear p1sa(0x2a4bee8) xauth because new p1sa (0x2a4ccd4) gets initial-contact
## 2014-12-12 02:12:06 : IKE<192.168.3.1> IKE Xauth: release prefix route, ret=<-2>.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> phase 1 sa timeout value reduced <28743> to <30>.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Phase 1: Completed for ip <192.168.3.1>, user<test-usr>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Phase 1: Completed Aggressive mode negotiation with a <28800>-second lifetime.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth is started: server, p1responder, aggr mode.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> start_xauth()
## 2014-12-12 02:12:06 : IKE<192.168.3.1> start_xauth(): as:0 ac:-1 enable:1
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth_process_server: accounting server id 0 (use auth server as acct server).
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth_process_server: xauthstatus 20.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ikecfg list add attr type 16520, val 0 added, len 0.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ikecfg list add attr type 16521, val empty string, type <16521> added, len 0.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ikecfg list add attr type 16522, val empty string, type <16522> added, len 0.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Create conn entry...
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ...done(new ed440210)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct ISAKMP header.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Msg header built (next payload #8)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [HASH]
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > next: 0, payloadlength 20, type 1, identifier 40803.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > basic attr type 16520, valint 0
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > variable attr type 16521, vallen 0, valstr empty string, type <16521>
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > variable attr type 16522, vallen 0, valstr empty string, type <16522>
## 2014-12-12 02:12:06 : IKE<0.0.0.0 >
## 2014-12-12 02:12:06 : IKE<192.168.3.1> construct QM HASH
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Xmit*: [HASH] [IKECFG]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Encrypt P2 payload (len 68)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Responder sending IPv4 IP 192.168.3.1/port 10952
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Send Phase 2 packet (len=76)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ikecfg packet sent. msgid ed440210, len: 68, peer<192.168.3.1>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth status updated by state machine: 20
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > proc_other_session_notify->
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > process Notify Payload: doi(1), msg(24578), txt<INITIAL-CONTACT>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Received initial contact notification and removed Phase 1 SAs.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> IKE msg done: PKI state<0> IKE state<6/1097182f>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ike packet, len 112, action 0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Catcher: received 84 bytes from socket.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ****** Recv packet if <ethernet0/3> of vsys <Root> ******
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Catcher: get 84 bytes. src port 10952
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ISAKMP msg: len 84, nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Decrypting payload (length 56)
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Recv*: [HASH] [IKECFG]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [IKECFG]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> processing IKECFG payload. msgid ed440210, msgtype 2, payload ID 40803
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > next: 0, payloadlength 35, type 2, identifier 40803.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > basic attr type 16520, valint 0
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > variable attr type 16521, vallen 8, valstr test-us
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > variable attr type 16522, vallen 7, valstr test12
## 2014-12-12 02:12:06 : IKE<0.0.0.0 >
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ikecfg list add attr type 16520, val 0 added, len 0.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ikecfg list add attr type 16521, val test-us added, len 8.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ikecfg list add attr type 16522, val test12 added, len 7.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth server got type: 16520 v<0>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth server got var type: 16521
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth server got var type: 16522
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth server entering state machine: 20
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth_process_server: accounting server id 0 (use auth server as acct server).
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth_process_server: xauthstatus 20.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth_auth_pap: authing locally: uname test-usr, passwd test123 SUCCESS
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Get config for client(local auth)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ikecfg_assign_client_cfg(): Sa->ip_addr = 0x0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> getting xauth local user <test-usr> remote setting
## 2014-12-12 02:12:06 : IKE<192.168.3.1> getting xauth local user IP from pool <Pool1>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Don't do xauth RADIUS accounting. Send cfg to client directly.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ikecfg_send_client_cfg: ip 10.1.1.20, v4mask 255.255.255.255 dns1 0.0.0.0, dns2 0.0.0.0, win1 0.0.0.0, win2 0.0.0.0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ikecfg_send_client_cfg v6: id ::, prefix ::/0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ikecfg_send_client_cfg v6: dns1 ::, dns2 ::, win1 ::, win2 ::
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ikecfg list add attr type 1, val 10.1.1.20 added, len 4.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ikecfg list add attr type 2, val 255.255.255.255 added, len 4.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Create conn entry...
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ...done(new 0024e2eb)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct ISAKMP header.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Msg header built (next payload #8)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [HASH]
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > next: 0, payloadlength 24, type 3, identifier 40803.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > variable attr type 1, vallen 4, valstr 10.1.1.20
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > variable attr type 2, vallen 4, valstr 255.255.255.255
## 2014-12-12 02:12:06 : IKE<0.0.0.0 >
## 2014-12-12 02:12:06 : IKE<192.168.3.1> construct QM HASH
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Xmit*: [HASH] [IKECFG]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Encrypt P2 payload (len 72)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Responder sending IPv4 IP 192.168.3.1/port 10952
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Send Phase 2 packet (len=76)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ikecfg packet sent. msgid 24e2eb, len: 72, peer<192.168.3.1>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth status updated by state machine: 90
## 2014-12-12 02:12:06 : IKE<192.168.3.1> IKE msg done: PKI state<0> IKE state<6/1097182f>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ike packet, len 96, action 0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Catcher: received 68 bytes from socket.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ****** Recv packet if <ethernet0/3> of vsys <Root> ******
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Catcher: get 68 bytes. src port 10952
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ISAKMP msg: len 68, nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Decrypting payload (length 40)
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Recv*: [HASH] [IKECFG]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [IKECFG]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> processing IKECFG payload. msgid 24e2eb, msgtype 4, payload ID 40803
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > next: 0, payloadlength 16, type 4, identifier 40803.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > variable attr type 1, vallen 0, valstr 0.2.0.0
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > variable attr type 2, vallen 0, valstr 0.0.0.0
## 2014-12-12 02:12:06 : IKE<0.0.0.0 >
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ikecfg list add attr type 1, val 0.0.0.0 added, len 0.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ikecfg list add attr type 2, val 0.0.0.0 added, len 0.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth server entering state machine: 90
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth_process_server: accounting server id 0 (use auth server as acct server).
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth_process_server: xauthstatus 90.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ikecfg list add attr type 16527, val 1 added, len 0.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Create conn entry...
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ...done(new 9664b261)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct ISAKMP header.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Msg header built (next payload #8)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [HASH]
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > next: 0, payloadlength 12, type 3, identifier 40803.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > basic attr type 16527, valint 1
## 2014-12-12 02:12:06 : IKE<0.0.0.0 >
## 2014-12-12 02:12:06 : IKE<192.168.3.1> construct QM HASH
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Xmit*: [HASH] [IKECFG]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Encrypt P2 payload (len 60)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Responder sending IPv4 IP 192.168.3.1/port 10952
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Send Phase 2 packet (len=68)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ikecfg packet sent. msgid 9664b261, len: 60, peer<192.168.3.1>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth status updated by state machine: 100
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth_passed()
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth login PASSED. gw <Dialup-VPNGW>, username <test-usr>, retry: 0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth_cleanup()
## 2014-12-12 02:12:06 : IKE<192.168.3.1> IKE msg done: PKI state<0> IKE state<6/1097182f>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ike packet, len 88, action 0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ike packet, len 200, action 0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Catcher: received 60 bytes from socket.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ****** Recv packet if <ethernet0/3> of vsys <Root> ******
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Catcher: get 60 bytes. src port 10952
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ISAKMP msg: len 60, nxp 8[HASH], exch 6[XACT_EXCH], flag 01 E
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Decrypting payload (length 32)
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Recv*: [HASH] [IKECFG]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [IKECFG]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> processing IKECFG payload. msgid 9664b261, msgtype 4, payload ID 40803
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > print ikecfg attribute payload:
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > next: 0, payloadlength 12, type 4, identifier 40803.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > variable attr type 16527, vallen 0, valstr
## 2014-12-12 02:12:06 : IKE<0.0.0.0 >
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth: bad state negt<00000000> peer<00000000>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> IKE msg done: PKI state<0> IKE state<6/1097182f>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Catcher: received 172 bytes from socket.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ****** Recv packet if <ethernet0/3> of vsys <Root> ******
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Catcher: get 172 bytes. src port 10952
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ISAKMP msg: len 172, nxp 8[HASH], exch 32[QM], flag 01 E
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Create conn entry...
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ...done(new 519fb6b9)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Phase 2 msg-id <519fb6b9>: Responded to the first peer message.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Decrypting payload (length 144)
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Recv*: [HASH] [SA] [NONCE] [ID] [ID]
## 2014-12-12 02:12:06 : valid id checking, id type:IP Address, len:12.
## 2014-12-12 02:12:06 : valid id checking, id type:IP Subnet, len:16.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > extract payload (144):
## 2014-12-12 02:12:06 : valid id checking, id type:IP Address, len:12.
## 2014-12-12 02:12:06 : valid id checking, id type:IP Subnet, len:16.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> QM in state OAK_QM_SA_ACCEPT.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> receive init proxy id type ID_IPV4_ADDR with mask 0: force mask to all 1.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Start by finding matching member SA (verify -1/-1)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> IKE: Matching policy: gw ip <192.168.3.1> peer entry id<1>
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > protocol matched expected<0>.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > port matched expect l:<0>, r<0>.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Peer is dial up.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> configured ID for sa(4):
## 2014-12-12 02:12:06 : IKE<192.168.3.1> local 10.1.1.0/24 prot<0> port<0> type<4> remote 10.1.1.20/32 prot<0> port<0> type<1>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> member without dynamic policy found, match local address only
## 2014-12-12 02:12:06 : ipvx = IPV4
## 2014-12-12 02:12:06 : rcv_local_addr = 10.1.1.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 10.1.1.0
## 2014-12-12 02:12:06 : rcv_remote_addr = 10.1.1.20, rcv_remote_mask = 255.255.255.255, p_rcv_remote_real = 10.1.1.20
## 2014-12-12 02:12:06 : ike_p2_id->local_ip = 10.1.1.0, cfg_local_mask = 255.255.255.0, p_cfg_local_real = 10.1.1.0
## 2014-12-12 02:12:06 : ike_p2_id->remote_ip = 10.1.1.20, cfg_remote_mask = 255.255.255.255, p_cfg_remote_real = 10.1.1.20
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Proxy ID match: Located matching Phase 2 SA <4>.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Start by finding matching member SA (verify -1/-1)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> IKE: Matching policy: gw ip <192.168.3.1> peer entry id<1>
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > protocol matched expected<0>.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > port matched expect l:<0>, r<0>.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Peer is dial up.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> configured ID for sa(4):
## 2014-12-12 02:12:06 : IKE<192.168.3.1> local 10.1.1.0/24 prot<0> port<0> type<4> remote 10.1.1.20/32 prot<0> port<0> type<1>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> member without dynamic policy found, match local address only
## 2014-12-12 02:12:06 : ipvx = IPV4
## 2014-12-12 02:12:06 : rcv_local_addr = 10.1.1.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 10.1.1.0
## 2014-12-12 02:12:06 : rcv_remote_addr = 10.1.1.20, rcv_remote_mask = 255.255.255.255, p_rcv_remote_real = 10.1.1.20
## 2014-12-12 02:12:06 : ike_p2_id->local_ip = 10.1.1.0, cfg_local_mask = 255.255.255.0, p_cfg_local_real = 10.1.1.0
## 2014-12-12 02:12:06 : ike_p2_id->remote_ip = 10.1.1.20, cfg_remote_mask = 255.255.255.255, p_cfg_remote_real = 10.1.1.20
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Proxy ID match: Located matching Phase 2 SA <4>.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [SA]:
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > Check P2 Proposal
## 2014-12-12 02:12:06 : IKE<192.168.3.1> SA life type = seconds
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > SA life duration (TV) = 28800
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > encap mode from peer = 1.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > encap mode after converting it to private value = 1.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Phase 2 received:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> atts<00000003 00000000 00000002 00000001 00000001 00000000>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> proto(3)<ESP>, esp(2)<ESP_DES>, auth(1)<MD5>, encap(1)<TUNNEL>, group(0)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> P2 proposal [0] selected.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > add sa list for msg id <519fb6b9>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> get_unique_spi 0, 1314921947, 4e601ddb
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [NONCE]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> processing NONCE in phase 2.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [ID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Process [ID]:
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Phase 2 Responder constructing 2nd message.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct ISAKMP header.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Msg header built (next payload #8)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [HASH]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [SA] for IPSEC
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > Set IPSEC SA attrs tunnel(1) MD5 grp0 lifetime(28800/0)
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > Before NAT-T attr unmap: P2 prop tunnel = 1.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > After NAT-T attr unmap: P2 prop tunnel = 1.
## 2014-12-12 02:12:06 : IKE<10.1.1.20> IP<10.1.1.20> mask<255.255.255.255> prot<0> port<0>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Initiator P2 ID built: ...h
## 2014-12-12 02:12:06 : IKE<10.1.1.0> IP<10.1.1.0> mask<255.255.255.0> prot<0> port<0>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Responder P2 ID built: ...h
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [NONCE] for IPSec
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [ID] for Phase 2
## 2014-12-12 02:12:06 : id payload constructed. type(1),ip(10.1.1.20),mask(255.255.255.255), prot(0), port(0)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [ID] for Phase 2
## 2014-12-12 02:12:06 : id payload constructed. type(4),ip(10.1.1.0),mask(255.255.255.0), prot(0), port(0)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> send out RESPONDER_LIFETIME notification. prot=3,
## 2014-12-12 02:12:06 : IKE<192.168.3.1> life_sec=3600
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Construct [NOTIF] (RESPONDER-LIFETIME) for IPSEC
## 2014-12-12 02:12:06 : IKE<192.168.3.1> construct QM HASH
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Xmit*: [HASH] [SA] [NONCE] [ID] [ID] [NOTIF]
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Encrypt P2 payload (len 192)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Responder sending IPv4 IP 192.168.3.1/port 10952
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Send Phase 2 packet (len=196)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> oakley_process_quick_mode():exit
## 2014-12-12 02:12:06 : IKE<192.168.3.1> IKE msg done: PKI state<0> IKE state<6/1097182f>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ike packet, len 80, action 0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Catcher: received 52 bytes from socket.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ****** Recv packet if <ethernet0/3> of vsys <Root> ******
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Catcher: get 52 bytes. src port 10952
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > ISAKMP msg: len 52, nxp 8[HASH], exch 32[QM], flag 01 E
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Decrypting payload (length 24)
## 2014-12-12 02:12:06 : IKE<192.168.3.1 > Recv*: [HASH]
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > extract payload (24):
## 2014-12-12 02:12:06 : IKE<192.168.3.1> QM in state OAK_QM_AUTH_AWAIT.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> xauth_cleanup()
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Done cleaning up IKE Phase 1 SA
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Start by finding matching member SA (verify 0/0)
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Verify sa: index 0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> IKE: Matching policy: gw ip <192.168.3.1> peer entry id<1>
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > protocol matched expected<0>.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > port matched expect l:<0>, r<0>.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Peer is dial up.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> configured ID for sa(4):
## 2014-12-12 02:12:06 : IKE<192.168.3.1> local 10.1.1.0/24 prot<0> port<0> type<4> remote 10.1.1.20/32 prot<0> port<0> type<1>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> member without dynamic policy found, match local address only
## 2014-12-12 02:12:06 : ipvx = IPV4
## 2014-12-12 02:12:06 : rcv_local_addr = 10.1.1.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 10.1.1.0
## 2014-12-12 02:12:06 : rcv_remote_addr = 10.1.1.20, rcv_remote_mask = 255.255.255.255, p_rcv_remote_real = 10.1.1.20
## 2014-12-12 02:12:06 : ike_p2_id->local_ip = 10.1.1.0, cfg_local_mask = 255.255.255.0, p_cfg_local_real = 10.1.1.0
## 2014-12-12 02:12:06 : ike_p2_id->remote_ip = 10.1.1.20, cfg_remote_mask = 255.255.255.255, p_cfg_remote_real = 10.1.1.20
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Proxy ID match: Located matching Phase 2 SA <4>.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> sa ID for phase 2 sa is <4>. IP version is 4.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Single user entry.
## 2014-12-12 02:12:06 : ikmpd.c 3871. pidt == 2a79d90
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > life (sec or kb): lcl 3600, peer 28800, set 3600.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > life (sec or kb): lcl 0, peer 0, set 0.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> gen_qm_key()
## 2014-12-12 02:12:06 : IKE<192.168.3.1> load_sa_keys(): enter.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> gen_qm_key()
## 2014-12-12 02:12:06 : IKE<192.168.3.1> load_sa_keys(): enter.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> ikmpd.c 3999. sa ID for phase 2 sa is <4>. IP version is 4.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > spi hash node removed: type<2>,spi<4e601dda>,ip<192.168.1.1>
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > spi hash node removed: type<2>,spi<c8248b85>,ip<192.168.3.1>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> clean_all_sa_state_node_from_list->
## 2014-12-12 02:12:06 : IKE<192.168.3.1> no relocate earlier SA-state, not active.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> key_modify: sa index <0> bk_idx <0>.
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > insert_sa_state_to_spi_hash spi<4e601ddb>, sa_index<0>, Incoming
## 2014-12-12 02:12:06 : IKE<0.0.0.0 > insert_sa_state_to_spi_hash spi<643e9307>, sa_index<0>, Outgoing
## 2014-12-12 02:12:06 : IKE<192.168.3.1> update acvpn flags for sa 0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> update acvpn flags for sa 0 - 0x400033
## 2014-12-12 02:12:06 : IKE<192.168.3.1> crypto_ctx 11, 8, 8, 8, 0, 0, 16, 0, 12, 48
## 2014-12-12 02:12:06 : IKE<192.168.3.1> modify esp tunnel: src (peer) ipv4 <192.168.3.1>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> modifying esp tunnel: self <ipv4 192.168.1.1>
## 2014-12-12 02:12:06 : IKE<192.168.3.1> update auto NHTB status for sa 0
## 2014-12-12 02:12:06 : IKE<192.168.3.1> after mod, out nsptunnel <03661890>.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Phase 2 msg-id <519fb6b9>: Completed Quick Mode negotiation with SPI <4e601ddb>,tunnel ID <4>, and lifetime <3600> seconds/<0> KB.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> Application sa installed.
## 2014-12-12 02:12:06 : IKE<192.168.3.1> oakley_process_quick_mode():exit
## 2014-12-12 02:12:06 : IKE<192.168.3.1> IKE msg done: PKI state<0> IKE state<6/1097182f>
## 2014-12-12 02:12:07 : IKE<192.168.2.1> nhtb_list_update_status: vpn VPN1-PH2
## 2014-12-12 02:12:07 : IKE<192.168.2.1> ** link ready return 8
## 2014-12-12 02:12:07 : IKE<192.168.2.1> sa_link_status_for_tunl_ifp: saidx 1, preliminary status 8
## 2014-12-12 02:12:07 : IKE<192.168.2.1> local_if is ethernet0/3
SSG-1->
get config
set interface ethernet0/1.1 ip 10.1.1.1/24
set interface ethernet0/1.1 nat
set interface ethernet0/3 ip 192.168.1.1/24
set interface ethernet0/3 route
set ippool "Pool1" 10.1.1.20 10.1.1.25
set user "test-usr" uid 2
set user "test-usr" ike-id u-fqdn "aman1@wipro.com" share-limit 1
set user "test-usr" type ike xauth
set user "test-usr" remote ippool "Pool1"
set user "test-usr" password "OW73BW/zNXx/Tqs/rgC0l/3xySn6JZ4RAg=="
unset user "test-usr" type auth
set user "test-usr" "enable"
set crypto-policy
set ike gateway "Dialup-VPNGW" dialup "test-usr" Aggr outgoing-interface "ethernet0/3" preshare "Tvh0IpHtNk8w1AsnRUCWBK1GHknZF/BSwA==" proposal "pre-g1-des-md5"
set ike gateway "Dialup-VPNGW" nat-traversal keepalive-frequency 5
set ike gateway "Dialup-VPNGW" xauth server "Local" user "test-usr"
set xauth default ippool "Pool1"
set vpn "Dialup-PH2" gateway "Dialup-VPNGW" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
set policy id 5 from "Untrust" to "Trust" "Dial-Up VPN IPv4" "10.1.1.0/24" "ANY" tunnel vpn "Dialup-PH2" id 0x4 log
get vpn
SSG-1-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
Dialup-PH2      Dialup-VPNGW    tunl No    nopfs-esp-des-md5    off     1       eth0/3
Total Auto VPN: 1
Total Pure Transport Mode IPSEC VPN: 0

Name       Gateway         Interface       Lcl SPI  Rmt SPI  Algorithm        Monitor Tunnel ID
---------- --------------- --------------- -------- -------- ---------------- ------- ----------
Total Manual VPN 0
get ike cookie
SSG-1-> get ike cookie
IKEv1 SA -- Active: 1, Dead: 0, Total 1

1097182f/0006, 192.168.3.1:10952->192.168.1.1:500, PRESHR/grp1/DES/MD5, xchg(5) (Dialup-VPNGW/grp-1/usr2)
resent-tmr 322 lifetime 28800 lt-recv 86400 nxt_rekey 28773 cert-expire 0
responder, err cnt 0, send dir 1, cond 0xc0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 100
DPD seq local 0, peer 8842451

IKEv2 SA -- Active: 0, Dead: 0, Total 0
get sa
SSG-1-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000004< 192.168.3.1     500  esp: des/md5  4e601ddb 3567 unlim A/-     5 0
00000004> 192.168.3.1     500  esp: des/md5  643e9307 3567 unlim A/-    -1 0
get sa id
SSG-1-> get sa id 0x4
index 0, name Dialup-PH2, peer gateway ip 192.168.3.1. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<5> out:<-1> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 4, peer id 1, NSRP Local. dialup, original. site-to-site. Local interface is ethernet0/3 <192.168.1.1>.
esp, group 0, des encryption, md5 authentication
autokey, IN active, OUT active
monitor<0>, latency: 0, availability: 0
DF bit: clear
app_sa_flags: 0x2400033
proxy id: local 10.1.1.0/255.255.255.0, remote 10.1.1.20/255.255.255.255, proto 0, port 0/0
ike activity timestamp: 87547605
DSCP-mark : disabled
nat-traversal map not available
incoming: SPI 4e601ddb, flag 00004000, tunnel info 40000004, pipeline
  life 3600 sec, 3549 remain, 0 kb, 0 bytes remain
  anti-replay off, idle timeout value <0>, idled 51 seconds
  next pak sequence number: 0x0
  bytes/paks:1620/27; sw bytes/paks:1620/27
outgoing: SPI 643e9307, flag 00000000, tunnel info 40000004, pipeline
  life 3600 sec, 3549 remain, 0 kb, 0 bytes remain
  anti-replay off, idle timeout value <0>, idled 51 seconds
  next pak sequence number: 0x0
  bytes/paks:1620/27; sw bytes/paks:1620/27
get event
SSG-1-> get event
Total event entries = 3037
Date       Time     Module Level Type  Description
2014-12-12 02:12:06 system info  00536 IKE 192.168.3.1 Phase 2 msg ID 519fb6b9: Completed negotiations with SPI 4e601ddb, tunnel ID 4, and lifetime 3600 seconds/0 KB.
2014-12-12 02:12:06 system info  00536 IKE 192.168.3.1 phase 2:The symmetric crypto key has been generated successfully.
2014-12-12 02:12:06 system info  00536 IKE 192.168.3.1 Phase 2 msg ID 519fb6b9: Responded to the peer's first message.
2014-12-12 02:12:06 system info  00536 IKE 192.168.3.1: XAuth login was passed for gateway Dialup-VPNGW, username test-usr, retry: 0, Client IP Addr 10.1.1.20, IPPool name: Pool1, Session-Timeout: 0s, Idle-Timeout: 0s.
2014-12-12 02:12:06 system info  00536 IKE 192.168.3.1: Received initial contact notification and removed Phase 1 SAs.
2014-12-12 02:12:06 system info  00536 IKE 192.168.3.1 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2014-12-12 02:12:06 system info  00536 IKE 192.168.3.1 Phase 1: Completed for user test-usr.
2014-12-12 02:12:06 system info  00536 IKE 192.168.3.1: Received initial contact notification and removed Phase 2 SAs.
2014-12-12 02:12:06 system info  00536 IKE 192.168.3.1: Received a notification message for DOI 1 24578 INITIAL-CONTACT.
2014-12-12 02:12:06 system info  00536 IKE 192.168.3.1 phase 1:The symmetric crypto key has been generated successfully.
2014-12-12 02:12:06 system info  00536 IKE 192.168.3.1 Phase 1: Responder starts AGGRESSIVE mode negotiations.
NCP-e Client Profile
[GENERAL]
Export=1
Product=NCP Secure Client - Juniper Edition
Version=9.32 Build 218
Date=12/11/2014 3:34:09 PM

[PROFILE1]
Name=dialup-ssg
NotKeepVpn=0
BootProfile=0
ConnMode=0
Timeout=1000
PkiConfig=
ExchMode=4
IKE-Policy=Pre-shared Key
IkeDhGroup=1
IkeLTSec=001:00:00:00
IPSec-Policy=proposal
PFS=0
IPSecLTType=1
IpsecLTSec=000:08:00:00
IPSecLTKb=50000
IkeIdType=3
IkeIdStr=aman1@wipro.com
XAUTH-Id=":&#Thþ;þ4þ;"
XAUTH-Pw=":&#Tt\T"
Gateway=192.168.1.1
UseTunnel=0
UseXAUTH=1
DisDPD=0
DPDInterval=20
DPDRetrys=8
AntiReplay=0
IpAddrAssign=0
IPAddress=
SubnetMask=255.255.255.0
DNS1=0.0.0.0
DNS2=0.0.0.0
WINS1=0.0.0.0
WINS2=0.0.0.0
DomainName=
SubjectCert=
IssuerCert=
FingerPrint=
UseSHA1=0
DNSActiv=0
DNS1Tmp=0.0.0.0
DNS2Tmp=0.0.0.0
WINS1Tmp=0.0.0.0
WINS2Tmp=0.0.0.0
Secret="?qc"
UsePreShKey=1
Network1=10.1.1.0
SubMask1=255.255.255.0

[IKEPOLICY1]
IkeName=Pre-shared Key
IkeCrypt=1
IkeHash=1
IkeAuth=1
IkeDhGroup=2

[IPSECPOLICY1]
IPSecName=proposal
IpsecCrypt=1
IpsecAuth=1