Discussion:
[Vpn-help] Phase 1 ok; Phase 2 ok; but tunnel not ok
Hugues CHARBONNIER
2008-08-12 12:36:46 UTC
Hi, I am trying to use Shrew Soft VPN client v 2.0.3 to establish a VPN
link with a Fortigate 1000.
Phase 1 and 2 seem to be OK, but the client is blocked at the step
"Bringing up tunnel".

In the log file I have, in a loop:

DB : phase1 found
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 84 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : notification payload
== : informational hash_i ( computed ) ( 20 bytes )
== : informational hash_c ( received ) ( 20 bytes )
ii : informational hash verified
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - xx.xx.xx.xx:500 -> xx.xx.xx.xx:500
ii : - isakmp spi = 6e235cd7f56acf54:58b0c6e793740ce7
ii : - data size 4
ii : DPD ARE-YOU-THERE-ACK sequence edf25b5f accepted
ii : exchange packet resend limit exceeded
DB : config deleted ( config count 0 )
ii : sending peer DPDV1-R-U-THERE notification
ii : - xx.xx.xx.xx:500 -> xx.xx.xx.xx:500
ii : - isakmp spi = 6e235cd7f56acf54:58b0c6e793740ce7
ii : - data size 4
>> : hash payload
>> : notification payload
== : new informational hash ( 20 bytes )
== : new phase2 iv ( 8 bytes )
>= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 84 bytes )
== : stored iv ( 8 bytes )
-> : send IKE packet xx.xx.xx.xx:500 -> xx.xx.xx.xx:500 ( 112 bytes )
ii : DPD ARE-YOU-THERE sequence edf25b60 requested
<- : recv IKE packet xx.xx.xx.xx:500 -> xx.xx.xx.xx:500 ( 84 bytes )
DB : phase1 found
== : new phase2 iv ( 8 bytes )
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 84 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : notification payload
== : informational hash_i ( computed ) ( 20 bytes )
== : informational hash_c ( received ) ( 20 bytes )
ii : informational hash verified
ii : received peer DPDV1-R-U-THERE-ACK notification
ii : - xx.xx.xx.xx:500 -> xx.xx.xx.xx:500
ii : - isakmp spi = 6e235cd7f56acf54:58b0c6e793740ce7
ii : - data size 4
ii : DPD ARE-YOU-THERE-ACK sequence edf25b60 accepted

Matthew Grooms
2008-08-16 17:25:52 UTC
Post by Hugues CHARBONNIER
Hi, I am trying to use Shrew Soft VPN client v 2.0.3 to establish a VPN
link with a Fortigate 1000.
Phase 1 and 2 seem to be OK, but the client is blocked at the step
"Bringing up tunnel".

Hugues,

The Fortigate platform uses DHCP over IPsec for dynamic IPsec clients.
Please have a look at the following document ...

http://www.shrew.net/support/wiki/HowtoFortigate

You will need to use the 2.1.1 client as 2.0.x does not support DHCP
over IPsec configuration.

-Matthew
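
A triage sketch for the loop in the posted log, added here as an example (not code from Shrew Soft or from either poster): it pairs DPD requests with their ACKs and counts abandoned exchanges, which separates "the peer is reachable and the phase 1 SA works" from "a later exchange never completed". The function name `triage` and the sample lines are constructed for illustration, and reading the pattern as a provisioning problem is an assumption consistent with the reply above.

```python
import re

# Constructed sample: lines in the shape of the log posted above
# (addresses were already masked by the poster).
SAMPLE_LOG = """\
ii : DPD ARE-YOU-THERE-ACK sequence edf25b5f accepted
ii : exchange packet resend limit exceeded
DB : config deleted ( config count 0 )
ii : sending peer DPDV1-R-U-THERE notification
-> : send IKE packet xx.xx.xx.xx:500 -> xx.xx.xx.xx:500 ( 112 bytes )
ii : DPD ARE-YOU-THERE sequence edf25b60 requested
<- : recv IKE packet xx.xx.xx.xx:500 -> xx.xx.xx.xx:500 ( 84 bytes )
ii : DPD ARE-YOU-THERE-ACK sequence edf25b60 accepted
"""

DPD_RE = re.compile(
    r"DPD ARE-YOU-THERE(-ACK)? sequence ([0-9a-f]+) (requested|accepted)"
)

def triage(log_text):
    """Summarise an iked log: DPD health versus abandoned exchanges."""
    requested, accepted = set(), set()
    resend_exceeded = 0
    config_deleted = 0
    for line in log_text.splitlines():
        m = DPD_RE.search(line)
        if m:
            # group(1) is "-ACK" for replies from the peer, None for our probes
            (accepted if m.group(1) else requested).add(m.group(2))
        elif "resend limit exceeded" in line:
            resend_exceeded += 1
        elif line.startswith("DB : config deleted"):
            config_deleted += 1
    unanswered = requested - accepted
    peer_alive = bool(accepted) and not unanswered
    return {
        "dpd_acked": sorted(accepted),
        "dpd_unanswered": sorted(unanswered),
        "peer_alive": peer_alive,
        "resend_limit_exceeded": resend_exceeded,
        "config_deleted": config_deleted,
        # Assumption: a live peer plus an abandoned exchange points at
        # client provisioning rather than at proposals or keys.
        "stalled_after_phase1": peer_alive and resend_exceeded > 0,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```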