Discussion:
[vpn-help] invalid message from gateway
Libor Arndt
2010-02-27 10:46:32 UTC
Hello,

I successfully imported a pcf profile with 2.1.6 beta.
I imported the certificate (the same pfx file for server, client and private
key; I hope that's ok).
Unfortunately this is all I got:


config loaded for site 'Remote access to T-Mobile VPN for GNCS'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
invalid message from gateway
tunnel disabled
detached from key daemon ...

No log in trace utility.

Thanks in advance for any advice.

Libor Arndt
Libor Arndt
2010-02-27 12:30:17 UTC
Hello,

I set debug level in registry and got the log output, so again:


I successfully imported a pcf profile with 2.1.6 beta.
I imported the certificate (the same pfx file for server, client and private
key; I hope that's ok).
Unfortunately I got "invalid message from gateway".

IPSEC.log:

10/02/27 13:16:52 ## : IPSEC Daemon, ver 2.1.6
10/02/27 13:16:52 ## : Copyright 2009 Shrew Soft Inc.
10/02/27 13:16:52 ## : This product linked OpenSSL 0.9.8h 28 May 2008
10/02/27 13:16:52 ## : This product linked zlib v1.2.3
10/02/27 13:16:52 ii : network send process thread begin ...
10/02/27 13:16:52 ii : network recv process thread begin ...
10/02/27 13:16:52 ii : pfkey server process thread begin ...
10/02/27 13:16:52 ii : vflt recv device attached
10/02/27 13:16:52 ii : vflt send device attached
10/02/27 13:16:53 ii : pfkey client process thread begin ...
10/02/27 13:16:53 ii : pfkey client process thread begin ...
10/02/27 13:16:56 ii : inspecting ARP request ...
10/02/27 13:16:56 !! : ARP packet has invalid header
10/02/27 13:17:30 ii : inspecting ARP request ...
10/02/27 13:17:48 ii : inspecting ARP request ...
10/02/27 13:18:05 ii : inspecting ARP request ...

IKED.log:


10/02/27 13:16:47 ## : IKE Daemon, ver 2.1.6
10/02/27 13:16:47 ## : Copyright 2009 Shrew Soft Inc.
10/02/27 13:16:47 ## : This product linked OpenSSL 0.9.8h 28 May 2008
10/02/27 13:16:47 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
10/02/27 13:16:47 ii : rebuilding vnet device list ...
10/02/27 13:16:47 ii : device ROOT\VNET\0000 disabled
10/02/27 13:16:47 ii : network process thread begin ...
10/02/27 13:16:47 ii : pfkey process thread begin ...
10/02/27 13:16:47 ii : ipc server process thread begin ...
10/02/27 13:16:52 !! : unable to connect to pfkey interface
10/02/27 13:17:15 ii : ipc client process thread begin ...
10/02/27 13:17:15 <A : peer config add message
10/02/27 13:17:15 <A : proposal config message
10/02/27 13:17:15 <A : proposal config message
10/02/27 13:17:15 <A : client config message
10/02/27 13:17:15 <A : xauth username message
10/02/27 13:17:15 <A : xauth password message
10/02/27 13:17:15 <A : remote cert 'D:\certifikaty gncs\gncs_new.pfx' message
10/02/27 13:17:15 !! : 'D:\certifikaty gncs\gncs_new.pfx' load failed, requesting password
10/02/27 13:17:30 <A : file password
10/02/27 13:17:30 <A : remote cert 'D:\certifikaty gncs\gncs_new.pfx' message
10/02/27 13:17:30 <A : local cert 'D:\certifikaty gncs\gncs_new.pfx' message
10/02/27 13:17:30 <A : local key 'D:\certifikaty gncs\gncs_new.pfx' message
10/02/27 13:17:30 <A : peer tunnel enable message
10/02/27 13:17:30 ii : local supports XAUTH
10/02/27 13:17:30 ii : local supports nat-t ( draft v00 )
10/02/27 13:17:30 ii : local supports nat-t ( draft v01 )
10/02/27 13:17:30 ii : local supports nat-t ( draft v02 )
10/02/27 13:17:30 ii : local supports nat-t ( draft v03 )
10/02/27 13:17:30 ii : local supports nat-t ( rfc )
10/02/27 13:17:30 ii : local supports DPDv1
10/02/27 13:17:30 ii : local is SHREW SOFT compatible
10/02/27 13:17:30 ii : local is NETSCREEN compatible
10/02/27 13:17:30 ii : local is SIDEWINDER compatible
10/02/27 13:17:30 ii : local is CISCO UNITY compatible
10/02/27 13:17:30 >= : cookies dd5895241fbc3554:0000000000000000
10/02/27 13:17:30 >= : message 00000000
10/02/27 13:17:30 ii : processing phase1 packet ( 128 bytes )
10/02/27 13:17:30 =< : cookies dd5895241fbc3554:d3aab0972360e1c8
10/02/27 13:17:30 =< : message 00000000
10/02/27 13:17:30 ii : matched isakmp proposal #1 transform #68
10/02/27 13:17:30 ii : - transform = ike
10/02/27 13:17:30 ii : - cipher type = 3des
10/02/27 13:17:30 ii : - key length = default
10/02/27 13:17:30 ii : - hash type = sha1
10/02/27 13:17:30 ii : - dh group = modp-1536
10/02/27 13:17:30 ii : - auth type = xauth-initiator-rsa
10/02/27 13:17:30 ii : - life seconds = 86400
10/02/27 13:17:30 ii : - life kbytes = 0
10/02/27 13:17:30 ii : peer supports nat-t ( draft v02 )
10/02/27 13:17:30 >= : cookies dd5895241fbc3554:d3aab0972360e1c8
10/02/27 13:17:30 >= : message 00000000
10/02/27 13:17:30 ii : processing phase1 packet ( 1472 bytes )
10/02/27 13:17:30 =< : cookies dd5895241fbc3554:d3aab0972360e1c8
10/02/27 13:17:30 =< : message 00000000
10/02/27 13:17:30 !! : unprocessed payload data
10/02/27 13:17:30 !! : invalid certificate request size ( 42028 > 4096 )
10/02/27 13:17:30 !! : unprocessed payload data
10/02/27 13:17:30 ii : phase1 removal before expire time
10/02/27 13:17:30 ww : ike packet from 62.141.6.250 ignored, unknown phase1 sa for peer
10/02/27 13:17:30 ww : dd5895241fbc3554:d3aab0972360e1c8
10/02/27 13:17:30 DB : removing tunnel config references
10/02/27 13:17:30 DB : removing tunnel phase2 references
10/02/27 13:17:30 DB : removing tunnel phase1 references
10/02/27 13:17:30 DB : removing all peer tunnel refrences
10/02/27 13:17:30 ii : ipc client process thread exit ...



Thanks in advance for any advice.

Libor Arndt
Stefan Bauer
2010-03-02 19:51:24 UTC
Post by Libor Arndt
Hello,
I successfully imported a pcf profile with 2.1.6 beta.
I imported the certificate (the same pfx file for server, client and private
key; I hope that's ok).
Unfortunately I got "invalid message from gateway".
10/02/27 13:17:30 ii : processing phase1 packet ( 1472 bytes )
10/02/27 13:17:30 =< : cookies dd5895241fbc3554:d3aab0972360e1c8
10/02/27 13:17:30 =< : message 00000000
10/02/27 13:17:30 !! : unprocessed payload data
10/02/27 13:17:30 !! : invalid certificate request size ( 42028 > 4096 )
It looks like your certificate is broken. It should be 4096 big but
it is 42028? Try to replace that/reimport it.

Stefan
--
Stefan Bauer -----------------------------------------
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
-------- plzk.de - Linux - because it works ----------
Matthew Grooms
2010-03-04 04:59:35 UTC
Post by Libor Arndt
Hello,
I successfully imported a pcf profile with 2.1.6 beta.
I imported the certificate (the same pfx file for server, client and private
key; I hope that's ok).
Unfortunately I got "invalid message from gateway".
...
Post by Libor Arndt
10/02/27 13:17:30 ii : processing phase1 packet ( 1472 bytes )
10/02/27 13:17:30 =< : cookies dd5895241fbc3554:d3aab0972360e1c8
10/02/27 13:17:30 =< : message 00000000
10/02/27 13:17:30 !! : unprocessed payload data
10/02/27 13:17:30 !! : invalid certificate request size ( 42028 > 4096 )
10/02/27 13:17:30 !! : unprocessed payload data
10/02/27 13:17:30 ii : phase1 removal before expire time
10/02/27 13:17:30 ww : ike packet from 62.141.6.250 ignored, unknown phase1 sa for peer
10/02/27 13:17:30 ww : dd5895241fbc3554:d3aab0972360e1c8
10/02/27 13:17:30 DB : removing tunnel config references
10/02/27 13:17:30 DB : removing tunnel phase2 references
10/02/27 13:17:30 DB : removing tunnel phase1 references
10/02/27 13:17:30 DB : removing all peer tunnel refrences
10/02/27 13:17:30 ii : ipc client process thread exit ...
Your certificate request size is 42k? That doesn't sound right. Please
forward me the decrypted IKE packet dump in a private email and I'll
take a look at it.

-Matthew
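The two "!!" lines both Stefan and Matthew quote are the client's payload parser refusing to trust a length field: a Certificate Request payload that claims to be 42028 bytes long inside a packet of which only 1472 bytes were received (1472 is also the largest UDP payload an unfragmented 1500-byte Ethernet frame carries). As an added example, not Shrew Soft's code and not from this thread, here is a minimal ISAKMP (IKEv1) payload-chain walker in Python that applies the two checks such a parser needs, "the payload fits in the bytes actually received" and a per-type cap, to constructed packets. The cookies, the 1472-byte size and the 42028 value and the 4096 cap for CR are taken from the log; the exchange type, payload contents and the CERT cap are this example's assumptions.

```python
"""Walk the payload chain of an IKEv1 (ISAKMP) phase 1 packet, refusing to
trust any payload length that does not fit the bytes actually received.

Added example; not Shrew Soft code. The sample packets are constructed:
they reuse the cookies and the 1472-byte size from the iked.log above and
declare a Certificate Request payload length of 42028 (the log's value).
"""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 s3.1: cookies, next payload,
                                           # version, exchange, flags, msg id, length
PAYLOAD_HDR = struct.Struct("!BBH")        # RFC 2408 s3.2: next payload, reserved, length
HDR_LEN = ISAKMP_HDR.size                  # 28 bytes
EXCH_IDENTITY_PROTECTION = 2               # main mode (assumed for the sample)

PAYLOAD_NAMES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}

# Per-type caps applied on top of "fits in the packet". 4096 for CR (type 7)
# is the limit the log reports; the CERT cap is this example's own choice.
MAX_PAYLOAD_LEN = {7: 4096, 6: 8192}


class PayloadError(ValueError):
    """Raised for any length field that would make the parser read out of bounds."""


def walk_payloads(packet):
    """Return [(payload_name, body_bytes), ...] or raise PayloadError."""
    if len(packet) < HDR_LEN:
        raise PayloadError("packet shorter than ISAKMP header")
    _ic, _rc, next_pl, _ver, _exch, _flags, _msgid, length = ISAKMP_HDR.unpack_from(packet, 0)
    if length != len(packet):
        raise PayloadError(f"header length {length} != received {len(packet)}")
    payloads, offset = [], HDR_LEN
    while next_pl != 0:
        if offset + PAYLOAD_HDR.size > len(packet):
            raise PayloadError(f"payload header at offset {offset} runs past end of packet")
        following, _reserved, pl_len = PAYLOAD_HDR.unpack_from(packet, offset)
        name = PAYLOAD_NAMES.get(next_pl, f"unknown ({next_pl})")
        if pl_len < PAYLOAD_HDR.size:
            raise PayloadError(f"{name} length {pl_len} smaller than its own header")
        if offset + pl_len > len(packet):      # the check the 42028 case trips
            raise PayloadError(f"{name} length {pl_len} exceeds the {len(packet) - offset} bytes left")
        cap = MAX_PAYLOAD_LEN.get(next_pl)
        if cap is not None and pl_len > cap:   # the "( 42028 > 4096 )" style cap
            raise PayloadError(f"invalid {name} size ( {pl_len} > {cap} )")
        payloads.append((name, packet[offset + PAYLOAD_HDR.size:offset + pl_len]))
        offset += pl_len
        next_pl = following
    if offset != len(packet):
        raise PayloadError(f"{len(packet) - offset} trailing bytes after last payload")
    return payloads


def inspect(packet):
    """('ok', [names]) for a well-formed chain, ('rejected', reason) otherwise."""
    try:
        return "ok", [name for name, _ in walk_payloads(packet)]
    except PayloadError as e:
        return "rejected", str(e)


def build_packet(payloads, icookie, rcookie, exch=EXCH_IDENTITY_PROTECTION):
    """Serialize [(type, body, declared_len or None)] behind an ISAKMP header.
    A non-None declared_len lets a test packet lie about its payload length."""
    chain = b""
    for i, (_ptype, body, declared) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += PAYLOAD_HDR.pack(following, 0, declared or PAYLOAD_HDR.size + len(body)) + body
    return ISAKMP_HDR.pack(icookie, rcookie, payloads[0][0], 0x10, exch, 0, 0,
                           HDR_LEN + len(chain)) + chain


IC = bytes.fromhex("dd5895241fbc3554")  # cookies from the log
RC = bytes.fromhex("d3aab0972360e1c8")
KE = b"\x11" * 192                      # placeholder modp-1536 public value (192 bytes)
NONCE = b"\x22" * 20

# Honest main mode message: KE, NONCE, CR (cert encoding 4 = X.509 signature, then a CA DN).
GOOD_PACKET = build_packet([(4, KE, None), (10, NONCE, None),
                            (7, b"\x04" + b"\x33" * 60, None)], IC, RC)

# 1472-byte packet whose CR claims 42028 bytes: 28 + 196 + 24 + 1224 = 1472.
BAD_PACKET = build_packet([(4, KE, None), (10, NONCE, None),
                           (7, b"\x04" + b"\x00" * 1219, 42028)], IC, RC)

if __name__ == "__main__":
    print(inspect(GOOD_PACKET))
    print(inspect(BAD_PACKET))
```

The fits-in-packet check is the one that protects memory; the per-type cap is the one that produces a message shaped like the log's. Either rejection tears down the half-built phase 1 SA, which is why the following packet from 62.141.6.250 is logged as "unknown phase1 sa for peer".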
Libor Arndt
2010-03-04 07:59:37 UTC
Hi Stefan,

many thanks for the reply.
The certificate is definitely not broken; I use it with the Cisco client on 32-bit
Vista.
The problem may be the import.
I do not understand why I have to import a server certificate, client certificate and
private key, and whether that is correct or not.
In the npc client I imported the same certificate only once and it worked from
the start.

I reimported the pcf file and the "invalid message" problem persists, but the log is
different:


10/03/04 08:43:58 ## : IKE Daemon, ver 2.1.6
10/03/04 08:43:58 ## : Copyright 2009 Shrew Soft Inc.
10/03/04 08:43:58 ## : This product linked OpenSSL 0.9.8h 28 May 2008
10/03/04 08:43:58 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
10/03/04 08:43:58 ii : rebuilding vnet device list ...
10/03/04 08:43:58 ii : device ROOT\VNET\0000 disabled
10/03/04 08:43:58 ii : network process thread begin ...
10/03/04 08:43:58 ii : pfkey process thread begin ...
10/03/04 08:43:58 ii : ipc server process thread begin ...
10/03/04 08:44:33 ii : ipc client process thread begin ...
10/03/04 08:44:33 <A : peer config add message
10/03/04 08:44:33 <A : proposal config message
10/03/04 08:44:33 <A : proposal config message
10/03/04 08:44:33 <A : client config message
10/03/04 08:44:33 <A : xauth username message
10/03/04 08:44:33 <A : xauth password message
10/03/04 08:44:33 <A : remote cert 'C:\Users\Libor Arndt\Documents\Shrew Soft VPN\certs\gncs_new.pfx' message
10/03/04 08:44:33 !! : 'C:\Users\Libor Arndt\Documents\Shrew Soft VPN\certs\gncs_new.pfx' load failed, requesting password
10/03/04 08:44:41 <A : file password
10/03/04 08:44:41 <A : remote cert 'C:\Users\Libor Arndt\Documents\Shrew Soft VPN\certs\gncs_new.pfx' message
10/03/04 08:44:41 <A : local cert 'C:\Users\Libor Arndt\Documents\Shrew Soft VPN\certs\gncs_new.pfx' message
10/03/04 08:44:41 <A : local key 'C:\Users\Libor Arndt\Documents\Shrew Soft VPN\certs\gncs_new.pfx' message
10/03/04 08:44:41 <A : peer tunnel enable message
10/03/04 08:44:41 ii : local supports XAUTH
10/03/04 08:44:41 ii : local supports nat-t ( draft v00 )
10/03/04 08:44:41 ii : local supports nat-t ( draft v01 )
10/03/04 08:44:41 ii : local supports nat-t ( draft v02 )
10/03/04 08:44:41 ii : local supports nat-t ( draft v03 )
10/03/04 08:44:41 ii : local supports nat-t ( rfc )
10/03/04 08:44:41 ii : local supports DPDv1
10/03/04 08:44:41 ii : local is SHREW SOFT compatible
10/03/04 08:44:41 ii : local is NETSCREEN compatible
10/03/04 08:44:41 ii : local is SIDEWINDER compatible
10/03/04 08:44:41 ii : local is CISCO UNITY compatible
10/03/04 08:44:41 >= : cookies c89db27fd0a150f4:0000000000000000
10/03/04 08:44:41 >= : message 00000000
10/03/04 08:44:41 ii : processing phase1 packet ( 1472 bytes )
10/03/04 08:44:41 =< : cookies c89db27fd0a150f4:d4fbd4db89f645e1
10/03/04 08:44:41 =< : message 00000000
10/03/04 08:44:41 ii : matched isakmp proposal #1 transform #13
10/03/04 08:44:41 ii : - transform = ike
10/03/04 08:44:41 ii : - cipher type = 3des
10/03/04 08:44:41 ii : - key length = default
10/03/04 08:44:41 ii : - hash type = md5
10/03/04 08:44:41 ii : - dh group = modp-1024
10/03/04 08:44:41 ii : - auth type = xauth-initiator-rsa
10/03/04 08:44:41 ii : - life seconds = 86400
10/03/04 08:44:41 ii : - life kbytes = 0
10/03/04 08:44:41 ii : phase1 id target is any
10/03/04 08:44:41 ii : phase1 id match
10/03/04 08:44:41 ii : received = asn1-dn C=CZ,ST=Czech Republic,L=Prague,O=Radiomobil a.s.,OU=IT Security,CN=vpngw2.t-mobile.cz
10/03/04 08:44:41 !! : unprocessed payload data
10/03/04 08:44:41 !! : unprocessed payload data
10/03/04 08:44:41 !! : unhandled phase1 payload 'unknown' ( 48 )
10/03/04 08:44:41 !! : unprocessed payload data
10/03/04 08:44:41 ii : phase1 removal before expire time
10/03/04 08:44:41 ww : ike packet from 62.141.6.250 ignored, unknown phase1 sa for peer
10/03/04 08:44:41 ww : 8201010058d64d45:bdff0578d7a2c435
10/03/04 08:44:41 ww : ike packet from 62.141.6.250 ignored, unknown phase1 sa for peer
10/03/04 08:44:41 ww : c89db27fd0a150f4:d4fbd4db89f645e1
10/03/04 08:44:41 DB : removing tunnel config references
10/03/04 08:44:41 DB : removing tunnel phase2 references
10/03/04 08:44:41 DB : removing tunnel phase1 references
10/03/04 08:44:41 DB : removing all peer tunnel refrences
10/03/04 08:44:41 ii : ipc client process thread exit ...

Thanks for any help.

Libor
(I'm inserting the log at INFORMATIONAL level to avoid long posts; if DEBUG
level is preferred, please let me know.)
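This second log gets one step further than the first: the client decodes the gateway's Identification payload ("received = asn1-dn C=CZ,...,CN=vpngw2.t-mobile.cz") and accepts it because the profile has "phase1 id target is any", so the peer's identity is bound only by the certificate chain check against the configured CA, not by a pinned name. As an added example, not Shrew Soft's code and not from this thread, here is a Python decoder for an ID_DER_ASN1_DN identification payload that renders the DN the way iked prints it and optionally pins it to an expected value; with no expected value it behaves like "id target is any". The DN is the one from the log; its DER bytes are constructed inline with a small encoder, and the single-valued RDNs and UTF8String values are this example's assumptions.

```python
"""Decode the ID_DER_ASN1_DN identity from an ISAKMP Identification payload
and optionally pin it to an expected distinguished name.

Added example; not Shrew Soft code. The DN is the one the log shows for
vpngw2.t-mobile.cz; its DER bytes are constructed here with a minimal
encoder so the example runs offline.
"""
import struct

ID_DER_ASN1_DN = 9  # IPsec DOI identification type, RFC 2407 s4.6.2.1
OID_TO_SHORT = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L",
                "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}
SHORT_TO_OID = {v: k for k, v in OID_TO_SHORT.items()}


def der_len(n):
    """DER length octets: short form below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        enc = [a & 0x7F]
        a >>= 7
        while a:
            enc.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(enc)
    return der_tlv(0x06, bytes(out))


def encode_dn(pairs):
    """X.501 Name: SEQUENCE of SET of SEQUENCE { OID, UTF8String }."""
    return der_tlv(0x30, b"".join(
        der_tlv(0x31, der_tlv(0x30, der_oid(SHORT_TO_OID[k]) + der_tlv(0x0C, v.encode())))
        for k, v in pairs))


def read_tlv(buf, pos):
    """Parse one DER TLV at pos -> (tag, body, next_pos); rejects truncated elements."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + ln > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_dn(der):
    """Render a DER Name as iked prints it (C=CZ,ST=...,CN=...). Multi-valued RDNs
    are joined with '+'; values are assumed UTF8String/PrintableString."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Name must be exactly one SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        atvs, p = [], 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)
            _, oid, q = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, q)
            oid_s = decode_oid(oid)
            atvs.append(f"{OID_TO_SHORT.get(oid_s, oid_s)}={value.decode()}")
        rdns.append("+".join(atvs))
    return ",".join(rdns)


def check_peer_id(id_body, expected_dn=None):
    """Parse an Identification payload body (RFC 2407 s4.6.2: type, proto, port, data).
    expected_dn=None reproduces 'phase1 id target is any'; otherwise the DN is pinned."""
    if len(id_body) < 4:
        raise ValueError("ID payload shorter than its fixed fields")
    id_type, _proto, _port = struct.unpack("!BBH", id_body[:4])
    if id_type != ID_DER_ASN1_DN:
        raise ValueError(f"unexpected ID type {id_type}")
    dn = decode_dn(id_body[4:])
    if expected_dn is not None and dn != expected_dn:
        raise ValueError(f"peer ID {dn!r} does not match {expected_dn!r}")
    return dn


def peer_id_matches(id_body, expected_dn):
    try:
        check_peer_id(id_body, expected_dn)
        return True
    except ValueError:
        return False


LOGGED_DN = [("C", "CZ"), ("ST", "Czech Republic"), ("L", "Prague"),
             ("O", "Radiomobil a.s."), ("OU", "IT Security"), ("CN", "vpngw2.t-mobile.cz")]
SAMPLE_ID_PAYLOAD = struct.pack("!BBH", ID_DER_ASN1_DN, 0, 0) + encode_dn(LOGGED_DN)

if __name__ == "__main__":
    print(check_peer_id(SAMPLE_ID_PAYLOAD))
```

Every DER length is checked against the remaining buffer before it is used, for the same reason as the ISAKMP payload lengths: the ID payload is attacker-controlled input that arrives before the peer has authenticated itself.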
Stefan Bauer
2010-03-04 08:44:46 UTC
Post by Libor Arndt
Hi Stefan,
many thanks for the reply.
The certificate is definitely not broken; I use it with the Cisco client on 32-bit
Vista.
The problem may be the import.
I do not understand why I have to import a server certificate, client certificate and
private key, and whether that is correct or not.
In the npc client I imported the same certificate only once and it worked from
the start.
I reimported the pcf file and the "invalid message" problem persists, but the log is
10/03/04 08:43:58 ## : IKE Daemon, ver 2.1.6
10/03/04 08:43:58 ## : Copyright 2009 Shrew Soft Inc.
10/03/04 08:43:58 ## : This product linked OpenSSL 0.9.8h 28 May 2008
10/03/04 08:43:58 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
10/03/04 08:43:58 ii : rebuilding vnet device list ...
10/03/04 08:43:58 ii : device ROOT\VNET\0000 disabled
10/03/04 08:43:58 ii : network process thread begin ...
10/03/04 08:43:58 ii : pfkey process thread begin ...
10/03/04 08:43:58 ii : ipc server process thread begin ...
10/03/04 08:44:33 ii : ipc client process thread begin ...
10/03/04 08:44:33 <A : peer config add message
10/03/04 08:44:33 <A : proposal config message
10/03/04 08:44:33 <A : proposal config message
10/03/04 08:44:33 <A : client config message
10/03/04 08:44:33 <A : xauth username message
10/03/04 08:44:33 <A : xauth password message
10/03/04 08:44:33 <A : remote cert 'C:\Users\Libor Arndt\Documents\Shrew Soft VPN\certs\gncs_new.pfx' message
10/03/04 08:44:33 !! : 'C:\Users\Libor Arndt\Documents\Shrew Soft VPN\certs\gncs_new.pfx' load failed, requesting password
Here we go. The certificate is key protected. Unfortunately I'm not
familiar with the way Cisco provides the certificates and how to
export the different parts. In the best case it's just an OpenSSL-
generated cert and can be exported with OpenSSL as well. Probably
that is what the Shrew client is trying to achieve.

Stefan
--
Stefan Bauer -----------------------------------------
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
-------- plzk.de - Linux - because it works ----------
Stefan Bauer
2010-03-04 08:44:46 UTC
Permalink
Post by Libor Arndt
Hi Stefan,
many thanks for the reply.
Certificate is definitely not broken. I use it with Cisco client on 32 bit
Vista.
Problem may be importing.
I don not understand why I have to import server certificate, client and
private key and if it's correct or not.
In npc client I imported the same certificate only once and it worked from
the start.
I reimported the pcf file and invalid message problem persists, but log is
10/03/04 08:43:58 ## : IKE Daemon, ver 2.1.6
10/03/04 08:43:58 ## : Copyright 2009 Shrew Soft Inc.
10/03/04 08:43:58 ## : This product linked OpenSSL 0.9.8h 28 May 2008
10/03/04 08:43:58 ii : opened 'C:\Program Files\ShrewSoft\VPN
Client\debug\iked.log'
10/03/04 08:43:58 ii : rebuilding vnet device list ...
10/03/04 08:43:58 ii : device ROOT\VNET\0000 disabled
10/03/04 08:43:58 ii : network process thread begin ...
10/03/04 08:43:58 ii : pfkey process thread begin ...
10/03/04 08:43:58 ii : ipc server process thread begin ...
10/03/04 08:44:33 ii : ipc client process thread begin ...
10/03/04 08:44:33 <A : peer config add message
10/03/04 08:44:33 <A : proposal config message
10/03/04 08:44:33 <A : proposal config message
10/03/04 08:44:33 <A : client config message
10/03/04 08:44:33 <A : xauth username message
10/03/04 08:44:33 <A : xauth password message
10/03/04 08:44:33 <A : remote cert 'C:\Users\Libor Arndt\Documents\Shrew
Soft VPN\certs\gncs_new.pfx' message
10/03/04 08:44:33 !! : 'C:\Users\Libor Arndt\Documents\Shrew Soft
VPN\certs\gncs_new.pfx' load failed, requesting password
Here we go. The certificate is key protected. Unfortunately i'm not
familiar with the way cisco provides the certificates and howto
export different parts. In the best case it's just an openssl
generated cert and can be exported with openssl as well. Probably
that is what the shrew client is trying to achieve.

Stefan
--
Stefan Bauer -----------------------------------------
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
-------- plzk.de - Linux - because it works ----------
Libor Arndt
2010-03-06 07:04:01 UTC
Permalink
Post by Stefan Bauer
Here we go. The certificate is key protected. Unfortunately I'm not
familiar with the way Cisco provides the certificates and how to
export different parts. In the best case it's just an openssl
generated cert and can be exported with openssl as well. Probably
that is what the Shrew client is trying to achieve.
Thanks for the reply. But am I doing something wrong, or is there some lack
of functionality in the Shrew client and nothing can be done about it?
I tried another non-Cisco VPN client, NCP Secure Entry Client, which accepted
the same certificate and worked without any problems.
So the certificate can be used in non-Cisco clients.
The difference is that I imported the certificate to the NCP client only
once, but I have to import the certificate three times to the Shrew client:
server, client and private key certificate.

Am I supposed to alter the certificate in some way to be accepted by the
Shrew client, or should I just give up on the Shrew client?

thanks in advance for the reply
Stefan Bauer
2010-03-06 10:55:01 UTC
Permalink
Post by Libor Arndt
Post by Stefan Bauer
Here we go. The certificate is key protected. Unfortunately I'm not
familiar with the way Cisco provides the certificates and how to
export different parts. In the best case it's just an openssl
generated cert and can be exported with openssl as well. Probably
that is what the Shrew client is trying to achieve.
Thanks for the reply. But am I doing something wrong, or is there some lack
of functionality in the Shrew client and nothing can be done about it?
I tried another non-Cisco VPN client, NCP Secure Entry Client, which accepted
the same certificate and worked without any problems.
So the certificate can be used in non-Cisco clients.
The difference is that I imported the certificate to the NCP client only
once, but I have to import the certificate three times to the Shrew client:
server, client and private key certificate.
This .pfx file is most likely a PKCS#12 certificate container, with
the cert of the Root-CA, your client cert and your client key in it.
Obviously it is key-protected. I have no way to verify that, due to
lack of Cisco hardware, but it looks like that.

After importing your cert in the client and hitting connect, did you
get prompted for a password to unlock the cert?

It's like "Password for gncs_new.pfx - please enter the Password".

If I enter a wrong password at this time, the error message is
exactly like yours:

load failed, requesting password

Stefan
--
Stefan Bauer -----------------------------------------
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
-------- plzk.de - Linux - because it works ----------
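Stefan's description above (a PKCS#12 container holding the Root CA cert, the client cert and the client key, protected by one password) can be checked and acted on with the openssl CLI he mentions. The script below is an added example, not code from this thread or from Shrew Soft: it generates a throwaway CA and client certificate (constructed test data, not the T-Mobile material), packs them the way such a .pfx is built, then splits the bundle into the three PEM files that the Shrew client's "server cert", "client cert" and "client key" fields expect, and verifies that the pieces belong together. The file names, subject names, function names and the password are assumptions; the openssl commands are standard.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shrew Soft: build a
# throwaway PKCS#12 bundle of the kind discussed above, split it into the
# three items the Shrew client asks for (CA cert for "server cert", client
# cert, client key) and check that they belong together.
# Needs the openssl CLI (1.1.x or 3.x). Everything is written to a temp dir.
set -eu
umask 077                                   # extracted key must not be world-readable

WORK=$(mktemp -d)
PASS='constructed-example-password'         # assumption: the export password

# make_bundle: constructed test data, NOT the certificate from the thread.
# Creates a self-signed CA and a client cert signed by it, then exports
# client cert + client key + CA cert as one password-protected PKCS#12 file.
# PBE-SHA1-3DES and a SHA-1 MAC are forced because OpenSSL 3 defaults to
# AES/PBKDF2, which an OpenSSL 0.9.8-era client (Shrew 2.1.6) cannot read.
make_bundle() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=Example Root CA' -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj '/CN=example-user' \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/user.pem" 2>/dev/null
    # the -in cert gets a localKeyID (it is the "client cert"); -certfile
    # certs get none, which is how -clcerts / -cacerts tell them apart later
    openssl pkcs12 -export -in "$WORK/user.pem" -inkey "$WORK/user.key" \
        -certfile "$WORK/ca.pem" -name 'example-user' \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$PASS" -out "$WORK/bundle.pfx"
    echo "$WORK/bundle.pfx"
}

# split_bundle PFX PASS OUTDIR: extract what the Shrew "server cert",
# "client cert" and "client key" fields expect, as PEM. A wrong password
# makes openssl exit non-zero; iked reports the same condition as
# "load failed, requesting password".
split_bundle() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/ca.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/client.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/client.key"
}

# check_bundle OUTDIR: the client cert must chain to the CA and the key must
# match the cert's public key. Prints "ok" on success, returns 1 otherwise.
check_bundle() {
    openssl verify -CAfile "$1/ca.pem" "$1/client.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1/client.pem" -pubkey -noout)
    key_pub=$(openssl pkey -in "$1/client.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    echo ok
}

# wrong_password_fails PFX: succeeds when openssl refuses to open the bundle
# with a bad password, the failure mode Stefan describes.
wrong_password_fails() {
    ! openssl pkcs12 -in "$1" -passin 'pass:not-the-password' -nokeys -out /dev/null 2>/dev/null
}

PFX=$(make_bundle)
OUT="$WORK/split"
mkdir -p "$OUT"
split_bundle "$PFX" "$PASS" "$OUT"
check_bundle "$OUT"
if wrong_password_fails "$PFX"; then echo 'bad password rejected'; fi
```

With a real bundle only split_bundle and check_bundle are needed; `openssl pkcs12 -in file.pfx -info -nokeys` additionally prints which PBE algorithms the container uses, which is worth checking when a client linked against an old OpenSSL cannot open a file a newer tool exported. The extracted client.key is unencrypted on disk, so keep the restrictive umask and delete it once the client has imported it.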
Libor Arndt
2010-03-04 07:59:37 UTC
Permalink
Hi Stefan,

many thanks for the reply.
Certificate is definitely not broken. I use it with Cisco client on 32 bit
Vista.
Problem may be importing.
I do not understand why I have to import server certificate, client and
private key and if it's correct or not.
In NCP client I imported the same certificate only once and it worked from
the start.

I reimported the pcf file and invalid message problem persists, but log is
different:


10/03/04 08:43:58 ## : IKE Daemon, ver 2.1.6
10/03/04 08:43:58 ## : Copyright 2009 Shrew Soft Inc.
10/03/04 08:43:58 ## : This product linked OpenSSL 0.9.8h 28 May 2008
10/03/04 08:43:58 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
10/03/04 08:43:58 ii : rebuilding vnet device list ...
10/03/04 08:43:58 ii : device ROOT\VNET\0000 disabled
10/03/04 08:43:58 ii : network process thread begin ...
10/03/04 08:43:58 ii : pfkey process thread begin ...
10/03/04 08:43:58 ii : ipc server process thread begin ...
10/03/04 08:44:33 ii : ipc client process thread begin ...
10/03/04 08:44:33 <A : peer config add message
10/03/04 08:44:33 <A : proposal config message
10/03/04 08:44:33 <A : proposal config message
10/03/04 08:44:33 <A : client config message
10/03/04 08:44:33 <A : xauth username message
10/03/04 08:44:33 <A : xauth password message
10/03/04 08:44:33 <A : remote cert 'C:\Users\Libor Arndt\Documents\Shrew Soft VPN\certs\gncs_new.pfx' message
10/03/04 08:44:33 !! : 'C:\Users\Libor Arndt\Documents\Shrew Soft VPN\certs\gncs_new.pfx' load failed, requesting password
10/03/04 08:44:41 <A : file password
10/03/04 08:44:41 <A : remote cert 'C:\Users\Libor Arndt\Documents\Shrew Soft VPN\certs\gncs_new.pfx' message
10/03/04 08:44:41 <A : local cert 'C:\Users\Libor Arndt\Documents\Shrew Soft VPN\certs\gncs_new.pfx' message
10/03/04 08:44:41 <A : local key 'C:\Users\Libor Arndt\Documents\Shrew Soft VPN\certs\gncs_new.pfx' message
10/03/04 08:44:41 <A : peer tunnel enable message
10/03/04 08:44:41 ii : local supports XAUTH
10/03/04 08:44:41 ii : local supports nat-t ( draft v00 )
10/03/04 08:44:41 ii : local supports nat-t ( draft v01 )
10/03/04 08:44:41 ii : local supports nat-t ( draft v02 )
10/03/04 08:44:41 ii : local supports nat-t ( draft v03 )
10/03/04 08:44:41 ii : local supports nat-t ( rfc )
10/03/04 08:44:41 ii : local supports DPDv1
10/03/04 08:44:41 ii : local is SHREW SOFT compatible
10/03/04 08:44:41 ii : local is NETSCREEN compatible
10/03/04 08:44:41 ii : local is SIDEWINDER compatible
10/03/04 08:44:41 ii : local is CISCO UNITY compatible
10/03/04 08:44:41 >= : cookies c89db27fd0a150f4:0000000000000000
10/03/04 08:44:41 >= : message 00000000
10/03/04 08:44:41 ii : processing phase1 packet ( 1472 bytes )
10/03/04 08:44:41 =< : cookies c89db27fd0a150f4:d4fbd4db89f645e1
10/03/04 08:44:41 =< : message 00000000
10/03/04 08:44:41 ii : matched isakmp proposal #1 transform #13
10/03/04 08:44:41 ii : - transform = ike
10/03/04 08:44:41 ii : - cipher type = 3des
10/03/04 08:44:41 ii : - key length = default
10/03/04 08:44:41 ii : - hash type = md5
10/03/04 08:44:41 ii : - dh group = modp-1024
10/03/04 08:44:41 ii : - auth type = xauth-initiator-rsa
10/03/04 08:44:41 ii : - life seconds = 86400
10/03/04 08:44:41 ii : - life kbytes = 0
10/03/04 08:44:41 ii : phase1 id target is any
10/03/04 08:44:41 ii : phase1 id match
10/03/04 08:44:41 ii : received = asn1-dn C=CZ,ST=Czech Republic,L=Prague,O=Radiomobil a.s.,OU=IT Security,CN=vpngw2.t-mobile.cz
10/03/04 08:44:41 !! : unprocessed payload data
10/03/04 08:44:41 !! : unprocessed payload data
10/03/04 08:44:41 !! : unhandled phase1 payload 'unknown' ( 48 )
10/03/04 08:44:41 !! : unprocessed payload data
10/03/04 08:44:41 ii : phase1 removal before expire time
10/03/04 08:44:41 ww : ike packet from 62.141.6.250 ignored, unknown phase1 sa for peer
10/03/04 08:44:41 ww : 8201010058d64d45:bdff0578d7a2c435
10/03/04 08:44:41 ww : ike packet from 62.141.6.250 ignored, unknown phase1 sa for peer
10/03/04 08:44:41 ww : c89db27fd0a150f4:d4fbd4db89f645e1
10/03/04 08:44:41 DB : removing tunnel config references
10/03/04 08:44:41 DB : removing tunnel phase2 references
10/03/04 08:44:41 DB : removing tunnel phase1 references
10/03/04 08:44:41 DB : removing all peer tunnel refrences
10/03/04 08:44:41 ii : ipc client process thread exit ...

Thanks for any help.

Libor
(I'm inserting the log with INFORMATIONAL level to avoid long posts; if DEBUG
level is preferred, let me know, please.)
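The log in this post shows the negotiation getting past proposal selection and identity matching and then dying on payloads iked could not process. The following is an added example, not code from the thread or from Shrew Soft: a small POSIX shell triage script for this iked.log format that pulls out the transform the gateway selected, the identity it presented, the first error iked logged after the identity matched, and the payload type numbers it did not handle. The input is a constructed excerpt of the log lines quoted above, and the function names are the script's own.

```shell
#!/bin/sh
# Added example, not from the thread or from Shrew Soft: triage helpers for
# the Shrew Soft iked.log format. The constructed input below is an excerpt
# of the INFORMATIONAL-level log quoted in the post, trimmed to phase1.
set -eu

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
10/03/04 08:44:41 ii : processing phase1 packet ( 1472 bytes )
10/03/04 08:44:41 ii : matched isakmp proposal #1 transform #13
10/03/04 08:44:41 ii : - transform = ike
10/03/04 08:44:41 ii : - cipher type = 3des
10/03/04 08:44:41 ii : - key length = default
10/03/04 08:44:41 ii : - hash type = md5
10/03/04 08:44:41 ii : - dh group = modp-1024
10/03/04 08:44:41 ii : - auth type = xauth-initiator-rsa
10/03/04 08:44:41 ii : - life seconds = 86400
10/03/04 08:44:41 ii : phase1 id target is any
10/03/04 08:44:41 ii : phase1 id match
10/03/04 08:44:41 ii : received = asn1-dn C=CZ,ST=Czech Republic,L=Prague,O=Radiomobil a.s.,OU=IT Security,CN=vpngw2.t-mobile.cz
10/03/04 08:44:41 !! : unprocessed payload data
10/03/04 08:44:41 !! : unprocessed payload data
10/03/04 08:44:41 !! : unhandled phase1 payload 'unknown' ( 48 )
10/03/04 08:44:41 !! : unprocessed payload data
10/03/04 08:44:41 ii : phase1 removal before expire time
EOF

# phase1_param NAME FILE: value of one "- NAME = value" line of the matched
# transform, e.g. phase1_param 'cipher type' FILE -> 3des.
phase1_param() {
    awk -v key="$1" -F' = ' '$0 ~ (" : - " key " = ") { print $2; exit }' "$2"
}

# peer_identity FILE: the ID the gateway sent in phase1 (here an ASN.1 DN).
peer_identity() {
    sed -n 's/.* ii : received = asn1-dn //p' "$1" | head -n 1
}

# first_error_after_id_match FILE: the first "!!" line after the peer ID
# matched, i.e. the first thing iked choked on once it knew who the peer was.
first_error_after_id_match() {
    awk '/ ii : phase1 id match/ { seen = 1; next }
         seen && / !! : / { sub(/^.* !! : /, ""); print; exit }' "$1"
}

# unhandled_payloads FILE: ISAKMP payload type numbers iked did not understand.
unhandled_payloads() {
    sed -n "s/.*unhandled phase1 payload '[^']*' ( \([0-9]*\) ).*/\1/p" "$1" | sort -u
}

# phase1_aborted FILE: succeeds if iked tore the phase1 SA down before it was established.
phase1_aborted() {
    grep -q ' ii : phase1 removal before expire time' "$1"
}

# weak_phase1 FILE: succeeds if the negotiated transform uses algorithms that
# are deprecated today (DES/3DES, MD5, MODP groups below 2048 bits).
weak_phase1() {
    case "$(phase1_param 'cipher type' "$1")" in des|3des) return 0 ;; esac
    case "$(phase1_param 'hash type' "$1")" in md5) return 0 ;; esac
    case "$(phase1_param 'dh group' "$1")" in modp-768|modp-1024) return 0 ;; esac
    return 1
}

printf 'peer identity : %s\n' "$(peer_identity "$LOG")"
printf 'phase1        : %s / %s / %s, auth %s\n' \
    "$(phase1_param 'cipher type' "$LOG")" "$(phase1_param 'hash type' "$LOG")" \
    "$(phase1_param 'dh group' "$LOG")" "$(phase1_param 'auth type' "$LOG")"
printf 'first error   : %s\n' "$(first_error_after_id_match "$LOG")"
printf 'unhandled     : payload type(s) %s\n' "$(unhandled_payloads "$LOG" | tr '\n' ' ')"
if phase1_aborted "$LOG"; then echo 'result        : phase1 SA torn down before it was established'; fi
if weak_phase1 "$LOG"; then echo 'note          : phase1 transform uses deprecated algorithms'; fi
```

On a real iked.log, point the functions at the file instead of the constructed excerpt; the first error after the identity match is usually the line worth quoting in a bug report, together with the unhandled payload number, since everything after it is just teardown noise.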