<DIV>Paul, I have logged the Oakley logs... but can't understand them, can you figure them out...&nbsp; I don't get any errors in my VPN server logs..</DIV>
<DIV>&nbsp;</DIV>
<DIV>Logs are below</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;5-10: 09:11:24:762:554 Initialization OK<BR>&nbsp;5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: 40db2282-11b8-4e85-b940c4f6beee4822 4<BR>&nbsp;5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: 6a0aebec-6b2c-4bd3-bcab9c22da4c46d2 4<BR>&nbsp;5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: ae561592-1846-4185-98c467319ae5b719 3<BR>&nbsp;5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: 4855472b-c57f-40a8-aff10c3db39e6773 3<BR>&nbsp;5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: a6f53fb9-a60b-422d-9c099d1e73e355d8 1<BR>&nbsp;5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: 6c29f547-c022-4764-820245d8971bb05b 2<BR>&nbsp;5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: b204636c-949a-473a-9bb36197ce0225ca 2<BR>&nbsp;5-10: 09:11:45:632:b08 entered kill_old_policy_sas 4<BR>&nbsp;5-10: 09:11:45:632:b08 entered kill_old_policy_sas 4<BR>&nbsp;5-10: 09:11:45:632:b08 entered kill_old_policy_sas 3<BR>&nbsp;5-10:
 09:11:45:632:b08 entered kill_old_policy_sas 3<BR>&nbsp;5-10: 09:11:45:632:b08 entered kill_old_policy_sas 1<BR>&nbsp;5-10: 09:11:45:632:b08 entered kill_old_policy_sas 2<BR>&nbsp;5-10: 09:11:45:632:b08 entered kill_old_policy_sas 2<BR>&nbsp;5-10: 09:12:03:37:894 Acquire from driver: op=00000008 src=192.168.1.2.0 dst=192.168.2.234.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.0, Tunnel 1, TunnelEndpt=202.149.x.x Inbound TunnelEndpt=192.168.1.2<BR>&nbsp;5-10: 09:12:03:37:b08 Filter to match: Src 202.149.x.x Dst 192.168.1.2<BR>&nbsp;5-10: 09:12:03:37:b08 MM PolicyName: 2<BR>&nbsp;5-10: 09:12:03:37:b08 MMPolicy dwFlags 2 SoftSAExpireTime 28800<BR>&nbsp;5-10: 09:12:03:37:b08 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2<BR>&nbsp;5-10: 09:12:03:37:b08 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA<BR>&nbsp;5-10: 09:12:03:37:b08 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2<BR>&nbsp;5-10: 09:12:03:37:b08 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5<BR>&nbsp;5-10:
 09:12:03:37:b08 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1<BR>&nbsp;5-10: 09:12:03:37:b08 MMOffer[2] Encrypt: DES CBC Hash: SHA<BR>&nbsp;5-10: 09:12:03:37:b08 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1<BR>&nbsp;5-10: 09:12:03:37:b08 MMOffer[3] Encrypt: DES CBC Hash: MD5<BR>&nbsp;5-10: 09:12:03:37:b08 Auth[0]:RSA Sig C=IN, S=Maharashtra, L=Mumbai, O=Net, OU=IT, CN=Deepak, <A href="mailto:E=deepak@company.com">E=deepak@company.com</A> AuthFlags 0<BR>&nbsp;5-10: 09:12:03:47:b08 QM PolicyName: Host-roadwarrior filter action dwFlags 1<BR>&nbsp;5-10: 09:12:03:47:b08 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600<BR>&nbsp;5-10: 09:12:03:47:b08 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648<BR>&nbsp;5-10: 09:12:03:47:b08&nbsp; Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5<BR>&nbsp;5-10: 09:12:03:47:b08 Starting Negotiation: src = 192.168.1.2.0500, dst = 202.149.x.x.0500, proto = 00, context = 00000008, ProxySrc = 192.168.1.2.0000, ProxyDst = 192.168.2.0.0000 SrcMask =
 255.255.255.255 DstMask = 255.255.255.0<BR>&nbsp;5-10: 09:12:03:47:b08 constructing ISAKMP Header<BR>&nbsp;5-10: 09:12:03:47:b08 constructing SA (ISAKMP)<BR>&nbsp;5-10: 09:12:03:47:b08 Constructing Vendor MS NT5 ISAKMPOAKLEY<BR>&nbsp;5-10: 09:12:03:47:b08 Constructing Vendor FRAGMENTATION<BR>&nbsp;5-10: 09:12:03:47:b08 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02<BR>&nbsp;5-10: 09:12:03:47:b08 Constructing Vendor Vid-Initial-Contact<BR>&nbsp;5-10: 09:12:03:47:b08 <BR>&nbsp;5-10: 09:12:03:47:b08 Sending: SA = 0x000F0668 to 202.149.x.x:Type 2.500<BR>&nbsp;5-10: 09:12:03:47:b08 ISAKMP Header: (V1.0), len = 276<BR>&nbsp;5-10: 09:12:03:47:b08&nbsp;&nbsp; I-COOKIE 5415e04dba12c029<BR>&nbsp;5-10: 09:12:03:47:b08&nbsp;&nbsp; R-COOKIE 0000000000000000<BR>&nbsp;5-10: 09:12:03:47:b08&nbsp;&nbsp; exchange: Oakley Main Mode<BR>&nbsp;5-10: 09:12:03:47:b08&nbsp;&nbsp; flags: 0<BR>&nbsp;5-10: 09:12:03:47:b08&nbsp;&nbsp; next payload: SA<BR>&nbsp;5-10: 09:12:03:47:b08&nbsp;&nbsp; message ID:
 00000000<BR>&nbsp;5-10: 09:12:03:47:b08 Ports S:f401 D:f401<BR>&nbsp;5-10: 09:12:03:107:b08 <BR>&nbsp;5-10: 09:12:03:107:b08 Receive: (get) SA = 0x000f0668 from 202.149.x.x.500<BR>&nbsp;5-10: 09:12:03:107:b08 ISAKMP Header: (V1.0), len = 140<BR>&nbsp;5-10: 09:12:03:107:b08&nbsp;&nbsp; I-COOKIE 5415e04dba12c029<BR>&nbsp;5-10: 09:12:03:107:b08&nbsp;&nbsp; R-COOKIE 23ebe6fb7bc0825f<BR>&nbsp;5-10: 09:12:03:107:b08&nbsp;&nbsp; exchange: Oakley Main Mode<BR>&nbsp;5-10: 09:12:03:107:b08&nbsp;&nbsp; flags: 0<BR>&nbsp;5-10: 09:12:03:107:b08&nbsp;&nbsp; next payload: SA<BR>&nbsp;5-10: 09:12:03:107:b08&nbsp;&nbsp; message ID: 00000000<BR>&nbsp;5-10: 09:12:03:107:b08 processing payload SA<BR>&nbsp;5-10: 09:12:03:107:b08 Received Phase 1 Transform 1<BR>&nbsp;5-10: 09:12:03:107:b08&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Encryption Alg Triple DES CBC(5)<BR>&nbsp;5-10: 09:12:03:107:b08&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Hash Alg SHA(2)<BR>&nbsp;5-10: 09:12:03:107:b08&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Oakley 
 Group
 2<BR>&nbsp;5-10: 09:12:03:107:b08&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Auth Method RSA Signature with Certificates(3)<BR>&nbsp;5-10: 09:12:03:107:b08&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Life type in Seconds<BR>&nbsp;5-10: 09:12:03:107:b08&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Life duration of 28800<BR>&nbsp;5-10: 09:12:03:107:b08 Phase 1 SA accepted: transform=1<BR>&nbsp;5-10: 09:12:03:107:b08 SA - Oakley proposal accepted<BR>&nbsp;5-10: 09:12:03:107:b08 processing payload VENDOR ID<BR>&nbsp;5-10: 09:12:03:107:b08 processing payload VENDOR ID<BR>&nbsp;5-10: 09:12:03:107:b08 processing payload VENDOR ID<BR>&nbsp;5-10: 09:12:03:107:b08 Received VendorId draft-ietf-ipsec-nat-t-ike-02<BR>&nbsp;5-10: 09:12:03:107:b08 ClearFragList<BR>&nbsp;5-10: 09:12:03:107:b08 constructing ISAKMP Header<BR>&nbsp;5-10: 09:12:03:167:b08 constructing KE<BR>&nbsp;5-10: 09:12:03:167:b08 constructing NONCE (ISAKMP)<BR>&nbsp;5-10: 09:12:03:167:b08 Constructing NatDisc<BR>&nbsp;5-10: 09:12:03:167:b08 <BR>&nbsp;5-10:
 09:12:03:167:b08 Sending: SA = 0x000F0668 to 202.149.x.x:Type 2.500<BR>&nbsp;5-10: 09:12:03:167:b08 ISAKMP Header: (V1.0), len = 232<BR>&nbsp;5-10: 09:12:03:167:b08&nbsp;&nbsp; I-COOKIE 5415e04dba12c029<BR>&nbsp;5-10: 09:12:03:167:b08&nbsp;&nbsp; R-COOKIE 23ebe6fb7bc0825f<BR>&nbsp;5-10: 09:12:03:167:b08&nbsp;&nbsp; exchange: Oakley Main Mode<BR>&nbsp;5-10: 09:12:03:167:b08&nbsp;&nbsp; flags: 0<BR>&nbsp;5-10: 09:12:03:167:b08&nbsp;&nbsp; next payload: KE<BR>&nbsp;5-10: 09:12:03:167:b08&nbsp;&nbsp; message ID: 00000000<BR>&nbsp;5-10: 09:12:03:167:b08 Ports S:f401 D:f401<BR>&nbsp;5-10: 09:12:03:248:b08 <BR>&nbsp;5-10: 09:12:03:248:b08 Receive: (get) SA = 0x000f0668 from 202.149.x.x.500<BR>&nbsp;5-10: 09:12:03:248:b08 ISAKMP Header: (V1.0), len = 228<BR>&nbsp;5-10: 09:12:03:248:b08&nbsp;&nbsp; I-COOKIE 5415e04dba12c029<BR>&nbsp;5-10: 09:12:03:248:b08&nbsp;&nbsp; R-COOKIE 23ebe6fb7bc0825f<BR>&nbsp;5-10: 09:12:03:248:b08&nbsp;&nbsp; exchange: Oakley Main Mode<BR>&nbsp;5-10:
 09:12:03:248:b08&nbsp;&nbsp; flags: 0<BR>&nbsp;5-10: 09:12:03:248:b08&nbsp;&nbsp; next payload: KE<BR>&nbsp;5-10: 09:12:03:248:b08&nbsp;&nbsp; message ID: 00000000<BR>&nbsp;5-10: 09:12:03:248:b08 processing payload KE<BR>&nbsp;5-10: 09:12:03:268:b08 processing payload NONCE<BR>&nbsp;5-10: 09:12:03:268:b08 processing payload NATDISC<BR>&nbsp;5-10: 09:12:03:268:b08 Processing NatHash<BR>&nbsp;5-10: 09:12:03:268:b08 Nat hash 923d1b992e53e76e6620d9ab298cfae6<BR>&nbsp;5-10: 09:12:03:268:b08 9c6f18d7<BR>&nbsp;5-10: 09:12:03:268:b08 SA StateMask2 1f<BR>&nbsp;5-10: 09:12:03:268:b08 processing payload NATDISC<BR>&nbsp;5-10: 09:12:03:268:b08 Processing NatHash<BR>&nbsp;5-10: 09:12:03:268:b08 Nat hash d8e12d6b3b0f4e3765e5d3c53303204b<BR>&nbsp;5-10: 09:12:03:268:b08 5780daf8<BR>&nbsp;5-10: 09:12:03:268:b08 SA StateMask2 5f<BR>&nbsp;5-10: 09:12:03:268:b08 ClearFragList<BR>&nbsp;5-10: 09:12:03:268:b08 Peer behind NAT<BR>&nbsp;5-10: 09:12:03:268:b08 Floated Ports Orig Me:f401
 Peer:f401<BR>&nbsp;5-10: 09:12:03:268:b08 Floated Ports Me:9411 Peer:9411<BR>&nbsp;5-10: 09:12:03:268:b08 constructing ISAKMP Header<BR>&nbsp;5-10: 09:12:03:268:b08 constructing ID<BR>&nbsp;5-10: 09:12:03:268:b08 Received no valid CRPs.&nbsp; Using all configured<BR>&nbsp;5-10: 09:12:03:268:b08 Looking for IPSec only cert<BR>&nbsp;5-10: 09:12:03:268:b08 failed to get chain 80092004<BR>&nbsp;5-10: 09:12:03:268:b08 Looking for any cert<BR>&nbsp;5-10: 09:12:03:268:b08 failed to get chain 80092004<BR>&nbsp;5-10: 09:12:03:268:b08 ProcessFailure: sa:000F0668 centry:00000000 status:35ee<BR>&nbsp;5-10: 09:12:03:268:b08 isadb_set_status sa:000F0668 centry:00000000 status 35ee<BR>&nbsp;5-10: 09:12:03:268:b08 Key Exchange Mode (Main Mode)<BR>&nbsp;5-10: 09:12:03:268:b08 Source IP Address 192.168.1.2&nbsp; Source IP Address Mask 255.255.255.255&nbsp; Destination IP Address 202.149.x.x&nbsp; Destination IP Address Mask 255.255.255.255&nbsp; Protocol 0&nbsp; Source Port 0&nbsp; Destination Port
 0&nbsp; IKE Local Addr 192.168.1.2&nbsp; IKE Peer Addr 202.149.x.x<BR>&nbsp;5-10: 09:12:03:268:b08 Certificate based Identity.&nbsp;&nbsp;&nbsp; Peer IP Address: 202.149.x.x<BR>&nbsp;5-10: 09:12:03:268:b08 Me<BR>&nbsp;5-10: 09:12:03:268:b08 IKE failed to find valid machine certificate<BR>&nbsp;5-10: 09:12:03:268:b08 0x80092004 0x0<BR>&nbsp;5-10: 09:12:03:268:b08 ProcessFailure: sa:000F0668 centry:00000000 status:35ee<BR>&nbsp;5-10: 09:12:03:268:b08 constructing ISAKMP Header<BR>&nbsp;5-10: 09:12:03:268:b08 constructing HASH (null)<BR>&nbsp;5-10: 09:12:03:268:b08 constructing NOTIFY 28<BR>&nbsp;5-10: 09:12:03:268:b08 constructing HASH (Notify/Delete)<BR>&nbsp;5-10: 09:12:03:268:b08 <BR>&nbsp;5-10: 09:12:03:268:b08 Sending: SA = 0x000F0668 to 202.149.x.x:Type 1.4500<BR>&nbsp;5-10: 09:12:03:268:b08 ISAKMP Header: (V1.0), len = 84<BR>&nbsp;5-10: 09:12:03:268:b08&nbsp;&nbsp; I-COOKIE 5415e04dba12c029<BR>&nbsp;5-10: 09:12:03:268:b08&nbsp;&nbsp; R-COOKIE 23ebe6fb7bc0825f<BR>&nbsp;5-10:
 09:12:03:268:b08&nbsp;&nbsp; exchange: ISAKMP Informational Exchange<BR>&nbsp;5-10: 09:12:03:268:b08&nbsp;&nbsp; flags: 1 ( encrypted )<BR>&nbsp;5-10: 09:12:03:268:b08&nbsp;&nbsp; next payload: HASH<BR>&nbsp;5-10: 09:12:03:268:b08&nbsp;&nbsp; message ID: 04eea425<BR>&nbsp;5-10: 09:12:03:268:b08 Ports S:9411 D:9411<BR>&nbsp;5-10: 09:12:13:322:b08 <BR>&nbsp;5-10: 09:12:13:332:b08 Receive: (get) SA = 0x000f0668 from 202.149.x.x.500<BR>&nbsp;5-10: 09:12:13:332:b08 ISAKMP Header: (V1.0), len = 228<BR>&nbsp;5-10: 09:12:13:332:b08&nbsp;&nbsp; I-COOKIE 5415e04dba12c029<BR>&nbsp;5-10: 09:12:13:332:b08&nbsp;&nbsp; R-COOKIE 23ebe6fb7bc0825f<BR>&nbsp;5-10: 09:12:13:332:b08&nbsp;&nbsp; exchange: Oakley Main Mode<BR>&nbsp;5-10: 09:12:13:332:b08&nbsp;&nbsp; flags: 0<BR>&nbsp;5-10: 09:12:13:332:b08&nbsp;&nbsp; next payload: KE<BR>&nbsp;5-10: 09:12:13:332:b08&nbsp;&nbsp; message ID: 00000000<BR>&nbsp;5-10: 09:12:13:332:b08 received an unencrypted packet when crypto active<BR>&nbsp;5-10:
 09:12:13:332:b08 GetPacket failed 35ec<BR>&nbsp;5-10: 09:12:33:321:b08 <BR>&nbsp;5-10: 09:12:33:321:b08 Receive: (get) SA = 0x000f0668 from 202.149.x.x.500<BR>&nbsp;5-10: 09:12:33:321:b08 ISAKMP Header: (V1.0), len = 228<BR>&nbsp;5-10: 09:12:33:321:b08&nbsp;&nbsp; I-COOKIE 5415e04dba12c029<BR>&nbsp;5-10: 09:12:33:321:b08&nbsp;&nbsp; R-COOKIE 23ebe6fb7bc0825f<BR>&nbsp;5-10: 09:12:33:321:b08&nbsp;&nbsp; exchange: Oakley Main Mode<BR>&nbsp;5-10: 09:12:33:321:b08&nbsp;&nbsp; flags: 0<BR>&nbsp;5-10: 09:12:33:321:b08&nbsp;&nbsp; next payload: KE<BR>&nbsp;5-10: 09:12:33:321:b08&nbsp;&nbsp; message ID: 00000000<BR>&nbsp;5-10: 09:12:33:321:b08 received an unencrypted packet when crypto active<BR>&nbsp;5-10: 09:12:33:321:b08 GetPacket failed 35ec<BR></DIV>
<DIV>&nbsp;</DIV>
<DIV>The logs are below<BR><BR><B><I>Paul Wouters &lt;paul@xelerance.com&gt;</I></B> wrote:</DIV>
<BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">On Mon, 9 May 2005, Deepak Naidu wrote:<BR><BR>&gt; C:\ipsec&gt;ping 192.168.2.234<BR>&gt; Pinging 192.168.2.234 with 32 bytes of data:<BR>&gt; Negotiating IP Security.<BR>&gt; Request timed out.<BR>&gt; Request timed out.<BR>&gt; Request timed out.<BR>&gt; Ping statistics for 192.168.2.234:<BR>&gt; Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),<BR><BR>Check the oakley.log to see what Windows thinks is happening. And<BR>check the openswan logs to see what it is saying. Though likely,<BR>if this is a windows misconfiguration, openswan will just log<BR>"no response to....." entries.<BR><BR>See the wiki on how to enable oakley.log on windows.<BR><BR>Paul<BR><BR>&gt;<BR>&gt; Deepak Naidu &lt;DEEPAK_NAI@YAHOO.COM&gt; wrote:<BR>&gt; Hi,<BR>&gt;<BR>&gt; I am using Openswan 2.3.1 VPN server on FC3<BR>&gt; 2.6.9smp kernel. It is behind a NAT and I have natted<BR>&gt; ports 4500, and 500. The
 issue is when using<BR>&gt; l2tpd+x509cert from Winxp with VPN dialer is working<BR>&gt; fine. But when using Mullers' ipsec.exe tool, with<BR>&gt; the below configs in the ipsec.conf of Winxp pc.... I<BR>&gt; am unable to ping my network.. It doesn't even give<BR>&gt; negotiating message, but host unreachable....<BR>&gt;<BR>&gt; Should I have to write some more firewall rules to<BR>&gt; open the ports in my NAT.<BR>&gt;<BR>&gt; I have SP2 with support tools and ipseccmd.exe file..<BR>&gt;<BR>&gt; Winxp is a roadwarrior on dialup...<BR>&gt;<BR>&gt; Please advise me...<BR>&gt;<BR>&gt; Ipsec.conf on Winxp...<BR>&gt;<BR>&gt; conn roadwarrior<BR>&gt; pfs=yes<BR>&gt; left=%any<BR>&gt; right=202.x.x.x<BR>&gt; rightsubnet=192.168.2.0/24<BR>&gt; rightca="C=IN, S=state, L=location, O=company,<BR>&gt; OU=IT, CN=name, E=name@company.com"<BR>&gt; network=auto<BR>&gt; auto=start<BR>&gt;<BR>&gt;<BR>&gt; Regards,<BR>&gt; Deepak.<BR>&gt;<BR>&gt;<BR>&gt;<BR>&gt;
</BLOCKQUOTE>
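Added example, not part of the original message or of Openswan: a small Python triage of the oakley.log format quoted above, reporting the last Main Mode stage reached and every failure entry with its hex status code converted to decimal. The `triage` function name and the marker lists are assumptions of this example; the sample entries are copied from the log in the post.

```python
import re

# Plain-text excerpt of the oakley.log entries quoted in the message above.
SAMPLE = """\
 5-10: 09:12:03:107:b08 Phase 1 SA accepted: transform=1
 5-10: 09:12:03:248:b08 processing payload KE
 5-10: 09:12:03:268:b08 constructing ID
 5-10: 09:12:03:268:b08 Looking for IPSec only cert
 5-10: 09:12:03:268:b08 failed to get chain 80092004
 5-10: 09:12:03:268:b08 Looking for any cert
 5-10: 09:12:03:268:b08 failed to get chain 80092004
 5-10: 09:12:03:268:b08 ProcessFailure: sa:000F0668 centry:00000000 status:35ee
 5-10: 09:12:03:268:b08 IKE failed to find valid machine certificate
 5-10: 09:12:13:332:b08 received an unencrypted packet when crypto active
 5-10: 09:12:13:332:b08 GetPacket failed 35ec
"""

# Entry layout: "<month-day>: <hh:mm:ss:ms>:<thread id> <message>"
ENTRY = re.compile(r"^\s*(\d+-\d+): (\d+:\d+:\d+:\d+):([0-9a-f]+) (.*)$")
# Progress and failure markers (assumed lists); each string is a message from the log above.
STAGES = ["Phase 1 SA accepted", "processing payload KE", "constructing ID"]
FAILURE = re.compile(r"failed|ProcessFailure|unencrypted packet when crypto active")
CODE = re.compile(r"(?:status:|chain |GetPacket failed )([0-9a-f]{4,8})$")


def triage(text):
    """Return the last Main Mode stage reached and every failure entry."""
    last_stage, failures = None, []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # not a log entry (blank or wrapped line)
        clock, msg = m.group(2), m.group(4).strip()
        if not failures:  # stages only count until the first failure
            for stage in STAGES:
                if msg.startswith(stage):
                    last_stage = stage
        if FAILURE.search(msg):
            code = CODE.search(msg)
            # The log prints codes as bare hex; keep the decimal value for lookup.
            failures.append((clock, msg, int(code.group(1), 16) if code else None))
    return {"last_stage": last_stage, "failures": failures}


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("last stage before first failure:", report["last_stage"])
    for clock, msg, code in report["failures"]:
        print(clock, msg, "" if code is None else f"(decimal {code})")
```

On the excerpt, the first failure appears right after `constructing ID`, which is the point where the client has to supply its certificate.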