<div>Hello again Paul, </div>
<div> </div>
<div>Yes, I have checked the IPSec service and it is running at the windows box. I also checked the linux box by </div>
<div> </div>
<div>#ipsec verify</div>
<div> </div>
<div> command and everything looks fine too. </div>
<div> </div>
<div>Here is my work and test LAN so that you can have a better understanding of my network;</div>
<div> </div>
<div> </div>
<div> </div>
<div><pre>
++++++                                                ++++++                                        ++++++
++++++192.168.1.68------------------------192.168.1.55++++++10.10.10.1-------------------10.10.10.10++++++
++++++                                                ++++++                                        ++++++
++++++                                                ++++++                                        ++++++
Windows XP SP2                                    Gateway router                               Suse Linux 2.6.13
Machine                                            UDP 500 open                                 Openswan 2.4.0
</pre></div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div>As you said, I have used 10.10.10.10 and 10.10.10.0 at Private Address/Network Mask part in lsipsectool. Here are the log files from lsipsectool and Windows;
</div>
<div> </div>
<div> </div>
<div>&gt;&gt;&gt;&gt;&gt; <font size="1">A trial with 10.10.10.10 as Remote Network Address</font> &lt;&lt;&lt;&lt;&lt;
</div>
<div><font size="1">
<p><font size="2"><font size="2">ipsectool</font> log FILE IS;</font></p>
<p>11:18:05: Starting Tunnel</p>
<p>11:18:05: IKE Encryption: 3des</p>
<p>IKE Integrity: md5</p>
<p>Remote Gateway Address: 192.168.1.55</p>
<p>Remote Monitor Address: 10.10.10.10</p>
<p>Remote Network: 10.10.10.10/255.255.255.0</p>
<p>Local Address: 192.168.1.68</p>
<p>Local Network: 192.168.1.68/255.255.255.255</p>
<p>11:18:46: 15 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...</p>
<p>11:19:28: 30 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...</p>
<p>11:19:29: Stoping Tunnel</p>
<p><font size="2">WINDOWS log FILE FOR THIS IS;</font></p><font size="1">
<p>IPSec Services: PAStore Engine failed to apply some rules of the active IPSec policy "x4 {30a70c2c-180f-46b6-9f33-46c26bb6c0de}" on the machine with error code: The parameter is incorrect.</p>
<p>. Please run IPSec monitor snap-in to further diagnose the problem.</p>
<p><font size="2">AND ANOTHER LOG FILE FOR THIS THAT WINDOWS CREATED IS;</font></p><font size="1">
<p>IPSec Services: PAStore Engine failed to apply local registry storage IPSec policy on the machine for "x4 {9f30c367-b7b3-44d2-9d8f-9bdab4c709ae}" with error code: The parameter is incorrect.</p></font></font>
<p>&gt;&gt;&gt;&gt;&gt; Another trial with 10.10.10.0 as Remote Network Address &lt;&lt;&lt;&lt;&lt;
</p>
<p><font size="2">ipsectool log FILE IS;</font></p>
<p>11:24:22: Starting Tunnel</p>
<p>11:24:23: IKE Encryption: 3des</p>
<p>IKE Integrity: md5</p>
<p>Remote Gateway Address: 192.168.1.55</p>
<p>Remote Monitor Address: 10.10.10.10</p>
<p>Remote Network: 10.10.10.0/255.255.255.0</p>
<p>Local Address: 192.168.1.68</p>
<p>Local Network: 192.168.1.68/255.255.255.255</p>
<p>11:24:24: 15 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...</p>
<p>11:24:29: 30 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...</p>
<p>11:24:34: 45 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...</p>
<p>11:24:36: Stoping Tunnel</p>
<p><font size="2">WINDOWS log FILE FOR THIS IS;</font></p><font size="1">
<p>IKE security association negotiation failed.</p>
<p>Mode: </p>
<p>Key Exchange Mode (Main Mode)</p>
<p>Filter: </p>
<p>Source IP Address 192.168.1.68</p>
<p>Source IP Address Mask 255.255.255.255</p>
<p>Destination IP Address 192.168.1.55</p>
<p>Destination IP Address Mask 255.255.255.255</p>
<p>Protocol 0</p>
<p>Source Port 0</p>
<p>Destination Port 0</p>
<p>IKE Local Addr 192.168.1.68</p>
<p>IKE Peer Addr 192.168.1.55</p>
<p>Peer Identity: </p>
<p>Certificate based Identity. </p>
<p>Peer Subject </p>
<p>Peer SHA Thumbprint 0000000000000000000000000000000000000000</p>
<p>Peer Issuing Certificate Authority </p>
<p>Root Certificate Authority </p>
<p>My Subject C=CA, S=Ontario, O=Springboard Retail Networks Inc., CN=laptop, E=<a href="mailto:laptop@springboardnetworks.com">laptop@springboardnetworks.com</a></p>
<p>My SHA Thumbprint 9f120fd256be49e28c1df547aef9a1256ebef09e</p>
<p>Peer IP Address: 192.168.1.55</p>
<p>Failure Point: </p>
<p>Me</p>
<p>Failure Reason: </p>
<p>New policy invalidated SAs formed with old policy</p>
<p> </p>
<p><font size="2">And, how do I check the log file for openswan at the linux box? There is not a file called "security" at /var/log at the linux box as I read somewhere.</font></p></font>
<p><font size="2"></font> </p>
<p></p></font><font size="2">Thank you</font><font size="1">
<p> </p></font></div>
<div>Can Akalin</div>
<div> </div>
<div> </div>
<div><br><br> </div>
<div><span class="gmail_quote">On 3/15/06, <b class="gmail_sendername">Paul Wouters</b> &lt;<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>&gt; wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">On Wed, 15 Mar 2006, Can Akalin wrote:<br><br>> I installed lsipsectool.exe and used it. The result was not a success. I am
<br>> gonna paste the log file below. Before that, I have a few questions;<br><br>Odd.<br><br>> 1. At the GUI of lsipsectool.exe, under the Remote Side of the Tunnel,<br>> I put the IP address of the gateway which is
192.168.1.55. But I am<br>> confused with Remote Internal IP and Private Address/Network Mask part. I<br>> put 10.10.10.10 for both of them which is linux box's IP address
<br>> within that LAN behind the gateway. Is that correct?<br><br>Yes. The reason for that option is that Microsoft IPsec only initiates the<br>tunnel when there is traffic for it. Just like you need to "ping" first
<br>after the ipsec.exe command ran before you see "Negotiating IPsec security".<br>The lsipsectool uses that internal IP to send a ping when you click on bringing<br>the connection up.<br><br>> 2. At the IPSec Options windows, I selected Certificate as an
<br>> Authentication Method and write the challenge password below which I was<br>> asked when I created the certificate at CA in linux box. For the<br>> Proto/Encryption/Integrity part I did not change the default settings, which
<br>> are ESP/3DES/MD5. Should I change them? If so, to what values I should<br>> change them?<br><br>No you shouldn't need to.<br><br>> Remote Gateway Address: 192.168.1.55
<br>> Remote Monitor Address: 10.10.10.10<br>> Remote Network: 10.10.10.10/255.255.255.0<br><br>Can you try 10.10.10.0/255.255.255.0 instead?<br><br>> IPSec Services: PAStore Engine failed to apply some rules of the active<br>> IPSec policy "x4 {0529745e-57f5-4c99-adc9-951d9c14a149}" on the machine with<br>> error code: The parameter is incorrect.
<br>><br>> . Please run IPSec monitor snap-in to further diagnose the problem<br><br>Check in the administration tools/services to see if the IPsec service is<br>running? Some other clients (I believe ncp/astaro) might turn it off when
<br>you install their software, but do not re-enable them.<br><br>Paul<br></blockquote></div><br>
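<div>Added example, not part of the original e-mail or of lsipsectool: a small pre-flight lint for the Remote Network and Remote Monitor Address values that differ between the two trials above. It flags an address/mask whose address is not the network address (the change Paul asks for) and a monitor address that lies outside the tunnel's remote network; the function names are hypothetical, and whether the Windows policy store itself rejects host bits is not stated in the thread.</div>

```python
import ipaddress


def check_filter(spec):
    """Lint one 'address/mask' value (dotted or prefix-length mask).

    Returns (normalized_network_or_None, list_of_problem_strings).
    """
    addr_text, _, mask_text = spec.partition("/")
    addr = ipaddress.IPv4Address(addr_text)  # raises on a malformed address
    try:
        # strict=False accepts host bits so they can be reported, not raised
        net = ipaddress.IPv4Network(f"{addr_text}/{mask_text or 32}", strict=False)
    except ipaddress.NetmaskValueError:
        return None, [f"{mask_text} is not a valid contiguous netmask"]
    problems = []
    if addr != net.network_address:
        problems.append(
            f"{addr} has host bits set under mask {net.netmask}; "
            f"the network address is {net.network_address}"
        )
    return net, problems


def check_tunnel(remote_network, monitor_address):
    """Lint the remote side of a tunnel definition.

    The monitor address is the host pinged to bring the tunnel up, so it
    must fall inside the remote network the policy filter covers.
    """
    net, problems = check_filter(remote_network)
    if net is not None and ipaddress.IPv4Address(monitor_address) not in net:
        problems.append(f"monitor address {monitor_address} is outside {net}")
    return net, problems


if __name__ == "__main__":
    # Values taken from the two trials in the message above.
    trials = [
        ("10.10.10.10/255.255.255.0", "10.10.10.10"),
        ("10.10.10.0/255.255.255.0", "10.10.10.10"),
    ]
    for remote_network, monitor in trials:
        net, problems = check_tunnel(remote_network, monitor)
        print(remote_network, "->", net, problems or "ok")
```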