<div>Hello,</div>
<div> </div>
<div>I am new to Linux and Openswan and committed to learning Linux a lot and helping a lot. :)</div>
<div> </div>
<div>I wrote here about my problem earlier regarding an IPSec VPN connection using x509 certificates between a Linux machine kernel 2.6.13 Openswan 2.4.0, and a Windows XP Pro SP2 client. Since then, I have enabled the oakley logging on the Windows machine and found where the log files are on the Linux machine. I want to give more details on my test environment at work so that someone can have a better understanding of my problem.
</div>
<div> </div>
<div>Our work place has 192.168.1.0/24 subnet for office use and I have another LAN for test purposes within this office network. My test LAN has 10.10.10.0/24 subnet and has a connection to the 192.168.1.0/24 office network through a router gateway. In my test LAN, I have a Linux machine (Suse 10.0) kernel 2.6.13. This linux machine is also a DHCP server for the test LAN.
</div>
<div> </div>
<div>By following Nate Carlson's instructions, I also installed a Certificate Authority (CA) on the Linux machine and created x509 certificates for the Linux machine and Windows client, transferred the certificates to the appropriate places and to the Windows XP client. And then I installed Openswan
2.4.0 on the Linux machine and opened UDP port 500 in its firewall. I also opened UDP port 500 on my router gateway machine as well.</div>
<div> </div>
<div>-- By using </div>
<div> </div>
<div>#ipsec verify </div>
<div> </div>
<div>command I get this from Linux Machine</div>
<div> </div>
<div>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path [OK]</div>
<div>Linux Openswan U2.4.0rc5/K2.6.13-15-smp (netkey)<br>Checking for IPsec support in kernel [OK]</div>
<div>Checking for RSA private key (/etc/ipsec.secrets) [OK] <br>Checking that pluto is running [OK]<br>Two or more interfaces found, checking IP forwarding [OK]
<br>Checking NAT and MASQUERADEing [OK]<br>Checking for 'ip' command [OK]<br>Checking for 'iptables' command [OK]
<br>Checking for 'curl' command for CRL fetching [OK]</div>
<div>Checking for 'setkey' command for NETKEY IPsec stack support [OK]</div>
<div>Opportunistic Encryption Support [Disabled]<br><br>so everything seems OK here.<br><br>-- IPSec service is running well at the Windows Machine.</div>
<div> </div>
<div>-- I am using lsipsectool.exe at the Windows Machine. When I try to establish a VPN connection between the Windows client and the Linux machine, the connection has not been able to be established. </div>
<div> </div>
<div> </div>
<div> </div>
<div>-- HERE IS THE LOG FILE FROM lsipsectool</div>
<div><font size="1">
<p><font size="2">16:51:13: Starting Tunnel</font></p>
<p><font size="2">16:51:13: IKE Encryption: 3des</font></p>
<p><font size="2">IKE Integrity: md5</font></p>
<p><font size="2">Remote Gateway Address: 192.168.1.55</font></p>
<p><font size="2">Remote Monitor Address: 10.10.10.10</font></p>
<p><font size="2">Remote Network: 10.10.10.0/255.255.255.0</font></p>
<p><font size="2">Local Address: 192.168.1.68</font></p>
<p><font size="2">Local Network: 192.168.1.68/255.255.255.255</font></p>
<p><font size="2">16:51:17: 15 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...</font></p>
<p><font size="2">16:51:22: 30 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...</font></p>
<p><font size="2">16:51:27: 45 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...</font></p>
<p><font size="2">16:51:28: Stoping Tunnel</font></p></font></div>
<div> </div>
<div>-- HERE IS THE LOG FILE FROM oakley.log</div>
<div> </div>
<div> </div>
<div><font size="2">3-16: 16:51:16:875:958 Acquire from driver: op=00000008 src=192.168.1.68.0 dst=10.10.10.10.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.0, Tunnel 1, TunnelEndpt=192.168.1.55 Inbound TunnelEndpt=192.168.1.68<br>
 3-16: 16:51:16:968:4b4 Filter to match: Src 192.168.1.55 Dst 192.168.1.68<br>
 3-16: 16:51:17:31:4b4 MM PolicyName: 3<br>
 3-16: 16:51:17:31:4b4 MMPolicy dwFlags 2 SoftSAExpireTime 3500<br>
 3-16: 16:51:17:31:4b4 MMOffer[0] LifetimeSec 3500 QMLimit 0 DHGroup 2<br>
 3-16: 16:51:17:46:4b4 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA<br>
 3-16: 16:51:17:78:4b4 Auth[0]:RSA Sig C=CA, S=Ontario, L=Toronto, O=Springboard Retail Networks Inc., CN=OzgUN, E=ozgun@springboardnetworks.com AuthFlags 0<br>
 3-16: 16:51:17:78:4b4 QM PolicyName: x4 {07b607f8-6ab7-44b4-b990-cb9cde8ffac8} dwFlags 1<br>
 3-16: 16:51:17:78:4b4 QMOffer[0] LifetimeKBytes 0 LifetimeSec 0<br>
 3-16: 16:51:17:78:4b4 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648<br>
 3-16: 16:51:17:78:4b4 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5<br>
 3-16: 16:51:17:78:4b4 Starting Negotiation: src = 192.168.1.68.0500, dst = 192.168.1.55.0500, proto = 00, context = 00000008, ProxySrc = 192.168.1.68.0000, ProxyDst = 10.10.10.0.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.0<br>
 3-16: 16:51:17:78:4b4 constructing ISAKMP Header<br>
 3-16: 16:51:17:78:4b4 constructing SA (ISAKMP)<br>
 3-16: 16:51:17:78:4b4 Constructing Vendor MS NT5 ISAKMPOAKLEY<br>
 3-16: 16:51:17:93:4b4 Constructing Vendor FRAGMENTATION
<br> 3-16: 16:51:17:93:4b4 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02<br> 3-16: 16:51:17:93:4b4 Constructing Vendor Vid-Initial-Contact<br> 3-16: 16:51:17:109:4b4 <br> 3-16: 16:51:17:109:4b4 Sending: SA = 0x00100670 to
192.168.1.55:Type 2.500<br> 3-16: 16:51:17:109:4b4 ISAKMP Header: (V1.0), len = 168<br> 3-16: 16:51:17:109:4b4 I-COOKIE 43bb6858fc51edbb<br> 3-16: 16:51:17:109:4b4 R-COOKIE 0000000000000000<br> 3-16: 16:51:17:109:4b4 exchange: Oakley Main Mode
<br> 3-16: 16:51:17:109:4b4 flags: 0<br> 3-16: 16:51:17:109:4b4 next payload: SA<br> 3-16: 16:51:17:109:4b4 message ID: 00000000<br> 3-16: 16:51:17:109:4b4 Ports S:f401 D:f401<br> 3-16: 16:51:17:125:4b4 <br> 3-16: 16:51:17:125:4b4 Receive: (get) SA = 0x00100670 from
192.168.1.55.500<br> 3-16: 16:51:17:125:4b4 ISAKMP Header: (V1.0), len = 140<br> 3-16: 16:51:17:125:4b4 I-COOKIE 43bb6858fc51edbb<br> 3-16: 16:51:17:125:4b4 R-COOKIE 40e15c4e47162b21<br> 3-16: 16:51:17:125:4b4 exchange: Oakley Main Mode
<br> 3-16: 16:51:17:125:4b4 flags: 0<br> 3-16: 16:51:17:125:4b4 next payload: SA<br> 3-16: 16:51:17:125:4b4 message ID: 00000000<br> 3-16: 16:51:17:125:4b4 processing payload SA<br> 3-16: 16:51:17:125:4b4 Received Phase 1 Transform 1
<br> 3-16: 16:51:17:125:4b4 Encryption Alg Triple DES CBC(5)<br> 3-16: 16:51:17:125:4b4 Hash Alg SHA(2)<br> 3-16: 16:51:17:125:4b4 Oakley Group 2<br> 3-16: 16:51:17:125:4b4 Auth Method RSA Signature with Certificates(3)
<br> 3-16: 16:51:17:125:4b4 Life type in Seconds<br> 3-16: 16:51:17:125:4b4 Life duration of 3500<br> 3-16: 16:51:17:125:4b4 Phase 1 SA accepted: transform=1<br> 3-16: 16:51:17:125:4b4 SA - Oakley proposal accepted
<br> 3-16: 16:51:17:125:4b4 processing payload VENDOR ID<br> 3-16: 16:51:17:125:4b4 processing payload VENDOR ID<br> 3-16: 16:51:17:125:4b4 processing payload VENDOR ID<br> 3-16: 16:51:17:125:4b4 Received VendorId draft-ietf-ipsec-nat-t-ike-02
<br> 3-16: 16:51:17:125:4b4 ClearFragList<br> 3-16: 16:51:17:125:4b4 constructing ISAKMP Header<br> 3-16: 16:51:17:140:4b4 constructing KE<br> 3-16: 16:51:17:140:4b4 constructing NONCE (ISAKMP)<br> 3-16: 16:51:17:140:4b4 Constructing NatDisc
<br> 3-16: 16:51:17:140:4b4 <br> 3-16: 16:51:17:140:4b4 Sending: SA = 0x00100670 to 192.168.1.55:Type 2.500<br> 3-16: 16:51:17:140:4b4 ISAKMP Header: (V1.0), len = 232<br> 3-16: 16:51:17:140:4b4 I-COOKIE 43bb6858fc51edbb
<br> 3-16: 16:51:17:140:4b4 R-COOKIE 40e15c4e47162b21<br> 3-16: 16:51:17:140:4b4 exchange: Oakley Main Mode<br> 3-16: 16:51:17:140:4b4 flags: 0<br> 3-16: 16:51:17:140:4b4 next payload: KE<br> 3-16: 16:51:17:140:4b4 message ID: 00000000
<br> 3-16: 16:51:17:140:4b4 Ports S:f401 D:f401<br> 3-16: 16:51:17:187:4b4 <br> 3-16: 16:51:17:187:4b4 Receive: (get) SA = 0x00100670 from 192.168.1.55.500<br> 3-16: 16:51:17:187:4b4 ISAKMP Header: (V1.0), len = 228<br> 3-16: 16:51:17:187:4b4 I-COOKIE 43bb6858fc51edbb
<br> 3-16: 16:51:17:203:4b4 R-COOKIE 40e15c4e47162b21<br> 3-16: 16:51:17:203:4b4 exchange: Oakley Main Mode<br> 3-16: 16:51:17:203:4b4 flags: 0<br> 3-16: 16:51:17:203:4b4 next payload: KE<br> 3-16: 16:51:17:203:4b4 message ID: 00000000
<br> 3-16: 16:51:17:203:4b4 processing payload KE<br> 3-16: 16:51:17:203:4b4 processing payload NONCE<br> 3-16: 16:51:17:203:4b4 processing payload NATDISC<br> 3-16: 16:51:17:203:4b4 Processing NatHash<br> 3-16: 16:51:17:203:4b4 Nat hash 6b64b2dab3aedfb978ffda8a177a6764
<br> 3-16: 16:51:17:203:4b4 a1723a34<br> 3-16: 16:51:17:203:4b4 SA StateMask2 f<br> 3-16: 16:51:17:203:4b4 processing payload NATDISC<br> 3-16: 16:51:17:203:4b4 Processing NatHash<br> 3-16: 16:51:17:203:4b4 Nat hash 00a452b48caabe70ba770ab72766a69c
<br> 3-16: 16:51:17:203:4b4 9baa34dc<br> 3-16: 16:51:17:203:4b4 SA StateMask2 4f<br> 3-16: 16:51:17:203:4b4 ClearFragList<br> 3-16: 16:51:17:203:4b4 Peer behind NAT<br> 3-16: 16:51:17:203:4b4 Floated Ports Orig Me:f401 Peer:f401
<br> 3-16: 16:51:17:203:4b4 Floated Ports Me:9411 Peer:9411<br> 3-16: 16:51:17:203:4b4 constructing ISAKMP Header<br> 3-16: 16:51:17:203:4b4 constructing ID<br> 3-16: 16:51:17:203:4b4 Received no valid CRPs. Using all configured
<br> 3-16: 16:51:17:203:4b4 Looking for IPSec only cert<br> 3-16: 16:51:17:250:4b4 Cert Trustes. 0 100<br> 3-16: 16:51:17:250:4b4 Cert SHA Thumbprint 9f120fd256be49e28c1df547aef9a125<br> 3-16: 16:51:17:250:4b4 6ebef09e<br>
3-16: 16:51:17:250:4b4 CertFindExtenstion failed with 0<br> 3-16: 16:51:17:390:4b4 Entered CRL check<br> 3-16: 16:51:17:421:4b4 Left CRL check<br> 3-16: 16:51:17:421:4b4 Cert SHA Thumbprint 9f120fd256be49e28c1df547aef9a125
<br> 3-16: 16:51:17:421:4b4 6ebef09e<br>
 3-16: 16:51:17:421:4b4 SubjectName: C=CA, S=Ontario, O=Springboard Retail Networks Inc., CN=laptop, E=laptop@springboardnetworks.com<br>
 3-16: 16:51:17:421:4b4 Cert Serialnumber 02<br>
 3-16: 16:51:17:421:4b4 Cert SHA Thumbprint 9f120fd256be49e28c1df547aef9a125<br>
 3-16: 16:51:17:421:4b4 6ebef09e<br>
 3-16: 16:51:17:421:4b4 SubjectName: C=CA, S=Ontario, L=Toronto, O=Springboard Retail Networks Inc., CN=OzgUN, E=ozgun@springboardnetworks.com<br>
 3-16: 16:51:17:421:4b4 Cert Serialnumber 7ce887a3f0e91dc800<br>
 3-16: 16:51:17:421:4b4 Cert SHA Thumbprint f248c0125dda62bb3fa6c304e1784f8f
<br> 3-16: 16:51:17:421:4b4 0225315f<br> 3-16: 16:51:17:421:4b4 Not storing My cert chain in SA.<br> 3-16: 16:51:17:421:4b4 MM ID Type 9<br> 3-16: 16:51:17:421:4b4 MM ID 30818a310b3009060355040613024341<br> 3-16: 16:51:17:421:4b4 3110300e060355040813074f6e746172
<br> 3-16: 16:51:17:421:4b4 696f31293027060355040a1320537072<br> 3-16: 16:51:17:421:4b4 696e67626f6172642052657461696c20<br> 3-16: 16:51:17:421:4b4 4e6574776f726b7320496e632e310f30<br> 3-16: 16:51:17:421:4b4 0d060355040313066c6170746f70312d
<br> 3-16: 16:51:17:421:4b4 302b06092a864886f70d010901161e6c<br> 3-16: 16:51:17:421:4b4 6170746f7040737072696e67626f6172<br> 3-16: 16:51:17:421:4b4 646e6574776f726b732e636f6d<br> 3-16: 16:51:17:421:4b4 constructing CERT<br>
 3-16: 16:51:17:437:4b4 Construct SIG<br>
 3-16: 16:51:17:437:4b4 Constructing Cert Request<br>
 3-16: 16:51:17:437:4b4 C=CA, S=Ontario, L=Toronto, O=Springboard Retail Networks Inc., CN=OzgUN, E=ozgun@springboardnetworks.com<br>
 3-16: 16:51:17:437:4b4 <br>
 3-16: 16:51:17:437:4b4 Sending: SA = 0x00100670 to 192.168.1.55:Type 2.4500<br>
 3-16: 16:51:17:437:4b4 ISAKMP Header: (V1.0), len = 1452<br>
 3-16: 16:51:17:437:4b4 I-COOKIE 43bb6858fc51edbb<br>
 3-16: 16:51:17:437:4b4 R-COOKIE 40e15c4e47162b21<br>
 3-16: 16:51:17:437:4b4 exchange: Oakley Main Mode<br>
 3-16: 16:51:17:437:4b4 flags: 1 ( encrypted )
<br> 3-16: 16:51:17:437:4b4 next payload: ID<br> 3-16: 16:51:17:437:4b4 message ID: 00000000<br> 3-16: 16:51:17:437:4b4 Ports S:9411 D:9411<br> 3-16: 16:51:18:500:e5c retransmit: sa = 00100670 centry 00000000 , count = 1
<br> 3-16: 16:51:18:500:e5c <br> 3-16: 16:51:18:500:e5c Sending: SA = 0x00100670 to 192.168.1.55:Type 2.4500<br> 3-16: 16:51:18:500:e5c ISAKMP Header: (V1.0), len = 1452<br> 3-16: 16:51:18:500:e5c I-COOKIE 43bb6858fc51edbb
<br> 3-16: 16:51:18:500:e5c R-COOKIE 40e15c4e47162b21<br> 3-16: 16:51:18:500:e5c exchange: Oakley Main Mode<br> 3-16: 16:51:18:500:e5c flags: 1 ( encrypted )<br> 3-16: 16:51:18:500:e5c next payload: ID<br> 3-16: 16:51:18:500:e5c message ID: 00000000
<br> 3-16: 16:51:18:500:e5c Ports S:9411 D:9411<br> 3-16: 16:51:20:500:e5c retransmit: sa = 00100670 centry 00000000 , count = 2<br> 3-16: 16:51:20:500:e5c <br> 3-16: 16:51:20:500:e5c Sending: SA = 0x00100670 to 192.168.1.55:Type
2.4500<br> 3-16: 16:51:20:500:e5c ISAKMP Header: (V1.0), len = 1452<br> 3-16: 16:51:20:500:e5c I-COOKIE 43bb6858fc51edbb<br> 3-16: 16:51:20:500:e5c R-COOKIE 40e15c4e47162b21<br> 3-16: 16:51:20:500:e5c exchange: Oakley Main Mode
<br> 3-16: 16:51:20:500:e5c flags: 1 ( encrypted )<br> 3-16: 16:51:20:500:e5c next payload: ID<br> 3-16: 16:51:20:500:e5c message ID: 00000000<br> 3-16: 16:51:20:500:e5c Ports S:9411 D:9411<br> 3-16: 16:51:24:500:e5c retransmit: sa = 00100670 centry 00000000 , count = 3
<br> 3-16: 16:51:24:500:e5c <br> 3-16: 16:51:24:500:e5c Sending: SA = 0x00100670 to 192.168.1.55:Type 2.4500<br> 3-16: 16:51:24:500:e5c ISAKMP Header: (V1.0), len = 1452<br> 3-16: 16:51:24:500:e5c I-COOKIE 43bb6858fc51edbb
<br> 3-16: 16:51:24:500:e5c R-COOKIE 40e15c4e47162b21<br> 3-16: 16:51:24:500:e5c exchange: Oakley Main Mode<br> 3-16: 16:51:24:500:e5c flags: 1 ( encrypted )<br> 3-16: 16:51:24:500:e5c next payload: ID<br> 3-16: 16:51:24:500:e5c message ID: 00000000
<br> 3-16: 16:51:24:500:e5c Ports S:9411 D:9411<br> 3-16: 16:51:27:187:4b4 <br> 3-16: 16:51:27:187:4b4 Receive: (get) SA = 0x00100670 from 192.168.1.55.500<br> 3-16: 16:51:27:187:4b4 ISAKMP Header: (V1.0), len = 228<br> 3-16: 16:51:27:187:4b4 I-COOKIE 43bb6858fc51edbb
<br> 3-16: 16:51:27:187:4b4 R-COOKIE 40e15c4e47162b21<br> 3-16: 16:51:27:187:4b4 exchange: Oakley Main Mode<br> 3-16: 16:51:27:187:4b4 flags: 0<br> 3-16: 16:51:27:187:4b4 next payload: KE<br> 3-16: 16:51:27:187:4b4 message ID: 00000000
<br> 3-16: 16:51:27:187:4b4 received an unencrypted packet when crypto active<br> 3-16: 16:51:27:187:4b4 GetPacket failed 35ec<br> 3-16: 16:51:32:234:8cc isadb_schedule_kill_oldPolicy_sas: 09ac27ce-92bf-448c-acd93156372600a9 4
<br> 3-16: 16:51:32:234:8cc isadb_schedule_kill_oldPolicy_sas: 7eb795d1-cfdf-4cb1-9d031df3be0cca58 4<br> 3-16: 16:51:32:234:8cc isadb_schedule_kill_oldPolicy_sas: c1087638-95ed-4659-b8377676688f625d 3<br> 3-16: 16:51:32:234:8cc isadb_schedule_kill_oldPolicy_sas: e82e86b6-2d2d-4e40-85735376ab40cbca 3
<br> 3-16: 16:51:32:234:8cc isadb_schedule_kill_oldPolicy_sas: 4f69adbf-8118-4fcd-8eb6cc399740f924 1<br> 3-16: 16:51:32:234:8cc isadb_schedule_kill_oldPolicy_sas: 07b607f8-6ab7-44b4-b990cb9cde8ffac8 2<br> 3-16: 16:51:32:234:4b4 entered kill_old_policy_sas 4
<br> 3-16: 16:51:32:234:4b4 SA Dead. sa:00100670 status:3619<br> 3-16: 16:51:32:234:4b4 isadb_set_status sa:00100670 centry:00000000 status 3619<br> 3-16: 16:51:32:296:e48 entered kill_old_policy_sas 4<br> 3-16: 16:51:32:343:4b4 Key Exchange Mode (Main Mode)
<br> 3-16: 16:51:32:343:4b4 Source IP Address 192.168.1.68 Source IP Address Mask 255.255.255.255 Destination IP Address 192.168.1.55 Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr 192.168.1.68 IKE Peer Addr 192.168.1.55<br>
 3-16: 16:51:32:343:4b4 Certificate based Identity. Peer Subject Peer SHA Thumbprint 0000000000000000000000000000000000000000 Peer Issuing Certificate Authority Root Certificate Authority My Subject C=CA, S=Ontario, O=Springboard Retail Networks Inc., CN=laptop, E=laptop@springboardnetworks.com My SHA Thumbprint 9f120fd256be49e28c1df547aef9a1256ebef09e Peer IP Address: 192.168.1.55<br>
 3-16: 16:51:32:343:4b4 Me<br>
 3-16: 16:51:32:343:4b4 New policy invalidated SAs formed with old policy<br>
 3-16: 16:51:32:343:4b4 0x0 0x0<br>
 3-16: 16:51:32:343:4b4 constructing ISAKMP Header<br>
 3-16: 16:51:32:343:4b4 constructing HASH (null)
<br> 3-16: 16:51:32:343:4b4 constructing DELETE. MM 00100670<br> 3-16: 16:51:32:343:4b4 constructing HASH (Notify/Delete)<br> 3-16: 16:51:32:343:4b4 <br> 3-16: 16:51:32:343:4b4 Sending: SA = 0x00100670 to 192.168.1.55:Type
1.4500<br> 3-16: 16:51:32:343:4b4 ISAKMP Header: (V1.0), len = 84<br> 3-16: 16:51:32:343:4b4 I-COOKIE 43bb6858fc51edbb<br> 3-16: 16:51:32:343:4b4 R-COOKIE 40e15c4e47162b21<br> 3-16: 16:51:32:343:4b4 exchange: ISAKMP Informational Exchange
<br> 3-16: 16:51:32:343:4b4 flags: 1 ( encrypted )<br> 3-16: 16:51:32:343:4b4 next payload: HASH<br> 3-16: 16:51:32:343:4b4 message ID: a209e9cd<br> 3-16: 16:51:32:343:4b4 Ports S:9411 D:9411<br> 3-16: 16:51:32:343:4b4 entered kill_old_policy_sas 3
<br> 3-16: 16:51:32:343:4b4 entered kill_old_policy_sas 3<br> 3-16: 16:51:32:343:4b4 entered kill_old_policy_sas 1<br> 3-16: 16:51:32:343:4b4 entered kill_old_policy_sas 2<br> 3-16: 16:51:47:218:4b4 <br> 3-16: 16:51:47:218:4b4 Receive: (get) SA = 0x00000000 from
192.168.1.55.500<br> 3-16: 16:51:47:218:4b4 ISAKMP Header: (V1.0), len = 228<br> 3-16: 16:51:47:218:4b4 I-COOKIE 43bb6858fc51edbb<br> 3-16: 16:51:47:218:4b4 R-COOKIE 40e15c4e47162b21<br> 3-16: 16:51:47:218:4b4 exchange: Oakley Main Mode
<br> 3-16: 16:51:47:218:4b4 flags: 0<br> 3-16: 16:51:47:218:4b4 next payload: KE<br> 3-16: 16:51:47:218:4b4 message ID: 00000000<br> 3-16: 16:51:47:218:4b4 invalid cookie received<br> 3-16: 16:52:16:78:4b4 ClearFragList
<br></font></div>
<div><font size="2"></font> </div>
<div><font size="2">--HERE IS THE LOG FILE FROM WINDOWS EVENT VIEWER</font></div>
<div><font size="2"></font> </div>
<div><font size="2"><font size="1">
<p><font size="2">IKE security association negotiation failed.</font></p>
<p><font size="2">Mode: </font></p>
<p><font size="2">Key Exchange Mode (Main Mode)</font></p>
<p><font size="2">Filter: </font></p>
<p><font size="2">Source IP Address 192.168.1.68</font></p>
<p><font size="2">Source IP Address Mask 255.255.255.255</font></p>
<p><font size="2">Destination IP Address 192.168.1.55</font></p>
<p><font size="2">Destination IP Address Mask 255.255.255.255</font></p>
<p><font size="2">Protocol 0</font></p>
<p><font size="2">Source Port 0</font></p>
<p><font size="2">Destination Port 0</font></p>
<p><font size="2">IKE Local Addr 192.168.1.68</font></p>
<p><font size="2">IKE Peer Addr 192.168.1.55</font></p>
<p><font size="2">Peer Identity: </font></p>
<p><font size="2">Certificate based Identity. </font></p>
<p><font size="2">Peer Subject </font></p>
<p><font size="2">Peer SHA Thumbprint 0000000000000000000000000000000000000000</font></p>
<p><font size="2">Peer Issuing Certificate Authority </font></p>
<p><font size="2">Root Certificate Authority </font></p>
<p><font size="2">My Subject C=CA, S=Ontario, O=Springboard Retail Networks Inc., CN=laptop, E=<a href="mailto:laptop@springboardnetworks.com">laptop@springboardnetworks.com</a></font></p>
<p><font size="2">My SHA Thumbprint 9f120fd256be49e28c1df547aef9a1256ebef09e</font></p>
<p><font size="2">Peer IP Address: 192.168.1.55</font></p>
<p><font size="2">Failure Point: </font></p>
<p><font size="2">Me</font></p>
<p><font size="2">Failure Reason: </font></p>
<p><font size="2">New policy invalidated SAs formed with old policy</font></p>
<p><font size="2">Extra Status: </font></p>
<p><font size="2">0x0 0x0</font></p></font></font></div>
<div> </div>
<div>-- AND HERE IS THE LOG FILE FROM /var/log/messages at the Linux Machine</div>
<div> </div>
<div>Mar 16 16:51:33 linuxserver pluto[6114]: packet from 192.168.1.68:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]<br>
Mar 16 16:51:33 linuxserver pluto[6114]: packet from 192.168.1.68:500: ignoring Vendor ID payload [FRAGMENTATION]<br>
Mar 16 16:51:33 linuxserver pluto[6114]: packet from 192.168.1.68:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106<br>
Mar 16 16:51:33 linuxserver pluto[6114]: packet from 192.168.1.68:500: ignoring Vendor ID payload [Vid-Initial-Contact]<br>
Mar 16 16:51:33 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68 #16: responding to Main Mode from unknown peer 192.168.1.68<br>
Mar 16 16:51:33 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68 #16: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Mar 16 16:51:33 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68 #16: STATE_MAIN_R1: sent MR1, expecting MI2<br>
Mar 16 16:51:34 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68 #16: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed<br>
Mar 16 16:51:34 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68 #16: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
Mar 16 16:51:34 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68 #16: STATE_MAIN_R2: sent MR2, expecting MI3<br>
Mar 16 16:52:44 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68 #16: max number of retransmissions (2) reached STATE_MAIN_R2<br>
Mar 16 16:52:44 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68: deleting connection "roadwarrior" instance with peer 192.168.1.68 {isakmp=#0/ipsec=#0}<br> </div>
<div> </div>
<div> </div>
<div>Could you please tell me what I am missing to make this IPSec VPN connection work?</div>
<div> </div>
<div> </div>
<div> </div>
<div>Thank you very much in advance for your time and effort.</div>
<div> </div>
<div> </div>
<div> </div>
<div>Can Akalin</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
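<div>An added example, not part of the original post and not Openswan code: a small Python triage script for pluto lines like those quoted from /var/log/messages above. It follows each Main Mode negotiation and flags one that times out in STATE_MAIN_R2 after NAT was detected, which is the step where the quoted oakley.log shows the Windows side sending to port 4500. The function names and the second negotiation (#17) in the sample are assumptions made for illustration.</div>

```python
import re

# Responder-side lines for SA #16 are copied from the post's
# /var/log/messages excerpt. The #17 lines are constructed for contrast:
# a negotiation that gets past STATE_MAIN_R2.
SAMPLE_LOG = """\
Mar 16 16:51:33 linuxserver pluto[6114]: packet from 192.168.1.68:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar 16 16:51:33 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68 #16: responding to Main Mode from unknown peer 192.168.1.68
Mar 16 16:51:33 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68 #16: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 16 16:51:33 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68 #16: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 16 16:51:34 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68 #16: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Mar 16 16:51:34 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68 #16: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 16 16:51:34 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68 #16: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 16 16:52:44 linuxserver pluto[6114]: "roadwarrior"[13] 192.168.1.68 #16: max number of retransmissions (2) reached STATE_MAIN_R2
Mar 16 17:05:02 linuxserver pluto[6114]: "roadwarrior"[14] 192.168.1.68 #17: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 16 17:05:02 linuxserver pluto[6114]: "roadwarrior"[14] 192.168.1.68 #17: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Mar 16 17:05:02 linuxserver pluto[6114]: "roadwarrior"[14] 192.168.1.68 #17: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 16 17:05:03 linuxserver pluto[6114]: "roadwarrior"[14] 192.168.1.68 #17: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"""

# Per-SA pluto line: "conn"[instance] peer #serial: message
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) '
    r'#(?P<sa>\d+): (?P<msg>.*)$'
)
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")
NAT_RE = re.compile(r"NAT-Traversal: Result using \S+: (.+)$")
STALL_RE = re.compile(r"max number of retransmissions \((\d+)\) reached (\S+)")

# Message the responder is waiting for in each Main Mode state.
AWAITED = {"STATE_MAIN_R1": "MI2", "STATE_MAIN_R2": "MI3"}


def explain(rec):
    """Turn a stalled negotiation into a one-line finding, or None."""
    state = rec["stalled_in"]
    if state is None:
        return None
    awaited = AWAITED.get(state, "the next message")
    nat_seen = rec["nat"] is not None and rec["nat"] != "no NAT detected"
    if state == "STATE_MAIN_R2" and nat_seen:
        # Once NAT is detected the initiator floats IKE from UDP 500 to
        # UDP 4500 for its next message (RFC 3947 behaviour).
        return (f"{awaited} never arrived after NAT-T reported '{rec['nat']}'; "
                "with NAT detected the initiator sends it to UDP 4500, so "
                "check that UDP 4500 is allowed by every firewall in the path")
    return f"{awaited} never arrived while the responder waited in {state}"


def analyse(log_text):
    """Group pluto lines by SA and report where each negotiation ended."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. "packet from ..." lines carry no SA serial
        key = (m["conn"], m["peer"], int(m["sa"]))
        rec = sas.setdefault(key, {
            "conn": m["conn"], "peer": m["peer"], "sa": int(m["sa"]),
            "states": [], "nat": None, "stalled_in": None,
        })
        msg = m["msg"]
        if (t := TRANSITION_RE.search(msg)):
            rec["states"].append(t.group(2))
        elif (n := NAT_RE.search(msg)):
            rec["nat"] = n.group(1)
        elif (s := STALL_RE.search(msg)):
            rec["stalled_in"] = s.group(2)
    for rec in sas.values():
        rec["finding"] = explain(rec)
    return list(sas.values())


if __name__ == "__main__":
    for rec in analyse(SAMPLE_LOG):
        last = rec["states"][-1] if rec["states"] else "none"
        print(f'#{rec["sa"]} {rec["conn"]} {rec["peer"]}: last state {last}')
        if rec["finding"]:
            print("  finding:", rec["finding"])
```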