[Openswan Users]

Robert W. Burgholzer rburgholzer at maptech-inc.com
Mon Aug 30 17:48:12 CEST 2004


LapTop Windows XP to freeswan 2.04

Laptop is using a wireless lan card, going through a router via a dynamic 
IP. The initial connection is reported by the gateway, but then radio 
silence in the freeswan logs. Meanwhile, the oakley.log reports two 
messages that seem bad to me: "CertFindExtenstion failed with 0" and 
"received an unencrypted packet when crypto active". I saw some postings 
that suggested some packet fragmentation was occurring (which is beyond my 
knowledge), so I regenerated the client certificate with 1024 bits, as this 
was a solution that supposedly worked before. No luck for me however. I am 
using the same ipsec.conf setup on the WinXP side as I have used for other 
WinXP clients that have had no trouble. The only difference that I can see 
initially is that the other clients (the ones that work) are not wireless.

Below are my freeswan logs, and oakley logs, any help would be appreciated.

Thanks,
Robert

Linux side:
Aug 30 16:23:01 www2 pluto[2485]: packet from 66.207.89.15:500: received 
Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Aug 30 16:23:01 www2 pluto[2485]: "maptech-client"[132] 66.207.89.15 #4623: 
responding to Main Mode from unknown peer 66.207.89.15
Aug 30 16:24:05 www2 pluto[2485]: "maptech-client"[132] 66.207.89.15 #4623: 
encrypted Informational Exchange message is invalid because it is for 
incomplete ISAKMP SA


Client oakley.log:
  8-30: 15:57:57:752:714 entered kill_old_policy_sas
  8-30: 15:58:18:301:b0 Acquire from driver: op=FFA6ADC0 src=192.168.0.100.0
dst=192.168.1.201.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.0,
Tunnel 1, TunnelEndpt=a.b.c.d Inbound TunnelEndpt=192.168.0.100
  8-30: 15:58:18:331:714 Filter to match: Src a.b.c.d Dst 192.168.0.100
  8-30: 15:58:18:391:714 MM PolicyName: 3
  8-30: 15:58:18:391:714 MMPolicy dwFlags 2 SoftSAExpireTime 28800
  8-30: 15:58:18:391:714 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
  8-30: 15:58:18:421:714 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
  8-30: 15:58:18:421:714 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
  8-30: 15:58:18:421:714 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
  8-30: 15:58:18:421:714 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
  8-30: 15:58:18:421:714 MMOffer[2] Encrypt: DES CBC Hash: SHA
  8-30: 15:58:18:421:714 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
  8-30: 15:58:18:421:714 MMOffer[3] Encrypt: DES CBC Hash: MD5
  8-30: 15:58:18:421:714 Auth[0]:RSA Sig C=US, S=Virginia, L=Blacksburg,
O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com,
E=rburgholzer at maptech-inc.com
  8-30: 15:58:18:421:714 QM PolicyName: Host-maptech-client filter action
dwFlags 1
  8-30: 15:58:18:421:714 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
  8-30: 15:58:18:421:714 QMOffer[0] dwFlags 0 dwPFSGroup 268435456
  8-30: 15:58:18:421:714  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
  8-30: 15:58:18:421:714 Starting Negotiation: src = 192.168.0.100.0000, dst =
12.5.17.226.0500, proto = 00, context = FFA6ADC0, ProxySrc =
192.168.0.100.0000, ProxyDst = 192.168.1.0.0000 SrcMask = 255.255.255.255
DstMask = 255.255.255.0
  8-30: 15:58:18:421:714 constructing ISAKMP Header
  8-30: 15:58:18:421:714 constructing SA (ISAKMP)
  8-30: 15:58:18:421:714 Constructing Vendor
  8-30: 15:58:18:421:714
  8-30: 15:58:18:421:714 Sending: SA = 0x000FEA00 to 12.5.17.226:Type 2
  8-30: 15:58:18:431:714 ISAKMP Header: (V1.0), len = 216
  8-30: 15:58:18:431:714   I-COOKIE 72db281985c1bc2a
  8-30: 15:58:18:431:714   R-COOKIE 0000000000000000
  8-30: 15:58:18:431:714   exchange: Oakley Main Mode
  8-30: 15:58:18:431:714   flags: 0
  8-30: 15:58:18:431:714   next payload: SA
  8-30: 15:58:18:431:714   message ID: 00000000
  8-30: 15:58:18:542:714
  8-30: 15:58:18:542:714 Receive: (get) SA = 0x000fea00 from 12.5.17.226
  8-30: 15:58:18:542:714 ISAKMP Header: (V1.0), len = 84
  8-30: 15:58:18:542:714   I-COOKIE 72db281985c1bc2a
  8-30: 15:58:18:542:714   R-COOKIE 1830a6b579ac5c77
  8-30: 15:58:18:542:714   exchange: Oakley Main Mode
  8-30: 15:58:18:542:714   flags: 0
  8-30: 15:58:18:542:714   next payload: SA
  8-30: 15:58:18:542:714   message ID: 00000000
  8-30: 15:58:18:542:714 processing payload SA
  8-30: 15:58:18:542:714 Received Phase 1 Transform 1
  8-30: 15:58:18:542:714      Encryption Alg Triple DES CBC(5)
  8-30: 15:58:18:542:714      Hash Alg SHA(2)
  8-30: 15:58:18:542:714      Oakley Group 2
  8-30: 15:58:18:542:714      Auth Method RSA Signature with Certificates(3)
  8-30: 15:58:18:542:714      Life type in Seconds
  8-30: 15:58:18:542:714      Life duration of 28800
  8-30: 15:58:18:542:714 Phase 1 SA accepted: transform=1
  8-30: 15:58:18:542:714 SA - Oakley proposal accepted
  8-30: 15:58:18:542:714 constructing ISAKMP Header
  8-30: 15:58:18:712:714 constructing KE
  8-30: 15:58:18:712:714 constructing NONCE (ISAKMP)
  8-30: 15:58:18:712:714
  8-30: 15:58:18:712:714 Sending: SA = 0x000FEA00 to 12.5.17.226:Type 2
  8-30: 15:58:18:712:714 ISAKMP Header: (V1.0), len = 184
  8-30: 15:58:18:712:714   I-COOKIE 72db281985c1bc2a
  8-30: 15:58:18:712:714   R-COOKIE 1830a6b579ac5c77
  8-30: 15:58:18:712:714   exchange: Oakley Main Mode
  8-30: 15:58:18:712:714   flags: 0
  8-30: 15:58:18:712:714   next payload: KE
  8-30: 15:58:18:712:714   message ID: 00000000
  8-30: 15:58:18:862:714
  8-30: 15:58:18:862:714 Receive: (get) SA = 0x000fea00 from 12.5.17.226
  8-30: 15:58:18:862:714 ISAKMP Header: (V1.0), len = 188
  8-30: 15:58:18:862:714   I-COOKIE 72db281985c1bc2a
  8-30: 15:58:18:862:714   R-COOKIE 1830a6b579ac5c77
  8-30: 15:58:18:862:714   exchange: Oakley Main Mode
  8-30: 15:58:18:862:714   flags: 0
  8-30: 15:58:18:862:714   next payload: KE
  8-30: 15:58:18:862:714   message ID: 00000000
  8-30: 15:58:18:862:714 processing payload KE
  8-30: 15:58:18:922:714 processing payload NONCE
  8-30: 15:58:18:922:714 processing payload CRP
  8-30: 15:58:18:922:714 constructing ISAKMP Header
  8-30: 15:58:18:922:714 constructing ID
  8-30: 15:58:18:922:714 Received no valid CRPs.  Using all configured
  8-30: 15:58:18:922:714 Looking for IPSec only cert
  8-30: 15:58:18:972:714 Cert Trustes.  0 100
  8-30: 15:58:18:972:714 CertFindExtenstion failed with 0

  8-30: 15:58:19:12:714 Entered CRL check
  8-30: 15:58:19:42:714 Left CRL check
  8-30: 15:58:19:42:714 Cert SHA Thumbprint eda6d473e2ca6ccaa5229d81606cd2d8
  8-30: 15:58:19:42:714 e55134ec
  8-30: 15:58:19:42:714 SubjectName: C=US, S=Virginia, L=Christiansburg,
O=MapTech Incorporated, OU=fieldservices, CN=maptechfs2,
E=efitchett at maptech-inc.com
  8-30: 15:58:19:42:714 Cert Serialnumber 09
  8-30: 15:58:19:42:714 Cert SHA Thumbprint eda6d473e2ca6ccaa5229d81606cd2d8
  8-30: 15:58:19:42:714 e55134ec
  8-30: 15:58:19:42:714 SubjectName: C=US, S=Virginia, L=Blacksburg, O=MapTech
Incorporated, OU=Network, CN=www2.maptech-inc.com,
E=rburgholzer at maptech-inc.com
  8-30: 15:58:19:42:714 Cert Serialnumber 00
  8-30: 15:58:19:42:714 Cert SHA Thumbprint 17c99d27eb1ee0efd37f17b294558bf1
  8-30: 15:58:19:42:714 81e25bbb
  8-30: 15:58:19:52:714 constructing CERT
  8-30: 15:58:19:52:714 Construct SIG
  8-30: 15:58:19:162:714 Constructing Cert Request
  8-30: 15:58:19:172:714 C=US, S=Virginia, L=Blacksburg, O=MapTech
Incorporated, OU=Network, CN=www2.maptech-inc.com,
E=rburgholzer at maptech-inc.com
  8-30: 15:58:19:172:714
  8-30: 15:58:19:172:714 Sending: SA = 0x000FEA00 to 12.5.17.226:Type 2
  8-30: 15:58:19:172:714 ISAKMP Header: (V1.0), len = 1980
  8-30: 15:58:19:172:714   I-COOKIE 72db281985c1bc2a
  8-30: 15:58:19:172:714   R-COOKIE 1830a6b579ac5c77
  8-30: 15:58:19:172:714   exchange: Oakley Main Mode
  8-30: 15:58:19:172:714   flags: 1 ( encrypted )
  8-30: 15:58:19:172:714   next payload: ID
  8-30: 15:58:19:172:714   message ID: 00000000
  8-30: 15:58:20:184:b8 retransmit: sa = 000FEA00 centry 00000000 , count = 1
  8-30: 15:58:20:184:b8
  8-30: 15:58:20:184:b8 Sending: SA = 0x000FEA00 to 12.5.17.226:Type 2
  8-30: 15:58:20:184:b8 ISAKMP Header: (V1.0), len = 1980
  8-30: 15:58:20:184:b8   I-COOKIE 72db281985c1bc2a
  8-30: 15:58:20:184:b8   R-COOKIE 1830a6b579ac5c77
  8-30: 15:58:20:184:b8   exchange: Oakley Main Mode
  8-30: 15:58:20:184:b8   flags: 1 ( encrypted )
  8-30: 15:58:20:184:b8   next payload: ID
  8-30: 15:58:20:184:b8   message ID: 00000000
  8-30: 15:58:22:187:b8 retransmit: sa = 000FEA00 centry 00000000 , count = 2
  8-30: 15:58:22:187:b8
  8-30: 15:58:22:187:b8 Sending: SA = 0x000FEA00 to 12.5.17.226:Type 2
  8-30: 15:58:22:187:b8 ISAKMP Header: (V1.0), len = 1980
  8-30: 15:58:22:187:b8   I-COOKIE 72db281985c1bc2a
  8-30: 15:58:22:187:b8   R-COOKIE 1830a6b579ac5c77
  8-30: 15:58:22:187:b8   exchange: Oakley Main Mode
  8-30: 15:58:22:187:b8   flags: 1 ( encrypted )
  8-30: 15:58:22:187:b8   next payload: ID
  8-30: 15:58:22:187:b8   message ID: 00000000
  8-30: 15:58:26:193:b8 retransmit: sa = 000FEA00 centry 00000000 , count = 3
  8-30: 15:58:26:193:b8
  8-30: 15:58:26:193:b8 Sending: SA = 0x000FEA00 to 12.5.17.226:Type 2
  8-30: 15:58:26:193:b8 ISAKMP Header: (V1.0), len = 1980
  8-30: 15:58:26:193:b8   I-COOKIE 72db281985c1bc2a
  8-30: 15:58:26:193:b8   R-COOKIE 1830a6b579ac5c77
  8-30: 15:58:26:193:b8   exchange: Oakley Main Mode
  8-30: 15:58:26:193:b8   flags: 1 ( encrypted )
  8-30: 15:58:26:193:b8   next payload: ID
  8-30: 15:58:26:193:b8   message ID: 00000000
  8-30: 15:58:28:856:714
  8-30: 15:58:28:856:714 Receive: (get) SA = 0x000fea00 from 12.5.17.226
  8-30: 15:58:28:856:714 ISAKMP Header: (V1.0), len = 188
  8-30: 15:58:28:856:714   I-COOKIE 72db281985c1bc2a
  8-30: 15:58:28:856:714   R-COOKIE 1830a6b579ac5c77
  8-30: 15:58:28:856:714   exchange: Oakley Main Mode
  8-30: 15:58:28:856:714   flags: 0
  8-30: 15:58:28:856:714   next payload: KE
  8-30: 15:58:28:856:714   message ID: 00000000
  8-30: 15:58:28:856:714 received an unencrypted packet when crypto active
  8-30: 15:58:28:856:714 GetPacket failed 35ec
  8-30: 15:58:34:194:b8 retransmit: sa = 000FEA00 centry 00000000 , count = 4
  8-30: 15:58:34:194:b8
  8-30: 15:58:34:194:b8 Sending: SA = 0x000FEA00 to 12.5.17.226:Type 2
  8-30: 15:58:34:194:b8 ISAKMP Header: (V1.0), len = 1980
  8-30: 15:58:34:194:b8   I-COOKIE 72db281985c1bc2a
  8-30: 15:58:34:194:b8   R-COOKIE 1830a6b579ac5c77
  8-30: 15:58:34:194:b8   exchange: Oakley Main Mode
  8-30: 15:58:34:194:b8   flags: 1 ( encrypted )
  8-30: 15:58:34:194:b8   next payload: ID
  8-30: 15:58:34:194:b8   message ID: 00000000
  8-30: 15:58:48:865:714
  8-30: 15:58:48:865:714 Receive: (get) SA = 0x000fea00 from 12.5.17.226
  8-30: 15:58:48:865:714 ISAKMP Header: (V1.0), len = 188
  8-30: 15:58:48:865:714   I-COOKIE 72db281985c1bc2a
  8-30: 15:58:48:865:714   R-COOKIE 1830a6b579ac5c77
  8-30: 15:58:48:865:714   exchange: Oakley Main Mode
  8-30: 15:58:48:865:714   flags: 0
  8-30: 15:58:48:865:714   next payload: KE
  8-30: 15:58:48:865:714   message ID: 00000000
  8-30: 15:58:48:865:714 received an unencrypted packet when crypto active
  8-30: 15:58:48:865:714 GetPacket failed 35ec
  8-30: 15:58:50:197:b8 retransmit: sa = 000FEA00 centry 00000000 , count = 5
  8-30: 15:58:50:197:b8
  8-30: 15:58:50:197:b8 Sending: SA = 0x000FEA00 to 12.5.17.226:Type 2
  8-30: 15:58:50:197:b8 ISAKMP Header: (V1.0), len = 1980
  8-30: 15:58:50:197:b8   I-COOKIE 72db281985c1bc2a
  8-30: 15:58:50:197:b8   R-COOKIE 1830a6b579ac5c77
  8-30: 15:58:50:197:b8   exchange: Oakley Main Mode
  8-30: 15:58:50:197:b8   flags: 1 ( encrypted )
  8-30: 15:58:50:197:b8   next payload: ID
  8-30: 15:58:50:197:b8   message ID: 00000000
  8-30: 15:59:22:203:b8 retransmit exhausted: sa = 000FEA00 centry 00000000,
count = 6
  8-30: 15:59:22:203:b8 SA Dead. sa:000FEA00 status:35ed
  8-30: 15:59:22:203:b8 isadb_set_status sa:000FEA00 centry:00000000 status
35ed
  8-30: 15:59:22:574:b8 Key Exchange Mode (Main Mode)


  8-30: 15:59:22:584:b8 Source IP Address 192.168.0.100

Source IP Address Mask 255.255.255.255

Destination IP Address 12.5.17.226

Destination IP Address Mask 255.255.255.255

Protocol 0

Source Port 0

Destination Port 0

IKE Local Addr

IKE Peer Addr


  8-30: 15:59:22:584:b8 Certificate based Identity.

Peer Subject

Peer SHA Thumbprint 0000000000000000000000000000000000000000

Peer Issuing Certificate Authority

Root Certificate Authority

My Subject C=US, S=Virginia, L=Christiansburg, O=MapTech Incorporated,
OU=fieldservices, CN=maptechfs2, E=efitchett at maptech-inc.com

My SHA Thumbprint eda6d473e2ca6ccaa5229d81606cd2d8e55134ec

Peer IP Address: 12.5.17.226


  8-30: 15:59:22:584:b8 Me


  8-30: 15:59:22:584:b8 Negotiation timed out


  8-30: 15:59:22:584:b8 0x0 0x0
  8-30: 15:59:22:584:b8 constructing ISAKMP Header
  8-30: 15:59:22:584:b8 constructing HASH (null)
  8-30: 15:59:22:584:b8 constructing DELETE. MM 000FEA00
  8-30: 15:59:22:584:b8 constructing HASH (Notify/Delete)
  8-30: 15:59:22:584:b8
  8-30: 15:59:22:584:b8 Sending: SA = 0x000FEA00 to 12.5.17.226:Type 1
  8-30: 15:59:22:584:b8 ISAKMP Header: (V1.0), len = 84
  8-30: 15:59:22:584:b8   I-COOKIE 72db281985c1bc2a
  8-30: 15:59:22:584:b8   R-COOKIE 1830a6b579ac5c77
  8-30: 15:59:22:584:b8   exchange: ISAKMP Informational Exchange
  8-30: 15:59:22:584:b8   flags: 1 ( encrypted )
  8-30: 15:59:22:584:b8   next payload: HASH
  8-30: 15:59:22:584:b8   message ID: 7c20d95d



Robert Burgholzer
Environmental Engineer
MapTech Inc.
http://www.maptech-inc.com/ 
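An added troubleshooting aid, not part of Robert's post or of Openswan: a small Python scan of an oakley.log excerpt for the stall pattern his log shows, an encrypted 1980-byte Main Mode message (ID/CERT/SIG) retransmitted until exhausted while the gateway keeps re-sending its earlier, unencrypted KE message. The log excerpt is constructed in the oakley.log format and the 1400-byte threshold is an assumption; a "likely fragment drop" result is only a hint that the large IKE packet is being fragmented and dropped on the path, to be confirmed with a packet capture on both ends.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in oakley.log format, modelled on the post (not its full log).
SAMPLE_LOG = """\
  8-30: 15:58:19:172:714 Sending: SA = 0x000FEA00 to 12.5.17.226:Type 2
  8-30: 15:58:19:172:714 ISAKMP Header: (V1.0), len = 1980
  8-30: 15:58:19:172:714   flags: 1 ( encrypted )
  8-30: 15:58:20:184:b8 retransmit: sa = 000FEA00 centry 00000000 , count = 1
  8-30: 15:58:22:187:b8 retransmit: sa = 000FEA00 centry 00000000 , count = 2
  8-30: 15:58:28:856:714 Receive: (get) SA = 0x000fea00 from 12.5.17.226
  8-30: 15:58:28:856:714 ISAKMP Header: (V1.0), len = 188
  8-30: 15:58:28:856:714 received an unencrypted packet when crypto active
  8-30: 15:58:34:194:b8 retransmit: sa = 000FEA00 centry 00000000 , count = 3
  8-30: 15:59:22:203:b8 retransmit exhausted: sa = 000FEA00 centry 00000000, count = 4
"""

# Strip the "M-D: hh:mm:ss:ms:thread" prefix and keep the message text.
_PREFIX = re.compile(r"^\s*\d+-\d+: \d+:\d+:\d+:\d+:[0-9a-f]+\s*(.*)$")
_LEN = re.compile(r"ISAKMP Header: \(V1\.0\), len = (\d+)")

@dataclass
class Findings:
    largest_encrypted_send: int = 0    # bytes in the biggest encrypted packet we sent
    retransmits: int = 0               # "retransmit:" lines for our own packet
    unencrypted_while_active: int = 0  # peer re-sent a pre-crypto (KE) message

    def likely_fragment_drop(self, max_unfragmented_payload=1400):
        # Assumed threshold: a UDP payload above ~1400 bytes is normally IP-fragmented
        # on an Ethernet/Wi-Fi path, and some routers/NATs drop the fragments.
        return (self.largest_encrypted_send > max_unfragmented_payload
                and self.retransmits >= 3
                and self.unencrypted_while_active >= 1)

def analyze(log_text):
    f, direction, pending_len = Findings(), None, 0
    for msg in (m.group(1).strip() for m in map(_PREFIX.match, log_text.splitlines()) if m):
        lm = _LEN.search(msg)
        if msg.startswith(("Sending:", "Receive:")):   # a new packet description starts
            direction, pending_len = ("send" if msg.startswith("Sending:") else "recv"), 0
        elif lm:                                        # its header length follows
            pending_len = int(lm.group(1))
        elif msg.startswith("flags: 1") and direction == "send":   # ...then its flags
            f.largest_encrypted_send = max(f.largest_encrypted_send, pending_len)
        elif msg.startswith("retransmit:"):
            f.retransmits += 1
        elif msg == "received an unencrypted packet when crypto active":
            f.unencrypted_while_active += 1
    return f
```

Run it on a real oakley.log with `analyze(open(path).read()).likely_fragment_drop()`; a True result points at the encrypted message carrying the certificate, which is the one the gateway never acknowledges.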
