Netgate Discussion Forum

    Visual Guide to Configuring IPSec VPN using RSA + Xauth and iOS Roadwarriors

    IPsec
    23 Posts 5 Posters 39.5k Views
    • A
      azzido
      last edited by

      Had to split this in two since the post was too large.

      
      racoon: DEBUG: seen nptype=2(prop)
      racoon: DEBUG: succeed.
      racoon: DEBUG: proposal #1 len=172
      racoon: DEBUG: begin.
      racoon: DEBUG: seen nptype=3(trns)
      racoon: DEBUG: seen nptype=3(trns)
      racoon: DEBUG: seen nptype=3(trns)
      racoon: DEBUG: seen nptype=3(trns)
      racoon: DEBUG: seen nptype=3(trns)
      racoon: DEBUG: seen nptype=3(trns)
      racoon: DEBUG: succeed.
      racoon: DEBUG: transform #1 len=28
      racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
      racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
      racoon: DEBUG: life duration was in TLV.
      racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
      racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
      racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
      racoon: DEBUG: transform #2 len=28
      racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
      racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
      racoon: DEBUG: life duration was in TLV.
      racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
      racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
      racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
      racoon: DEBUG: transform #3 len=28
      racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
      racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
      racoon: DEBUG: life duration was in TLV.
      racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
      racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
      racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
      racoon: DEBUG: transform #4 len=28
      racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
      racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
      racoon: DEBUG: life duration was in TLV.
      racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
      racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
      racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
      racoon: DEBUG: transform #5 len=24
      racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
      racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
      racoon: DEBUG: life duration was in TLV.
      racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
      racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
      racoon: DEBUG: transform #6 len=24
      racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
      racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
      racoon: DEBUG: life duration was in TLV.
      racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
      racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
      racoon: DEBUG: pair 1:
      racoon: DEBUG:  0x28520760: next=0x0 tnext=0x28520770
      racoon: DEBUG:   0x28520770: next=0x0 tnext=0x28520780
      racoon: DEBUG:    0x28520780: next=0x0 tnext=0x28520790
      racoon: DEBUG:     0x28520790: next=0x0 tnext=0x285207a0
      racoon: DEBUG:      0x285207a0: next=0x0 tnext=0x285207b0
      racoon: DEBUG:       0x285207b0: next=0x0 tnext=0x0
      racoon: DEBUG: proposal #1: 6 transform
      racoon: DEBUG: begin compare proposals.
      racoon: DEBUG: pair[1]: 0x28520760
      racoon: DEBUG:  0x28520760: next=0x0 tnext=0x28520770
      racoon: DEBUG:   0x28520770: next=0x0 tnext=0x28520780
      racoon: DEBUG:    0x28520780: next=0x0 tnext=0x28520790
      racoon: DEBUG:     0x28520790: next=0x0 tnext=0x285207a0
      racoon: DEBUG:      0x285207a0: next=0x0 tnext=0x285207b0
      racoon: DEBUG:       0x285207b0: next=0x0 tnext=0x0
      racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=1 trns-id=AES
      racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
      racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
      racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
      racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
      racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
      racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=2 trns-id=AES
      racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
      racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
      racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
      racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
      racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
      racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=3 trns-id=AES
      racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
      racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
      racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
      racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
      racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
      racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=4 trns-id=AES
      racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
      racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
      racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
      racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
      racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
      racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=5 trns-id=3DES
      racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
      racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
      racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
      racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
      racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=6 trns-id=3DES
      racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
      racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
      racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
      racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
      racoon: DEBUG: peer's single bundle:
      racoon: DEBUG:  (proto_id=ESP spisize=4 spi=048ff404 spi_p=00000000 encmode=Tunnel reqid=0:0)
      racoon: DEBUG:   (trns_id=AES encklen=256 authtype=hmac-sha)
      racoon: DEBUG:   (trns_id=AES encklen=256 authtype=hmac-md5)
      racoon: DEBUG:   (trns_id=AES encklen=128 authtype=hmac-sha)
      racoon: DEBUG:   (trns_id=AES encklen=128 authtype=hmac-md5)
      racoon: DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-sha)
      racoon: DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-md5)
      racoon: DEBUG: my single bundle:
      racoon: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=048ff404 encmode=Tunnel reqid=1:1)
      racoon: DEBUG:   (trns_id=AES encklen=256 authtype=hmac-sha)
      racoon: DEBUG: matched
      racoon: DEBUG: ===
      racoon: DEBUG: call pfkey_send_getspi
      racoon: DEBUG: pfkey GETSPI sent: ESP/Tunnel 192.168.100.140[500]->192.168.100.207[500] 
      racoon: DEBUG: pfkey getspi sent.
      racoon: DEBUG: pk_recv: retry[0] recv() 
      racoon: DEBUG: got pfkey GETSPI message
      racoon: DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 192.168.100.140[500]->192.168.100.207[500] spi=166958688(0x9f39660)
      racoon: DEBUG: total SA len=48
      racoon: DEBUG:  00000001 00000001 00000028 01030401 00000000 0000001c 010c0000 80010001 80020e10 80040001 80060100 80050002
      racoon: DEBUG: begin.
      racoon: DEBUG: seen nptype=2(prop)
      racoon: DEBUG: succeed.
      racoon: DEBUG: proposal #1 len=40
      racoon: DEBUG: begin.
      racoon: DEBUG: seen nptype=3(trns)
      racoon: DEBUG: succeed.
      racoon: DEBUG: transform #1 len=28
      racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
      racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
      racoon: DEBUG: life duration was in TLV.
      racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
      racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
      racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
      racoon: DEBUG: pair 1:
      racoon: DEBUG:  0x28520760: next=0x0 tnext=0x0
      racoon: DEBUG: proposal #1: 1 transform
      racoon: DEBUG: add payload of len 48, next type 10
      racoon: DEBUG: add payload of len 16, next type 5
      racoon: DEBUG: add payload of len 8, next type 5
      racoon: DEBUG: add payload of len 12, next type 0
      racoon: DEBUG: HASH with:
      racoon: DEBUG:  4d0703b8 6a31c229 33d3bd66 5c5108e7 760f77da 0a000034 00000001 00000001 00000028 01030401 09f39660 0000001c 010c0000 80010001 80020e10 80040001 80060100 80050002 05000014 fff609b5 8407a260 70400fc5 48653f1a 0500000c 01000000 c0a8c801 00000010 04000000 00000000 00000000
      racoon: DEBUG: hmac(hmac_sha1)
      racoon: DEBUG: HASH computed:
      racoon: DEBUG:  daadcc9f 491b7366 198c16f7 6a789f74 0887dc0c
      racoon: DEBUG: add payload of len 20, next type 1
      racoon: DEBUG: begin encryption.
      racoon: DEBUG: encryption(aes)
      racoon: DEBUG: pad length = 4
      racoon: DEBUG:  01000018 daadcc9f 491b7366 198c16f7 6a789f74 0887dc0c 0a000034 00000001 00000001 00000028 01030401 09f39660 0000001c 010c0000 80010001 80020e10 80040001 80060100 80050002 05000014 fff609b5 8407a260 70400fc5 48653f1a 0500000c 01000000 c0a8c801 00000010 04000000 00000000 00000000 85dabf03
      racoon: DEBUG: encryption(aes)
      racoon: DEBUG: with key:
      racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
      racoon: DEBUG: encrypted payload by IV:
      racoon: DEBUG:  1e4cb008 aa346cd7 0e579812 85837c48
      racoon: DEBUG: save IV for next:
      racoon: DEBUG:  ae6a34bd baa55ef6 7795ccaa 62d95c09
      racoon: DEBUG: encrypted.
      racoon: DEBUG: 156 bytes from 192.168.100.207[500] to 192.168.100.140[500]
      racoon: DEBUG: sockname 192.168.100.207[500]
      racoon: DEBUG: send packet from 192.168.100.207[500]
      racoon: DEBUG: send packet to 192.168.100.140[500]
      racoon: DEBUG: 1 times of 156 bytes message will be sent to 192.168.100.140[500]
      racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08102001 4d0703b8 0000009c 35099f8e 319bc018 10aeb6da 5aaeca8f 384b7057 436e639e a67e565e b452334b dc4c5f76 931fdf75 5c4a6297 37c8a6b2 607359a9 ccb2f238 31b48a15 8b0f72ad 265d93cf 9131418b 454bb500 589c8382 fa472861 9894527f e8bd613b 09e33cd5 2cc551c5 fc608768 aade28b5 075e9a5b ae6a34bd baa55ef6 7795ccaa 62d95c09
      racoon: DEBUG: resend phase2 packet 537c409a45c19353:f88c033e10dce8a6:00004d07
      racoon: DEBUG: ===
      racoon: DEBUG: 60 bytes message received from 192.168.100.140[500] to 192.168.100.207[500]
      racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08102001 4d0703b8 0000003c db1bb59b 33b7a58d 9c60ff6b 79711823 e59efbb6 f09316b7 f166bc47 b17c85c7
      racoon: DEBUG: begin decryption.
      racoon: DEBUG: encryption(aes)
      racoon: DEBUG: IV was saved for next processing:
      racoon: DEBUG:  e59efbb6 f09316b7 f166bc47 b17c85c7
      racoon: DEBUG: encryption(aes)
      racoon: DEBUG: with key:
      racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
      racoon: DEBUG: decrypted payload by IV:
      racoon: DEBUG:  ae6a34bd baa55ef6 7795ccaa 62d95c09
      racoon: DEBUG: decrypted payload, but not trimed.
      racoon: DEBUG:  00000018 b1f68910 dea74feb ed694386 e18e5aee 1c7712f7 00000000 00000008
      racoon: DEBUG: padding len=9
      racoon: DEBUG: skip to trim padding.
      racoon: DEBUG: decrypted.
      racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08102001 4d0703b8 0000003c 00000018 b1f68910 dea74feb ed694386 e18e5aee 1c7712f7 00000000 00000008
      racoon: DEBUG: begin.
      racoon: DEBUG: seen nptype=8(hash)
      racoon: DEBUG: succeed.
      racoon: DEBUG: HASH(3) validate:
      racoon: DEBUG:  b1f68910 dea74feb ed694386 e18e5aee 1c7712f7
      racoon: DEBUG: HASH with: 
      racoon: DEBUG:  004d0703 b86a31c2 2933d3bd 665c5108 e7760f77 dafff609 b58407a2 6070400f c548653f 1a
      racoon: DEBUG: hmac(hmac_sha1)
      racoon: DEBUG: HASH computed:
      racoon: DEBUG:  b1f68910 dea74feb ed694386 e18e5aee 1c7712f7
      racoon: DEBUG: ===
      racoon: DEBUG: KEYMAT compute with
      racoon: DEBUG:  0309f396 606a31c2 2933d3bd 665c5108 e7760f77 dafff609 b58407a2 6070400f c548653f 1a
      racoon: DEBUG: hmac(hmac_sha1)
      racoon: DEBUG: encryption(aes)
      racoon: DEBUG: hmac(sha1)
      racoon: DEBUG: encklen=256 authklen=160
      racoon: DEBUG: generating 640 bits of key (dupkeymat=4)
      racoon: DEBUG: generating K1...K4 for KEYMAT.
      racoon: DEBUG: hmac(hmac_sha1)
      racoon: DEBUG: hmac(hmac_sha1)
      racoon: DEBUG: hmac(hmac_sha1)
      racoon: DEBUG:  ecccf0f4 53bf3288 3f5b60f8 be6712e4 95e7e3e8 09a43f42 064de661 bacec002 3c09009f a2bef76b 05afe1e0 70275a97 a8942e49 afd8d66b 538543f1 251e7294 237f6b86 ba2f16e3 c6a3ad9c 33516374
      racoon: DEBUG: KEYMAT compute with
      racoon: DEBUG:  03048ff4 046a31c2 2933d3bd 665c5108 e7760f77 dafff609 b58407a2 6070400f c548653f 1a
      racoon: DEBUG: hmac(hmac_sha1)
      racoon: DEBUG: encryption(aes)
      racoon: DEBUG: hmac(sha1)
      racoon: DEBUG: encklen=256 authklen=160
      racoon: DEBUG: generating 640 bits of key (dupkeymat=4)
      racoon: DEBUG: generating K1...K4 for KEYMAT.
      racoon: DEBUG: hmac(hmac_sha1)
      racoon: DEBUG: hmac(hmac_sha1)
      racoon: DEBUG: hmac(hmac_sha1)
      racoon: DEBUG:  39d7f4e3 5cc4bff8 6f98af36 10f00a35 36bf2d4d c8d2f945 ac6072b8 97172865 5e77e8fe 13a3f336 6431c4f9 9309909c c700a9c5 b8db7d0e 2d9592d2 598624c0 5678e504 e9d24581 3715b0c9 ae99f097
      racoon: DEBUG: KEYMAT computed.
      racoon: DEBUG: call pk_sendupdate
      racoon: DEBUG: encryption(aes)
      racoon: DEBUG: hmac(sha1)
      racoon: DEBUG: call pfkey_send_update2
      racoon: DEBUG: pfkey update sent.
      racoon: DEBUG: encryption(aes)
      racoon: DEBUG: hmac(sha1)
      racoon: DEBUG: call pfkey_send_add2 (NAT flavor)
      racoon: DEBUG: call pfkey_send_add2
      racoon: DEBUG: pfkey add sent.
      racoon: DEBUG: call pfkey_send_spdupdate2
      racoon: DEBUG: pfkey spdupdate2(inbound) sent.
      racoon: DEBUG: call pfkey_send_spdupdate2
      racoon: DEBUG: pfkey spdupdate2(outbound) sent.
      racoon: DEBUG: sub:0xbfbfe298: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
      racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in
      racoon: DEBUG: sub:0xbfbfe298: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
      racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out
      racoon: DEBUG: sub:0xbfbfe298: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out
      racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in
      racoon: DEBUG: sub:0xbfbfe298: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out
      racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out
      racoon: DEBUG: pk_recv: retry[0] recv() 
      racoon: DEBUG: got pfkey UPDATE message
      racoon: DEBUG: pfkey UPDATE succeeded: ESP 192.168.100.207[500]->192.168.100.140[500] spi=166958688(0x9f39660)
      racoon: INFO: IPsec-SA established: ESP 192.168.100.207[500]->192.168.100.140[500] spi=166958688(0x9f39660)
      racoon: DEBUG: ===
      racoon: DEBUG: pk_recv: retry[0] recv() 
      racoon: DEBUG: got pfkey ADD message
      racoon: INFO: IPsec-SA established: ESP 192.168.100.207[500]->192.168.100.140[500] spi=76542980(0x48ff404)
      racoon: DEBUG: ===
      racoon: DEBUG: pk_recv: retry[0] recv() 
      racoon: DEBUG: got pfkey X_SPDUPDATE message
      racoon: DEBUG: sub:0xbfbfe5f4: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
      racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in
      racoon: DEBUG: sub:0xbfbfe5f4: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
      racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out
      racoon: DEBUG: this policy did not exist for removal: "192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
      racoon: DEBUG: pk_recv: retry[0] recv() 
      racoon: DEBUG: got pfkey X_SPDUPDATE message
      racoon: DEBUG: sub:0xbfbfe5f4: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out
      racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in
      racoon: DEBUG: sub:0xbfbfe5f4: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out
      racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out
      racoon: DEBUG: sub:0xbfbfe5f4: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out
      racoon: DEBUG: db :0x28548288: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
      racoon: DEBUG: this policy did not exist for removal: "0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out"
      racoon: DEBUG: pk_recv: retry[0] recv() 
      racoon: DEBUG: got pfkey ACQUIRE message
      racoon: DEBUG: suitable outbound SP found: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out.
      racoon: DEBUG: sub:0xbfbfe5f8: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
      racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in
      racoon: DEBUG: sub:0xbfbfe5f8: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
      racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out
      racoon: DEBUG: sub:0xbfbfe5f8: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
      racoon: DEBUG: db :0x28548288: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
      racoon: DEBUG: suitable inbound SP found: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in.
      racoon: DEBUG: new acquire 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out
      racoon: [192.168.100.140] DEBUG: configuration "anonymous" selected.
      racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='192.168.200.1' peer='NULL' client='NULL' id=1
      racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=1
      racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
      racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
      racoon: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=1
      racoon: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=1:1)
      racoon: DEBUG:   (trns_id=AES encklen=256 authtype=hmac-sha)
      racoon: DEBUG: in post_acquire
      racoon: [192.168.100.140] DEBUG: no remote configuration found.
      racoon: ERROR: no configuration found for 192.168.100.140.
      racoon: ERROR: failed to begin ipsec sa negotication.
      racoon: [192.168.100.140] DEBUG: DPD monitoring....
      racoon: DEBUG: compute IV for phase2
      racoon: DEBUG: phase1 last IV:
      racoon: DEBUG:  3e42b1bb 137a92a3 1cf42770 36f7cae5 e750ef7b
      racoon: DEBUG: hash(sha1)
      racoon: DEBUG: encryption(aes)
      racoon: DEBUG: phase2 IV computed:
      racoon: DEBUG:  16387c90 dd9908f4 60822939 d708793c
      racoon: DEBUG: HASH with:
      racoon: DEBUG:  e750ef7b 00000020 00000001 01108d28 537c409a 45c19353 f88c033e 10dce8a6 000001a8
      racoon: DEBUG: hmac(hmac_sha1)
      racoon: DEBUG: HASH computed:
      racoon: DEBUG:  17defe05 2c5770a7 c0925fdb 1e7d9bdd f64b082d
      racoon: DEBUG: begin encryption.
      racoon: DEBUG: encryption(aes)
      racoon: DEBUG: pad length = 8
      racoon: DEBUG:  0b000018 17defe05 2c5770a7 c0925fdb 1e7d9bdd f64b082d 00000020 00000001 01108d28 537c409a 45c19353 f88c033e 10dce8a6 000001a8 e8e1dda4 fde69807
      racoon: DEBUG: encryption(aes)
      racoon: DEBUG: with key:
      racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
      racoon: DEBUG: encrypted payload by IV:
      racoon: DEBUG:  16387c90 dd9908f4 60822939 d708793c
      racoon: DEBUG: save IV for next:
      racoon: DEBUG:  0a6e8914 59b022ff d5c30169 b85841f5
      racoon: DEBUG: encrypted.
      racoon: DEBUG: 92 bytes from 192.168.100.207[500] to 192.168.100.140[500]
      racoon: DEBUG: sockname 192.168.100.207[500]
      racoon: DEBUG: send packet from 192.168.100.207[500]
      racoon: DEBUG: send packet to 192.168.100.140[500]
      racoon: DEBUG: 1 times of 92 bytes message will be sent to 192.168.100.140[500]
      racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100501 e750ef7b 0000005c 496f8b54 86bc5ff0 3432bd87 781daff2 35a04181 0271f44f b8d2a50d c0c819f9 d7c8f93d 92b3e3f9 8115ce46 5c99febf 0a6e8914 59b022ff d5c30169 b85841f5
      racoon: DEBUG: sendto Information notify.
      racoon: DEBUG: IV freed
      racoon: [192.168.100.140] DEBUG: DPD R-U-There sent (0)
      racoon: [192.168.100.140] DEBUG: rescheduling send_r_u (5).
      racoon: DEBUG: ===
      racoon: DEBUG: 92 bytes message received from 192.168.100.140[500] to 192.168.100.207[500]
      racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100501 6f5eec39 0000005c fd9a61d5 756cc088 e1953f57 bc6624b6 9ba81f12 ee3b514f e8c7691f 53185f30 0122c903 89cee7c3 7fce17cf 4fd4f6ab 306e58f1 eaebb734 24c69abd 3c447863
      racoon: DEBUG: receive Information.
      racoon: DEBUG: compute IV for phase2
      racoon: DEBUG: phase1 last IV:
      racoon: DEBUG:  3e42b1bb 137a92a3 1cf42770 36f7cae5 6f5eec39
      racoon: DEBUG: hash(sha1)
      racoon: DEBUG: encryption(aes)
      racoon: DEBUG: phase2 IV computed:
      racoon: DEBUG:  d4cd0b00 128107ad 2fdf5523 e68e7e0b
      racoon: DEBUG: begin decryption.
      racoon: DEBUG: encryption(aes)
      racoon: DEBUG: IV was saved for next processing:
      racoon: DEBUG:  306e58f1 eaebb734 24c69abd 3c447863
      racoon: DEBUG: encryption(aes)
      racoon: DEBUG: with key:
      racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
      racoon: DEBUG: decrypted payload by IV:
      racoon: DEBUG:  d4cd0b00 128107ad 2fdf5523 e68e7e0b
      racoon: DEBUG: decrypted payload, but not trimed.
      racoon: DEBUG:  0b000018 70edd71b 168266eb 836bf003 8deeb800 37db19c5 00000020 00000001 01108d29 537c409a 45c19353 f88c033e 10dce8a6 000001a8 00000000 00000008
      racoon: DEBUG: padding len=9
      racoon: DEBUG: skip to trim padding.
      racoon: DEBUG: decrypted.
      racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100501 6f5eec39 0000005c 0b000018 70edd71b 168266eb 836bf003 8deeb800 37db19c5 00000020 00000001 01108d29 537c409a 45c19353 f88c033e 10dce8a6 000001a8 00000000 00000008
      racoon: DEBUG: IV freed
      racoon: DEBUG: HASH with:
      racoon: DEBUG:  6f5eec39 00000020 00000001 01108d29 537c409a 45c19353 f88c033e 10dce8a6 000001a8
      racoon: DEBUG: hmac(hmac_sha1)
      racoon: DEBUG: HASH computed:
      racoon: DEBUG:  70edd71b 168266eb 836bf003 8deeb800 37db19c5
      racoon: DEBUG: hash validated.
      racoon: DEBUG: begin.
      racoon: DEBUG: seen nptype=8(hash)
      racoon: DEBUG: seen nptype=11(notify)
      racoon: DEBUG: succeed.
      racoon: [192.168.100.140] DEBUG: DPD R-U-There-Ack received
      racoon: DEBUG: received an R-U-THERE-ACK
      
      
      • T
        twaldorf
        last edited by

        I can see one big difference compared to your logs:

        <30>Mar 13 09:05:07 racoon: [WAN-IP] INFO: Hashing WAN-IP[500] with algo #2
        <30>Mar 13 09:05:07 racoon: INFO: NAT-D payload #0 verified
        <30>Mar 13 09:05:07 racoon: [IPHONE-IP] INFO: Hashing IPHONE-IP**[129]** with algo #2
        <30>Mar 13 09:05:07 racoon: INFO: NAT-D payload #1 doesn't match

        I triple checked ALL settings - they are exactly the same as yours.

        Perhaps it makes a difference because I use two CAs and also have several other IPsec BOVPN tunnels?!?  ???

        Thanks again for your patience and help!

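The difference twaldorf points to (the second NAT-D payload hashed over port 129 instead of 500 and then failing to verify) is mechanical enough to check automatically. The following Python script is an added example for this thread, not code from any poster or from pfSense. It pairs each racoon "Hashing addr[port]" line with the NAT-D verdict that follows it and reports whether a NAT sits between the peers. The sample log lines are constructed from the two excerpts quoted in the thread (the second excerpt is listed newest-first in the pfSense log view, so it is reordered oldest-first here); WAN-IP and IPHONE-IP are the poster's placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples, modelled on the two racoon excerpts quoted in this thread.
# WAN-IP and IPHONE-IP are the poster's placeholders. The second excerpt appears
# newest-first in the pfSense log view; here it is reordered oldest-first.
NATTED_PEER_LOG = """\
<30>Mar 13 09:05:07 racoon: [WAN-IP] INFO: Hashing WAN-IP[500] with algo #2
<30>Mar 13 09:05:07 racoon: INFO: NAT-D payload #0 verified
<30>Mar 13 09:05:07 racoon: [IPHONE-IP] INFO: Hashing IPHONE-IP[129] with algo #2
<30>Mar 13 09:05:07 racoon: INFO: NAT-D payload #1 doesn't match
"""

PUBLIC_PEER_LOG = """\
Mar 13 11:34:42 racoon: [Self]: [WAN-IP] INFO: Hashing WAN-IP[500] with algo #2
Mar 13 11:34:42 racoon: INFO: NAT-D payload #0 verified
Mar 13 11:34:42 racoon: [212.23.116.66] INFO: Hashing 212.23.116.66[500] with algo #2
Mar 13 11:34:42 racoon: INFO: NAT-D payload #1 verified
Mar 13 11:34:42 racoon: INFO: NAT not detected
"""

# racoon logs the address:port it hashes, then the verdict for that NAT-D payload.
HASHING_RE = re.compile(r"INFO: Hashing (?P<addr>[^\s\[]+)\[(?P<port>\d+)\] with algo #\d+")
NATD_RE = re.compile(r"INFO: NAT-D payload #(?P<idx>\d+) (?P<result>verified|doesn't match)")
NAT_STATE_RE = re.compile(r"INFO: NAT (?P<state>not detected|detected\b.*)")

IKE_PORTS = (500, 4500)  # ISAKMP and NAT-T; any other port means a NAT rewrote the source port


def analyze_natd(log_text: str) -> Dict[str, object]:
    """Pair each 'Hashing addr[port]' line with the NAT-D verdict that follows it
    and decide whether a NAT sits between the peers."""
    payloads: List[Tuple[int, str, int, str]] = []   # (index, addr, port, result)
    last_hashed: Optional[Tuple[str, int]] = None
    nat_state: Optional[str] = None
    for line in log_text.splitlines():
        m = HASHING_RE.search(line)
        if m:
            last_hashed = (m.group("addr"), int(m.group("port")))
            continue
        m = NATD_RE.search(line)
        if m and last_hashed is not None:
            payloads.append((int(m.group("idx")), last_hashed[0], last_hashed[1], m.group("result")))
            last_hashed = None
            continue
        m = NAT_STATE_RE.search(line)
        if m:
            nat_state = m.group("state").strip()

    mismatched = [p for p in payloads if p[3] == "doesn't match"]
    nonstandard = [(addr, port) for _, addr, port, _ in payloads if port not in IKE_PORTS]
    if nat_state is not None:                       # racoon's own summary line wins
        nat_detected: Optional[bool] = nat_state != "not detected"
    elif payloads:                                  # otherwise infer from the verdicts
        nat_detected = bool(mismatched)
    else:
        nat_detected = None                         # no NAT-D exchange seen at all

    if nat_detected:
        diagnosis = "NAT between peers: the endpoint racoon hashed differs from what the peer hashed"
    elif nat_detected is False:
        diagnosis = "no NAT detected; look elsewhere for the phase 1 failure"
    else:
        diagnosis = "no NAT-D exchange in log"
    return {
        "payloads": payloads,
        "mismatched": mismatched,
        "nonstandard_ports": nonstandard,
        "nat_state": nat_state,
        "nat_detected": nat_detected,
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    for name, text in (("natted peer", NATTED_PEER_LOG), ("public peer", PUBLIC_PEER_LOG)):
        r = analyze_natd(text)
        print(f"{name}: {r['diagnosis']}; non-IKE ports seen: {r['nonstandard_ports']}")
```

Run it over a racoon log filtered to one negotiation; a hashed endpoint on a port other than 500 or 4500 together with a "doesn't match" verdict is the signature of a peer behind NAT, while "NAT not detected" with all payloads verified means the phase 1 timeout has another cause.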
        • T
          twaldorf
          last edited by

          OK - now I changed something on my data option. For 2 Euros per month I was able to get a "real" public IP address instead of a NATed one! Looks better now in the logs - but still I'm not able to finish phase 1:

          Mar 13 11:35:32 	racoon: ERROR: phase1 negotiation failed due to time up. a95cd60e000c4680:7446a7a497024226
          Mar 13 11:34:42 	racoon: INFO: Adding remote and local NAT-D payloads.
          Mar 13 11:34:42 	racoon: [Self]: [WAN-IP] INFO: Hashing WAN-IP[500] with algo #2
          Mar 13 11:34:42 	racoon: [212.23.116.66] INFO: Hashing 212.23.116.66[500] with algo #2
          Mar 13 11:34:42 	racoon: INFO: NAT not detected
          Mar 13 11:34:42 	racoon: INFO: NAT-D payload #1 verified
          Mar 13 11:34:42 	racoon: [212.23.116.66] INFO: Hashing 212.23.116.66[500] with algo #2
          Mar 13 11:34:42 	racoon: INFO: NAT-D payload #0 verified
          Mar 13 11:34:42 	racoon: [Self]: [WAN-IP] INFO: Hashing WAN-IP[500] with algo #2
          Mar 13 11:34:41 	racoon: INFO: Adding xauth VID payload.
          Mar 13 11:34:41 	racoon: [212.23.116.66] INFO: Selected NAT-T version: RFC 3947
          Mar 13 11:34:41 	racoon: INFO: received Vendor ID: DPD
          Mar 13 11:34:41 	racoon: INFO: received Vendor ID: CISCO-UNITY
          Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
          Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
          Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
          Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
          Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
          Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
          Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
          Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
          Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
          Mar 13 11:34:41 	racoon: INFO: received Vendor ID: RFC 3947
          Mar 13 11:34:41 	racoon: INFO: begin Identity Protection mode.
          Mar 13 11:34:41 	racoon: [Self]: INFO: respond new phase 1 negotiation: WAN-IP[500]<=>212.23.116.66[500]
          

          Now I can also see another problem (?) in the system logs:

          Mar 13 11:34:29 	php: /vpn_ipsec.php: Could not determine VPN endpoint for 'MUVPN (Apple iOS)'
          Mar 13 11:34:05 	php: /vpn_ipsec_phase1.php: Could not determine VPN endpoint for 'MUVPN (Apple iOS)'
          Mar 13 11:33:55 	php: /vpn_ipsec_phase1.php: Reload MUVPN (Apple iOS) tunnel(s)
          

          What does this error mean?

          EDIT: The error above is gone since I changed the server-certificate to use IP instead of domain name. I still run in phase1 timeout without any other error.

          • A
            azzido
            last edited by

            Disable NAT traversal and check if that makes any difference.

            • C
              catfish99
              last edited by

              Once the issues have been troubleshot, I'd suggest adding these step-by-step docs to the pfSense wiki.

              • T
                twaldorf
                last edited by

                I suggest also adding these step-by-step docs to the pfSense wiki.

                Also there is no need to wait for my (I'm sure) special personal problems:

                I just tried it with another iPhone (same model / same iOS version / same modem version) and there it works like a charm!
                On this second iPhone it works with 3G and also directly out of the company network's WLAN.
                On my iPhone, neither WLAN nor 3G works.

                So it must have something to do with my iPhone. But I have no idea what this can be!  ???

                • T
                  twaldorf
                  last edited by

                  OK - I think I know the problem now.

                  I found other guys on the internet who have VPN problems like me (timeout) after an untethered jailbreak of iOS 5.01 - and that's the big difference between my iPhone and the other one. Just to make clear: I have a never-locked iPhone direct from the Apple Store and use the jailbreak for IT-related software which is not available in the App Store (e.g. SSH). So I never hacked the baseband or something like that. But it seems that the untethered jailbreak itself breaks VPN functions!

                  • A
                    azzido
                    last edited by

                    Glad to hear it is working.

                    • T
                      twaldorf
                      last edited by

                      There is only one last thing, which is a little bit annoying:

                      If I uncheck the box "Provide login banner to clients", an empty login banner comes up. Is there no possibility to completely disable the banner? I use VPN on demand and so I have to click "OK" on the iPhone all the time…

                      • A
                        azzido
                        last edited by

                        If you are talking about the message 'VPN Connection' with the buttons OK and Disconnect that iOS shows after the connection is established, then I don't think there is a way to disable that.

                        • H
                          hagak
                          last edited by

                          Thanks for the guide. Using it and the iPhone Configuration Utility I was able to set up my iPhone with VPN on demand, which is a slick feature, with one issue: I cannot figure out how to make it save my password. Every time I connect to the VPN it prompts for the user password. It appears that if you create the VPN connection on the phone manually via this guide it will save the user password; however, if you do it via the iPhone Configuration Utility I do not see a way to save the password.

                          Any ideas?

                          • T
                            twaldorf
                            last edited by

                            @hagak:

                            Thanks for the guide. Using it and the iPhone Configuration Utility I was able to set up my iPhone with VPN on demand, which is a slick feature, with one issue: I cannot figure out how to make it save my password. Every time I connect to the VPN it prompts for the user password. It appears that if you create the VPN connection on the phone manually via this guide it will save the user password; however, if you do it via the iPhone Configuration Utility I do not see a way to save the password.

                            Any ideas?

                            Create an unsigned .mobileconfig and edit it with any text editor. Add these two lines after the XAuthName block:

                            <key>XAuthPassword</key>
                            <string>Your Password</string>


                            Best regards,

                            Thorsten

                            • H
                              hagak
                              last edited by

                              Sweet, will give that a shot. Odd that if the configs support such a feature, the tool would not have the interface to use it. Of course, Apple is known for lack of options.

                              • T
                                twaldorf
                                last edited by

                                @hagak:

                                Odd that if the configs support such a feature, the tool would not have the interface to use it. Of course, Apple is known for lack of options.

                                I think it's just because everybody could read the password as clear text…

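A worked example of the edit Thorsten describes above (adding XAuthPassword next to XAuthName in an unsigned .mobileconfig), together with the audit check his clear-text warning implies. This is added here as illustration; it is not code from the thread, from Apple, or from pfSense. It assumes the IPSec VPN payload key names from Apple's Configuration Profile Reference (PayloadContent, PayloadType com.apple.vpn.managed, IPSec, XAuthEnabled, XAuthName, XAuthPassword) and builds a minimal sample profile in memory; the hostname vpn.example.org, the payload identifiers, UUIDs and the username alice are made up for the example.

```python
"""Add an XAuth password to an unsigned iOS .mobileconfig and audit a profile
for clear-text credentials.

Added example, not code from the forum thread, Apple or pfSense. Assumes the
IPSec payload key names documented in Apple's Configuration Profile Reference
(PayloadContent, PayloadType, IPSec, XAuthName, XAuthPassword). The sample
profile below is constructed here for illustration only.
"""
import plistlib

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"

# Constructed sample profile: one IPSec VPN payload using certificate
# authentication plus XAuth, as in the guide's iOS roadwarrior setup.
# Identifiers, UUIDs, hostname and username are all made up.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.vpn.profile",
    "PayloadUUID": "5D0B5D0C-0000-4000-8000-000000000001",
    "PayloadDisplayName": "Roadwarrior VPN",
    "PayloadContent": [
        {
            "PayloadType": VPN_PAYLOAD_TYPE,
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.vpn.profile.ipsec",
            "PayloadUUID": "5D0B5D0C-0000-4000-8000-000000000002",
            "UserDefinedName": "Office",
            "VPNType": "IPSec",
            "IPSec": {
                "RemoteAddress": "vpn.example.org",
                "AuthenticationMethod": "Certificate",
                "XAuthEnabled": 1,
                "XAuthName": "alice",
            },
        }
    ],
}


def vpn_payloads(profile):
    """Yield every IPSec VPN payload dictionary in a parsed profile."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == VPN_PAYLOAD_TYPE and "IPSec" in payload:
            yield payload


def add_xauth_password(profile_bytes, password):
    """Return a copy of the profile with XAuthPassword set beside XAuthName.

    Only an unsigned profile can be edited this way: a signed .mobileconfig is
    a CMS blob wrapping the plist, so plistlib fails to parse it, and editing
    the inner plist would invalidate the signature anyway.
    """
    profile = plistlib.loads(profile_bytes)
    changed = 0
    for payload in vpn_payloads(profile):
        ipsec = payload["IPSec"]
        if "XAuthName" in ipsec:
            ipsec["XAuthPassword"] = password
            changed += 1
    if changed == 0:
        raise ValueError("no IPSec payload with XAuthName found")
    # plistlib sorts keys, so XAuthPassword is emitted right after XAuthName.
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def cleartext_credentials(profile_bytes):
    """List (UserDefinedName, XAuthName) for every payload carrying a password.

    Anything this returns is a password stored as plain text in the file, and
    readable by anyone who gets the profile or the mail it was attached to.
    """
    profile = plistlib.loads(profile_bytes)
    return [
        (p.get("UserDefinedName"), p["IPSec"].get("XAuthName"))
        for p in vpn_payloads(profile)
        if p["IPSec"].get("XAuthPassword")
    ]


def sample_profile_bytes():
    """Serialize the constructed sample profile as an unsigned XML plist."""
    return plistlib.dumps(SAMPLE_PROFILE, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    original = sample_profile_bytes()
    print("before:", cleartext_credentials(original))
    patched = add_xauth_password(original, "s3cret")
    print("after:", cleartext_credentials(patched))
    print(patched.decode())
```

Run as a script it prints the patched XML, in which the two lines from the post appear directly after XAuthName. cleartext_credentials is the check worth running before mailing a profile to a phone, since the password travels in the clear in whatever mailbox or file share the profile passes through.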
                                • H
                                  hagak
                                  last edited by

                                  @twaldorf:

                                  @hagak:

                                  Odd that if the configs support such a feature, the tool would not have the interface to use it. Of course, Apple is known for lack of options.

                                  I think it's just because everybody could read the password as clear text…

                                  Well, there are ways they could encrypt the password to at least make it more difficult to see.

                                  • H
                                    hagak
                                    last edited by

                                    @twaldorf:

                                    Create an unsigned .mobileconfig and edit it with any text editor. Add these two lines after the XAuthName block:

                                    <key>XAuthPassword</key>
                                    <string>Your Password</string>


                                    Best regards,

                                    Thorsten

                                    This did not seem to work. I assume that after I edit the file, I open it with the iPhone Configuration Utility to load it onto the iPhone.

                                    • H
                                      hagak
                                      last edited by

                                      If I export the config back out, the added lines are not there.

                                      • H
                                        hagak
                                        last edited by

                                        I figured it out :)

                                        You need to email the .mobileconfig file to your phone and install it from the email on the phone. Success.

                                        • S
                                          seattle-it
                                          last edited by

                                          For whatever reason, racoon segfaults when I run RSA+Xauth after the client sends back the XAUTH_USER_PASSWORD. Oddly, this doesn't happen with PSK+Xauth. >:(

                                          My tech blog - seattleit.net/blog

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.