Visual Guide to Configuring IPSec VPN using RSA + Xauth and iOS Roadwarriors
-
Had to split this in two since the post was too large.
racoon: DEBUG: seen nptype=2(prop) racoon: DEBUG: succeed. racoon: DEBUG: proposal #1 len=172 racoon: DEBUG: begin. racoon: DEBUG: seen nptype=3(trns) racoon: DEBUG: seen nptype=3(trns) racoon: DEBUG: seen nptype=3(trns) racoon: DEBUG: seen nptype=3(trns) racoon: DEBUG: seen nptype=3(trns) racoon: DEBUG: seen nptype=3(trns) racoon: DEBUG: succeed. racoon: DEBUG: transform #1 len=28 racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600 racoon: DEBUG: life duration was in TLV. racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256 racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha racoon: DEBUG: transform #2 len=28 racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600 racoon: DEBUG: life duration was in TLV. racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256 racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 racoon: DEBUG: transform #3 len=28 racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600 racoon: DEBUG: life duration was in TLV. racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128 racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha racoon: DEBUG: transform #4 len=28 racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600 racoon: DEBUG: life duration was in TLV. 
racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128 racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 racoon: DEBUG: transform #5 len=24 racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600 racoon: DEBUG: life duration was in TLV. racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha racoon: DEBUG: transform #6 len=24 racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600 racoon: DEBUG: life duration was in TLV. racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 racoon: DEBUG: pair 1: racoon: DEBUG: 0x28520760: next=0x0 tnext=0x28520770 racoon: DEBUG: 0x28520770: next=0x0 tnext=0x28520780 racoon: DEBUG: 0x28520780: next=0x0 tnext=0x28520790 racoon: DEBUG: 0x28520790: next=0x0 tnext=0x285207a0 racoon: DEBUG: 0x285207a0: next=0x0 tnext=0x285207b0 racoon: DEBUG: 0x285207b0: next=0x0 tnext=0x0 racoon: DEBUG: proposal #1: 6 transform racoon: DEBUG: begin compare proposals. 
racoon: DEBUG: pair[1]: 0x28520760 racoon: DEBUG: 0x28520760: next=0x0 tnext=0x28520770 racoon: DEBUG: 0x28520770: next=0x0 tnext=0x28520780 racoon: DEBUG: 0x28520780: next=0x0 tnext=0x28520790 racoon: DEBUG: 0x28520790: next=0x0 tnext=0x285207a0 racoon: DEBUG: 0x285207a0: next=0x0 tnext=0x285207b0 racoon: DEBUG: 0x285207b0: next=0x0 tnext=0x0 racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=1 trns-id=AES racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600 racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256 racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=2 trns-id=AES racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600 racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256 racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=3 trns-id=AES racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600 racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128 racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=4 trns-id=AES racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600 racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128 racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=5 trns-id=3DES racoon: DEBUG: type=SA Life Type, 
flag=0x8000, lorv=seconds racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600 racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=6 trns-id=3DES racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600 racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 racoon: DEBUG: peer's single bundle: racoon: DEBUG: (proto_id=ESP spisize=4 spi=048ff404 spi_p=00000000 encmode=Tunnel reqid=0:0) racoon: DEBUG: (trns_id=AES encklen=256 authtype=hmac-sha) racoon: DEBUG: (trns_id=AES encklen=256 authtype=hmac-md5) racoon: DEBUG: (trns_id=AES encklen=128 authtype=hmac-sha) racoon: DEBUG: (trns_id=AES encklen=128 authtype=hmac-md5) racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha) racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5) racoon: DEBUG: my single bundle: racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=048ff404 encmode=Tunnel reqid=1:1) racoon: DEBUG: (trns_id=AES encklen=256 authtype=hmac-sha) racoon: DEBUG: matched racoon: DEBUG: === racoon: DEBUG: call pfkey_send_getspi racoon: DEBUG: pfkey GETSPI sent: ESP/Tunnel 192.168.100.140[500]->192.168.100.207[500] racoon: DEBUG: pfkey getspi sent. racoon: DEBUG: pk_recv: retry[0] recv() racoon: DEBUG: got pfkey GETSPI message racoon: DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 192.168.100.140[500]->192.168.100.207[500] spi=166958688(0x9f39660) racoon: DEBUG: total SA len=48 racoon: DEBUG: 00000001 00000001 00000028 01030401 00000000 0000001c 010c0000 80010001 80020e10 80040001 80060100 80050002 racoon: DEBUG: begin. racoon: DEBUG: seen nptype=2(prop) racoon: DEBUG: succeed. racoon: DEBUG: proposal #1 len=40 racoon: DEBUG: begin. racoon: DEBUG: seen nptype=3(trns) racoon: DEBUG: succeed. 
racoon: DEBUG: transform #1 len=28 racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600 racoon: DEBUG: life duration was in TLV. racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256 racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha racoon: DEBUG: pair 1: racoon: DEBUG: 0x28520760: next=0x0 tnext=0x0 racoon: DEBUG: proposal #1: 1 transform racoon: DEBUG: add payload of len 48, next type 10 racoon: DEBUG: add payload of len 16, next type 5 racoon: DEBUG: add payload of len 8, next type 5 racoon: DEBUG: add payload of len 12, next type 0 racoon: DEBUG: HASH with: racoon: DEBUG: 4d0703b8 6a31c229 33d3bd66 5c5108e7 760f77da 0a000034 00000001 00000001 00000028 01030401 09f39660 0000001c 010c0000 80010001 80020e10 80040001 80060100 80050002 05000014 fff609b5 8407a260 70400fc5 48653f1a 0500000c 01000000 c0a8c801 00000010 04000000 00000000 00000000 racoon: DEBUG: hmac(hmac_sha1) racoon: DEBUG: HASH computed: racoon: DEBUG: daadcc9f 491b7366 198c16f7 6a789f74 0887dc0c racoon: DEBUG: add payload of len 20, next type 1 racoon: DEBUG: begin encryption. racoon: DEBUG: encryption(aes) racoon: DEBUG: pad length = 4 racoon: DEBUG: 01000018 daadcc9f 491b7366 198c16f7 6a789f74 0887dc0c 0a000034 00000001 00000001 00000028 01030401 09f39660 0000001c 010c0000 80010001 80020e10 80040001 80060100 80050002 05000014 fff609b5 8407a260 70400fc5 48653f1a 0500000c 01000000 c0a8c801 00000010 04000000 00000000 00000000 85dabf03 racoon: DEBUG: encryption(aes) racoon: DEBUG: with key: racoon: DEBUG: e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb racoon: DEBUG: encrypted payload by IV: racoon: DEBUG: 1e4cb008 aa346cd7 0e579812 85837c48 racoon: DEBUG: save IV for next: racoon: DEBUG: ae6a34bd baa55ef6 7795ccaa 62d95c09 racoon: DEBUG: encrypted. 
racoon: DEBUG: 156 bytes from 192.168.100.207[500] to 192.168.100.140[500] racoon: DEBUG: sockname 192.168.100.207[500] racoon: DEBUG: send packet from 192.168.100.207[500] racoon: DEBUG: send packet to 192.168.100.140[500] racoon: DEBUG: 1 times of 156 bytes message will be sent to 192.168.100.140[500] racoon: DEBUG: 537c409a 45c19353 f88c033e 10dce8a6 08102001 4d0703b8 0000009c 35099f8e 319bc018 10aeb6da 5aaeca8f 384b7057 436e639e a67e565e b452334b dc4c5f76 931fdf75 5c4a6297 37c8a6b2 607359a9 ccb2f238 31b48a15 8b0f72ad 265d93cf 9131418b 454bb500 589c8382 fa472861 9894527f e8bd613b 09e33cd5 2cc551c5 fc608768 aade28b5 075e9a5b ae6a34bd baa55ef6 7795ccaa 62d95c09 racoon: DEBUG: resend phase2 packet 537c409a45c19353:f88c033e10dce8a6:00004d07 racoon: DEBUG: === racoon: DEBUG: 60 bytes message received from 192.168.100.140[500] to 192.168.100.207[500] racoon: DEBUG: 537c409a 45c19353 f88c033e 10dce8a6 08102001 4d0703b8 0000003c db1bb59b 33b7a58d 9c60ff6b 79711823 e59efbb6 f09316b7 f166bc47 b17c85c7 racoon: DEBUG: begin decryption. racoon: DEBUG: encryption(aes) racoon: DEBUG: IV was saved for next processing: racoon: DEBUG: e59efbb6 f09316b7 f166bc47 b17c85c7 racoon: DEBUG: encryption(aes) racoon: DEBUG: with key: racoon: DEBUG: e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb racoon: DEBUG: decrypted payload by IV: racoon: DEBUG: ae6a34bd baa55ef6 7795ccaa 62d95c09 racoon: DEBUG: decrypted payload, but not trimed. racoon: DEBUG: 00000018 b1f68910 dea74feb ed694386 e18e5aee 1c7712f7 00000000 00000008 racoon: DEBUG: padding len=9 racoon: DEBUG: skip to trim padding. racoon: DEBUG: decrypted. racoon: DEBUG: 537c409a 45c19353 f88c033e 10dce8a6 08102001 4d0703b8 0000003c 00000018 b1f68910 dea74feb ed694386 e18e5aee 1c7712f7 00000000 00000008 racoon: DEBUG: begin. racoon: DEBUG: seen nptype=8(hash) racoon: DEBUG: succeed. 
racoon: DEBUG: HASH(3) validate: racoon: DEBUG: b1f68910 dea74feb ed694386 e18e5aee 1c7712f7 racoon: DEBUG: HASH with: racoon: DEBUG: 004d0703 b86a31c2 2933d3bd 665c5108 e7760f77 dafff609 b58407a2 6070400f c548653f 1a racoon: DEBUG: hmac(hmac_sha1) racoon: DEBUG: HASH computed: racoon: DEBUG: b1f68910 dea74feb ed694386 e18e5aee 1c7712f7 racoon: DEBUG: === racoon: DEBUG: KEYMAT compute with racoon: DEBUG: 0309f396 606a31c2 2933d3bd 665c5108 e7760f77 dafff609 b58407a2 6070400f c548653f 1a racoon: DEBUG: hmac(hmac_sha1) racoon: DEBUG: encryption(aes) racoon: DEBUG: hmac(sha1) racoon: DEBUG: encklen=256 authklen=160 racoon: DEBUG: generating 640 bits of key (dupkeymat=4) racoon: DEBUG: generating K1...K4 for KEYMAT. racoon: DEBUG: hmac(hmac_sha1) racoon: DEBUG: hmac(hmac_sha1) racoon: DEBUG: hmac(hmac_sha1) racoon: DEBUG: ecccf0f4 53bf3288 3f5b60f8 be6712e4 95e7e3e8 09a43f42 064de661 bacec002 3c09009f a2bef76b 05afe1e0 70275a97 a8942e49 afd8d66b 538543f1 251e7294 237f6b86 ba2f16e3 c6a3ad9c 33516374 racoon: DEBUG: KEYMAT compute with racoon: DEBUG: 03048ff4 046a31c2 2933d3bd 665c5108 e7760f77 dafff609 b58407a2 6070400f c548653f 1a racoon: DEBUG: hmac(hmac_sha1) racoon: DEBUG: encryption(aes) racoon: DEBUG: hmac(sha1) racoon: DEBUG: encklen=256 authklen=160 racoon: DEBUG: generating 640 bits of key (dupkeymat=4) racoon: DEBUG: generating K1...K4 for KEYMAT. racoon: DEBUG: hmac(hmac_sha1) racoon: DEBUG: hmac(hmac_sha1) racoon: DEBUG: hmac(hmac_sha1) racoon: DEBUG: 39d7f4e3 5cc4bff8 6f98af36 10f00a35 36bf2d4d c8d2f945 ac6072b8 97172865 5e77e8fe 13a3f336 6431c4f9 9309909c c700a9c5 b8db7d0e 2d9592d2 598624c0 5678e504 e9d24581 3715b0c9 ae99f097 racoon: DEBUG: KEYMAT computed. racoon: DEBUG: call pk_sendupdate racoon: DEBUG: encryption(aes) racoon: DEBUG: hmac(sha1) racoon: DEBUG: call pfkey_send_update2 racoon: DEBUG: pfkey update sent. 
racoon: DEBUG: encryption(aes) racoon: DEBUG: hmac(sha1) racoon: DEBUG: call pfkey_send_add2 (NAT flavor) racoon: DEBUG: call pfkey_send_add2 racoon: DEBUG: pfkey add sent. racoon: DEBUG: call pfkey_send_spdupdate2 racoon: DEBUG: pfkey spdupdate2(inbound) sent. racoon: DEBUG: call pfkey_send_spdupdate2 racoon: DEBUG: pfkey spdupdate2(outbound) sent. racoon: DEBUG: sub:0xbfbfe298: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in racoon: DEBUG: sub:0xbfbfe298: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out racoon: DEBUG: sub:0xbfbfe298: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in racoon: DEBUG: sub:0xbfbfe298: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out racoon: DEBUG: pk_recv: retry[0] recv() racoon: DEBUG: got pfkey UPDATE message racoon: DEBUG: pfkey UPDATE succeeded: ESP 192.168.100.207[500]->192.168.100.140[500] spi=166958688(0x9f39660) racoon: INFO: IPsec-SA established: ESP 192.168.100.207[500]->192.168.100.140[500] spi=166958688(0x9f39660) racoon: DEBUG: === racoon: DEBUG: pk_recv: retry[0] recv() racoon: DEBUG: got pfkey ADD message racoon: INFO: IPsec-SA established: ESP 192.168.100.207[500]->192.168.100.140[500] spi=76542980(0x48ff404) racoon: DEBUG: === racoon: DEBUG: pk_recv: retry[0] recv() racoon: DEBUG: got pfkey X_SPDUPDATE message racoon: DEBUG: sub:0xbfbfe5f4: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in racoon: DEBUG: sub:0xbfbfe5f4: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out racoon: DEBUG: this 
policy did not exist for removal: "192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in" racoon: DEBUG: pk_recv: retry[0] recv() racoon: DEBUG: got pfkey X_SPDUPDATE message racoon: DEBUG: sub:0xbfbfe5f4: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in racoon: DEBUG: sub:0xbfbfe5f4: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out racoon: DEBUG: sub:0xbfbfe5f4: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out racoon: DEBUG: db :0x28548288: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in racoon: DEBUG: this policy did not exist for removal: "0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out" racoon: DEBUG: pk_recv: retry[0] recv() racoon: DEBUG: got pfkey ACQUIRE message racoon: DEBUG: suitable outbound SP found: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out. racoon: DEBUG: sub:0xbfbfe5f8: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in racoon: DEBUG: sub:0xbfbfe5f8: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out racoon: DEBUG: sub:0xbfbfe5f8: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in racoon: DEBUG: db :0x28548288: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in racoon: DEBUG: suitable inbound SP found: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in. racoon: DEBUG: new acquire 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out racoon: [192.168.100.140] DEBUG: configuration "anonymous" selected. 
racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='192.168.200.1' peer='NULL' client='NULL' id=1 racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=1 racoon: DEBUG: check and compare ids : values matched (ANONYMOUS) racoon: DEBUG: check and compare ids : values matched (ANONYMOUS) racoon: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=1 racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=1:1) racoon: DEBUG: (trns_id=AES encklen=256 authtype=hmac-sha) racoon: DEBUG: in post_acquire racoon: [192.168.100.140] DEBUG: no remote configuration found. racoon: ERROR: no configuration found for 192.168.100.140. racoon: ERROR: failed to begin ipsec sa negotication. racoon: [192.168.100.140] DEBUG: DPD monitoring.... racoon: DEBUG: compute IV for phase2 racoon: DEBUG: phase1 last IV: racoon: DEBUG: 3e42b1bb 137a92a3 1cf42770 36f7cae5 e750ef7b racoon: DEBUG: hash(sha1) racoon: DEBUG: encryption(aes) racoon: DEBUG: phase2 IV computed: racoon: DEBUG: 16387c90 dd9908f4 60822939 d708793c racoon: DEBUG: HASH with: racoon: DEBUG: e750ef7b 00000020 00000001 01108d28 537c409a 45c19353 f88c033e 10dce8a6 000001a8 racoon: DEBUG: hmac(hmac_sha1) racoon: DEBUG: HASH computed: racoon: DEBUG: 17defe05 2c5770a7 c0925fdb 1e7d9bdd f64b082d racoon: DEBUG: begin encryption. racoon: DEBUG: encryption(aes) racoon: DEBUG: pad length = 8 racoon: DEBUG: 0b000018 17defe05 2c5770a7 c0925fdb 1e7d9bdd f64b082d 00000020 00000001 01108d28 537c409a 45c19353 f88c033e 10dce8a6 000001a8 e8e1dda4 fde69807 racoon: DEBUG: encryption(aes) racoon: DEBUG: with key: racoon: DEBUG: e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb racoon: DEBUG: encrypted payload by IV: racoon: DEBUG: 16387c90 dd9908f4 60822939 d708793c racoon: DEBUG: save IV for next: racoon: DEBUG: 0a6e8914 59b022ff d5c30169 b85841f5 racoon: DEBUG: encrypted. 
racoon: DEBUG: 92 bytes from 192.168.100.207[500] to 192.168.100.140[500] racoon: DEBUG: sockname 192.168.100.207[500] racoon: DEBUG: send packet from 192.168.100.207[500] racoon: DEBUG: send packet to 192.168.100.140[500] racoon: DEBUG: 1 times of 92 bytes message will be sent to 192.168.100.140[500] racoon: DEBUG: 537c409a 45c19353 f88c033e 10dce8a6 08100501 e750ef7b 0000005c 496f8b54 86bc5ff0 3432bd87 781daff2 35a04181 0271f44f b8d2a50d c0c819f9 d7c8f93d 92b3e3f9 8115ce46 5c99febf 0a6e8914 59b022ff d5c30169 b85841f5 racoon: DEBUG: sendto Information notify. racoon: DEBUG: IV freed racoon: [192.168.100.140] DEBUG: DPD R-U-There sent (0) racoon: [192.168.100.140] DEBUG: rescheduling send_r_u (5). racoon: DEBUG: === racoon: DEBUG: 92 bytes message received from 192.168.100.140[500] to 192.168.100.207[500] racoon: DEBUG: 537c409a 45c19353 f88c033e 10dce8a6 08100501 6f5eec39 0000005c fd9a61d5 756cc088 e1953f57 bc6624b6 9ba81f12 ee3b514f e8c7691f 53185f30 0122c903 89cee7c3 7fce17cf 4fd4f6ab 306e58f1 eaebb734 24c69abd 3c447863 racoon: DEBUG: receive Information. racoon: DEBUG: compute IV for phase2 racoon: DEBUG: phase1 last IV: racoon: DEBUG: 3e42b1bb 137a92a3 1cf42770 36f7cae5 6f5eec39 racoon: DEBUG: hash(sha1) racoon: DEBUG: encryption(aes) racoon: DEBUG: phase2 IV computed: racoon: DEBUG: d4cd0b00 128107ad 2fdf5523 e68e7e0b racoon: DEBUG: begin decryption. racoon: DEBUG: encryption(aes) racoon: DEBUG: IV was saved for next processing: racoon: DEBUG: 306e58f1 eaebb734 24c69abd 3c447863 racoon: DEBUG: encryption(aes) racoon: DEBUG: with key: racoon: DEBUG: e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb racoon: DEBUG: decrypted payload by IV: racoon: DEBUG: d4cd0b00 128107ad 2fdf5523 e68e7e0b racoon: DEBUG: decrypted payload, but not trimed. 
racoon: DEBUG: 0b000018 70edd71b 168266eb 836bf003 8deeb800 37db19c5 00000020 00000001 01108d29 537c409a 45c19353 f88c033e 10dce8a6 000001a8 00000000 00000008 racoon: DEBUG: padding len=9 racoon: DEBUG: skip to trim padding. racoon: DEBUG: decrypted. racoon: DEBUG: 537c409a 45c19353 f88c033e 10dce8a6 08100501 6f5eec39 0000005c 0b000018 70edd71b 168266eb 836bf003 8deeb800 37db19c5 00000020 00000001 01108d29 537c409a 45c19353 f88c033e 10dce8a6 000001a8 00000000 00000008 racoon: DEBUG: IV freed racoon: DEBUG: HASH with: racoon: DEBUG: 6f5eec39 00000020 00000001 01108d29 537c409a 45c19353 f88c033e 10dce8a6 000001a8 racoon: DEBUG: hmac(hmac_sha1) racoon: DEBUG: HASH computed: racoon: DEBUG: 70edd71b 168266eb 836bf003 8deeb800 37db19c5 racoon: DEBUG: hash validated. racoon: DEBUG: begin. racoon: DEBUG: seen nptype=8(hash) racoon: DEBUG: seen nptype=11(notify) racoon: DEBUG: succeed. racoon: [192.168.100.140] DEBUG: DPD R-U-There-Ack received racoon: DEBUG: received an R-U-THERE-ACK
-
I can see one big difference to your logs:
<30>Mar 13 09:05:07 racoon: [WAN-IP] INFO: Hashing WAN-IP[500] with algo #2
<30>Mar 13 09:05:07 racoon: INFO: NAT-D payload #0 verified
<30>Mar 13 09:05:07 racoon: [IPHONE-IP] INFO: Hashing IPHONE-IP**[129]** with algo #2
<30>Mar 13 09:05:07 racoon: INFO: NAT-D payload #1 doesn't match
I triple-checked ALL settings - they are exactly the same as yours.
Perhaps it makes a difference because I use two CAs and also have several other IPsec BOVPN tunnels?!? ???
Thanks again for your patience and help!
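An added worked example, not part of any post in this thread, of what the NAT-D lines above are actually comparing. RFC 3947 has each side hash its two ISAKMP cookies plus the address and port it believes it is using; the responder recomputes that hash over the address and port the packet really arrived from, and a mismatch (the phone hashing UDP/500 while the firewall saw the [129] shown in the log) is exactly how a carrier NAT shows up. The cookies are the pair quoted later in this thread; the addresses are constructed documentation addresses, and the function names are mine.

```python
import hashlib
import ipaddress
import struct

# IKEv1 hash-algorithm attribute values (RFC 2409, Appendix A): 1 = MD5, 2 = SHA-1.
# racoon's "Hashing X[500] with algo #2" line uses this numbering, so algo #2 is SHA-1.
HASH_ALGOS = {1: "md5", 2: "sha1"}


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: int = 2) -> bytes:
    """NAT-D payload content per RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port).

    IP is the raw 4-byte (IPv4) or 16-byte (IPv6) address, Port is 2 bytes, network order.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port must fit in 16 bits")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(HASH_ALGOS[algo], data).digest()


def nat_between(cky_i: bytes, cky_r: bytes, peer_self_view: tuple,
                peer_as_seen: tuple, algo: int = 2) -> bool:
    """True when a NAT sits between the peer and us.

    peer_self_view: (ip, port) the peer put into its own NAT-D payload, i.e. the
                    address it believes it is sending from.
    peer_as_seen:   (ip, port) the responder actually received the packet from.
    RFC 3947: if the two hashes differ, something rewrote the address or port in transit.
    """
    sent = nat_d_hash(cky_i, cky_r, *peer_self_view, algo=algo)
    local = nat_d_hash(cky_i, cky_r, *peer_as_seen, algo=algo)
    return sent != local


# Cookies taken from the phase 1 timeout line quoted in this thread; the addresses are
# constructed RFC 5737 documentation addresses, not the poster's real ones.
CKY_I = bytes.fromhex("a95cd60e000c4680")
CKY_R = bytes.fromhex("7446a7a497024226")


def demo() -> dict:
    """Reproduce the two situations seen in the thread's logs."""
    # Carrier NAT: the phone hashes its private address and UDP/500, but the firewall
    # receives the packet from a public address on a rewritten port (129 in the log).
    natted = nat_between(CKY_I, CKY_R, ("10.64.0.5", 500), ("198.51.100.23", 129))
    # Public IP on the phone: both sides hash the same address and port, hashes agree.
    direct = nat_between(CKY_I, CKY_R, ("198.51.100.23", 500), ("198.51.100.23", 500))
    return {"carrier_nat": natted, "public_ip": direct}


if __name__ == "__main__":
    print(demo())  # {'carrier_nat': True, 'public_ip': False}
```

Only the responder's copy of the hash is recomputed here; in a real exchange both sides send two NAT-D payloads (one for each address) and a mismatch on either one makes racoon fall back to UDP/4500 encapsulation, which is why "NAT-D payload #1 doesn't match" is informational rather than an error.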
-
OK - now I changed something on my data option. For 2 Euros per month I was able to get a "real" public IP address instead of a natted one! Looks better now in logs - but still I'm not able to finish phase1:
Mar 13 11:35:32 racoon: ERROR: phase1 negotiation failed due to time up. a95cd60e000c4680:7446a7a497024226
Mar 13 11:34:42 racoon: INFO: Adding remote and local NAT-D payloads.
Mar 13 11:34:42 racoon: [Self]: [WAN-IP] INFO: Hashing WAN-IP[500] with algo #2
Mar 13 11:34:42 racoon: [212.23.116.66] INFO: Hashing 212.23.116.66[500] with algo #2
Mar 13 11:34:42 racoon: INFO: NAT not detected
Mar 13 11:34:42 racoon: INFO: NAT-D payload #1 verified
Mar 13 11:34:42 racoon: [212.23.116.66] INFO: Hashing 212.23.116.66[500] with algo #2
Mar 13 11:34:42 racoon: INFO: NAT-D payload #0 verified
Mar 13 11:34:42 racoon: [Self]: [WAN-IP] INFO: Hashing WAN-IP[500] with algo #2
Mar 13 11:34:41 racoon: INFO: Adding xauth VID payload.
Mar 13 11:34:41 racoon: [212.23.116.66] INFO: Selected NAT-T version: RFC 3947
Mar 13 11:34:41 racoon: INFO: received Vendor ID: DPD
Mar 13 11:34:41 racoon: INFO: received Vendor ID: CISCO-UNITY
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Mar 13 11:34:41 racoon: INFO: received Vendor ID: RFC 3947
Mar 13 11:34:41 racoon: INFO: begin Identity Protection mode.
Mar 13 11:34:41 racoon: [Self]: INFO: respond new phase 1 negotiation: WAN-IP[500]<=>212.23.116.66[500]
Now I can see also another problem (?) in system-logs:
Mar 13 11:34:29 php: /vpn_ipsec.php: Could not determine VPN endpoint for 'MUVPN (Apple iOS)'
Mar 13 11:34:05 php: /vpn_ipsec_phase1.php: Could not determine VPN endpoint for 'MUVPN (Apple iOS)'
Mar 13 11:33:55 php: /vpn_ipsec_phase1.php: Reload MUVPN (Apple iOS) tunnel(s)
What does this error mean?
EDIT: The error above is gone since I changed the server certificate to use the IP instead of the domain name. I still run into a phase1 timeout without any other error.
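Added example, not from any poster in this thread, that turns a newest-first pfSense log export like the ones above into a phase 1 summary: which peer started the negotiation, the NAT-T version it selected, the vendor IDs it sent, which NAT-D payloads verified, whether a hashed port other than 500/4500 shows up (the tell-tale of a NAT rewriting the port), and whether the attempt ended in a timeout. The sample lines are constructed after this thread's logs with documentation addresses; the function and key names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the pfSense/racoon syslog lines quoted in this thread.
# Addresses are RFC 5737 documentation addresses. pfSense's log viewer lists the newest
# entry first, so the sample is deliberately in reverse chronological order.
SAMPLE_LOG = """\
Mar 13 11:35:32 racoon: ERROR: phase1 negotiation failed due to time up. a95cd60e000c4680:7446a7a497024226
Mar 13 11:34:42 racoon: INFO: NAT-D payload #1 doesn't match
Mar 13 11:34:42 racoon: [198.51.100.23] INFO: Hashing 198.51.100.23[129] with algo #2
Mar 13 11:34:42 racoon: INFO: NAT-D payload #0 verified
Mar 13 11:34:42 racoon: [Self]: [203.0.113.1] INFO: Hashing 203.0.113.1[500] with algo #2
Mar 13 11:34:41 racoon: INFO: Adding xauth VID payload.
Mar 13 11:34:41 racoon: [198.51.100.23] INFO: Selected NAT-T version: RFC 3947
Mar 13 11:34:41 racoon: INFO: received Vendor ID: DPD
Mar 13 11:34:41 racoon: INFO: received Vendor ID: CISCO-UNITY
Mar 13 11:34:41 racoon: INFO: received Vendor ID: RFC 3947
Mar 13 11:34:41 racoon: INFO: begin Identity Protection mode.
Mar 13 11:34:41 racoon: [Self]: INFO: respond new phase 1 negotiation: 203.0.113.1[500]<=>198.51.100.23[500]
Mar 13 11:34:29 php: /vpn_ipsec.php: Could not determine VPN endpoint for 'Example VPN'
"""

# "Mon DD HH:MM:SS process: message" as pfSense writes it to syslog.
LINE_RE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+(\w+):\s+(.*)$")

PATTERNS = {
    "start": re.compile(r"respond new phase 1 negotiation: ([^\s\[]+)\[(\d+)\]<=>([^\s\[]+)\[(\d+)\]"),
    "natt": re.compile(r"Selected NAT-T version: (.+)$"),
    "vid": re.compile(r"received Vendor ID: (.+)$"),
    "hashing": re.compile(r"Hashing ([^\s\[]+)\[(\d+)\] with algo #(\d+)"),
    "natd": re.compile(r"NAT-D payload #(\d+) (verified|doesn't match)"),
    "nat": re.compile(r"\bNAT (not )?detected\b"),
    "timeout": re.compile(r"phase1 negotiation failed due to time up\.\s+([0-9a-f]+):([0-9a-f]+)"),
    "established": re.compile(r"ISAKMP-SA established"),
}


def parse_lines(text: str) -> list:
    """Return (timestamp, process, message) tuples in chronological order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unrelated line
        mon, day, clock, proc, msg = m.groups()
        ts = datetime.strptime(f"{mon} {int(day)} {clock}", "%b %d %H:%M:%S")
        entries.append((ts, proc, msg))
    # Viewer exported newest-first: flip it so same-second lines keep their true order.
    if entries and entries[0][0] > entries[-1][0]:
        entries.reverse()
    return entries


def triage_phase1(text: str) -> dict:
    """Summarise one IKEv1 phase 1 attempt from a racoon/pfSense log excerpt."""
    s = {"peer": None, "nat_t_version": None, "vendor_ids": [], "hashed_endpoints": [],
         "natd": [], "nat_detected": None, "cookies": None, "outcome": "unknown",
         "config_warnings": []}
    for _ts, proc, msg in parse_lines(text):
        if proc == "php":
            if "Could not determine VPN endpoint" in msg:
                s["config_warnings"].append(msg)
            continue
        if proc != "racoon":
            continue
        if m := PATTERNS["start"].search(msg):
            s["peer"] = m.group(3)
        elif m := PATTERNS["natt"].search(msg):
            s["nat_t_version"] = m.group(1)
        elif m := PATTERNS["vid"].search(msg):
            s["vendor_ids"].append(m.group(1))
        elif m := PATTERNS["hashing"].search(msg):
            s["hashed_endpoints"].append((m.group(1), int(m.group(2)), int(m.group(3))))
        elif m := PATTERNS["natd"].search(msg):
            s["natd"].append((int(m.group(1)), "verified" if m.group(2) == "verified" else "mismatch"))
        elif m := PATTERNS["nat"].search(msg):
            s["nat_detected"] = m.group(1) is None
        elif m := PATTERNS["timeout"].search(msg):
            s["cookies"] = (m.group(1), m.group(2))
            s["outcome"] = "phase1_timeout"
        elif PATTERNS["established"].search(msg):
            s["outcome"] = "phase1_established"
    s["natd"].sort()
    s["natd_mismatch"] = any(r == "mismatch" for _n, r in s["natd"])
    # IKE runs on UDP/500 (or 4500 once NAT-T kicks in); any other hashed port was rewritten.
    s["port_rewritten"] = any(p not in (500, 4500) for _ip, p, _a in s["hashed_endpoints"])
    return s


if __name__ == "__main__":
    for key, value in triage_phase1(SAMPLE_LOG).items():
        print(f"{key:18} {value}")
```

Running it on a real export means pasting the log into SAMPLE_LOG or reading a file; the point of the summary is to separate the two questions this thread keeps mixing up, "is there a NAT in the path" (natd_mismatch / port_rewritten) and "did phase 1 complete" (outcome), since in the later log above NAT-D verified cleanly and the attempt still timed out.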
-
Disable NAT traversal and check if that makes any difference.
-
Once the issues have been troubleshot, I'd suggest adding these step-by-step docs to the pfSense wiki.
-
I suggest also adding these step-by-step docs to the PfSense wiki.
Also there is no need to wait for my (I'm sure) special personal problems:
I just tried it with another iPhone (same model / same iOS Version / same modem version) and there it works like a charm!
On this second iPhone it works with 3G and also direct out of the company networks WLAN.
On my iPhone neither WLAN nor 3G works. So it must have something to do with my iPhone. But I have no idea what this can be! ???
-
OK - I think I know the problem now.
I found other guys on the internet who have VPN problems like me (timeout) after the untethered jailbreak of iOS 5.0.1 - and that's the big difference between my iPhone and the other one. Just to make clear: I have a never-locked iPhone direct from the Apple Store and use the jailbreak for IT-related software which is not available in the App Store (e.g. SSH). So I never hacked the baseband or something like that. But it seems that the untethered jailbreak itself breaks VPN functions!
-
Glad to hear it is working.
-
There is only one last thing, which is a little bit annoying:
If I uncheck the box "Provide login banner to clients", an empty login banner comes up. Is there no possibility to completely disable the banner? I use VPN on demand and so I have to click "OK" on the iPhone all the time…
-
If you are talking about the message 'VPN Connection' with buttons OK and disconnect that iOS shows after connection is established then I don't think there is a way to disable that.
-
Thanks for the guide. Using it and the iPhone Configuration Utility I was able to set up my iPhone with VPN on demand, which is a slick feature, with one issue. I cannot figure out how to make it save my password. Every time I connect to the VPN it prompts for the user password. It appears that if you create the VPN connection on the phone manually via this guide it will save the user password; however, if you do it via the iPhone Configuration Utility I do not see a way to save the password.
Any ideas?
-
Thanks for the guide. Using it and the iPhone Configuration Utility I was able to set up my iPhone with VPN on demand, which is a slick feature, with one issue. I cannot figure out how to make it save my password. Every time I connect to the VPN it prompts for the user password. It appears that if you create the VPN connection on the phone manually via this guide it will save the user password; however, if you do it via the iPhone Configuration Utility I do not see a way to save the password.
Any ideas?
Create an unsigned .mobileconfig and edit it with any text editor. Add these two lines behind the XAuthName-Block:
<key>XAuthPassword</key>
<string>Your Password</string>
Best regards,
Thorsten
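Added example, not from Thorsten or anyone else in this thread, showing the same XAuthPassword edit done with Python's plistlib instead of a text editor, plus an audit helper that lists which VPN payloads in an unsigned .mobileconfig carry a cleartext XAuth password, and one that strips them before a profile is shared or checked into a repository. The sample profile is constructed using the documented com.apple.vpn.managed / IPSec payload keys (only the ones needed here); the function names are mine.

```python
import plistlib

# Constructed minimal profile in the shape the iPhone Configuration Utility exports
# (only the keys relevant here; a real export also carries PayloadUUID, certificates, etc.).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>Example VPN</string>
      <key>VPNType</key><string>IPSec</string>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key><string>Certificate</string>
        <key>XAuthEnabled</key><integer>1</integer>
        <key>XAuthName</key><string>alice</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def load_profile(data: bytes) -> dict:
    # plistlib reads XML and binary plists. A signed .mobileconfig is a CMS (DER) blob
    # wrapping the plist and will not parse here, which is why the post says "unsigned".
    return plistlib.loads(data)


def _vpn_payloads(profile: dict) -> list:
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]


def set_xauth_password(data: bytes, vpn_name: str, password: str) -> bytes:
    """Store the XAuth password in the named VPN payload's IPSec dict (what the post
    describes doing by hand next to XAuthName; plist dicts are unordered, so the
    position relative to XAuthName does not matter)."""
    profile = load_profile(data)
    for payload in _vpn_payloads(profile):
        if payload.get("UserDefinedName") == vpn_name:
            payload.setdefault("IPSec", {})["XAuthPassword"] = password
            return plistlib.dumps(profile)
    raise KeyError(f"no VPN payload named {vpn_name!r}")


def get_xauth_password(data: bytes, vpn_name: str):
    for payload in _vpn_payloads(load_profile(data)):
        if payload.get("UserDefinedName") == vpn_name:
            return payload.get("IPSec", {}).get("XAuthPassword")
    return None


def find_cleartext_xauth_passwords(data: bytes) -> list:
    """Audit helper: (profile name, XAuth user) for every VPN payload carrying a
    non-empty XAuthPassword. In an unsigned, unencrypted profile it is plain XML."""
    hits = []
    for payload in _vpn_payloads(load_profile(data)):
        ipsec = payload.get("IPSec", {})
        if ipsec.get("XAuthPassword"):
            hits.append((payload.get("UserDefinedName"), ipsec.get("XAuthName")))
    return hits


def strip_xauth_passwords(data: bytes) -> bytes:
    """Remove stored XAuth passwords (e.g. before sharing a profile); the user is
    prompted on connect instead, exactly the behaviour the poster was seeing."""
    profile = load_profile(data)
    for payload in _vpn_payloads(profile):
        payload.get("IPSec", {}).pop("XAuthPassword", None)
    return plistlib.dumps(profile)


if __name__ == "__main__":
    with_pw = set_xauth_password(SAMPLE_PROFILE, "Example VPN", "example-password")
    print(find_cleartext_xauth_passwords(with_pw))  # [('Example VPN', 'alice')]
    print(find_cleartext_xauth_passwords(strip_xauth_passwords(with_pw)))  # []
```

Whether the profile is installed through the utility or by mailing it to the phone, the password sits in the file as plain text until the profile is signed and encrypted, so the audit helper is the part worth keeping around once the convenience edit has been made.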
-
Sweet, will give that a shot with this info. Odd that, if the configs support such a feature, the tool would not have the interface to use it. Of course Apple is known for lack of options.
-
Odd that, if the configs support such a feature, the tool would not have the interface to use it. Of course Apple is known for lack of options.
I think it's just because everybody could read the password as clear text…
-
Odd that, if the configs support such a feature, the tool would not have the interface to use it. Of course Apple is known for lack of options.
I think it's just because everybody could read the password as clear text…
Well there are ways they could encrypt the password to at least make it more difficult to see.
-
Create an unsigned .mobileconfig and edit it with any text editor. Add these two lines behind the XAuthName-Block:
<key>XAuthPassword</key>
<string>Your Password</string>
Best regards,
Thorsten
This did not seem to work. I assume that after I edit the file I open it with the iPhone Configuration Utility to load it onto the iPhone.
-
If I export the conf back out the added lines are not there
-
I figured it out :)
You need to email the mobileconfig file to your phone and install it via the email on the phone. Success.
-
For whatever reason, racoon segfaults when I run RSA+Xauth after the client sends back the XAUTH_USER_PASSWORD. This doesn't happen with PSK+Xauth oddly. >:(