L2TP failure - IKE SA deleted


Miguel Lamy

Hi,

I'm trying an L2TP connection in a Windows 2000 server
with remote access installed but I only get "IKE SA
deleted before establishment completed".

I tried the connection in the intranet and everything
works fine but when I try a connection from outside it
doesn't work.

I am using a Cisco 1601 router with ACL in outside
interface with UDP ports 500, 1701 open and permissions
for protocol ESP.

My remote access machine (Windows 2000) has two network
cards (one for the intranet and one in internet). My
router performs NAT but has an ACL that denies the NAT
for the internet IP address configured in RAS. This
connection works fine with PPTP (I also open the port
TCP 1723 and protocol GRE for testing purposes). I
debugged the NAT translation during the NAT connection
and no translation occurs in the router.

I don't have any configuration in the inside interface
besides the deny of NAT for the internet address. The
router performs routing of the internet address to the
Ethernet interface.

I use certificates (configured with Windows 2000) in my
configuration and RADIUS server (also configured with
Windows 2000).

Before the connection ends I can see in IPsec monitor the
L2TP rule, but after some time it is dropped.

In event viewer in RAS I can see the main mode and quick
mode established and after a while main mode and quick
mode ended with the correct address. After that I
received IKE security association failed in main mode
using as source address my intranet address in the RAS
and "IKE SA deleted before establishment completed" as
failure message.

I tried a lot of configurations but nothing works.

Thanks in advance for any help

Miguel Lamy
 
Hi Miguel,

This failure could happen if the preshared keys don't match or if the main
mode security methods don't match. Check both of these.

If this does not solve your problem, having a look at the oakley log would
show where the failure is happening.

Can you give the oakley log? The steps to get this log are given below:

To enable the logs, execute the command below:
netsh ipsec dynamic>set config ikelogging 1

Log path:
\windows\debug\oakley.log

Thanks,
Sharoon

 
Hi Sharoon,

Thanks a lot for your reply.

I think you are right (main modes do not match (SHA and MD5)) but I don't know what I can do to correct the problem.

The oakley.log is too big to fit in this message. How can I send you the oakley log?

Thanks again

Miguel Lamy

Oakley log:

12-12: 14:13:15:1ac
12-12: 14:13:15:1ac Resume: (get) SA = 0x0023c0f8 from 213.58.10.155
12-12: 14:13:15:1ac ISAKMP Header: (V1.0), len = 52
12-12: 14:13:15:1ac I-COOKIE d4ff438bad5f2998
12-12: 14:13:15:1ac R-COOKIE 831cd778eaba3d2e
12-12: 14:13:15:1ac exchange: Oakley Quick Mode
12-12: 14:13:15:1ac flags: 3 ( encrypted commit )
12-12: 14:13:15:1ac next payload: HASH
12-12: 14:13:15:1ac message ID: 5375644d
12-12: 14:13:15:1ac Centry 0023D550
12-12: 14:13:15:1ac Doing tripleDES
12-12: 14:13:15:1ac Stopping RetransTimer sa:0023C0F8 centry:0023D550 handle:000E9BE0
12-12: 14:13:15:1ac Received QM with mess ID 1400202317
12-12: 14:13:15:1ac processing HASH (QM)
12-12: 14:13:15:1ac Verify QM Hash mess ID = 1298429267
12-12: 14:13:15:1ac Checking nodes
12-12: 14:13:15:1ac Checking node: spi=-234412449 other_spi=1467143850 accept=1 num=1
12-12: 14:13:15:1ac Found accepted node
12-12: 14:13:15:1ac HMAC Transform 1
12-12: 14:13:15:1ac Phase II Hash Length 16
12-12: 14:13:15:1ac Hash len 20
12-12: 14:13:15:1ac HMAC Transform 1
12-12: 14:13:15:1ac Phase II Hash Length 16
12-12: 14:13:15:1ac Hash len 20
12-12: 14:13:15:1ac Proxy src addr 9b0a3ad5

12-12: 14:13:15:1ac Proxy src port a506

12-12: 14:13:15:1ac Proxy dest addr dea1fb50

12-12: 14:13:15:1ac Proxy dest port 0

12-12: 14:13:15:1ac src addr 9b0a3ad5

12-12: 14:13:15:1ac src port f401

12-12: 14:13:15:1ac dst addr dea1fb50

12-12: 14:13:15:1ac dst port f401

12-12: 14:13:15:1ac Hmac algo 1
12-12: 14:13:15:1ac Transform 3
12-12: 14:13:15:1ac SRC PORT = 0 DST PORT=a506
12-12: 14:13:15:1ac HMAC algo 1
12-12: 14:13:15:1ac ESP Algo 3 ConKeyLen 24 KeyLen 40
12-12: 14:13:15:1ac Filter SRC port=0
12-12: 14:13:15:1ac Filter DST port=a506
12-12: 14:13:15:1ac LifetimeSec 3600
12-12: 14:13:15:1ac LifetimeKB 250000
12-12: 14:13:15:1ac NotifyLifetimeSec 0
12-12: 14:13:15:1ac NotifyLifetimeKB 0
12-12: 14:13:15:1ac Add: src = 80.251.161.222.0000, dst = 213.58.10.155.42246, proto = 17, context = 81951B28, tunnel endpt = 0.0.0.0, SrcMask = 255.255.255.255, DestMask = 255.255.255.255 SPI=1467143850 LifetimeTime= 3600 LifeTimeBytes= 250000
12-12: 14:13:15:1ac Elap time 0 AcquireTime 1071238395
12-12: 14:13:15:1ac Data Protection Mode (Quick Mode)


12-12: 14:13:15:1ac Certificate based Identity.

Subject siageuro.gedi-lisb.pt

Issuing Certificate Authority PT, Lisboa, Miraflores, "GEDI, SA", Organizacao, GEDI-ROOT

Root Certificate Authority PT, Lisboa, Miraflores, "GEDI, SA", Organizacao, GEDI-ROOT

Peer IP Address: 213.58.10.155


12-12: 14:13:15:1ac Source IP Address 80.251.161.222

Source IP Address Mask 255.255.255.255

Destination IP Address 213.58.10.155

Destination IP Address Mask 255.255.255.255

Protocol 17

Source Port 0

Destination Port 1701


12-12: 14:13:15:1ac ESP Algorithm Triple DES CBC

HMAC Algorithm MD5

AH Algorithm None

Encapsulation Transport Mode

InboundSpi -234412449

OutBoundSpi 1467143850

Lifetime (sec) 3600

Lifetime (kb) 250000


12-12: 14:13:15:1ac Proxy src addr 9b0a3ad5

12-12: 14:13:15:1ac Proxy src port a506

12-12: 14:13:15:1ac Proxy dest addr dea1fb50

12-12: 14:13:15:1ac Proxy dest port 0

12-12: 14:13:15:1ac src addr 9b0a3ad5

12-12: 14:13:15:1ac src port f401

12-12: 14:13:15:1ac dst addr dea1fb50

12-12: 14:13:15:1ac dst port f401

12-12: 14:13:15:1ac Hmac algo 1
12-12: 14:13:15:1ac Transform 3
12-12: 14:13:15:1ac SRC PORT = a506 DST PORT=0
12-12: 14:13:15:1ac HMAC algo 1
12-12: 14:13:15:1ac ESP Algo 3 ConKeyLen 24 KeyLen 40
12-12: 14:13:15:1ac Filter SRC port=a506
12-12: 14:13:15:1ac Filter DST port=0
12-12: 14:13:15:1ac LifetimeSec 3600
12-12: 14:13:15:1ac LifetimeKB 250000
12-12: 14:13:15:1ac NotifyLifetimeSec 0
12-12: 14:13:15:1ac NotifyLifetimeKB 0
12-12: 14:13:15:1ac Update: src = 213.58.10.155.42246, dst = 80.251.161.222.0000, proto = 17, context = 81951B28, tunnel endpt = 0.0.0.0, SrcMask = 255.255.255.255, DestMask = 255.255.255.255 SPI=-234412449 LifetimeTime= 3600 LifeTimeBytes= 250000
12-12: 14:13:15:1ac Adding SPI to SA: -234412449
12-12: 14:13:15:1ac Spi flags 2
12-12: 14:13:15:1ac isadb_set_status sa:0023C0F8 centry:0023D550 status 0
12-12: 14:13:15:1ac In state OAK_QM_IDLE
12-12: 14:13:15:1ac Constructing Commit Notify
12-12: 14:13:15:1ac constructing ISAKMP Header
12-12: 14:13:15:1ac constructing HASH (null)
12-12: 14:13:15:1ac constructing NOTIFY 16384
12-12: 14:13:15:1ac Copy messid 5375644d
12-12: 14:13:15:1ac constructing HASH (QM)
12-12: 14:13:15:1ac Construct QM Hash mess ID = 1298429267
12-12: 14:13:15:1ac Added Timeout 128900
12-12: 14:13:15:1ac Throw: State mask=34180
12-12: 14:13:15:1ac Doing tripleDES
12-12: 14:13:15:1ac
12-12: 14:13:15:1ac Sending: SA = 0x0023C0F8 to 213.58.10.155
12-12: 14:13:15:1ac ISAKMP Header: (V1.0), len = 84
12-12: 14:13:15:1ac I-COOKIE d4ff438bad5f2998
12-12: 14:13:15:1ac R-COOKIE 831cd778eaba3d2e
12-12: 14:13:15:1ac exchange: Oakley Quick Mode
12-12: 14:13:15:1ac flags: 3 ( encrypted commit )
12-12: 14:13:15:1ac next payload: HASH
12-12: 14:13:15:1ac message ID: 5375644d
12-12: 14:13:16:31c Posting acquire: op=81951B28 src=192.168.1.65.0 dst=213.58.10.155.42246 proto = 17, SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 0, TunnelEndpt=0.0.0.0 Inbound TunnelEndpt=0.0.0.0
12-12: 14:13:16:31c Acquire thread waiting
12-12: 14:13:16:1ac find(ipsec): ae147f6f-801f-4baa-a46b138c7306aa36
12-12: 14:13:16:1ac outstanding_kernel_req returned 0
12-12: 14:13:16:1ac Created new SA 239758
12-12: 14:13:16:1ac Setting proxy QM types
12-12: 14:13:16:1ac Acquire: src = 192.168.1.65.0000, dst = 213.58.10.155.62465, proto = 17, context = 81951B28, ProxySrc = 192.168.1.65.0000, ProxyDst = 213.58.10.155.a506 SrcMask = 0.0.0.0 DstMask = 0.0.0.0
12-12: 14:13:16:1ac constructing ISAKMP Header
12-12: 14:13:16:1ac constructing SA (ISAKMP)
12-12: 14:13:16:1ac find(isakmp): ae147f6f-801f-4baa-a46b138c7306aa36
12-12: 14:13:16:1ac Setting group desc
12-12: 14:13:16:1ac Setting group desc
12-12: 14:13:16:1ac Setting group desc
12-12: 14:13:16:1ac Setting group desc
12-12: 14:13:16:1ac Constructing Vendor
12-12: 14:13:16:1ac Throw: State mask=1
12-12: 14:13:16:1ac Added Timeout 11e910
12-12: 14:13:16:1ac Setting Retransmit: sa 239758 handle 11e910 context 23ff78
12-12: 14:13:16:1ac
12-12: 14:13:16:1ac Sending: SA = 0x00239758 to 213.58.10.155
12-12: 14:13:16:1ac ISAKMP Header: (V1.0), len = 216
12-12: 14:13:16:1ac I-COOKIE dd5e27393be37e5d
12-12: 14:13:16:1ac R-COOKIE 0000000000000000
12-12: 14:13:16:1ac exchange: Oakley Main Mode
12-12: 14:13:16:1ac flags: 0
12-12: 14:13:16:1ac next payload: SA
12-12: 14:13:16:1ac message ID: 00000000
12-12: 14:13:17:1ac Handling Retransmit: sa 239758 handle 11e910 context 23ff78 arg 23ff78
12-12: 14:13:17:1ac retransmit: sa = 00239758 centry 00000000 , count = 0
12-12: 14:13:17:1ac
12-12: 14:13:17:1ac Sending: SA = 0x00239758 to 213.58.10.155
12-12: 14:13:17:1ac ISAKMP Header: (V1.0), len = 216
12-12: 14:13:17:1ac I-COOKIE dd5e27393be37e5d
12-12: 14:13:17:1ac R-COOKIE 0000000000000000
12-12: 14:13:17:1ac exchange: Oakley Main Mode
12-12: 14:13:17:1ac flags: 0
12-12: 14:13:17:1ac next payload: SA
12-12: 14:13:17:1ac message ID: 00000000
12-12: 14:13:19:1ac Handling Retransmit: sa 239758 handle 11e910 context 23ff78 arg 23ff78
12-12: 14:13:19:1ac retransmit: sa = 00239758 centry 00000000 , count = 1
12-12: 14:13:19:1ac
12-12: 14:13:19:1ac Sending: SA = 0x00239758 to 213.58.10.155
12-12: 14:13:19:1ac ISAKMP Header: (V1.0), len = 216
12-12: 14:13:19:1ac I-COOKIE dd5e27393be37e5d
12-12: 14:13:19:1ac R-COOKIE 0000000000000000
12-12: 14:13:19:1ac exchange: Oakley Main Mode
12-12: 14:13:19:1ac flags: 0
12-12: 14:13:19:1ac next payload: SA
12-12: 14:13:19:1ac message ID: 00000000
12-12: 14:13:23:1ac Handling Retransmit: sa 239758 handle 11e910 context 23ff78 arg 23ff78
12-12: 14:13:23:1ac retransmit: sa = 00239758 centry 00000000 , count = 2
12-12: 14:13:23:1ac
12-12: 14:13:23:1ac Sending: SA = 0x00239758 to 213.58.10.155
12-12: 14:13:23:1ac ISAKMP Header: (V1.0), len = 216
12-12: 14:13:23:1ac I-COOKIE dd5e27393be37e5d
12-12: 14:13:23:1ac R-COOKIE 0000000000000000
12-12: 14:13:23:1ac exchange: Oakley Main Mode
12-12: 14:13:23:1ac flags: 0
12-12: 14:13:23:1ac next payload: SA
12-12: 14:13:23:1ac message ID: 00000000
12-12: 14:13:24:1ac ReapCentry centry 0023D550 Tick 1 Status 0 Event 00000000
12-12: 14:13:31:1ac Handling Retransmit: sa 239758 handle 11e910 context 23ff78 arg 23ff78
12-12: 14:13:31:1ac retransmit: sa = 00239758 centry 00000000 , count = 3
12-12: 14:13:31:1ac
12-12: 14:13:31:1ac Sending: SA = 0x00239758 to 213.58.10.155
12-12: 14:13:31:1ac ISAKMP Header: (V1.0), len = 216
12-12: 14:13:31:1ac I-COOKIE dd5e27393be37e5d
12-12: 14:13:31:1ac R-COOKIE 0000000000000000
12-12: 14:13:31:1ac exchange: Oakley Main Mode
12-12: 14:13:31:1ac flags: 0
12-12: 14:13:31:1ac next payload: SA
12-12: 14:13:31:1ac message ID: 00000000
12-12: 14:13:47:1ac Handling Retransmit: sa 239758 handle 11e910 context 23ff78 arg 23ff78
12-12: 14:13:47:1ac retransmit: sa = 00239758 centry 00000000 , count = 4
12-12: 14:13:47:1ac
12-12: 14:13:47:1ac Sending: SA = 0x00239758 to 213.58.10.155
12-12: 14:13:47:1ac ISAKMP Header: (V1.0), len = 216
12-12: 14:13:47:1ac I-COOKIE dd5e27393be37e5d
12-12: 14:13:47:1ac R-COOKIE 0000000000000000
12-12: 14:13:47:1ac exchange: Oakley Main Mode
12-12: 14:13:47:1ac flags: 0
12-12: 14:13:47:1ac next payload: SA
12-12: 14:13:47:1ac message ID: 00000000
12-12: 14:13:51:324 *****************Queueing work for worker. 180
12-12: 14:13:51:1ac
12-12: 14:13:51:1ac Resume: (get) SA = 0x0023c0f8 from 213.58.10.155
12-12: 14:13:51:1ac ISAKMP Header: (V1.0), len = 68
12-12: 14:13:51:1ac I-COOKIE d4ff438bad5f2998
12-12: 14:13:51:1ac R-COOKIE 831cd778eaba3d2e
12-12: 14:13:51:1ac exchange: ISAKMP Informational Exchange
12-12: 14:13:51:1ac flags: 1 ( encrypted )
12-12: 14:13:51:1ac next payload: HASH
12-12: 14:13:51:1ac message ID: 628358af
12-12: 14:13:51:1ac Doing tripleDES
12-12: 14:13:51:1ac Received InfoExchange with mess ID 1652775087
12-12: 14:13:51:1ac processing HASH (ND)
12-12: 14:13:51:1ac ND Verify Hash skeyid_a 0ae29836d6351abff0f893b367c56d88
12-12: 14:13:51:1ac c4e1bc44
12-12: 14:13:51:1ac Verify ND Hash mess ID 628358af
12-12: 14:13:51:1ac Verify ND hash message len = 16 hdrlen=68 hashpl=24
12-12: 14:13:51:1ac ND Hash message 0000001000000001030400015772d6aa
12-12: 14:13:51:1ac
12-12: 14:13:51:1ac processing payload DELETE
12-12: 14:13:51:1ac Processing Delete
12-12: 14:13:51:1ac Expiring SPI -234412449 src 9b0a3ad5 dst dea1fb50
12-12: 14:13:51:31c Posting acquire: op=00000000 src=213.58.10.155.42246 dst=0.0.0.0.42246 proto = 17, SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 0, TunnelEndpt=17.0.0.0 Inbound TunnelEndpt=0.0.6.165
12-12: 14:13:51:31c Acquire thread waiting
12-12: 14:13:51:55c Source IP Address 80.251.161.222

Source IP Address Mask 255.255.255.255

Destination IP Address 213.58.10.155

Destination IP Address Mask 255.255.255.255

Protocol 17

Source Port 0

Destination Port 1701


12-12: 14:13:51:55c -234412449
12-12: 14:13:51:55c 1467143850
12-12: 14:13:51:55c SA Notify from driver: Src dea1fb50 Dest 9b0a3ad5 InSPI -234412449 OutSpi 1467143850
Tunnel 0 TunnelFilter 17
12-12: 14:13:51:55c Removing SPI=-234412449 addr=9b0a3ad5
12-12: 14:13:51:55c Removing SPI from list: SPI=4060554847
12-12: 14:13:51:55c constructing ISAKMP Header
12-12: 14:13:51:55c constructing HASH (null)
12-12: 14:13:51:55c constructing HASH (ND)
12-12: 14:13:51:55c Construct ND hash message len = 16 pcklen=68 hashlen=20
12-12: 14:13:51:55c Construct ND Hash mess ID 2a529365
12-12: 14:13:51:55c ND Hash skeyid_a 0ae29836d6351abff0f893b367c56d88
12-12: 14:13:51:55c c4e1bc44
12-12: 14:13:51:55c ND Hash message 000000100000000103040001f207265f
12-12: 14:13:51:55c
12-12: 14:13:51:55c Throw: State mask=117f
12-12: 14:13:51:55c Doing tripleDES
12-12: 14:13:51:55c
12-12: 14:13:51:55c Sending: SA = 0x0023C0F8 to 213.58.10.155
12-12: 14:13:51:55c ISAKMP Header: (V1.0), len = 68
12-12: 14:13:51:55c I-COOKIE d4ff438bad5f2998
12-12: 14:13:51:55c R-COOKIE 831cd778eaba3d2e
12-12: 14:13:51:55c exchange: ISAKMP Informational Exchange
12-12: 14:13:51:55c flags: 1 ( encrypted )
12-12: 14:13:51:55c next payload: HASH
12-12: 14:13:51:55c message ID: 2a529365
12-12: 14:13:51:324 *****************Queueing work for worker. 181
12-12: 14:13:51:55c
12-12: 14:13:51:55c Resume: (get) SA = 0x0023c0f8 from 213.58.10.155
12-12: 14:13:51:55c ISAKMP Header: (V1.0), len = 84
12-12: 14:13:51:55c I-COOKIE d4ff438bad5f2998
12-12: 14:13:51:55c R-COOKIE 831cd778eaba3d2e
12-12: 14:13:51:55c exchange: ISAKMP Informational Exchange
12-12: 14:13:51:55c flags: 1 ( encrypted )
12-12: 14:13:51:55c next payload: HASH
12-12: 14:13:51:55c message ID: 84b162cc
12-12: 14:13:51:55c Doing tripleDES
12-12: 14:13:51:55c Received InfoExchange with mess ID 2226217676
12-12: 14:13:51:55c processing HASH (ND)
12-12: 14:13:51:55c ND Verify Hash skeyid_a 0ae29836d6351abff0f893b367c56d88
12-12: 14:13:51:55c c4e1bc44
12-12: 14:13:51:55c Verify ND Hash mess ID 84b162cc
12-12: 14:13:51:55c Verify ND hash message len = 28 hdrlen=80 hashpl=24
12-12: 14:13:51:55c ND Hash message 0000001c0000000101100001d4ff438b
12-12: 14:13:51:55c ad5f2998831cd778eaba3d2e
12-12: 14:13:51:55c processing payload DELETE
12-12: 14:13:51:55c Processing Delete
12-12: 14:13:51:55c SA Dead. sa:0023C0F8 status:cbad0327
12-12: 14:13:51:55c isadb_set_status sa:0023C0F8 centry:00000000 status cbad0327
12-12: 14:13:51:55c Source IP Address 213.58.10.155

Source IP Address Mask 255.255.255.255

Destination IP Address 80.251.161.222

Destination IP Address Mask 255.255.255.255

Protocol 0

Source Port 0

Destination Port 0


12-12: 14:14:09:55c SA Dead. sa:00239758 status:cbad0328
12-12: 14:14:09:55c isadb_set_status sa:00239758 centry:00000000 status cbad0328
12-12: 14:14:09:55c Stopping RetransTimer sa:00239758 centry:00000000 handle:0011E910
12-12: 14:14:09:55c Key Exchange Mode (Main Mode)


12-12: 14:14:09:55c Source IP Address 192.168.1.65

Source IP Address Mask 255.255.255.255

Destination IP Address 213.58.10.155

Destination IP Address Mask 255.255.255.255

Protocol 0

Source Port 0

Destination Port 0


12-12: 14:14:09:55c Me


12-12: 14:14:09:55c IKE SA deleted before establishment completed


12-12: 14:14:09:55c constructing ISAKMP Header
12-12: 14:14:09:55c constructing DELETE
12-12: 14:14:09:55c Throw: State mask=1
12-12: 14:14:09:55c
12-12: 14:14:09:55c Sending: SA = 0x00239758 to 213.58.10.155
12-12: 14:14:09:55c ISAKMP Header: (V1.0), len = 56
12-12: 14:14:09:55c I-COOKIE dd5e27393be37e5d
12-12: 14:14:09:55c R-COOKIE 0000000000000000
12-12: 14:14:09:55c exchange: ISAKMP Informational Exchange
12-12: 14:14:09:55c flags: 0
12-12: 14:14:09:55c next payload: DELETE
12-12: 14:14:09:55c message ID: 1bf386fc
12-12: 14:14:09:55c Deleting SA 00239758
12-12: 14:14:09:55c Cancelling Timeout 11e910
12-12: 14:14:09:55c Reaper deleting SA 23c0f8
12-12: 14:14:09:55c Deleting ConnEntry 0023D550
12-12: 14:14:09:55c Cancelling Timeout e9be0
12-12: 14:14:09:55c Cancelling Timeout 128900
12-12: 14:14:09:55c Deleting SA 0023C0F8
12-12: 14:14:09:55c Cancelling Timeout 1104f8
12-12: 14:14:09:55c Cancelling Timeout 125970
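
Added example, not part of the original posts: a Python sketch for reading an Oakley log of the shape shown above. It groups ISAKMP packets by SA handle and reports Main Mode negotiations that this host started but that never received a responder cookie, together with the local source address from the matching "Acquire" line. The function names are hypothetical and the sample input is an abridged excerpt of the log above.

```python
import re

# Abridged excerpt of the Oakley log posted above: lines are copied or
# shortened from it and most of the trace is omitted.
SAMPLE_LOG = """\
12-12: 14:13:15:1ac Resume: (get) SA = 0x0023c0f8 from 213.58.10.155
12-12: 14:13:15:1ac ISAKMP Header: (V1.0), len = 52
12-12: 14:13:15:1ac I-COOKIE d4ff438bad5f2998
12-12: 14:13:15:1ac R-COOKIE 831cd778eaba3d2e
12-12: 14:13:15:1ac exchange: Oakley Quick Mode
12-12: 14:13:16:1ac Created new SA 239758
12-12: 14:13:16:1ac Acquire: src = 192.168.1.65.0000, dst = 213.58.10.155.62465, proto = 17
12-12: 14:13:16:1ac Sending: SA = 0x00239758 to 213.58.10.155
12-12: 14:13:16:1ac ISAKMP Header: (V1.0), len = 216
12-12: 14:13:16:1ac I-COOKIE dd5e27393be37e5d
12-12: 14:13:16:1ac R-COOKIE 0000000000000000
12-12: 14:13:16:1ac exchange: Oakley Main Mode
12-12: 14:13:17:1ac retransmit: sa = 00239758 centry 00000000 , count = 0
12-12: 14:13:17:1ac Sending: SA = 0x00239758 to 213.58.10.155
12-12: 14:13:17:1ac I-COOKIE dd5e27393be37e5d
12-12: 14:13:17:1ac R-COOKIE 0000000000000000
12-12: 14:13:17:1ac exchange: Oakley Main Mode
12-12: 14:13:51:55c SA Dead. sa:0023C0F8 status:cbad0327
12-12: 14:14:09:55c SA Dead. sa:00239758 status:cbad0328
12-12: 14:14:09:55c IKE SA deleted before establishment completed
"""

# "MM-DD: HH:MM:SS:<hex tag> message"; the hex tag is treated as opaque.
LINE = re.compile(r"^\d\d-\d\d: (\d\d:\d\d:\d\d):[0-9a-f]+ ?(.*)$")
PACKET = re.compile(
    r"^(Sending:|Resume: \(get\)) SA = 0x([0-9a-fA-F]+) (to|from) (\S+)")
ACQUIRE = re.compile(r"^Acquire: src = (\d+\.\d+\.\d+\.\d+)\.")
DEAD = re.compile(r"^SA Dead\. sa:([0-9a-fA-F]+) status:([0-9a-fA-F]+)")


def new_sa():
    return {"peer": None, "local_src": None, "sent": 0, "received": 0,
            "exchanges": set(), "responder_seen": False,
            "first": None, "last": None, "status": None}


def parse_oakley(text):
    """Return {sa_handle: summary} for every SA mentioned in the log text."""
    sas = {}
    current = None   # SA of the packet whose header lines are being read
    created = None   # SA named by the latest "Created new SA" line
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # untimestamped continuation lines of a record
        when, msg = m.group(1), m.group(2).strip()
        if (p := PACKET.match(msg)):
            current = int(p.group(2), 16)
            sa = sas.setdefault(current, new_sa())
            sa["peer"] = p.group(4)
            sa["sent" if p.group(3) == "to" else "received"] += 1
            sa["first"] = sa["first"] or when
            sa["last"] = when
        elif msg.startswith("R-COOKIE ") and current is not None:
            # An all-zero responder cookie means the peer has not answered.
            if int(msg.split()[1], 16) != 0:
                sas[current]["responder_seen"] = True
        elif msg.startswith("exchange: ") and current is not None:
            sas[current]["exchanges"].add(msg[len("exchange: "):])
            current = None
        elif msg.startswith("Created new SA "):
            created = int(msg.split()[-1], 16)
            sas.setdefault(created, new_sa())
        elif (a := ACQUIRE.match(msg)) and created is not None:
            sas[created]["local_src"] = a.group(1)
        elif (d := DEAD.match(msg)):
            sas.setdefault(int(d.group(1), 16), new_sa())["status"] = d.group(2)
    return sas


def unanswered_main_mode(sas):
    """SAs where this host sent Main Mode packets and got nothing back."""
    keep = ("peer", "local_src", "sent", "first", "last", "status")
    return [
        {"sa": hex(handle), **{k: sa[k] for k in keep}}
        for handle, sa in sas.items()
        if "Oakley Main Mode" in sa["exchanges"]
        and sa["sent"] and not sa["received"] and not sa["responder_seen"]
    ]


if __name__ == "__main__":
    for hit in unanswered_main_mode(parse_oakley(SAMPLE_LOG)):
        print(hit)
```

Run against the full log, the report shows which local address each unanswered negotiation was acquired for, which is the detail to compare with the address the peer originally connected to.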
 
I'm having a similar problem.
(I posted on 12/30/2003 w/title "L2TP/IPSec problem with
Oakley")
Did you ever resolve this?
If so how?
Explain in detail please.

Thanks,

pjc
 