On Thu, Jul 2, 2015 at 12:46 AM, Michael Schler <[email protected]> wrote:
> Hello,
>
> I've set up a connection between a Windows 2012 R2 Server (40.40.40.40) using Shrew VPN Client (version 2.2.2) and a SonicWALL (and for tests also with a FortiGate) (50.50.50.50).
>
> The initial VPN tunnel comes up with either firewall.
> When the softlimit timeout for the phase2 is reached the VPN Client starts the renewal of phase2. With the SonicWALL this renewal shows two errors (!!:) towards its end. While the tunnel as such seems to fire up again, it is not possible to reach the final destination server (10.10.10.10) behind the SonicWALL for some time (using Test-Connection, i.e. pings). Only after the hardlimit timeout for phase2 is reached do the pings go through again.
>
> The identical setup (VPN Client-wise) with a FortiGate does not have this problem. Here the phase2 renewal produces no errors and the destination server can be reached by pings at all times.
>
> Shrew VPN Client setup
>
> n:version:4
> n:network-ike-port:500
> n:network-mtu-size:1380
> n:client-addr-auto:0
> n:network-natt-port:4500
> n:network-natt-rate:15
> n:network-frag-size:540
> n:network-dpd-enable:1
> n:client-banner-enable:0
> n:network-notify-enable:1
> n:client-dns-used:0
> n:client-dns-auto:0
> n:client-dns-suffix-auto:0
> n:client-splitdns-used:0
> n:client-splitdns-auto:0
> n:client-wins-used:0
> n:client-wins-auto:1
> n:phase1-dhgroup:5
> n:phase1-life-secs:28800
> n:phase1-life-kbytes:0
> n:vendor-chkpt-enable:0
> n:phase2-life-secs:1800
> n:phase2-life-kbytes:0
> n:policy-nailed:1
> n:policy-list-auto:0
> s:network-host:40.40.40.40
> s:client-auto-mode:disabled
> s:client-iface:virtual
> s:client-ip-addr:192.168.1.1
> s:client-ip-mask:255.255.255.255
> s:network-natt-mode:enable
> s:network-frag-mode:enable
> s:auth-method:mutual-psk
> s:ident-client-type:address
> s:ident-server-type:address
> b:auth-mutual-psk:(secret)
> s:phase1-exchange:aggressive
> s:phase1-cipher:3des
> s:phase1-hash:sha1
> s:phase2-transform:esp-3des
> s:phase2-hmac:sha1
> s:ipcomp-transform:disabled
> n:phase2-pfsgroup:5
> s:policy-level:require
> s:policy-list-include:50.50.50.50 / 255.255.255.255,10.10.10.10 / 255.255.255.255
>
> Connection with the SonicWALL phase 2 renewal last part (VPN Client log)
>
> <- : recv IKE packet 50.50.50.50:500 -> 40.40.40.40:500 ( 76 bytes )
> DB : phase1 found
> ii : processing informational packet ( 76 bytes )
> == : new informational iv ( 8 bytes )
> =< : cookies 915d9ca44709a15b:e77b80b9c572d32d
> =< : message 552fc103
> =< : decrypt iv ( 8 bytes )
> == : decrypt packet ( 76 bytes )
> <= : trimmed packet padding ( 4 bytes )
> <= : stored iv ( 8 bytes )
> << : hash payload
> << : delete payload
> !! : unprocessed payload data !!!
> == : informational hash_i ( computed ) ( 20 bytes )
> == : informational hash_c ( received ) ( 20 bytes )
> !! : informational hash verification failed
> ii : received peer DELETE message
> ii : - 50.50.50.50:500 -> 40.40.40.40:500
> ii : - ipsec-esp spi = 0x5347bf9c
> no further entries until a few minutes later
> ii : phase2 sa is dead
> ii : phase2 removal after expire time
> DB : phase2 deleted ( obj count = 1 )
>
> Connection with the SonicWALL phase 2 renewal last part (VPN Client log)
>
> <- : recv IKE packet 50.50.50.50:500 -> 40.40.40.40:500 ( 76 bytes )
> DB : phase1 found
> ii : processing informational packet ( 76 bytes )
> == : new informational iv ( 8 bytes )
> =< : cookies 30319e5309693dd8:33dfc550c179a81b
> =< : message 2db6a00f
> =< : decrypt iv ( 8 bytes )
> == : decrypt packet ( 76 bytes )
> <= : trimmed packet padding ( 8 bytes )
> <= : stored iv ( 8 bytes )
> << : hash payload
> << : delete payload
> == : informational hash_i ( computed ) ( 20 bytes )
> == : informational hash_c ( received ) ( 20 bytes )
> ii : informational hash verified
> ii : received peer DELETE message
> ii : - 50.50.50.50:500 -> 40.40.40.40:500
> ii : - ipsec-esp spi = 0xb9b142e9
> DB : phase2 found
> DB : cleanup, marked phase2 0xb9b142e9 for removal
> DB : phase2 hard event canceled ( ref count = 1 )
> K> : send pfkey DELETE ESP message
> K< : recv pfkey DELETE ESP message
> K> : send pfkey DELETE ESP message
> K< : recv pfkey DELETE ESP message
> ii : phase2 removal before expire time
> DB : phase2 deleted ( obj count = 1 )
>
> Does anyone have an idea why the phase2 renewal with the SonicWALL produces the
> !! : unprocessed payload data !!!
> !! : informational hash verification failed
> errors?
> Even setting the log level to "loud", I could see nothing in the logs as to why the pings don't go through for some minutes and afterwards go through again.
>
> Thank You!

Hi Michael,

Can you enable debug and attach it to this mail? https://www.shrew.net/support/VPN_Bug_Report_Windows

Regards,

> _______________________________________________
> vpn-help mailing list
> [email protected]
> https://lists.shrew.net/mailman/listinfo/vpn-help
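The failing log above shows the sequence a receiver goes through for an IKEv1 informational DELETE: walk the payload chain (hash payload, delete payload), notice bytes left over after the last payload ("unprocessed payload data"), then compare the received HASH(1) with one computed locally. The following is an added example, not code from this thread or from the Shrew VPN client. It builds that decrypted payload chain, computes HASH(1) = prf(SKEYID_a, M-ID | N/D) per RFC 2409 section 5.7 with HMAC-SHA1 as the prf (matching the phase1-hash sha1 in the posted profile), and verifies it as a receiver would. The message ID and ESP SPI are taken from the first log; SKEYID_a is an invented key, and the "trailing bytes counted into the hash by the sender" case is a constructed illustration of how a sender and receiver that disagree on what the hash covers end up with exactly a leftover-bytes warning followed by a hash mismatch. It is not a claim about what the SonicWALL actually does.

```python
"""
Minimal IKEv1 (ISAKMP) informational DELETE: build the decrypted payload
chain, compute HASH(1) per RFC 2409 section 5.7, and verify it the way a
receiver does, flagging bytes left over after the last payload.

Added example, not code from the mailing-list thread or the Shrew VPN client.
SKEYID_a is invented; message ID and SPI are copied from the posted log.
"""
import hashlib
import hmac
import struct

# ISAKMP payload type identifiers (RFC 2408 section 3.1)
PAYLOAD_NONE = 0
PAYLOAD_HASH = 8
PAYLOAD_DELETE = 12
DOI_IPSEC = 1            # IPsec DOI (RFC 2407)
PROTO_IPSEC_ESP = 3      # IPsec DOI protocol identifier for ESP

# Constructed inputs: SKEYID_a would come from phase 1; this value is made up.
SKEYID_A = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
MESSAGE_ID = 0x552FC103  # "message 552fc103" in the client log
ESP_SPI = 0x5347BF9C     # "ipsec-esp spi = 0x5347bf9c" in the client log


def generic_header(next_payload, body):
    """Generic payload header (RFC 2408 section 3.2): next, reserved, length."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def delete_payload(spi, next_payload=PAYLOAD_NONE):
    """Delete payload for one 4-byte ESP SPI (RFC 2408 section 3.15)."""
    body = struct.pack("!IBBH", DOI_IPSEC, PROTO_IPSEC_ESP, 4, 1)
    body += struct.pack("!I", spi)
    return generic_header(next_payload, body)


def informational_hash(skeyid_a, message_id, covered):
    """HASH(1) = prf(SKEYID_a, M-ID | N/D), RFC 2409 section 5.7, prf = HMAC-SHA1."""
    data = struct.pack("!I", message_id) + covered
    return hmac.new(skeyid_a, data, hashlib.sha1).digest()


def walk_payloads(first_payload, data):
    """Follow the next-payload chain; return [(type, body), ...] and leftover bytes."""
    payloads, ptype, off = [], first_payload, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated generic payload header")
        nxt, _reserved, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("payload length %d out of range" % length)
        payloads.append((ptype, data[off + 4:off + length]))
        off += length
        ptype = nxt
    return payloads, data[off:]          # leftover = "unprocessed payload data"


def build_informational(skeyid_a, message_id, spi, trailing=b""):
    """Sender side: HASH(1) | DELETE [| trailing bytes outside the chain].

    The RFC text covers only the delete payload. A sender that appends
    'trailing' and counts it into the hashed data is the constructed
    mismatch case used below; it is not attributed to any real product.
    """
    delete = delete_payload(spi)
    digest = informational_hash(skeyid_a, message_id, delete + trailing)
    return generic_header(PAYLOAD_DELETE, digest) + delete + trailing


def verify_informational(skeyid_a, message_id, decrypted):
    """Receiver side, mirroring the log: walk payloads, count leftovers, check HASH(1)."""
    payloads, leftover = walk_payloads(PAYLOAD_HASH, decrypted)
    if not payloads or payloads[0][0] != PAYLOAD_HASH:
        return {"hash_ok": False, "unprocessed": len(leftover), "spis": []}
    received = payloads[0][1]
    # Hash covers the payloads after HASH, as transmitted, but not the leftovers.
    after_hash = decrypted[4 + len(received):len(decrypted) - len(leftover)]
    computed = informational_hash(skeyid_a, message_id, after_hash)
    spis = []
    for ptype, body in payloads[1:]:
        if ptype == PAYLOAD_DELETE:
            _doi, proto, spi_size, count = struct.unpack("!IBBH", body[:8])
            for i in range(count):
                spis.append((proto, body[8 + i * spi_size:8 + (i + 1) * spi_size]))
    return {"hash_ok": hmac.compare_digest(received, computed),
            "unprocessed": len(leftover), "spis": spis}


if __name__ == "__main__":
    clean = build_informational(SKEYID_A, MESSAGE_ID, ESP_SPI)
    print("clean  :", verify_informational(SKEYID_A, MESSAGE_ID, clean))
    padded = build_informational(SKEYID_A, MESSAGE_ID, ESP_SPI, trailing=b"\x00" * 4)
    print("padded :", verify_informational(SKEYID_A, MESSAGE_ID, padded))
```

Running it, the clean message verifies with zero leftover bytes and yields the ESP SPI from the log; the padded message reports 4 unprocessed bytes and a hash mismatch, the same two conditions the first log prints back to back. A real capture of the decrypted informational (the debug output the reply asks for) is what would tell whether the peer's extra bytes are covered by its hash or not.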
