NS25, Netscreen Remote Main Mode Cert VPN



  • Hi,

    I am having major problems with Netscreen Remote and certs in Main mode. Does anyone know if it actually works? The problem is getting the VPN to recognise the DN from the client, even though I have a local user with the exact same DN. Any info will be appreciated; I can post debugs etc. if you want to request any.

    Cheers

    Andy



  • Everything appears correct.  The only thing that looks incorrect is you should have nat-traversal set, but not sure if that is the issue here.  It's worth enabling it though.

    set ike gateway "vpn-u7@DialUpCert" nat-traversal

    Other than that the received DN appears to match the user.  In addition to debug ike detail, also include debug pki all.  That may help to point to why this is failing to be recognized.



  • Sorry my config got messed up between my UI and CLI!

    I have reconfigured the VPN now (started from scratch) and got a new trial cert as the other ran out.

    Below are the debugs from the attempted VPN connection:

    2007-05-25 07:58:47 : IKE<10.10.10.10    >  hdr
    2007-05-25 07:58:47 : 7e 20 1f 96 46 bf e8 27  00 00 00 00 00 00 00 00
    2007-05-25 07:58:47 : 01 10 04 00 00 00 00 00  00 00 07 f0 04 00 00 2c
    2007-05-25 07:58:47 : IKE<10.10.10.10> ike packet, len 2060, action 1
    2007-05-25 07:58:47 : IKE<10.10.10.10> Catcher: received 2032 bytes from socket.
    2007-05-25 07:58:47 : IKE<10.10.10.10> ****** Recv packet if <ethernet3> of vsys <root> ******
    2007-05-25 07:58:47 : IKE<10.10.10.10> Catcher: get 2032 bytes. src port 2103
    2007-05-25 07:58:47 : IKE<0.0.0.0        >  ISAKMP msg: len 2032, nxp 1[SA], exch 4[AG], flag 00
    2007-05-25 07:58:47 : IKE<10.10.10.10    > Recv : [SA] [KE] [NONCE] [ID] [CERT-REQ] [CERT-REQ] [CERT-REQ]
    2007-05-25 07:58:47 : [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [VID] [VID] [VID]
    2007-05-25 07:58:47 : [VID] [VID] [VID]
    2007-05-25 07:58:47 : IKE<0.0.0.0        >    Validate (2004): SA/44 KE/132 NONCE/36 ID/197 CERT-REQ/203 CERT-REQ/194 CERT-REQ/192
    2007-05-25 07:58:47 : IKE<0.0.0.0        >  CERT-REQ/137 CERT-REQ/99 CERT-REQ/121 CERT-REQ/212 CERT-REQ/203 CERT-REQ/102 VID/48
    2007-05-25 07:58:47 : IKE<10.10.10.10    > id payload
    2007-05-25 07:58:47 : 07 00 00 c5 09 11 01 f4  30 81 ba 31 1d 30 1b 06
    2007-05-25 07:58:47 : 03 55 04 0a 13 14 77 77  77 2e 76 69 72 74 75 61
    2007-05-25 07:58:47 : 6c 61 72 6d 6f 72 2e 63  6f 6d 31 19 30 17 06 03
    2007-05-25 07:58:47 : 55 04 0b 13 10 44 6f 6d  61 69 6e 20 56 61 6c 69
    2007-05-25 07:58:47 : 64 61 74 65 64 31 3b 30  39 06 03 55 04 0b 13 32
    2007-05-25 07:58:47 : 47 6f 20 74 6f 20 68 74  74 70 73 3a 2f 2f 77 77
    2007-05-25 07:58:47 : 77 2e 74 68 61 77 74 65  2e 63 6f 6d 2f 72 65 70
    2007-05-25 07:58:47 : 6f 73 69 74 6f 72 79 2f  69 6e 64 65 78 2e 68 74
    2007-05-25 07:58:47 : 6d 6c 31 22 30 20 06 03  55 04 0b 13 19 54 68 61
    2007-05-25 07:58:47 : 77 74 65 20 53 53 4c 31  32 33 20 63 65 72 74 69
    2007-05-25 07:58:47 : 66 69 63 61 74 65 31 1d  30 1b 06 03 55 04 03 13
    2007-05-25 07:58:47 : 14 77 77 77 2e 76 69 72  74 75 61 6c 61 72 6d 6f
    2007-05-25 07:58:47 : 72 2e 63 6f 6d
    2007-05-25 07:58:47 : IKE<0.0.0.0        >  Receive Id (type=DN) in AG mode, retrieve DN=CN=www.mycompany.com,OU=Thawte SSL123 certificate,OU=Go to https://www.thawte.com/repository/index.html,OU=Domain Validated,O=www.mycompany.com
    2007-05-25 07:58:47 : IKE<0.0.0.0        >  peer dn has 5 elements.
    2007-05-25 07:58:47 : IKE<0.0.0.0        > Failed to locate user or dynamic peer.
    2007-05-25 07:58:47 : IKE<0.0.0.0        >  No peer_ent by peer ID <CN=www.mycompany.com,OU=Thawte SSL123 certificate,OU=Go to https://www.thawte.com/repository/index.html,OU=Domain Validated,O=www.mycompany.com>/9 and local IP
    2007-05-25 07:58:47 : IKE<0.0.0.0        >  Find NATT enabled peer with matching ID and ifp.
    2007-05-25 07:58:47 : IKE<0.0.0.0        >  peer dn has 5 elements.
    2007-05-25 07:58:47 : IKE<0.0.0.0        >  Failed to find user of dynamic peer.
    2007-05-25 07:58:47 : IKE<10.10.10.10> Rejected an initial Phase 1 packet from an unrecognized peer gateway.
    2007-05-25 07:58:47 : IKE<10.10.10.10> Catcher: Error get ike packet from socket.

    get config | inc user
    set user "andydouth" uid 22
    set user "andydouth" ike-id asn1-dn wildcard "CN=www.mycompany.com,OU=Thawte SSL123 certificate,O=www.mycompany.com,L=,ST=,C=,Email=,DC=," share-limit 1
    set user "andydouth" type  auth ike
    set user "andydouth" password "gt5EC2c2Nru0b0siN5CgMx/weVnt8/+Nzg=="
    set user "andydouth" "enable"
    set user-group "office_1" user "andydouth"

    get config | inc ike
    set user "andydouth" ike-id asn1-dn wildcard "CN=www.mycompany.com,OU=Thawte SSL123 certificate,O=www.mycompany.com,L=,ST=,C=,Email=,DC=," share-limit 1
    set user "andydouth" type  auth ike
    set ike gateway "vpn-u7@DialUpCert" dialup "office_1" Aggr outgoing-interface "ethernet3"  proposal "rsa-g2-3des-md5"
    unset ike gateway "vpn-u7@DialUpCert" nat-traversal
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration

    get config | inc vpn
    set ike gateway "vpn-u7@DialUpCert" dialup "office_1" Aggr outgoing-interface "ethernet3"  proposal "rsa-g2-3des-md5"
    unset ike gateway "vpn-u7@DialUpCert" nat-traversal
    set vpn "vpn-u7@DialUpCert" gateway "vpn-u7@DialUpCert" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
    set vpn "vpn-u7@DialUpCert" monitor
    set policy id 231677 from "Untrust" to "Trust"  "Dial-Up VPN" "192.168.27.0/24" "ANY" tunnel vpn "vpn-u7@DialUpCert" id 7

    Unfortunately it looks like I have taken a step back! Any info is appreciated.

    Cheers



  • It looks like you changed your configs.  Before you had user type asn1-dn and uid 55.  Now you have user type fqdn and uid 53.  You should definitely set your user type as asn1-dn and use wildcard.  Also you should put this user into a group and specify the group in your IKE configs.  Finally, you have proposal "dsa-g2-3des-md5".  I usually see an "rsa" proposal and not a "dsa" proposal, so double-check that as well.
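    The three points in this reply (asn1-dn wildcard user type, a user-group named by the gateway's dialup target, an rsa rather than dsa Phase 1 proposal), plus the nat-traversal point from the reply at the top of the thread, as a small Python lint over ScreenOS "get config" lines. This is an added example, not a Juniper tool and not code from the thread; it understands only the set/unset syntax shown on this page, and the two sample excerpts are constructed from the configs posted here, one carrying the problems and one corrected.

```python
"""Lint a ScreenOS dial-up certificate VPN excerpt for the points raised in
this thread: a DN identity must be "ike-id asn1-dn wildcard" (not fqdn), the
gateway's dialup target should be a user-group containing the user,
nat-traversal should be set, and an RSA certificate wants an rsa-* Phase 1
proposal.  Added example, not a Juniper tool; it understands only the
set/unset lines shown on this page.  Both sample excerpts are constructed."""
import shlex

# Constructed from the post with the fqdn user and the dsa proposal.
BAD_CONFIG = """\
set user "andydouth" uid 53
set user "andydouth" ike-id fqdn "CN=www.mycompany.com,OU=Thawte SSL123 certificate,O=www.mycompany.com" share-limit 1
set user "andydouth" type auth ike
set user "andydouth" "enable"
set ike gateway "vpn-u10@DialUPCert" dialup "andydouth" Aggr outgoing-interface "ethernet3" proposal "dsa-g2-3des-md5"
set ike gateway "vpn-u10@DialUPCert" cert peer-ca all
unset ike gateway "vpn-u10@DialUPCert" nat-traversal
""".splitlines()

# Constructed from the group-based post, with nat-traversal enabled as advised.
GOOD_CONFIG = """\
set user "andydouth" uid 22
set user "andydouth" ike-id asn1-dn wildcard "CN=www.mycompany.com,OU=Thawte SSL123 certificate,O=www.mycompany.com,L=,ST=,C=,Email=,DC=," share-limit 1
set user "andydouth" type auth ike
set user "andydouth" "enable"
set user-group "office_1" user "andydouth"
set ike gateway "vpn-u7@DialUpCert" dialup "office_1" Aggr outgoing-interface "ethernet3" proposal "rsa-g2-3des-md5"
set ike gateway "vpn-u7@DialUpCert" nat-traversal
""".splitlines()


def parse_config(lines):
    """Reduce set/unset lines to users, user-groups and IKE gateways."""
    users, groups, gateways = {}, {}, {}
    for line in lines:
        tok = shlex.split(line)            # honours the double-quoted names
        if len(tok) < 3:
            continue
        verb, kind = tok[0], tok[1]
        if verb == "set" and kind == "user":
            u = users.setdefault(tok[2], {"type": None, "wildcard": False, "id": None})
            if len(tok) > 5 and tok[3] == "ike-id":
                u["type"], rest = tok[4], tok[5:]
                if rest[0] in ("wildcard", "container"):   # asn1-dn qualifiers
                    u["wildcard"], rest = rest[0] == "wildcard", rest[1:]
                u["id"] = rest[0] if rest else None
        elif verb == "set" and kind == "user-group" and "user" in tok[3:]:
            groups.setdefault(tok[2], set()).add(tok[tok.index("user", 3) + 1])
        elif kind == "ike" and len(tok) > 3 and tok[2] == "gateway":
            gw = gateways.setdefault(tok[3], {"dialup": None, "proposal": None, "natt": False})
            if "dialup" in tok:
                gw["dialup"] = tok[tok.index("dialup") + 1]
            if "proposal" in tok:
                gw["proposal"] = tok[tok.index("proposal") + 1]
            if "nat-traversal" in tok:
                gw["natt"] = verb == "set"
    return users, groups, gateways


def lint(lines):
    """Return a list of findings; an empty list means the excerpt passes."""
    users, groups, gateways = parse_config(lines)
    findings = []
    for name, gw in gateways.items():
        target = gw["dialup"]
        if target in groups:
            members = groups[target]
        elif target in users:
            members = {target}
            findings.append('gateway %s: dialup target "%s" is a user, not a user-group' % (name, target))
        else:
            members = set()
            findings.append('gateway %s: dialup target "%s" is neither a user nor a user-group' % (name, target))
        for m in members:
            u = users.get(m)
            if u is None:
                findings.append('group %s: member "%s" is not a configured user' % (target, m))
            elif u["id"] and "=" in u["id"] and not (u["type"] == "asn1-dn" and u["wildcard"]):
                findings.append('user %s: DN-shaped ike-id is type %s; use "ike-id asn1-dn wildcard"' % (m, u["type"]))
        if not gw["natt"]:
            findings.append("gateway %s: nat-traversal is not set in this excerpt" % name)
        if gw["proposal"] and gw["proposal"].startswith("dsa-"):
            findings.append('gateway %s: Phase 1 proposal "%s" is DSA; use an rsa-* proposal with an RSA certificate' % (name, gw["proposal"]))
    return findings


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, lint(cfg) or "no findings")
```

    Run against the first excerpt it reports four findings (user named directly as the dialup target, fqdn identity holding a DN, nat-traversal unset, dsa proposal); against the second it reports none. The "DN-shaped" test is simply the presence of "=" in the identity string, which is how the thread's fqdn misconfiguration shows up.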



  • Hi,

    The user andydouth is not a member of any group, is this a requirement?

    Here are the debugs:

    get config | inc user
    set user "andydouth" uid 53
    set user "andydouth" ike-id fqdn "CN=www.mycompany.com,OU=Thawte SSL123 certificate,OU=Go to https://www.thawte.com/repository/index.html,OU=Domain Validated,O=www.mycompany.com" share-limit 1
    set user "andydouth" type  auth ike
    set user "andydouth" password ""
    set user "andydouth" "enable"
    set user "andydouth@gmail.com" uid 8
    set user "andydouth@gmail.com" ike-id u-fqdn "andydouth@gmail.com" share-limit 1
    set user "andydouth@gmail.com" type  auth ike
    set user "andydouth@gmail.com" password "*"
    set user "andydouth@gmail.com" "enable"

    get config | inc ike
    set user "andydouth" ike-id fqdn "CN=www.mycompany.com,OU=Thawte SSL123 certificate,OU=Go to https://www.thawte.com/repository/index.html,OU=Domain Validated,O=www.mycompany.com" share-limit 1
    set user "andydouth" type  auth ike
    set user "andydouth@gmail.com" ike-id u-fqdn "andydouth@gmail.com" share-limit 1
    set user "andydouth@gmail.com" type  auth ike
    set ike gateway "vpn-u10@DialUPCert" dialup "andydouth" Aggr outgoing-interface "ethernet3"  proposal "dsa-g2-3des-md5"
    set ike gateway "vpn-u10@DialUPCert" cert peer-ca all
    unset ike gateway "vpn-u10@DialUPCert" nat-traversal
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration

    get config | inc vpn
    set ike gateway "vpn-u10@DialUPCert" dialup "andydouth" Aggr outgoing-interface "ethernet3"  proposal "dsa-g2-3des-md5"
    set ike gateway "vpn-u10@DialUPCert" cert peer-ca all
    unset ike gateway "vpn-u10@DialUPCert" nat-traversal
    set vpn "vpn-u10@DialUPCert" gateway "vpn-u10@DialUPCert" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
    set policy id 307518 from "Untrust" to "Trust"  "Dial-Up VPN" "192.168.27.0/24" "ANY" tunnel vpn "vpn-u10@DialUPCert" id 37

    Hope this helps



  • Your user config looks correct based on the debugs you sent.  How is the IKE gateway configured?  Also, is user "andydouth" a member of a user group?  The following config details would be helpful.

    get config | inc user
    get config | inc ike
    get config | inc vpn



  • Anyone have any ideas?



  • OK, now I am getting somewhere. I removed the second OU entry in the ASN1-DN and now I get this message in the debugs:

    2007-05-14 09:41:55 : IKE<10.10.10.10    >  hdr
    2007-05-14 09:41:55 : 14 59 6d eb 08 00 88 18  00 00 00 00 00 00 00 00
    2007-05-14 09:41:55 : 01 10 04 00 00 00 00 00  00 00 07 f0 04 00 00 2c
    2007-05-14 09:41:55 : IKE<10.10.10.10> ike packet, len 2060, action 1
    2007-05-14 09:41:55 : IKE<10.10.10.10> Catcher: received 2032 bytes from socket.
    2007-05-14 09:41:55 : IKE<10.10.10.10> ****** Recv packet if <ethernet3> of vsys <root> ******
    2007-05-14 09:41:55 : IKE<10.10.10.10> Catcher: get 2032 bytes. src port 2580
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  ISAKMP msg: len 2032, nxp 1[SA], exch 4[AG], flag 00
    2007-05-14 09:41:55 : IKE<10.10.10.10    > Recv : [SA] [KE] [NONCE] [ID] [CERT-REQ] [CERT-REQ] [CERT-REQ]
    2007-05-14 09:41:55 : [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [VID] [VID] [VID]
    2007-05-14 09:41:55 : [VID] [VID] [VID]
    2007-05-14 09:41:55 : IKE<0.0.0.0        >    Validate (2004): SA/44 KE/132 NONCE/36 ID/197 CERT-REQ/203 CERT-REQ/194 CERT-REQ/192
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  CERT-REQ/137 CERT-REQ/99 CERT-REQ/121 CERT-REQ/212 CERT-REQ/203 CERT-REQ/102 VID/48
    2007-05-14 09:41:55 : IKE<10.10.10.10    > id payload
    2007-05-14 09:41:55 : 07 00 00 c5 09 11 01 f4  30 81 ba 31 1d 30 1b 06
    2007-05-14 09:41:55 : 03 55 04 0a 13 14 77 77  77 2e 76 69 72 74 75 61
    2007-05-14 09:41:55 : 6c 61 72 6d 6f 72 2e 63  6f 6d 31 19 30 17 06 03
    2007-05-14 09:41:55 : 55 04 0b 13 10 44 6f 6d  61 69 6e 20 56 61 6c 69
    2007-05-14 09:41:55 : 64 61 74 65 64 31 3b 30  39 06 03 55 04 0b 13 32
    2007-05-14 09:41:55 : 47 6f 20 74 6f 20 68 74  74 70 73 3a 2f 2f 77 77
    2007-05-14 09:41:55 : 77 2e 74 68 61 77 74 65  2e 63 6f 6d 2f 72 65 70
    2007-05-14 09:41:55 : 6f 73 69 74 6f 72 79 2f  69 6e 64 65 78 2e 68 74
    2007-05-14 09:41:55 : 6d 6c 31 22 30 20 06 03  55 04 0b 13 19 54 68 61
    2007-05-14 09:41:55 : 77 74 65 20 53 53 4c 31  32 33 20 63 65 72 74 69
    2007-05-14 09:41:55 : 66 69 63 61 74 65 31 1d  30 1b 06 03 55 04 03 13
    2007-05-14 09:41:55 : 14 77 77 77 2e 76 69 72  74 75 61 6c 61 72 6d 6f
    2007-05-14 09:41:55 : 72 2e 63 6f 6d
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  Receive Id (type=DN) in AG mode, retrieve DN=CN=www.mycompany.com,OU=Thawte SSL123 certificate,OU=Go to https://www.thawte.com/repository/index.html,OU=Domain Validated,O=www.mycompany.com
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  peer dn has 5 elements.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  compare user id<55>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: input <CN=www.mycompany.com,OU=Thawte SSL123 certificate,O=www.mycompany.com,L=,ST=,C=,Email=,DC=,>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <0><CN=www.mycompany.com>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: mask<00000001>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <0><40496418><CN=www.mycompany.com>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <1><OU=Thawte SSL123 certificate>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: mask<00000002>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <1><40496430><OU=Thawte SSL123 certificate>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <2><O=www.mycompany.com>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: mask<00000004>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <2><4049644d><O=www.mycompany.com>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <3><L=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: string len<2>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <3><00000000><empty>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <4><ST=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: remaining after = bad for <ST=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: mask <ffffffff>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <4><00000000><empty>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <5><C=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: string len<2>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <5><00000000><empty>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <6><Email=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: remaining after = bad for <Email=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: mask <ffffffff>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <6><00000000><empty>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <7><DC=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: remaining after = bad for <DC=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: mask <ffffffff>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <7><00000000><empty>.
    2007-05-14 09:41:55 : normalize_one_elem: input <CN=www.mycompany.com>
    2007-05-14 09:41:55 : get_one_elem_content: in=CN=www.mycompany.com
    2007-05-14 09:41:55 : normalize_one_elem: content <www.mycompany.com>
    2007-05-14 09:41:55 : normalize_one: A temp <cn=www.mycompany.com,>in_len<20>
    2007-05-14 09:41:55 : normalize_one: temp <cn=www.mycompany.com,>len<24>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<0> elem<cn=www.mycompany.com,>len<24>
    2007-05-14 09:41:55 : normalize_one_elem: input <OU=Thawte SSL123 certificate>
    2007-05-14 09:41:55 : get_one_elem_content: in=OU=Thawte SSL123 certificate
    2007-05-14 09:41:55 : normalize_one_elem: content <thawte ssl123 certificate>
    2007-05-14 09:41:55 : normalize_one: A temp <ou=thawte ssl123 certificate,>in_len<25>
    2007-05-14 09:41:55 : normalize_one: temp <ou=thawte ssl123 certificate,>len<29>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<1> elem<cn=www.mycompany.com,ou=thawte ssl123 certificate,>len<53>
    2007-05-14 09:41:55 : normalize_one_elem: input <O=www.mycompany.com>
    2007-05-14 09:41:55 : get_one_elem_content: in=O=www.mycompany.com
    2007-05-14 09:41:55 : normalize_one_elem: content <www.mycompany.com>
    2007-05-14 09:41:55 : normalize_one: A temp <o=www.mycompany.com,>in_len<20>
    2007-05-14 09:41:55 : normalize_one: temp <o=www.mycompany.com,>len<23>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<2> elem<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,>len<76>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<-1> elem<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,L=,>len<79>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<-1> elem<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,L=,ST=,>len<83>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<-1> elem<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,L=,ST=,C=,>len<86>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<-1> elem<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,L=,ST=,C=,Email=,>len<93>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<-1> elem<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,L=,ST=,C=,Email=,DC=,>len<97>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: result<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,L=,ST=,C=,Email=,DC=,>len<97>ret<0>
    2007-05-14 09:41:55 : get_one_elem_content: in=CN=www.mycompany.com
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  ct:CN=www.mycompany.com
    2007-05-14 09:41:55 : get_one_elem_content: in=OU=Thawte SSL123 certificate
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  ct:OU=Thawte SSL123 certificate
    2007-05-14 09:41:55 : get_one_elem_content: in=O=www.mycompany.com
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  ct:O=www.mycompany.com
    2007-05-14 09:41:55 : get_one_elem_content: in=L=
    2007-05-14 09:41:55 : get_one_elem_content: empty string len<2>str <l=>
    2007-05-14 09:41:55 : get_one_elem_content: in=ST=
    2007-05-14 09:41:55 : get_one_elem_content: err<-3> in<0> space<2> type<3>.
    2007-05-14 09:41:55 : get_one_elem_content: in=C=
    2007-05-14 09:41:55 : get_one_elem_content: empty string len<2>str <c=>
    2007-05-14 09:41:55 : get_one_elem_content: in=Email=
    2007-05-14 09:41:55 : get_one_elem_content: err<-3> in<0> space<5> type<6>.
    2007-05-14 09:41:55 : get_one_elem_content: in=DC=
    2007-05-14 09:41:55 : get_one_elem_content: err<-3> in<0> space<2> type<3>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  count_num_required_elems: ret num elem<3>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >    no container identity requirement.
    2007-05-14 09:41:55 : get_one_elem_content: in=CN=www.mycompany.com
    2007-05-14 09:41:55 : get_one_elem_content: in=OU=Thawte SSL123 certificate
    2007-05-14 09:41:55 : get_one_elem_content: in=O=www.mycompany.com
    2007-05-14 09:41:55 : get_one_elem_content: in=L=
    2007-05-14 09:41:55 : get_one_elem_content: empty string len<2>str <l=>
    2007-05-14 09:41:55 : get_one_elem_content: in=ST=
    2007-05-14 09:41:55 : get_one_elem_content: err<-3> in<0> space<2> type<3>.
    2007-05-14 09:41:55 : get_one_elem_content: in=C=
    2007-05-14 09:41:55 : get_one_elem_content: empty string len<2>str <c=>
    2007-05-14 09:41:55 : get_one_elem_content: in=Email=
    2007-05-14 09:41:55 : get_one_elem_content: err<-3> in<0> space<5> type<6>.
    2007-05-14 09:41:55 : get_one_elem_content: in=DC=
    2007-05-14 09:41:55 : get_one_elem_content: err<-3> in<0> space<2> type<3>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  wild card identity matched<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,L=,ST=,C=,Email=,DC=,>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        > ID match found.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  user id found<55>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        > Cannot locate group for user<55>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  peer dn has 5 elements.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  compare user id<55>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        > Failed to locate dynamic peer.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  No peer_ent by peer ID <CN=www.mycompany.com,OU=Thawte SSL123 certificate,OU=Go to https://www.thawte.com/repository/index.html,OU=Domain Validated,O=www.mycompany.com>/9 and local IP
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  Find NATT enabled peer with matching ID and ifp.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  peer dn has 5 elements.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  compare user id<55>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: input <CN=www.mycompany.com,OU=Thawte SSL123 certificate,O=www.mycompany.com,L=,ST=,C=,Email=,DC=,>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <0><CN=www.mycompany.com>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: mask<00000001>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <0><40496820><CN=www.mycompany.com>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <1><OU=Thawte SSL123 certificate>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: mask<00000002>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <1><40496838><OU=Thawte SSL123 certificate>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <2><O=www.mycompany.com>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: mask<00000004>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <2><40496855><O=www.mycompany.com>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <3><L=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: string len<2>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <3><00000000><empty>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <4><ST=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: remaining after = bad for <ST=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: mask <ffffffff>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <4><00000000><empty>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <5><C=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: string len<2>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <5><00000000><empty>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <6><Email=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: remaining after = bad for <Email=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: mask <ffffffff>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <6><00000000><empty>.
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: <7><DC=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: remaining after = bad for <DC=>.
    2007-05-14 09:41:55 : get_dn_element_type_mask: mask <ffffffff>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: got <7><00000000><empty>.
    2007-05-14 09:41:55 : normalize_one_elem: input <CN=www.mycompany.com>
    2007-05-14 09:41:55 : get_one_elem_content: in=CN=www.mycompany.com
    2007-05-14 09:41:55 : normalize_one_elem: content <www.mycompany.com>
    2007-05-14 09:41:55 : normalize_one: A temp <cn=www.mycompany.com,>in_len<20>
    2007-05-14 09:41:55 : normalize_one: temp <cn=www.mycompany.com,>len<24>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<0> elem<cn=www.mycompany.com,>len<24>
    2007-05-14 09:41:55 : normalize_one_elem: input <OU=Thawte SSL123 certificate>
    2007-05-14 09:41:55 : get_one_elem_content: in=OU=Thawte SSL123 certificate
    2007-05-14 09:41:55 : normalize_one_elem: content <thawte ssl123 certificate>
    2007-05-14 09:41:55 : normalize_one: A temp <ou=thawte ssl123 certificate,>in_len<25>
    2007-05-14 09:41:55 : normalize_one: temp <ou=thawte ssl123 certificate,>len<29>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<1> elem<cn=www.mycompany.com,ou=thawte ssl123 certificate,>len<53>
    2007-05-14 09:41:55 : normalize_one_elem: input <O=www.mycompany.com>
    2007-05-14 09:41:55 : get_one_elem_content: in=O=www.mycompany.com
    2007-05-14 09:41:55 : normalize_one_elem: content <www.mycompany.com>
    2007-05-14 09:41:55 : normalize_one: A temp <o=www.mycompany.com,>in_len<20>
    2007-05-14 09:41:55 : normalize_one: temp <o=www.mycompany.com,>len<23>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<2> elem<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,>len<76>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<-1> elem<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,L=,>len<79>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<-1> elem<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,L=,ST=,>len<83>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<-1> elem<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,L=,ST=,C=,>len<86>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<-1> elem<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,L=,ST=,C=,Email=,>len<93>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: ind<-1> elem<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,L=,ST=,C=,Email=,DC=,>len<97>
    2007-05-14 09:41:55 : normalize_user_wildcard_dn_id: result<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,L=,ST=,C=,Email=,DC=,>len<97>ret<0>
    2007-05-14 09:41:55 : get_one_elem_content: in=CN=www.mycompany.com
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  ct:CN=www.mycompany.com
    2007-05-14 09:41:55 : get_one_elem_content: in=OU=Thawte SSL123 certificate
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  ct:OU=Thawte SSL123 certificate
    2007-05-14 09:41:55 : get_one_elem_content: in=O=www.mycompany.com
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  ct:O=www.mycompany.com
    2007-05-14 09:41:55 : get_one_elem_content: in=L=
    2007-05-14 09:41:55 : get_one_elem_content: empty string len<2>str <l=>
    2007-05-14 09:41:55 : get_one_elem_content: in=ST=
    2007-05-14 09:41:55 : get_one_elem_content: err<-3> in<0> space<2> type<3>.
    2007-05-14 09:41:55 : get_one_elem_content: in=C=
    2007-05-14 09:41:55 : get_one_elem_content: empty string len<2>str <c=>
    2007-05-14 09:41:55 : get_one_elem_content: in=Email=
    2007-05-14 09:41:55 : get_one_elem_content: err<-3> in<0> space<5> type<6>.
    2007-05-14 09:41:55 : get_one_elem_content: in=DC=
    2007-05-14 09:41:55 : get_one_elem_content: err<-3> in<0> space<2> type<3>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  count_num_required_elems: ret num elem<3>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >    no container identity requirement.
    2007-05-14 09:41:55 : get_one_elem_content: in=CN=www.mycompany.com
    2007-05-14 09:41:55 : get_one_elem_content: in=OU=Thawte SSL123 certificate
    2007-05-14 09:41:55 : get_one_elem_content: in=O=www.mycompany.com
    2007-05-14 09:41:55 : get_one_elem_content: in=L=
    2007-05-14 09:41:55 : get_one_elem_content: empty string len<2>str <l=>
    2007-05-14 09:41:55 : get_one_elem_content: in=ST=
    2007-05-14 09:41:55 : get_one_elem_content: err<-3> in<0> space<2> type<3>.
    2007-05-14 09:41:55 : get_one_elem_content: in=C=
    2007-05-14 09:41:55 : get_one_elem_content: empty string len<2>str <c=>
    2007-05-14 09:41:55 : get_one_elem_content: in=Email=
    2007-05-14 09:41:55 : get_one_elem_content: err<-3> in<0> space<5> type<6>.
    2007-05-14 09:41:55 : get_one_elem_content: in=DC=
    2007-05-14 09:41:55 : get_one_elem_content: err<-3> in<0> space<2> type<3>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  wild card identity matched<cn=www.mycompany.com,ou=thawte ssl123 certificate,o=www.mycompany.com,L=,ST=,C=,Email=,DC=,>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        > ID match found.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  user id found<55>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        > Cannot locate group for user<55>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  Failed to locate combo_id<0x00000038>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  peer dn has 5 elements.
    2007-05-14 09:41:55 : IKE<0.0.0.0        >  compare user id<55>.
    2007-05-14 09:41:55 : IKE<0.0.0.0        > Failed to locate dynamic peer.
    2007-05-14 09:41:55 : IKE<82.19.89.88> Rejected an initial Phase 1 packet from an unrecognized peer gateway.
    2007-05-14 09:41:55 : IKE<82.19.89.88> Catcher: Error get ike packet from socket.

    Any ideas?

    I can post the other commands if you like.

    Here is get config | inc user:

    set user "andydouth" uid 55
    set user "andydouth" ike-id asn1-dn wildcard "CN=www.mycompany.com,OU=Thawte SSL123 certificate,O=www.mycompany.com,L=,ST=,C=,Email=,DC=," share-limit 1
    set user "andydouth" type  auth ike
    set user "andydouth" password "11111"
    set user "andydouth" "enable"

    Cheers
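    What the matcher in the trace above is working on, as an added Python example (not ScreenOS code and not from this thread): it builds an IKEv1 Identification payload carrying the post's DN as an ID_DER_ASN1_DN (type 9, the "/9" after the peer ID in the "No peer_ent" line), decodes it back into the CN-first string ScreenOS prints after "retrieve DN=", and applies a wildcard rule reconstructed from the debug: elements left empty (L=,ST=,C=,Email=,DC=) are don't-care, the three non-empty ones are required (cf. "count_num_required_elems: ret num elem<3>") and each must appear somewhere in the peer DN, case-insensitively. That rule is an assumption drawn from the trace, not a Juniper specification; it reproduces the match shown here for the single-OU wildcard and does not explain why the two-OU version earlier failed, which the trace does not reveal. The DER encoder is included only so the sample runs offline, every value is encoded as PrintableString as in the hex dump on this page, and the DN values are the anonymised ones from the post. Note that DER order is the reverse of the printed order: the hex dump starts with the O attribute (55 04 0a) and ends with CN (55 04 03).

```python
"""Decode an IKEv1 Identification payload carrying an ID_DER_ASN1_DN (type 9)
and match the DN against a ScreenOS-style asn1-dn wildcard.  Added example,
not ScreenOS code.  The wildcard rule (empty element = don't care; every
non-empty element must appear in the peer DN, case-insensitively) is an
assumption reconstructed from the trace above.  Values are the anonymised
ones from the post; the encoder exists only so the sample runs offline."""
import struct

ID_DER_ASN1_DN = 9   # RFC 2407 ID type; the "/9" in "No peer_ent by peer ID <...>/9"
OID_BY_TYPE = {      # X.500 attribute types; every value encoded as PrintableString (0x13) here
    "CN": b"\x55\x04\x03", "OU": b"\x55\x04\x0b", "O": b"\x55\x04\x0a",
    "L": b"\x55\x04\x07", "ST": b"\x55\x04\x08", "C": b"\x55\x04\x06",
    "Email": b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01",     # pkcs-9 emailAddress
    "DC": b"\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19",    # domainComponent
}
TYPE_BY_OID = {v: k for k, v in OID_BY_TYPE.items()}


def _der(tag, body):
    """DER TLV with a short or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf, pos):
    """Return (tag, value, position after the TLV) for the TLV at buf[pos]."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long form: the next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def encode_dn(rdns):
    """rdns in DER order (least significant RDN first), one attribute per RDN."""
    sets = b"".join(_der(0x31, _der(0x30, _der(0x06, OID_BY_TYPE[t]) + _der(0x13, v.encode())))
                    for t, v in rdns)
    return _der(0x30, sets)


def build_id_payload(rdns, next_payload=7, proto=17, port=500):
    """ISAKMP ID payload: generic header, then ID type / protocol / port, then the DER Name."""
    body = struct.pack("!BBH", ID_DER_ASN1_DN, proto, port) + encode_dn(rdns)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(raw):
    """Return the DN as [(type, value), ...] in display order (CN first), the
    reverse of DER order, which is how ScreenOS prints it after 'retrieve DN='."""
    _next, _res, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("ID payload length field %d != %d bytes" % (length, len(raw)))
    id_type, _proto, _port = struct.unpack("!BBH", raw[4:8])
    if id_type != ID_DER_ASN1_DN:
        raise ValueError("ID type %d is not ID_DER_ASN1_DN" % id_type)
    tag, seq, end = _read_tlv(raw, 8)
    if tag != 0x30 or end != len(raw):
        raise ValueError("malformed Name SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = _read_tlv(seq, pos)     # SET OF AttributeTypeAndValue
        _, atv, _ = _read_tlv(rdn_set, 0)         # one attribute per RDN assumed
        _, oid, p = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, p)
        rdns.append((TYPE_BY_OID.get(oid, oid.hex()), val.decode("ascii")))
    return rdns[::-1]


def dn_to_string(rdns):
    return ",".join("%s=%s" % tv for tv in rdns)


def parse_wildcard(spec):
    """Required elements of 'CN=a,OU=b,O=c,L=,ST=,C=,Email=,DC=,': those with a
    value (cf. count_num_required_elems: ret num elem<3>); empty ones are wildcards."""
    req = []
    for part in spec.split(","):
        typ, sep, val = part.partition("=")
        if sep and val:
            req.append((typ.strip().upper(), val.strip().lower()))
    return req


def wildcard_match(spec, peer_rdns):
    """True when every required element appears somewhere in the peer DN."""
    peer = [(t.upper(), v.lower()) for t, v in peer_rdns]
    return all(r in peer for r in parse_wildcard(spec))


# Constructed sample: the post's DN in DER order (O first, as the hex dump shows 55 04 0a first).
SAMPLE_RDNS = [("O", "www.mycompany.com"), ("OU", "Domain Validated"),
               ("OU", "Go to https://www.thawte.com/repository/index.html"),
               ("OU", "Thawte SSL123 certificate"), ("CN", "www.mycompany.com")]
SAMPLE_PAYLOAD = build_id_payload(SAMPLE_RDNS)
WILDCARD = "CN=www.mycompany.com,OU=Thawte SSL123 certificate,O=www.mycompany.com,L=,ST=,C=,Email=,DC=,"

if __name__ == "__main__":
    dn = parse_id_payload(SAMPLE_PAYLOAD)
    print("peer DN:", dn_to_string(dn))
    print("wildcard match:", wildcard_match(WILDCARD, dn))
```

    With the anonymised names the payload comes out at 191 bytes rather than the 197 in the trace, the difference being the shorter O and CN values; the structure (07 00 length, then 09 11 01 f4, then 30 81 ...) is otherwise the same as the "id payload" hex above.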



  • First of all your DN looks very unusual.  Normally you only have one OU object in your DN.  Also are you certain you are using asn1 with wildcards in your IKE configs?  Could you post your relevant configs for your user and your vpn?

    get config | inc user
    get config | inc ike
    get config | inc vpn



  • Any ideas, maxPipleline? Anyone, please?



  • OK, got the debugs; debug ike and debug pki look the same though:

    Debug pki -

    2007-04-27 09:55:19 : IKE<10.10.10.10    >  hdr

    2007-04-27 09:55:19 : d5 ef bd d2 21 84 8a ac  00 00 00 00 00 00 00 00

    2007-04-27 09:55:19 : 01 10 04 00 00 00 00 00  00 00 07 f0 04 00 00 2c

    2007-04-27 09:55:19 : IKE<10.10.10.10> ike packet, len 2060, action 1

    2007-04-27 09:55:19 : IKE<10.10.10.10> Catcher: received 2032 bytes from socket.

    2007-04-27 09:55:19 : IKE<10.10.10.10> ****** Recv packet if <ethernet3>of vsys <root>******

    2007-04-27 09:55:19 : IKE<10.10.10.10> Catcher: get 2032 bytes. src port 2405

    2007-04-27 09:55:19 : IKE<0.0.0.0        >  ISAKMP msg: len 2032, nxp 1[SA],exch 4[AG], flag 00

    2007-04-27 09:55:19 : IKE<10.10.10.10    > Recv : [SA] [KE] [NONCE] [ID] [CERT-REQ] [CERT-REQ] [CERT-REQ]

    2007-04-27 09:55:19 : [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [VID] [VID] [VID]

    2007-04-27 09:55:19 : [VID] [VID] [VID]

    2007-04-27 09:55:19 : IKE<0.0.0.0        >    Validate (2004): SA/44 KE/132NONCE/36 ID/197 CERT-REQ/203 CERT-REQ/194 CERT-REQ/192

    2007-04-27 09:55:19 : IKE<0.0.0.0        >  CERT-REQ/137 CERT-REQ/99 CERT-REQ/121 CERT-REQ/212 CERT-REQ/203 CERT-REQ/102 VID/48

    2007-04-27 09:55:19 : IKE<10.10.10.10    > id payload

    2007-04-27 09:55:19 : 07 00 00 c5 09 11 01 f4  30 81 ba 31 1d 30 1b 06

    2007-04-27 09:55:19 : 03 55 04 0a 13 14 77 77  77 2e 76 69 72 74 75 61

    2007-04-27 09:55:19 : 6c 61 72 6d 6f 72 2e 63  6f 6d 31 19 30 17 06 03

    2007-04-27 09:55:19 : 55 04 0b 13 10 44 6f 6d  61 69 6e 20 56 61 6c 69

    2007-04-27 09:55:19 : 64 61 74 65 64 31 3b 30  39 06 03 55 04 0b 13 32

    2007-04-27 09:55:19 : 47 6f 20 74 6f 20 68 74  74 70 73 3a 2f 2f 77 77

    2007-04-27 09:55:19 : 77 2e 74 68 61 77 74 65  2e 63 6f 6d 2f 72 65 70

    2007-04-27 09:55:19 : 6f 73 69 74 6f 72 79 2f  69 6e 64 65 78 2e 68 74

    2007-04-27 09:55:19 : 6d 6c 31 22 30 20 06 03  55 04 0b 13 19 54 68 61

    2007-04-27 09:55:19 : 77 74 65 20 53 53 4c 31  32 33 20 63 65 72 74 69

    2007-04-27 09:55:19 : 66 69 63 61 74 65 31 1d  30 1b 06 03 55 04 03 13

    2007-04-27 09:55:19 : 14 77 77 77 2e 76 69 72  74 75 61 6c 61 72 6d 6f

    2007-04-27 09:55:19 : 72 2e 63 6f 6d

    2007-04-27 09:55:19 : IKE<0.0.0.0        >  Receive Id (type=DN) in AG mode, retrieve DN=CN=myname,OU=Thawte SSL123 certificate,OU=Go to https://www.thawte.com/repository/index.html,OU=Domain Validated,O=mycompany

    2007-04-27 09:55:19 : IKE<0.0.0.0        >  peer dn has 5 elements.

    2007-04-27 09:55:19 : IKE<0.0.0.0        > Failed to locate user or dynamic peer.

    2007-04-27 09:55:19 : IKE<0.0.0.0        >  No peer_ent by peer ID <CN=myname,OU=Thawte SSL123 certificate,OU=Go to https://www.thawte.com/repository/index.html,OU=Domain Validated,O=mycompany>/9 and local IP

    2007-04-27 09:55:19 : IKE<0.0.0.0        >  Find NATT enabled peer with matching ID and ifp.

    2007-04-27 09:55:19 : IKE<0.0.0.0        >  peer dn has 5 elements.

    2007-04-27 09:55:19 : IKE<0.0.0.0        >  Failed to find user of dynamic peer.

    2007-04-27 09:55:19 : IKE<10.10.10.10> Rejected an initial Phase 1 packet from an unrecognized peer gateway.

    2007-04-27 09:55:19 : IKE<10.10.10.10> Catcher: Error get ike packet from socket.

    debug ike -
    IKE<10.10.10.10    >  hdr

    2007-05-07 05:00:44 : 7d d8 b3 57 bd ec 44 3e  00 00 00 00 00 00 00 00

    2007-05-07 05:00:44 : 01 10 04 00 00 00 00 00  00 00 07 f0 04 00 00 2c

    2007-05-07 05:00:44 : IKE<10.10.10.10> ike packet, len 2060, action 1

    2007-05-07 05:00:44 : IKE<10.10.10.10> Catcher: received 2032 bytes from socket.

    2007-05-07 05:00:44 : IKE<10.10.10.10> ****** Recv packet if <ethernet3>of vsys <root>******

    2007-05-07 05:00:44 : IKE<10.10.10.10> Catcher: get 2032 bytes. src port 2604

    2007-05-07 05:00:44 : IKE<0.0.0.0        >  ISAKMP msg: len 2032, nxp 1[SA], exch 4[AG], flag 00

    2007-05-07 05:00:44 : IKE<10.10.10.10    > Recv : [SA] [KE] [NONCE] [ID] [CERT-REQ] [CERT-REQ] [CERT-REQ]

    2007-05-07 05:00:44 : [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [CERT-REQ] [VID] [VID] [VID]

    2007-05-07 05:00:44 : [VID] [VID] [VID]

    2007-05-07 05:00:44 : IKE<0.0.0.0        >    Validate (2004): SA/44 KE/132 NONCE/36 ID/197 CERT-REQ/203 CERT-REQ/194 CERT-REQ/192

    2007-05-07 05:00:44 : IKE<0.0.0.0        >  CERT-REQ/137 CERT-REQ/99 CERT-REQ/121 CERT-REQ/212 CERT-REQ/203 CERT-REQ/102 VID/48

    2007-05-07 05:00:44 : IKE<10.10.10.10    > id payload

    2007-05-07 05:00:44 : 07 00 00 c5 09 11 01 f4  30 81 ba 31 1d 30 1b 06

    2007-05-07 05:00:44 : 03 55 04 0a 13 14 77 77  77 2e 76 69 72 74 75 61

    2007-05-07 05:00:44 : 6c 61 72 6d 6f 72 2e 63  6f 6d 31 19 30 17 06 03

    2007-05-07 05:00:44 : 55 04 0b 13 10 44 6f 6d  61 69 6e 20 56 61 6c 69

    2007-05-07 05:00:44 : 64 61 74 65 64 31 3b 30  39 06 03 55 04 0b 13 32

    2007-05-07 05:00:44 : 47 6f 20 74 6f 20 68 74  74 70 73 3a 2f 2f 77 77

    2007-05-07 05:00:44 : 77 2e 74 68 61 77 74 65  2e 63 6f 6d 2f 72 65 70

    2007-05-07 05:00:44 : 6f 73 69 74 6f 72 79 2f  69 6e 64 65 78 2e 68 74

    2007-05-07 05:00:44 : 6d 6c 31 22 30 20 06 03  55 04 0b 13 19 54 68 61

    2007-05-07 05:00:44 : 77 74 65 20 53 53 4c 31  32 33 20 63 65 72 74 69

    2007-05-07 05:00:44 : 66 69 63 61 74 65 31 1d  30 1b 06 03 55 04 03 13

    2007-05-07 05:00:44 : 14 77 77 77 2e 76 69 72  74 75 61 6c 61 72 6d 6f

    2007-05-07 05:00:44 : 72 2e 63 6f 6d

    2007-05-07 05:00:44 : IKE<0.0.0.0        >  Receive Id (type=DN) in AG mode, retrieve DN=CN=myname,OU=Thawte SSL123 certificate,OU=Go to https://www.thawte.com/repository/index.html,OU=Domain Validated,O=mycompany

    2007-05-07 05:00:44 : IKE<0.0.0.0        >  peer dn has 5 elements.

    2007-05-07 05:00:44 : IKE<0.0.0.0        > Failed to locate user or dynamic peer.

    2007-05-07 05:00:44 : IKE<0.0.0.0        >  No peer_ent by peer ID <CN=myname,OU=Thawte SSL123 certificate,OU=Go to https://www.thawte.com/repository/index.html,OU=Domain Validated,O=mycompany>/9 and local IP

    2007-05-07 05:00:44 : IKE<0.0.0.0        >  Find NATT enabled peer with matching ID and ifp.

    2007-05-07 05:00:44 : IKE<0.0.0.0        >  peer dn has 5 elements.

    2007-05-07 05:00:44 : IKE<0.0.0.0        >  Failed to find user of dynamic peer.

    2007-05-07 05:00:44 : IKE<10.10.10.10> Rejected an initial Phase 1 packet from an unrecognized peer gateway.

    get user myname
    Id    User name      Enable  Type  ID-type Identity  Belongs to groups
    –— --------------- ------ ------- ------- ---------- -----------------
      46 myname     Yes    auth ike  ASN1-DN CN=myname,OU=Thawte SSL123 certificate,O=mycompany,L=,ST=,C=,Email=,DC=,
    user type<00000012>.
    Number login with this user id is 1. gw_use_cnt<1>
    identity type<9>.
    identity <CN=myname,OU=Thawte SSL123 certificate,O=mycompany,L=,ST=,C=,Email=,DC=,>.

    Hope this helps; if any more info is needed, give me a shout.

    Cheers
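The ID payload in the debug above can be read by hand: the first four bytes `07 00 00 c5` are the generic ISAKMP payload header (next payload 7 = CERT-REQ, length 0xc5 = 197, matching `ID/197` in the Validate line), then `09 11 01 f4` gives ID type 9 (ID_DER_ASN1_DN), protocol 17 (UDP) and port 500, and `30 81 ba` opens the DER-encoded X.500 Name. ScreenOS prints that name most-specific-first (CN first, O last), which is the reverse of DER order. The script below is an added example, not code from the post or from Juniper: it builds such a payload, decodes it, and compares the decoded DN with the `get user` identity under three matching rules. The sample payload is constructed here to carry the redacted DN printed in the debug (CN=myname, O=mycompany), not the bytes posted; the `match_exact`, `match_wildcard` and `match_container` rules are a simplified model of exact comparison versus the wildcard (any order, extra fields ignored) and container (same relative order) ASN1-DN ID types, and all function names are my own.

```python
"""Decode an IKEv1 ID payload of type ID_DER_ASN1_DN and compare the peer DN
with an ASN1-DN IKE user identity. Added example; sample data is constructed."""
import binascii

OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
    "0.9.2342.19200300.100.1.25": "DC", "1.2.840.113549.1.9.1": "Email",
}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}
ID_DER_ASN1_DN = 9          # ISAKMP ID type for a DER-encoded X.500 name

# --- minimal DER helpers, enough for an X.500 Name made of PrintableStrings ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")       # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:                      # base-128, high bit set on all but the last octet
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_id_payload(rdns_der_order, next_payload=7, port=500):
    """ISAKMP ID payload carrying a DER Name; rdns are [(attr, value)] in DER order (O first)."""
    name = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(NAME_OIDS[a])) + _tlv(0x13, v.encode("ascii"))))
        for a, v in rdns_der_order)         # RDN = SET { SEQUENCE { OID, PrintableString } }
    body = bytes([ID_DER_ASN1_DN, 17]) + port.to_bytes(2, "big") + _tlv(0x30, name)
    return bytes([next_payload, 0]) + (4 + len(body)).to_bytes(2, "big") + body

def parse_id_payload(payload):
    """Return [(attr, value)] in DER order from an ISAKMP ID payload (bytes or a hex dump string)."""
    data = binascii.unhexlify("".join(payload.split())) if isinstance(payload, str) else payload
    length, id_type = int.from_bytes(data[2:4], "big"), data[4]
    if length != len(data):
        raise ValueError(f"payload length field {length} != {len(data)} bytes supplied")
    if id_type != ID_DER_ASN1_DN:
        raise ValueError(f"ID type {id_type} is not ID_DER_ASN1_DN")
    tag, name, _ = _read_tlv(data, 8)       # skip generic header (4) + type/proto/port (4)
    if tag != 0x30:
        raise ValueError("ID data is not a DER SEQUENCE")
    rdns, pos = [], 0
    while pos < len(name):
        _, rdn, pos = _read_tlv(name, pos)  # SET OF AttributeTypeAndValue (single-valued here)
        _, atv, _ = _read_tlv(rdn, 0)       # SEQUENCE { type OID, value }
        _, oid, nxt = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, nxt)
        dotted = _decode_oid(oid)
        rdns.append((OID_NAMES.get(dotted, dotted), value.decode("utf-8")))
    return rdns

def parse_dn_string(s):
    """Split 'CN=x,OU=y,O=z,L=,...' into [(attr, value)], dropping the empty fields ScreenOS prints."""
    out = []
    for part in s.split(","):
        k, _, v = part.partition("=")
        if k.strip() and v.strip():
            out.append((k.strip(), v.strip()))
    return out

def _norm(rdns):
    return [(k.lower(), v.lower()) for k, v in rdns]

def match_exact(configured, peer):
    """Same RDNs, same order, nothing extra."""
    return _norm(configured) == _norm(peer)

def match_wildcard(configured, peer):
    """Every configured RDN must be present in the peer DN; order and extra peer RDNs are ignored."""
    return set(_norm(configured)) <= set(_norm(peer))

def match_container(configured, peer):
    """Configured RDNs must appear in the peer DN in the same relative order (extra RDNs allowed)."""
    it = iter(_norm(peer))
    return all(any(want == got for got in it) for want in _norm(configured))

# Constructed sample: the redacted DN from the debug, in DER order (O first, CN last).
PEER_DN_DER_ORDER = [
    ("O", "mycompany"),
    ("OU", "Domain Validated"),
    ("OU", "Go to https://www.thawte.com/repository/index.html"),
    ("OU", "Thawte SSL123 certificate"),
    ("CN", "myname"),
]
# The identity as 'get user myname' prints it, empty fields included.
CONFIGURED_IDENTITY = "CN=myname,OU=Thawte SSL123 certificate,O=mycompany,L=,ST=,C=,Email=,DC=,"

def check_peer(payload, configured_identity=CONFIGURED_IDENTITY):
    """Decode the payload and report which matching rule would accept the configured identity."""
    peer = list(reversed(parse_id_payload(payload)))     # compare in the order ScreenOS prints
    conf = parse_dn_string(configured_identity)
    return {
        "peer_dn": ",".join(f"{k}={v}" for k, v in peer),
        "elements": len(peer),
        "exact": match_exact(conf, peer),
        "wildcard": match_wildcard(conf, peer),
        "container": match_container(conf, peer),
    }

if __name__ == "__main__":
    payload = build_id_payload(PEER_DN_DER_ORDER)
    print("ID payload:", payload.hex(" "))
    for k, v in check_peer(payload).items():
        print(f"{k}: {v}")
```

Pasting the 197-byte hex dump from the debug straight into `parse_id_payload` works too (whitespace and line breaks are stripped); `check_peer` then reports "peer dn has 5 elements" just as the log does, with `exact` false and `wildcard`/`container` true for the three-field identity shown by `get user`, which is the distinction the wildcard question above is getting at.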



  • I am away until the weekend, so I will post the debugs ASAP.

    Cheers



  • Yes, debugs would be helpful here.  In particular, debug ike and debug pki.

