Re: Hardware firewall blocking L2TP/IPSec VPN
- From: "Ian" <IanGsi16v@xxxxxxxxx>
- Date: 14 Mar 2007 09:39:36 -0700
Hi Roy,
Thank you for the informative reply. As you suggested I have been using
ike-scan today, I queried the public IP of the VPN server and I
received the following information
Enc=3DES, Hash=SHA1, AUTH=PSK, Group=2, Modp=1024, LifeType-Seconds,
LifeDuration<4>0x00007080
I received a handshake back.
I then used Wireshark to see what was happening when I was trying to
connect; from the packets captured it looks as though my clients are
trying to authorize using RSA (as I want) while my server is using
PSK. I can't seem to work out how to set it to use RSA though.
Below is an export of my Wireshark data (public IP removed)
No. Time Source Destination Protocol Info
162 6.206458 192.168.33.66 *public IP* ISAKMP Identity Protection (Main Mode)
Frame 162 (354 bytes on wire, 354 bytes captured)
Arrival Time: Mar 14, 2007 16:21:38.625842000
[Time delta from previous packet: 6.206458000 seconds]
[Time since reference or first frame: 6.206458000 seconds]
Frame Number: 162
Packet Length: 354 bytes
Capture Length: 354 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Intel_aa:30:b6 (00:11:11:aa:30:b6), Dst: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Destination: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Address: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Address: Intel_aa:30:b6 (00:11:11:aa:30:b6)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.33.66 (192.168.33.66), Dst: *public IP* (*public IP*)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 340
Identification: 0x19cc (6604)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x348e [correct]
[Good: True]
[Bad : False]
Source: 192.168.33.66 (192.168.33.66)
Destination: *public IP* (*public IP*)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 320
Checksum: 0xd8ad [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 6569F1BFEE75E44B
Responder cookie: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x00000000
Length: 312
Security Association payload
Next payload: Vendor ID (13)
Payload length: 200
Domain of interpretation: IPSEC (1)
Situation: IDENTITY (1)
Proposal payload # 1
Next payload: NONE (0)
Payload length: 188
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 5
Transform payload # 1
Next payload: Transform (3)
Payload length: 36
Transform number: 1
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): 2048 bit MODP group (14)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 2
Next payload: Transform (3)
Payload length: 36
Transform number: 2
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 3
Next payload: Transform (3)
Payload length: 36
Transform number: 3
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): MD5 (1)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 4
Next payload: Transform (3)
Payload length: 36
Transform number: 4
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Default 768-bit MODP group (1)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 5
Next payload: NONE (0)
Payload length: 36
Transform number: 5
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): MD5 (1)
Group-Description (4): Default 768-bit MODP group (1)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 24
Vendor ID: MS NT5 ISAKMPOAKLEY
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: Microsoft L2TP/IPSec VPN Client
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Vendor ID payload
Next payload: NONE (0)
Payload length: 20
Vendor ID: unknown vendor ID: 0x26244D38EDDB61B3172A36E3D0CFB819
No. Time Source Destination Protocol Info
163 6.333779 *public IP* 192.168.33.66 ISAKMP Informational
Frame 163 (144 bytes on wire, 144 bytes captured)
Arrival Time: Mar 14, 2007 16:21:38.753163000
[Time delta from previous packet: 0.127321000 seconds]
[Time since reference or first frame: 6.333779000 seconds]
Frame Number: 163
Packet Length: 144 bytes
Capture Length: 144 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Dell_2f:cf:d3 (00:14:22:2f:cf:d3), Dst: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Destination: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Address: Intel_aa:30:b6 (00:11:11:aa:30:b6)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Address: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: *public IP* (*public IP*), Dst: 192.168.33.66 (192.168.33.66)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 130
Identification: 0xbd15 (48405)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 241
Protocol: UDP (0x11)
Header checksum: 0x2116 [correct]
[Good: True]
[Bad : False]
Source: *public IP* (*public IP*)
Destination: 192.168.33.66 (192.168.33.66)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 110
Checksum: 0xadd1 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 6569F1BFEE75E44B
Responder cookie: 9A261BCCD48A8415
Next payload: Notification (11)
Version: 1.0
Exchange type: Informational (5)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x950d9fb2
Length: 102
Notification payload
Next payload: NONE (0)
Payload length: 74
Domain of interpretation: IPSEC (1)
Protocol ID: ISAKMP (1)
SPI Size: 16
Message type: NO-PROPOSAL-CHOSEN (14)
SPI: 0x6569F1BFEE75E44B9A261BCCD48A8415
Notification Data
No. Time Source Destination Protocol Info
164 7.662331 192.168.33.66 *public IP* ISAKMP Identity Protection (Main Mode)
Frame 164 (354 bytes on wire, 354 bytes captured)
Arrival Time: Mar 14, 2007 16:21:40.081715000
[Time delta from previous packet: 1.328552000 seconds]
[Time since reference or first frame: 7.662331000 seconds]
Frame Number: 164
Packet Length: 354 bytes
Capture Length: 354 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Intel_aa:30:b6 (00:11:11:aa:30:b6), Dst: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Destination: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Address: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Address: Intel_aa:30:b6 (00:11:11:aa:30:b6)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.33.66 (192.168.33.66), Dst: *public IP* (*public IP*)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 340
Identification: 0x19d1 (6609)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x3489 [correct]
[Good: True]
[Bad : False]
Source: 192.168.33.66 (192.168.33.66)
Destination: *public IP* (*public IP*)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 320
Checksum: 0xd8ad [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 6569F1BFEE75E44B
Responder cookie: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x00000000
Length: 312
Security Association payload
Next payload: Vendor ID (13)
Payload length: 200
Domain of interpretation: IPSEC (1)
Situation: IDENTITY (1)
Proposal payload # 1
Next payload: NONE (0)
Payload length: 188
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 5
Transform payload # 1
Next payload: Transform (3)
Payload length: 36
Transform number: 1
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): 2048 bit MODP group (14)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 2
Next payload: Transform (3)
Payload length: 36
Transform number: 2
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 3
Next payload: Transform (3)
Payload length: 36
Transform number: 3
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): MD5 (1)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 4
Next payload: Transform (3)
Payload length: 36
Transform number: 4
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Default 768-bit MODP group (1)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 5
Next payload: NONE (0)
Payload length: 36
Transform number: 5
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): MD5 (1)
Group-Description (4): Default 768-bit MODP group (1)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 24
Vendor ID: MS NT5 ISAKMPOAKLEY
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: Microsoft L2TP/IPSec VPN Client
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Vendor ID payload
Next payload: NONE (0)
Payload length: 20
Vendor ID: unknown vendor ID: 0x26244D38EDDB61B3172A36E3D0CFB819
No. Time Source Destination Protocol Info
165 7.758516 *public IP* 192.168.33.66 ISAKMP Informational
Frame 165 (144 bytes on wire, 144 bytes captured)
Arrival Time: Mar 14, 2007 16:21:40.177900000
[Time delta from previous packet: 0.096185000 seconds]
[Time since reference or first frame: 7.758516000 seconds]
Frame Number: 165
Packet Length: 144 bytes
Capture Length: 144 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Dell_2f:cf:d3 (00:14:22:2f:cf:d3), Dst: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Destination: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Address: Intel_aa:30:b6 (00:11:11:aa:30:b6)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Address: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: *public IP* (*public IP*), Dst: 192.168.33.66 (192.168.33.66)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 130
Identification: 0xcd15 (52501)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 241
Protocol: UDP (0x11)
Header checksum: 0x1116 [correct]
[Good: True]
[Bad : False]
Source: *public IP* (*public IP*)
Destination: 192.168.33.66 (192.168.33.66)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 110
Checksum: 0xadd1 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 6569F1BFEE75E44B
Responder cookie: 9A261BCCD48A8415
Next payload: Notification (11)
Version: 1.0
Exchange type: Informational (5)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x950d9fb2
Length: 102
Notification payload
Next payload: NONE (0)
Payload length: 74
Domain of interpretation: IPSEC (1)
Protocol ID: ISAKMP (1)
SPI Size: 16
Message type: NO-PROPOSAL-CHOSEN (14)
SPI: 0x6569F1BFEE75E44B9A261BCCD48A8415
Notification Data
No. Time Source Destination Protocol Info
166 9.662214 192.168.33.66 *public IP* ISAKMP Identity Protection (Main Mode)
Frame 166 (354 bytes on wire, 354 bytes captured)
Arrival Time: Mar 14, 2007 16:21:42.081598000
[Time delta from previous packet: 1.903698000 seconds]
[Time since reference or first frame: 9.662214000 seconds]
Frame Number: 166
Packet Length: 354 bytes
Capture Length: 354 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Intel_aa:30:b6 (00:11:11:aa:30:b6), Dst: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Destination: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Address: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Address: Intel_aa:30:b6 (00:11:11:aa:30:b6)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.33.66 (192.168.33.66), Dst: *public IP* (*public IP*)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 340
Identification: 0x19d4 (6612)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x3486 [correct]
[Good: True]
[Bad : False]
Source: 192.168.33.66 (192.168.33.66)
Destination: *public IP* (*public IP*)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 320
Checksum: 0xd8ad [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 6569F1BFEE75E44B
Responder cookie: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x00000000
Length: 312
Security Association payload
Next payload: Vendor ID (13)
Payload length: 200
Domain of interpretation: IPSEC (1)
Situation: IDENTITY (1)
Proposal payload # 1
Next payload: NONE (0)
Payload length: 188
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 5
Transform payload # 1
Next payload: Transform (3)
Payload length: 36
Transform number: 1
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): 2048 bit MODP group (14)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 2
Next payload: Transform (3)
Payload length: 36
Transform number: 2
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 3
Next payload: Transform (3)
Payload length: 36
Transform number: 3
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): MD5 (1)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 4
Next payload: Transform (3)
Payload length: 36
Transform number: 4
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Default 768-bit MODP group (1)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 5
Next payload: NONE (0)
Payload length: 36
Transform number: 5
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): MD5 (1)
Group-Description (4): Default 768-bit MODP group (1)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 24
Vendor ID: MS NT5 ISAKMPOAKLEY
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: Microsoft L2TP/IPSec VPN Client
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Vendor ID payload
Next payload: NONE (0)
Payload length: 20
Vendor ID: unknown vendor ID: 0x26244D38EDDB61B3172A36E3D0CFB819
No. Time Source Destination Protocol Info
167 9.738999 *public IP* 192.168.33.66 ISAKMP Informational
Frame 167 (144 bytes on wire, 144 bytes captured)
Arrival Time: Mar 14, 2007 16:21:42.158383000
[Time delta from previous packet: 0.076785000 seconds]
[Time since reference or first frame: 9.738999000 seconds]
Frame Number: 167
Packet Length: 144 bytes
Capture Length: 144 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Dell_2f:cf:d3 (00:14:22:2f:cf:d3), Dst: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Destination: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Address: Intel_aa:30:b6 (00:11:11:aa:30:b6)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Address: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: *public IP* (*public IP*), Dst: 192.168.33.66 (192.168.33.66)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 130
Identification: 0x8c11 (35857)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 241
Protocol: UDP (0x11)
Header checksum: 0x521a [correct]
[Good: True]
[Bad : False]
Source: *public IP* (*public IP*)
Destination: 192.168.33.66 (192.168.33.66)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 110
Checksum: 0xadd1 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 6569F1BFEE75E44B
Responder cookie: 9A261BCCD48A8415
Next payload: Notification (11)
Version: 1.0
Exchange type: Informational (5)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x950d9fb2
Length: 102
Notification payload
Next payload: NONE (0)
Payload length: 74
Domain of interpretation: IPSEC (1)
Protocol ID: ISAKMP (1)
SPI Size: 16
Message type: NO-PROPOSAL-CHOSEN (14)
SPI: 0x6569F1BFEE75E44B9A261BCCD48A8415
Notification Data
No. Time Source Destination Protocol Info
180 13.661940 192.168.33.66 *public IP* ISAKMP Identity Protection (Main Mode)
Frame 180 (354 bytes on wire, 354 bytes captured)
Arrival Time: Mar 14, 2007 16:21:46.081324000
[Time delta from previous packet: 3.922941000 seconds]
[Time since reference or first frame: 13.661940000 seconds]
Frame Number: 180
Packet Length: 354 bytes
Capture Length: 354 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Intel_aa:30:b6 (00:11:11:aa:30:b6), Dst: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Destination: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Address: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Address: Intel_aa:30:b6 (00:11:11:aa:30:b6)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.33.66 (192.168.33.66), Dst: *public IP* (*public IP*)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 340
Identification: 0x19da (6618)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x3480 [correct]
[Good: True]
[Bad : False]
Source: 192.168.33.66 (192.168.33.66)
Destination: *public IP* (*public IP*)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 320
Checksum: 0xd8ad [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 6569F1BFEE75E44B
Responder cookie: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x00000000
Length: 312
Security Association payload
Next payload: Vendor ID (13)
Payload length: 200
Domain of interpretation: IPSEC (1)
Situation: IDENTITY (1)
Proposal payload # 1
Next payload: NONE (0)
Payload length: 188
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 5
Transform payload # 1
Next payload: Transform (3)
Payload length: 36
Transform number: 1
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): 2048 bit MODP group (14)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 2
Next payload: Transform (3)
Payload length: 36
Transform number: 2
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 3
Next payload: Transform (3)
Payload length: 36
Transform number: 3
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): MD5 (1)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 4
Next payload: Transform (3)
Payload length: 36
Transform number: 4
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Default 768-bit MODP group (1)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 5
Next payload: NONE (0)
Payload length: 36
Transform number: 5
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): MD5 (1)
Group-Description (4): Default 768-bit MODP group (1)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 24
Vendor ID: MS NT5 ISAKMPOAKLEY
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: Microsoft L2TP/IPSec VPN Client
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Vendor ID payload
Next payload: NONE (0)
Payload length: 20
Vendor ID: unknown vendor ID: 0x26244D38EDDB61B3172A36E3D0CFB819
No. Time Source Destination Protocol Info
181 13.749030 *public IP* 192.168.33.66 ISAKMP Informational
Frame 181 (144 bytes on wire, 144 bytes captured)
Arrival Time: Mar 14, 2007 16:21:46.168414000
[Time delta from previous packet: 0.087090000 seconds]
[Time since reference or first frame: 13.749030000 seconds]
Frame Number: 181
Packet Length: 144 bytes
Capture Length: 144 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Dell_2f:cf:d3 (00:14:22:2f:cf:d3), Dst: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Destination: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Address: Intel_aa:30:b6 (00:11:11:aa:30:b6)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Address: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: *public IP* (*public IP*), Dst: 192.168.33.66 (192.168.33.66)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 130
Identification: 0xc614 (50708)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 241
Protocol: UDP (0x11)
Header checksum: 0x1817 [correct]
[Good: True]
[Bad : False]
Source: *public IP* (*public IP*)
Destination: 192.168.33.66 (192.168.33.66)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 110
Checksum: 0xadd1 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 6569F1BFEE75E44B
Responder cookie: 9A261BCCD48A8415
Next payload: Notification (11)
Version: 1.0
Exchange type: Informational (5)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x950d9fb2
Length: 102
Notification payload
Next payload: NONE (0)
Payload length: 74
Domain of interpretation: IPSEC (1)
Protocol ID: ISAKMP (1)
SPI Size: 16
Message type: NO-PROPOSAL-CHOSEN (14)
SPI: 0x6569F1BFEE75E44B9A261BCCD48A8415
Notification Data
No. Time Source Destination Protocol Info
188 21.661417 192.168.33.66 *public IP* ISAKMP Identity Protection (Main Mode)
Frame 188 (354 bytes on wire, 354 bytes captured)
Arrival Time: Mar 14, 2007 16:21:54.080801000
[Time delta from previous packet: 7.912387000 seconds]
[Time since reference or first frame: 21.661417000 seconds]
Frame Number: 188
Packet Length: 354 bytes
Capture Length: 354 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Intel_aa:30:b6 (00:11:11:aa:30:b6), Dst: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Destination: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Address: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Address: Intel_aa:30:b6 (00:11:11:aa:30:b6)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.33.66 (192.168.33.66), Dst: *public IP* (*public IP*)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 340
Identification: 0x19db (6619)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x347f [correct]
[Good: True]
[Bad : False]
Source: 192.168.33.66 (192.168.33.66)
Destination: *public IP* (*public IP*)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 320
Checksum: 0xd8ad [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 6569F1BFEE75E44B
Responder cookie: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x00000000
Length: 312
Security Association payload
Next payload: Vendor ID (13)
Payload length: 200
Domain of interpretation: IPSEC (1)
Situation: IDENTITY (1)
Proposal payload # 1
Next payload: NONE (0)
Payload length: 188
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 5
Transform payload # 1
Next payload: Transform (3)
Payload length: 36
Transform number: 1
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): 2048 bit MODP group (14)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 2
Next payload: Transform (3)
Payload length: 36
Transform number: 2
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 3
Next payload: Transform (3)
Payload length: 36
Transform number: 3
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): MD5 (1)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 4
Next payload: Transform (3)
Payload length: 36
Transform number: 4
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Default 768-bit MODP group (1)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 5
Next payload: NONE (0)
Payload length: 36
Transform number: 5
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): MD5 (1)
Group-Description (4): Default 768-bit MODP group (1)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 24
Vendor ID: MS NT5 ISAKMPOAKLEY
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: Microsoft L2TP/IPSec VPN Client
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Vendor ID payload
Next payload: NONE (0)
Payload length: 20
Vendor ID: unknown vendor ID: 0x26244D38EDDB61B3172A36E3D0CFB819
No. Time Source Destination Protocol Info
189 21.781681 *public IP* 192.168.33.66 ISAKMP Informational
Frame 189 (144 bytes on wire, 144 bytes captured)
Arrival Time: Mar 14, 2007 16:21:54.201065000
[Time delta from previous packet: 0.120264000 seconds]
[Time since reference or first frame: 21.781681000 seconds]
Frame Number: 189
Packet Length: 144 bytes
Capture Length: 144 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Dell_2f:cf:d3 (00:14:22:2f:cf:d3), Dst: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Destination: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Address: Intel_aa:30:b6 (00:11:11:aa:30:b6)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Address: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: *public IP* (*public IP*), Dst: 192.168.33.66 (192.168.33.66)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 130
Identification: 0xab14 (43796)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 241
Protocol: UDP (0x11)
Header checksum: 0x3317 [correct]
[Good: True]
[Bad : False]
Source: *public IP* (*public IP*)
Destination: 192.168.33.66 (192.168.33.66)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 110
Checksum: 0xadd1 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 6569F1BFEE75E44B
Responder cookie: 9A261BCCD48A8415
Next payload: Notification (11)
Version: 1.0
Exchange type: Informational (5)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x950d9fb2
Length: 102
Notification payload
Next payload: NONE (0)
Payload length: 74
Domain of interpretation: IPSEC (1)
Protocol ID: ISAKMP (1)
SPI Size: 16
Message type: NO-PROPOSAL-CHOSEN (14)
SPI: 0x6569F1BFEE75E44B9A261BCCD48A8415
Notification Data
No. Time Source Destination Protocol Info
207 37.676004 192.168.33.66 *public IP* ISAKMP Identity Protection (Main Mode)
Frame 207 (354 bytes on wire, 354 bytes captured)
Arrival Time: Mar 14, 2007 16:22:10.095388000
[Time delta from previous packet: 15.894323000 seconds]
[Time since reference or first frame: 37.676004000 seconds]
Frame Number: 207
Packet Length: 354 bytes
Capture Length: 354 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Intel_aa:30:b6 (00:11:11:aa:30:b6), Dst: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Destination: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Address: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Address: Intel_aa:30:b6 (00:11:11:aa:30:b6)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.33.66 (192.168.33.66), Dst: *public IP* (*public IP*)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 340
Identification: 0x19dd (6621)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x347d [correct]
[Good: True]
[Bad : False]
Source: 192.168.33.66 (192.168.33.66)
Destination: *public IP* (*public IP*)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 320
Checksum: 0xd8ad [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 6569F1BFEE75E44B
Responder cookie: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x00000000
Length: 312
Security Association payload
Next payload: Vendor ID (13)
Payload length: 200
Domain of interpretation: IPSEC (1)
Situation: IDENTITY (1)
Proposal payload # 1
Next payload: NONE (0)
Payload length: 188
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 5
Transform payload # 1
Next payload: Transform (3)
Payload length: 36
Transform number: 1
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): 2048 bit MODP group (14)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 2
Next payload: Transform (3)
Payload length: 36
Transform number: 2
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 3
Next payload: Transform (3)
Payload length: 36
Transform number: 3
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): MD5 (1)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 4
Next payload: Transform (3)
Payload length: 36
Transform number: 4
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Default 768-bit MODP group (1)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 5
Next payload: NONE (0)
Payload length: 36
Transform number: 5
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): MD5 (1)
Group-Description (4): Default 768-bit MODP group (1)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 24
Vendor ID: MS NT5 ISAKMPOAKLEY
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: Microsoft L2TP/IPSec VPN Client
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Vendor ID payload
Next payload: NONE (0)
Payload length: 20
Vendor ID: unknown vendor ID: 0x26244D38EDDB61B3172A36E3D0CFB819
No. Time Source Destination Protocol Info
208 37.791529 *public IP* 192.168.33.66 ISAKMP Informational
Frame 208 (144 bytes on wire, 144 bytes captured)
Arrival Time: Mar 14, 2007 16:22:10.210913000
[Time delta from previous packet: 0.115525000 seconds]
[Time since reference or first frame: 37.791529000 seconds]
Frame Number: 208
Packet Length: 144 bytes
Capture Length: 144 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Dell_2f:cf:d3 (00:14:22:2f:cf:d3), Dst: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Destination: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Address: Intel_aa:30:b6 (00:11:11:aa:30:b6)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Address: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: *public IP* (*public IP*), Dst: 192.168.33.66 (192.168.33.66)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 130
Identification: 0x3610 (13840)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 241
Protocol: UDP (0x11)
Header checksum: 0xa81b [correct]
[Good: True]
[Bad : False]
Source: *public IP* (*public IP*)
Destination: 192.168.33.66 (192.168.33.66)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 110
Checksum: 0xadd1 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 6569F1BFEE75E44B
Responder cookie: 9A261BCCD48A8415
Next payload: Notification (11)
Version: 1.0
Exchange type: Informational (5)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x950d9fb2
Length: 102
Notification payload
Next payload: NONE (0)
Payload length: 74
Domain of interpretation: IPSEC (1)
Protocol ID: ISAKMP (1)
SPI Size: 16
Message type: NO-PROPOSAL-CHOSEN (14)
SPI: 0x6569F1BFEE75E44B9A261BCCD48A8415
Notification Data
No. Time Source Destination Protocol Info
242 69.728963 192.168.33.66 *public IP* ISAKMP Informational
Frame 242 (98 bytes on wire, 98 bytes captured)
Arrival Time: Mar 14, 2007 16:22:42.148347000
[Time delta from previous packet: 31.937434000 seconds]
[Time since reference or first frame: 69.728963000 seconds]
Frame Number: 242
Packet Length: 98 bytes
Capture Length: 98 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Intel_aa:30:b6 (00:11:11:aa:30:b6), Dst: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Destination: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
Address: Dell_2f:cf:d3 (00:14:22:2f:cf:d3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Intel_aa:30:b6 (00:11:11:aa:30:b6)
Address: Intel_aa:30:b6 (00:11:11:aa:30:b6)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.33.66 (192.168.33.66), Dst: *public IP* (*public IP*)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 84
Identification: 0x19de (6622)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x357c [correct]
[Good: True]
[Bad : False]
Source: 192.168.33.66 (192.168.33.66)
Destination: *public IP* (*public IP*)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 64
Checksum: 0xcbd0 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 6569F1BFEE75E44B
Responder cookie: 0000000000000000
Next payload: Delete (12)
Version: 1.0
Exchange type: Informational (5)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x7d7b60ae
Length: 56
Delete payload
Next payload: NONE (0)
Payload length: 28
Domain of Interpretation: IPSEC (1)
Protocol ID: ISAKMP (1)
SPI Size: 16
Port: 1
SPI: 0x6569F1BFEE75E44B0000000000000000
If you could point me in the right direction on what I need to
configure it would be a big help. I'm pretty sure that it's the server
settings though, looking at the captured packets.
Regards
Ian
On 14 Mar, 09:34, Roy Hills <royhi...@xxxxxxxxxxx> wrote:
On 13 Mar 2007 08:37:04 -0700, IanGsi...@xxxxxxxxx wrote:
We are using ISA 2000 at the office I am trying to VPN into. I have
set up the relevant packet filters for UDP 500, 4500 and 1701 as well as
forwarding the relevant traffic on my external firewall (D-Link
DFL-700). I have pretty much followed the guides in the ISA Server
2000 VPN Deployment kit on isaserver.org.
Don't forget to allow IP protocol 50 (ESP) through as well. You'll need
that once you get the VPN negotiation working, but it's not an issue at the
moment.
When I try to connect to the ISA Server I get an Error 792 message; my
syslogger shows the message "No proposal chosen". I have tried this
using both certificates and pre-shared keys.
"No Proposal Chosen" is a message from IKE, which is the bit of
IPsec that does encryption negotiation, key exchange and authentication.
IKE has two Phases: Phase-1, which establishes a secure channel for
future negotiations and authenticates the peers, and Phase-2 which uses
this secure channel to negotiate the parameters for the ESP tunnel that
will carry the VPN data. I suspect that your problem is with IKE Phase-1.
IKE Phase-1 negotiates four transform attributes:
Encryption Algorithm (E.g. 3DES)
Hash Algorithm (e.g. SHA1)
Authentication Method (e.g. RSA Signatures)
Diffie Hellman Group (e.g. group 2)
If the client doesn't support a set of these that the server supports, then
you'll likely get a "No Proposal Chosen" message.
"Certificate" authentication generally means "RSA Signature"
authentication.
Note that Windows often uses "Kerberos" authentication for IPsec VPNs,
which is a non-standard authentication method that uses GSS-API (an IETF
draft, not a formal RFC).
We currently have a site-to-site VPN tunnel set up via our hardware
firewalls; this allows me to VPN from the main office to the remote
office (ISA 2000) server using the external interface IP
(192.168.2.2). When I try this I can connect using L2TP with
certificates no problem, which leads me to believe that it is a problem
with the configuration of the external firewalls.
Any help would be greatly appreciated, as I have been through every
guide and webpage I can find but I can't seem to get to the bottom of
this.
You might find ike-scan useful, as it can determine what transform
attributes your VPN server supports.
A sniffer like wireshark (nee Ethereal) can also be useful, as the point
at which you appear to be failing is before things start getting encrypted.
Take a look at the ike-scan wiki at: http://www.nta-monitor.com/wiki/index.php/Ike-scan_Documentation
Especially the "User Guide" and "Implementation Analysis" sections. This
contains details on how IKE Phase-1 works, and how various implementations
handle Phase-1 negotiations.
If all else fails, get a packet capture showing the communications between
the client and the server (including all the packet data in hex) and post
it. If it's failing in Phase-1 as I expect, this should only be two
packets:
Client -> Server: IKE Phase-1 Main Mode (or Aggressive Mode) Request
Server -> Client: IKE Phase-1 Informational - No Proposal Chosen
Both will be UDP using either port 500 or 4500 (If NAT Traversal is being
used).
Roy Hills
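As an added example (it is not code from the thread, from Windows or from ike-scan), the following Python models the Phase-1 proposal check Roy describes above, using the five client transforms from frames 188/207 and the server policy ike-scan reported earlier in the thread. The RFC 2408 transform encoding, including the 4-byte Life-Duration attribute that makes each transform 36 bytes, is assumed from the payload lengths in the capture.

```python
import struct

# Added example, not code from the thread or from ike-scan: model the IKEv1 Phase-1
# proposal check that produced NO-PROPOSAL-CHOSEN in frames 189/208.
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "life_type", 12: "life_dur"}
ENC_DES, ENC_3DES = 1, 5                      # Encryption-Algorithm values seen in the capture
HASH_MD5, HASH_SHA = 1, 2                     # Hash-Algorithm values
AUTH_PSK, AUTH_RSA_SIG = 1, 3                 # Authentication-Method values
GROUP_768, GROUP_1024, GROUP_2048 = 1, 2, 14  # Group-Description values
# (enc, hash, group) of the five transforms the Windows client sent; all of them use RSA-SIG.
CLIENT_TRANSFORMS = [
    (ENC_3DES, HASH_SHA, GROUP_2048),
    (ENC_3DES, HASH_SHA, GROUP_1024),
    (ENC_3DES, HASH_MD5, GROUP_1024),
    (ENC_DES, HASH_SHA, GROUP_768),
    (ENC_DES, HASH_MD5, GROUP_768),
]
# What ike-scan reported the server accepting: 3DES, SHA1, PSK, DH group 2 (1024-bit MODP).
SERVER_POLICY = {"enc": ENC_3DES, "hash": HASH_SHA, "auth": AUTH_PSK, "group": GROUP_1024}

def build_transform(number, enc, hash_, group, auth, last):
    """Encode one Transform payload (RFC 2408 section 3.6); 36 bytes, as in the capture."""
    body = b"".join(struct.pack("!HH", 0x8000 | t, v)      # basic (TV) attributes
                    for t, v in ((1, enc), (2, hash_), (4, group), (3, auth), (11, 1)))
    body += struct.pack("!HHI", 12, 4, 28800)              # Life-Duration as a 4-byte TLV
    header = struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(body), number, 1, 0)
    return header + body

def build_client_proposal():
    """Chain the five transforms as they sit inside Proposal payload #1 (5 x 36 = 180 bytes)."""
    n = len(CLIENT_TRANSFORMS)
    return b"".join(build_transform(i + 1, e, h, g, AUTH_RSA_SIG, i == n - 1)
                    for i, (e, h, g) in enumerate(CLIENT_TRANSFORMS))

def parse_transforms(data):
    """Decode a chain of Transform payloads into a list of attribute dicts."""
    transforms, off = [], 0
    while True:
        next_payload, _, length, _, _, _ = struct.unpack_from("!BBHBBH", data, off)
        attrs, p, end = {}, off + 8, off + length
        while p < end:
            atype, = struct.unpack_from("!H", data, p)
            if atype & 0x8000:                               # basic: 2-byte value follows
                value, = struct.unpack_from("!H", data, p + 2)
                p += 4
            else:                                            # variable: 2-byte length, then value
                alen, = struct.unpack_from("!H", data, p + 2)
                value = int.from_bytes(data[p + 4:p + 4 + alen], "big")
                p += 4 + alen
            attrs[ATTR_NAMES.get(atype & 0x7FFF, atype & 0x7FFF)] = value
        transforms.append(attrs)
        off = end
        if next_payload == 0:                                # Next payload: NONE (0)
            return transforms

def choose_proposal(transforms, policy):
    """Return (index of the first acceptable transform or None, disagreeing attributes per rejected one)."""
    mismatches = []
    for i, t in enumerate(transforms):
        bad = sorted(k for k in ("enc", "hash", "auth", "group") if t.get(k) != policy[k])
        if not bad:
            return i, mismatches
        mismatches.append(bad)
    return None, mismatches                                  # server answers NO-PROPOSAL-CHOSEN
```

Against the server policy from ike-scan the result is `None`, and transform 2 (3DES/SHA/group 2) is rejected on the authentication method alone, which is the PSK-versus-RSA mismatch visible in the capture.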