We have four servers connected via a BMEE3.8SP2 VPN tunnel. Some time
ago we fixed ipflt31.nlm (thanks to Craig) and tuned our file.
After that we had ideal networking via the VPN tunnel. But
yesterday we got a problem with only one of the slave VPN servers.
Quote from ike.log:
~~~~~~~~~~~~~~~~~~~
11-17-2004 3:45:06 pm ***Receive Quick Mode message from 195.56.172.104
11-17-2004 3:45:06 pm I-COOKIE=7680491152E40C95,R-COOKIE=89ACDC86294FB2AD,MsgID=ECCC191E,1stPL=HASH-PAYLOAD,state=-1946500420
11-17-2004 3:45:06 pm Start IPSEC SA 8BD2D5A0 - Responder****totSA=1
11-17-2004 3:45:06 pm ****DH private exponent size is 1016****
11-17-2004 3:45:06 pm IPSE SA NEGOTIATION: Peer lifetime = 7200 My lifetime=7200
11-17-2004 3:45:06 pm Received (QM) proxy ID 0.0.0.0 0.0.0.0 - 0.0.0.0 0.0.0.0
11-17-2004 3:45:06 pm Error: PFS Enabled or Requested by Peer but key payload not recieved message id : 3972798750 dst : 195.56.172.104 src : 195.56.172.111 cookies[his :mine] 89ACDC86294FB2AD : 7680491100000000
11-17-2004 3:45:06 pm Failed to create protoSA - No PFS Key for quick mode 195.56.172.104
11-17-2004 3:45:51 pm ***Receive Quick Mode message from 195.56.172.104
11-17-2004 3:45:51 pm I-COOKIE=7680491152E40C95,R-COOKIE=89ACDC86294FB2AD,MsgID=ECCC191E,1stPL=HASH-PAYLOAD,state=-1946500420
11-17-2004 3:45:51 pm Start IPSEC SA 8BD2D5A0 - Responder****totSA=1
11-17-2004 3:45:51 pm ****DH private exponent size is 1016****
11-17-2004 3:45:51 pm IPSE SA NEGOTIATION: Peer lifetime = 7200 My lifetime=7200
11-17-2004 3:45:51 pm Received (QM) proxy ID 0.0.0.0 0.0.0.0 - 0.0.0.0 0.0.0.0
11-17-2004 3:45:51 pm Error: PFS Enabled or Requested by Peer but key payload not recieved message id : 3972798750 dst : 195.56.172.104 src : 195.56.172.111 cookies[his :mine] 89ACDC86294FB2AD : 7680491100000000
11-17-2004 3:45:51 pm Failed to create protoSA - No PFS Key for quick mode 195.56.172.104
11-17-2004 3:47:17 pm ***Receive Main Mode message from 195.56.172.104
11-17-2004 3:47:17 pm I-COOKIE=38386729DCD67A80,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=-1946500532
11-17-2004 3:47:17 pm IKEMarkNoRekey:CurrtimerEvent=REPLACE,RemainingTime=28619,dst=195.56.172.104 Rekey count 0
11-17-2004 3:47:17 pm Start IKE-SA 8C1C4A80 - Responder,src=195.56.172.111,dst=195.56.172.104,TotSA=4
11-17-2004 3:47:17 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
11-17-2004 3:47:17 pm ****DH private exponent size is 1016****
11-17-2004 3:47:17 pm Local server's interfaces : 192.168.97.2
11-17-2004 3:47:17 pm Local server's interfaces : 195.56.172.111
11-17-2004 3:47:17 pm Recieved Supported Vendor id draft-ietf-ipsec-nat-t-ike-03 from 195.56.172.104
11-17-2004 3:47:17 pm ***Send Main Mode message to 195.56.172.104
11-17-2004 3:47:17 pm I-COOKIE=38386729DCD67A80,R-COOKIE=89ACDC86294FB2AD,MsgID=0,1stPL=SA-PAYLOAD,state=-1946500532
11-17-2004 3:47:17 pm ***Receive Main Mode message from 195.56.172.104
11-17-2004 3:47:17 pm I-COOKIE=38386729DCD67A80,R-COOKIE=89ACDC86294FB2AD,MsgID=0,1stPL=KEY-PAYLOAD,state=-1946500480
11-17-2004 3:47:17 pm No NAT detected
11-17-2004 3:47:17 pm info: sending certificate request payload is disabled
11-17-2004 3:47:17 pm ***Send Main Mode message to 195.56.172.104
11-17-2004 3:47:17 pm I-COOKIE=38386729DCD67A80,R-COOKIE=89ACDC86294FB2AD,MsgID=0,1stPL=KEY-PAYLOAD,state=-1946500480
11-17-2004 3:47:17 pm ***Receive Main Mode message from 195.56.172.104
11-17-2004 3:47:17 pm I-COOKIE=38386729DCD67A80,R-COOKIE=89ACDC86294FB2AD,MsgID=0,1stPL=ID-PAYLOAD,state=-1946500468
11-17-2004 3:47:17 pm Recieved MM ID payload type 9 protocol 0 portnum 0 length 40
11-17-2004 3:47:17 pm Recieved notify message type 24578 from 195.56.172.104
11-17-2004 3:47:17 pm Recieved INITIAL_CONTACT notify deleting all old SA's with 195.56.172.104 address
11-17-2004 3:47:17 pm INITIAL_CONTACT : This SA is marked dead Dst:195.56.172.104 Cookie my:his[89ACDC86294FB2AD : 7680491152E40C95]
11-17-2004 3:47:17 pm *Sending MM id payload Type 9 - subject name :9 subject alternative name :2,3
11-17-2004 3:47:17 pm *protocol 0 portnum 0 length 48
11-17-2004 3:47:17 pm ***Send Main Mode message to 195.56.172.104
11-17-2004 3:47:17 pm I-COOKIE=38386729DCD67A80,R-COOKIE=89ACDC86294FB2AD,MsgID=0,1stPL=ID-PAYLOAD,state=-1946500468
11-17-2004 3:47:17 pm ***Receive Quick Mode message from 195.56.172.104
11-17-2004 3:47:17 pm I-COOKIE=38386729DCD67A80,R-COOKIE=89ACDC86294FB2AD,MsgID=D5C2A145,1stPL=HASH-PAYLOAD,state=-1946500420
11-17-2004 3:47:17 pm Start IPSEC SA 8BD2D5A0 - Responder****totSA=1
11-17-2004 3:47:17 pm ****DH private exponent size is 1016****
11-17-2004 3:47:17 pm Final IKE (phase 1) SA lifetime is 28800 secs
11-17-2004 3:47:17 pm IKE-SA is created. rekey time = 21600 encr=5,hash=2,auth=3,lifesec=28800
11-17-2004 3:47:17 pm dst=195.56.172.104,time=18940309
11-17-2004 3:47:17 pm IPSE SA NEGOTIATION: Peer lifetime = 7200 My lifetime=7200
11-17-2004 3:47:17 pm Received (QM) proxy ID 0.0.0.0 0.0.0.0 - 0.0.0.0 0.0.0.0
11-17-2004 3:47:17 pm Error: PFS Enabled or Requested by Peer but key payload not recieved message id : 3586302277 dst : 195.56.172.104 src : 195.56.172.111 cookies[his :mine] 89ACDC86294FB2AD : 3838672900000000
11-17-2004 3:47:17 pm Failed to create protoSA - No PFS Key for quick mode 195.56.172.104
11-17-2004 3:47:18 pm IKE-SA 8C1C4540 is Deleted,I-COOKIE=76804911,R-COOKIE=89ACDC86,dst=195.56.172.104
11-17-2004 3:47:18 pm State:3 Cond:4 TimerEvent:4
11-17-2004 3:47:18 pm lifetime :28800 sec Rekey Time :21600 sec
11-17-2004 3:47:18 pm Created at :1052057 sec Remaining life time :28617 sec Current time 1052240
11-17-2004 3:47:18 pm ESP-SA is deleted :algorID=esp 3des,mySPI=1DCE3473,peerSPI=890B8877,time=1052240,dst=195.56.172.104
11-17-2004 3:47:19 pm Start IPSEC SA 8BD2D900 - Initiator****totSA=1
11-17-2004 3:47:19 pm src from IPsec
11-17-2004 3:47:19 pm 10020000 C257B6AB
11-17-2004 3:47:19 pm dst from IPsec
11-17-2004 3:47:19 pm 10020000 C257B6A4
11-17-2004 3:47:19 pm ****DH private exponent size is 1016****
11-17-2004 3:47:19 pm Sending DH params in QM - PFS Configured or Requested by Peer
11-17-2004 3:47:19 pm *Sending proxy ID type 4 0.0.0.0/0.0.0.0
11-17-2004 3:47:19 pm *Sending proxy ID type 4 0.0.0.0/0.0.0.0
11-17-2004 3:47:19 pm ***Send Quick Mode message to 195.56.172.104
11-17-2004 3:47:19 pm I-COOKIE=38386729DCD67A80,R-COOKIE=89ACDC86294FB2AD,MsgID=9A42B009,1stPL=HASH-PAYLOAD,state=-1946500420
11-17-2004 3:47:19 pm ***Receive Quick Mode message from 195.56.172.104
11-17-2004 3:47:19 pm I-COOKIE=38386729DCD67A80,R-COOKIE=89ACDC86294FB2AD,MsgID=9A42B009,1stPL=HASH-PAYLOAD,state=-1946500420
11-17-2004 3:47:19 pm IPSE SA NEGOTIATION: Peer lifetime = 7200 My lifetime=7200
11-17-2004 3:47:19 pm Received (QM) proxy ID 0.0.0.0 0.0.0.0 - 0.0.0.0 0.0.0.0
11-17-2004 3:47:19 pm ***Send Quick Mode message to 195.56.172.104
11-17-2004 3:47:19 pm I-COOKIE=38386729DCD67A80,R-COOKIE=89ACDC86294FB2AD,MsgID=9A42B009,1stPL=HASH-PAYLOAD,state=-1946500420
11-17-2004 3:47:19 pm ESP-SA is created:algorID=esp 3des,mySPI=325D75EA,peerSPI=454FC845,time=1052241,dst=195.56.172.104
11-17-2004 3:47:36 pm ***Receive Quick Mode message from 195.56.172.104
11-17-2004 3:47:36 pm I-COOKIE=38386729DCD67A80,R-COOKIE=89ACDC86294FB2AD,MsgID=D5C2A145,1stPL=HASH-PAYLOAD,state=-1946500420
11-17-2004 3:47:36 pm Start IPSEC SA 8BD2D900 - Responder****totSA=1
11-17-2004 3:47:36 pm ****DH private exponent size is 1016****
11-17-2004 3:47:36 pm IPSE SA NEGOTIATION: Peer lifetime = 7200 My lifetime=7200
11-17-2004 3:47:36 pm Received (QM) proxy ID 0.0.0.0 0.0.0.0 - 0.0.0.0 0.0.0.0
11-17-2004 3:47:36 pm Error: PFS Enabled or Requested by Peer but key payload not recieved message id : 3586302277 dst : 195.56.172.104 src : 195.56.172.111 cookies[his :mine] 89ACDC86294FB2AD : 3838672900000000
11-17-2004 3:47:36 pm Failed to create protoSA - No PFS Key for quick mode 195.56.172.104
11-17-2004 3:48:06 pm ***Receive Quick Mode message from 195.56.172.104
11-17-2004 3:48:06 pm I-COOKIE=38386729DCD67A80,R-COOKIE=89ACDC86294FB2AD,MsgID=D5C2A145,1stPL=HASH-PAYLOAD,state=-1946500420
11-17-2004 3:48:06 pm Start IPSEC SA 8BD2D900 - Responder****totSA=1
11-17-2004 3:48:06 pm ****DH private exponent size is 1016****
11-17-2004 3:48:06 pm IPSE SA NEGOTIATION: Peer lifetime = 7200 My lifetime=7200
11-17-2004 3:48:06 pm Received (QM) proxy ID 0.0.0.0 0.0.0.0 - 0.0.0.0 0.0.0.0
11-17-2004 3:48:06 pm Error: PFS Enabled or Requested by Peer but key payload not recieved message id : 3586302277 dst : 195.56.172.104 src : 195.56.172.111 cookies[his :mine] 89ACDC86294FB2AD : 3838672900000000
11-17-2004 3:48:06 pm Failed to create protoSA - No PFS Key for quick mode 195.56.172.104
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
So,
Master VPN Server IP 195.56.172.111
Slave VPN server IP 195.56.172.104

Internal IP address of Master 192.168.97.2

What does PFS mean? Pings are working, but ~23% of pings are lost... :(
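Editor's note on what the log shows. PFS is Perfect Forward Secrecy: with PFS on, each IKEv1 Quick Mode carries a fresh Diffie-Hellman key-exchange (KE) payload, so the ESP keys are not derived from the phase 1 secret alone and a later compromise of that secret does not expose old traffic. The repeated "PFS Enabled or Requested by Peer but key payload not recieved" line means this side (195.56.172.111) requires PFS, but the Quick Mode messages arriving from 195.56.172.104 contain no KE payload, so every peer-initiated negotiation (MsgID ECCC191E, then D5C2A145) is rejected and retransmitted. When this side initiates at 3:47:19 it sends DH params ("Sending DH params in QM") and the ESP SA is created, so only one direction of negotiation fails. The script below is an added example, not code from the original post or from BorderManager: it triages an ike.log in the format shown above, counts Quick Mode messages rejected for a missing KE payload per peer and per MsgID (the decimal "message id" in the error is the same value as the hex MsgID in the ISAKMP header line before it), and prints a verdict. The sample log is a condensed copy of the excerpt in the post; the regexes are written against that sample only, and the wrapped lines are assumed to have been rejoined.

```python
"""Triage a BorderManager-style ike.log for IKEv1 Quick Mode PFS mismatches.

Added example, not from the original post. Assumes the line format shown
in the post ("MM-DD-YYYY H:MM:SS am/pm <message>") with wrapped lines
rejoined; the patterns below are written against that format only.
"""
import re
from collections import defaultdict

# Constructed sample: a condensed copy of the ike.log excerpt in the post.
SAMPLE_LOG = """\
11-17-2004 3:45:06 pm ***Receive Quick Mode message from 195.56.172.104
11-17-2004 3:45:06 pm I-COOKIE=7680491152E40C95,R-COOKIE=89ACDC86294FB2AD,MsgID=ECCC191E,1stPL=HASH-PAYLOAD,state=-1946500420
11-17-2004 3:45:06 pm Error: PFS Enabled or Requested by Peer but key payload not recieved message id : 3972798750 dst : 195.56.172.104 src : 195.56.172.111 cookies[his :mine] 89ACDC86294FB2AD : 7680491100000000
11-17-2004 3:45:06 pm Failed to create protoSA - No PFS Key for quick mode 195.56.172.104
11-17-2004 3:45:51 pm ***Receive Quick Mode message from 195.56.172.104
11-17-2004 3:45:51 pm I-COOKIE=7680491152E40C95,R-COOKIE=89ACDC86294FB2AD,MsgID=ECCC191E,1stPL=HASH-PAYLOAD,state=-1946500420
11-17-2004 3:45:51 pm Error: PFS Enabled or Requested by Peer but key payload not recieved message id : 3972798750 dst : 195.56.172.104 src : 195.56.172.111 cookies[his :mine] 89ACDC86294FB2AD : 7680491100000000
11-17-2004 3:47:19 pm Start IPSEC SA 8BD2D900 - Initiator****totSA=1
11-17-2004 3:47:19 pm Sending DH params in QM - PFS Configured or Requested by Peer
11-17-2004 3:47:19 pm ESP-SA is created:algorID=esp 3des,mySPI=325D75EA,peerSPI=454FC845,time=1052241,dst=195.56.172.104
11-17-2004 3:47:36 pm ***Receive Quick Mode message from 195.56.172.104
11-17-2004 3:47:36 pm I-COOKIE=38386729DCD67A80,R-COOKIE=89ACDC86294FB2AD,MsgID=D5C2A145,1stPL=HASH-PAYLOAD,state=-1946500420
11-17-2004 3:47:36 pm Error: PFS Enabled or Requested by Peer but key payload not recieved message id : 3586302277 dst : 195.56.172.104 src : 195.56.172.111 cookies[his :mine] 89ACDC86294FB2AD : 3838672900000000
"""

TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{1,2}:\d{2}:\d{2} [ap]m) (.*)$")
HDR_RE = re.compile(r"MsgID=([0-9A-Fa-f]+)")
PFS_ERR_RE = re.compile(
    r"PFS Enabled or Requested by Peer but key payload not recieved "
    r"message id : (\d+) dst : (\S+) src : (\S+)"
)
LOCAL_KE_RE = re.compile(r"Sending DH params in QM")
ESP_RE = re.compile(r"ESP-SA is (created|deleted)")


def parse(log_text):
    """Yield (timestamp, message) for each timestamped line; skip the rest."""
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Summarise PFS-related Quick Mode events and return a verdict dict."""
    failures = defaultdict(list)   # (peer, MsgID hex) -> timestamps of rejections
    local_ke = 0                   # Quick Modes this side initiated with a KE payload
    esp = {"created": 0, "deleted": 0}
    last_msgid = None
    crosscheck_ok = True

    for ts, msg in parse(log_text):
        h = HDR_RE.search(msg)
        if h:
            last_msgid = h.group(1).upper()
            continue
        e = PFS_ERR_RE.search(msg)
        if e:
            # The error prints the Quick Mode message id in decimal; the ISAKMP
            # header line just before it printed the same value in hex.
            msgid_hex = f"{int(e.group(1)):08X}"
            if msgid_hex != last_msgid:
                crosscheck_ok = False
            failures[(e.group(2), msgid_hex)].append(ts)
            continue
        if LOCAL_KE_RE.search(msg):
            local_ke += 1
            continue
        s = ESP_RE.search(msg)
        if s:
            esp[s.group(1)] += 1

    peers = ", ".join(sorted({peer for peer, _ in failures}))
    if failures and local_ke:
        verdict = ("PFS mismatch: this side sends a KE payload in its own Quick Mode "
                   "(PFS on) but peer " + peers + " sends Quick Mode without one "
                   "(PFS off); set PFS the same on both ends")
    elif failures:
        verdict = "peer Quick Mode rejected for missing KE payload; check PFS on " + peers
    else:
        verdict = "no PFS errors"

    return {
        # The same MsgID repeating is the peer retransmitting a Quick Mode we never answered.
        "peer_qm_without_ke": {f"{p}/{m}": len(t) for (p, m), t in failures.items()},
        "local_qm_with_ke": local_ke,
        "esp_sa": esp,
        "msgid_crosscheck_ok": crosscheck_ok,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the full ike.log by reading the file into `triage()`; a retransmission count above one for the same MsgID tells you the peer never got an answer, and a non-zero `local_qm_with_ke` beside those rejections is the signature of the two ends disagreeing on PFS rather than of a network fault.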