Hi, all. I've posted a note on the Astaro forum about this, but figured
I might look here, too, considering the client I'm using. Here's the issue:

I have a RoadWarrior profile configured in the server per the
recommendations of
http://www.novell.com/coolsolutions/appnote/16889.html. The AppNote
itself is in conflict, however. In one place, Gaurav lists the Phase 1
encryption algorithm as MD5, and in the screenshot of the policy
configuration page, he shows this as SHA1. Also, if this is a
RoadWarrior configuration, on an assumed dynamic link (well, dynamic by
nature of the fact that the remote endpoint is never known beforehand),
why then is the profile to be configured in Main Mode and not Aggressive?

Anyway, I cannot get this to connect. Here are a couple of snippets from
the logs (I am using PSK for the time being):

ikelog.txt (server IP address has been replaced with "sss.sss.sss.sss";
client IP has been replaced with "ccc.ccc.ccc.ccc"):

8<-------------------------- snip -------------------------->8

11-05-2006 10:28:08 AM Created thread for SendKeepAlivePacketProcess
11-05-2006 10:28:08 AM Start IPSEC SA 00a25618 - Initiator****totSA=1

11-05-2006 10:28:08 AM src from IPsec

11-05-2006 10:28:08 AM 00000000 00000000
11-05-2006 10:28:08 AM dst from IPsec

11-05-2006 10:28:08 AM 00000000 18698d65
11-05-2006 10:28:08 AM Start IKE-SA 00a28730 -
Initiator,src=ccc.ccc.ccc.ccc,dst=sss.sss.sss.sss, TotSA=1

11-05-2006 10:28:08 AM AUTH ALG IS 1
11-05-2006 10:28:08 AM Negotiating for an NMAS user sss.sss.sss.sss

11-05-2006 10:28:08 AM ***Send Main Mode message to sss.sss.sss.sss

11-05-2006 10:28:08 AM
I-COOKIE=96a597108ce35e5f,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=23132932

11-05-2006 10:28:08 AM ERROR :packet length 25600 recieved is too high ,
probably bogus packet

11-05-2006 10:28:08 AM ERROR :Maximum size of allowed packet is 25600

11-05-2006 10:28:08 AM ***Receive Main Mode message from sss.sss.sss.sss

11-05-2006 10:28:08 AM
I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=0,1stPL=SA-PAYLOAD,state=22084308

11-05-2006 10:28:08 AM IKE SA NEGOTIATION: Peer lifetime = 28800 My
lifetime=28800

11-05-2006 10:28:08 AM ****DH private exponent size is 1016****
11-05-2006 10:28:08 AM Recieved Supported Vendor id
draft-ietf-ipsec-nat-t-ike-03 from sss.sss.sss.sss
11-05-2006 10:28:08 AM ***Send Main Mode message to sss.sss.sss.sss

11-05-2006 10:28:08 AM
I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=0,1stPL=KEY-PAYLOAD,state=22084208

11-05-2006 10:28:08 AM ERROR :packet length 25600 recieved is too high ,
probably bogus packet

11-05-2006 10:28:08 AM ERROR :Maximum size of allowed packet is 25600

11-05-2006 10:28:08 AM ***Receive Main Mode message from sss.sss.sss.sss

11-05-2006 10:28:08 AM
I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=0,1stPL=KEY-PAYLOAD,state=22084308

11-05-2006 10:28:08 AM There is NAT in between server and client

11-05-2006 10:28:08 AM ****SKEYID***secret***

11-05-2006 10:28:08 AM 73686162 617a7a74 75626d61 6e202020

11-05-2006 10:28:08 AM *Sending MM id payload IPSEC_ID_IPV4_ADDR
ccc.ccc.ccc.ccc

11-05-2006 10:28:08 AM *protocol 0 portnum 0 length 8

11-05-2006 10:28:08 AM Sending INITIAL_CONTACT notify to sss.sss.sss.sss
11-05-2006 10:28:08 AM ***Send Main Mode message to sss.sss.sss.sss

11-05-2006 10:28:08 AM
I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=0,1stPL=ID-PAYLOAD,state=22084236

11-05-2006 10:28:08 AM ERROR :packet length 25600 recieved is too high ,
probably bogus packet

11-05-2006 10:28:08 AM ERROR :Maximum size of allowed packet is 25600

11-05-2006 10:28:08 AM ***Receive Main Mode message from sss.sss.sss.sss

11-05-2006 10:28:08 AM
I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=0,1stPL=ID-PAYLOAD,state=22084308

11-05-2006 10:28:08 AM Recieved MM ID payload type 1 protocol 0 portnum
0 length 8

11-05-2006 10:28:08 AM *Received MM ID ID_IPV4_ADDR sss.sss.sss.sss

11-05-2006 10:28:08 AM Final IKE (phase 1) SA lifetime is 28800 secs
11-05-2006 10:28:08 AM IKE-SA is created. rekey time = 21600
encr=5,hash=2,auth=1,lifesec=28800
11-05-2006 10:28:08 AM dst=sss.sss.sss.sss,time=249281

8<-------------------------- snip -------------------------->8

I am at first concerned about the "packet length 25600 recieved is too
high" (the spelling error is in the log...sheesh...). I have no idea
where this may be adjusted or indeed what packet is oversized. I see
nothing on NSM to configure super packets or anything of the sort.

BTW, the above was with Phase 1 auth set to MD5. However, I get similar
results with SHA1 (Phase 1 does connect). I have also adjusted the Phase
1 SA lifetime to 28800 from the stated 14400 in the AppNote (same
results, either way).

More from ikelog.txt:

8<-------------------------- snip -------------------------->8

11-05-2006 10:28:08 AM ****DH private exponent size is 1016****
11-05-2006 10:28:08 AM Rule id is NULL. So, not constructing the rule id
payload

11-05-2006 10:28:08 AM Sending DH params in QM - PFS Configured or
Requested by Peer

11-05-2006 10:28:08 AM *Sending proxy ID type 1 ccc.ccc.ccc.ccc

11-05-2006 10:28:08 AM *Sending proxy ID type 4 0.0.0.0/0.0.0.0

11-05-2006 10:28:08 AM ***Send Quick Mode message to sss.sss.sss.sss

11-05-2006 10:28:08 AM
I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=e0cc01c2,1stPL=HASH-PAYLOAD,state=22084160

11-05-2006 10:28:08 AM ERROR :packet length 25600 recieved is too high ,
probably bogus packet

11-05-2006 10:28:08 AM ERROR :Maximum size of allowed packet is 25600

11-05-2006 10:28:08 AM ***Receive Unacknowledge Informational message
from sss.sss.sss.sss

11-05-2006 10:28:08 AM
I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=13580a16,1stPL=HASH-PAYLOAD,state=22084308

11-05-2006 10:28:08 AM Recieved notify message type 18 from sss.sss.sss.sss
11-05-2006 10:28:08 AM Error :Unkown notify message type 18 recieved
from server
11-05-2006 10:28:08 AM Notify Recvd :Packet could have corrupted on the
way ,retransmit to sss.sss.sss.sss

11-05-2006 10:28:13 AM ERROR :packet length 25600 recieved is too high ,
probably bogus packet

11-05-2006 10:28:13 AM ERROR :Maximum size of allowed packet is 25600

11-05-2006 10:28:13 AM ***Receive Unacknowledge Informational message
from sss.sss.sss.sss

11-05-2006 10:28:13 AM
I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=23f06da4,1stPL=HASH-PAYLOAD,state=22084308

11-05-2006 10:28:13 AM Recieved notify message type 9 from sss.sss.sss.sss
11-05-2006 10:28:13 AM Error :Unkown notify message type 9 recieved from
server
11-05-2006 10:28:13 AM Notify Recvd :Packet could have corrupted on the
way ,retransmit to sss.sss.sss.sss

11-05-2006 10:28:20 AM ERROR :packet length 25600 recieved is too high ,
probably bogus packet

11-05-2006 10:28:20 AM ERROR :Maximum size of allowed packet is 25600

11-05-2006 10:28:20 AM ***Receive Unacknowledge Informational message
from sss.sss.sss.sss

11-05-2006 10:28:20 AM
I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=770d3c7d,1stPL=HASH-PAYLOAD,state=22084308

11-05-2006 10:28:20 AM Recieved notify message type 9 from sss.sss.sss.sss
11-05-2006 10:28:20 AM Error :Unkown notify message type 9 recieved from
server
11-05-2006 10:28:20 AM Notify Recvd :Packet could have corrupted on the
way ,retransmit to sss.sss.sss.sss

11-05-2006 10:28:30 AM ERROR :packet length 25600 recieved is too high ,
probably bogus packet

11-05-2006 10:28:30 AM ERROR :Maximum size of allowed packet is 25600

11-05-2006 10:28:30 AM ***Receive Unacknowledge Informational message
from sss.sss.sss.sss

11-05-2006 10:28:30 AM
I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=c7ad45d5,1stPL=HASH-PAYLOAD,state=22084308

11-05-2006 10:28:30 AM Recieved notify message type 9 from sss.sss.sss.sss
11-05-2006 10:28:30 AM Error :Unkown notify message type 9 recieved from
server
11-05-2006 10:28:30 AM Notify Recvd :Packet could have corrupted on the
way ,retransmit to sss.sss.sss.sss

11-05-2006 10:28:30 AM IKE-SA is deleted- packet retransmit exceeded the
limit, dst=sss.sss.sss.sss

11-05-2006 10:28:32 AM IKE-SA a28730 is
Deleted,I-COOKIE=96a59710,R-COOKIE=e02e9414,dst=sss.sss.sss.sss

8<-------------------------- snip -------------------------->8

I could post the whole log, but I believe the problems are here at the
beginning.

From the server side, I show the following (client side public IP has
been replaced with "ppp.ppp.ppp.ppp"):

8<-------------------------- snip -------------------------->8

000 "S_NBM38_Client_0": 0.0.0.0/0===sss.sss.sss.sss...%any; unrouted;
eroute owner: #0
000 "S_NBM38_Client_0": srcip=unset; dstip=unset;
srcup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log;
dstup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log;
000 "S_NBM38_Client_0": ike_life: 28800s; ipsec_life: 14400s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "S_NBM38_Client_0": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 0,32;
interface: eth1;
000 "S_NBM38_Client_0": dpd: action:restart; delay:30; timeout:120;
000 "S_NBM38_Client_0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "S_NBM38_Client_0": IKE algorithms wanted: 5_000-1-2, flags=-strict
000 "S_NBM38_Client_0": IKE algorithms found: 5_192-1_128-2,
000 "S_NBM38_Client_0": ESP algorithms wanted: 2_000-1, ; pfsgroup=2;
flags=-strict
000 "S_NBM38_Client_0": ESP algorithms loaded: 2_000-1, ; pfsgroup=2;
flags=-strict
000 "S_NBM38_Client_0"[2]:
0.0.0.0/0===sss.sss.sss.sss...ppp.ppp.ppp.ppp[ccc.ccc.ccc.ccc];
unrouted; eroute owner: #0
000 "S_NBM38_Client_0"[2]: srcip=unset; dstip=unset;
srcup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log;
dstup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log;
000 "S_NBM38_Client_0"[2]: ike_life: 28800s; ipsec_life: 14400s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "S_NBM38_Client_0"[2]: policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 0,32;
interface: eth1;
000 "S_NBM38_Client_0"[2]: dpd: action:restart; delay:30; timeout:120;
000 "S_NBM38_Client_0"[2]: newest ISAKMP SA: #10; newest IPsec SA: #0;
000 "S_NBM38_Client_0"[2]: IKE algorithms wanted: 5_000-1-2, flags=-strict
000 "S_NBM38_Client_0"[2]: IKE algorithms found: 5_192-1_128-2,
000 "S_NBM38_Client_0"[2]: IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "S_NBM38_Client_0"[2]: ESP algorithms wanted: 2_000-1, ; pfsgroup=2;
flags=-strict
000 "S_NBM38_Client_0"[2]: ESP algorithms loaded: 2_000-1, ; pfsgroup=2;
flags=-strict

000 #8: "S_NBM38_Client_0"[2] ppp.ppp.ppp.ppp:4500 STATE_MAIN_R3 (sent
MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28398s; nodpd
000 #9: "S_NBM38_Client_0"[2] ppp.ppp.ppp.ppp:4500 STATE_MAIN_R3 (sent
MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28424s; nodpd
000 #10: "S_NBM38_Client_0"[2] ppp.ppp.ppp.ppp:4500 STATE_MAIN_R3 (sent
MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28449s; newest ISAKMP;
nodpd
000 #6: "S_NBM38_Client_0"[2] ppp.ppp.ppp.ppp:4500 STATE_MAIN_R3 (sent
MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28348s; nodpd
000 #5: "S_NBM38_Client_0"[2] ppp.ppp.ppp.ppp:4500 STATE_MAIN_R3 (sent
MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28324s; nodpd
000 #7: "S_NBM38_Client_0"[2] ppp.ppp.ppp.ppp:4500 STATE_MAIN_R3 (sent
MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28373s; nodpd

8<-------------------------- snip -------------------------->8

For testing purposes, the client is behind a LinkSys WRT54GL v5 router
with LinkSys firmware rev 4.30.7. IPSec passthrough has been enabled.
The client is running XP SP2 with post-SP2 fixes applied, and the
Windows firewall (such as it is) is turned off.

Any ideas as to what I'm missing?


--
Lewis
------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC
Accountants / Network Consultants
New York / Northern Virginia www.2rosenthals.com
eComStation Consultants www.ecomstation.com
Novell Users Int'l www.novell.com/openenterpriseserver
Need a managed Wi-Fi hotspot? www.hautspot.com
------------------------------------------------------------
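As an added example (not part of the original post or of the Novell client), here is a small Python decoder for client-side ikelog excerpts like the ones above: it maps the logged encr=/hash=/auth= values, the Quick Mode proxy ID types and the "notify message type N" numbers to their RFC 2409, RFC 2407 and RFC 2408 names. The sample log lines are constructed from the post's excerpts and keep its placeholder addresses.

```python
import re

# RFC 2408 s.3.14.1 ISAKMP notify message types (the error subset)
NOTIFY_TYPES = {
    1: "INVALID-PAYLOAD-TYPE", 4: "INVALID-COOKIE", 7: "INVALID-EXCHANGE-TYPE",
    9: "INVALID-MESSAGE-ID", 11: "INVALID-SPI", 14: "NO-PROPOSAL-CHOSEN",
    16: "PAYLOAD-MALFORMED", 17: "INVALID-KEY-INFORMATION",
    18: "INVALID-ID-INFORMATION", 23: "INVALID-HASH-INFORMATION",
    24: "AUTHENTICATION-FAILED",
}
# RFC 2409 Appendix A attribute values behind the logged encr=/hash=/auth=
ENCR = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HASH = {1: "MD5", 2: "SHA1"}
AUTH = {1: "pre-shared key", 3: "RSA signatures"}
# RFC 2407 s.4.6.2.1 identification types used for Quick Mode proxy IDs
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 4: "ID_IPV4_ADDR_SUBNET"}

SA_RE = re.compile(r"encr=(\d+),hash=(\d+),auth=(\d+)")
PROXY_RE = re.compile(r"Sending proxy ID type (\d+) (\S+)")
# Matches the client's own (misspelled) wording so the "Unkown ..." echo line is not counted twice
NOTIFY_RE = re.compile(r"^(\S+ \S+ [AP]M) Recieved notify message type (\d+)")

def decode_ike_log(text):
    """Summarise one client-side ikelog: negotiated Phase 1 parameters, the
    Quick Mode proxy IDs offered, and every notify the peer sent, decoded."""
    out = {"phase1": None, "proxy_ids": [], "notifies": []}
    for line in text.splitlines():
        if m := SA_RE.search(line):
            e, h, a = (int(x) for x in m.groups())
            out["phase1"] = (ENCR.get(e, f"encr#{e}"), HASH.get(h, f"hash#{h}"),
                             AUTH.get(a, f"auth#{a}"))
        elif m := PROXY_RE.search(line):
            out["proxy_ids"].append((ID_TYPES.get(int(m[1]), f"type#{m[1]}"), m[2]))
        elif m := NOTIFY_RE.match(line):
            t = int(m[2])
            out["notifies"].append((m[1], t, NOTIFY_TYPES.get(t, f"type#{t}")))
    return out

# Constructed sample in the format of the ikelog.txt excerpts (placeholder addresses)
SAMPLE_LOG = """\
11-05-2006 10:28:08 AM IKE-SA is created. rekey time = 21600 encr=5,hash=2,auth=1,lifesec=28800
11-05-2006 10:28:08 AM *Sending proxy ID type 1 ccc.ccc.ccc.ccc
11-05-2006 10:28:08 AM *Sending proxy ID type 4 0.0.0.0/0.0.0.0
11-05-2006 10:28:08 AM Recieved notify message type 18 from sss.sss.sss.sss
11-05-2006 10:28:08 AM Error :Unkown notify message type 18 recieved from server
11-05-2006 10:28:13 AM Recieved notify message type 9 from sss.sss.sss.sss
11-05-2006 10:28:13 AM Error :Unkown notify message type 9 recieved from server
"""

if __name__ == "__main__":
    for key, value in decode_ike_log(SAMPLE_LOG).items():
        print(key, value)
```

Per RFC 2408, type 18 is INVALID-ID-INFORMATION and type 9 is INVALID-MESSAGE-ID, which is what the client reports as unknown in the excerpts.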