Application Note 10
IPSec Over Cellular using Digi Transport Routers - Pre-shared keys
UK Support, February 2010
Contents

1 Introduction
  1.1 Outline
  1.2 Assumptions
  1.3 Corrections
  1.4 Version
2 Digi WR41 VPN Initiator Configuration
  2.1 Inside Ethernet Interface
  2.2 Outside Cellular PPP Interface
  2.3 WR41 Wireless WAN (W-WAN) Module
  2.4 WR41 Phase 1 IKE
  2.5 WR41 Phase 2 IPSec
  2.6 WR41 Initiator Pre-shared Key
  2.7 WR41 Configure Packet Analyser for Debugging
3 DR6410 VPN Responder Configuration
  3.1 Inside LAN Ethernet Interface
  3.2 Outside ADSL PPP Interface
  3.3 DR6410 Phase 1 IKE
  3.4 DR6410 Phase 2 IPSEC
  3.5 DR6410 Initiator Pre-shared Key
4 Testing
  4.1 Successful connection from the initiator point of view
    4.1.1 Eventlog
    4.1.2 IPSEC Security Associations
5 Debugging
  5.1 Debug Failed Connection: Phase 2 - No Matching Eroute
  5.2 Debug Failed Connection: Phase 1 - Aggressive mode off
  5.3 Debug Failed Connection: Phase 1 - Preshared Key Incorrect
  5.4 Debug Failed Connection: Phase 1 - Algorithm unsupported
  5.5 IPSec Debug for Successful Connection
6 Configuration Files
  6.1 Sarian DR6410 Responder Configuration
  6.2 Sarian WR41 Initiator Configuration
  6.3 Sarian Firmware Versions

Figures

Figure 1-1: Overview Diagram
Figure 2-1: WR41 Ethernet 0 configuration
Figure 2-2: WR41 PPP 1 Configuration
Figure 2-3: WR41 W-WAN Module configuration
Figure 2-4: WR41 Phase 1 IKE
Figure 2-5: WR41 Phase 2 IPSec
Figure 2-6: WR41 Initiator Pre-shared Key
Figure 2-7: WR41 Packet Analyser for Debugging
Figure 3-1: DR6410 Ethernet 0 configuration
Figure 3-2: DR6410 ADSL Interface
Figure 3-3: DR6410 Phase 1 IKE
Figure 3-4: DR6410 Phase 2 IPSEC
Figure 3-5: DR6410 Pre-Shared Key
Figure 3-6: WR41 Packet Analyser for Debugging
Figure 4-1: WR41 Eventlog
Figure 4-2: DR6410 IPSec SAs
Figure 4-3: WR41 IPSec SAs
1 INTRODUCTION

1.1 Outline

This application note aims to enable the reader to easily configure an IPSec VPN tunnel between two local area networks using a Sarian at both ends of the tunnel. The diagram below details the IP number scheme and architecture of this example configuration.

Figure 1-1: Overview Diagram
1.2 Assumptions

This guide has been written for use by technically competent personnel with a good understanding of the communications technologies used in the product, and of the requirements for their specific application.

Configuration: This application note assumes that the WR41 will be connecting to a cellular network (i.e. GPRS, EDGE, 3G, HSDPA or HSUPA). Routers connecting to cellular networks are usually allocated a private IP address which is translated to a routable external internet IP at the border of the mobile network. In this case the IPSec mode needs to be aggressive mode with NAT-Traversal. The IPSec responder's IP address needs to be in the public address range and is either fixed or dynamic. In the latter case a dynamic DNS hostname will be required, because the IPSec initiator always needs to know where to connect.

This application note applies to:
Models shown: Digi Transport WR41 and DR6410 Mk2
Other compatible models: Digi Transport VC7400 VPN Concentrator, WR, SR or DR.
Firmware versions: All versions

Configuration: This application note assumes the devices are set to their factory default configurations. Most configuration commands are only shown if they differ from the factory default.

For the purpose of this application note the following applies: the IPSec responder router's IP address must be in the public address range and fully routable.

1.3 Corrections

Requests for corrections or amendments to this application note are welcome and should be addressed to: uksupport@digi.com
Requests for new application notes can be sent to the same address.

1.4 Version

Version Number: 3.0
Status: Published
2 DIGI WR41 VPN INITIATOR CONFIGURATION

As with all Digi Transport routers you have the option of configuring the IPSec parameters either via the web interface or by writing a new configuration file. We will show the web configuration in this application note. Only the parts of the configuration files that specifically relate to the configuration of this example will be explained in detail. (The configuration files used for this application note can be found in their entirety at the end of this document.)

2.1 Inside Ethernet Interface

CONFIGURATION > INTERFACES > ETHERNET > ETH 0 > CONFIGURE

First, configure the Ethernet interface with an IP and set up monitoring:

Parameter | Setting | Description
IP analysis: | On | Turn on analysis for this interface so we can troubleshoot if there are problems with the setup
IP address: | 10.1.63.254 | Enter the IP address of the LAN interface for the router

Figure 2-1: WR41 Ethernet 0 configuration

2.2 Outside Cellular PPP Interface

CONFIGURATION > INTERFACES > PPP > PPP 0-4 > PPP 1 > STANDARD
IPSec is enabled on the outgoing interface; in this example the outgoing interface is the cellular interface PPP 1. IP analysis is also enabled on this interface for use during the testing phase.

Parameter | Setting | Description
IP analysis: | On | Turn on analysis for this interface so we can troubleshoot if there are problems with the setup
IPSec: | On - Remove SAs when link down | Turn on IPSec on the interface

Figure 2-2: WR41 PPP 1 Configuration

2.3 WR41 Wireless WAN (W-WAN) Module

CONFIGURATION > INTERFACES > MOBILE > W-WAN MODULE > SIM n

Parameter | Setting | Description
APN | Your APN | Enter the APN of your mobile provider
PIN/Confirm PIN | Your PIN code | Enter the SIM PIN if required
Figure 2-3: WR41 W-WAN Module configuration

2.4 WR41 Phase 1 IKE

IKE is the first stage in establishing a secure link between two endpoints and has to be configured to match the settings on the VPN host Sarian. In this example 3DES and MD5 are used to encrypt and authenticate. Aggressive mode is enabled. MODP group 2 is used, meaning a 1024 bit key is used for the IKE Diffie-Hellman exchange. Set the IKE SAs to be removed when the IPSec SAs are removed. Set debug to very high, as this will help to see that everything has completed correctly when the two units build the VPN tunnel.

CONFIGURATION > VPN > IPSEC > IKE > IKE 0

Parameter | Setting | Description
Encryption algorithm: | 3DES | The encryption algorithm to be used for IKE exchanges over the IP connection
Authentication algorithm: | MD5 | The algorithm used to authenticate the IKE session
Aggressive mode: | ON | Aggressive mode is used in this example
IKE MODP group: | 2 (1024) | The key length used in the IKE Diffie-Hellman exchange
SA removal mode: | Remove IKE SA when last IPSEC SA removed | Choose this option
Debug Level: | Very High | This will allow for detailed debugging and can be turned off once you are happy that this is working
Figure 2-4: WR41 Phase 1 IKE

2.5 WR41 Phase 2 IPSec

Next configure the eroute (encrypted route). This will determine what traffic is routed to the remote network over the VPN. Most of the phase two IPSec configuration is done within this area.

NB: In Aggressive mode the Peer ID and the Our ID can be any alpha-numeric value as long as they correspond with the remote VPN router. They are also case sensitive.

CONFIGURATION > VPN > IPSEC > IPSEC EROUTES > EROUTE 0

Parameter | Setting | Description
Peer IP/hostname: | 213.152.58.85 | IP address of the VPN host machine
Peer ID: | Hostsarian | The ID of the VPN responder router (remote router)
Our ID: | Clientsarian | The ID of the VPN initiator router (this router)
Local subnet IP address: | 10.1.63.0 | Packets will be directed through this tunnel if the source and destination IP matches
Local subnet mask: | 255.255.255.0 | Subnet mask for the network
Remote subnet IP address: | 10.1.89.0 | Packets will be directed through this tunnel if the source and destination IP matches
Remote subnet mask: | 255.255.255.0 | Subnet mask for the network
ESP authentication algorithm: | MD5 | The IPSEC ESP authentication algorithm is MD5
ESP encryption algorithm: | 3DES | The IPSEC encryption algorithm to use is 3DES
Duration (kb): | 0 | This can be used to exchange keys more quickly if a certain amount of data is exchanged
No SA action: | Use IKE | We want to route matching packets over the VPN
Create SAs automatically: | Yes, route with matching interface | The router will try to set up the VPN automatically
Authentication method: | Preshared Keys | Preshared keys will be used for authentication
Display IKE lookup debug info: | Yes | This will provide error message detail in the analyser trace for debug and testing
Figure 2-5: WR41 Phase 2 IPSec
2.6 WR41 Initiator Pre-shared Key

CONFIGURATION > SECURITY > USERS > USERS 10-14 > USER 10

In this section the preshared key is set up. The preshared key is enabled by creating a username with the name of the remote peer (Peer ID from the eroute); the password is the preshared key.

Parameter | Setting | Description
Name: | responder | Name should match the Peer ID: value from Eroute 0
Password: | Test | Enter the password. In a production environment you will want to choose a more secure shared key than this
Confirm Password: | Test | Re-enter the password. In a production environment you will want to choose a more secure shared key than this
Access Level: | None | This user will not be granted any admin access as it is only used as a preshared key

Figure 2-6: WR41 Initiator Pre-shared Key
2.7 WR41 Configure Packet Analyser for Debugging

This is just to double check that the analyser is set up correctly. Remove any settings that do not match here.

DIAGNOSTICS > ANALYSER SETTINGS

Parameter | Setting | Description
Analyser | ON | Enable logging to the analyser trace
IKE: | IKE Debug | When this is ticked we will see IKE debug in the analyser trace
I-PAK: Max I-PAK size: | 1500 | We will then be able to collect most full sized packets
IP Source: | ETH 0 | Enable logging for this interface
IP source: | PPP 1 | Enable logging for this interface
IP filters: Ports: | ~500,4500 | Restrict the ports logged to only show IKE and IPSec

Figure 2-7: WR41 Packet Analyser for Debugging
3 DR6410 VPN RESPONDER CONFIGURATION

3.1 Inside LAN Ethernet Interface

First, configure the Ethernet interface with an IP and set up monitoring:

CONFIGURATION > INTERFACES > ETHERNET > ETH 0 > CONFIGURE

Parameter | Setting | Description
IP Analysis: | On | Turn on analysis for this interface so we can troubleshoot if there are problems with the setup
IP Address | Enter Interface IP | Enter the IP address of the LAN interface for the router

Figure 3-1: DR6410 Ethernet 0 configuration

3.2 Outside ADSL PPP Interface

In this example a DSL link is used; this link provides a static IP for the host Sarian. IPSec is enabled on this interface.

CONFIGURATION > INTERFACES > PPP > PPP 0-4 > PPP 1 > STANDARD

Parameter | Setting | Description
IP Analysis: | On | Turn on analysis for this interface so we can troubleshoot if there are problems with the setup
Username: | Username | ADSL access username
Password (Assigned): | Password | ADSL access password
Confirm Password | Password | Confirm ADSL access password
IPSec | On - Keep SAs when link down | Enable IPSec on the ADSL interface
Figure 3-2: DR6410 ADSL Interface

3.3 DR6410 Phase 1 IKE

CONFIGURATION > VPN > IPSEC > IKE > RESPONDER

Next configure the debug level and also check the responder IKE settings against the initiator's IKE 0 config. By default the responder IKE values are not restricted and should cover the values assigned in the initiator's IKE 0 config.

Parameter | Setting | Description
Debug Level: | Very High | This will allow for detailed debugging and can be turned off once you are happy that this is working

Figure 3-3: DR6410 Phase 1 IKE
3.4 DR6410 Phase 2 IPSEC

As this is the responder unit and the client doesn't have a static IP, due to connecting over a cellular network, we do not initiate the IPSec tunnel from this end, so there are three fewer items to configure here than on the initiator Sarian.

CONFIGURATION > IPSEC > IPSEC EROUTES > EROUTE 0-9 > EROUTE 0

Parameter | Setting | Description
Peer ID: | Initiator | ID of the VPN client machine
Our ID: | responder | ID of our machine
Local subnet IP address: | Local network address | Packets will be directed through this tunnel if the source and destination IP matches
Local subnet mask: | Local subnet address | Subnet mask for the network
Remote subnet IP address: | Remote network address | Packets will be directed through this tunnel if the source and destination IP matches
Remote subnet mask: | Remote subnet address | Subnet mask for the network
ESP authentication algorithm: | MD5 | The IPSEC ESP authentication algorithm is MD5
ESP encryption algorithm: | 3DES | The IPSEC encryption algorithm to use is 3DES
Duration (kb): | 0 | This can be used to exchange keys more quickly if a certain amount of data is exchanged
Authentication method: | Preshared Keys | Preshared keys will be used
Display IKE lookup debug info: | Yes | This will provide error message detail in the analyser trace for debug and testing
Figure 3-4: DR6410 Phase 2 IPSEC
3.5 DR6410 Initiator Pre-shared Key

In this section the preshared key is set up. It is created as a username whose name is the VPN ID of the remote peer (the Peer ID seen from the responder) and whose password is the preshared key.

CONFIGURATION > SECURITY > USERS > USER 10-19 > USER 10

Parameter | Setting | Description
Name: | initiator | Name should match the Peer ID: value from Eroute 0
Password: | Test | Enter the password. In a production environment you will want to choose a more secure shared key than this
Confirm Password: | Test | Re-enter the password. In a production environment you will want to choose a more secure shared key than this
Access Level: | None | This user will not be granted any admin access as it is only used as a preshared key

Figure 3-5: DR6410 Pre-Shared Key
Configure Analyser

This is just to double check that the analyser is set up correctly. Remove any settings that do not match here.

Parameter | Setting | Description
Analyser | ON | Enable logging to the analyser trace
IKE: | IKE Debug | When this is ticked we will see IKE debug in the analyser trace
I-PAK: Max I-PAK size: | 1500 | We will then be able to collect most full sized packets
IP Source: | ETH 0 | Enable logging for this interface
IP source: | PPP 1 | Enable logging for this interface
IP filters: Ports: | ~4500,500 | Restrict the ports logged to only show IKE and IPSec

Figure 3-6: WR41 Packet Analyser for Debugging
4 TESTING

4.1 Successful connection from the initiator point of view

4.1.1 Eventlog

The eventlog shows the events occurring within the operating system. Here you can see the cellular interface (PPP 1) establishing, followed by the VPN.

DIAGNOSTICS > EVENTLOG

Figure 4-1: WR41 Eventlog
4.1.2 IPSEC Security Associations

On successful connection you will see the IPSec SAs in both the Initiator and the Responder IPSec SAs list. Here you can see the peer IP, the remote and local networks, the authentication algorithm and the time left until keys are exchanged again.

DR6410:
DIAGNOSTICS > STATUS > IPSEC > IPSEC SAs > EROUTE 0-9 > EROUTE 0

Figure 4-2: DR6410 IPSec SAs

WR41:
DIAGNOSTICS > STATUS > IPSEC > IPSEC SAs

Figure 4-3: WR41 IPSec SAs
If the event log and the IPSec output show as above then you should be able to ping the LAN interface or a node on the remote network:

C:\Documents and Settings\XP>ping 10.1.89.254 -t

Pinging 10.1.89.254 with 32 bytes of data:

Reply from 10.1.89.254: bytes=32 time=2170ms TTL=249
Reply from 10.1.89.254: bytes=32 time=159ms TTL=249
Reply from 10.1.89.254: bytes=32 time=162ms TTL=249
Reply from 10.1.89.254: bytes=32 time=156ms TTL=249
Reply from 10.1.89.254: bytes=32 time=165ms TTL=249
Reply from 10.1.89.254: bytes=32 time=164ms TTL=249
Reply from 10.1.89.254: bytes=32 time=152ms TTL=249
Reply from 10.1.89.254: bytes=32 time=149ms TTL=249
Reply from 10.1.89.254: bytes=32 time=158ms TTL=249
Reply from 10.1.89.254: bytes=32 time=157ms TTL=249
Reply from 10.1.89.254: bytes=32 time=159ms TTL=249
Reply from 10.1.89.254: bytes=32 time=159ms TTL=249
Reply from 10.1.89.254: bytes=32 time=158ms TTL=249

Ping statistics for 10.1.89.254:
    Packets: Sent = 13, Received = 13, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 149ms, Maximum = 2170ms, Average = 312ms

The first ping may show a longer round trip time when the VPN has to be brought up as the first packet arrives.
5 DEBUGGING

5.1 Debug Failed Connection: Phase 2 - No Matching Eroute

When the Sarian attempts to bring up the eroute there can be a number of reasons for failure. The IPSec debug for a successful connection is shown in section 5.5. For this test we have changed the config given in this example with the following change on the initiator:

eroute 0 locip "10.1.64.0"

The corresponding line from the responder is:

eroute 0 remip "10.1.63.0"

When the connection fails the following error will be seen in the event log of both ends of the connection:

08:14:03, 22 Apr 2008,IKE SA Removed. Peer: responder,rx Delete Notification
08:14:03, 22 Apr 2008,IKE SA Removed. Peer: responder,rx Delete Notification
08:14:03, 22 Apr 2008,IKE Notification: No Proposal Chosen,RX
08:14:03, 22 Apr 2008,IKE Notification: Responder Lifetime,RX
08:14:03, 22 Apr 2008,New Phase 2 IKE Session 213.152.58.85,Initiator
08:14:02, 22 Apr 2008,IKE Keys Negotiated. Peer: responder
08:14:02, 22 Apr 2008,New Phase 1 IKE Session 213.152.58.85,Initiator
08:14:02, 22 Apr 2008,IKE Request Received From Eroute 0

Above is the connection from the initiator's end and below is the event log from the responder:

08:14:10, 22 Apr 2008,IKE SA Removed. Peer: initiator,successful Negotiation
08:14:10, 22 Apr 2008,IKE Notification: No Proposal Chosen,TX
08:14:10, 22 Apr 2008,IKE Notification: Initial Contact,RX
08:14:10, 22 Apr 2008,New Phase 2 IKE Session 212.183.136.195,Responder
08:14:09, 22 Apr 2008,IKE Keys Negotiated. Peer: initiator
08:14:09, 22 Apr 2008,New Phase 1 IKE Session 212.183.136.195,Responder

Note that in both you will see the message No Proposal Chosen: RX indicates received and TX indicates sent. In other words, if you only see this line:

08:14:10, 22 Apr 2008,IKE Notification: No Proposal Chosen,TX

it will be clear that you are looking at the responder. To find out why the responder rejected this communication the analyser trace needs to be set up.
If you have followed the instructions above you will have the analyser trace already configured. Please note that the communication, in this example, fails at phase 2: the keys are clearly indicated as having been negotiated, and this message can be seen in both event logs:
08:14:10, 22 Apr 2008,New Phase 2 IKE Session 213.152.58.85,Initiator
08:14:03, 22 Apr 2008,New Phase 2 IKE Session 212.183.136.195,Responder

To find out why phase 2 is failing we will need to look at the analyser logs: search for the line that includes the error code :ER <number>:. In this example we have the error:

----- 22-4-2008 08:14:03.490 ------ IKE DEBUG (21016):ER 0: remote IP outside traffic selector range

The line below this provides a better explanation of the error:

----- 22-4-2008 08:14:03.490 ------ IKE DEBUG (21016):Unable to locate eroute matching this negotiation

As can be seen from the config change, there is now an eroute mismatch between the initiator and responder routers, and the IPSec tunnel will not succeed until this is changed.

Please note that the number in brackets after IKE DEBUG, in this case (21016), will be found against all the logging entries for that particular event within the analyser trace. When there is more than one IPSec tunnel trying to start, being able to isolate the conversation using this sequence number is very handy indeed.

The relevant excerpt from the log is below, showing the responder trying to match the eroute and then failing to do so:

----- 22-4-2008 08:14:03.490 ------ IKE DEBUG (21016):Locating eroute matching this negotiation
----- 22-4-2008 08:14:03.490 ------ IKE DEBUG (21016):ER 0: remote IP outside traffic selector range
----- 22-4-2008 08:14:03.490 ------ IKE DEBUG (21016):Unable to locate eroute matching this negotiation
----- 22-4-2008 08:14:03.490 ------ IKE DEBUG (21016):No proposal chosen
----- 22-4-2008 08:14:03.490 ------ IKE DEBUG (21016):Sending IKE phase 2 notification
----- 22-4-2008 08:14:03.490 ------ IKE DEBUG (21016):Notification type (14) No Proposal Chosen
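The helper below is an added example written for this note (it is not Digi code). It parses the two log formats the note uses: it tells initiator from responder by the TX/RX of No Proposal Chosen, maps the event log signatures of sections 5.1 to 5.3 to the causes the note gives, pulls each :ER <number>: line and its explanation out of the analyser trace by the bracketed session number, and checks that the traffic selectors of two eroutes mirror each other. The sample lines and eroute values are constructed from the excerpts in this section.

```python
"""Triage helpers for the event log and analyser trace formats quoted in this
note (added example, not Digi code; sample lines are constructed from 5.1)."""
import ipaddress
import re
from collections import defaultdict

# Event log entry: "HH:MM:SS, DD Mon YYYY,message[,detail]"
EVENT_RE = re.compile(
    r"^\d\d:\d\d:\d\d, \d+ \w+ \d{4},(?P<msg>[^,]*)(?:,(?P<detail>.*))?$")
# Analyser trace entry, with or without the "----- date time ------" stamp and
# with or without the bracketed IKE session number after "IKE DEBUG"
TRACE_RE = re.compile(
    r"^(?:-{5} \S+ \S+ -{6}\s+)?IKE DEBUG(?: \((?P<sid>\d+)\))?:\s*(?P<msg>.*)$")
ER_RE = re.compile(r"^ER (?P<er>\d+): (?P<text>.*)$")

# (message, detail) pairs, lower-cased, that the note ties to a cause
SIGNATURES = {
    ("ike negotiation failed", "no password available"):
        "aggressive mode is off on this initiator (section 5.2)",
    ("ike negotiation failed", "authorisation failed"):
        "pre-shared key differs from the peer's (section 5.3)",
    ("ike notification: no proposal chosen", "rx"):
        "peer rejected our proposal; read the peer's analyser trace (section 5.1)",
    ("ike notification: no proposal chosen", "tx"):
        "we rejected the peer's proposal; find the ER line in our trace (section 5.1)",
}

def parse_event(line):
    """Return (message, detail) from an event log line, lower-cased, with any
    trailing 'Peer: <id>' removed from the message; None if it is not one."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg").split(". Peer:")[0]
    return msg.strip().lower(), (m.group("detail") or "").strip().lower()

def diagnose_events(lines):
    """Which end of the tunnel an event log excerpt came from, and which of the
    note's failure causes its messages point to."""
    role, causes = None, []
    for msg, detail in filter(None, map(parse_event, lines)):
        if msg.startswith("new phase") and detail in ("initiator", "responder"):
            role = detail                # the session line states the role outright
        elif msg == "ike notification: no proposal chosen":
            # TX: we sent the rejection (responder); RX: we received it (initiator)
            role = role or {"tx": "responder", "rx": "initiator"}.get(detail, role)
        cause = SIGNATURES.get((msg, detail))
        if cause and cause not in causes:
            causes.append(cause)
    return {"role": role, "causes": causes}

def trace_errors(lines):
    """Group trace entries by IKE session number and return each ':ER <n>:' line
    with the explanation line that follows it."""
    by_session = defaultdict(list)
    for m in filter(None, (TRACE_RE.match(l.strip()) for l in lines)):
        if m.group("sid"):
            by_session[int(m.group("sid"))].append(m.group("msg"))
    found = defaultdict(list)
    for sid, msgs in by_session.items():
        for i, er in ((i, ER_RE.match(msg)) for i, msg in enumerate(msgs)):
            if er:
                found[sid].append({"er": int(er.group("er")), "text": er.group("text"),
                                   "explanation": msgs[i + 1] if i + 1 < len(msgs) else ""})
    return dict(found)

def eroute_selectors_match(initiator, responder):
    """The initiator's local subnet must equal the responder's remote subnet and
    vice versa; returns a description of each mismatch (empty list = OK)."""
    problems = []
    for a, b in (("local", "remote"), ("remote", "local")):
        net_a = ipaddress.ip_network((initiator[a + "_ip"], initiator[a + "_mask"]), strict=False)
        net_b = ipaddress.ip_network((responder[b + "_ip"], responder[b + "_mask"]), strict=False)
        if net_a != net_b:
            problems.append(f"initiator {a} subnet {net_a} != responder {b} subnet {net_b}")
    return problems

# Constructed samples, copied from the section 5.1 excerpts
INITIATOR_EVENTLOG = [
    "08:14:03, 22 Apr 2008,IKE SA Removed. Peer: responder,rx Delete Notification",
    "08:14:03, 22 Apr 2008,IKE Notification: No Proposal Chosen,RX",
    "08:14:03, 22 Apr 2008,New Phase 2 IKE Session 213.152.58.85,Initiator",
]
RESPONDER_TRACE = [
    "----- 22-4-2008 08:14:03.490 ------ IKE DEBUG (21016):Locating eroute matching this negotiation",
    "----- 22-4-2008 08:14:03.490 ------ IKE DEBUG (21016):ER 0: remote IP outside traffic selector range",
    "----- 22-4-2008 08:14:03.490 ------ IKE DEBUG (21016):Unable to locate eroute matching this negotiation",
    "IKE DEBUG: Handling IKE packet",
]
# The deliberately mismatched eroutes of section 5.1 (initiator locip 10.1.64.0)
INITIATOR_EROUTE = {"local_ip": "10.1.64.0", "local_mask": "255.255.255.0",
                    "remote_ip": "10.1.89.0", "remote_mask": "255.255.255.0"}
RESPONDER_EROUTE = {"local_ip": "10.1.89.0", "local_mask": "255.255.255.0",
                    "remote_ip": "10.1.63.0", "remote_mask": "255.255.255.0"}

if __name__ == "__main__":
    print(diagnose_events(INITIATOR_EVENTLOG))
    print(trace_errors(RESPONDER_TRACE))
    print(eroute_selectors_match(INITIATOR_EROUTE, RESPONDER_EROUTE))
```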
5.2 Debug Failed Connection: Phase 1 - Aggressive mode off

Because the responder cannot, in this example, initiate a tunnel (the GPRS network is NATted behind an internet gateway, which prevents us from initiating communication to the initiator), we have to use aggressive mode. When aggressive mode is off you will see an error as below on the initiator:

08:56:06, 22 Apr 2008,IKE SA Removed. Peer:,Negotiation Failure
08:56:06, 22 Apr 2008,IKE Negotiation Failed. Peer:,No Password Available
08:56:06, 22 Apr 2008,IKE Request Received From Eroute 0

5.3 Debug Failed Connection: Phase 1 - Preshared Key Incorrect

Below is the event log from the initiator showing the response when the shared secret is wrong on one end:

09:11:42, 22 Apr 2008,IKE SA Removed. Peer: responder,negotiation Failure
09:11:42, 22 Apr 2008,IKE Negotiation Failed. Peer: responder,authorisation Failed
09:11:42, 22 Apr 2008,IKE Negotiation Failed. Peer:,Bad Packet
09:11:42, 22 Apr 2008,New Phase 1 IKE Session 213.152.58.85,Initiator
09:11:42, 22 Apr 2008,IKE Request Received From Eroute 0

To rectify this problem ensure that the password is the same on both ends: the responder needs a password for the initiator's ID, which in our example is set up on user 10.

5.4 Debug Failed Connection: Phase 1 - Algorithm unsupported

If any settings are removed from CONFIGURATION > VPN > IPSEC > IKE > RESPONDER then the initiator will need to use the right IKE encryption and authentication algorithm and IKE MODP group. For the purpose of this test the following change was made on the responder's config:

ike 0 rencalgs "AES,DES"

As the initiator is configured to use 3DES, the following will be seen in the initiator debug:

09:26:50, 22 Apr 2008,IKE Negotiation Failed. Peer:,Bad Packet
09:26:49, 22 Apr 2008,IKE Request Received From Eroute 0

In the responder analyser trace you will see the following after the initial IKE packet has been received:

----- 22-4-2008 09:28:40.020 ------ IKE DEBUG (21842): Checking attribute 1: Encryption algorithm
    Enc Alg: 1: 3DES
    Requested Alg. not supported
To resolve this, at the initiator end change the IKE encryption algorithm, or at the responder end add the encryption algorithm. Please note that the settings in the responder CONFIGURATION > VPN > IPSEC > IKE > RESPONDER and the initiator CONFIGURATION > VPN > IPSEC > IKE > IKE 0 should match. If they do not you will see errors in the Phase 1 negotiation as above.

5.5 IPSec Debug for Successful Connection

Below is a successful negotiation between the two test Sarians. This log is taken from the responder. Key elements are outlined below in bold to make it easier to see the steps in the communication.

IKE DEBUG: Handling IKE packet
IKE DEBUG: Locating IKE context
IKE DEBUG: Packet for new phase 1 session
IKE DEBUG: Preparing for new Phase 1 negotiation
IKE DEBUG (504):IKE context located. Local session ID: 0x504
IKE DEBUG (504):Checking packet
IKE DEBUG (504):Validating payloads
IKE DEBUG (504):Checking payload (1) SA
IKE DEBUG (504):Checking payload (4) Key Ex
IKE DEBUG (504):Checking payload (10) Nonce
IKE DEBUG (504):Checking payload (5) ID
IKE DEBUG (504):Checking payload (13) Vendor ID
IKE DEBUG (504):Checking payload (13) Vendor ID
IKE DEBUG (504):Checking payload (13) Vendor ID
IKE DEBUG (504):Checking payload (13) Vendor ID
IKE DEBUG (504):Packet payloads check out OK
IKE DEBUG (504):Packet type (4) Agressive mode
IKE DEBUG (504):IKE role Responder
IKE DEBUG (504):Handling aggressive mode packet and SA state is (0) IDLE
IKE DEBUG (504):Processing SA message
IKE DEBUG (504):Processing Vendor ID payloads
    af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00  Peer supports our version of DPD
IKE DEBUG (504):
    7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56  Peer supports our version of NAT traversal
IKE DEBUG (504):
    90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f  Peer supports our version of NAT traversal
IKE DEBUG (504):
    12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
IKE DEBUG (504):DH g_x length: 128
IKE DEBUG (504):Processing ID payload
IKE DEBUG: Decoding ID type 11 Key ID
IKE DEBUG: Decoded ID is initiator
IKE DEBUG (504):Checking next SA payload
IKE DEBUG (504):Checking SA proposals
IKE DEBUG (504):Checking proposal number 1
IKE DEBUG (504):Checking transform payloads. Expecting 1 transforms
IKE DEBUG (504):Transforms payloads OK
IKE DEBUG (504):Proposal payload OK
IKE DEBUG (504):SA payload valid
IKE DEBUG (504): Transform attributes
    Attribute 1: Encryption algorithm  Enc Alg: 5: 3DES
    Attribute 2: Hash algorithm  HASH alg: 1: MD5
    Attribute 3: Authentication method  Auth Method: 1: PRESHARED
    Attribute 4: DH group description  Maths group: 2: DH group 2
    Attribute 11: Life type  Life type (1) secs. Expecting life duration attribute next
    Attribute 12: Life duration  Life duration value 1260
IKE DEBUG (504):Selecting transform from proposal 1
    Checking transform attributes
IKE DEBUG (504): Checking attribute 1: Encryption algorithm  Enc Alg: 5: 3DES  Alg. is supported
IKE DEBUG (504): Checking attribute 2: Hash algorithm  HASH alg: 1: MD5  Alg. is supported
IKE DEBUG (504): Checking attribute 3: Authentication method  Auth Method: 1: PRESHARED  Method is supported
IKE DEBUG (504): Checking attribute 4: DH group description  Maths group: 2: DH group 2  Group is supported
IKE DEBUG (504): Checking attribute 11: Life type  Life type (1) secs. Expecting life duration attribute next
IKE DEBUG (504): Checking attribute 12: Life duration  Life duration value 1260
IKE DEBUG (504):Transform 1 has all required attributes
IKE DEBUG (504):Selected transform
IKE DEBUG (504):Retrieving password
IKE DEBUG: Decoding ID type 11 Key ID
IKE DEBUG: Decoded ID is initiator
IKE DEBUG (504):Password retrieved for ID initiator
IKE DEBUG (504):Requesting DH KE data from DH task
IKE DEBUG (504):Waiting on data from DH task
IKE DEBUG (504):IKE aggressive mode result 1
IKE DEBUG: IKE got data from DH task
IKE DEBUG (504):DH data for IKE ctx 0 in state IDLE
IKE DEBUG (504):Requesting DH shared secret from DH task
IKE DEBUG (504):Changing IKE SA state from IDLE to Awaiting DH data
----- 21-4-2008 15:51:01.320 ------ IKE DEBUG: IKE got data from DH task
----- 21-4-2008 15:51:01.320 ------ IKE DEBUG (504):DH data for IKE ctx 0 in state Awaiting DH data
----- 21-4-2008 15:51:01.320 ------ IKE DEBUG (504):Generating SKEYID
----- 21-4-2008 15:51:01.320 ------ IKE DEBUG (504):Generating SKEYID_d
----- 21-4-2008 15:51:01.320 ------ IKE DEBUG (504):Generating SKEYID_a
----- 21-4-2008 15:51:01.320 ------ IKE DEBUG (504):Generating SKEYID_e
----- 21-4-2008 15:51:01.320 ------ IKE DEBUG (504):Generating key material
----- 21-4-2008 15:51:01.320 ------ IKE DEBUG (504):IKE key material generated
----- 21-4-2008 15:51:01.320 ------ IKE DEBUG (504):Sending aggressive mode SA message
----- 21-4-2008 15:51:01.320 ------ IKE DEBUG: Adding proposal nb: 1, protocol ID: 1, spi size: 0, nb_transforms: 1
----- 21-4-2008 15:51:01.330 ------ IKE DEBUG (504): Transform attributes
    Attribute 1: Encryption algorithm  Enc Alg: 5: 3DES
    Attribute 2: Hash algorithm  HASH alg: 1: MD5
    Attribute 3: Authentication method  Auth Method: 1: PRESHARED
    Attribute 4: DH group description  Maths group: 2: DH group 2
    Attribute 11: Life type  Life type (1) secs. Expecting life duration attribute next
    Attribute 12: Life duration  Life duration value 1260
----- 21-4-2008 15:51:01.330 ------ IKE DEBUG: Adding SA payload header doi: 1, situation 1
----- 21-4-2008 15:51:01.330 ------ IKE DEBUG (504):ID generated
----- 21-4-2008 15:51:01.330 ------ IKE DEBUG (504):Create HASH using password 0
----- 21-4-2008 15:51:01.330 ------ IKE DEBUG: Adding Vendor ID payloads for use with DPD
----- 21-4-2008 15:51:01.330 ------ IKE DEBUG: Adding Vendor ID payloads for use with NAT traversal
----- 21-4-2008 15:51:01.330 ------ IKE DEBUG (504):Adding NATD payloads
----- 21-4-2008 15:51:01.330 ------ IKE DEBUG: Adding CISCO UNITY Vendor ID payload
----- 21-4-2008 15:51:01.330 ------ IKE DEBUG (504):Transmit IKE packet
----- 21-4-2008 15:51:01.330 ------ IKE DEBUG (504):Transmit to peer 212.183.134.66
----- 21-4-2008 15:51:01.330 ------
IP (Final) From LOC TO REM IFACE: PPP 1
45           IP Ver: 4  Hdr Len: 20
00           TOS: Routine  Delay: Normal  Throughput: Normal  Reliability: Normal
01 A1        Length: 417
01 D5        ID: 469
00 00        Frag Offset: 0  Congestion: Normal  May Fragment  Last Fragment
FA           TTL: 250
11           Proto: UDP
32 26        Checksum: 12838
58 60 D7 F6  Src IP: 213.152.58.85
D4 B7 86 42  Dst IP: 212.183.134.66
UDP:
01 F4        SRC Port: IKE (500)
A8 89        DST Port: ??? (43145)
01 8D        Length: 397
77 F8        Checksum: 30712
IKE:
DA 9B D0 78 EF 42 F6 85  I_CKY
F0 2F F2 B4 A6 23 F6 1F  R_CKY
01           Next Payload: SA (1)
10           Ver: 1.0
04           Type: 4
00           Flags:
00 00 00 00  ID: 0
00 00 01 85  Len: 389
04           Next Header: Key Ex (4)
0A           Next Header: Nonce (10)
05           Next Header: ID (5)
08           Next Header: Hash (8)
0D           Next Header: Vendor ID (13)
0D           Next Header: Vendor ID (13)
0D           Next Header: Vendor ID (13)
82           Next Header: NATD (130)
82           Next Header: NATD (130)
0D           Next Header: Vendor ID (13)
00           Next Header: None (0)

----- 21-4-2008 15:51:01.330 ------ IKE DEBUG (504):Changing IKE SA state from Awaiting DH data to PH1 sent KE

IP (In) From REM TO LOC IFACE: PPP 1
45           IP Ver: 4  Hdr Len: 20
00           TOS: Routine  Delay: Normal  Throughput: Normal  Reliability: Normal
00 7C        Length: 124
00 D0        ID: 208
00 00        Frag Offset: 0  Congestion: Normal  May Fragment  Last Fragment
E8           TTL: 232
11           Proto: UDP
46 50        Checksum: 18000
D4 B7 86 42  Src IP: 212.183.134.66
58 60 D7 F6  Dst IP: 213.152.58.85
UDP:
A9 50        SRC Port: ??? (43344)
11 94        DST Port: IKE FLOAT (4500)
00 68        Length: 104
00 00        Checksum: 0

IKE DEBUG: Handling IKE packet
IKE DEBUG: Locating IKE context
IKE DEBUG: Packet for existing negotiation
IKE DEBUG (504):Located SA for existing phase 1 negotiation
IKE DEBUG (504):IKE context located. Local session ID: 0x504
IKE DEBUG (504):Checking packet
IKE DEBUG (504):IKE decrypting packet
IKE DEBUG (504):Validating payloads
IKE DEBUG (504):Checking payload (8) Hash
IKE DEBUG (504):Checking payload (130) NATD IKE DEBUG (504):Checking payload (130) NATD IKE DEBUG (504):Packet payloads check out OK IKE DEBUG (504):Packet type (4) Agressive mode IKE DEBUG (504):IKE role Responder IKE DEBUG (504):Handling aggressive mode packet and SA state is (3) PH1 sent KE IKE DEBUG (504):Processing agressive mode HASH message IKE DEBUG (504):Processing NATD payloads IKE DEBUG (504):HASH's same, we are not behind a NAT box IKE DEBUG (504):Remote is behind a NAT box IKE DEBUG (504):Verifying phase 1 HASH payload IKE DEBUG (504):Phase 1 agressive mode negotiation completed successfully IKE DEBUG (504):Changing IKE SA state from PH1 sent KE to PH1 complete IKE DEBUG (504):Saving completed phase 1 negotiation local ID: 0x1f8 IKE DEBUG (504):Send IKE lifetime (1200) notification to peer IKE DEBUG (504):IKE aggressive mode result 0 IKE DEBUG (504):Resetting IKE context 0 Page 34
IKE DEBUG (504):Retaining completed phase 1 SA local ID: 0x1f8 IKE DEBUG: IKE request to send LIFETIME notification IKE DEBUG (504):Prepare for new Phase 2 negotiation IKE DEBUG (505):New phase 2 session IKE DEBUG: Got new phase 2 session ID: 0xb6031922 IKE DEBUG (505):Changing IKE SA state from PH1 complete to PH2 Initial IKE DEBUG (505):Encrypting IKE packet ----- 21-4-2008 15:51:01.730 ------ IKE DEBUG: send LIFETIME notification lifetime 1200 ----- 21-4-2008 15:51:01.730 ------ IKE DEBUG (505):Transmit IKE packet ----- 21-4-2008 15:51:01.730 ------ IKE DEBUG (505):Transmit to peer 212.183.134.66 ----- 21-4-2008 15:51:01.730 ------ 45 00 00 74 01 D6 00 00 FA 11 33 52 58 60 D7 F6 E..t.Ö...3RX. ö D4 B7 86 42 11 94 A9 50 00 60 00 00 00 00 00 00 Ô. B..P... DA 9B D0 78 EF 42 F6 85 F0 2F F2 B4 A6 23 F6 1F Ú Ðx.Bö..ò..ö. 08 10 05 01 B6 03 19 22 00 00 00 54 C9 3F 4C 5B......T..L. 20 94 00 95 CE 00 C2 70 70 69 53 41 BA C9 23 65.. Î..ppiSA...e 55 2E AA 17 A7 73 EC A6 E3 05 5D 97 B9 7E C7 E3 U...s..ã.....ã 1C 74 F3 44 13 6B BF 7E F5 47 16 8D 1B 2B 9A 1B.tóD.k...G...š. A9 08 21 46...F IP (Final) From LOC TO REM IFACE: PPP 1 45 IP Ver: 4 Hdr Len: 20 00 TOS: Routine Delay: Normal Throughput: Normal Reliability: Normal 00 74 Length: 116 01 D6 ID: 470 00 00 Frag Offset: 0 Congestion: FA TTL: 250 11 Proto: UDP Normal May Fragment Last Fragment Page 35
33 52 Checksum: 13138 58 60 D7 F6 Src IP: 213.152.58.85 D4 B7 86 42 Dst IP: 212.183.134.66 UDP: 11 94 SRC Port: IKE FLOAT (4500) A9 50 DST Port:??? (43344) 00 60 Length: 96 00 00 Checksum: 0 ----- 21-4-2008 15:51:01.730 ------ IKE DEBUG (505):Resetting IKE context 50 ----- 21-4-2008 15:51:01.730 ------ IKE DEBUG (505):Removing IKE SA ----- 21-4-2008 15:51:01.840 ------ 45 00 00 D4 00 D1 00 00 E8 11 45 F7 D4 B7 86 42 E..Ô.Ñ..è.E Ô. B 58 60 D7 F6 A9 50 11 94 00 C0 00 00 00 00 00 00 X. ö.p.... DA 9B D0 78 EF 42 F6 85 F0 2F F2 B4 A6 23 F6 1F Ú Ðx.Bö..ò..ö. 08 10 20 01 21 23 EE 6C 00 00 00 B4 FF 41 AC 5B...îl....A.. BA 92 49 50 12 9A 60 D0 E3 E9 4D F9 F2 53 B8 D6. IP.š.ÐãéMùòS.Ö 71 A3 F3 A9 28 44 D5 CA 7B 74 6B 4E DE CF D3 C5 q.ó..dõ..tknþïó. 9D BF 92 89 B6 6F F1 48 5B FB 9A 84 16 54 73 DA. oñh.ûš.tsú 4B 8D 09 A2 20 D0 DD 36 10 23 64 EB 1C E7 1C AE K...ÐÝ6..dë.ç.. 2B 33 69 D8 B1 E5 EB E9 DD 6F 6C DA BA 0E AD AE.3iرåëéÝolÚ... 08 08 B8 F5 B5 11 32 AC 74 11 FE F6 C4 47 49 38...µ.2.t.þö.GI8 9C A6 28 B4 40 2F F5 19 37 B1 16 AC 51 8C E8 46 œ.....7±..qœèf 79 71 A3 7E 98 0A B9 C0 AE 2E 0F 1F 86 8A E3 36 yq..... Šã6 54 F4 82 EF EE 16 F0 42 E5 12 16 B1 73 53 39 CC Tô..î..Bå..±sS9. C5 EB 65 1C.ëe. IP (In) From REM TO LOC IFACE: PPP 1 45 IP Ver: 4 Hdr Len: 20 00 TOS: Routine Delay: Normal Throughput: Normal Reliability: Normal 00 D4 Length: 212 00 D1 ID: 209 00 00 Frag Offset: 0 Congestion: Normal May Fragment Last Fragment E8 TTL: 232 11 Proto: UDP 45 F7 Checksum: 17911 D4 B7 86 42 Src IP: 212.183.134.66 58 60 D7 F6 Dst IP: 213.152.58.85 UDP: A9 50 SRC Port:??? (43344) 11 94 DST Port: IKE FLOAT (4500) 00 C0 Length: 192 00 00 Checksum: 0 Page 36
----- 21-4-2008 15:51:01.840 ------
IKE DEBUG: Handling IKE packet
----- 21-4-2008 15:51:01.840 ------
IKE DEBUG: Locating IKE context
----- 21-4-2008 15:51:01.840 ------
IKE DEBUG: Packet for existing negotiation
----- 21-4-2008 15:51:01.840 ------
IKE DEBUG: Packet for unknown phase 2 negotiation
----- 21-4-2008 15:51:01.840 ------
IKE DEBUG: Packet for new phase 2 negotiation
----- 21-4-2008 15:51:01.840 ------
IKE DEBUG (504):Prepare for new Phase 2 negotiation
----- 21-4-2008 15:51:01.840 ------
IKE DEBUG (506):New phase 2 session
----- 21-4-2008 15:51:01.840 ------
IKE DEBUG (506):Changing IKE SA state from PH1 complete to PH2 Initial
----- 21-4-2008 15:51:01.840 ------
IKE DEBUG (506):IKE context located. Local session ID: 0x506
----- 21-4-2008 15:51:01.840 ------
IKE DEBUG (506):Checking packet
----- 21-4-2008 15:51:01.840 ------
IKE DEBUG (506):IKE decrypting packet
IKE DEBUG (506):Validating payloads
IKE DEBUG (506):Checking payload (8) Hash
IKE DEBUG (506):Checking payload (1) SA
IKE DEBUG (506):Checking payload (10) Nonce
IKE DEBUG (506):Checking payload (5) ID
IKE DEBUG (506):Checking payload (5) ID
IKE DEBUG (506):Checking payload (11) Notify
IKE DEBUG (506):Packet payloads check out OK
IKE DEBUG (506):Packet type (32) Quick mode
IKE DEBUG (506):IKE role Responder
IKE DEBUG (506):Handling quick mode packet and SA state is (6) PH2 Initial
IKE DEBUG (506):Process phase 2 SA message
IKE DEBUG (506):Checking phase 2 HASH payload
IKE DEBUG (506):HASH payload valid
IKE DEBUG (506):Handling NOTIFY payload with message type 24578
IKE DEBUG (506):Checking next SA payload
IKE DEBUG (506):Checking SA proposals
IKE DEBUG (506):Checking proposal number 1
IKE DEBUG (506):Checking transform payloads. Expecting 1 transforms
IKE DEBUG (506):Transforms payloads OK
IKE DEBUG (506):Proposal payload OK
IKE DEBUG (506):SA payload valid
IKE DEBUG (506): Phase 2 proposal 1
  Proposal has 1 transforms
  IPSec Protocol ID 3: ESP
  ESP Alg: 3: 3DES
  Attribute (4) Mode
  Mode: 61443:???
  Attribute (5) Authentication Algorithm
  Auth Alg: 1 MD5
  Attribute (1) Life type
  Life type (1) secs. Expecting life duration attribute next
  Attribute (2) Life duration
  Life duration value 1200
IKE DEBUG (506):Selecting transform from proposal 1
  Select from 1 tranforms
IKE DEBUG (506):IPSec Protocol ID 3: ESP
  ESP Alg: 3: 3DES
  Alg. is supported
IKE DEBUG (506):Checking attribute (4) Mode
  Mode: 61443: UDP Tunnel
IKE DEBUG (506):Checking attribute (5) Authentication Algorithm
  Auth Alg: 1 MD5
  Alg. is supported
IKE DEBUG (506):Checking attribute (1) Life type
  Life type (1) secs. Expecting life duration attribute next
IKE DEBUG (506):Checking attribute (2) Life duration
  Life duration value 1200
IKE DEBUG (506):Transform 1 has all required transform attributes
IKE DEBUG (506):Getting remote subnet details
  ID type 4 len 8
  Subnet mask is 255.255.255.0
  Subnet IP is 10.1.63.0
IKE DEBUG (506):Getting local subnet details
  ID type 4 len 8
  Subnet mask is 255.255.255.0
  Subnet IP is 10.1.89.0
IKE DEBUG (506):Locating eroute matching this negotiation
IKE DEBUG (506):Located eroute 0 our ID: responder
IKE DEBUG (506):Sending phase 2 SA reply
IKE DEBUG: Got IPSec spi 0xcd861411
IKE DEBUG: Adding proposal nb: 1, protocol ID: 3, spi size: 4, nb_transforms: 1
IKE DEBUG (506): Phase 2 proposal 1
  Proposal has 1 transforms
  IPSec Protocol ID 3: ESP
  ESP Alg: 3: 3DES
  Attribute (4) Mode
  Mode: 61443:???
  Attribute (5) Authentication Algorithm
  Auth Alg: 1 MD5
  Attribute (1) Life type
  Life type (1) secs. Expecting life duration attribute next
  Attribute (2) Life duration
  Life duration value 1200
IKE DEBUG (506):Sending phase 2 SA message
IKE DEBUG: Adding SA payload header doi: 1, situation 1
IKE DEBUG (506):Not doing PFS. KE payload not required
IKE DEBUG (506):Adding remote subnet details
IKE DEBUG (506):Adding subnet ID IP: 10.1.63.0 MASK: 255.255.255.0
IKE DEBUG (506):Adding local subnet details
IKE DEBUG (506):Adding subnet ID IP: 10.1.89.0 MASK: 255.255.255.0
IKE DEBUG (506):Encrypting IKE packet
----- 21-4-2008 15:51:01.860 ------
IKE DEBUG (506):Transmit IKE packet
----- 21-4-2008 15:51:01.860 ------
IKE DEBUG (506):Transmit to peer 212.183.134.66
----- 21-4-2008 15:51:01.860 ------
45 00 00 D4 01 D7 00 00 FA 11 32 F1 58 60 D7 F6
D4 B7 86 42 11 94 A9 50 00 C0 00 00 00 00 00 00
DA 9B D0 78 EF 42 F6 85 F0 2F F2 B4 A6 23 F6 1F
08 10 20 01 21 23 EE 6C 00 00 00 B4 38 48 65 39
5C 59 51 4C 4E 49 18 B3 D0 FF 77 9F 72 13 9F 13
C1 33 C5 71 83 1B 6B AD E4 57 BB 0C 8C 23 82 CD
B6 39 13 4F FC C8 7D 23 32 16 97 E5 2A D4 AB 32
F1 89 EB 1F 93 12 31 3B 35 31 00 26 36 B9 07 E5
4E 01 97 58 8A BA A8 56 A3 29 AB 7C 94 DA 80 20
D1 8C 62 0F 42 E4 6E 3B 5F 7F 28 02 43 7C 6B EF
F2 A7 98 04 06 C0 B1 5C 79 4E 80 41 75 C9 0B 48
9F 2C 65 CC 17 5C 36 F1 41 81 56 88 B2 26 F5 67
AA C0 25 D7 97 1C B6 5E F9 E0 3C 8E C6 B1 13 9E
6C 31 0A F4

IP (Final) From LOC TO REM IFACE: PPP 1
45           IP Ver: 4
             Hdr Len: 20
00           TOS: Routine
             Delay: Normal
             Throughput: Normal
             Reliability: Normal
00 D4        Length: 212
01 D7        ID: 471
00 00        Frag Offset: 0
             Congestion: Normal
             May Fragment
             Last Fragment
FA           TTL: 250
11           Proto: UDP
32 F1        Checksum: 13041
58 60 D7 F6  Src IP: 213.152.58.85
D4 B7 86 42  Dst IP: 212.183.134.66
UDP:
11 94        SRC Port: IKE FLOAT (4500)
A9 50        DST Port: ??? (43344)
00 C0        Length: 192
00 00        Checksum: 0
----- 21-4-2008 15:51:01.860 ------
IKE DEBUG (506):Changing IKE SA state from PH2 Initial to PH2 sent SA
----- 21-4-2008 15:51:01.860 ------
IKE DEBUG (506):IKE quick mode result 1
----- 21-4-2008 15:51:02.030 ------
45 00 00 54 00 D2 00 00 E8 11 46 76 D4 B7 86 42
58 60 D7 F6 A9 50 11 94 00 40 00 00 00 00 00 00
DA 9B D0 78 EF 42 F6 85 F0 2F F2 B4 A6 23 F6 1F
08 10 20 01 21 23 EE 6C 00 00 00 34 6A 5B 2B A5
E7 F0 84 34 A4 06 8D 15 01 9D D9 31 FA BC 31 16
55 7C 94 A4

IP (In) From REM TO LOC IFACE: PPP 1
45           IP Ver: 4
             Hdr Len: 20
00           TOS: Routine
             Delay: Normal
             Throughput: Normal
             Reliability: Normal
00 54        Length: 84
00 D2        ID: 210
00 00        Frag Offset: 0
             Congestion: Normal
             May Fragment
             Last Fragment
E8           TTL: 232
11           Proto: UDP
46 76        Checksum: 18038
D4 B7 86 42  Src IP: 212.183.134.66
58 60 D7 F6  Dst IP: 213.152.58.85
UDP:
A9 50        SRC Port: ??? (43344)
11 94        DST Port: IKE FLOAT (4500)
00 40        Length: 64
00 00        Checksum: 0
----- 21-4-2008 15:51:02.030 ------
IKE DEBUG: Handling IKE packet
----- 21-4-2008 15:51:02.030 ------
IKE DEBUG: Locating IKE context
----- 21-4-2008 15:51:02.030 ------
IKE DEBUG: Packet for existing negotiation
----- 21-4-2008 15:51:02.030 ------
IKE DEBUG (506):Located SA for existing phase 2 negotiation
----- 21-4-2008 15:51:02.030 ------
IKE DEBUG (506):IKE context located. Local session ID: 0x506
----- 21-4-2008 15:51:02.030 ------
IKE DEBUG (506):Checking packet
----- 21-4-2008 15:51:02.030 ------
IKE DEBUG (506):IKE decrypting packet
----- 21-4-2008 15:51:02.040 ------
IKE DEBUG (506):Validating payloads
----- 21-4-2008 15:51:02.040 ------
IKE DEBUG (506):Checking payload (8) Hash
----- 21-4-2008 15:51:02.040 ------
IKE DEBUG (506):Packet payloads check out OK
----- 21-4-2008 15:51:02.040 ------
IKE DEBUG (506):Packet type (32) Quick mode
----- 21-4-2008 15:51:02.040 ------
IKE DEBUG (506):IKE role Responder
----- 21-4-2008 15:51:02.040 ------
IKE DEBUG (506):Handling quick mode packet and SA state is (7) PH2 sent SA
----- 21-4-2008 15:51:02.040 ------
IKE DEBUG (506):Processing HASH reply message
----- 21-4-2008 15:51:02.040 ------
IKE DEBUG (506):Phase 2 negotiation completed successfully
----- 21-4-2008 15:51:02.040 ------
IKE DEBUG (506):Preparing to create IPSec SA's
----- 21-4-2008 15:51:02.040 ------
IKE DEBUG (506):Generating IPSec key material
----- 21-4-2008 15:51:02.040 ------
IKE DEBUG (506):40 bytes of key material required
----- 21-4-2008 15:51:02.040 ------
IKE DEBUG (506):Changing IKE SA state from PH2 sent SA to PH2 complete
----- 21-4-2008 15:51:02.040 ------
IKE DEBUG (506):IKE quick mode result 1
----- 21-4-2008 15:51:04.050 ------
IKE DEBUG (506):IKE SA timed out
----- 21-4-2008 15:51:04.050 ------
IKE DEBUG: Resetting IKE context 0
----- 21-4-2008 15:51:04.050 ------
IKE DEBUG (506):Removing IKE SA
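The trace above ends with both phases complete: aggressive mode phase 1 (the remote peer is behind NAT, so IKE floats from UDP 500 to UDP 4500), then quick mode phase 2 agreeing ESP with 3DES, HMAC-MD5, UDP-encapsulated tunnel mode, a 1200 second lifetime and no PFS; the 40 bytes of key material are a 24 byte 3DES key plus a 16 byte HMAC-MD5 key. The following Python script is an added example, not code from the application note or from Digi: it extracts those facts from a trace of this form and flags the settings a security review should question. The sample trace is a constructed subset of the lines above; the regular expressions and the assessment rules are this example's own.

```python
"""Summarise what a Digi TransPort IKE debug trace actually negotiated.

Added example, not part of the application note or of Digi's firmware.
The regular expressions target the "IKE DEBUG (nnn):..." lines shown in
section 5.5; the assessment rules are this example's own.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: a subset of the lines from the trace above, with the
# continuation lines of the proposal dump joined to their "IKE DEBUG" line.
SAMPLE_TRACE = """\
IKE DEBUG (504):Packet type (4) Agressive mode
IKE DEBUG (504):IKE role Responder
IKE DEBUG (504):HASH's same, we are not behind a NAT box
IKE DEBUG (504):Remote is behind a NAT box
IKE DEBUG (504):Changing IKE SA state from PH1 sent KE to PH1 complete
IKE DEBUG (506):Packet type (32) Quick mode
IKE DEBUG (506): Phase 2 proposal 1 Proposal has 1 transforms IPSec Protocol ID 3: ESP ESP Alg: 3: 3DES Attribute (4) Mode Mode: 61443:???
IKE DEBUG (506):Checking attribute (4) Mode Mode: 61443: UDP Tunnel
IKE DEBUG (506):Checking attribute (5) Authentication Algorithm Auth Alg: 1 MD5 Alg. is supported
IKE DEBUG (506):Checking attribute (2) Life duration Life duration value 1200
IKE DEBUG (506):Located eroute 0 our ID: responder
IKE DEBUG (506):Not doing PFS. KE payload not required
IKE DEBUG (506):Changing IKE SA state from PH2 sent SA to PH2 complete
IKE DEBUG (506):40 bytes of key material required
"""

# Key sizes behind the "bytes of key material required" line (assumed
# fixed-length ciphers only; AES would need the key-length attribute).
ENC_KEY_BYTES = {"DES": 8, "3DES": 24}
AUTH_KEY_BYTES = {"MD5": 16, "SHA1": 20}


def _first(pattern: str, text: str, default: str = "") -> str:
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else default


def expected_keymat(enc: str, auth: str) -> Optional[int]:
    """Bytes of ESP key material one SA direction needs for enc+auth."""
    if enc in ENC_KEY_BYTES and auth in AUTH_KEY_BYTES:
        return ENC_KEY_BYTES[enc] + AUTH_KEY_BYTES[auth]
    return None


def parse_trace(text: str) -> Dict[str, Any]:
    """Pull the negotiation outcome out of a TransPort IKE debug trace."""
    transitions: List[Tuple[str, str]] = re.findall(
        r"Changing IKE SA state from (.+?) to (.+?)\s*$", text, re.MULTILINE)
    life = _first(r"Life duration value (\d+)", text)
    keymat = _first(r"(\d+) bytes of key material required", text)
    eroute = re.search(r"Located eroute (\d+) our ID: (\w+)", text)
    return {
        "role": _first(r"IKE role (\w+)", text),
        # The firmware spells it "Agressive" in some lines; accept either.
        "phase1_aggressive": bool(re.search(r"Packet type \(4\) Ag+ressive mode", text)),
        "remote_behind_nat": "Remote is behind a NAT box" in text,
        "esp_enc": _first(r"ESP Alg: \d+: (\w+)", text),
        "esp_auth": _first(r"Auth Alg: \d+ (\w+)", text),
        # Only the resolved "Mode: 61443: UDP Tunnel" matches; the raw
        # proposal dump's "Mode: 61443:???" has no space and is skipped.
        "encap_mode": _first(r"Mode: \d+: (.+?)\s*$", text),
        "lifetime_s": int(life) if life else None,
        # None means the trace did not say either way.
        "pfs": False if "Not doing PFS" in text else None,
        "keymat_bytes": int(keymat) if keymat else None,
        "eroute": (int(eroute.group(1)), eroute.group(2)) if eroute else None,
        "transitions": transitions,
        "phase1_complete": any(t[1] == "PH1 complete" for t in transitions),
        "phase2_complete": any(t[1] == "PH2 complete" for t in transitions),
    }


def assess(facts: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Flag negotiated settings a security review should question."""
    findings: List[Tuple[str, str]] = []
    if facts["phase1_aggressive"]:
        findings.append(("AGGRESSIVE_MODE",
                         "IKEv1 aggressive mode sends the identities and the "
                         "responder's HASH_R in the clear; with pre-shared keys "
                         "a captured exchange allows offline brute force of the PSK."))
    if facts["esp_enc"] == "3DES":
        findings.append(("LEGACY_ENC", "ESP uses 3DES, a 64-bit block cipher; prefer AES."))
    if facts["esp_auth"] == "MD5":
        findings.append(("LEGACY_AUTH", "ESP integrity uses HMAC-MD5; prefer SHA-2."))
    if facts["pfs"] is False:
        findings.append(("NO_PFS",
                         "No PFS: phase 2 keys derive from the phase 1 secret alone, "
                         "so a compromised phase 1 exposes every child SA under it."))
    return findings


if __name__ == "__main__":
    f = parse_trace(SAMPLE_TRACE)
    for k, v in f.items():
        print(f"{k:>18}: {v}")
    for code, why in assess(f):
        print(f"[{code}] {why}")
```

Run it against a full `ana` capture with `ikeon ON` and `deblevel 4` as configured in section 6; the state transitions list is the quickest way to see where a failed negotiation stopped, and the findings list is what to hand back when the tunnel is reviewed rather than merely debugged.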
6 CONFIGURATION FILES

6.1 Sarian DR6410 Responder Configuration

This is the configuration file from VPN Responder DR6410:

eth 0 IPaddr "10.1.89.254"
eth 0 bridge ON
eth 0 ipanon ON
lapb 0 ans OFF
lapb 0 tinact 120
lapb 1 tinact 120
lapb 3 dtemode 0
lapb 4 dtemode 0
lapb 5 dtemode 0
lapb 6 dtemode 0
def_route 0 ll_ent "ppp"
def_route 0 ll_add 1
def_route 1 ll_ent "PPP"
def_route 1 ll_add 3
def_route 2 ll_ent "PPP"
def_route 2 ll_add 4
eroute 0 peerid "initiator"
eroute 0 ourid "responder"
eroute 0 locip "10.1.89.0"
eroute 0 locmsk "255.255.255.0"
eroute 0 remip "10.1.63.0"
eroute 0 remmsk "255.255.255.0"
eroute 0 ESPauth "MD5"
eroute 0 ESPenc "3DES"
eroute 0 lkbytes 0
eroute 0 authmeth "PRESHARED"
eroute 0 debug ON
dhcp 0 IPmin "192.168.0.1"
dhcp 0 mask "255.255.255.0"
dhcp 0 gateway "192.168.0.99"
dhcp 0 DNS "192.168.0.99"
dhcp 0 wifionly ON
ppp 0 timeout 300
ppp 1 IPaddr "0.0.0.0"
ppp 1 username "your ADSL username"
ppp 1 epassword "PTJ5WU1NRFM="
ppp 1 timeout 0
ppp 1 aodion 1
ppp 1 immoos ON
ppp 1 autoassert 1
ppp 1 ipsec 2
ppp 1 echo 10
ppp 1 echodropcnt 5
ppp 1 l1iface "AAL"
ppp 1 ipanon ON
ppp 3 l_pap OFF
ppp 3 l_chap OFF
ppp 3 l_addr ON
ppp 3 r_chap OFF
ppp 3 r_addr OFF
ppp 3 IPaddr "0.0.0.0"
ppp 3 username "ENTER WWAN Username"
ppp 3 epassword "KD5lSVJDVVg="
ppp 3 phonenum "*98*1#"
ppp 3 timeout 0
ppp 3 use_modem 1
ppp 3 aodion 1
ppp 3 immoos ON
ppp 3 autoassert 1
ppp 3 defpak 16
ppp 4 l_acfc ON
ppp 4 l_pfc ON
ppp 4 IPaddr "1.2.3.5"
ppp 4 IPmin "10.10.10.0"
ppp 4 username "Enter PSTN Username"
ppp 4 timeout 60
ppp 4 use_modem 3
ppp 4 defpak 16
ike 0 deblevel 4
modemcc 0 info_asy_add 9
modemcc 0 init_str "+CGQREQ=1"
modemcc 0 init_str1 "+CGQMIN=1"
modemcc 0 apn "Your.APN.Goes.Here"
modemcc 0 link_retries 10
modemcc 0 stat_retries 30
modemcc 0 sms_interval 1
modemcc 0 init_str_2 "+CGQREQ=1"
modemcc 0 init_str1_2 "+CGQMIN=1"
modemcc 0 apn_2 "Your.APN.Goes.Here"
modemcc 0 link_retries_2 10
modemcc 0 stat_retries_2 30
modemcc 0 sms_interval_2 1
ana 0 anon ON
ana 0 l1on ON
ana 0 lapdon 0
ana 0 asyon 1
ana 0 ipfilt "~500,4500"
ana 0 ikeon ON
ana 0 maxdata 1500
ana 0 logsize 45
cmd 0 unitid "ss%s>"
cmd 0 cmdnua "99"
cmd 0 hostname "sarian.router"
cmd 0 tremto 1200
cmd 0 web_suffix ".wb2"
user 1 name "jules"
user 1 epassword "Mip6CVY="
user 1 access 0
user 2 access 0
user 3 access 0
user 4 access 0
user 5 access 0
user 6 access 0
user 7 access 0
user 8 access 0
user 9 access 0
user 10 name "initiator"
user 10 epassword "LDplTg=="
user 10 access 4
local 0 transaccess 2
sslsvr 0 certfile "cert01.pem"
sslsvr 0 keyfile "privrsa.pem"
ssh 0 hostkey1 "privssh.pem"
ssh 0 nb_listen 5
ssh 0 v1 OFF
wifi 0 enabled OFF
wifi 0 ssid "sarian.router.sn:%s"
wifi 1 enabled OFF

6.2 Sarian WR41 Initiator Configuration

This is the configuration file from VPN Client HR4110 (the WR41 initiator):

eth 0 IPaddr "10.1.63.254"
eth 0 ipanon ON
lapb 0 ans OFF
lapb 0 tinact 120
lapb 1 tinact 120
lapb 3 dtemode 0
lapb 4 dtemode 0
lapb 5 dtemode 0
lapb 6 dtemode 0
def_route 0 ll_ent "ppp"
def_route 0 ll_add 1
eroute 0 peerip "213.152.58.85"
eroute 0 peerid "responder"
eroute 0 ourid "initiator"
eroute 0 locip "10.1.63.0"
eroute 0 locmsk "255.255.255.0"
eroute 0 remip "10.1.89.0"
eroute 0 remmsk "255.255.255.0"
eroute 0 ESPauth "MD5"
eroute 0 ESPenc "3DES"
eroute 0 lkbytes 0
eroute 0 authmeth "PRESHARED"
eroute 0 nosa "TRY"
eroute 0 autosa 1
eroute 0 debug ON
dhcp 0 IPmin "192.168.1.100"
dhcp 0 mask "255.255.255.0"
dhcp 0 gateway "192.168.1.1"
dhcp 0 DNS "192.168.1.1"
dhcp 0 respdelms 500
ppp 0 timeout 300
ppp 1 r_chap OFF
ppp 1 IPaddr "0.0.0.0"
ppp 1 phonenum "*98*1#"
ppp 1 timeout 0
ppp 1 use_modem 1
ppp 1 aodion 1
ppp 1 autoassert 1
ppp 1 ipsec 1
ppp 1 ipanon ON
ppp 3 defpak 16
ppp 4 defpak 16
ike 0 encalg "3DES"
ike 0 aggressive ON
ike 0 ikegroup 2
ike 0 deblevel 4
ike 0 delmode 1
modemcc 0 info_asy_add 7
modemcc 0 init_str "+CGQREQ=1"
modemcc 0 init_str1 "+CGQMIN=1"
modemcc 0 apn "internet"
modemcc 0 link_retries 10
modemcc 0 stat_retries 30
modemcc 0 sms_interval 1
modemcc 0 sms_access 1
modemcc 0 sms_concat 0
modemcc 0 init_str_2 "+CGQREQ=1"
modemcc 0 init_str1_2 "+CGQMIN=1"
modemcc 0 apn_2 "Your.APN.goes.here"
modemcc 0 link_retries_2 10
modemcc 0 stat_retries_2 30
ana 0 anon ON
ana 0 l1on ON
ana 0 lapdon 0
ana 0 asyon 1
ana 0 ipfilt "~500,4500"
ana 0 ikeon ON
ana 0 maxdata 1500
ana 0 logsize 45
cmd 0 unitid "ss%s>"
cmd 0 cmdnua "99"
cmd 0 hostname "digi.router"
cmd 0 asyled_mode 2
cmd 0 tremto 1200
cmd 0 web_suffix ".wb2"
user 0 access 0
user 1 name "username"
user 1 epassword "KD5lSVJDVVg="
user 1 access 0
user 2 access 0
user 3 access 0
user 4 access 0
user 5 access 0
user 6 access 0
user 7 access 0
user 8 access 0
user 9 access 0
user 10 name "responder"
user 10 epassword "LDplTg=="
user 10 access 4
local 0 transaccess 2
sslsvr 0 certfile "cert01.pem"
sslsvr 0 keyfile "privrsa.pem"
ssh 0 hostkey1 "privssh.pem"
ssh 0 nb_listen 5
ssh 0 v1 OFF

6.3 Sarian Firmware Versions

This is the firmware / hardware information from VPN Host DR6410:

Sarian Systems. Sarian DR6410-HPA Mk.II DSL2/2+ Router
Ser#:92903 HW Revision: 7502a
Software Build Ver5076. Oct 8 2009 14:59:48 9W
ARM Sarian Bios Ver 5.70 v35 197MHz B128-M128-F300-O100001,0 MAC:00042d016ae7
Power Up Profile: 0
Async Driver Revision: 1.19 Int clk
Ethernet Hub Driver Revision: 1.11
Firewall Revision: 1.0
EventEdit Revision: 1.0
Timer Module Revision: 1.1
AAL Revision: 1.0
ADSL Revision: 1.0
(B)USBHOST Revision: 1.0
L2TP Revision: 1.10
PPTP Revision: 1.00
TACPLUS Revision: 1.00
MySQL Revision: 0.01
LAPB Revision: 1.12
X25 Layer Revision: 1.19
MACRO Revision: 1.0
PAD Revision: 1.4
X25 Switch Revision: 1.7
V120 Revision: 1.16
TPAD Interface Revision: 1.12
SCRIBATSK Revision: 1.0
BASTSK Revision: 1.0
ARM Sync Driver Revision: 1.18
TCP (HASH mode) Revision: 1.14
TCP Utils Revision: 1.13
PPP Revision: 1.19
WEB Revision: 1.5
SMTP Revision: 1.1
FTP Client Revision: 1.5
FTP Revision: 1.4
IKE Revision: 1.0
PollANS Revision: 1.2
PPPOE Revision: 1.0
BRIDGE Revision: 1.1
MODEM CC (Option 3G) Revision: 1.4
FLASH Write Revision: 1.2
Command Interpreter Revision: 1.38
SSLCLI Revision: 1.0
OSPF Revision: 1.0
BGP Revision: 1.0
QOS Revision: 1.0
RADIUS Client Revision: 1.0
SSH Server Revision: 1.0
SCP Revision: 1.0
CERT Revision: 1.0
LowPrio Revision: 1.0
Tunnel Revision: 1.2
TEMPLOG Revision: 1.0
Wifi Revision: 1.1

This is the firmware / hardware information from VPN Initiator WR41:

Digi TransPort WR41H-AEU-B00
Ser#:92755 HW Revision: 7103a
Software Build Ver5076. Oct 08 2009 13:45:03 ZW
ARM Bios Ver 5.70 v36 399MHz B128-M128-F80-O100,0 MAC:00042d016a53
Power Up Profile: 0
Async Driver Revision: 1.19 Int clk
Ethernet Driver Revision: 1.11
Firewall Revision: 1.0
EventEdit Revision: 1.0
Timer Module Revision: 1.1
(B)USBHOST Revision: 1.0
SDMMC Revision: 1.0
L2TP Revision: 1.10
PPTP Revision: 1.00
LAPB Revision: 1.12
X25 Layer Revision: 1.19
MACRO Revision: 1.0
PAD Revision: 1.4
V120 Revision: 1.16
TPAD Interface Revision: 1.12
GPS Revision: 1.0
SCRIBATSK Revision: 1.0
BASTSK Revision: 1.0
PYTHON Revision: 1.0
ARM Sync Driver Revision: 1.18
TCP (HASH mode) Revision: 1.14
TCP Utils Revision: 1.13
PPP Revision: 1.19
WEB Revision: 1.5
SMTP Revision: 1.1
FTP Client Revision: 1.5
FTP Revision: 1.4
IKE Revision: 1.0
PollANS Revision: 1.2
PPPOE Revision: 1.0
MODEM CC (Option 3G) Revision: 1.4
FLASH Write Revision: 1.2
Command Interpreter Revision: 1.38
SSLCLI Revision: 1.0
OSPF Revision: 1.0
BGP Revision: 1.0
QOS Revision: 1.0
PWRCTRL Revision: 1.0
RADIUS Client Revision: 1.0
SSH Server Revision: 1.0
SCP Revision: 1.0
CERT Revision: 1.0
LowPrio Revision: 1.0
Tunnel Revision: 1.2
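The two eroute definitions in 6.1 and 6.2 must mirror each other: each side's ourid is the other's peerid, each side's locip/locmsk is the other's remip/remmsk, ESPenc, ESPauth and authmeth are identical, and the pre-shared key is held in a user entry whose name is the peer's ID (user 10 name "initiator" on the DR6410, user 10 name "responder" on the WR41, both carrying the same epassword string). Getting any of these wrong is the class of mistake behind the "No Matching Eroute" and "Preshared Key Incorrect" failures in section 5. The following Python script is an added example, not code from the application note or from Digi: it parses the config-dump grammar seen above and checks those pairing rules, then warns about the aggressive mode, 3DES and MD5 choices. The two config samples are constructed subsets of the dumps in 6.1 and 6.2; the grammar and the rules are this example's own reading of those dumps.

```python
"""Cross-check the responder and initiator eroute configs of a PSK tunnel.

Added example, not part of the application note or of Digi's firmware.
Assumes the dump grammar seen in sections 6.1/6.2 ("<entity> <instance>
<parameter> <value>", strings double-quoted) and that the PSK lives in a
user entry named after the peer's ID, as both dumps show.
"""
import re
from typing import Dict, List, Tuple

Config = Dict[Tuple[str, str], Dict[str, str]]   # (entity, instance) -> params

# Constructed samples: the eroute/ike/user lines from sections 6.1 and 6.2.
RESPONDER_CFG = """\
eroute 0 peerid "initiator"
eroute 0 ourid "responder"
eroute 0 locip "10.1.89.0"
eroute 0 locmsk "255.255.255.0"
eroute 0 remip "10.1.63.0"
eroute 0 remmsk "255.255.255.0"
eroute 0 ESPauth "MD5"
eroute 0 ESPenc "3DES"
eroute 0 authmeth "PRESHARED"
ike 0 deblevel 4
user 10 name "initiator"
user 10 epassword "LDplTg=="
user 10 access 4
"""

INITIATOR_CFG = """\
eroute 0 peerip "213.152.58.85"
eroute 0 peerid "responder"
eroute 0 ourid "initiator"
eroute 0 locip "10.1.63.0"
eroute 0 locmsk "255.255.255.0"
eroute 0 remip "10.1.89.0"
eroute 0 remmsk "255.255.255.0"
eroute 0 ESPauth "MD5"
eroute 0 ESPenc "3DES"
eroute 0 authmeth "PRESHARED"
ike 0 encalg "3DES"
ike 0 aggressive ON
ike 0 ikegroup 2
user 10 name "responder"
user 10 epassword "LDplTg=="
user 10 access 4
"""

LINE = re.compile(r'^(\w+) (\d+) (\w+)\s*(.*?)\s*$')


def parse_config(text: str) -> Config:
    """Turn a TransPort config dump into {(entity, instance): {param: value}}."""
    cfg: Config = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                          # blank or unrecognised line
        entity, inst, param, value = m.groups()
        cfg.setdefault((entity, inst), {})[param] = value.strip('"')
    return cfg


def psk_entry(cfg: Config, peer_id: str) -> Dict[str, str]:
    """The user entry that holds the PSK for peer_id, or {} if absent."""
    return next((p for (ent, _), p in cfg.items()
                 if ent == "user" and p.get("name") == peer_id), {})


def check_pair(responder_text: str, initiator_text: str,
               eroute: str = "0") -> Tuple[List[str], List[str]]:
    """Return (problems, warnings): problems stop the tunnel coming up,
    warnings are settings that work but that a security review should question."""
    r_cfg, i_cfg = parse_config(responder_text), parse_config(initiator_text)
    r, i = r_cfg.get(("eroute", eroute), {}), i_cfg.get(("eroute", eroute), {})
    problems: List[str] = []
    warnings: List[str] = []
    # IDs cross over: one side's ourid must be the other side's peerid.
    for mine, theirs, side in ((r, i, "responder"), (i, r, "initiator")):
        if mine.get("ourid") != theirs.get("peerid"):
            problems.append(f"{side} ourid {mine.get('ourid')!r} != peer's peerid {theirs.get('peerid')!r}")
    # Traffic selectors mirror: the local subnet here is the remote subnet there.
    for loc, rem in (("locip", "remip"), ("locmsk", "remmsk")):
        if r.get(loc) != i.get(rem):
            problems.append(f"responder {loc} {r.get(loc)!r} != initiator {rem} {i.get(rem)!r}")
        if i.get(loc) != r.get(rem):
            problems.append(f"initiator {loc} {i.get(loc)!r} != responder {rem} {r.get(rem)!r}")
    # Phase 2 transform and authentication method must agree exactly.
    for key in ("ESPenc", "ESPauth", "authmeth"):
        if r.get(key) != i.get(key):
            problems.append(f"{key}: responder {r.get(key)!r} vs initiator {i.get(key)!r}")
    # Each side needs a user entry named after the peer's ID; the dumps on
    # this page show the same key encoding to the same epassword string.
    r_psk, i_psk = psk_entry(r_cfg, i.get("ourid", "")), psk_entry(i_cfg, r.get("ourid", ""))
    if not r_psk or not i_psk:
        problems.append("missing user entry named after the peer ID (no PSK)")
    elif r_psk.get("epassword") != i_psk.get("epassword"):
        problems.append("PSK user entries differ: the same key was not entered on both sides")
    if i_cfg.get(("ike", "0"), {}).get("aggressive") == "ON":
        warnings.append("aggressive mode with PSK: HASH_R is sent in the clear, PSK brute-forceable offline")
    if r.get("ESPenc") == "3DES":
        warnings.append("3DES is a legacy 64-bit block cipher; prefer AES")
    if r.get("ESPauth") == "MD5":
        warnings.append("HMAC-MD5 is legacy; prefer SHA-2")
    return problems, warnings


if __name__ == "__main__":
    found, warned = check_pair(RESPONDER_CFG, INITIATOR_CFG)
    print("problems:", found or "none")
    for w in warned:
        print("warning:", w)
```

Feed it the full `config -c show` style dumps from both units before turning on `eroute 0 debug`; an empty problems list means the phase 2 selectors and IDs will line up, which leaves the packet analyser for genuine transport issues such as the NAT traversal shown in section 5.5.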