IKE failed to find valid machine certificate

Paul

I'm so close it's driving me crazy.

IPSec Server:
Windows 2003
IPSec Client:
Windows 2000 SP3 + 128-bit encryption pack + NAT-T patch

C:\Windows\Debug\oakley.log
shows negotiation cruising along perfectly
(even NAT-T works).
But, I end with the error:
"IKE failed to find valid machine certificate" in
oakley.log and a nasty Windows Error box displaying:

Error: 786: The L2TP connection attempt failed because
there is no valid machine certificate on your computer for
security authentication.

I verified the certificate and certificate path on both
the client and the server and everything (fingerprints,
serial numbers) looks fine. The certificate seems to be
installed correctly in the machine store, but I still get
this error. I searched Google and Microsoft for any bugs
relating to this, but found nothing.

Is anyone having this problem?

Here's my oakley.log file:

1-07: 17:24:52:500:dc Queuing work item, packetsize 292
1-07: 17:24:52:500:360
1-07: 17:24:52:500:360 Receive: (get) SA = 0x00000000
from 68.227.86.101.500
1-07: 17:24:52:500:360 ISAKMP Header: (V1.0), len = 292
1-07: 17:24:52:500:360 I-COOKIE a6f4a0ffb5ff7377
1-07: 17:24:52:500:360 R-COOKIE 0000000000000000
1-07: 17:24:52:500:360 exchange: Oakley Main Mode
1-07: 17:24:52:500:360 flags: 0
1-07: 17:24:52:500:360 next payload: SA
1-07: 17:24:52:500:360 message ID: 00000000
1-07: 17:24:52:500:360 Filter to match: Src 68.227.86.101
Dst 192.168.23.132
1-07: 17:24:52:500:360 MM PolicyName: 1
1-07: 17:24:52:500:360 MMPolicy dwFlags 2
SoftSAExpireTime 28800
1-07: 17:24:52:500:360 MMOffer[0] LifetimeSec 28800
QMLimit 0 DHGroup 2
1-07: 17:24:52:500:360 MMOffer[0] Encrypt: Triple DES CBC
Hash: SHA
1-07: 17:24:52:500:360 MMOffer[1] LifetimeSec 28800
QMLimit 0 DHGroup 2
1-07: 17:24:52:500:360 MMOffer[1] Encrypt: Triple DES CBC
Hash: MD5
1-07: 17:24:52:500:360 MMOffer[2] LifetimeSec 28800
QMLimit 0 DHGroup 1
1-07: 17:24:52:500:360 MMOffer[2] Encrypt: DES CBC Hash:
SHA
1-07: 17:24:52:500:360 MMOffer[3] LifetimeSec 28800
QMLimit 0 DHGroup 1
1-07: 17:24:52:500:360 MMOffer[3] Encrypt: DES CBC Hash:
MD5
1-07: 17:24:52:500:360 Auth[0]:RSA Sig DC=com,
DC=callwave, CN=CWVPNCA AuthFlags 0
1-07: 17:24:52:500:360 Created new SA 3dca1c8
1-07: 17:24:52:500:360 Responding with new SA 3dca1c8
1-07: 17:24:52:500:360 processing payload SA
1-07: 17:24:52:500:360 Received Phase 1 Transform 1
1-07: 17:24:52:500:360 Encryption Alg Triple DES CBC
(5)
1-07: 17:24:52:500:360 Hash Alg SHA(2)
1-07: 17:24:52:500:360 Oakley Group 14
1-07: 17:24:52:500:360 Auth Method RSA Signature
with Certificates(3)
1-07: 17:24:52:500:360 Life type in Seconds
1-07: 17:24:52:500:360 Life duration of 28800
1-07: 17:24:52:500:360 Received Phase 1 Transform 2
1-07: 17:24:52:500:360 Encryption Alg Triple DES CBC
(5)
1-07: 17:24:52:500:360 Hash Alg SHA(2)
1-07: 17:24:52:500:360 Oakley Group 2
1-07: 17:24:52:500:360 Auth Method RSA Signature
with Certificates(3)
1-07: 17:24:52:500:360 Life type in Seconds
1-07: 17:24:52:500:360 Life duration of 28800
1-07: 17:24:52:500:360 Received Phase 1 Transform 3
1-07: 17:24:52:500:360 Encryption Alg Triple DES CBC
(5)
1-07: 17:24:52:500:360 Hash Alg MD5(1)
1-07: 17:24:52:500:360 Oakley Group 2
1-07: 17:24:52:500:360 Auth Method RSA Signature
with Certificates(3)
1-07: 17:24:52:500:360 Life type in Seconds
1-07: 17:24:52:500:360 Life duration of 28800
1-07: 17:24:52:500:360 Received Phase 1 Transform 4
1-07: 17:24:52:500:360 Encryption Alg DES CBC(1)
1-07: 17:24:52:500:360 Hash Alg SHA(2)
1-07: 17:24:52:500:360 Oakley Group 1
1-07: 17:24:52:500:360 Auth Method RSA Signature
with Certificates(3)
1-07: 17:24:52:500:360 Life type in Seconds
1-07: 17:24:52:500:360 Life duration of 28800
1-07: 17:24:52:500:360 Received Phase 1 Transform 5
1-07: 17:24:52:500:360 Encryption Alg DES CBC(1)
1-07: 17:24:52:500:360 Hash Alg MD5(1)
1-07: 17:24:52:500:360 Oakley Group 1
1-07: 17:24:52:500:360 Auth Method RSA Signature
with Certificates(3)
1-07: 17:24:52:500:360 Life type in Seconds
1-07: 17:24:52:500:360 Life duration of 28800
1-07: 17:24:52:500:360 Phase 1 SA accepted: transform=2
1-07: 17:24:52:500:360 SA - Oakley proposal accepted
1-07: 17:24:52:500:360 processing payload VENDOR ID
1-07: 17:24:52:500:360 Vendor ID
1e2b516905991c7d7c96fcbfb587e461
1-07: 17:24:52:500:360 00000002
1-07: 17:24:52:500:360 Received VendorId MS NT5
ISAKMPOAKLEY
1-07: 17:24:52:500:360 Setting VendorId 1
1-07: 17:24:52:500:360 Setting PeerVersion 2
1-07: 17:24:52:500:360 processing payload VENDOR ID
1-07: 17:24:52:500:360 Vendor ID
4048b7d56ebce88525e7de7f00d6c2d3
1-07: 17:24:52:500:360
1-07: 17:24:52:500:360 Received VendorId FRAGMENTATION
1-07: 17:24:52:500:360 Setting VendorId 17
1-07: 17:24:52:500:360 processing payload VENDOR ID
1-07: 17:24:52:500:360 Vendor ID
90cb80913ebb696e086381b5ec427b1f
1-07: 17:24:52:500:360
1-07: 17:24:52:500:360 Received VendorId draft-ietf-ipsec-
nat-t-ike-02
1-07: 17:24:52:500:360 Setting VendorId 21
1-07: 17:24:52:500:360 ClearFragList
1-07: 17:24:52:500:360 In state OAK_MM_SA_SETUP
1-07: 17:24:52:500:360 constructing ISAKMP Header
1-07: 17:24:52:500:360 constructing SA (ISAKMP)
1-07: 17:24:52:500:360 Constructing Vendor MS NT5
ISAKMPOAKLEY
1-07: 17:24:52:500:360 Constructing Vendor FRAGMENTATION
1-07: 17:24:52:500:360 Constructing Vendor draft-ietf-
ipsec-nat-t-ike-02
1-07: 17:24:52:500:360 send_request SA 03DCA1C8 centry
00000000 RetryType 2 Context 00000000
1-07: 17:24:52:515:360 TotalActiveTimers++ 2
1-07: 17:24:52:515:360 Inserting entry 03E03C28 in slot
20 CurWheelIndex 20 delta 1000
1-07: 17:24:52:515:360 Setting Retransmit: sa 3dca1c8
handle 3e03c28 context a3308
1-07: 17:24:52:515:360
1-07: 17:24:52:515:360 Sending: SA = 0x03DCA1C8 to
68.227.86.101:Type 2.500
1-07: 17:24:52:515:360 ISAKMP Header: (V1.0), len = 148
1-07: 17:24:52:515:360 I-COOKIE a6f4a0ffb5ff7377
1-07: 17:24:52:515:360 R-COOKIE 9c912255400b69ee
1-07: 17:24:52:515:360 exchange: Oakley Main Mode
1-07: 17:24:52:515:360 flags: 0
1-07: 17:24:52:515:360 next payload: SA
1-07: 17:24:52:515:360 message ID: 00000000
1-07: 17:24:52:515:360 Ports S:f401 D:f401
1-07: 17:24:52:515:360 Worker exiting
1-07: 17:24:52:796:dc Queuing work item, packetsize 232
1-07: 17:24:52:796:360
1-07: 17:24:52:796:360 Receive: (get) SA = 0x03dca1c8
from 68.227.86.101.500
1-07: 17:24:52:796:360 ISAKMP Header: (V1.0), len = 232
1-07: 17:24:52:796:360 I-COOKIE a6f4a0ffb5ff7377
1-07: 17:24:52:796:360 R-COOKIE 9c912255400b69ee
1-07: 17:24:52:796:360 exchange: Oakley Main Mode
1-07: 17:24:52:796:360 flags: 0
1-07: 17:24:52:796:360 next payload: KE
1-07: 17:24:52:796:360 message ID: 00000000
1-07: 17:24:52:796:360 processing payload KE
1-07: 17:24:52:921:360 Generated 128 byte Shared Secret
1-07: 17:24:52:921:360 KE processed; DH shared secret
computed
1-07: 17:24:52:921:360 processing payload NONCE
1-07: 17:24:52:921:360 PTID 129 PKTYPE 130
1-07: 17:24:52:921:360 PTID 130 PKTYPE 130
1-07: 17:24:52:921:360 processing payload NATDISC
1-07: 17:24:52:937:360 Processing NatHash
1-07: 17:24:52:937:360 Nat hash
28d45e6e5fcc05e9700c5e0f311ba361
1-07: 17:24:52:937:360 fa0b1365
1-07: 17:24:52:937:360 SA StateMask2 1e
1-07: 17:24:52:937:360 PTID 129 PKTYPE 130
1-07: 17:24:52:937:360 PTID 130 PKTYPE 130
1-07: 17:24:52:937:360 processing payload NATDISC
1-07: 17:24:52:937:360 Processing NatHash
1-07: 17:24:52:937:360 Nat hash
8cb0971c38866ef36c49f194b65ad699
1-07: 17:24:52:937:360 6965709d
1-07: 17:24:52:937:360 SA StateMask2 5e
1-07: 17:24:52:937:360 ClearFragList
1-07: 17:24:52:937:360 In state OAK_MM_Key_EXCH
1-07: 17:24:52:937:360 Peer behind NAT
1-07: 17:24:52:937:360 constructing ISAKMP Header
1-07: 17:24:52:937:360 constructing KE
1-07: 17:24:52:937:360 constructing NONCE (ISAKMP)
1-07: 17:24:52:937:360 Constructing Cert Request
1-07: 17:24:52:937:360 DC=com, DC=callwave, CN=CWVPNCA
1-07: 17:24:52:937:360 Constructing NatDisc
1-07: 17:24:52:937:360 Floated Ports Orig Me:f401
Peer:f401
1-07: 17:24:52:937:360 Floated Ports Me:9411 Peer:0
1-07: 17:24:52:937:360 send_request SA 03DCA1C8 centry
00000000 RetryType 2 Context 000A3308
1-07: 17:24:52:937:360 TotalActiveTimers--2 1
1-07: 17:24:52:937:360 TotalActiveTimers++ 2
1-07: 17:24:52:937:360 Inserting entry 03E03C28 in slot
21 CurWheelIndex 20 delta 1000
1-07: 17:24:52:937:360
1-07: 17:24:52:937:360 Sending: SA 0x03DCA1C8 to
68.227.86.101:Type 2.500
1-07: 17:24:52:937:360 ISAKMP Header: (V1.0), len = 304
1-07: 17:24:52:937:360 I-COOKIE a6f4a0ffb5ff7377
1-07: 17:24:52:937:360 R-COOKIE 9c912255400b69ee
1-07: 17:24:52:937:360 exchange: Oakley Main Mode
1-07: 17:24:52:937:360 flags: 0
1-07: 17:24:52:937:360 next payload: KE
1-07: 17:24:52:937:360 message ID: 00000000
1-07: 17:24:52:937:360 Ports S:f401 D:f401
1-07: 17:24:52:937:360 Worker exiting
1-07: 17:24:53:46:dc Queuing work item, packetsize 1820
1-07: 17:24:53:46:360
1-07: 17:24:53:46:360 Receive: (get) SA = 0x03dca1c8 from
68.227.86.101.4500
1-07: 17:24:53:46:360 ISAKMP Header: (V1.0), len = 1820
1-07: 17:24:53:46:360 I-COOKIE a6f4a0ffb5ff7377
1-07: 17:24:53:46:360 R-COOKIE 9c912255400b69ee
1-07: 17:24:53:46:360 exchange: Oakley Main Mode
1-07: 17:24:53:46:360 flags: 1 ( encrypted )
1-07: 17:24:53:46:360 next payload: ID
1-07: 17:24:53:46:360 message ID: 00000000
1-07: 17:24:53:46:360 skeyid generated; crypto enabled
(responder)
1-07: 17:24:53:46:360 processing payload ID
1-07: 17:24:53:46:360 Got Cert ID
1-07: 17:24:53:46:360 processing payload CERT
1-07: 17:24:53:46:360 processing payload CRP
1-07: 17:24:53:46:360 DC=com, DC=callwave, CN=CWVPNCA
1-07: 17:24:53:46:360 processing payload SIG
1-07: 17:24:53:46:360 Verifying CertStore
1-07: 17:24:53:46:360 SubjectName: C=US, S=CA, L=Santa
Barbara, O=CAllwave, OU=Ops, CN=Paul Company,
[email protected]
1-07: 17:24:53:46:360 Cert Serialnumber
18000000000072a70e14
1-07: 17:24:53:62:360 Cert SHA Thumbprint
ed80ade5d53d1ffe55d1efc0f969356b
1-07: 17:24:53:62:360 3269268f
1-07: 17:24:53:93:360 Cert Trustes. 0 100
1-07: 17:24:53:93:360 SubjectName: C=US, S=CA, L=Santa
Barbara, O=CAllwave, OU=Ops, CN=Paul Company,
[email protected]
1-07: 17:24:53:93:360 Cert Serialnumber
18000000000072a70e14
1-07: 17:24:53:93:360 Cert SHA Thumbprint
ed80ade5d53d1ffe55d1efc0f969356b
1-07: 17:24:53:93:360 3269268f
1-07: 17:24:53:93:360 SubjectName: DC=com, DC=callwave,
CN=CWVPNCA
1-07: 17:24:53:93:360 Cert Serialnumber
618451f1a5568b47a1ab5c7a31c08708
1-07: 17:24:53:93:360
1-07: 17:24:53:93:360 Cert SHA Thumbprint
94f6446a1375329924defb0bfddacabc
1-07: 17:24:53:93:360 cc6d1b0a
1-07: 17:24:53:93:360 No BasicConstraints in cert
1-07: 17:24:53:93:360 Subject names match
1-07: 17:24:53:93:360 Not storing Peer's cert chain in SA.
1-07: 17:24:53:93:360 Cert lifetime in seconds low
31620077, high 0
1-07: 17:24:53:93:360 Cert SHA Thumbprint
ed80ade5d53d1ffe55d1efc0f969356b
1-07: 17:24:53:93:360 3269268f
1-07: 17:24:53:93:360 Entered CRL check
1-07: 17:24:53:109:360 Left CRL check
1-07: 17:24:53:125:360 Keylen in cert 1024
1-07: 17:24:53:125:360 Signature validated
1-07: 17:24:53:125:360 ClearFragList
1-07: 17:24:53:125:360 Setting SA timeout: 25920
1-07: 17:24:53:125:360 constructing ISAKMP Header
1-07: 17:24:53:125:360 constructing ID
1-07: 17:24:53:125:360 Looking for IPSec only cert
1-07: 17:24:53:125:360 Cert Trustes. 0 100
1-07: 17:24:53:125:360 Ignoring root only chain
1-07: 17:24:53:125:360 Looking for IPSec only cert
1-07: 17:24:53:125:360 failed to get chain 80092004
1-07: 17:24:53:125:360 Looking for any cert
1-07: 17:24:53:125:360 Cert Trustes. 0 100
1-07: 17:24:53:125:360 Ignoring root only chain
1-07: 17:24:53:125:360 Looking for any cert
1-07: 17:24:53:125:360 failed to get chain 80092004
1-07: 17:24:53:125:360 Received no valid CRPs. Using all
configured
1-07: 17:24:53:125:360 Looking for IPSec only cert
1-07: 17:24:53:125:360 Cert Trustes. 0 100
1-07: 17:24:53:125:360 Ignoring root only chain
1-07: 17:24:53:125:360 Looking for IPSec only cert
1-07: 17:24:53:125:360 failed to get chain 80092004
1-07: 17:24:53:125:360 Looking for any cert
1-07: 17:24:53:125:360 Cert Trustes. 0 100
1-07: 17:24:53:125:360 Ignoring root only chain
1-07: 17:24:53:125:360 Looking for any cert
1-07: 17:24:53:125:360 failed to get chain 80092004
1-07: 17:24:53:125:360 ProcessFailure: sa:03DCA1C8
centry:00000000 status:35ee
1-07: 17:24:53:125:360 isadb_set_status sa:03DCA1C8
centry:00000000 status 35ee
1-07: 17:24:53:125:360 Stopping RetransTimer sa:03DCA1C8
centry:00000000 handle:03E03C28
1-07: 17:24:53:125:360 TotalActiveTimers--2 1
1-07: 17:24:53:140:360 Key Exchange Mode (Main Mode)
1-07: 17:24:53:140:360 Source IP Address 192.168.23.132
Source IP Address Mask 255.255.255.255 Destination IP
Address 68.227.86.101 Destination IP Address Mask
255.255.255.255 Protocol 0 Source Port 0 Destination
Port 0 IKE Local Addr 192.168.23.132 IKE Peer Addr
68.227.86.101 IKE Source Port 4500 IKE Destination Port
0 Peer Private Addr
1-07: 17:24:53:140:360 Certificate based Identity.
Peer Subject C=US, S=CA, L=Santa Barbara, O=CAllwave,
OU=Ops, CN=Paul Company, [email protected] Peer SHA
Thumbprint ed80ade5d53d1ffe55d1efc0f969356b3269268f Peer
Issuing Certificate Authority DC=com, DC=callwave,
CN=CWVPNCA Root Certificate Authority My Subject My
SHA Thumbprint 0000000000000000000000000000000000000000
Peer IP Address: 68.227.86.101
1-07: 17:24:53:140:360 Me
1-07: 17:24:53:140:360 IKE failed to find valid machine
certificate
1-07: 17:24:53:140:360 Processed second (KE) payload
Responder. Delta Time 1 0x80092004 0x0
1-07: 17:24:53:140:360 ProcessFailure: sa:03DCA1C8
centry:00000000 status:35ee
1-07: 17:24:53:140:360 constructing ISAKMP Header
1-07: 17:24:53:140:360 constructing HASH (null)
1-07: 17:24:53:140:360 constructing NOTIFY 28
1-07: 17:24:53:140:360 constructing HASH (Notify/Delete)
1-07: 17:24:53:140:360 Construct ND hash message len = 28
pcklen=80 hashlen=20
1-07: 17:24:53:140:360 send_request SA 03DCA1C8 centry
00000000 RetryType 1 Context 00000000
1-07: 17:24:53:140:360
1-07: 17:24:53:140:360 Sending: SA = 0x03DCA1C8 to
68.227.86.101:Type 1.500
1-07: 17:24:53:140:360 ISAKMP Header: (V1.0), len = 84
1-07: 17:24:53:140:360 I-COOKIE a6f4a0ffb5ff7377
1-07: 17:24:53:140:360 R-COOKIE 9c912255400b69ee
1-07: 17:24:53:140:360 exchange: ISAKMP Informational
Exchange
1-07: 17:24:53:140:360 flags: 1 ( encrypted )
1-07: 17:24:53:140:360 next payload: HASH
1-07: 17:24:53:140:360 message ID: f4cf6b9c
1-07: 17:24:53:140:360 Ports S:f401 D:f401
1-07: 17:24:53:140:360 Worker exiting
1-07: 17:24:53:218:dc Queuing work item, packetsize 84
1-07: 17:24:53:218:360
1-07: 17:24:53:218:360 Receive: (get) SA = 0x03dca1c8
from 68.227.86.101.4500
1-07: 17:24:53:218:360 ISAKMP Header: (V1.0), len = 84
1-07: 17:24:53:218:360 I-COOKIE a6f4a0ffb5ff7377
1-07: 17:24:53:218:360 R-COOKIE 9c912255400b69ee
1-07: 17:24:53:218:360 exchange: ISAKMP Informational
Exchange
1-07: 17:24:53:218:360 flags: 1 ( encrypted )
1-07: 17:24:53:218:360 next payload: HASH
1-07: 17:24:53:218:360 message ID: 5a932dd2
1-07: 17:24:53:218:360 processing HASH (Notify/Delete)
1-07: 17:24:53:218:360 processing payload DELETE
1-07: 17:24:53:218:360 SA Dead. sa:03DCA1C8 status:35ef
1-07: 17:24:53:218:360 Worker exiting
1-07: 17:25:16:562:360 QM Deleted. Notify from driver:
Src 192.168.23.132 Dest 63.77.208.4 InSPI 3804782403
OutSpi 0 Tunnel 0 TunnelFilter 0
1-07: 17:25:16:562:170 QM Deleted. Notify from driver:
Src 192.168.72.12 Dest 63.77.208.4 InSPI 3863557746 OutSpi
0 Tunnel 0 TunnelFilter 0
1-07: 17:25:16:562:360 Removing SPI=3804782403
addr=4d04d3f flags=0
1-07: 17:25:16:562:170 Removing SPI=3863557746
addr=4d04d3f flags=0
1-07: 17:25:16:562:360 Failed to find SA to process
driver notify. Spi -490184893
1-07: 17:25:16:562:170 Failed to find SA to process
driver notify. Spi -431409550
1-07: 17:25:16:562:360 ICookie d84b48310a682820
1-07: 17:25:16:562:170 ICookie 0e1344df4fb2fe33
1-07: 17:25:16:562:360 PrivatePeerAddr 0
1-07: 17:25:16:562:170 PrivatePeerAddr 0
1-07: 17:25:23:31:e4 TotalActiveTimers--3 0
1-07: 17:25:23:31:e4 TotalActiveTimers++ 1
1-07: 17:25:23:31:e4 Inserting entry 03DF0CB8 in slot 18
CurWheelIndex 51 delta 32000
1-07: 17:25:23:31:e4 Handling Retransmit: sa 03DCA530
centry 00000000 handle 03DF0CB8 type 2
1-07: 17:25:23:31:e4 retransmit exhausted: sa = 03DCA530
centry 00000000, count = 6
1-07: 17:25:23:31:e4 SA Dead. sa:03DCA530 status:35ed
1-07: 17:25:23:31:e4 isadb_set_status sa:03DCA530
centry:00000000 status 35ed
1-07: 17:25:23:31:e4 Stopping RetransTimer sa:03DCA530
centry:00000000 handle:03DF0CB8
1-07: 17:25:23:31:e4 TotalActiveTimers--2 0
1-07: 17:25:23:31:e4 constructing ISAKMP Header
1-07: 17:25:23:31:e4 constructing DELETE. MM 03DCA530
1-07: 17:25:23:31:e4 send_request SA 03DCA530 centry
00000000 RetryType 1 Context 00000000
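
A triage sketch for the log above, added here as an example and not part of the original post: it rejoins the hard-wrapped records and separates "peer certificate accepted" from "own machine certificate found", which is where this negotiation stops. The function names and the choice of excerpt lines are assumptions of this example; 80092004 is CRYPT_E_NOT_FOUND and status 35ee is decimal 13806, ERROR_IPSEC_IKE_NO_CERT.

```python
import re

# Selected lines copied from the oakley.log in the post above, hard wraps
# included (the e-mail address is already masked on the page).
SAMPLE_LOG = """\
1-07: 17:24:53:125:360 Signature validated
1-07: 17:24:53:125:360 constructing ID
1-07: 17:24:53:125:360 Looking for IPSec only cert
1-07: 17:24:53:125:360 Cert Trustes. 0 100
1-07: 17:24:53:125:360 Ignoring root only chain
1-07: 17:24:53:125:360 Looking for IPSec only cert
1-07: 17:24:53:125:360 failed to get chain 80092004
1-07: 17:24:53:125:360 Looking for any cert
1-07: 17:24:53:125:360 Cert Trustes. 0 100
1-07: 17:24:53:125:360 Ignoring root only chain
1-07: 17:24:53:125:360 Looking for any cert
1-07: 17:24:53:125:360 failed to get chain 80092004
1-07: 17:24:53:125:360 ProcessFailure: sa:03DCA1C8
centry:00000000 status:35ee
1-07: 17:24:53:140:360 Certificate based Identity.
Peer Subject C=US, S=CA, L=Santa Barbara, O=CAllwave,
OU=Ops, CN=Paul Company, [email protected] Peer SHA
Thumbprint ed80ade5d53d1ffe55d1efc0f969356b3269268f Peer
Issuing Certificate Authority DC=com, DC=callwave,
CN=CWVPNCA Root Certificate Authority My Subject My
SHA Thumbprint 0000000000000000000000000000000000000000
Peer IP Address: 68.227.86.101
1-07: 17:24:53:140:360 IKE failed to find valid machine
certificate
1-07: 17:25:23:31:e4 SA Dead. sa:03DCA530 status:35ed
"""

# A record starts with "M-DD: HH:MM:SS:ms:thread"; any other line is a wrapped tail.
PREFIX = re.compile(
    r"^\d{1,2}-\d{1,2}: (\d{1,2}:\d{2}:\d{2}:\d{1,3}):([0-9a-fA-F]+)(?: (.*))?$"
)

CRYPT_E_NOT_FOUND = 0x80092004  # CryptoAPI: "Cannot find object or property"

# Win32 IPsec error codes; the log prints them as 4-digit hex "status" values.
IKE_STATUS = {
    13805: "ERROR_IPSEC_IKE_TIMED_OUT",
    13806: "ERROR_IPSEC_IKE_NO_CERT",
    13807: "ERROR_IPSEC_IKE_SA_DELETED",
}


def unwrap(text):
    """Rejoin hard-wrapped lines into one dict per timestamped record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PREFIX.match(line)
        if m:
            records.append({"time": m.group(1), "thread": m.group(2),
                            "msg": (m.group(3) or "").strip()})
        elif records:
            rec = records[-1]
            # A wrap right after a hyphen split a single token in two.
            sep = "" if rec["msg"].endswith("-") else " "
            rec["msg"] = (rec["msg"] + sep + line).strip()
    return records


def triage(text):
    """Report whether the peer's cert was accepted and whether a local one was found."""
    result = {"peer_signature_validated": False, "root_only_chains_skipped": 0,
              "chain_errors": [], "statuses": [], "local_thumbprint_empty": False}
    for rec in unwrap(text):
        msg = rec["msg"]
        if msg == "Signature validated":
            result["peer_signature_validated"] = True
        elif msg == "Ignoring root only chain":
            result["root_only_chains_skipped"] += 1
        m = re.search(r"failed to get chain ([0-9a-fA-F]{8})\b", msg)
        if m:
            result["chain_errors"].append(int(m.group(1), 16))
        m = re.search(r"\bstatus[: ]([0-9a-fA-F]{4})\b", msg)
        if m:
            code = int(m.group(1), 16)
            result["statuses"].append(IKE_STATUS.get(code, hex(code)))
        # The failure summary prints the responder's own thumbprint; all zeros
        # means no local certificate was selected.
        m = re.search(r"\bMy\s+SHA Thumbprint\s+([0-9a-fA-F]{40})\b", msg)
        if m:
            result["local_thumbprint_empty"] = set(m.group(1)) == {"0"}
    # In this log the chain errors follow "constructing ID", i.e. the search
    # for the responder's own certificate, not validation of the peer's.
    local_failed = (CRYPT_E_NOT_FOUND in result["chain_errors"]
                    or result["local_thumbprint_empty"])
    if result["peer_signature_validated"] and local_failed:
        result["verdict"] = "peer certificate accepted; no usable local machine certificate"
    elif local_failed:
        result["verdict"] = "no usable local machine certificate"
    else:
        result["verdict"] = "undetermined"
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
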
 
Kadirvel C Vanniarajan [MSFT]

You can do the following if the certificates are actually valid:
- Check the validity period of the certificates and make sure they are
fine
- Restart IPSec services
- Check if reinstalling the certificates solves the problem.

--
Kadir

(e-mail address removed) [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

G

Guest

Thank you for your reply.
I tried your suggestions, but they didn't work.
The validity period was fine.
I restarted IPSec.
I tried reinstalling the certificates.
Nothing worked.

Is there a way to verify the protocol negotiation
when the server asks the client for the machine store
certificate?

Something is definitely broken in some way.

-----Original Message-----
You can do the following if the certificates are actually valid:
- Check the validity period of the certificates and make sure they are fine
- Restart IPSec services
- Check if reinstalling the certificates solves the problem.

--
Kadir

(e-mail address removed) [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


Sharoon Shetty K [MSFT]

Could you check this -
The certificate.pfx must be installed in personal store and certificate.cer
in trusted root CA. If we put certificate.cer in both
places, it fails with the error 786.

Thanks,
Sharoon
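
The certificate steps discussed in this thread can be read out of oakley.log mechanically. The following is an added example, not part of the original posts: it rejoins the wrapped log lines, then reports the CA named in each certificate request, whether the peer's signature validated, and how each local certificate search ended. The function names and report layout are assumptions made for the example; the sample lines come from the log posted in this thread, and CRYPT_E_NOT_FOUND (80092004) and ERROR_IPSEC_IKE_NO_CERT (status 35ee, decimal 13806) are the Windows SDK names for those values.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# oakley.log entry prefix: "M-DD: HH:MM:SS:ms:thread-id message"
ENTRY = re.compile(r"^\d{1,2}-\d{1,2}: (\d{1,2}:\d{2}:\d{2}:\d{1,3}):[0-9a-fA-F]+\s*(.*)$")
# Codes that appear in the thread's log, with their Windows SDK names.
HRESULTS = {0x80092004: "CRYPT_E_NOT_FOUND"}
IKE_STATUS = {13805: "ERROR_IPSEC_IKE_TIMED_OUT", 13806: "ERROR_IPSEC_IKE_NO_CERT",
              13807: "ERROR_IPSEC_IKE_SA_DELETED"}
ROOT_ONLY = "root-only chain ignored"

# Sample input: lines taken from the log posted in this thread, forum line wraps included.
SAMPLE_LOG = """\
1-07: 17:24:52:937:360 Constructing Cert Request
1-07: 17:24:52:937:360 DC=com, DC=callwave, CN=CWVPNCA
1-07: 17:24:53:46:360 processing payload CRP
1-07: 17:24:53:46:360 DC=com, DC=callwave, CN=CWVPNCA
1-07: 17:24:53:125:360 Signature validated
1-07: 17:24:53:125:360 Looking for IPSec only cert
1-07: 17:24:53:125:360 Cert Trustes. 0 100
1-07: 17:24:53:125:360 Ignoring root only chain
1-07: 17:24:53:125:360 Looking for IPSec only cert
1-07: 17:24:53:125:360 failed to get chain 80092004
1-07: 17:24:53:125:360 Looking for any cert
1-07: 17:24:53:125:360 Cert Trustes. 0 100
1-07: 17:24:53:125:360 Ignoring root only chain
1-07: 17:24:53:125:360 Looking for any cert
1-07: 17:24:53:125:360 failed to get chain 80092004
1-07: 17:24:53:125:360 ProcessFailure: sa:03DCA1C8
centry:00000000 status:35ee
1-07: 17:24:53:140:360 IKE failed to find valid machine
certificate
1-07: 17:24:53:218:360 SA Dead. sa:03DCA1C8 status:35ef
"""

@dataclass
class CertReport:
    requested_from_peer: List[str] = field(default_factory=list)  # CA DNs in the request sent
    requested_by_peer: List[str] = field(default_factory=list)    # CA DNs in the request received
    peer_signature_validated: bool = False
    local_lookups: List[Tuple[Optional[str], str]] = field(default_factory=list)  # (search, outcome)
    failures: List[Tuple[str, str]] = field(default_factory=list)  # (time, IKE status name)
    no_machine_cert: bool = False

def unwrap(text: str) -> List[Tuple[str, str]]:
    """Rejoin wrapped entries: a line without the timestamp prefix continues the previous one."""
    entries: List[Tuple[str, str]] = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif entries:
            when, msg = entries[-1]
            entries[-1] = (when, f"{msg} {line}".strip())
    return entries

def analyze(text: str) -> CertReport:
    """Collect the certificate-related steps of one Main Mode exchange."""
    rep, search, ca_list = CertReport(), None, None
    for when, msg in unwrap(text):
        if ca_list is not None:          # the entry after a cert-request line names the CA
            target, ca_list = ca_list, None
            if re.match(r"[A-Z]+=", msg):
                target.append(msg)
                continue
        if msg == "Constructing Cert Request":
            ca_list = rep.requested_from_peer
        elif msg == "processing payload CRP":
            ca_list = rep.requested_by_peer
        elif msg == "Signature validated":
            rep.peer_signature_validated = True
        elif msg.startswith("Looking for "):
            search = msg[len("Looking for "):]   # "IPSec only cert" or "any cert"
        elif msg == "Ignoring root only chain":
            rep.local_lookups.append((search, ROOT_ONLY))
        elif msg == "IKE failed to find valid machine certificate":
            rep.no_machine_cert = True
        chain = re.match(r"failed to get chain ([0-9a-fA-F]{8})$", msg)
        if chain:
            code = int(chain.group(1), 16)
            rep.local_lookups.append((search, HRESULTS.get(code, hex(code))))
        status = re.match(r"(?:ProcessFailure|SA Dead\.).*status:([0-9a-fA-F]+)$", msg)
        if status:
            code = int(status.group(1), 16)   # logged in hex, documented in decimal
            rep.failures.append((when, IKE_STATUS.get(code, str(code))))
    return rep

def local_lookup_failed(rep: CertReport) -> bool:
    """True when the peer's certificate verified but no usable local chain was found."""
    not_found = any(outcome == "CRYPT_E_NOT_FOUND" for _, outcome in rep.local_lookups)
    return rep.peer_signature_validated and not_found and rep.no_machine_cert

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(report)
    print("local certificate lookup failed:", local_lookup_failed(report))
```

On the posted lines the report shows the peer's signature validating, then both local searches skipping a root-only chain and ending in CRYPT_E_NOT_FOUND, so the certificate to inspect is the one in the store of the machine that wrote the log.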

1-07: 17:24:53:140:360
1-07: 17:24:53:140:360 Sending: SA = 0x03DCA1C8 to
68.227.86.101:Type 1.500
1-07: 17:24:53:140:360 ISAKMP Header: (V1.0), len = 84
1-07: 17:24:53:140:360 I-COOKIE a6f4a0ffb5ff7377
1-07: 17:24:53:140:360 R-COOKIE 9c912255400b69ee
1-07: 17:24:53:140:360 exchange: ISAKMP Informational
Exchange
1-07: 17:24:53:140:360 flags: 1 ( encrypted )
1-07: 17:24:53:140:360 next payload: HASH
1-07: 17:24:53:140:360 message ID: f4cf6b9c
1-07: 17:24:53:140:360 Ports S:f401 D:f401
1-07: 17:24:53:140:360 Worker exiting
1-07: 17:24:53:218:dc Queuing work item, packetsize 84
1-07: 17:24:53:218:360
1-07: 17:24:53:218:360 Receive: (get) SA = 0x03dca1c8
from 68.227.86.101.4500
1-07: 17:24:53:218:360 ISAKMP Header: (V1.0), len = 84
1-07: 17:24:53:218:360 I-COOKIE a6f4a0ffb5ff7377
1-07: 17:24:53:218:360 R-COOKIE 9c912255400b69ee
1-07: 17:24:53:218:360 exchange: ISAKMP Informational
Exchange
1-07: 17:24:53:218:360 flags: 1 ( encrypted )
1-07: 17:24:53:218:360 next payload: HASH
1-07: 17:24:53:218:360 message ID: 5a932dd2
1-07: 17:24:53:218:360 processing HASH (Notify/Delete)
1-07: 17:24:53:218:360 processing payload DELETE
1-07: 17:24:53:218:360 SA Dead. sa:03DCA1C8 status:35ef
1-07: 17:24:53:218:360 Worker exiting
1-07: 17:25:16:562:360 QM Deleted. Notify from driver:
Src 192.168.23.132 Dest 63.77.208.4 InSPI 3804782403
OutSpi 0 Tunnel 0 TunnelFilter 0
1-07: 17:25:16:562:170 QM Deleted. Notify from driver:
Src 192.168.72.12 Dest 63.77.208.4 InSPI 3863557746 OutSpi
0 Tunnel 0 TunnelFilter 0
1-07: 17:25:16:562:360 Removing SPI=3804782403
addr=4d04d3f flags=0
1-07: 17:25:16:562:170 Removing SPI=3863557746
addr=4d04d3f flags=0
1-07: 17:25:16:562:360 Failed to find SA to process
driver notify. Spi -490184893
1-07: 17:25:16:562:170 Failed to find SA to process
driver notify. Spi -431409550
1-07: 17:25:16:562:360 ICookie d84b48310a682820
1-07: 17:25:16:562:170 ICookie 0e1344df4fb2fe33
1-07: 17:25:16:562:360 PrivatePeerAddr 0
1-07: 17:25:16:562:170 PrivatePeerAddr 0
1-07: 17:25:23:31:e4 TotalActiveTimers--3 0
1-07: 17:25:23:31:e4 TotalActiveTimers++ 1
1-07: 17:25:23:31:e4 Inserting entry 03DF0CB8 in slot 18
CurWheelIndex 51 delta 32000
1-07: 17:25:23:31:e4 Handling Retransmit: sa 03DCA530
centry 00000000 handle 03DF0CB8 type 2
1-07: 17:25:23:31:e4 retransmit exhausted: sa = 03DCA530
centry 00000000, count = 6
1-07: 17:25:23:31:e4 SA Dead. sa:03DCA530 status:35ed
1-07: 17:25:23:31:e4 isadb_set_status sa:03DCA530
centry:00000000 status 35ed
1-07: 17:25:23:31:e4 Stopping RetransTimer sa:03DCA530
centry:00000000 handle:03DF0CB8
1-07: 17:25:23:31:e4 TotalActiveTimers--2 0
1-07: 17:25:23:31:e4 constructing ISAKMP Header
1-07: 17:25:23:31:e4 constructing DELETE. MM 03DCA530
1-07: 17:25:23:31:e4 send_request SA 03DCA530 centry
00000000 RetryType 1 Context 00000000
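
An added example, not part of the original post: a Python triage script that rejoins the wrapped oakley.log records and decodes the hex codes this log reports (`80092004`, `35ed`, `35ee`, `35ef`) to their winerror.h names. The sample lines are constructed in the log's format, and the function names are illustrative.

```python
import re

# Constructed sample in the oakley.log format quoted above, including the
# line wrapping introduced when the log was pasted into the post.
SAMPLE = """\
1-07: 17:24:53:125:360 Looking for IPSec only cert
1-07: 17:24:53:125:360 Ignoring root only chain
1-07: 17:24:53:125:360 failed to get chain 80092004
1-07: 17:24:53:125:360 ProcessFailure: sa:03DCA1C8
centry:00000000 status:35ee
1-07: 17:25:23:31:e4 SA Dead. sa:03DCA530 status:35ed
"""

# Record prefix: month-day, h:m:s:ms, hex thread id.
STAMP = re.compile(r"^\d+-\d+: \d+:\d+:\d+:\d+:[0-9a-f]+ ?")
CHAIN = re.compile(r"failed to get chain ([0-9a-f]{8})")
STATUS = re.compile(r"sa:([0-9A-Fa-f]{8}).*\bstatus:? ?([0-9a-f]{4})\b")

# Symbolic names from winerror.h for the hex codes that appear in the log.
CODES = {
    0x80092004: "CRYPT_E_NOT_FOUND",
    0x35ED: "ERROR_IPSEC_IKE_TIMED_OUT",
    0x35EE: "ERROR_IPSEC_IKE_NO_CERT",
    0x35EF: "ERROR_IPSEC_IKE_SA_DELETED",
}

def name(hex_code):
    return CODES.get(int(hex_code, 16), "0x" + hex_code)

def unwrap(text):
    """Rejoin wrapped continuation lines onto their timestamped record."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            records.append(line[m.end():].strip())
        elif records and line.strip():
            records[-1] = (records[-1] + " " + line.strip()).strip()
    return records

def summarize(text):
    """Count local cert-selection failures; keep the first status per SA."""
    out = {"root_only_skipped": 0, "chain_failures": [], "sa_status": {}}
    for rec in unwrap(text):
        out["root_only_skipped"] += rec == "Ignoring root only chain"
        m = CHAIN.search(rec)
        if m:
            out["chain_failures"].append(name(m.group(1)))
        m = STATUS.search(rec)
        if m:
            out["sa_status"].setdefault(m.group(1).upper(), name(m.group(2)))
    return out
```

Calling `summarize()` on the full text of an oakley.log gives, per SA, the first failure status recorded, which is the cause rather than the later SA teardown code.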

