Group:  English: General » microsoft.public.windows.networking.ipsec
Thread: SA Quick Mode Complete but not encrypting

Mark D. (GY) 12.06.2007 22:35:00
Hi,

I have two servers sitting on different sites. They have Kerio software
firewalls running and I need to get IPsec working on them.

To test the connection, I'm trying to get traffic from one site to the other
encrypted on port 80. I have set up the policies and I can see the Security
Associations have successfully been established. However, the actual data
doesn't seem to be passing across.


My log files are:

6-12: 23:23:15:468:5d4 Receive: (get) SA = 0x04db2720 from 88.xx.xx.xx.500
6-12: 23:23:15:468:5d4 ISAKMP Header: (V1.0), len = 52
6-12: 23:23:15:468:5d4 I-COOKIE ae26114f7038b095
6-12: 23:23:15:468:5d4 R-COOKIE d469050dc17cceaa
6-12: 23:23:15:468:5d4 exchange: Oakley Quick Mode
6-12: 23:23:15:468:5d4 flags: 3 ( encrypted commit )
6-12: 23:23:15:468:5d4 next payload: HASH
6-12: 23:23:15:468:5d4 message ID: 5b77dbf3
6-12: 23:23:15:468:5d4 processing HASH (QM)
6-12: 23:23:15:468:5d4 ClearFragList
6-12: 23:23:15:468:5d4 Adding QMs: src = 89.xx.xx.xx.0080, dst = 88.xx.xx.xx4.0000, proto = 06, context = 00000010, my tunnel = 0.0.0.0, peer tunnel = 0.0.0.0, SrcMask = 0.0.0.0, DestMask = 0.0.0.0 Lifetime = 3600 LifetimeKBytes 100000 dwFlags 0 Direction 1 EncapType 1
6-12: 23:23:15:468:5d4 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
6-12: 23:23:15:468:5d4 Algo[0] MySpi: 3986995574 PeerSpi: 1759997365
6-12: 23:23:15:468:5d4 Encap Ports Src 500 Dst 500
6-12: 23:23:15:468:5d4 isadb_set_status sa:04DB2720 centry:000EB818 status 0
6-12: 23:23:15:468:5d4 Constructing Commit Notify
6-12: 23:23:15:468:5d4 constructing ISAKMP Header
6-12: 23:23:15:468:5d4 constructing HASH (null)
6-12: 23:23:15:468:5d4 constructing NOTIFY 16384
6-12: 23:23:15:468:5d4 constructing HASH (QM)
6-12: 23:23:15:468:5d4
6-12: 23:23:15:468:5d4 Sending: SA = 0x04DB2720 to 88.xx.xx.xx:Type 4.500
6-12: 23:23:15:468:5d4 ISAKMP Header: (V1.0), len = 84
6-12: 23:23:15:468:5d4 I-COOKIE ae26114f7038b095
6-12: 23:23:15:468:5d4 R-COOKIE d469050dc17cceaa
6-12: 23:23:15:468:5d4 exchange: Oakley Quick Mode
6-12: 23:23:15:468:5d4 flags: 3 ( encrypted commit )
6-12: 23:23:15:468:5d4 next payload: HASH
6-12: 23:23:15:468:5d4 message ID: 5b77dbf3
6-12: 23:23:15:468:5d4 Ports S:f401 D:f401
6-12: 23:24:06:312:5d4 CE Dead. sa:04DB2720 ce:000EB818 status:35f0


while the other side reports:

6-12: 23:23:22:156:458 Receive: (get) SA = 0x00119e18 from 89.xx.xx.xx.500
6-12: 23:23:22:156:458 ISAKMP Header: (V1.0), len = 84
6-12: 23:23:22:156:458 I-COOKIE ae26114f7038b095
6-12: 23:23:22:156:458 R-COOKIE d469050dc17cceaa
6-12: 23:23:22:156:458 exchange: Oakley Quick Mode
6-12: 23:23:22:156:458 flags: 3 ( encrypted commit )
6-12: 23:23:22:156:458 next payload: HASH
6-12: 23:23:22:156:458 message ID: 5b77dbf3
6-12: 23:23:22:156:458 processing HASH (Notify/Delete)
6-12: 23:23:22:156:458 ClearFragList
6-12: 23:23:22:156:458 processing payload NOTIFY
6-12: 23:23:22:156:458 Adding QMs: src = 88.xx.xx.xx.0000, dst = 89.xx.xx.xx.0080, proto = 06, context = 00000012, my tunnel = 0.0.0.0, peer tunnel = 0.0.0.0, SrcMask = 0.0.0.0, DestMask = 0.0.0.0 Lifetime = 3600 LifetimeKBytes 100000 dwFlags 100 Direction 3 EncapType 1
6-12: 23:23:22:156:458 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
6-12: 23:23:22:156:458 Algo[0] MySpi: 1759997365 PeerSpi: 3986995574
6-12: 23:23:22:156:458 Encap Ports Src 500 Dst 500
6-12: 23:23:22:156:458 Skipping Inbound SA add
6-12: 23:23:22:156:458 isadb_set_status sa:00119E18 centry:000E45F8 status 0
6-12: 23:23:22:156:458 CE Dead. sa:00119E18 ce:000E45F8 status:0


This has been driving me mad for 4 days now so I'm hoping someone will be
able to offer some advice?

Thanks,
Mark.
RE: SA Quick Mode Complete but not encrypting
Mark D. (GY) 12.06.2007 22:39:02
I should also mention that I have tried completely removing the Kerio
firewalls to make sure that wasn't causing the problem.



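An added example, not part of either post: a Python cross-check of the quick mode records taken from both peers' IKE trace logs (mirrored filters, matching transforms, mirrored SPIs, final CE status). The sample lines are constructed in the thread's layout with placeholder addresses, and the field patterns are assumptions inferred from the lines quoted above.

```python
import re

# Constructed sample in the thread's log layout: placeholder addresses,
# wrapped records joined onto one line, SPI and status values as posted.
SIDE_A = """\
6-12: 23:23:15:468:5d4 Adding QMs: src = 192.0.2.10.0080, dst = 198.51.100.20.0000, proto = 06, context = 00000010
6-12: 23:23:15:468:5d4 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
6-12: 23:23:15:468:5d4 Algo[0] MySpi: 3986995574 PeerSpi: 1759997365
6-12: 23:24:06:312:5d4 CE Dead. sa:04DB2720 ce:000EB818 status:35f0
"""
SIDE_B = """\
6-12: 23:23:22:156:458 Adding QMs: src = 198.51.100.20.0000, dst = 192.0.2.10.0080, proto = 06, context = 00000012
6-12: 23:23:22:156:458 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
6-12: 23:23:22:156:458 Algo[0] MySpi: 1759997365 PeerSpi: 3986995574
6-12: 23:23:22:156:458 CE Dead. sa:00119E18 ce:000E45F8 status:0
"""

# Assumed field patterns, inferred from the log lines shown in the thread.
PATTERNS = {
    "filter": re.compile(r"Adding QMs: src = ([^,\s]+), dst = ([^,\s]+), proto = (\w+)"),
    "algo": re.compile(r"Operation: (\w+) Algo: (.+?) HMAC: (\w+)"),
    "spi": re.compile(r"MySpi: (\d+) PeerSpi: (\d+)"),
    "dead": re.compile(r"CE Dead\..*status:([0-9a-fA-F]+)"),
}

def parse_side(text):
    """Return the last match of each record type found in one peer's log."""
    found = {}
    for line in text.splitlines():
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                found[name] = match.groups()
    return found

def cross_check(a, b):
    """Compare both peers' view of one quick mode SA; return findings."""
    findings = []
    fa, fb = a.get("filter"), b.get("filter")
    if not (fa and fb) or fa != (fb[1], fb[0], fb[2]):
        findings.append(f"filters not mirrored: {fa} vs {fb}")
    if not a.get("algo") or a.get("algo") != b.get("algo"):
        findings.append(f"transforms differ: {a.get('algo')} vs {b.get('algo')}")
    sa, sb = a.get("spi"), b.get("spi")
    if not (sa and sb) or sa != sb[::-1]:
        findings.append(f"SPIs not mirrored: {sa} vs {sb}")
    for label, side in (("A", a), ("B", b)):
        status = side.get("dead")
        if status and int(status[0], 16) != 0:  # status is printed in hex
            findings.append(f"side {label}: CE Dead status 0x{status[0]} ({int(status[0], 16)})")
    return findings
```

On the constructed sample the only finding is the non-zero CE Dead status on side A; what that status means is not stated in the thread.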
