Hi,
In the Security Manager for the Shiva VPN Gateway, I have defined an Access Control List with a Security Association (SA) that does a match on e-mail address. The client supplies the e-mail address when it requests a connection. When the client initiated the tunnel, this is the log seen on the client. (First log entries are at the bottom, most recent are at the top.) We get fairly well into the negotiation when we hit a snag:
11/17/2005 [4:41:12 PM] [tunnel]:No SA defined for DHCP, Client IP not obtained
Anyone out there have some insight as to why the SA does not appear to be defined to DHCP? The VPN gateway is set up to be a DHCP server for the incoming clients.
*******************************************************
11/17/2005 [4:41:13 PM] [ipsec] DELETE NOTIF (ISAKMP) for CKY-I: 1c0079acbf13194e, CKY-R: 3cce8c5bd4c7ffed sent to 24.158.16.210, 4500 [63cb6bfe]
11/17/2005 [4:41:13 PM] [ipsec] New INFO exchange for 24.158.16.210, INITIATOR [63cb6bfe]
11/17/2005 [4:41:13 PM] [ipsec] IKE_QUICK_I_2: PKT sent to 24.158.16.210, 4500 [288f3a62]
11/17/2005 [4:41:13 PM] [ipsec] DELETE NOTIF (ESP) for SPI: 0x0D667983 sent to 24.158.16.210, 4500 [6e5d1ad6]
11/17/2005 [4:41:13 PM] [ipsec] New INFO exchange for 24.158.16.210, INITIATOR [6e5d1ad6]
11/17/2005 [4:41:12 PM] [tunnel]:No SA defined for DHCP, Client IP not obtained
11/17/2005 [4:41:12 PM] [ipsec] IKE_QUICK_R_1: Negotiation DONE with 24.158.16.210, 4500 [58a55e4b]
11/17/2005 [4:41:12 PM] [ipsec] IKE_QUICK_I_1: PKT sent to 24.158.16.210, 4500 [288f3a62]
11/17/2005 [4:41:12 PM] [ipsec] IKE_QUICK_R_1: PKT sent to 24.158.16.210, 4500 [58a55e4b]
11/17/2005 [4:41:12 PM] [ipsec] New QUICK SA for 24.158.16.210, INITIATOR [288f3a62]
11/17/2005 [4:41:12 PM] [ipsec] REPLAY-STATUS disabled (ESP) NOTIF sent to 24.158.16.210, 4500 [58a55e4b]
11/17/2005 [4:41:12 PM] [ipsec] New QUICK SA for 24.158.16.210, RESPONDER [58a55e4b]
11/17/2005 [4:41:12 PM] [ipsec] IKE_NEGOTIATION_DONE_1: Negotiation DONE with 24.158.16.210, 4500 [54dc368f] id [0341]
11/17/2005 [4:41:11 PM] [ipsec] IKE_CONFIG_I_1: PKT sent to 24.158.16.210, 4500 [54dc368f] id [0341]
11/17/2005 [4:41:11 PM] [ipsec] New CONFIG exchange for 24.158.16.210, INITIATOR [54dc368f]
11/17/2005 [4:41:10 PM] [ipsec] INITIAL-CONTACT NOTIF sent to 24.158.16.210, 4500 [28fa2778]
11/17/2005 [4:41:10 PM] [ipsec] IKE_BASE_I_2: Negotiation DONE with 24.158.16.210, 4500 [0000]
11/17/2005 [4:41:10 PM] [ipsec] NAT devices found on both ends on the route to 24.158.16.210.
11/17/2005 [4:41:09 PM] [ipsec] IKE_BASE_I_2: PKT sent to 24.158.16.210, 500 [0000]
11/17/2005 [4:41:08 PM] [ipsec] RESPONDER-LIFETIME (ISAKMP) NOTIF rcvd (3600 sec) from 24.158.16.210, 500 [0000]
11/17/2005 [4:41:08 PM] [ipsec] XAUTH supported by this vendor
11/17/2005 [4:41:08 PM] [ipsec] Heartbeats supported by this vendor
11/17/2005 [4:41:08 PM] [ipsec] IKE_BASE_I_1: PKT sent to 24.158.16.210, 500 [0000]
11/17/2005 [4:41:08 PM] [ipsec] New BASE SA for 24.158.16.210, INITIATOR , PRESHARED KEYS [0000]
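
An added example, not part of the original post: a small Python parser that puts an excerpt of the newest-first client log above into chronological order and reports which exchanges logged "Negotiation DONE", the first [tunnel] error, and the DELETE notifications sent after it. The function names and the regular expression are assumptions made for this illustration, not part of the Shiva client.

```python
import re
from datetime import datetime

# Excerpt of the client log from the post above, newest entry first as posted.
LOG = """\
11/17/2005 [4:41:13 PM] [ipsec] DELETE NOTIF (ISAKMP) for CKY-I: 1c0079acbf13194e, CKY-R: 3cce8c5bd4c7ffed sent to 24.158.16.210, 4500 [63cb6bfe]
11/17/2005 [4:41:13 PM] [ipsec] DELETE NOTIF (ESP) for SPI: 0x0D667983 sent to 24.158.16.210, 4500 [6e5d1ad6]
11/17/2005 [4:41:12 PM] [tunnel]:No SA defined for DHCP, Client IP not obtained
11/17/2005 [4:41:12 PM] [ipsec] IKE_QUICK_R_1: Negotiation DONE with 24.158.16.210, 4500 [58a55e4b]
11/17/2005 [4:41:12 PM] [ipsec] New QUICK SA for 24.158.16.210, INITIATOR [288f3a62]
11/17/2005 [4:41:12 PM] [ipsec] IKE_NEGOTIATION_DONE_1: Negotiation DONE with 24.158.16.210, 4500 [54dc368f] id [0341]
11/17/2005 [4:41:11 PM] [ipsec] New CONFIG exchange for 24.158.16.210, INITIATOR [54dc368f]
11/17/2005 [4:41:10 PM] [ipsec] IKE_BASE_I_2: Negotiation DONE with 24.158.16.210, 4500 [0000]
11/17/2005 [4:41:08 PM] [ipsec] New BASE SA for 24.158.16.210, INITIATOR , PRESHARED KEYS [0000]
"""

# date, [time], [source] with an optional trailing colon, then the message text
LINE = re.compile(r"^(\d+/\d+/\d+) \[(\d+:\d+:\d+ [AP]M)\] \[(\w+)\]:?\s*(.*)$")

def parse(text):
    """Return log entries oldest-first; the client writes them newest-first."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip separators and anything that is not a log line
        ts = datetime.strptime(m.group(1) + " " + m.group(2), "%m/%d/%Y %I:%M:%S %p")
        entries.append({"ts": ts, "src": m.group(3), "msg": m.group(4)})
    # Timestamps only have one-second resolution: reverse first so entries within
    # the same second keep their real order, then apply a stable sort by time.
    entries.reverse()
    entries.sort(key=lambda e: e["ts"])
    return entries

def summarize(entries):
    """Completed exchanges, the first [tunnel] error, and teardown sent after it."""
    done, error, teardown = [], None, []
    for e in entries:
        if e["src"] == "tunnel" and error is None:
            error = e
        elif "Negotiation DONE" in e["msg"]:
            done.append(e["msg"].split(":")[0])
        elif error and e["msg"].startswith("DELETE NOTIF"):
            teardown.append(e["msg"].split(" for ")[0])
    return done, error, teardown
```
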