ipcop-user

[IPCop-user] Windows VPN client help - thegreenbow

[Charles R. <mai...@aw...>]

Is anyone using TheGreenBow VPN client with IP Cop?  www.thegreenbow.com

I am trying to setup a simple PSK VPN and IP Cop is not getting past 
Phase1 of the IPSEC authentication.  I have followed their IP Cop 
specific instructions to the letter so I am rather frustrated.

You can see a copy of the the IP Cop log at the bottom of this message.  
I know that is it complaining about a mismatched preshared secret.  But 
I have made the secret a grand total of three letters and I know darn 
well it is entered correctly in TheGreenBow.

My current test setup is:  TheGreenBow Computer--> IP Cop firewall 
---->  Internet ---> IP Cop firewall.    I do not think this should have 
an impact on things.  I am not doing to an IP Cop to IP Cop VPN as this 
is for a laptop that will be traveling to various locations with various 
Internet connections.  I would worry if the software cannot work behind 
IP Cop.

Anyone have suggestions on setting this up?

As an FYI, I am looking at this software as I have yet to find a 
reliable IPSEC VPN client for Windows/IP Cop combos.  If anyone can 
suggest other software, then please give some suggestions.  Do note that 
OpenVPN is not an option as it does not work when the Windows users is a 
limited (locked down) user.  Any software suggested must work with a 
limited user.

Thanks in advance.

Cheers.

--- Charles


IP Cop Log:
===============================================
14:54:22 pluto[20429] "gbtest"[3] 99.225.xx.xxx #8: sending notification 
PAYLOAD_MALFORMED to 99.225.xx.xxx:500
14:54:22 pluto[20429] "gbtest"[3] 99.225.xx.xxx #8: probable 
authentication failure (mismatch of preshared secrets?): malformed 
payload in packet
14:54:22 pluto[20429] "gbtest"[3] 99.225.xx.xxx #8: next payload type of 
ISAKMP Identification Payload has an unknown value: 88
14:54:12 pluto[20429] "gbtest"[3] 99.225.xx.xxx #8: sending notification 
PAYLOAD_MALFORMED to 99.225.xx.xxx:500
14:54:12 pluto[20429] "gbtest"[3] 99.225.xx.xxx #8: probable 
authentication failure (mismatch of preshared secrets?): malformed 
payload in packet
14:54:12 pluto[20429] "gbtest"[3] 99.225.xx.xxx #8: next payload type of 
ISAKMP Identification Payload has an unknown value: 88
14:54:12 pluto[20429] "gbtest"[3] 99.225.xx.xxx #8: transition from 
state STATE_MAIN_R1 to state STATE_MAIN_R2
14:54:12 pluto[20429] "gbtest"[3] 99.225.xx.xxx #8: NAT-Traversal: 
Result using RFC 3947: no NAT detected
14:54:12 pluto[20429] "gbtest"[3] 99.225.xx.xxx #8: transition from 
state (null) to state STATE_MAIN_R1
14:54:12 pluto[20429] "gbtest"[3] 99.225.xx.xxx #8: responding to Main 
Mode from unknown peer 99.225.xx.xxx
14:54:12 pluto[20429] packet from 99.225.xx.xxx:500: received Vendor ID 
payload [Dead Peer Detection]
14:54:12 pluto[20429] packet from 99.225.xx.xxx:500: ignoring Vendor ID 
payload [draft-ietf-ipsec-nat-t-ike-00]
14:54:12 pluto[20429] packet from 99.225.xx.xxx:500: ignoring Vendor ID 
payload [draft-ietf-ipsec-nat-t-ike-02]
14:54:12 pluto[20429] packet from 99.225.xx.xxx:500: ignoring Vendor ID 
payload [draft-ietf-ipsec-nat-t-ike-03]
14:54:12 pluto[20429] packet from 99.225.xx.xxx:500: received Vendor ID 
payload [RFC 3947]
14:54:12 pluto[20429] "gbtest"[2] 99.225.xx.xxx: deleting connection 
"gbtest" instance with peer 99.225.xx.xxx
14:54:12 pluto[20429] "gbtest"[2] 99.225.xx.xxx #7: max number of 
retransmissions (2) reached STATE_MAIN_R2
14:53:32 pluto[20429] "gbtest"[2] 99.225.xx.xxx #7: sending notification 
PAYLOAD_MALFORMED to 99.225.xx.xxx:500
14:53:32 pluto[20429] "gbtest"[2] 99.225.xx.xxx #7: probable 
authentication failure (mismatch of preshared secrets?): malformed 
payload in packet
14:53:32 pluto[20429] "gbtest"[2] 99.225.xx.xxx #7: next payload type of 
ISAKMP Identification Payload has an unknown value: 68
14:53:12 pluto[20429] "gbtest"[2] 99.225.xx.xxx #7: sending notification 
PAYLOAD_MALFORMED to 99.225.xx.xxx:500
14:53:12 pluto[20429] "gbtest"[2] 99.225.xx.xxx #7: probable 
authentication failure (mismatch of preshared secrets?): malformed 
payload in packet
14:53:12 pluto[20429] "gbtest"[2] 99.225.xx.xxx #7: next payload type of 
ISAKMP Identification Payload has an unknown value: 68
14:53:02 pluto[20429] "gbtest"[2] 99.225.xx.xxx #7: sending notification 
PAYLOAD_MALFORMED to 99.225.xx.xxx:500
14:53:02 pluto[20429] "gbtest"[2] 99.225.xx.xxx #7: probable 
authentication failure (mismatch of preshared secrets?): malformed 
payload in packet
14:53:02 pluto[20429] "gbtest"[2] 99.225.xx.xxx #7: next payload type of 
ISAKMP Identification Payload has an unknown value: 68
14:53:02 pluto[20429] "gbtest"[2] 99.225.xx.xxx #7: transition from 
state STATE_MAIN_R1 to state STATE_MAIN_R2
14:53:02 pluto[20429] "gbtest"[2] 99.225.xx.xxx #7: NAT-Traversal: 
Result using RFC 3947: no NAT detected
14:53:02 pluto[20429] "gbtest"[2] 99.225.xx.xxx #7: transition from 
state (null) to state STATE_MAIN_R1
14:53:02 pluto[20429] "gbtest"[2] 99.225.xx.xxx #7: responding to Main 
Mode from unknown peer 99.225.xx.xxx
14:53:02 pluto[20429] packet from 99.225.xx.xxx:500: received Vendor ID 
payload [Dead Peer Detection]
14:53:02 pluto[20429] packet from 99.225.xx.xxx:500: ignoring Vendor ID 
payload [draft-ietf-ipsec-nat-t-ike-00]
14:53:02 pluto[20429] packet from 99.225.xx.xxx:500: ignoring Vendor ID 
payload [draft-ietf-ipsec-nat-t-ike-02]
14:53:02 pluto[20429] packet from 99.225.xx.xxx:500: ignoring Vendor ID 
payload [draft-ietf-ipsec-nat-t-ike-03]
14:53:02 pluto[20429] packet from 99.225.xx.xxx:500: received Vendor ID 
payload [RFC 3947]

Re: [IPCop-user] Windows VPN client help - thegreenbow

[Andrew B. <an...@hi...>]

I had a certain amount of success using SSH Sentinel (version 3) as a 
non-commercial user with a modem connection, but ran into problems when 
the client was located behind a NATing router.  Because Sentinel loads 
when the computer starts, and intercepted all communication, this meant 
that the client had no internet access at all (not just an absence of 
VPN) when behind a NATing router.

I believe there are supposed to be ways around this but it all became 
too much for me and now I limit my remote access to VNC over an SSH 
tunnel.

So, does the GreenBow work any better if the client is on a modem (real 
IP address)?  Does it have any dedicated NAT traversal features you 
need to be turning on?  Am I talking complete rot?

Cannot comment on operation with a locked-down user but I suspect the 
newer versions would feel right at home.

Regards,  Andrew Borland (UK)

Re: [IPCop-user] Windows VPN client help - thegreenbow

[Chris R. <cj...@tr...>]

On Thursday 23 Oct 2008, Charles Roy wrote:
> Do note that
> OpenVPN is not an option as it does not work when the Windows users is a
> limited (locked down) user.

This is probably a really ignorant answer (you have been warned!), but would 
it not be possible to set up OpenVPN to "run as administrator", so that the 
user remains locked down but OpenVPN runs with sufficient rights.

Just a thought.

Chris.

Re: [IPCop-user] Windows VPN client help - thegreenbow

[Brad M. <b-m...@co...>]

>> Do note that
>> OpenVPN is not an option as it does not work when the Windows users is a
>> limited (locked down) user.

> This is probably a really ignorant answer (you have been warned!), but
would 
> it not be possible to set up OpenVPN to "run as administrator", so that
the 
> user remains locked down but OpenVPN runs with sufficient rights.

The OpenVPN (+GUI) version I'm running has a service mode that allows
limited users to open connections. Exactly what the OP claims doesn't work.

Regards,

Brad