Hello,<br><br>I realized what was wrong. The problem was the split-tunnel acl wich contains only a /32 address. I think something is wrong with Shrew implementation of the split-tunneling function (VPNC is working in this setup) because even the route appears in the routing table, the packets fail the SA identity check on Cisco:<br>
<br>Jul 7 13:31:32: IPSEC(epa_des_crypt): decrypted packet failed SA identity check<br>Jul 7 13:31:33: IPSEC(epa_des_crypt): decrypted packet failed SA identity check<br>Jul 7 13:31:34: IPSEC(epa_des_crypt): decrypted packet failed SA identity check<br>
<br>Now, with a /30 in the split-tunnel acl, everything is as it should be:<br><br> route -n | grep 10.10.10.0 <br>10.10.10.0 3.3.3.3 255.255.255.252 UG 0 0 0 tap0<br><br>vpn-concentrator#sh crypto ipsec sa peer 2.2.2.2 | i encaps|decaps<br>
#pkts encaps: 1227, #pkts encrypt: 1227, #pkts digest: 1227<br><br>Thank you,<br><br><div class="gmail_quote">On Thu, Jul 7, 2011 at 11:40 AM, mihai gabriel <span dir="ltr"><<a href="mailto:mihaigabriel@gmail.com">mihaigabriel@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hello, <br><br> I a have a Cisco 7200 with a VAM2+ PA installed that is
acting as an ipsec concentrator. Using vpnc everything is ok, but with
Shrew (Linux or Windows) even the tunnel is up, there is no traffic
passed through the tunnel.<br>
The difference between vpnc and Shrew is that on 7200, the local_proxy is set to <a href="http://0.0.0.0/255.255.255.255/0/0" target="_blank">0.0.0.0/255.255.255.255/0/0</a> (type=1) when Shrew is used, and local_proxy= <a href="http://0.0.0.0/0.0.0.0/0/0" target="_blank">0.0.0.0/0.0.0.0/0/0</a> (type=4) when vpnc is used.<br>
I attached the config and some logs on cisco:<br><br>crypto isakmp policy 1<br> encr aes<br> authentication pre-share<br> group 2<br>!<br>crypto isakmp client configuration group vpn<br> key 6 ThJ\giXJQKgTAVSMV^]QVdeJ[faFPgPVe<br>
pool ippool<br> acl 100<br> netmask 255.255.255.224<br>crypto isakmp profile vpn<br> match identity group vpn<br> virtual-template 1<br><br>crypto ipsec transform-set vpn esp-aes esp-sha-hmac <br>!<br>crypto ipsec profile vpn<br>
set security-association lifetime seconds 3600<br> set transform-set vpn<br> set isakmp-profile vpn<br><br>crypto dynamic-map vpn 1<br> set transform-set vpn<br><br> interface Virtual-Template1 type tunnel<br> ip unnumbered FastEthernet0/0<br>
ip virtual-reassembly<br> tunnel source FastEthernet0/1<br> tunnel mode ipsec ipv4<br> tunnel protection ipsec profile vpn<br><br><br>Cisco debug when Shrew is used:<br><br>Jul 7 11:04:44: IPSEC(validate_proposal_request): proposal part #1,<br>
(key eng. msg.) INBOUND local= 1.1.1.1, remote= 2.2.2.2, <br> local_proxy= <a href="http://0.0.0.0/255.255.255.255/0/0" target="_blank">0.0.0.0/255.255.255.255/0/0</a> (type=1), <br> remote_proxy= <a href="http://3.3.3.3/255.255.255.255/0/0" target="_blank">3.3.3.3/255.255.255.255/0/0</a> (type=1),<br>
protocol= ESP, transform= NONE (Tunnel), <br> lifedur= 0s and 0kb, <br> spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0<br><br> <br>IPSEC(epa_des_crypt): decrypted packet failed SA identity check<br>IPSEC(epa_des_crypt): decrypted packet failed SA identity check<br>
<br>vpn-concentrator#sh crypto isakmp sa<br>IPv4 Crypto ISAKMP SA<br>dst src state conn-id status<br>1.1.1.1 2.2.2.2 QM_IDLE 13019 ACTIVE<br>
<br>vpn-concentrator#sh crypto ipsec sa<br><br>interface: Virtual-Access3<br> Crypto map tag: Virtual-Access3-head-9, local addr 1.1.1.1<br><br> protected vrf: (none)<br> local ident (addr/mask/prot/port): (<a href="http://0.0.0.0/255.255.255.255/0/0" target="_blank">0.0.0.0/255.255.255.255/0/0</a>)<br>
remote ident (addr/mask/prot/port): (<a href="http://3.3.3.3/255.255.255.255/0/0" target="_blank">3.3.3.3/255.255.255.255/0/0</a>)<br> current_peer 2.2.2.2 port 500<br> PERMIT, flags={origin_is_acl,}<br> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0<br>
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0<br> #pkts compressed: 0, #pkts decompressed: 0<br> #pkts not compressed: 0, #pkts compr. failed: 0<br> #pkts not decompressed: 0, #pkts decompress failed: 0<br>
#send errors 0, #recv errors 0<br><br>Shrew logs:<br>
<br>
11/07/07 08:43:49 ii : - loc ANY:3.3.3.3:* -> ANY:0.0.0.0:*<br>
11/07/07 08:43:49 ii : - rmt ANY:0.0.0.0:* -> ANY:3.3.3.3:*<br>
11/07/07 08:43:49 ii : phase2 sa established<br>
11/07/07 08:43:49 ii :<a href="http://2.2.2.2:500" target="_blank">2.2.2.2:500</a> <-> <a href="http://1.1.1.1:500" target="_blank">1.1.1.1:500</a><br>
11/07/07 08:43:49 K< : recv pfkey GETSPI ESP message<br>
11/07/07 08:43:49 ii : - seq = 0x60c8de99<br>
11/07/07 08:43:49 ii : - spi = 0x40602cd0<br>
11/07/07 08:43:49 ii : - src = <a href="http://2.2.2.2:0" target="_blank">2.2.2.2:0</a><br>
11/07/07 08:43:49 ii : - dst = <a href="http://1.1.1.1:0" target="_blank">1.1.1.1:0</a><br>
<br><br><br>Using VPNC:<br><br>Jul 7 11:23:58: IPSEC(validate_proposal_request): proposal part #1,<br> (key eng. msg.) INBOUND local=1.1.1.1, remote= 2.2.2.2, <br> local_proxy= <a href="http://0.0.0.0/0.0.0.0/0/0" target="_blank">0.0.0.0/0.0.0.0/0/0</a> (type=4), <br>
remote_proxy= <a href="http://3.3.3.3/255.255.255.255/0/0" target="_blank">3.3.3.3/255.255.255.255/0/0</a> (type=1),<br> protocol= ESP, transform= NONE (Tunnel), <br> lifedur= 0s and 0kb, <br> spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0<br>
<br>I tried 3 IOS and Shrew 2.2 and 2.1.7. The ip addressess used are fictive.<br><br>I would be very grateful if someone would help me to solve this.<br><br>Thank you,<br>
</blockquote></div><br>