[vpn-devel] Strongswan / Shrew Split Tunnel
Markus Stockhausen
markus.stockhausen at collogia.de
Wed Feb 8 08:53:47 CST 2012
Hello,
at the moment I'm investigating some interoperability issues between
Shrew and Openswan when working with split tunnel setups. I do not
know whom to blame, so I start with the client side because the log
files encourage me to search for the error over there. Here we go:
To enable split tunnel on strongswan I inserted the following lines
into /etc/strongswan.conf
pluto {
    plugins {
        attr {
            netmask = 255.255.255.0
            28675 = collogia.de
            28676 = 192.168.2.0/24
        }
    }
}
With these, the pluto IKE daemon should inject the required Cisco Unity
Mode Config flags into the pull request. When looking at the logs,
everything looks nice:
...
| ****emit ISAKMP ModeCfg attribute:
| ModeCfg attr type: UNITY_SPLIT_INCLUDE
| emitting 8 raw bytes of UNITY_SPLIT_INCLUDE into ISAKMP ModeCfg attribute
| UNITY_SPLIT_INCLUDE c0 a8 02 00 ff ff ff 00
| emitting length of ISAKMP ModeCfg attribute: 8
| emitting length of ISAKMP Mode Attribute: 36
| ModeCfg HASH computed:
| 93 77 8c 5d a1 af d6 73 0a d8 98 0c a8 35 5a 62
| e9 72 69 a1
| emitting length of ISAKMP Message: 88
...
The packet is received by Shrew, which for some reason does not
find those attributes:
12/02/08 15:22:28 ii : configure hash verified
12/02/08 15:22:28 ii : received config pull response
12/02/08 15:22:28 ii : - IP4 Address = 192.0.2.1
12/02/08 15:22:28 ii : - IP4 Netmask = 255.255.255.0
12/02/08 15:22:28 DB : config resend event canceled ( ref count = 1 )
12/02/08 15:22:28 DB : config ref decrement ( ref count = 0, obj count = 1 )
12/02/08 15:22:28 DB : phase1 ref decrement ( ref count = 3, obj count = 1 )
12/02/08 15:22:31 ii : enabled adapter ROOT\VNET\0000
12/02/08 15:22:31 ii : apapter ROOT\VNET\0000 MTU is 1500
Searching the Shrew IKE source code, I thought that this
could be the result of getting a "No-Cisco" payload during the handshake.
At least the logs show that this should not be the case:
12/02/08 15:22:28 << : vendor id payload
12/02/08 15:22:28 ii : unknown vendor id ( 16 bytes )
12/02/08 15:22:28 0x : 882fe56d 6fd20dbc 2251613b 2ebe5beb
12/02/08 15:22:28 << : vendor id payload
12/02/08 15:22:28 ii : peer is CISCO UNITY compatible
12/02/08 15:22:28 << : vendor id payload
12/02/08 15:22:28 ii : peer supports XAUTH
I'm on Shrew 2.1.7 and everything works like a charm when using the
same setup with racoon on the other end.
Maybe someone can help.
Markus
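As an added example (not from the post and not code from Shrew or strongSwan), a small Python decoder for the ISAKMP Mode Config attribute payload: it rebuilds the reply from constructed bytes using the three attributes visible in the logs (IP4 Address, IP4 Netmask and the UNITY_SPLIT_INCLUDE bytes c0 a8 02 00 ff ff ff 00), which reproduces the 36-byte "Mode Attribute" length pluto reported, and then decodes the split-include entry as 192.168.2.0/24. The attribute numbers and payload header layout are taken from RFC 2408 and the Mode Config draft; the 8-byte network-plus-netmask layout of UNITY_SPLIT_INCLUDE is assumed from what pluto emitted above.

```python
import struct
import ipaddress

# Mode Config attribute types: INTERNAL_IP4_* from the ISAKMP Mode Config
# draft, Cisco Unity private numbers as mapped in strongswan.conf above.
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_NETMASK = 2
UNITY_DEF_DOMAIN = 28675
UNITY_SPLIT_INCLUDE = 28676
NAMES = {1: "IP4 Address", 2: "IP4 Netmask",
         28675: "UNITY_DEF_DOMAIN", 28676: "UNITY_SPLIT_INCLUDE"}

def encode_tlv(atype, value):
    """Type/Length/Value attribute (AF bit clear), the form pluto emits."""
    return struct.pack("!HH", atype & 0x7FFF, len(value)) + value

def build_modecfg_payload(attrs):
    """Attribute payload: 8-byte header (next payload, reserved, length,
    type=2 REPLY, reserved, identifier) followed by the attributes."""
    body = b"".join(encode_tlv(t, v) for t, v in attrs)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), 2, 0, 0) + body

def parse_modecfg_payload(payload):
    """Return [(type, value_bytes)] for every attribute after the header.
    AF=1 attributes carry a 2-byte value where the length field would be."""
    attrs, off = [], 8
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % off)
        raw_type, second = struct.unpack_from("!HH", payload, off)
        atype = raw_type & 0x7FFF
        if raw_type & 0x8000:                                   # TV form
            value, off = payload[off + 2:off + 4], off + 4
        else:                                                   # TLV form
            value, off = payload[off + 4:off + 4 + second], off + 4 + second
            if len(value) != second:
                raise ValueError("truncated value for attribute %d" % atype)
        attrs.append((atype, value))
    return attrs

def decode_attr(atype, value):
    """Human-readable value; split include = network + netmask per 8 bytes."""
    if atype in (INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK):
        return str(ipaddress.IPv4Address(value))
    if atype == UNITY_DEF_DOMAIN:
        return value.decode("ascii")
    if atype == UNITY_SPLIT_INCLUDE:
        nets = []
        for i in range(0, len(value) // 8 * 8, 8):
            net = str(ipaddress.IPv4Address(value[i:i + 4]))
            mask = str(ipaddress.IPv4Address(value[i + 4:i + 8]))
            nets.append(str(ipaddress.IPv4Network((net, mask))))
        return nets
    return value.hex()

# Constructed sample mirroring the reply in the post: the two attributes
# Shrew logs plus the UNITY_SPLIT_INCLUDE bytes it does not list.
SAMPLE_REPLY = build_modecfg_payload([
    (INTERNAL_IP4_ADDRESS, bytes([192, 0, 2, 1])),
    (INTERNAL_IP4_NETMASK, bytes([255, 255, 255, 0])),
    (UNITY_SPLIT_INCLUDE, bytes.fromhex("c0a80200ffffff00")),
])

def decoded_reply(payload=SAMPLE_REPLY):
    return {NAMES.get(t, str(t)): decode_attr(t, v)
            for t, v in parse_modecfg_payload(payload)}
```

Running `decoded_reply()` against a capture of the real exchange shows whether the split-include attribute actually arrived on the wire, which separates a sender-side emission problem from a client-side parsing one.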