[vpn-devel] Strongswan / Shrew Split Tunnel

Markus Stockhausen markus.stockhausen at collogia.de
Wed Feb 8 08:53:47 CST 2012


Hello,

at the moment I'm investigating some interoperability issues between
Shrew and Openswan when working with split tunnel setups. I do not
know whom to blame, so I start with the client side because the log
files encourage me to search for the error over there. Here we go:

To enable split tunnel on strongswan, I inserted the following lines
into /etc/strongswan.conf:

pluto {
   plugins {
     attr {
       netmask = 255.255.255.0
       28675 = collogia.de
       28676 = 192.168.2.0/24
     }
   }
}

With these, the pluto IKE daemon should inject the required Cisco Unity
Mode Config flags into the pull request. When looking at the logs,
everything looks nice:

...
| ****emit ISAKMP ModeCfg attribute:
|    ModeCfg attr type: UNITY_SPLIT_INCLUDE
| emitting 8 raw bytes of UNITY_SPLIT_INCLUDE into ISAKMP ModeCfg attribute
| UNITY_SPLIT_INCLUDE  c0 a8 02 00  ff ff ff 00
| emitting length of ISAKMP ModeCfg attribute: 8
| emitting length of ISAKMP Mode Attribute: 36
| ModeCfg HASH computed:
|   93 77 8c 5d  a1 af d6 73  0a d8 98 0c  a8 35 5a 62
|   e9 72 69 a1
| emitting length of ISAKMP Message: 88
...

The packet is received by Shrew, which for some reason does not
find those attributes:

12/02/08 15:22:28 ii : configure hash verified
12/02/08 15:22:28 ii : received config pull response
12/02/08 15:22:28 ii : - IP4 Address = 192.0.2.1
12/02/08 15:22:28 ii : - IP4 Netmask = 255.255.255.0
12/02/08 15:22:28 DB : config resend event canceled ( ref count = 1 )
12/02/08 15:22:28 DB : config ref decrement ( ref count = 0, obj count = 1 )
12/02/08 15:22:28 DB : phase1 ref decrement ( ref count = 3, obj count = 1 )
12/02/08 15:22:31 ii : enabled adapter ROOT\VNET\0000
12/02/08 15:22:31 ii : apapter ROOT\VNET\0000 MTU is 1500

Searching the Shrew IKE source code, I thought that this
could be the result of getting a "No-Cisco" payload during the handshake.
At least the logs show that this should not be the case:

12/02/08 15:22:28 << : vendor id payload
12/02/08 15:22:28 ii : unknown vendor id ( 16 bytes )
12/02/08 15:22:28 0x : 882fe56d 6fd20dbc 2251613b 2ebe5beb
12/02/08 15:22:28 << : vendor id payload
12/02/08 15:22:28 ii : peer is CISCO UNITY compatible
12/02/08 15:22:28 << : vendor id payload
12/02/08 15:22:28 ii : peer supports XAUTH

I'm on Shrew 2.1.7 and everything works like a charm when using the
same setup with racoon on the other end.

Maybe someone can help.

Markus
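A small decoder for the ModeCfg attribute block the two daemons exchange, added here as a worked example; it is not code from strongSwan, Shrew or this thread, and the sample bytes and helper names are constructed for illustration. It builds the attributes visible in the pluto log in the RFC 2408 TLV form and decodes them back the way the Shrew log prints them. Cisco Unity defines UNITY_SPLIT_INCLUDE as 14-byte records (address, mask, protocol, source port, destination port), whereas the pluto log above emits 8 bytes per network, so the decoder accepts both layouts and reports which one it saw, which is the first thing to compare when one peer silently ignores the attribute.

```python
import struct
from ipaddress import IPv4Address

# Attribute numbers from the pluto log: 1/2 are the standard INTERNAL_IP4_*
# ModeCfg attributes, 28675/28676 are Cisco Unity private-use values.
ATTR_NAMES = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
              28675: "UNITY_DEF_DOMAIN", 28676: "UNITY_SPLIT_INCLUDE"}

def encode_attr(atype, value):
    """One ISAKMP data attribute (RFC 2408 s3.3) in TLV form: AF bit clear,
    2-byte type, 2-byte length, then the raw value bytes."""
    return struct.pack("!HH", atype & 0x7FFF, len(value)) + value

def decode_attrs(data):
    """Walk a block of ISAKMP attributes and return (type, value) pairs.
    TV form (AF bit set) carries a 2-byte value where TLV has the length."""
    out, off = [], 0
    while off + 4 <= len(data):
        atype, second = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:
            out.append((atype & 0x7FFF, struct.pack("!H", second)))
        else:
            if off + second > len(data):
                raise ValueError("truncated attribute at offset %d" % (off - 4))
            out.append((atype, data[off:off + second]))
            off += second
    if off != len(data):
        raise ValueError("trailing bytes after last attribute")
    return out

def split_include_networks(value):
    """Decode a UNITY_SPLIT_INCLUDE value into (network, mask, record_size).
    Cisco Unity records are 14 bytes (addr, mask, proto, sport, dport); the
    pluto log emits a bare 8-byte addr+mask, so both are accepted and the
    record size is returned to make a layout mismatch visible."""
    size = 14 if value and len(value) % 14 == 0 else 8
    if len(value) % size:
        raise ValueError("split-include value of %d bytes fits neither layout" % len(value))
    return [(str(IPv4Address(value[i:i + 4])), str(IPv4Address(value[i + 4:i + 8])), size)
            for i in range(0, len(value), size)]

def describe(data):
    """Render decoded attributes in the style of the Shrew log lines."""
    lines = []
    for atype, value in decode_attrs(data):
        name = ATTR_NAMES.get(atype, "attr %d" % atype)
        if atype in (1, 2):
            lines.append("%s = %s" % (name, IPv4Address(value)))
        elif atype == 28676:
            for net, mask, size in split_include_networks(value):
                lines.append("%s = %s/%s (%d-byte record)" % (name, net, mask, size))
        else:
            lines.append("%s = %r" % (name, value))
    return lines

# Constructed sample modelled on the attributes in the pluto log above.
SAMPLE = b"".join([encode_attr(1, bytes([192, 0, 2, 1])),
                   encode_attr(2, bytes([255, 255, 255, 0])),
                   encode_attr(28675, b"collogia.de"),
                   encode_attr(28676, bytes.fromhex("c0a80200ffffff00"))])
```

Feeding the attribute bytes of a captured ModeCfg reply to describe() shows whether the split-include entry is present and which record size the sender used.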