[vpn-devel] Strongswan / Shrew Split Tunnel

Matthew Grooms mgrooms at shrew.net
Tue Feb 14 20:28:29 CST 2012


The Shrew Soft client has the option to dump decrypted IKE packets in 
pcap format. If you suspect the modecfg payload includes a payload that 
is incorrectly being ignored by the client, you can dump the packets to 
have a closer look at them later using Wireshark. That's where I would 
start anyway.

-Matthew

On 2/8/2012 8:53 AM, Markus Stockhausen wrote:
> Hello,
>
> at the moment I'm investigating some interoperability issues between
> Shrew and Openswan when working with split tunnel setups. I do not
> know whom to blame, so I start with the client side because the log
> files encourage me to search for the error over there. Here we go:
>
> To enable split tunnel on strongswan I inserted the following lines
> into /etc/strongswan.conf
>
> pluto {
> plugins {
> attr {
> netmask = 255.255.255.0
> 28675 = collogia.de
> 28676 = 192.168.2.0/24
> }
> }
> }
>
> With these, the pluto IKE daemon should inject the required Cisco Unity
> Mode Config flags into the pull request. When looking at the logs
> everything looks nice:
>
> ...
> | ****emit ISAKMP ModeCfg attribute:
> | ModeCfg attr type: UNITY_SPLIT_INCLUDE
> | emitting 8 raw bytes of UNITY_SPLIT_INCLUDE into ISAKMP ModeCfg attribute
> | UNITY_SPLIT_INCLUDE c0 a8 02 00 ff ff ff 00
> | emitting length of ISAKMP ModeCfg attribute: 8
> | emitting length of ISAKMP Mode Attribute: 36
> | ModeCfg HASH computed:
> | 93 77 8c 5d a1 af d6 73 0a d8 98 0c a8 35 5a 62
> | e9 72 69 a1
> | emitting length of ISAKMP Message: 88
> ...
>
> The packet is received by Shrew, which for some reason does not
> find those attributes:
>
> 12/02/08 15:22:28 ii : configure hash verified
> 12/02/08 15:22:28 ii : received config pull response
> 12/02/08 15:22:28 ii : - IP4 Address = 192.0.2.1
> 12/02/08 15:22:28 ii : - IP4 Netmask = 255.255.255.0
> 12/02/08 15:22:28 DB : config resend event canceled ( ref count = 1 )
> 12/02/08 15:22:28 DB : config ref decrement ( ref count = 0, obj count = 1 )
> 12/02/08 15:22:28 DB : phase1 ref decrement ( ref count = 3, obj count = 1 )
> 12/02/08 15:22:31 ii : enabled adapter ROOT\VNET\0000
> 12/02/08 15:22:31 ii : apapter ROOT\VNET\0000 MTU is 1500
>
> Searching the Shrew IKE source code, I thought that this
> could be the result of getting a "No-Cisco" payload during the handshake.
> At least the logs show that this should not be the case:
>
> 12/02/08 15:22:28 << : vendor id payload
> 12/02/08 15:22:28 ii : unknown vendor id ( 16 bytes )
> 12/02/08 15:22:28 0x : 882fe56d 6fd20dbc 2251613b 2ebe5beb
> 12/02/08 15:22:28 << : vendor id payload
> 12/02/08 15:22:28 ii : peer is CISCO UNITY compatible
> 12/02/08 15:22:28 << : vendor id payload
> 12/02/08 15:22:28 ii : peer supports XAUTH
>
> I'm on Shrew 2.1.7 and everything works like a charm when using the
> same setup with racoon on the other end.
>
> Maybe someone can help.
>
> Markus
>
>
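As an added illustration of the kind of inspection Matthew suggests (example code written for this post, not code from Shrew or strongSwan): a small decoder for the ISAKMP Mode Config attribute list, run over a constructed byte string rebuilt from the attribute bytes in the pluto log above. It assumes the RFC 3706 TLV encoding, the attribute numbers used in the strongswan.conf snippet, and the 14-byte Cisco Unity split-include entry layout; the 8-byte addr+mask form from the log is decoded as well and reported by its entry size.

```python
import struct
import ipaddress

# ISAKMP Mode Config attribute types (TLV encoding per RFC 3706).
# UNITY_SPLIT_INCLUDE is the 28676 used in the strongswan.conf above.
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_NETMASK = 2
UNITY_SPLIT_INCLUDE = 28676   # 0x7004

def parse_modecfg_attributes(body: bytes):
    """Walk the attribute list of a Mode Config payload body.
    AF bit (0x8000) set: 2-byte value inline; clear: 2-byte length + value."""
    attrs, off = [], 0
    while off + 4 <= len(body):
        af_type, lv = struct.unpack_from("!HH", body, off)
        off += 4
        atype = af_type & 0x7FFF
        if af_type & 0x8000:          # TV form: lv is the value itself
            attrs.append((atype, struct.pack("!H", lv)))
        else:                         # TLV form: lv is the value length
            if off + lv > len(body):
                raise ValueError(f"attribute {atype}: length {lv} overruns payload")
            attrs.append((atype, body[off:off + lv]))
            off += lv
    if off != len(body):
        raise ValueError("trailing bytes after last attribute")
    return attrs

def decode_split_include(value: bytes):
    """Cisco Unity entries are 14 bytes: addr(4) mask(4) proto(2) sport(2) dport(2).
    The 8-byte addr+mask form seen in the pluto log is decoded too; the entry
    size found is returned so a reader can see which layout the peer sent."""
    if len(value) % 14 == 0:
        size, fmt = 14, "!4s4sHHH"
    elif len(value) % 8 == 0:
        size, fmt = 8, "!4s4s"
    else:
        raise ValueError(f"split-include value of {len(value)} bytes fits neither layout")
    nets = []
    for i in range(0, len(value), size):
        addr, mask = struct.unpack_from(fmt, value, i)[:2]
        nets.append(f"{ipaddress.IPv4Address(addr)}/{ipaddress.IPv4Address(mask)}")
    return size, nets

# Constructed sample: the three attributes the pluto log above emits, 28 bytes,
# i.e. the logged "Mode Attribute" length 36 minus the 8-byte payload header.
SAMPLE = (struct.pack("!HH4s", INTERNAL_IP4_ADDRESS, 4, ipaddress.IPv4Address("192.0.2.1").packed)
          + struct.pack("!HH4s", INTERNAL_IP4_NETMASK, 4, ipaddress.IPv4Address("255.255.255.0").packed)
          + struct.pack("!HH", UNITY_SPLIT_INCLUDE, 8) + bytes.fromhex("c0a80200ffffff00"))
```

Feed it the attribute bytes from a decrypted-IKE pcap and compare the entry size it reports against what the client's log shows it accepted.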