[vpn-help] -12 against ipsec-tools 0.6.6

Matthew Grooms mgrooms at shrew.net
Thu Jul 27 11:07:36 CDT 2006


Peter Eisch wrote:
> This is closer.  We get the ISAKMP config from the server (10.1.202.0/24,
> etc.) but it doesn't seem to get ack'd.  The server never adds the SA
> entries, nor does the client seem to.  At this point we just wither and all
> the routing still goes out the "normal" path.  (Again: Hybrid 3des/md5/dh
> group 2; 3des/md5/pf 2.  Server config has not changed, client config
> attached.)
> 

It looks like it's working properly. The problem appears to be that the 
client is configured to request a split network list ...

 > ii : determining required modecfg attributes
 > ii : - IP4 Address
 > ii : - IP4 Netmask
 > ii : - IP4 DNS Server
 > ii : - IP4 DNS Suffix
 > ii : - Split DNS Domains
 > ii : - IP4 WINS Server
 > ii : - IP4 Split Network Include List
 > ii : - IP4 Split Network Exclude List
 > ii : sending isakmp config request

.... but none are being returned ...

 > ii : received isakmp config reply
 > ii : - IP4 Address = 10.1.202.0
 > ii : - IP4 Netmask = 255.255.255.0
 > ii : - IP4 DNS Server = 10.1.100.126
 > ii : - IP4 WINS Server = 10.1.100.126

... I probably need to add a check for this and spit a warning out in 
the client feedback window.

The problem is most likely due to no split network configuration being 
defined in your modecfg section ...

mode_cfg {
         network4 10.1.202.0;
         pool_size 255;
         netmask4 255.255.255.0;
         auth_source system;
         dns4 10.1.100.126;
         wins4 10.1.100.126;
#	default_domain "visionshareinc.com";
         banner "/etc/racoon/motd";
         pfs_group 2;
}

... If you are attempting to access the 10.1.100.0/24 network, you need 
to add a statement to your modecfg section like so ...

split_network include 10.1.100.0/24;

... The alternative is to configure the client to force all traffic 
across the tunnel. However, configuring split tunneling is the 
recommended method of configuration. The cisco client was probably 
working because it defaults to forcing all traffic if no split network 
config is returned. Please let me know how this works out for you.

Also, if you have a chance, I would be interested to hear if the client 
still works with the ca.crt moved back to the original location or if it 
was the updated client that fixed the problem.

Thanks,

-Matthew
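The check Matthew describes above (compare the modecfg attributes the client asked for with the ones the gateway actually returned, and warn when the split network include list is absent) can be done offline against the client's trace. The script below is an added example and is not code from the thread or from the Shrew Soft client; the trace format (lines prefixed `ii : `, attribute items as `- <name>` or `- <name> = <value>` following the "determining required modecfg attributes" and "received isakmp config reply" markers) is assumed from the excerpt quoted in this message, and the embedded sample log is constructed to mirror that excerpt.

```python
"""Report modecfg attributes a Shrew Soft client requested but never received.

Added example for the thread above, not part of the original post or of the
Shrew Soft client. The log format is assumed from the excerpt in the post.
"""
import re

REQUEST_MARKER = "determining required modecfg attributes"
REPLY_MARKER = "received isakmp config reply"

# One attribute item: optional ">" quote prefix, "ii :", "- name", optional "= value".
ITEM_RE = re.compile(r"^\s*(?:>\s*)*ii\s*:\s*-\s+(.+?)(?:\s*=\s*(.*))?\s*$")

# The attribute whose absence leaves the client with nothing to route through
# the tunnel when it is configured for split tunneling (the situation in the post).
SPLIT_INCLUDE = "IP4 Split Network Include List"

# Constructed sample trace modelled on the excerpt quoted in the thread.
SAMPLE_LOG = """\
ii : determining required modecfg attributes
ii : - IP4 Address
ii : - IP4 Netmask
ii : - IP4 DNS Server
ii : - IP4 DNS Suffix
ii : - Split DNS Domains
ii : - IP4 WINS Server
ii : - IP4 Split Network Include List
ii : - IP4 Split Network Exclude List
ii : sending isakmp config request
ii : received isakmp config reply
ii : - IP4 Address = 10.1.202.0
ii : - IP4 Netmask = 255.255.255.0
ii : - IP4 DNS Server = 10.1.100.126
ii : - IP4 WINS Server = 10.1.100.126
"""


def parse_modecfg(log_text):
    """Return (requested_names, {returned_name: value}) from a client trace."""
    requested, returned = [], {}
    section = None
    for line in log_text.splitlines():
        if REQUEST_MARKER in line:
            section = "request"
            continue
        if REPLY_MARKER in line:
            section = "reply"
            continue
        m = ITEM_RE.match(line)
        if not m or section is None:
            continue  # not an attribute item, or before either marker
        name, value = m.group(1), m.group(2)
        if section == "request":
            requested.append(name)
        else:
            returned[name] = value
    return requested, returned


def missing_attributes(log_text):
    """Names that appear in the request list but not in the gateway's reply."""
    requested, returned = parse_modecfg(log_text)
    return [name for name in requested if name not in returned]


def warnings(log_text):
    """Human-readable warnings of the kind the post proposes for the feedback window."""
    msgs = []
    missing = missing_attributes(log_text)
    for name in missing:
        msgs.append(f"warning: gateway did not return requested attribute '{name}'")
    if SPLIT_INCLUDE in missing:
        # Mirrors the advice in the post: fix it on the racoon side, or tunnel everything.
        msgs.append("warning: no split network list returned; add "
                    "'split_network include <net>/<bits>;' to the racoon mode_cfg "
                    "section or configure the client to force all traffic through "
                    "the tunnel")
    return msgs


if __name__ == "__main__":
    for msg in warnings(SAMPLE_LOG):
        print(msg)
```

Run it as-is to see the warnings for the constructed trace, or pipe a real client trace into `parse_modecfg`. Attributes such as the exclude list or DNS suffix are often legitimately empty, so a deployment of this check would probably downgrade those to informational and keep the hard warning for the split network include list only.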


