[Vpn-help] vpn -> Lancom 1811

Michael Rignaz uluquai at inode.at
Mon Nov 13 22:57:56 CST 2006


Hi there!

A total newbie needs your help..
I'm having troubles using Windows builtin ipsec support for connecting 
to a remote vpn gateway..
The tunnel doesn't work anymore whenever there's higher latency without 
any of the peers noticing..
That's why I tried your vpn client.
It would be very nice if you could help me out a bit, 'cause I'm having 
troubles with your client too :)

My config is as follows:
I'm using certificates and main mode 2.. encryption is 3des and hash 
algorithms are either sha1 or md5.. with none of them it works..
I must say that the server is configured correctly because builtin 
windows vpn is able to connect.. but as I stated earlier this connection 
dies on heavy load/high latencies.
Just to compare this was my ipsec.conf for ipsec tools:

conn <Server>
   left=%any
   right=<server's public ip>
   rightsubnet=192.168.0.0/24
   rightca="CN=<CN of the CA>"
   network=auto
   auto=start
   pfs=yes


I wonder why I cannot specify a CN for the CA in your client's 
settings. Just the ASN.1 for the client and the remote identity.


"Local Host": "Use a virtual adapter and a private address"
"Obtain Automatically" checked
IKE UDP port 500
Client:
NATT disabled

Enable DPD Notify Support checked
Enable Fragmentation Support unchecked (nothing works if I enable that 
option)
Other Options:
nothing checked.

Name Resolution:
everything enabled
Authentication:
Mutual RSA
Local Identity:
ASN.1 Distinguished Name
ASN.1 DN String:
CN=<my cn>


Same for remote identity except the appropriate ASN.1 String.
Credentials:
Server Certificate Authority File:
path to my ca.crt
Client Certificate file:
path to my crt
Client Private Key File
path to my private key file

Phase1:

Exchange Type: main
DH exchange: group 2
Cipher Algorithm 3des
Hash: sha1
Key Life Time limit and Data limit default

Phase2:

Transform Algorithm: esp-3des
HMAC Algorithm: sha1

PFS Exchange: group2
Key Life Time limit and Data limit default.

When I connect, I get the following messages:

config loaded for site 'domainname to server'
configuring client settings ...
attached to IPSEC daemon ...
peer configured
local id configured
remote id configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
no policies defined, routing all traffic
forcing adapter netmask
virtual network device configured
virtual network device enabled
tunnel enabled

On the server I get the following:

[VPN-Status] 2006/11/14 05:43:04,040
IKE info: Phase-1 [responder] for peer <my peer> between initiator id 
CN=<my cn> responder id CN=<server's cn> done
IKE info: SA ISAKMP for peer <my peer> encryption 3des-cbc 
authentication sha1
IKE info: life time ( 86400 sec/ 0 kb)


[VPN-Status] 2006/11/14 05:43:04,090
IKE info: NOTIFY received of type INITIAL_CONTACT for peer <my peer>


[VPN-Status] 2006/11/14 05:43:04,090
IKE info: Phase-1 [responder] got initial contact from peer <unknown> 
(<my public ip>)


[VPN-Status] 2006/11/14 05:43:04,090
IKE info: IKE-CFG: Received REQUEST message with id 54363 from peer <my 
peer>
IKE info: IKE-CFG:   Attribute INTERNAL_IP4_ADDRESS     len 4 value 
0.0.0.0 received
IKE info: IKE-CFG:   Attribute INTERNAL_IP4_NETMASK     len 4 value 
0.0.0.0 received
IKE info: IKE-CFG:   Attribute INTERNAL_IP4_DNS         len 4 value 
0.0.0.0 received
IKE info: IKE-CFG:   Attribute <Unknown 28674>          len 0 is private 
-> ignore
IKE info: IKE-CFG:   Attribute <Unknown 28675>          len 0 is private 
-> ignore
IKE info: IKE-CFG:   Attribute INTERNAL_IP4_NBNS        len 4 value 
0.0.0.0 received
IKE info: IKE-CFG:   Attribute <Unknown 28676>          len 0 is private 
-> ignore
IKE info: IKE-CFG:   Attribute <Unknown 28678>          len 0 is private 
-> ignore


[VPN-Status] 2006/11/14 05:43:04,100
IKE info: IKE-CFG: Creating REPLY message with id 54363 for peer <my peer>
IKE info: IKE-CFG:   Attribute INTERNAL_IP4_NBNS        len 0 skipped
IKE info: IKE-CFG:   Attribute INTERNAL_IP4_DNS         len 4 value 
192.168.0.2 added
IKE info: IKE-CFG:   Attribute INTERNAL_IP4_NETMASK     len 0 skipped
IKE info: IKE-CFG:   Attribute INTERNAL_IP4_ADDRESS     len 4 value 
255.255.255.255 added
IKE info: IKE-CFG: Sending message


It seems as if it doesn't get past Phase 1.
Shrewsoft's Client says tunnel enabled, but I don't see any interface 
coming up (should there be one virtual adapter coming up like these TAP 
interfaces do?)

Shrewsoft's Trace Utility prints the following:


## : IPSEC Daemon, ver 1.1.0
## : Copyright 2006 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8a 11 Oct 2005
ii : opened 'dump-ike.cap'
ii : rebuilding vnet device list ...
ii : device ROOT\VNET\0000 disabled
ii : rebuilding vprot interface list ...
ii : interface IP=192.168.1.100, MTU=1500, MAC=00:15:f2:28:7e:a4 active
ii : 1 adapter(s) active
ii : client ctrl thread begin ...
<C : client peer config message
<C : client user credentials message
<C : client local id 'CN=<my CN>' message
<C : client remote id 'CN=<CN of the Server> message
<C : client remote cert 'ca.crt' message
<C : client local cert 'my.crt' message
<C : client local key 'my.key' message
<C : client tunnel enable message
ii : matched phase1 proposal
ii : - protocol     = isakmp
ii : - transform    = ike
ii : - key length   = default
ii : - cipher type  = 3des
ii : - hash type    = sha1
ii : - dh group     = modp-1024
ii : - auth type    = sig-rsa
ii : - life seconds = 86400
ii : - life kbytes  = 0
ii : local nat traversal is disabled
ii : peerid match ( /CN=<Cn of the Server>)
ii : unable to get certificate CRL(3) at depth:0
ii : subject :/CN=<Cn of the Server>
ii : unable to get certificate CRL(3) at depth:1
ii : subject :/CN=<CN of my CA>
ii : phase1 sa established
ii : 192.168.1.100:500 <-> <Servers pub. ip>:500
ii : 6efacbadc3492dfd:b965764d3a4af303
ii : sent peer notification, INITIAL-CONTACT
ii : 192.168.1.100 -> <server pub. ip>
ii : isakmp spi = 6efacbadc3492dfd:b965764d3a4af303
ii : data size 0
ii : determining required modecfg attributes
ii : sending isakmp config request
ii : received isakmp config reply
ii : client recv thread begin ...
ii : waiting for vnet to arrive ...
!! : defaulting to MTU of 1500.
ii : added host route for remote peer
!! : add tunnel default route failed

It doesn't matter whether I set static routes or let it obtain 
automatically..

Do you know what might be the problem?
Sorry about this confused post, I simply am a real newbie and don't know 
what information might be important

Thank you very much for any help!

Regards,
Michael
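One thing worth checking in the Lancom log above: the IKE-CFG REPLY hands the client INTERNAL_IP4_ADDRESS 255.255.255.255 and skips INTERNAL_IP4_NETMASK, and the client trace then ends with "add tunnel default route failed". The following is an added example (not part of the original post or of the Shrew Soft client) that parses those mode-config reply lines and flags an address assignment a client cannot use; the log text is re-joined from the wrapped lines in the mail and the regex matches only the reply format shown there.

```python
import ipaddress
import re

# Constructed sample: the IKE-CFG REPLY lines from the Lancom log above,
# re-joined onto single lines (the mail client had wrapped them).
SAMPLE_REPLY = """\
IKE info: IKE-CFG: Creating REPLY message with id 54363 for peer <my peer>
IKE info: IKE-CFG:   Attribute INTERNAL_IP4_NBNS        len 0 skipped
IKE info: IKE-CFG:   Attribute INTERNAL_IP4_DNS         len 4 value 192.168.0.2 added
IKE info: IKE-CFG:   Attribute INTERNAL_IP4_NETMASK     len 0 skipped
IKE info: IKE-CFG:   Attribute INTERNAL_IP4_ADDRESS     len 4 value 255.255.255.255 added
IKE info: IKE-CFG: Sending message
"""

# Matches "Attribute <name> len <n> [value <v>] added|skipped" as the gateway prints it.
ATTR_RE = re.compile(
    r"IKE-CFG:\s+Attribute\s+(?P<name>\S+)\s+len\s+(?P<len>\d+)"
    r"(?:\s+value\s+(?P<value>\S+))?\s+(?P<status>added|skipped)"
)

def parse_reply(text):
    """Return {attribute name: value} for the reply; skipped attributes map to None."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group("name")] = m.group("value") if m.group("status") == "added" else None
    return attrs

def check_reply(attrs):
    """List the reasons a client could not build its virtual interface from this reply."""
    problems = []
    addr = attrs.get("INTERNAL_IP4_ADDRESS")
    if addr is None:
        problems.append("no INTERNAL_IP4_ADDRESS assigned")
    else:
        ip = ipaddress.ip_address(addr)
        # 0.0.0.0, multicast, 240/4 (which includes 255.255.255.255) and loopback
        # cannot be bound to a virtual adapter as a host address.
        if (ip.is_unspecified or ip.is_multicast or ip.is_reserved or ip.is_loopback
                or ip == ipaddress.ip_address("255.255.255.255")):
            problems.append(f"INTERNAL_IP4_ADDRESS {addr} is not a usable host address")
    if attrs.get("INTERNAL_IP4_NETMASK") is None:
        problems.append("INTERNAL_IP4_NETMASK skipped; the client has to guess a netmask")
    return problems

if __name__ == "__main__":
    for p in check_reply(parse_reply(SAMPLE_REPLY)):
        print("problem:", p)
```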


