[Vpn-help] vpn -> Lancom 1811
Michael Rignaz
uluquai at inode.at
Mon Nov 13 22:57:56 CST 2006
Hi there!
A total newbie needs your help..
I'm having troubles using Windows builtin ipsec support for connecting
to a remote vpn gateway..
The tunnel doesn't work anymore whenever there's higher latency without
any of the peers noticing..
That's why I tried your vpn client.
It would be very nice if you could help me out a bit, 'cause I'm having
troubles with your client too :)
My config is as follows:
I'm using certificates and main mode 2.. encryption is 3des and hash
algorithms are either sha1 or md5.. with none of them it works..
I must say that the server is configured correctly because builtin
windows vpn is able to connect.. but as I stated earlier this connection
dies on heavy load/high latencies.
Just to compare this was my ipsec.conf for ipsec tools:
conn <Server>
    left=%any
    right=<server's public ip>
    rightsubnet=192.168.0.0/24
    rightca="CN=<CN of the CA>"
    network=auto
    auto=start
    pfs=yes
I wonder why I cannot specify a CN for the CA in your client's
settings. Just the ASN.1 for the client and the remote identity.
"Local Host": "Use a virtual adapter and a private address"
"Obtain Automatically" checked
IKE UDP port 500
Client:
NATT disabled
Enable DPD Notify Support checked
Enable Fragmentation Support unchecked (nothing works if I enable that
option)
Other Options:
nothing checked.
Name Resolution:
everything enabled
Authentication:
Mutual RSA
Local Identity:
ASN.1 Distinguished Name
ASN.1 DN String:
CN=<my cn>
Same for remote identity except the appropriate ASN.1 String.
Credentials:
Server Certificate Authority File:
path to my ca.crt
Client Certificate file:
path to my crt
Client Private Key File
path to my private key file
Phase1:
Exchange Type: main
DH exchange: group 2
Cipher Algorithm 3des
Hash: sha1
Key Life Time limit and Data limit default
Phase2:
Transform Algorithm: esp-3des
HMAC Algorithm: sha1
PFS Exchange: group2
Key Life Time limit and Data limit default.
When I connect, I get the following messages:
config loaded for site 'domainname to server'
configuring client settings ...
attached to IPSEC daemon ...
peer configured
local id configured
remote id configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
no policies defined, routing all traffic
forcing adapter netmask
virtual network device configured
virtual network device enabled
tunnel enabled
On the server I get the following:
[VPN-Status] 2006/11/14 05:43:04,040
IKE info: Phase-1 [responder] for peer <my peer> between initiator id
CN=<my cn> responder id CN=<server's cn> done
IKE info: SA ISAKMP for peer <my peer> encryption 3des-cbc
authentication sha1
IKE info: life time ( 86400 sec/ 0 kb)
[VPN-Status] 2006/11/14 05:43:04,090
IKE info: NOTIFY received of type INITIAL_CONTACT for peer <my peer>
[VPN-Status] 2006/11/14 05:43:04,090
IKE info: Phase-1 [responder] got initial contact from peer <unknown>
(<my public ip>)
[VPN-Status] 2006/11/14 05:43:04,090
IKE info: IKE-CFG: Received REQUEST message with id 54363 from peer <my
peer>
IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 4 value
0.0.0.0 received
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NETMASK len 4 value
0.0.0.0 received
IKE info: IKE-CFG: Attribute INTERNAL_IP4_DNS len 4 value
0.0.0.0 received
IKE info: IKE-CFG: Attribute <Unknown 28674> len 0 is private
-> ignore
IKE info: IKE-CFG: Attribute <Unknown 28675> len 0 is private
-> ignore
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NBNS len 4 value
0.0.0.0 received
IKE info: IKE-CFG: Attribute <Unknown 28676> len 0 is private
-> ignore
IKE info: IKE-CFG: Attribute <Unknown 28678> len 0 is private
-> ignore
[VPN-Status] 2006/11/14 05:43:04,100
IKE info: IKE-CFG: Creating REPLY message with id 54363 for peer <my peer>
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NBNS len 0 skipped
IKE info: IKE-CFG: Attribute INTERNAL_IP4_DNS len 4 value
192.168.0.2 added
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NETMASK len 0 skipped
IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 4 value
255.255.255.255 added
IKE info: IKE-CFG: Sending message
It seems as if it doesn't get past Phase 1.
Shrewsoft's Client says tunnel enabled, but I don't see any interface
coming up (should there be one virtual adapter coming up like these TAP
interfaces do?)
Shrewsoft's Trace Utility prints the following:
## : IPSEC Daemon, ver 1.1.0
## : Copyright 2006 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8a 11 Oct 2005
ii : opened 'dump-ike.cap'
ii : rebuilding vnet device list ...
ii : device ROOT\VNET\0000 disabled
ii : rebuilding vprot interface list ...
ii : interface IP=192.168.1.100, MTU=1500, MAC=00:15:f2:28:7e:a4 active
ii : 1 adapter(s) active
ii : client ctrl thread begin ...
<C : client peer config message
<C : client user credentials message
<C : client local id 'CN=<my CN>' message
<C : client remote id 'CN=<CN of the Server> message
<C : client remote cert 'ca.crt' message
<C : client local cert 'my.crt' message
<C : client local key 'my.key' message
<C : client tunnel enable message
ii : matched phase1 proposal
ii : - protocol = isakmp
ii : - transform = ike
ii : - key length = default
ii : - cipher type = 3des
ii : - hash type = sha1
ii : - dh group = modp-1024
ii : - auth type = sig-rsa
ii : - life seconds = 86400
ii : - life kbytes = 0
ii : local nat traversal is disabled
ii : peerid match ( /CN=<Cn of the Server>)
ii : unable to get certificate CRL(3) at depth:0
ii : subject :/CN=<Cn of the Server>
ii : unable to get certificate CRL(3) at depth:1
ii : subject :/CN=<CN of my CA>
ii : phase1 sa established
ii : 192.168.1.100:500 <-> <Servers pub. ip>:500
ii : 6efacbadc3492dfd:b965764d3a4af303
ii : sent peer notification, INITIAL-CONTACT
ii : 192.168.1.100 -> <server pub. ip>
ii : isakmp spi = 6efacbadc3492dfd:b965764d3a4af303
ii : data size 0
ii : determining required modecfg attributes
ii : sending isakmp config request
ii : received isakmp config reply
ii : client recv thread begin ...
ii : waiting for vnet to arrive ...
!! : defaulting to MTU of 1500.
ii : added host route for remote peer
!! : add tunnel default route failed
It doesn't matter whether I set static routes or let it obtain
automatically..
Do you know what might be the problem?
Sorry about this confused post, I simply am a real newbie and don't know
what information might be important.
Thank you very much for any help!
Regards,
Michael
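The IKE-CFG (mode config) exchange in the LANCOM log above is worth reading closely: the client requests INTERNAL_IP4_ADDRESS and INTERNAL_IP4_NETMASK, and the reply assigns 255.255.255.255 as the address and skips the netmask, which is not a usable unicast host address for a virtual adapter. The following parser is an added example, not code from the post, the Shrew Soft client or LANCOM; it splits a constructed copy of those trace lines (unwrapped, and with the peer name assumed as "client1") into REQUEST and REPLY attribute sets and flags assignments a client cannot configure an adapter with.

```python
import ipaddress
import re

# Constructed sample modelled on the "VPN-Status" IKE-CFG lines quoted in the post.
SAMPLE_LOG = """\
IKE info: IKE-CFG: Received REQUEST message with id 54363 from peer client1
IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 4 value 0.0.0.0 received
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NETMASK len 4 value 0.0.0.0 received
IKE info: IKE-CFG: Attribute INTERNAL_IP4_DNS len 4 value 0.0.0.0 received
IKE info: IKE-CFG: Attribute <Unknown 28674> len 0 is private -> ignore
IKE info: IKE-CFG: Creating REPLY message with id 54363 for peer client1
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NBNS len 0 skipped
IKE info: IKE-CFG: Attribute INTERNAL_IP4_DNS len 4 value 192.168.0.2 added
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NETMASK len 0 skipped
IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 4 value 255.255.255.255 added
"""

ATTR_RE = re.compile(
    r"IKE-CFG: Attribute (?P<name>INTERNAL_IP4_\w+|<Unknown \d+>) len (?P<len>\d+)"
    r"(?: value (?P<value>[\d.]+))? (?P<verb>received|added|skipped|is private)"
)

def parse_modecfg(log_text):
    """Split the trace into REQUEST and REPLY attribute sets (name -> value or None)."""
    messages = {"REQUEST": {}, "REPLY": {}}
    current = None
    for line in log_text.splitlines():
        if "Received REQUEST message" in line:
            current = "REQUEST"
        elif "Creating REPLY message" in line:
            current = "REPLY"
        m = ATTR_RE.search(line)
        if m and current:
            # Attributes that were "skipped" or "ignored" carry no value -> None.
            messages[current][m.group("name")] = m.group("value")
    return messages

def check_reply(reply):
    """Return findings for reply attributes a client cannot build a virtual adapter from."""
    findings = []
    addr = reply.get("INTERNAL_IP4_ADDRESS")
    if addr is None:
        findings.append("no INTERNAL_IP4_ADDRESS assigned")
    else:
        ip = ipaddress.IPv4Address(addr)
        if addr == "255.255.255.255" or ip.is_multicast or ip.is_unspecified:
            findings.append(f"INTERNAL_IP4_ADDRESS {addr} is not a usable unicast host address")
    if reply.get("INTERNAL_IP4_NETMASK") is None:
        findings.append("INTERNAL_IP4_NETMASK skipped; client has to guess the netmask")
    return findings
```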