[Vpn-help] vpn-release-1.1 communicate with racoon problem
Zhao Tongyi
zhaotongyi at gmail.com
Thu Nov 23 21:27:20 CST 2006
verify_cert off;
log:
Nov 22 18:24:22 info racoon INFO: respond new phase 1 negotiation: 192.168.20.133[500]<=>192.168.20.240[500]
Nov 22 18:24:22 info racoon INFO: begin Aggressive mode.
Nov 22 18:24:22 info racoon INFO: received Vendor ID: CISCO-UNITY
Nov 22 18:24:22 info racoon INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Nov 22 18:24:22 info racoon INFO: received Vendor ID: RFC 3947
Nov 22 18:24:22 info racoon INFO: received broken Microsoft ID: FRAGMENTATION
Nov 22 18:24:22 info racoon INFO: received Vendor ID: DPD
Nov 22 18:24:22 info racoon INFO: Selected NAT-T version: RFC 3947
Nov 22 18:24:22 info racoon INFO: Adding remote and local NAT-D payloads.
Nov 22 18:24:22 info racoon INFO: Hashing 192.168.20.240[500] with algo #2
Nov 22 18:24:22 info racoon INFO: Hashing 192.168.20.133[500] with algo #2
Nov 22 18:24:23 info racoon INFO: NAT not detected
Nov 22 18:24:23 info racoon INFO: ISAKMP-SA established 192.168.20.133[500]-192.168.20.240[500] spi:14660c5f08d82402:aa7052ec72ccc334
Nov 22 18:24:23 info racoon INFO: Using port 0
and iptables:
# Generated by iptables-save v1.3.5 on Wed Nov 22 18:26:27 2006
*tproxy
:PREROUTING ACCEPT [7656:612953]
:OUTPUT ACCEPT [1:73]
COMMIT
# Completed on Wed Nov 22 18:26:27 2006
# Generated by iptables-save v1.3.5 on Wed Nov 22 18:26:27 2006
*raw
:PREROUTING ACCEPT [40176:6334687]
:OUTPUT ACCEPT [38555:7046209]
COMMIT
# Completed on Wed Nov 22 18:26:27 2006
# Generated by iptables-save v1.3.5 on Wed Nov 22 18:26:27 2006
*nat
:PREROUTING ACCEPT [6177:417641]
:POSTROUTING ACCEPT [1:73]
:OUTPUT ACCEPT [1:73]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.122:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22222 -j DNAT --to-destination 192.168.1.2:22
-A PREROUTING -d 192.168.26.0/255.255.255.0 -i eth0 -j NETMAP --to 192.168.2.0/24
-A PREROUTING -d 20.0.0.0/255.255.255.254 -i eth0 -j NETMAP --to 10.0.0.0/31
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -o eth0 -j NETMAP --to 192.168.26.0/24
-A POSTROUTING -s 10.0.0.0/255.255.255.254 -o eth0 -j NETMAP --to 20.0.0.0/31
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Nov 22 18:26:27 2006
# Generated by iptables-save v1.3.5 on Wed Nov 22 18:26:27 2006
*mangle
:PREROUTING ACCEPT [40176:6334687]
:INPUT ACCEPT [40172:6334290]
:FORWARD ACCEPT [4:397]
:OUTPUT ACCEPT [38555:7046209]
:POSTROUTING ACCEPT [38559:7046606]
COMMIT
# Completed on Wed Nov 22 18:26:27 2006
# Generated by iptables-save v1.3.5 on Wed Nov 22 18:26:27 2006
*filter
:INPUT ACCEPT [7654:612811]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:73]
:ACCEPTLOG - [0:0]
:DROPLOG - [0:0]
:FORWARD_ADV - [0:0]
:FORWARD_DMZ - [0:0]
:FORWARD_USR - [0:0]
:INPUT_ADV - [0:0]
:INPUT_USR - [0:0]
:REJECTLOG - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ADV
-A INPUT -j INPUT_USR
-A FORWARD -j FORWARD_ADV
-A FORWARD -j FORWARD_USR
-A FORWARD -j FORWARD_DMZ
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ACCEPTLOG -j LOG
-A ACCEPTLOG -j ACCEPT
-A DROPLOG -j LOG
-A DROPLOG -j DROP
-A FORWARD_ADV -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD_DMZ -i eth1 -o eth0 -j ACCEPT
-A FORWARD_DMZ -i eth0 -o eth1 -j ACCEPT
-A FORWARD_DMZ -i eth2 -j ACCEPT
-A FORWARD_DMZ -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD_DMZ -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT_ADV -m state --state RELATED,ESTABLISHED -j ACCEPT
-A REJECTLOG -j LOG
-A REJECTLOG -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Nov 22 18:26:27 2006
eth0 192.168.20.133 eth1 192.168.1.1
ip route
192.168.20.0/24 dev eth0 proto kernel scope link src 192.168.20.133
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
and thank you very much
2006/11/23, Matthew Grooms <mgrooms at shrew.net>:
>
> Zhao,
>
> Thanks for trying out the VPN Client. If you see esp packets being
> emitted from the client ( passing both phase1 and phase2 ), it is very
> likely close to working.
>
> To start, it would be a good idea to reconfigure your client address
> range to start with .1 instead of .0 as this can cause problems. I will
> see if I can sneak in an ipsec-tools fix to prevent this from happening
> before we branch for 0.7.
>
> For example ...
>
> mode_cfg {
> pool_size 253;
> network4 192.168.1.1;
> netmask4 255.255.255.0;
> dns4 192.168.20.1;
> auth_source system;
> }
>
> Also, does your debian gateway have selinux or a firewall like iptables
> installed? As for the certificate verification not working, could you
> run racoon with the -d option and forward me the relevant debug output
> regarding this issue.
>
> Thanks,
>
> -Matthew
>
--
Best regards,
Tongyi, Zhao
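The reply above advises moving the mode_cfg client pool off the ".0" address. The following is an added example, not code from this thread or from ipsec-tools: it parses a mode_cfg block (assuming racoon.conf's "key value;" syntax) and flags a pool that starts at the network address, and, going one step beyond the reply, a pool_size that runs the range into the broadcast address. Both config samples are constructed; Zhao's actual configuration is not in the thread.

```python
import ipaddress
import re

# Constructed sample in racoon.conf syntax, shaped like the case the reply
# describes: the client pool starts at .0, the network address of
# 192.168.1.0/24 (not Zhao's actual config, which is not in the thread).
BAD_MODE_CFG = """
mode_cfg {
    pool_size 253;
    network4 192.168.1.0;
    netmask4 255.255.255.0;
    dns4 192.168.20.1;
    auth_source system;
}
"""

# The corrected form from the reply: the pool starts at .1 instead.
GOOD_MODE_CFG = BAD_MODE_CFG.replace("network4 192.168.1.0;", "network4 192.168.1.1;")


def parse_mode_cfg(text):
    """Return the 'key value;' pairs inside the mode_cfg { ... } block."""
    m = re.search(r"mode_cfg\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no mode_cfg block found")
    cfg = {}
    for line in m.group(1).splitlines():
        line = line.strip().rstrip(";")
        if line:
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg


def check_pool(cfg):
    """Return a list of problems with the IPv4 client pool (empty if it is sane)."""
    problems = []
    first = ipaddress.IPv4Address(cfg["network4"])
    size = int(cfg["pool_size"])
    # strict=False derives the subnet from a host address plus its netmask.
    net = ipaddress.IPv4Network((str(first), cfg["netmask4"]), strict=False)
    if first == net.network_address:
        problems.append("pool starts at the network address %s" % first)
    last = first + size - 1  # address handed to the pool_size-th client
    if last >= net.broadcast_address:
        problems.append("pool of %d addresses ends at %s, past the last usable host in %s"
                        % (size, last, net))
    return problems
```

Running check_pool over the two constructed blocks reports the ".0" start for the first and nothing for the second.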