[Vpn-help] vpn-release-1.1 communicate with racoon problem

Zhao Tongyi zhaotongyi at gmail.com
Thu Nov 23 21:27:20 CST 2006


verify_cert off;
log:

Nov 22 18:24:22  info  racoon  INFO: respond new phase 1 negotiation: 192.168.20.133[500]<=>192.168.20.240[500]
Nov 22 18:24:22  info  racoon  INFO: begin Aggressive mode.
Nov 22 18:24:22  info  racoon  INFO: received Vendor ID: CISCO-UNITY
Nov 22 18:24:22  info  racoon  INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Nov 22 18:24:22  info  racoon  INFO: received Vendor ID: RFC 3947
Nov 22 18:24:22  info  racoon  INFO: received broken Microsoft ID: FRAGMENTATION
Nov 22 18:24:22  info  racoon  INFO: received Vendor ID: DPD
Nov 22 18:24:22  info  racoon  INFO: Selected NAT-T version: RFC 3947
Nov 22 18:24:22  info  racoon  INFO: Adding remote and local NAT-D payloads.
Nov 22 18:24:22  info  racoon  INFO: Hashing 192.168.20.240[500] with algo #2
Nov 22 18:24:22  info  racoon  INFO: Hashing 192.168.20.133[500] with algo #2
Nov 22 18:24:23  info  racoon  INFO: NAT not detected
Nov 22 18:24:23  info  racoon  INFO: ISAKMP-SA established 192.168.20.133[500]-192.168.20.240[500] spi:14660c5f08d82402:aa7052ec72ccc334
Nov 22 18:24:23  info  racoon  INFO: Using port 0
and iptables:
# Generated by iptables-save v1.3.5 on Wed Nov 22 18:26:27 2006
*tproxy
:PREROUTING ACCEPT [7656:612953]
:OUTPUT ACCEPT [1:73]
COMMIT
# Completed on Wed Nov 22 18:26:27 2006
# Generated by iptables-save v1.3.5 on Wed Nov 22 18:26:27 2006
*raw
:PREROUTING ACCEPT [40176:6334687]
:OUTPUT ACCEPT [38555:7046209]
COMMIT
# Completed on Wed Nov 22 18:26:27 2006
# Generated by iptables-save v1.3.5 on Wed Nov 22 18:26:27 2006
*nat
:PREROUTING ACCEPT [6177:417641]
:POSTROUTING ACCEPT [1:73]
:OUTPUT ACCEPT [1:73]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.122:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22222 -j DNAT --to-destination 192.168.1.2:22
-A PREROUTING -d 192.168.26.0/255.255.255.0 -i eth0 -j NETMAP --to 192.168.2.0/24
-A PREROUTING -d 20.0.0.0/255.255.255.254 -i eth0 -j NETMAP --to 10.0.0.0/31
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -o eth0 -j NETMAP --to 192.168.26.0/24
-A POSTROUTING -s 10.0.0.0/255.255.255.254 -o eth0 -j NETMAP --to 20.0.0.0/31
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Nov 22 18:26:27 2006
# Generated by iptables-save v1.3.5 on Wed Nov 22 18:26:27 2006
*mangle
:PREROUTING ACCEPT [40176:6334687]
:INPUT ACCEPT [40172:6334290]
:FORWARD ACCEPT [4:397]
:OUTPUT ACCEPT [38555:7046209]
:POSTROUTING ACCEPT [38559:7046606]
COMMIT
# Completed on Wed Nov 22 18:26:27 2006
# Generated by iptables-save v1.3.5 on Wed Nov 22 18:26:27 2006
*filter
:INPUT ACCEPT [7654:612811]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:73]
:ACCEPTLOG - [0:0]
:DROPLOG - [0:0]
:FORWARD_ADV - [0:0]
:FORWARD_DMZ - [0:0]
:FORWARD_USR - [0:0]
:INPUT_ADV - [0:0]
:INPUT_USR - [0:0]
:REJECTLOG - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ADV
-A INPUT -j INPUT_USR
-A FORWARD -j FORWARD_ADV
-A FORWARD -j FORWARD_USR
-A FORWARD -j FORWARD_DMZ
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ACCEPTLOG -j LOG
-A ACCEPTLOG -j ACCEPT
-A DROPLOG -j LOG
-A DROPLOG -j DROP
-A FORWARD_ADV -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD_DMZ -i eth1 -o eth0 -j ACCEPT
-A FORWARD_DMZ -i eth0 -o eth1 -j ACCEPT
-A FORWARD_DMZ -i eth2 -j ACCEPT
-A FORWARD_DMZ -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD_DMZ -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT_ADV -m state --state RELATED,ESTABLISHED -j ACCEPT
-A REJECTLOG -j LOG
-A REJECTLOG -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Nov 22 18:26:27 2006

eth0 192.168.20.133, eth1 192.168.1.1

ip route
192.168.20.0/24 dev eth0  proto kernel  scope link  src 192.168.20.133
192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.1
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1

and thank you very much



2006/11/23, Matthew Grooms <mgrooms at shrew.net>:
>
> Zhao,
>
> Thanks for trying out the VPN Client. If you see esp packets being
> emitted from the client ( passing both phase1 and phase2 ), it is very
> likely close to working.
>
> To start, it would be a good idea to reconfigure your client address
> range to start with .1 instead of .0 as this can cause problems. I will
> see if I can sneak in an ipsec-tools fix to prevent this from happening
> before we branch for 0.7.
>
> For example ...
>
> mode_cfg {
>         pool_size 253;
>         network4 192.168.1.1;
>         netmask4 255.255.255.0;
>         dns4 192.168.20.1;
>         auth_source system;
> }
>
> Also, does your debian gateway have selinux or a firewall like iptables
> installed? As for the certificate verification not working, could you
> run racoon with the -d option and forward me the relevant debug output
> regarding this issue.
>
> Thanks,
>
> -Matthew
>



-- 
Best regards,

Tongyi ,Zhao
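Two helpers that follow from this thread, added here as an example and not part of the original mail, racoon or the Shrew Soft client: one reduces the racoon phase-1 INFO lines quoted above to a summary (peers, exchange mode, NAT-T result, ISAKMP SPIs), the other checks the mode_cfg pool that Matthew describes, flagging a pool whose first address is the subnet's network address (the .0 case) or which runs into the broadcast address. The log lines are copied from the post; the function and field names are assumptions, as is the "NAT detected" branch, which the quoted log does not show.

```python
import ipaddress
import re

# Log lines as quoted in the thread (line wrapping undone).
RACOON_LOG = """\
Nov 22 18:24:22  info  racoon  INFO: respond new phase 1 negotiation: 192.168.20.133[500]<=>192.168.20.240[500]
Nov 22 18:24:22  info  racoon  INFO: begin Aggressive mode.
Nov 22 18:24:22  info  racoon  INFO: Selected NAT-T version: RFC 3947
Nov 22 18:24:23  info  racoon  INFO: NAT not detected
Nov 22 18:24:23  info  racoon  INFO: ISAKMP-SA established 192.168.20.133[500]-192.168.20.240[500] spi:14660c5f08d82402:aa7052ec72ccc334
"""

MSG = re.compile(r"racoon\s+INFO: (.*)$")
PEERS = re.compile(r"(\S+\[\d+\])<=>(\S+\[\d+\])")
SA = re.compile(r"ISAKMP-SA established \S+ spi:([0-9a-f]+):([0-9a-f]+)")


def summarize_phase1(log):
    """Reduce racoon phase-1 INFO lines to one summary dict (names assumed)."""
    s = {"local": None, "remote": None, "mode": None,
         "nat_t": None, "nat_detected": None, "spi": None}
    for line in log.splitlines():
        m = MSG.search(line)
        if not m:
            continue                      # not a racoon INFO line
        msg = m.group(1)
        if msg.startswith("respond new phase 1 negotiation:"):
            p = PEERS.search(msg)         # local[port]<=>remote[port]
            s["local"], s["remote"] = p.group(1), p.group(2)
        elif msg.startswith("begin ") and msg.endswith(" mode."):
            s["mode"] = msg[len("begin "):-len(" mode.")]   # e.g. "Aggressive"
        elif msg.startswith("Selected NAT-T version: "):
            s["nat_t"] = msg[len("Selected NAT-T version: "):]
        elif msg.startswith("NAT "):      # "NAT not detected"; "NAT detected ..." assumed
            s["nat_detected"] = not msg.startswith("NAT not")
        elif (sa := SA.match(msg)):       # initiator and responder cookies of the SA
            s["spi"] = (sa.group(1), sa.group(2))
    return s


def check_mode_cfg_pool(network4, netmask4, pool_size):
    """Flag a mode_cfg pool that starts at the network address or hits broadcast."""
    net = ipaddress.IPv4Network(f"{network4}/{netmask4}", strict=False)
    first = ipaddress.IPv4Address(network4)
    last = first + (pool_size - 1)        # pool_size addresses starting at network4
    issues = []
    if first == net.network_address:
        issues.append("pool starts at the network address; start at .1")
    if last >= net.broadcast_address:
        issues.append("pool reaches the broadcast address; shrink pool_size")
    return issues
```

With Matthew's values (network4 192.168.1.1, netmask4 255.255.255.0, pool_size 253) the check returns no issues; the same pool starting at 192.168.1.0 is flagged.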

