[Vpn-help] route problem and tcp traffic problem

Matthew Grooms mgrooms at shrew.net
Thu Dec 6 15:19:08 CST 2007


Rodrigo Ferroni wrote:
> hi,
> 
> we are using shrew 2.0.3 (winxp) with ipsec-tools 0.7 (debian).
> the connection appears to establish correctly but we have 2 problems.
> 
> after the connection success, we need to create a route manually in the 
> client,
> for example route add 10.55.0.0(split_network include) mask 255.255.0.0 
> 10.66.0.2 (network4)
> without this we can't reach the split_network. Is there any way to pass 
> a gateway with mode_cfg?
> 
> after creating that route manually, we can send traffic inside the 
> tunnel, the first packet create the SA.
> sending icmp traffic, for ex. 32 bytes or 1500 bytes (the frag works 
> fine) it works.
> but when trying to use tcp traffic on port 80, opening a web site or 
> ssh connection, at first it works, but only
> a few packets and then the client doesn't respond any more.
> 
> I've got racoon logs and tcpdump output if it can help
> thanks.
> rodrigo.
> 

Rodrigo,

If you have configured split_network for modecfg in the racoon.conf, the 
shrew soft client should automatically generate policies and routes to 
support the connectivity. If it's not, then there may be a configuration 
problem or you may have hit a bug in the client. Let's try to get that 
working first and then we can look into your communications issues.

First use the VPN Trace application options menu to bump up the client 
log output level to debug and restart the ike service. Then attempt to 
connect to your gateway and examine the log output. You should see 
some modecfg related lines that look similar to this ( example uses an 
ipsec-tools 0.7 peer ) ...

ii : building config attribute list
ii : - IP4 Address
ii : - Address Expiry
ii : - IP4 Netamask
ii : - IP4 DNS Server
ii : - IP4 WINS Server
ii : - DNS Suffix
ii : - Split DNS Domain
ii : - IP4 Split Network Include
ii : - IP4 Split Network Exclude
ii : - Login Banner
ii : - Save Password
ii : sending config pull request
== : new phase2 iv ( 8 bytes )
 >> : hash payload
 >> : attribute payload
== : new configure hash ( 20 bytes )
 >= : encrypt iv ( 8 bytes )
=> : encrypt packet ( 104c bytes )
== : stored iv ( 8 bytes )
-> : send NAT-T:IKE packet x.x.x.x:4500 -> y.y.y.y:4500 ( 140 bytes )
<- : recv NAT-T:IKE packet y.y.y.y:4500 -> x.x.x.x:4500 ( 460 bytes )
DB : phase1 found
ii : processing config packet ( 460 bytes )
DB : config found
=< : decrypt iv ( 8 bytes )
<= : decrypt packet ( 460 bytes )
<= : trimmed packet padding ( 7 bytes )
== : stored iv ( 8 bytes )
<< : hash payload
<< : attribute payload
== : configure hash_i ( computed ) ( 20 bytes )
== : configure hash_c ( computed ) ( 20 bytes )
ii : configure hash verified
ii : received config pull response
ii : - IP4 Address = 10.2.1.128
ii : - IP4 Netmask = 255.255.255.0
ii : - IP4 DNS Server = a.a.a.1
ii : - IP4 WINS Server = a.a.a.1
ii : - DNS Suffix = shrew.net
ii : - Split Domain = shrew.net
ii : - Split Domain = blah.com
ii : - IP4 Split Network Include = b.b.b.b/32
ii : - IP4 Split Network Include = c.c.c.c/32
ii : - IP4 Split Network Include = d.d.d.d/32
ii : - Login Banner = Welcome to hole ...
ii : - Save Password = 0

If you don't see anything like this then you have a configuration 
problem which I would be glad to help with. If you do see output like 
this, you should also see routes created that use the virtual network 
adapter address as the next hop for every split network received via 
modecfg. If you don't see these, let me know and we can investigate 
this. Feel free to send me a copy of your client or racoon debug output 
in a private email.

Hope this helps,

-Matthew
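A small check for the situation discussed in this thread, added here as an example and not code from the Shrew Soft client or ipsec-tools: it parses the "IP4 Address" and "IP4 Split Network Include" attributes out of the client debug log (same line format as quoted above), derives the routes the client is expected to install (each split network via the virtual adapter address as next hop), compares them with the IPv4 table of a Windows `route print` dump, and prints the `route add` commands for whatever is missing. Both the log excerpt and the route table below are constructed samples; the `route print` column order (destination, netmask, gateway, interface, metric) is an assumption about the Windows output.

```python
import ipaddress
import re

# Constructed sample of Shrew Soft client debug output (not a real capture);
# the lines mirror the format quoted in the thread above.
SAMPLE_LOG = """\
ii : received config pull response
ii : - IP4 Address = 10.2.1.128
ii : - IP4 Netmask = 255.255.255.0
ii : - IP4 Split Network Include = 10.55.0.0/16
ii : - IP4 Split Network Include = 192.0.2.10/32
ii : - Login Banner = Welcome
"""

# Constructed sample of the IPv4 table printed by `route print` on Windows
# (assumed column order: destination, netmask, gateway, interface, metric).
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.66.0.1       10.66.0.2       20
        10.2.1.0    255.255.255.0     10.2.1.128      10.2.1.128       20
      192.0.2.10  255.255.255.255     10.2.1.128      10.2.1.128        1
"""

# Matches the "ii : - <attribute> = <value>" lines of the config pull response.
LINE_RE = re.compile(r"^ii : - (?P<key>[A-Za-z0-9 ]+?) = (?P<value>.+)$")


def parse_modecfg(log_text):
    """Return (virtual adapter IP, [split networks]) from client debug output."""
    virtual_ip = None
    splits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if key == "IP4 Address":
            virtual_ip = value
        elif key == "IP4 Split Network Include":
            splits.append(ipaddress.ip_network(value, strict=False))
    return virtual_ip, splits


def expected_routes(virtual_ip, splits):
    """Routes the client should install: each split network via the virtual adapter."""
    return [(str(n.network_address), str(n.netmask), virtual_ip) for n in splits]


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def parse_route_print(text):
    """Collect (destination, netmask, gateway) tuples from a `route print` dump."""
    routes = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and all(_is_ipv4(p) for p in parts[:3]):
            routes.add((parts[0], parts[1], parts[2]))
    return routes


def missing_routes(log_text, route_table_text):
    """Expected split-network routes that are absent from the routing table."""
    virtual_ip, splits = parse_modecfg(log_text)
    present = parse_route_print(route_table_text)
    return [r for r in expected_routes(virtual_ip, splits) if r not in present]


def route_add_commands(routes):
    """Windows `route add` lines, in the form used manually in the thread."""
    return ["route add %s mask %s %s" % r for r in routes]


if __name__ == "__main__":
    for cmd in route_add_commands(missing_routes(SAMPLE_LOG, SAMPLE_ROUTE_PRINT)):
        print(cmd)
```

With the samples above only the 10.55.0.0/16 route is missing, so the script prints `route add 10.55.0.0 mask 255.255.0.0 10.2.1.128`; an empty result means the client installed every split-network route it negotiated, which is the behaviour the reply says to expect.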