[Vpn-help] trouble compiling beta3 on ubuntu 6.0.6 lts

Harondel J. Sibble help at pdscc.com
Mon Sep 17 16:57:03 CDT 2007


Matthew

On 17 Sep 2007 at 16:01, mgrooms wrote:

> It doesn't proceed to phase2 as we are getting stalled during the mode
> config exchange.

Hmm, I've seen something similar with the Sonicwall units, resulting in having 
to use DHCP over IPsec or local IP configuration.  Perfect example: the NCP 
client on my Windows Mobile 5 Axim X51V, using mode config against the 
Sonicwall TZ170, the connection will fail every time. Configuring the client 
to use the local address works every time, but then DNS resolution on the LAN 
(Windows 2003 AD) fails from the PDA.

This was the info I got from NCP tech support:

    DHCP over IPsec is not a mechanism that is encouraged to be used; as it's
    very prone to timeouts.  The ('standard') mechanism that does what you are
    looking for is called IKE-ConfigMode (or IKE-CFG), which essentially sends
    the client a (virtual) IP address, and also the DNS/WINS server addresses.
    However, although this can be selected by the NCP Secure Client, it is
    NOT, to the best of my knowledge a feature that is available on the
    SonicWALL.   

    You can also manually configure the DNS/WINS server addresses within the
    client; and enable NetBIOS on the client, and you should be able to
    resolve names and not have to resort to using IP addresses only!  If it's
    not working, then I suggest you double check routing to ensure the client
    can reach the DNS server specified.


> Please upgrade to beta 4 ( or rc1 which should be released tonight ). A
> locking issue was present in beta 3 that caused iked to hang in some cases
> which was particularly troublesome on Linux.

I'll give it a try
 
> > On the Shrew side I see the following. P.S. is there a way to have a
> > date/time stamp on the logs? That'd be really handy to have.

> Right. This is a bit embarrassing and should have been fixed by now. I will
> get this fixed in the next release.

Sweet!
 
> The configuration mode exchange draft defines two methods for peer
> configuration, push and pull. Cisco and IPsec Tools both support the pull
> configuration method which is the client default. Both methods are supported
> by the Shrew Soft IKE daemon when acting as a gateway or a client. The push
> method is used by other vendors ( although I can't remember which ones at the
> moment ). Here is a basic description ( from memory ) on how they work ...

Hmm, I'm updating my case with Fortinet to request whether they support mode 
config as opposed to DHCP over IPsec. From experience I suspect they support 
the latter and not the former, similar to Sonicwall.  Does Shrew support the 
latter?
 
> > Where do I get sysv startup script I see mentioned in a few posts, that
> > doesn't seem to be around after my compile.

> I will forward this to the list again when I get back to my pc.

Excellent
 
> > Lastly, running iked manually, I noticed it stops running on its own
> > about half the time and has to be restarted manually.
> 
> Hmmm ... that doesn't sound good. Hopefully this was the problem that was
> corrected in beta 4. Do you have an example of the log output when this
> occurs?

This doesn't stop during a session, but after you disconnect the client, 
then hit the connect button again, about 50% of the time it says "failed to 
attach to key daemon". Hmm, it seems to consistently happen after I change the 
client config. I assume that's a feature so the daemon can reload the 
policies?
 
> Alright, so I see that phase1 is established here but I don't see it moving to
> the configuration phase. Is the client set to use the push method? I probably

I'll try both methods and see what happens.  I'm pretty sure I tried it both 
ways, it just sits there saying "sending config pull request".

> need to add a log output line that shows this so this will be more transparent
> in the future. The ike daemon may simply be waiting for the gateway to offer
> the configuration attribute list. If this is the case, perhaps you need to use
> the pull configuration method. The FortiGate doesn't seem to be sending a push
> configuration in its log output so I think this is likely the problem. Do you
> have any sample log output using the pull method?

After the initial contact info it sits, about 8 lines later, at the "sending 
config pull request" and doesn't go any further; none of the DPD stuff.  
Tried it both with NAT-T disabled and enabled, no change. Switch back to the push 
method and I start seeing the DPD messages again on both sides.

Gonna try manual configuration and see what happens. Using the virtual 
adaptor and an address configured in the LAN scope behind the gateway, I 
still end up with DPD messages and no connection. Next tried using the local 
NIC without the virtual adaptor. Same result: DPD messages, no connection 
completed.
-- 
Harondel J. Sibble 
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax)      (604) 686-2253 (pager)