[Vpn-help] Shrew v. 2.1.4 Openswan 2.4.6.1

Matthew Grooms mgrooms at shrew.net
Fri Nov 21 09:01:12 CST 2008


Stefan Bauer wrote:
> Matthew Grooms schrieb:
>> Hmmm, not a lot to work with here. It looks like the only information 
>> being logged is related to packet reception. I would venture to guess 
>> that the log level is set too low to be of any use in identifying or 
>> resolving the problem.

Stefan,

If I understand correctly, the SWAN products are really two separate 
components: Klips, which is the kernel mode IPsec processing engine, and 
Pluto, which is the user mode IKE daemon (similar to iked). The log 
output you have attached appears to be the klips output, which would 
explain why it only depicts packet traffic and key management events. 
The "IKE packet - not handled here" messages confirm this, since the 
kernel mode portion would pass a non-ESP-IN-UDP packet up to the user 
mode IKE daemon for processing, and this is completely normal.

> klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [1].
> klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:340 id:1303 frag_off:0
> ttl:54 proto:17 (UDP) chk:26227 saddr:85.181.184.81:500 daddr:10.8.0.1:500
> klips_debug:ipsec_rcv: IKE packet - not handled here

Please take a look at the Pluto log output which will contain the info 
related to the IKE exchange failure. As I mentioned previously, I'm far 
from an *SWAN expert or I would offer some more detailed advice. The 
OpenSWAN wiki seems to be down at the moment but here is one copy of a 
man page for pluto. I have no idea how current it is ...

http://linux.die.net/man/8/ipsec_pluto

Hope this helps,

-Matthew
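
The kernel/user-mode split described in the message above, as an added example that is not part of the original post and is not KLIPS or Pluto code. It goes beyond the port 500 case in the log and follows the RFC 3948 framing rules (non-ESP marker, NAT-keepalive) and the RFC 2408 ISAKMP header; the function names and the sample packet are constructed for illustration.

```python
import struct

IKE_PORT, NATT_PORT = 500, 4500
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 fixed header, 28 bytes
NON_ESP_MARKER = b"\x00" * 4                # RFC 3948 section 2.2

def check_ike(data):
    """Sanity-check an ISAKMP header before it goes to the IKE daemon."""
    if len(data) < ISAKMP_HDR.size:
        return ("malformed", "shorter than an ISAKMP header")
    icookie, _rc, _np, ver, xchg, _fl, _mid, length = ISAKMP_HDR.unpack_from(data)
    if icookie == b"\x00" * 8:
        return ("malformed", "zero initiator cookie")
    if length > len(data):
        return ("malformed", f"header says {length} bytes, got {len(data)}")
    return ("ike", f"version {ver >> 4}.{ver & 15}, exchange type {xchg}")

def classify(dport, payload):
    """Decide who owns one UDP payload: 'ike' (user mode) or 'esp' (kernel)."""
    if dport == IKE_PORT:
        return check_ike(payload)           # port 500 carries IKE with no marker
    if dport != NATT_PORT:
        return ("other", "not an IPsec port")
    if payload == b"\xff":
        return ("keepalive", "NAT-keepalive, silently dropped")
    if len(payload) < 8:
        return ("malformed", "too short for a marker or an ESP header")
    if payload[:4] == NON_ESP_MARKER:
        return check_ike(payload[4:])       # IKE behind the non-ESP marker
    spi, seq = struct.unpack_from("!II", payload)
    return ("esp", f"SPI {spi:#010x}, sequence {seq}")

def sample_ike(total=312):
    """Constructed IKEv1 main-mode header plus zero padding (not a capture)."""
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, total)
    return hdr + b"\x00" * (total - ISAKMP_HDR.size)

if __name__ == "__main__":
    ike = sample_ike()   # 312 = tlen 340 - 20 (IP header) - 8 (UDP header)
    for port, data in [(500, ike), (4500, NON_ESP_MARKER + ike),
                       (4500, struct.pack("!II", 0x1000, 1) + b"\x00" * 32),
                       (4500, b"\xff")]:
        print(port, *classify(port, data))
```

Only the payloads classified as `ike` would show up in the IKE daemon's log; the rest are handled or dropped at the kernel layer, which is why the kernel debug output alone cannot explain a failed IKE exchange.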


