[Vpn-help] shrewsoft not responding to openswan messages during phase I

Mohit Mehta mohit.mehta at vyatta.com
Tue Sep 8 17:08:52 CDT 2009


I am trying to establish a VPN connection to openswan using the shrewsoft VPN client. I am using a similar setup to the example on this page: http://lists.openswan.org/pipermail/users/2006-November/011216.html Specifically, I am trying to connect my Windows PC with IP 10.3.0.168 to a box with IP 10.3.0.57 with openswan running on it. The remote network I am trying to access is 192.168.1.0/24, i.e. the private subnet behind the openswan server.

On running Wireshark on the PC's interface, I can see phase 1 packets going to and received from the openswan server. However, shrewsoft doesn't seem to respond to the message from openswan and keeps retransmitting phase 1 packets and finally times out. Any help or hints with this would be much appreciated.

Please find the relevant configuration below:

Shrewsoft's VPN config:

n:network-ike-port:500
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:30
n:network-dpd-enable:1
n:network-frag-enable:1
n:network-frag-size:540
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:14
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-list-auto:0
n:phase1-keylen:256
n:phase2-keylen:256
s:network-natt-enable:enable
s:phase2-compress:none
s:policy-list-type:include
s:policy-entry-network:192.168.1.0/255.255.255.0
n:version:2
s:network-host:10.1.0.57
s:client-auto-mode:pull
n:network-mtu-size:1380
s:client-iface:virtual
s:client-ip-addr:192.168.1.3
s:client-ip-mask:255.255.255.255
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:bW9oaXRtZWh0YQ==
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
n:vendor-chkpt-enable:0
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
n:policy-nailed:0
s:policy-list-include:192.168.1.0 / 255.255.255.0
s:client-saved-username:


Log on shrewsoft while trying to connect to openswan:

09/09/08 14:53:02 ## : IKE Daemon, ver 2.1.4
09/09/08 14:53:02 ## : Copyright 2008 Shrew Soft Inc.
09/09/08 14:53:02 ## : This product linked OpenSSL 0.9.8h 28 May 2008
09/09/08 14:53:02 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
09/09/08 14:53:02 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
09/09/08 14:53:02 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
09/09/08 14:53:02 ii : rebuilding vnet device list ...
09/09/08 14:53:02 ii : device ROOT\VNET\0000 disabled
09/09/08 14:53:02 ii : network process thread begin ...
09/09/08 14:53:02 ii : ipc server process thread begin ...
09/09/08 14:53:02 ii : pfkey process thread begin ...
09/09/08 14:53:06 ii : ipc client process thread begin ...
09/09/08 14:53:06 <A : peer config add message
09/09/08 14:53:06 DB : peer added ( obj count = 1 )
09/09/08 14:53:06 ii : local address 10.3.0.168:500 selected for peer
09/09/08 14:53:06 DB : tunnel added ( obj count = 1 )
09/09/08 14:53:06 <A : proposal config message
09/09/08 14:53:06 <A : proposal config message
09/09/08 14:53:06 <A : client config message
09/09/08 14:53:06 <A : preshared key message
09/09/08 14:53:06 <A : remote resource message
09/09/08 14:53:06 <A : peer tunnel enable message
09/09/08 14:53:06 DB : new phase1 ( ISAKMP initiator )
09/09/08 14:53:06 DB : exchange type is identity protect
09/09/08 14:53:06 DB : 10.3.0.168:500 <-> 10.1.0.57:500
09/09/08 14:53:06 DB : 99e78855f85c9d1a:0000000000000000
09/09/08 14:53:06 DB : phase1 added ( obj count = 1 )
09/09/08 14:53:06 >> : security association payload
09/09/08 14:53:06 >> : - proposal #1 payload 
09/09/08 14:53:06 >> : -- transform #1 payload 
09/09/08 14:53:06 >> : vendor id payload
09/09/08 14:53:06 ii : local supports nat-t ( draft v00 )
09/09/08 14:53:06 >> : vendor id payload
09/09/08 14:53:06 ii : local supports nat-t ( draft v01 )
09/09/08 14:53:06 >> : vendor id payload
09/09/08 14:53:06 ii : local supports nat-t ( draft v02 )
09/09/08 14:53:06 >> : vendor id payload
09/09/08 14:53:06 ii : local supports nat-t ( draft v03 )
09/09/08 14:53:06 >> : vendor id payload
09/09/08 14:53:06 ii : local supports nat-t ( rfc )
09/09/08 14:53:06 >> : vendor id payload
09/09/08 14:53:06 ii : local supports FRAGMENTATION
09/09/08 14:53:06 >> : vendor id payload
09/09/08 14:53:06 ii : local supports DPDv1
09/09/08 14:53:06 >> : vendor id payload
09/09/08 14:53:06 ii : local is SHREW SOFT compatible
09/09/08 14:53:06 >> : vendor id payload
09/09/08 14:53:06 ii : local is NETSCREEN compatible
09/09/08 14:53:06 >> : vendor id payload
09/09/08 14:53:06 ii : local is SIDEWINDER compatible
09/09/08 14:53:06 >> : vendor id payload
09/09/08 14:53:06 ii : local is CISCO UNITY compatible
09/09/08 14:53:06 >= : cookies 99e78855f85c9d1a:0000000000000000
09/09/08 14:53:06 >= : message 00000000
09/09/08 14:53:06 -> : send IKE packet 10.3.0.168:500 -> 10.1.0.57:500 ( 344 bytes )
09/09/08 14:53:06 DB : phase1 resend event scheduled ( ref count = 2 )
09/09/08 14:53:11 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
09/09/08 14:53:16 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
09/09/08 14:53:21 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
09/09/08 14:53:26 ii : resend limit exceeded for phase1 exchange
09/09/08 14:53:26 ii : phase1 removal before expire time
09/09/08 14:53:26 DB : phase1 deleted ( obj count = 0 )
09/09/08 14:53:26 DB : policy not found
09/09/08 14:53:26 DB : policy not found
09/09/08 14:53:26 DB : tunnel stats event canceled ( ref count = 1 )
09/09/08 14:53:26 DB : removing tunnel config references
09/09/08 14:53:26 DB : removing tunnel phase2 references
09/09/08 14:53:26 DB : removing tunnel phase1 references
09/09/08 14:53:26 DB : tunnel deleted ( obj count = 0 )
09/09/08 14:53:27 DB : removing all peer tunnel refrences
09/09/08 14:53:27 DB : peer deleted ( obj count = 0 )
09/09/08 14:53:27 ii : ipc client process thread exit ...
09/09/08 14:54:59 ii : halt signal received, shutting down
09/09/08 14:54:59 ii : ipc server process thread exit ...
09/09/08 14:54:59 ii : pfkey process thread exit ...
09/09/08 14:54:59 ii : network process thread exit ...


Openswan's config:

mars:~# more /etc/ipsec.secrets
10.1.0.57 %any : PSK "mohitmehta"

mars:~# more /etc/ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        plutodebug=controlmore
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nhelpers=0

conn xauth-roadwarriors
        authby=secret
        pfs=no
        type=tunnel
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        #
        left=10.1.0.57
        leftsubnet=192.168.1.0/24
        #
        right=%any
        rightsubnet=192.168.1.3/32
        #
        auto=add
        keyingtries=3

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


Logs on openswan's side:

 packet from 10.3.0.168:500: received Vendor ID payload [XAUTH]
 packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
 packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
 packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
 packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
 packet from 10.3.0.168:500: received Vendor ID payload [RFC 3947] method set to=109
 packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
 packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
 packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
 packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [12f5f28c457168a9702d9fe274cc0204]
 "xauth-roadwarriors"[1] 10.3.0.168 #3: Aggressive mode peer ID is ID_FQDN: '@mohit'
 "xauth-roadwarriors"[1] 10.3.0.168 #3: responding to Aggressive Mode, state #3, connection "xauth-roadwarriors" from 10.3.0.168
 "xauth-roadwarriors"[1] 10.3.0.168 #3: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
 "xauth-roadwarriors"[1] 10.3.0.168 #3: STATE_AGGR_R1: sent AR1, expecting AI2
....
same messages repeated below as above
....
 packet from 10.3.0.168:500: received Vendor ID payload [XAUTH]
 packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
 packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
 packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
 packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
 packet from 10.3.0.168:500: received Vendor ID payload [RFC 3947] method set to=109
 packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
 packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
 packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
 packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [12f5f28c457168a9702d9fe274cc0204]
 "xauth-roadwarriors"[1] 10.3.0.168 #4: Aggressive mode peer ID is ID_FQDN: '@mohit'
 "xauth-roadwarriors"[1] 10.3.0.168 #4: responding to Aggressive Mode, state #4, connection "xauth-roadwarriors" from 10.3.0.168
 "xauth-roadwarriors"[1] 10.3.0.168 #4: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
 "xauth-roadwarriors"[1] 10.3.0.168 #4: STATE_AGGR_R1: sent AR1, expecting AI2


Mohit
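One way to cross-check the two logs in this post, as an added example that is not from the post or from either project: it parses the exchange type each side reports (the client's "identity protect", i.e. main mode, versus the "Aggressive Mode" pluto says it is answering) and the peer ID pluto parsed (ID_FQDN '@mohit', while the client config sets ident-client-type to address), and lists every disagreement together with the client's retransmit-then-timeout pattern. The sample log lines are constructed excerpts of the logs quoted above; the "responding to Main Mode" wording and the ID_IPV4_ADDR name are assumed pluto strings, not taken from the page.

```python
import re
# Constructed excerpts modelled on the two logs in the post (not the full logs).
SHREW_LOG = """\
09/09/08 14:53:06 DB : exchange type is identity protect
09/09/08 14:53:06 -> : send IKE packet 10.3.0.168:500 -> 10.1.0.57:500 ( 344 bytes )
09/09/08 14:53:11 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
09/09/08 14:53:16 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
09/09/08 14:53:26 ii : resend limit exceeded for phase1 exchange
"""
PLUTO_LOG = """\
"xauth-roadwarriors"[1] 10.3.0.168 #3: Aggressive mode peer ID is ID_FQDN: '@mohit'
"xauth-roadwarriors"[1] 10.3.0.168 #3: responding to Aggressive Mode, state #3, connection "xauth-roadwarriors" from 10.3.0.168
"xauth-roadwarriors"[1] 10.3.0.168 #3: STATE_AGGR_R1: sent AR1, expecting AI2
"""
# iked logs main mode under its ISAKMP name, "identity protect".
SHREW_EXCHANGE = {"identity protect": "main", "aggressive": "aggressive"}
# Shrew Soft ident-*-type values mapped to pluto ID type names (ID_IPV4_ADDR assumed).
IDENT_TYPE = {"address": "ID_IPV4_ADDR", "fqdn": "ID_FQDN"}
def parse_shrew(text):
    # Exchange type the client initiated, plus its phase 1 retransmit behaviour.
    info = {"exchange": None, "resends": 0, "gave_up": False}
    for line in text.splitlines():
        if m := re.search(r"exchange type is (.+)$", line):
            info["exchange"] = SHREW_EXCHANGE.get(m.group(1).strip())
        info["resends"] += bool(re.search(r"resend \d+ phase1 packet", line))
        info["gave_up"] |= "resend limit exceeded for phase1" in line
    return info

def parse_pluto(text):
    # Exchange pluto answered and the peer ID it parsed from the first packet.
    info = {"exchange": None, "peer_id": None}
    for line in text.splitlines():
        if "responding to Aggressive Mode" in line:
            info["exchange"] = "aggressive"
        elif "responding to Main Mode" in line:  # assumed wording for the main-mode case
            info["exchange"] = "main"
        if m := re.search(r"peer ID is (ID_\w+): '([^']*)'", line):
            info["peer_id"] = (m.group(1), m.group(2))
    return info

def diagnose(shrew, pluto, ident_client_type):
    # Cross-check both sides; each finding is a disagreement the operator should reconcile.
    findings = []
    if shrew["exchange"] and pluto["exchange"] and shrew["exchange"] != pluto["exchange"]:
        findings.append(f"exchange mismatch: client sent {shrew['exchange']}, server answered {pluto['exchange']}")
    want = IDENT_TYPE.get(ident_client_type)
    if want and pluto["peer_id"] and pluto["peer_id"][0] != want:
        findings.append(f"peer ID mismatch: client configured {want}, server saw {pluto['peer_id'][0]} {pluto['peer_id'][1]}")
    if shrew["gave_up"]:
        findings.append(f"client never accepted a reply: {shrew['resends']} retransmits, then phase 1 timeout")
    return findings
```

Run `diagnose(parse_shrew(SHREW_LOG), parse_pluto(PLUTO_LOG), "address")` on the real iked.log and pluto output to get the same three-line comparison for a live failure.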


