[Vpn-help] shrewsoft not responding to openswan messages during phase I

Mohit Mehta mohit.mehta at vyatta.com
Tue Sep 8 17:57:55 CDT 2009


Corrections to previous post -

While connecting from 10.3.0.168 (using shrewsoft) to 10.1.0.57 (running openswan), openswan on 10.1.0.57 logs -

Sep  8 15:44:07 mars pluto[14235]: packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep  8 15:44:07 mars pluto[14235]: packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Sep  8 15:44:07 mars pluto[14235]: packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Sep  8 15:44:07 mars pluto[14235]: packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Sep  8 15:44:07 mars pluto[14235]: packet from 10.3.0.168:500: received Vendor ID payload [RFC 3947] method set to=109
Sep  8 15:44:07 mars pluto[14235]: packet from 10.3.0.168:500: received Vendor ID payload [Dead Peer Detection]
Sep  8 15:44:07 mars pluto[14235]: packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
Sep  8 15:44:07 mars pluto[14235]: packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
Sep  8 15:44:07 mars pluto[14235]: packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
Sep  8 15:44:07 mars pluto[14235]: packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [12f5f28c457168a9702d9fe274cc0204]
Sep  8 15:44:07 mars pluto[14235]: "xauth-roadwarriors"[2] 10.3.0.168 #23: responding to Main Mode from unknown peer 10.3.0.168
Sep  8 15:44:07 mars pluto[14235]: "xauth-roadwarriors"[2] 10.3.0.168 #23: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep  8 15:44:07 mars pluto[14235]: "xauth-roadwarriors"[2] 10.3.0.168 #23: STATE_MAIN_R1: sent MR1, expecting MI2

The messages above are repeated again below -

Sep  8 15:44:12 mars pluto[14235]: packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep  8 15:44:12 mars pluto[14235]: packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Sep  8 15:44:12 mars pluto[14235]: packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Sep  8 15:44:12 mars pluto[14235]: packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Sep  8 15:44:12 mars pluto[14235]: packet from 10.3.0.168:500: received Vendor ID payload [RFC 3947] method set to=109
Sep  8 15:44:12 mars pluto[14235]: packet from 10.3.0.168:500: received Vendor ID payload [Dead Peer Detection]
Sep  8 15:44:12 mars pluto[14235]: packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
Sep  8 15:44:12 mars pluto[14235]: packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
Sep  8 15:44:12 mars pluto[14235]: packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
Sep  8 15:44:12 mars pluto[14235]: packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [12f5f28c457168a9702d9fe274cc0204]
Sep  8 15:44:12 mars pluto[14235]: "xauth-roadwarriors"[2] 10.3.0.168 #24: responding to Main Mode from unknown peer 10.3.0.168
Sep  8 15:44:12 mars pluto[14235]: "xauth-roadwarriors"[2] 10.3.0.168 #24: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep  8 15:44:12 mars pluto[14235]: "xauth-roadwarriors"[2] 10.3.0.168 #24: STATE_MAIN_R1: sent MR1, expecting MI2


Mohit

----- Mohit Mehta <mohit.mehta at vyatta.com> wrote:
> I am trying to establish a VPN connection to openswan using the shrewsoft VPN client. I am using a similar setup to the example on this page - http://lists.openswan.org/pipermail/users/2006-November/011216.html Specifically, I am trying to connect my Windows PC with IP 10.3.0.168 to a box with IP 10.3.0.57 with openswan running on it. The remote network I am trying to access is 192.168.1.0/24, i.e. the private subnet behind the openswan server.
> 
> On running wireshark on the pc's interface, I can see phase 1 packets going to and received from the openswan server. However, shrewsoft doesn't seem to respond to the message from openswan and keeps retransmitting phase 1 packets and finally times out. Any help or hints with this would be much appreciated.
> 
> Please find relevant configuration below -
> 
> Shrewsoft's vpn config :
> 
> n:network-ike-port:500
> n:client-addr-auto:0
> n:network-natt-port:4500
> n:network-natt-rate:30
> n:network-dpd-enable:1
> n:network-frag-enable:1
> n:network-frag-size:540
> n:client-banner-enable:0
> n:network-notify-enable:1
> n:client-wins-used:0
> n:client-wins-auto:1
> n:client-dns-used:0
> n:client-dns-auto:0
> n:client-splitdns-used:0
> n:client-splitdns-auto:0
> n:phase1-dhgroup:14
> n:phase1-life-secs:86400
> n:phase1-life-kbytes:0
> n:phase2-life-secs:3600
> n:phase2-life-kbytes:0
> n:policy-list-auto:0
> n:phase1-keylen:256
> n:phase2-keylen:256
> s:network-natt-enable:enable
> s:phase2-compress:none
> s:policy-list-type:include
> s:policy-entry-network:192.168.1.0/255.255.255.0
> n:version:2
> s:network-host:10.1.0.57
> s:client-auto-mode:pull
> n:network-mtu-size:1380
> s:client-iface:virtual
> s:client-ip-addr:192.168.1.3
> s:client-ip-mask:255.255.255.255
> s:network-natt-mode:enable
> s:network-frag-mode:enable
> s:auth-method:mutual-psk
> s:ident-client-type:address
> s:ident-server-type:address
> b:auth-mutual-psk:bW9oaXRtZWh0YQ==
> s:phase1-exchange:main
> s:phase1-cipher:aes
> s:phase1-hash:sha1
> n:vendor-chkpt-enable:0
> s:phase2-transform:esp-aes
> s:phase2-hmac:sha1
> s:ipcomp-transform:disabled
> n:phase2-pfsgroup:-1
> n:policy-nailed:0
> s:policy-list-include:192.168.1.0 / 255.255.255.0
> s:client-saved-username:
> 
> 
> Log on shrewsoft while trying to connect to openswan :
> 
> 09/09/08 14:53:02 ## : IKE Daemon, ver 2.1.4
> 09/09/08 14:53:02 ## : Copyright 2008 Shrew Soft Inc.
> 09/09/08 14:53:02 ## : This product linked OpenSSL 0.9.8h 28 May 2008
> 09/09/08 14:53:02 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
> 09/09/08 14:53:02 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
> 09/09/08 14:53:02 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
> 09/09/08 14:53:02 ii : rebuilding vnet device list ...
> 09/09/08 14:53:02 ii : device ROOT\VNET\0000 disabled
> 09/09/08 14:53:02 ii : network process thread begin ...
> 09/09/08 14:53:02 ii : ipc server process thread begin ...
> 09/09/08 14:53:02 ii : pfkey process thread begin ...
> 09/09/08 14:53:06 ii : ipc client process thread begin ...
> 09/09/08 14:53:06 <A : peer config add message
> 09/09/08 14:53:06 DB : peer added ( obj count = 1 )
> 09/09/08 14:53:06 ii : local address 10.3.0.168:500 selected for peer
> 09/09/08 14:53:06 DB : tunnel added ( obj count = 1 )
> 09/09/08 14:53:06 <A : proposal config message
> 09/09/08 14:53:06 <A : proposal config message
> 09/09/08 14:53:06 <A : client config message
> 09/09/08 14:53:06 <A : preshared key message
> 09/09/08 14:53:06 <A : remote resource message
> 09/09/08 14:53:06 <A : peer tunnel enable message
> 09/09/08 14:53:06 DB : new phase1 ( ISAKMP initiator )
> 09/09/08 14:53:06 DB : exchange type is identity protect
> 09/09/08 14:53:06 DB : 10.3.0.168:500 <-> 10.1.0.57:500
> 09/09/08 14:53:06 DB : 99e78855f85c9d1a:0000000000000000
> 09/09/08 14:53:06 DB : phase1 added ( obj count = 1 )
> 09/09/08 14:53:06 >> : security association payload
> 09/09/08 14:53:06 >> : - proposal #1 payload 
> 09/09/08 14:53:06 >> : -- transform #1 payload 
> 09/09/08 14:53:06 >> : vendor id payload
> 09/09/08 14:53:06 ii : local supports nat-t ( draft v00 )
> 09/09/08 14:53:06 >> : vendor id payload
> 09/09/08 14:53:06 ii : local supports nat-t ( draft v01 )
> 09/09/08 14:53:06 >> : vendor id payload
> 09/09/08 14:53:06 ii : local supports nat-t ( draft v02 )
> 09/09/08 14:53:06 >> : vendor id payload
> 09/09/08 14:53:06 ii : local supports nat-t ( draft v03 )
> 09/09/08 14:53:06 >> : vendor id payload
> 09/09/08 14:53:06 ii : local supports nat-t ( rfc )
> 09/09/08 14:53:06 >> : vendor id payload
> 09/09/08 14:53:06 ii : local supports FRAGMENTATION
> 09/09/08 14:53:06 >> : vendor id payload
> 09/09/08 14:53:06 ii : local supports DPDv1
> 09/09/08 14:53:06 >> : vendor id payload
> 09/09/08 14:53:06 ii : local is SHREW SOFT compatible
> 09/09/08 14:53:06 >> : vendor id payload
> 09/09/08 14:53:06 ii : local is NETSCREEN compatible
> 09/09/08 14:53:06 >> : vendor id payload
> 09/09/08 14:53:06 ii : local is SIDEWINDER compatible
> 09/09/08 14:53:06 >> : vendor id payload
> 09/09/08 14:53:06 ii : local is CISCO UNITY compatible
> 09/09/08 14:53:06 >= : cookies 99e78855f85c9d1a:0000000000000000
> 09/09/08 14:53:06 >= : message 00000000
> 09/09/08 14:53:06 -> : send IKE packet 10.3.0.168:500 -> 10.1.0.57:500 ( 344 bytes )
> 09/09/08 14:53:06 DB : phase1 resend event scheduled ( ref count = 2 )
> 09/09/08 14:53:11 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
> 09/09/08 14:53:16 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
> 09/09/08 14:53:21 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
> 09/09/08 14:53:26 ii : resend limit exceeded for phase1 exchange
> 09/09/08 14:53:26 ii : phase1 removal before expire time
> 09/09/08 14:53:26 DB : phase1 deleted ( obj count = 0 )
> 09/09/08 14:53:26 DB : policy not found
> 09/09/08 14:53:26 DB : policy not found
> 09/09/08 14:53:26 DB : tunnel stats event canceled ( ref count = 1 )
> 09/09/08 14:53:26 DB : removing tunnel config references
> 09/09/08 14:53:26 DB : removing tunnel phase2 references
> 09/09/08 14:53:26 DB : removing tunnel phase1 references
> 09/09/08 14:53:26 DB : tunnel deleted ( obj count = 0 )
> 09/09/08 14:53:27 DB : removing all peer tunnel refrences
> 09/09/08 14:53:27 DB : peer deleted ( obj count = 0 )
> 09/09/08 14:53:27 ii : ipc client process thread exit ...
> 09/09/08 14:54:59 ii : halt signal received, shutting down
> 09/09/08 14:54:59 ii : ipc server process thread exit ...
> 09/09/08 14:54:59 ii : pfkey process thread exit ...
> 09/09/08 14:54:59 ii : network process thread exit ...
> 
> 
> Openswan's config -
> 
> mars:~# more /etc/ipsec.secrets
> 10.1.0.57 %any : PSK "mohitmehta"
> 
> mars:~# more /etc/ipsec.conf
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
>         plutodebug=controlmore
>         protostack=netkey
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>         nhelpers=0
> 
> conn xauth-roadwarriors
>         authby=secret
>         pfs=no
>         type=tunnel
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=clear
>         #
>         left=10.1.0.57
>         leftsubnet=192.168.1.0/24
>         #
>         right=%any
>         rightsubnet=192.168.1.3/32
>         #
>         auto=add
>         keyingtries=3
> 
> # sample VPN connections, see /etc/ipsec.d/examples/
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> 
> Logs on openswan's side :
> 
>  packet from 10.3.0.168:500: received Vendor ID payload [XAUTH]
>  packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>  packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
>  packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
>  packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
>  packet from 10.3.0.168:500: received Vendor ID payload [RFC 3947] method set to=109
>  packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
>  packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
>  packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
>  packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [12f5f28c457168a9702d9fe274cc0204]
>  "xauth-roadwarriors"[1] 10.3.0.168 #3: Aggressive mode peer ID is ID_FQDN: '@mohit'
>  "xauth-roadwarriors"[1] 10.3.0.168 #3: responding to Aggressive Mode, state #3, connection "xauth-roadwarriors" from 10.3.0.168
>  "xauth-roadwarriors"[1] 10.3.0.168 #3: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
>  "xauth-roadwarriors"[1] 10.3.0.168 #3: STATE_AGGR_R1: sent AR1, expecting AI2
> ....
> same messages repeated below as above
> ....
>  packet from 10.3.0.168:500: received Vendor ID payload [XAUTH]
>  packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>  packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
>  packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
>  packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
>  packet from 10.3.0.168:500: received Vendor ID payload [RFC 3947] method set to=109
>  packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
>  packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
>  packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
>  packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [12f5f28c457168a9702d9fe274cc0204]
>  "xauth-roadwarriors"[1] 10.3.0.168 #4: Aggressive mode peer ID is ID_FQDN: '@mohit'
>  "xauth-roadwarriors"[1] 10.3.0.168 #4: responding to Aggressive Mode, state #4, connection "xauth-roadwarriors" from 10.3.0.168
>  "xauth-roadwarriors"[1] 10.3.0.168 #4: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
>  "xauth-roadwarriors"[1] 10.3.0.168 #4: STATE_AGGR_R1: sent AR1, expecting AI2
> 
> 
> Mohit
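The two logs in this thread describe the same stall from opposite ends: for every retry pluto reaches STATE_MAIN_R1 and reports "sent MR1, expecting MI2", while iked only ever logs sends and resends before giving up. As an added example (not from the thread and not code from either project), the Python below parses both log formats over constructed lines modelled on the excerpts and reports which side the phase 1 exchange stopped on; the iked "<- : recv IKE packet" wording for an inbound packet is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the pluto and iked excerpts in the thread.
PLUTO_LOG = """Sep  8 15:44:07 mars pluto[14235]: "xauth-roadwarriors"[2] 10.3.0.168 #23: responding to Main Mode from unknown peer 10.3.0.168
Sep  8 15:44:07 mars pluto[14235]: "xauth-roadwarriors"[2] 10.3.0.168 #23: STATE_MAIN_R1: sent MR1, expecting MI2
Sep  8 15:44:12 mars pluto[14235]: "xauth-roadwarriors"[2] 10.3.0.168 #24: responding to Main Mode from unknown peer 10.3.0.168
Sep  8 15:44:12 mars pluto[14235]: "xauth-roadwarriors"[2] 10.3.0.168 #24: STATE_MAIN_R1: sent MR1, expecting MI2"""
IKED_LOG = """09/09/08 14:53:06 -> : send IKE packet 10.3.0.168:500 -> 10.1.0.57:500 ( 344 bytes )
09/09/08 14:53:11 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
09/09/08 14:53:26 ii : resend limit exceeded for phase1 exchange"""

PLUTO_NEW_SA = re.compile(r'#(?P<sa>\d+): responding to (?P<mode>Main|Aggressive) Mode')
PLUTO_STATE = re.compile(r'#(?P<sa>\d+): (?P<state>STATE_(?:MAIN|AGGR)_R\d): sent (?P<sent>\w+), expecting (?P<expect>\w+)')
IKED_EVENTS = {
    'sent': re.compile(r'-> : send IKE packet'),
    'resent': re.compile(r'-> : resend \d+ phase1 packet'),
    'received': re.compile(r'<- : recv IKE packet'),   # assumed iked wording for an inbound packet
    'gave_up': re.compile(r'resend limit exceeded for phase1'),
}

def responder_view(pluto_text):
    """Per ISAKMP SA number: exchange mode and the last responder state pluto reported."""
    sas = {}
    for line in pluto_text.splitlines():
        if m := PLUTO_NEW_SA.search(line):
            sas.setdefault(m['sa'], {})['mode'] = m['mode']
        if m := PLUTO_STATE.search(line):
            sas.setdefault(m['sa'], {}).update(state=m['state'], sent=m['sent'], expecting=m['expect'])
    return sas

def initiator_view(iked_text):
    """Count what the Shrew Soft initiator sent, resent and received, and whether it gave up."""
    counts = Counter()
    for line in iked_text.splitlines():
        for name, pat in IKED_EVENTS.items():
            if pat.search(line):
                counts[name] += 1
    return counts

def diagnose(pluto_text, iked_text):
    """Say on which side of the phase 1 exchange the stall is."""
    sas, init = responder_view(pluto_text), initiator_view(iked_text)
    if not sas:
        return 'NO_RESPONDER_ACTIVITY'      # the initiator's first packet never reached pluto
    if any(s.get('state', '').endswith(('R2', 'R3')) for s in sas.values()):
        return 'PROGRESSED'                 # both sides got past the first round trip
    if init['received'] == 0:
        return 'REPLY_NOT_RECEIVED'         # pluto sent MR1/AR1 for every SA but the client saw nothing
    return 'REPLY_RECEIVED_BUT_IGNORED'     # client got a packet yet kept resending: client-side parse/proposal problem
```

A REPLY_NOT_RECEIVED verdict points at the return path for UDP/500 (host firewall, NAT, or routing on the client side) rather than at the proposals, since pluto only sends MR1 after accepting the client's SA payload.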