[Vpn-help] shrewsoft not responding to openswan messages during phase I

Matthew Grooms mgrooms at shrew.net
Wed Sep 9 01:42:50 CDT 2009


Mohit Mehta wrote:
> I am trying to establish a VPN connection to openswan using the shrewsoft VPN client. I am using a similar setup as the example on this page - http://lists.openswan.org/pipermail/users/2006-November/011216.html Specifically, I am trying to connect my Windows PC with IP 10.3.0.168 to a box with IP 10.3.0.57 with openswan running on it. The remote network I am trying to access is 192.168.1.0/24, i.e. the private subnet behind the openswan server. 
> 
> On running wireshark on the pc's interface, I can see phase 1 packets going to and received from the openswan server. However, shrewsoft doesn't seem to respond to the message from openswan and keeps retransmitting phase 1 packets and finally times out. Any help or hints with this would be much appreciated.
> 

Hi Mohit,

> 09/09/08 14:53:06 -> : send IKE packet 10.3.0.168:500 -> 10.1.0.57:500 ( 344 bytes )
> 09/09/08 14:53:06 DB : phase1 resend event scheduled ( ref count = 2 )
> 09/09/08 14:53:11 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
> 09/09/08 14:53:16 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
> 09/09/08 14:53:21 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500

This is very peculiar. If the client is able to send packets, then it 
has attached itself properly to your network driver interface. What I 
don't understand is why it would be able to send packets but not see the 
received packets. Wireshark uses an NDIS Protocol driver which is higher 
up the network stack than the Shrew Soft driver. Typically, you wouldn't 
see the return packets in Wireshark because they are already intercepted 
by the Shrew Soft driver at a lower layer.

In the VPN Trace application, do you see the Hits increase for the IKE 
divert firewall rule that gets created for the connection? If so, the 
driver does see the IKE packet and is diverting it to the IKE daemon for 
inspection. If not, the driver is either not seeing the packet or it's 
not evaluating it correctly for some reason.

-Matthew
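The trace lines quoted above show the pattern Matthew is describing: outbound phase 1 packets and resends with no reply ever reaching the IKE daemon. The following is an added example (not part of the thread, and not Shrew Soft's own code) that parses trace lines in the format shown and reports, per peer, how many phase 1 packets went out and whether any reply was logged. The sample trace is constructed from the quoted lines, and the "<- : recv IKE packet" reply format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Shrew Soft trace lines quoted in the thread.
SAMPLE_TRACE = """\
09/09/08 14:53:06 -> : send IKE packet 10.3.0.168:500 -> 10.1.0.57:500 ( 344 bytes )
09/09/08 14:53:06 DB : phase1 resend event scheduled ( ref count = 2 )
09/09/08 14:53:11 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
09/09/08 14:53:16 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
09/09/08 14:53:21 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
"""

# Outbound lines carry "src:port -> dst:port" after the send/resend marker.
SEND_RE = re.compile(
    r"^(?P<ts>\S+ \S+) -> : (?P<kind>send IKE packet|resend \d+ phase1 packet\(s\)) "
    r"(?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+)"
)
# Assumed format for an inbound reply; the peer is the source address there.
RECV_RE = re.compile(
    r"^(?P<ts>\S+ \S+) <- : recv IKE packet (?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+)"
)


def analyse_phase1(trace: str) -> dict:
    """Per peer address: initial sends, retransmits, and replies seen by the client."""
    peers = defaultdict(lambda: {"sent": 0, "resent": 0, "received": 0})
    for line in trace.splitlines():
        m = SEND_RE.match(line)
        if m:
            key = "resent" if m["kind"].startswith("resend") else "sent"
            peers[m["dst"]][key] += 1
            continue
        m = RECV_RE.match(line)
        if m:
            peers[m["src"]]["received"] += 1
    return dict(peers)


def unanswered_peers(trace: str, min_resends: int = 2) -> list:
    """Peers retransmitted to at least min_resends times with no reply logged at all."""
    stats = analyse_phase1(trace)
    return sorted(p for p, s in stats.items()
                  if s["received"] == 0 and s["resent"] >= min_resends)


if __name__ == "__main__":
    for peer, s in analyse_phase1(SAMPLE_TRACE).items():
        print(f"{peer}: sent={s['sent']} resent={s['resent']} received={s['received']}")
    print("no reply from:", unanswered_peers(SAMPLE_TRACE))
```

Because the report keys on the destination the client actually sent to, it is also a quick way to confirm that the address in the trace matches the gateway you intended to configure.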