[Vpn-help] shrewsoft not responding to openswan messages during phase I

Mohit Mehta mohit.mehta at vyatta.com
Thu Sep 10 13:36:17 CDT 2009


Hi Matthew,

Thanks for responding. As it turned out, your suspicion about the driver misbehaving was correct. I switched from using a wired connection that was using Broadcom NetXtreme 57XX device to a wireless connection that's using an Intel device and now I'm able to establish a VPN connection to the openswan server.

However, a different problem I have now is that I cannot ping a host (192.168.74.2) in the remote private subnet (192.168.74.0/24) from my PC. Perhaps a misconfiguration on my part? I do see a route to 192.168.74.0/24 via 192.168.74.5 (virtual adapter address) on my PC after the client has established a connection to the VPN server. The config for both the openswan server and the Shrew Soft client are below:

Shrew Soft config:

n:network-ike-port:500
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:30
n:network-dpd-enable:1
n:network-frag-enable:1
n:network-frag-size:540
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:0
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-list-auto:0
n:phase1-keylen:0
n:phase2-keylen:256
s:network-natt-enable:enable
s:phase2-compress:none
s:policy-list-type:include
s:policy-entry-network:192.168.1.0/255.255.255.0
n:version:2
n:network-mtu-size:1380
n:vendor-chkpt-enable:0
n:policy-nailed:0
s:network-host:10.1.0.57
s:client-auto-mode:pull
s:client-iface:virtual
s:client-ip-addr:192.168.74.5
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:disable
s:auth-method:mutual-psk
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:bW9oaXRtZWh0YQ==
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-list-include:192.168.74.0 / 255.255.255.0
s:client-saved-username:



Config for openswan server:

mars:~# more /etc/ipsec.secrets
10.1.0.57 %any : PSK "mohitmehta"


mars:~# more /etc/ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        plutodebug=controlmore
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn SHREWPSK
        authby=secret
        pfs=no
        type=tunnel
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        #
        left=10.1.0.57
        leftsubnet=192.168.74.0/24
        #
        right=%any
        #
        auto=add
        keyingtries=3

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


Mohit 
----- Matthew Grooms <mgrooms at shrew.net> wrote:
> Mohit Mehta wrote:
> > I am trying to establish a vpn connection to openswan using shrewsoft vpn client. I am using a similar setup as the example on this page - http://lists.openswan.org/pipermail/users/2006-November/011216.html Specifically, I am trying to connect my Windows PC with IP 10.3.0.168 to a box with IP 10.3.0.57 with openswan running on it. The remote network I am trying to access is 192.168.1.0/24 i.e. the private subnet behind the openswan server. 
> > 
> > On running wireshark on the PC's interface, I can see phase 1 packets going to and received from the openswan server. However, shrewsoft doesn't seem to respond to the message from openswan and keeps retransmitting phase 1 packets and finally times out. Any help or hints with this would be much appreciated.
> > 
> 
> Hi Mohit,
> 
> > 09/09/08 14:53:06 -> : send IKE packet 10.3.0.168:500 -> 10.1.0.57:500 ( 344 bytes )
> > 09/09/08 14:53:06 DB : phase1 resend event scheduled ( ref count = 2 )
> > 09/09/08 14:53:11 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
> > 09/09/08 14:53:16 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
> > 09/09/08 14:53:21 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.1.0.57:500
> 
> This is very peculiar. If the client is able to send packets, then it 
> has attached itself properly to your network driver interface. What I 
> don't understand is why it would be able to send packets but not see the 
> received packets. Wireshark uses an NDIS Protocol driver which is higher 
> up the network stack than the Shrew Soft driver. Typically, you wouldn't 
> see the return packets in Wireshark because they are already intercepted 
> by the Shrew Soft driver at a lower layer.
> 
> In the VPN Trace application, do you see the Hits increase for the IKE 
> divert firewall rule that gets created for the connection? If so, the 
> driver does see the IKE packet and is diverting it to the IKE daemon for 
> inspection. If not, the driver is either not seeing the packet or it's 
> not evaluating it correctly for some reason.
> 
> -Matthew
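An added consistency check, not part of the thread and not code from Shrew Soft or openswan: it parses the two configs posted above (a constructed subset of them is embedded inline) and cross-checks the things a reviewer would look at first when phase 1 succeeds but nothing behind the gateway answers. The checks are heuristics, not a diagnosis: (1) the client PSK against ipsec.secrets, noting that the `b:` entries in a Shrew site file are only base64, so `bW9oaXRtZWh0YQ==` is the same "mohitmehta" that appears in ipsec.secrets and both have now been posted in clear; (2) whether the client's virtual adapter address falls inside `leftsubnet`, which the check assumes is a problem because LAN hosts would then ARP for it locally rather than route it back through the gateway; (3) whether the conn opts in to virtual client addresses with a `rightsubnet=vhost:...` line; and (4) whether every client policy network is covered by `leftsubnet`. Function and finding names are my own.

```python
import base64
import ipaddress
import re

# Constructed subset of the Shrew Soft site file from the thread above.
SHREW_CONF = """\
n:policy-list-auto:0
s:network-host:10.1.0.57
s:client-auto-mode:pull
s:client-iface:virtual
s:client-ip-addr:192.168.74.5
s:client-ip-mask:255.255.255.0
s:auth-method:mutual-psk
b:auth-mutual-psk:bW9oaXRtZWh0YQ==
s:policy-list-type:include
s:policy-list-include:192.168.74.0 / 255.255.255.0
"""

# Constructed subset of the posted openswan ipsec.conf / ipsec.secrets.
IPSEC_CONF = """\
conn SHREWPSK
        authby=secret
        left=10.1.0.57
        leftsubnet=192.168.74.0/24
        right=%any
        auto=add
"""
IPSEC_SECRETS = '10.1.0.57 %any : PSK "mohitmehta"\n'


def parse_shrew(text):
    """Parse 'type:key:value' lines. 'n' = number, 's' = string,
    'b' = base64 blob (an encoding, not encryption). Keys may repeat
    (several policy-list-include lines), so every value is a list."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, key, value = line.split(":", 2)
        if kind == "b":
            value = base64.b64decode(value).decode("utf-8", "replace")
        elif kind == "n":
            value = int(value) if value else None
        conf.setdefault(key, []).append(value)
    return conf


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for the conn sections only."""
    conns, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():                       # section header
            m = re.match(r"conn\s+(\S+)", raw)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in raw:       # indented key=value
            key, value = raw.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def parse_ipsec_secrets(text):
    """Return [(selector_list, psk)] for each PSK line."""
    out = []
    for line in text.splitlines():
        m = re.match(r'\s*(.*?)\s*:\s*PSK\s+"([^"]*)"', line)
        if m:
            out.append((m.group(1).split(), m.group(2)))
    return out


def shrew_network(entry):
    """'192.168.74.0 / 255.255.255.0' -> IPv4Network."""
    addr, mask = [p.strip() for p in entry.split("/")]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def cross_check(shrew, conn, secrets):
    """Return [(code, message)] findings; an empty list means nothing flagged."""
    findings = []
    left_subnet = ipaddress.ip_network(conn["leftsubnet"])
    gateway = shrew["network-host"][0]

    # 1. The decoded client PSK must equal the one the server selects for this peer.
    client_psk = shrew.get("auth-mutual-psk", [None])[0]
    server_psks = [psk for sel, psk in secrets if gateway in sel or "%any" in sel]
    if client_psk not in server_psks:
        findings.append(("psk-mismatch", "client PSK differs from ipsec.secrets"))

    if shrew.get("client-iface", [None])[0] == "virtual":
        # 2. Heuristic: a virtual address inside the protected LAN is ARPed for
        #    locally by LAN hosts, so replies never come back through the tunnel
        #    (assumes the gateway does no proxy ARP for it).
        vip = ipaddress.ip_address(shrew["client-ip-addr"][0])
        if vip in left_subnet:
            findings.append(("virtual-ip-in-remote-subnet",
                             f"{vip} lies inside leftsubnet {left_subnet}"))
        # 3. openswan accepts a client-chosen virtual address only when the conn
        #    opts in (rightsubnet=vhost:%priv,%no); worth checking if absent.
        if "rightsubnet" not in conn:
            findings.append(("no-rightsubnet",
                             "conn has no rightsubnet=vhost:... for virtual IPs"))

    # 4. Each included policy network should be covered by leftsubnet, otherwise
    #    the client proposes a phase 2 selector the server will not match.
    for entry in shrew.get("policy-list-include", []):
        net = shrew_network(entry)
        if not net.subnet_of(left_subnet):
            findings.append(("policy-not-in-leftsubnet",
                             f"{net} not within {left_subnet}"))
    return findings


def run_checks():
    """Run the cross-check over the embedded configs."""
    shrew = parse_shrew(SHREW_CONF)
    conn = parse_ipsec_conf(IPSEC_CONF)["SHREWPSK"]
    return cross_check(shrew, conn, parse_ipsec_secrets(IPSEC_SECRETS))


if __name__ == "__main__":
    for code, msg in run_checks():
        print(f"{code}: {msg}")
```

On the posted configs the PSKs agree and the policy network is covered, but the script flags the virtual address 192.168.74.5 sitting inside leftsubnet 192.168.74.0/24 and the missing rightsubnet line; the conventional fix for the first is to hand roadwarriors addresses from a range that is not the LAN itself. Since the PSK is now public, it should be rotated on both sides.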




More information about the vpn-help mailing list