[vpn-help] Linux Road Warrior: Shrew 2.1.5 -> OpenBSD 4.7

Toni Mueller support-shrew at oeko.net
Wed Apr 7 08:01:25 CDT 2010


Hello,

I'm trying to connect with Shrew 2.1.5 under Debian Testing road
warrior (kernel 2.6.32) to an OpenBSD machine that runs a current
snapshot of OpenBSD (i.e., almost 4.7). My desired setup is as follows:

           Debian box ---- Internet ---- OpenBSD box (gateway)

192.168.3.1/32 (1.2.3.4) ---- Internet ---- (3.4.5.6) 192.168.1.0/24

 - OR -

192.168.3.1/32 (1.2.3.4) ---- Internet ---- (3.4.5.6) 0.0.0.0/0

(i.e., an assigned private IP address and a default route through the tunnel)



I've configured the OpenBSD box to support IPsec connections with the
following properties:

Authentication: X.509 certificates (= RSASIG)

I issue the certificates from my own CA.


Phase 1: Debian machine = initiator, OpenBSD machine = responder

main mode, AES 256, SHA1, GRP5

Phase 2: Same thing, plus PFS, plus IKE_CONFIG


With this setup, which works flawlessly with at least older NCP clients
under Windows XP, I have a number of problems:

1. The moment the server sends an IKE_CONFIG packet, the client logs
   "config message type is invalid for pull config", and terminates the
   connection.

2. If I set "Autoconfiguration" to "disabled" in the "General" tab, and
   manually set up a default route in the policies tab, or check
   "obtain topology automatically", the connection goes down after a
   few moments due to "gateway is not responding".

3. If I set up only a network route, the connection is claimed to be
   established from within the client (ikea), but can't be seen on the
   gateway.

4. Worst of all, if I ping something in the remote LAN, packets want
   to go out of ppp0 with a source and/or destination address in
   RFC1918 range. I'm catching these with iptables, but the packets
   must only have source and destination addresses in the public IP
   space, as I'm using ESP and not AH w/o ESP.

5. At no point have I been able to "see" the LAN I want to connect to.


I've also compiled, and tried, the most recent 2.1.6-*, but things
didn't improve.

It would generally be nice if I could resize the settings window so I
can read everything that is written in there.



Kind regards,
--Toni++
