[vpn-help] Linux Road Warrior: Shrew 2.1.5 -> OpenBSD 4.7
Toni Mueller
support-shrew at oeko.net
Wed Apr 7 08:01:25 CDT 2010
Hello,
I'm trying to connect with Shrew 2.1.5 under Debian Testing road
warrior (kernel 2.6.32) to an OpenBSD machine that runs a current
snapshot of OpenBSD (ie, almost 4.7). My desired setup is as follows:
Debian box ---- Internet ---- OpenBSD box (gateway)
192.168.3.1/32 (1.2.3.4) ---- Internet ---- (3.4.5.6) 192.168.1.0/24
- OR -
192.168.3.1/32 (1.2.3.4) ---- Internet ---- (3.4.5.6) 0.0.0.0/0
(ie, an assigned private IP address and a default route through the tunnel)
I've configured the OpenBSD box support IPSEC connections with the
following properties:
Authentication: X.509 certificates (= RSASIG)
I issue the certificates from my own CA.
Phase 1: Debian machine = initiator, OpenBSD machine = responder
main mode, AES 256, SHA1, GRP5
Phase 2: Same thing, plus PFS, plus IKE_CONFIG
With this setup, which works flawlessly with at least older NCP clients
under Windows XP, I have a number of problems:
1. The moment the server sends an IKE_CONFIG packet, the client logs
"config message type is invalid for pull config", and terminates the
connection.
2. If I set "Autoconfiguration" to "disabled" in the "General" tab, and
manually set up a default route in the policies tab, or check
"obtain topology automatically", the connection goes down after a
few moments due to "gateway is not responding".
3. If I set up only a network route, the connection is claimed to be
established from within the client (ikea), but can't be seen on the
gateway.
4. Worst of all, if I ping something in the remote LAN, packets want
to go out of ppp0 with a source and/or destination address in
RFC1918 range. I'm catching these with iptables, but the packets
must only have source and destination addresses in the public IP
space, as I'm using ESP and not AH w/o ESP.
5. At no point have I been able to "see" the LAN I want to connect to.
I've also compiled, and tried, the most recent 2.1.6-*, but things
didn't improve.
It would generally be nice if I could resize the settings window so I
can read everything that is written in there.
Kind regards,
--Toni++
More information about the vpn-help
mailing list