[vpn-help] Can't ping/ssh over vpn [Shrew Soft ver 2.1.5 on Ubuntu 10.04]

Gaurav gaurav.knangla at gmail.com
Thu Apr 29 10:43:08 CDT 2010


All,

I found Mathew's original post:
http://lists.shrew.net/mailman/htdig/vpn-help/2008-November/001827.html on
the subject.

I edited my /etc/sysctl.d/10-network-security.conf as directed, and my
sysctl rp_filter options are all set to 0 (see below), *but things didn't work
out*.

desktop:~$ sudo sysctl -a | grep rp_filter | grep -v arp
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.vmnet1.rp_filter = 0
net.ipv4.conf.vmnet8.rp_filter = 0
net.ipv4.conf.tap0.rp_filter = 0

I still face the kernel dropping packets even though I've set all rp_filter
options to 0; to quote Mathew from the original thread
(http://lists.shrew.net/mailman/htdig/vpn-help/2008-November/001827.html):
"the client can establish a connection and negotiate IPSec SAs, but return
traffic never makes it to the userland applications...ping displays the
following stalled output...even though you can see response packets using
tcpdump"

Has anyone else run into this problem on Ubuntu 10.04?

I really need this to be resolved.

Thanks,

Gaurav
pgp.mit.edu - PubkeyID:0x1bf31eef13ee431e
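As an added illustration of the rp_filter check that Oliver and Mathew's thread point at (this is editor-added shell, not code from the thread or from the Shrew Soft client), the script below does three things: it computes the value the kernel actually applies per interface, which under Linux is the larger of net.ipv4.conf.all.rp_filter and the per-interface knob, so a 0 on tap0 is not enough while "all" stays at 1; it reproduces the strict reverse-path test (longest-prefix route lookup for the source address, accept only if that route leaves via the interface the packet arrived on) against a route -n table; and, in live mode, it turns on log_martians so that anything rp_filter rejects shows up in dmesg as a "martian source". The sysctl and route samples are constructed to mirror the poster's output, and the function names (effective_rp_filter, audit_rp_filter, rpf_lookup, live_check) and the script filename are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from Shrew Soft). Assumptions: Linux
# semantics where the value applied to an interface is
# max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<iface>.rp_filter), and
# "route -n" style tables (dotted-quad netmasks, 8 columns). sysctl prints "/"
# instead of "." inside interface names (eth0/100), so dots only separate keys.

# effective_rp_filter ALL IFACE: the value the kernel really applies to IFACE.
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# audit_rp_filter: read "sysctl -a" output on stdin, print "<iface> <effective>".
# The key name is matched exactly, so arp_filter lines are ignored without a grep -v.
audit_rp_filter() {
    awk -F'[ .=]+' '
        $1 == "net" && $2 == "ipv4" && $3 == "conf" && $5 == "rp_filter" { v[$4] = $6 }
        END {
            all = ("all" in v) ? v["all"] + 0 : 0
            for (i in v) {
                if (i == "all" || i == "default") continue
                eff = (v[i] + 0 > all) ? v[i] + 0 : all
                printf "%s %d\n", i, eff
            }
        }' | sort
}

# rpf_lookup SRC IFACE < route-table: strict reverse-path test (rp_filter=1) for a
# packet from SRC arriving on IFACE. Longest-prefix-match SRC; "accept" if the best
# route leaves via IFACE, "drop" otherwise. Loose mode (2) is not modelled.
rpf_lookup() {
    awk -v src="$1" -v ifc="$2" '
        # octet & mask == int(octet / (256 - mask)) * (256 - mask) for a contiguous mask
        function member(s, d, m,   i, ss, dd, mm, step) {
            split(s, ss, "[.]"); split(d, dd, "[.]"); split(m, mm, "[.]")
            for (i = 1; i <= 4; i++) {
                step = 256 - mm[i]
                if (int(ss[i] / step) * step != dd[i] + 0) return 0
            }
            return 1
        }
        function masklen(m,   i, mm, n, x) {
            split(m, mm, "[.]"); n = 0
            for (i = 1; i <= 4; i++) { x = mm[i] + 0; while (x > 0) { n += x % 2; x = int(x / 2) } }
            return n
        }
        BEGIN { best = -1; bestif = "" }
        NF >= 8 && $1 ~ /^[0-9.]+$/ && member(src, $1, $3) && masklen($3) > best {
            best = masklen($3); bestif = $8
        }
        END { print (bestif == ifc) ? "accept" : "drop" }'
}

# Constructed sample in the poster's "sysctl -a" format, but with the "all" knob
# left at 1 to show why a 0 on tap0 alone is not enough.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.tap0.rp_filter = 0'

# Constructed "route -n" excerpt with the same shape as the poster's table.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.17.48.31    192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
10.10.7.0       192.168.20.141  255.255.255.0   UG    0      0        0 tap0
172.17.32.0     192.168.20.141  255.255.240.0   UG    0      0        0 tap0
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'

# Live checks, to run as root on the affected box: effective values, then make the
# kernel log what rp_filter rejects as "martian source", then the reverse-path
# verdict for a remote host as seen from the tunnel interface.
live_check() {
    iface=$1; src=$2
    sysctl -a 2>/dev/null | audit_rp_filter
    sysctl -w net.ipv4.conf.all.log_martians=1
    sysctl -w "net.ipv4.conf.$iface.log_martians=1"
    route -n | rpf_lookup "$src" "$iface"
    dmesg | grep -i martian | tail -n 5
}

if [ "${1:-}" = "live" ]; then
    live_check "${2:-tap0}" "${3:-172.17.48.31}"
fi
```

Run it as root with `sh rpf_check.sh live tap0 172.17.48.31` (filename assumed), then ping the remote host and look for "martian source" in dmesg. Two caveats that matter for this thread: a packet that rp_filter rejects has already been counted in the interface's RX counter, so if tap0's "RX packets" stays at 0 while the ping runs (as in the ifconfig output quoted further down), the replies never reached the tap interface at all and rp_filter is not what drops them; and if nothing is logged as martian with log_martians on, the next places to look are iptables (`iptables -L -n -v`) and the kernel IPsec policy and SA databases (`setkey -DP` and `setkey -D` from ipsec-tools), since the iked log's X_SPDDUMP failure shows the daemon is talking to that SPD.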



On Thu, Apr 29, 2010 at 2:37 PM, oliver <Oliver at triplere.com> wrote:

>  Hi Gaurav,
>
> I had the same problem, also on 10.04. Unfortunately I didn't save the details,
> but there is a thread (by Mathew, I think) that describes this issue. It
> seems that even though the connection is established, the packets don't get
> through, and that can be changed by editing
> /etc/sysctl.d/10-network-security.conf ... that's as much as I can recall;
> the keyword, AFAIR, is "rp_filter".
>
>
> It's not much help, I'm afraid, but it should give you an idea what to look
> for.
>
> Rgds
> Oliver
>
>
>
> On 29/04/2010 10:44, Gaurav wrote:
>
>  Hi All,
>
>  I raised this issue earlier. I couldn't resolve it, so I'd like to
> raise it once again with all the debugging info in one place.
>
>  Hope it helps; I so don't want to run a Windows VM just for VPN
> access.
>
>  *Original post:*
> I've been using the Shrew Soft client for years on Windows without any
> problems.
>
>  I recently switched to Ubuntu 10.04 once and for all, but ran into issues
> with an imported .pcf that worked flawlessly on Windows 7.
>
>  I imported the same .pcf into Shrew Soft ver 2.1.5 on Ubuntu 10.04 and
> managed to connect, but just couldn't ping/ssh my remote machines
> over VPN.
>
>  I've tried the possible workarounds/tweaks/fixes, the little that I could dig
> up around this, but things didn't work out.
>
>  Any suggestions?
>
>  Prints/logs follow.
>
>  *Connection prints:*
>  config loaded for site 'xxxxxxxxxx.pcf'
> attached to key daemon ...
> peer configured
> iskamp proposal configured
> esp proposal configured
> client configured
> local id configured
> remote id configured
> pre-shared key configured
> bringing up tunnel ...
> user authentication error
> tunnel disabled
> detached from key daemon ...
> attached to key daemon ...
> peer configured
> iskamp proposal configured
> esp proposal configured
> client configured
> local id configured
> remote id configured
> pre-shared key configured
> bringing up tunnel ...
> user authentication error
> tunnel disabled
> detached from key daemon ...
> attached to key daemon ...
> peer configured
> iskamp proposal configured
> esp proposal configured
> client configured
> local id configured
> remote id configured
> pre-shared key configured
> bringing up tunnel ...
> network device configured
> tunnel enabled
>
>  *Logs:*
> desktop:~$ cat /var/log/iked.log
> 10/04/28 00:36:01 ## : IKE Daemon, ver 2.1.5
> 10/04/28 00:36:01 ## : Copyright 2009 Shrew Soft Inc.
> 10/04/28 00:36:01 ## : This product linked OpenSSL 0.9.8k 25 Mar 2009
> 10/04/28 00:36:01 K! : recv X_SPDDUMP message failure ( errno = 2 )
> 10/04/28 00:41:19 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:41:19 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:41:26 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:42:18 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:46:48 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:46:48 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:46:57 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:51:32 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:53:19 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:53:19 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:53:19 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:53:26 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:54:31 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:54:37 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:55:01 K! : unhandled pfkey message type EXPIRE ( 8 )
> 10/04/28 00:55:07 K! : unhandled pfkey message type EXPIRE ( 8 )
> 10/04/28 00:55:07 K! : unhandled pfkey message type EXPIRE ( 8 )
> 10/04/28 00:55:22 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:55:22 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:55:22 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:55:28 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:56:42 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:56:52 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:57:12 K! : unhandled pfkey message type EXPIRE ( 8 )
> 10/04/28 00:57:22 K! : unhandled pfkey message type EXPIRE ( 8 )
> 10/04/28 00:58:12 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:58:12 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:58:12 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:00:33 !! : invalid private netmask, defaulting to class c
> 10/04/28 01:00:33 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:00:34 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:00:38 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:02:46 !! : invalid private netmask, defaulting to class c
> 10/04/28 01:02:46 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:02:46 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:02:56 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:05:04 K! : unhandled pfkey message type EXPIRE ( 8 )
> 10/04/28 01:05:04 K! : unhandled pfkey message type EXPIRE ( 8 )
> 10/04/28 01:05:16 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:05:17 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:05:43 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:05:48 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:17:59 !! : invalid private netmask, defaulting to class c
> 10/04/28 01:17:59 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:18:11 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:22:33 !! : invalid private netmask, defaulting to class c
> 10/04/28 01:22:33 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:22:46 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:22:52 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
>
>  */sbin/ifconfig output:*
>  desktop:~$ /sbin/ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:1f:d0:d2:d2:a4
>           inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
>           inet6 addr: fe80::21f:d0ff:fed2:d2a4/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:7026 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6401 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:6469445 (6.4 MB)  TX bytes:1176183 (1.1 MB)
>           Interrupt:27
>
>  lo        Link encap:Local Loopback
>            inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:18 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1100 (1.1 KB)  TX bytes:1100 (1.1 KB)
>
>  tap0      Link encap:Ethernet  HWaddr f2:47:0e:c8:b6:99
>           inet addr:192.168.20.141  Bcast:192.168.20.255  Mask:255.255.255.0
>           inet6 addr: fe80::f047:eff:fec8:b699/64 Scope:Link
>           UP BROADCAST RUNNING  MTU:1380  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:500
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>  vmnet1    Link encap:Ethernet  HWaddr 00:50:56:c0:00:01
>           inet addr:192.168.184.1  Bcast:192.168.184.255  Mask:255.255.255.0
>           inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>  vmnet8    Link encap:Ethernet  HWaddr 00:50:56:c0:00:08
>           inet addr:192.168.111.1  Bcast:192.168.111.255  Mask:255.255.255.0
>           inet6 addr: fe80::250:56ff:fec0:8/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>  */sbin/route output:*
>  desktop:~$ /sbin/route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 172.17.48.31    192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
> 10.8.50.232     192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
> 172.17.48.3     192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
> 172.17.48.32    192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
> 172.17.48.22    192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
> 10.10.7.0       192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 10.10.20.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 192.168.20.0    *               255.255.255.0   U     0      0        0 tap0
> 10.10.2.0       192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 10.10.19.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
> 10.155.114.0    192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 172.17.20.0     192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 10.10.12.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 192.168.184.0   *               255.255.255.0   U     0      0        0 vmnet1
> 192.168.111.0   *               255.255.255.0   U     0      0        0 vmnet8
> 10.10.10.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 10.10.9.0       192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 10.10.75.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 10.10.96.0      192.168.20.141  255.255.252.0   UG    0      0        0 tap0
> 172.17.144.0    192.168.20.141  255.255.240.0   UG    0      0        0 tap0
> 172.17.128.0    192.168.20.141  255.255.240.0   UG    0      0        0 tap0
> 172.17.0.0      192.168.20.141  255.255.240.0   UG    0      0        0 tap0
> 172.17.32.0     192.168.20.141  255.255.240.0   UG    0      0        0 tap0
> 172.25.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> 172.31.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> 172.18.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> 172.16.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> link-local      *               255.255.0.0     U     1000   0        0 eth0
> 192.168.0.0     192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> 10.201.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> 10.202.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> 10.203.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
>
>  *client configuration file :*
>  desktop:~$ cat file.pcf
> [main]
> Description=
> Host=xxx-xxxxxxx.xxxxxxxxxx.com
> AuthType=1
> GroupName=xxxxx-xxxxxxx
> GroupPwd=
>
> enc_GroupPwd=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> EnableISPConnect=0
> ISPConnectType=0
> ISPConnect=test
> ISPPhonebook=C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk
> ISPCommand=
> Username=xxxxxx.xxxxxx
> SaveUserPassword=0
> UserPassword=
> enc_UserPassword=
> NTDomain=
> EnableBackup=0
> BackupServer=
> EnableMSLogon=1
> MSLogonType=0
> EnableNat=1
> TunnelingMode=0
> TcpTunnelingPort=10000
> CertStore=0
> CertName=
> CertPath=
> CertSubjectName=
> CertSerialHash=00000000000000000000000000000000
> SendCertChain=0
> PeerTimeout=90
> EnableLocalLAN=0
>
>
>  Gaurav
> pgp.mit.edu - PubkeyID:0x1bf31eef13ee431e
>
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
>
>

