[vpn-help] More detail in re: linux clients connect but no traffic passes.

Jason Norman jnorman at ticom-geo.com
Mon Feb 8 16:51:00 CST 2010


Not sure if this is unique to our site or not. In any event, here's some 
detail:

Linux clients, using ShrewSoft 2.1.5 (compiled on each system) and using 
a site profile that is used successfully by Windows clients, connect to 
our gateway. The client reports a successful connect, and tap0 is 
spawned with a valid IP address from our ip pool.

If the Linux client attempts to ping or connect to a LAN resource, the 
connection fails. Nothing passes over the tap0 interface, and no traffic 
ever hits the remote side.

Details: Linux clients have included Ubuntu 9.10, Fedora Core 6, Fedora 
Core 9 and Ubuntu 8.x.
iked versions tried: 2.1.5, 2.1.6b4, 2.2.0a9
Gateway is a Juniper SSG350M running 6.2.0r3.0 (Firewall+VPN).
Windows clients (Vista, XP and 7, 32- and 64-bit) running 2.1.5 are able 
to connect using this same site profile. Mac clients using the same 
parameters connect using IPSecuritas. In other words, Linux clients fail 
exclusively, which implies either a Linux config issue or an iked bug 
not present on Windows?
I have debug logs and pcap logs. Is there a support email that they can 
be sent to? I can sanitize them to a certain extent and post them here 
if anyone has any ideas. I do see log entries like:

Fairly early on (starting iked):

    recv X_SPDUMP message failure ( errno = 2 )

Much later, after xauth has passed and tap0 has been configured, during 
the policy add, I see

    send pfkey X_SPDADD UPSPEC message

and that repeats at least 3 times. Then the policy sets up and tap0 is 
enabled. Now, if I start pinging the LAN that the tunnel is attached to, 
all I see are

    DPDV1-R-U-THERE notification

messages over and over, every X seconds as the tunnel tries to stay 
alive. Otherwise, nothing is happening in the logs or over the 
interfaces. Routing is proper according to the route tables 
(192.168.0.0/20 -> tap0) and, again, this profile works on Windows 
ShrewSoft clients.

If anyone has any ideas... I'd be happy to try just about anything.

Thanks,
jason
