[vpn-help] More detail in re: linux clients connect but no traffic passes.
Jason Norman
jnorman at ticom-geo.com
Mon Feb 8 16:51:00 CST 2010
Not sure if this is unique to our site or not. In any event, here's some
detail:
Linux clients, using ShrewSoft 2.1.5 (compiled on each system) and using
a site profile that is used successfully by Windows clients, connect to
our gateway. The client reports a successful connect, and tap0 is
spawned with a valid IP address from our ip pool.
If the Linux client attempts to ping or connect to a LAN resource, the
connection fails. Nothing passes over the tap0 interface, and no traffic
ever hits the remote side.
Details: Linux clients have included Ubuntu 9.10, Fedora Core 6, Fedora
Core 9, Ubuntu 8.x
iked versions tried: 2.1.5, 2.1.6b4, 2.2.0a9
Gateway is a Juniper SSG350M running 6.2.0r3.0 (Firewall+VPN)
Windows clients (Vista, XP and 7, 32 and 64 bit) running 2.1.5 are able
to connect using this same site profile. Mac clients using the same
parameters connect using IPSecuritas. In other words, Linux clients fail
exclusively, which implies either a Linux config issue or an iked bug
not present on Windows?
I have debug logs and pcap logs. Is there a support email that they can
be sent to? I can sanitize them to a certain extent and post them here
if anyone has any ideas. I do see log entries like:
Fairly early on (starting iked)
recv X_SPDUMP message failure ( errno = 2 )
Much later, after xauth has passed and tap0 has been configured, during
the policy add, I see
send pfkey X_SPDADD UPSPEC message
and that repeats at least 3 times. Then the policy sets up and tap0 is
enabled. Now, if I start pinging the LAN that the tunnel is attached to,
all I see are
DPDV1-R-U-THERE notification
messages over and over, every X seconds as the tunnel tries to stay
alive. Otherwise, nothing is happening on the logs or over the
interfaces. Routing is proper according to the route tables
(192.168.0.0/20 -> tap0) and, again, this profile works on Windows
ShrewSoft clients.
If anyone has any ideas... I'd be happy to try just about anything.
Thanks,
jason