[vpn-help] Shrew Linux fails to connect to FVS338 using known good windows config file.

Aaron Sarazan aaron.sarazan at gmail.com
Sat Jul 10 01:50:38 CDT 2010


ModeConfig + xAuth
Shrew Linux v2.1.5->2.1.6-b10 (compiled from source)
Ubuntu Linux 10.04 LTS 2.6.32-22-generic
FVS338 (v2.0.6-25)

Hey guys, sorry I've been on a bit of a rash of problems lately. Hopefully
this will be the last, as I recently got the Windows config steady and
stable. All I'm trying to do now is get the Linux client to behave as well.
Below you'll find all the logs I was able to gather (for some reason the
pcap stuff never actually put anything in the dump file).

Basically the connection never completes, and I see a lot of 0000000's that
look like they're probably not supposed to be 0's. Let me know if you really
need the pcap dump file, and I'll take another crack at getting it together.

From iked.log:

> 10/07/10 02:37:42 K< : recv pfkey X_SPDADD UNSPEC message
>
> 10/07/10 02:37:42 DB : policy not found
>
> 10/07/10 02:37:42 !! : unable to locate policy with sequence 0x00000000
>
> 10/07/10 02:37:42 K< : recv pfkey X_SPDADD UNSPEC message
>
> 10/07/10 02:37:42 DB : policy not found
>
> 10/07/10 02:37:42 !! : unable to locate policy with sequence 0x00000000
>
> 10/07/10 02:37:42 K< : recv pfkey X_SPDADD UNSPEC message
>
> 10/07/10 02:37:42 DB : policy not found
>
> 10/07/10 02:37:42 !! : unable to locate policy with sequence 0x00000000
>
> 10/07/10 02:37:42 K< : recv pfkey X_SPDADD UNSPEC message
>
> 10/07/10 02:37:42 DB : policy not found
>
> 10/07/10 02:37:42 !! : unable to locate policy with sequence 0x00000000
>
> 10/07/10 02:37:42 K< : recv pfkey X_SPDADD UNSPEC message
>
> 10/07/10 02:37:42 DB : policy not found
>
> 10/07/10 02:37:42 !! : unable to locate policy with sequence 0x00000000
>
> 10/07/10 02:37:42 K< : recv pfkey X_SPDADD UNSPEC message
>
> *10/07/10 02:37:42 DB : policy not found*
>
> *10/07/10 02:37:42 !! : unable to locate policy with sequence 0x00000000*
>
> *10/07/10 02:37:48 K< : recv pfkey ACQUIRE ESP message*
>
> 10/07/10 02:37:48 DB : policy found
>
> 10/07/10 02:37:48 DB : policy found
>
> 10/07/10 02:37:48 DB : tunnel not found
>
> 10/07/10 02:37:48 DB : peer not found
>
> 10/07/10 02:37:48 !! : unable to locate peer config for policy
>
> 10/07/10 02:37:55 K< : recv pfkey X_SPDDELETE2 UNSPEC message
>
> 10/07/10 02:37:55 DB : policy not found
>
> 10/07/10 02:37:55 !! : failed to locate policy by id 1472
>
> 10/07/10 02:37:55 K< : recv pfkey X_SPDDELETE2 UNSPEC message
>
> 10/07/10 02:37:55 DB : policy not found
>
> 10/07/10 02:37:55 !! : failed to locate policy by id 1481
>
> 10/07/10 02:37:55 K< : recv pfkey X_SPDDELETE2 UNSPEC message
>
> 10/07/10 02:37:55 DB : policy not found
>
> 10/07/10 02:37:55 !! : failed to locate policy by id 1488
>
> 10/07/10 02:37:55 K< : recv pfkey X_SPDDELETE2 UNSPEC message
>
> 10/07/10 02:37:55 DB : policy not found
>
> 10/07/10 02:37:55 !! : failed to locate policy by id 1497
>
> 10/07/10 02:37:55 K< : recv pfkey X_SPDDELETE2 UNSPEC message
>
> 10/07/10 02:37:55 DB : policy not found
>
> 10/07/10 02:37:55 !! : failed to locate policy by id 1456
>
> 10/07/10 02:37:55 K< : recv pfkey X_SPDDELETE2 UNSPEC message
>
> 10/07/10 02:37:55 DB : policy not found
>
> 10/07/10 02:37:55 !! : failed to locate policy by id 1465
>
> 10/07/10 02:38:18 K! : unhandled pfkey message type EXPIRE ( 8 )
>
>
>
And from the router's logs:

> 2010 Jul 10 02:08:44 [FVS338] [IKE] Remote configuration for identifier " xxxxxxxxxx.com" found_
> 2010 Jul 10 02:08:44 [FVS338] [IKE] Received request for new phase 1 negotiation: xxxxxxxxxxx[500]<=>7xxxxxxxxxx[500]_
> 2010 Jul 10 02:08:44 [FVS338] [IKE] Beginning Aggressive mode._
> 2010 Jul 10 02:08:44 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt_
> 2010 Jul 10 02:08:44 [FVS338] [IKE] Received unknown Vendor ID_
> - Last output repeated twice -
> 2010 Jul 10 02:08:44 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
> 2010 Jul 10 02:08:44 [FVS338] [IKE] Received unknown Vendor ID_
> - Last output repeated 2 times -
> 2010 Jul 10 02:08:44 [FVS338] [IKE] Received Vendor ID: DPD_
> 2010 Jul 10 02:08:44 [FVS338] [IKE] DPD is Enabled_
> 2010 Jul 10 02:08:44 [FVS338] [IKE] Received unknown Vendor ID_
> - Last output repeated 2 times -
> 2010 Jul 10 02:08:44 [FVS338] [IKE] Received Vendor ID: CISCO-UNITY_
> 2010 Jul 10 02:08:44 [FVS338] [IKE] For xxxxxxxxxxxx[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
> 2010 Jul 10 02:08:45 [FVS338] [IKE] Setting DPD Vendor ID_
> 2010 Jul 10 02:08:45 [FVS338] [IKE] Floating ports for NAT-T with peer xxxxxxxxxxxxxxx[4500]_
> 2010 Jul 10 02:08:45 [FVS338] [IKE] NAT-D payload does not match for xxxxxxxxxxxx[4500]_
> 2010 Jul 10 02:08:45 [FVS338] [IKE] NAT-D payload does not match for xxxxxxxxxxxxxxx[4500]_
> 2010 Jul 10 02:08:45 [FVS338] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device_
> 2010 Jul 10 02:08:46 [FVS338] [IKE] Sending Xauth request toxxxxxxxxxxxx[4500]_
> 2010 Jul 10 02:08:46 [FVS338] [IKE] ISAKMP-SA established for xxxxxxxxxxxx[4500]-xxxxxxxxxxxxxxx[4500] with spi:5bce5eb329e24d9b:d8610baf854c96b3_
> 2010 Jul 10 02:08:46 [FVS338] [IKE] Received attribute type "ISAKMP_CFG_REPLY" from xxxxxxxxxxxxxxx[4500]_
> 2010 Jul 10 02:08:46 [FVS338] [IKE] Login succeeded for user "xxxxxxxxx"_
> 2010 Jul 10 02:08:46 [FVS338] [IKE] Received attribute type "ISAKMP_CFG_REQUEST" from xxxxxxxxxxxxxxx[4500]_
> 2010 Jul 10 02:08:46 [FVS338] [IKE] 192.168.3.70 IP address is assigned to remote peer xxxxxxxxxxxxxxxxx[4500]_
> 2010 Jul 10 02:08:46 [FVS338] [IKE] Ignored attribute 5_
> 2010 Jul 10 02:08:46 [FVS338] [IKE] Cannot open "/etc/motd"_
> 2010 Jul 10 02:08:52 [FVS338] [IKE] Responding to new phase 2 negotiation:xxxxxxxxxxxxx[0]<=>xxxxxxxxxxxxxxxxxx[0]_
> *2010 Jul 10 02:08:52 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.3.70/32 from xxxxxxxxxxx.com_*
> *2010 Jul 10 02:08:56 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.3.70/32_*
> 2010 Jul 10 02:08:56 [FVS338] [IKE] DPD R-U-THERE sent to "xxxxxxxxxxxxxxx[4500]"_
> 2010 Jul 10 02:08:56 [FVS338] [IKE] DPD R-U-THERE-ACK received from "xxxxxxxxxxxxxxx[4500]"_
> 2010 Jul 10 02:08:58 [FVS338] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=5bce5eb329e24d9b:d8610baf854c96b3._
> 2010 Jul 10 02:08:59 [FVS338] [IKE] ISAKMP-SA deleted for xxxxxxxxxxxxxx[4500]-xxxxxxxxxxxxxxx[4500] with spi:5bce5eb329e24d9b:d8610baf854c96b3_
> 2010 Jul 10 02:09:00 [FVS338] [IKE] 192.168.3.70 IP address has been released by remote peer._
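
Added example, not part of the original post and not Shrew or Netgear code: a small triage script for a router log like the one above that reports how far the session got and which phase 2 traffic selectors the router rejected. The sample lines are constructed from the log in the post, with `peer` and `user` as placeholders for the redacted values; the function and field names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: entries taken from the router log in the post; the
# redacted peer and user names are replaced by the placeholders "peer"/"user".
SAMPLE = """\
2010 Jul 10 02:08:44 [FVS338] [IKE] Beginning Aggressive mode._
2010 Jul 10 02:08:46 [FVS338] [IKE] ISAKMP-SA established for peer[4500]-peer[4500] with spi:5bce5eb329e24d9b:d8610baf854c96b3_
2010 Jul 10 02:08:46 [FVS338] [IKE] Login succeeded for user "user"_
2010 Jul 10 02:08:46 [FVS338] [IKE] 192.168.3.70 IP address is assigned to remote peer peer[4500]_
2010 Jul 10 02:08:52 [FVS338] [IKE] Responding to new phase 2 negotiation:peer[0]<=>peer[0]_
2010 Jul 10 02:08:52 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.3.70/32 from peer_
2010 Jul 10 02:08:58 [FVS338] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=5bce5eb329e24d9b:d8610baf854c96b3._
"""

# Milestones of the Aggressive mode + XAuth + ModeConfig session, as worded in that log.
STAGES = [
    ("phase1_started", re.compile(r"Beginning Aggressive mode")),
    ("phase1_established", re.compile(r"ISAKMP-SA established")),
    ("xauth_ok", re.compile(r"Login succeeded for user")),
    ("address_assigned", re.compile(r"(\d+\.\d+\.\d+\.\d+) IP address is assigned")),
    ("phase2_started", re.compile(r"Responding to new phase 2 negotiation")),
]
P2_FAIL = re.compile(r"Failed to get IPsec SA configuration for: ([\d./]+)<->([\d./]+)")


def triage(log_text):
    """Return the last milestone reached, the assigned address and rejected selectors."""
    reached, assigned, rejected = [], None, []
    for line in log_text.splitlines():
        # Text after the "[IKE]" tag, minus trailing "_" / "*" markers; empty if no tag.
        msg = line.partition("[IKE]")[2].strip().rstrip("_*")
        for name, rx in STAGES:
            m = rx.search(msg)
            if m and name not in reached:
                reached.append(name)
                if name == "address_assigned":
                    assigned = ipaddress.ip_address(m.group(1))
        m = P2_FAIL.search(msg)
        if m:
            pair = tuple(ipaddress.ip_network(s) for s in m.groups())
            if pair not in rejected:
                rejected.append(pair)
    return {
        "last_stage": reached[-1] if reached else None,
        "assigned": str(assigned) if assigned else None,
        "rejected": [(str(a), str(b)) for a, b in rejected],
        # True when a rejected selector pairs 0.0.0.0/0 with the assigned address.
        "wildcard_vs_assigned": assigned is not None and any(
            a.prefixlen == 0 and assigned in b for a, b in rejected),
    }
```

On the sample, `triage(SAMPLE)` shows phase 1, XAuth and address assignment completing, with the only rejected selector pair being `0.0.0.0/0<->192.168.3.70/32`, the same pair highlighted in the router log.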