[vpn-help] Shrew Linux fails to connect to FVS338 using known good Windows config file.

Matthew Grooms mgrooms at shrew.net
Sat Jul 10 15:01:52 CDT 2010


On 7/10/2010 1:50 AM, Aaron Sarazan wrote:
> ModeConfig + xAuth
> Shrew Linux v2.1.5->2.1.6-b10 (compiled from source)
> Ubuntu Linux 10.04 LTS 2.6.32-22-generic
> FVS338 (v2.0.6-25)
>
> Hey guys, sorry I've been on a bit of a rash of problems lately,
> hopefully this will be the last, as I recently got the Windows config
> steady and stable. All I'm trying to do now is get the Linux client to
> behave as well. Below you'll find all the logs I was able to gather (for
> some reason the pcap stuff never actually put anything in the dump file).
>
> Basically the connection never completes, and I see a lot of 0000000's
> that look like they're probably not supposed to be 0's. Let me know if
> you really need the pcap dump file, and I'll take another crack at
> getting it together.
>

Aaron,

I just built 4 Ubuntu 10.04 VMs. Two 32-bit VMs for Qt3 testing and two 
64-bit VMs for Qt4 testing. All four VMs compiled the 2.1.6 or head 
branches and connected to our Netgear appliance without any issue. The 
only special changes I made were to set the rp_filter to 0 for all 
sysctl values ...

http://lists.shrew.net/mailman/htdig/vpn-help/2008-November/001827.html

... and made sure the policy level is set to unique in the policy tab. 
This is required as the Netgear IKE daemon is ipsec-tools racoon, which 
advertises itself as Cisco compatible. Besides that, I'm not sure why 
your connection is failing.

Here is some output for comparison ...

Linux ubuntu-10 2.6.32-23-generic #37-Ubuntu SMP Fri Jun 11 07:54:58 UTC 2010 i686 GNU/Linux

10/07/10 14:41:19 ii : generating IPSEC security policies at UNIQUE level
10/07/10 14:41:19 ii : creating NONE INBOUND policy ANY:10.1.1.25:* -> ANY:10.22.200.90:*
10/07/10 14:41:19 DB : policy added ( obj count = 1 )
10/07/10 14:41:19 K> : send pfkey X_SPDADD UNSPEC message
10/07/10 14:41:19 ii : creating NONE OUTBOUND policy ANY:10.22.200.90:* -> ANY:10.1.1.25:*
10/07/10 14:41:19 ii : created NONE policy route for 10.1.1.25/32
10/07/10 14:41:19 DB : policy added ( obj count = 2 )
10/07/10 14:41:19 K> : send pfkey X_SPDADD UNSPEC message
10/07/10 14:41:19 ii : creating IPSEC INBOUND policy ANY:10.1.2.0/24:* -> ANY:10.2.25.1:*
10/07/10 14:41:19 DB : policy added ( obj count = 3 )
10/07/10 14:41:19 K> : send pfkey X_SPDADD UNSPEC message
10/07/10 14:41:19 ii : creating IPSEC OUTBOUND policy ANY:10.2.25.1:* -> ANY:10.1.2.0/24:*
10/07/10 14:41:19 ii : created IPSEC policy route for 10.1.2.0/24
10/07/10 14:41:19 DB : policy added ( obj count = 4 )
10/07/10 14:41:19 K> : send pfkey X_SPDADD UNSPEC message
10/07/10 14:41:19 K< : recv pfkey X_SPDADD UNSPEC message
10/07/10 14:41:19 DB : policy found
10/07/10 14:41:19 K< : recv pfkey X_SPDADD UNSPEC message
10/07/10 14:41:19 DB : policy found
10/07/10 14:41:19 ii : calling init phase2 for initial policy
10/07/10 14:41:19 DB : policy found
10/07/10 14:41:19 DB : policy not found
10/07/10 14:41:19 !! : unable to locate inbound policy for init phase2
10/07/10 14:41:19 K< : recv pfkey X_SPDADD UNSPEC message
10/07/10 14:41:19 DB : policy found
10/07/10 14:41:19 K< : recv pfkey X_SPDADD UNSPEC message
10/07/10 14:41:19 DB : policy found
10/07/10 14:41:20 K< : recv pfkey ACQUIRE ESP message
10/07/10 14:41:20 DB : policy found
10/07/10 14:41:20 DB : policy found
10/07/10 14:41:20 DB : tunnel found
10/07/10 14:41:20 DB : new phase2 ( IPSEC initiator )
10/07/10 14:41:20 DB : phase2 added ( obj count = 1 )
10/07/10 14:41:20 K> : send pfkey GETSPI ESP message
10/07/10 14:41:20 K< : recv pfkey GETSPI ESP message
10/07/10 14:41:20 DB : phase2 found
10/07/10 14:41:20 ii : updated spi for 1 ipsec-esp proposal
10/07/10 14:41:20 DB : phase1 found
10/07/10 14:41:20 >> : hash payload
10/07/10 14:41:20 >> : security association payload
10/07/10 14:41:20 >> : - proposal #1 payload
10/07/10 14:41:20 >> : -- transform #1 payload
10/07/10 14:41:20 >> : -- transform #2 payload
10/07/10 14:41:20 >> : -- transform #3 payload
10/07/10 14:41:20 >> : -- transform #4 payload
10/07/10 14:41:20 >> : -- transform #5 payload
10/07/10 14:41:20 >> : -- transform #6 payload
10/07/10 14:41:20 >> : -- transform #7 payload
10/07/10 14:41:20 >> : -- transform #8 payload
10/07/10 14:41:20 >> : -- transform #9 payload
10/07/10 14:41:20 >> : nonce payload
10/07/10 14:41:20 >> : key exchange payload
10/07/10 14:41:20 >> : identification payload
10/07/10 14:41:20 >> : identification payload
10/07/10 14:41:20 == : phase2 hash_i ( input ) ( 524 bytes )
10/07/10 14:41:20 == : phase2 hash_i ( computed ) ( 20 bytes )
10/07/10 14:41:20 == : new phase2 iv ( 8 bytes )
10/07/10 14:41:20 >= : cookies cf77c9371178b5e8:0b1187277d31f103
10/07/10 14:41:20 >= : message 1b8b06c8
10/07/10 14:41:20 >= : encrypt iv ( 8 bytes )
10/07/10 14:41:20 == : encrypt packet ( 572 bytes )
10/07/10 14:41:20 == : stored iv ( 8 bytes )
10/07/10 14:41:20 -> : send NAT-T:IKE packet 10.22.200.90:4500 -> 10.1.1.25:4500 ( 604 bytes )
10/07/10 14:41:20 DB : phase2 resend event scheduled ( ref count = 2 )
10/07/10 14:41:20 <- : recv NAT-T:IKE packet 10.1.1.25:4500 -> 10.22.200.90:4500 ( 292 bytes )
10/07/10 14:41:20 DB : phase1 found
10/07/10 14:41:20 ii : processing phase2 packet ( 292 bytes )
10/07/10 14:41:20 DB : phase2 found
10/07/10 14:41:20 =< : cookies cf77c9371178b5e8:0b1187277d31f103
10/07/10 14:41:20 =< : message 1b8b06c8
10/07/10 14:41:20 =< : decrypt iv ( 8 bytes )
10/07/10 14:41:20 == : decrypt packet ( 292 bytes )
10/07/10 14:41:20 <= : trimmed packet padding ( 4 bytes )
10/07/10 14:41:20 <= : stored iv ( 8 bytes )
10/07/10 14:41:20 << : hash payload
10/07/10 14:41:20 << : security association payload
10/07/10 14:41:20 << : - propsal #1 payload
10/07/10 14:41:20 << : -- transform #7 payload
10/07/10 14:41:20 << : nonce payload
10/07/10 14:41:20 << : key exchange payload
10/07/10 14:41:20 << : identification payload
10/07/10 14:41:20 << : identification payload
10/07/10 14:41:20 == : phase2 hash_r ( input ) ( 260 bytes )
10/07/10 14:41:20 == : phase2 hash_r ( computed ) ( 20 bytes )
10/07/10 14:41:20 == : phase2 hash_r ( received ) ( 20 bytes )
10/07/10 14:41:20 ii : unmatched ipsec-esp proposal/transform
10/07/10 14:41:20 ii : crypto transform type ( esp-3des != esp-aes )
10/07/10 14:41:20 ii : unmatched ipsec-esp proposal/transform
10/07/10 14:41:20 ii : crypto transform type ( esp-3des != esp-aes )
10/07/10 14:41:20 ii : unmatched ipsec-esp proposal/transform
10/07/10 14:41:20 ii : crypto transform type ( esp-3des != esp-aes )
10/07/10 14:41:20 ii : unmatched ipsec-esp proposal/transform
10/07/10 14:41:20 ii : crypto transform type ( esp-3des != esp-blowfish )
10/07/10 14:41:20 ii : unmatched ipsec-esp proposal/transform
10/07/10 14:41:20 ii : crypto transform type ( esp-3des != esp-blowfish )
10/07/10 14:41:20 ii : unmatched ipsec-esp proposal/transform
10/07/10 14:41:20 ii : crypto transform type ( esp-3des != esp-blowfish )
10/07/10 14:41:20 ii : matched ipsec-esp proposal #1 transform #7
10/07/10 14:41:20 ii : - transform    = esp-3des
10/07/10 14:41:20 ii : - key length   = default
10/07/10 14:41:20 ii : - encap mode   = udp-tunnel ( draft )
10/07/10 14:41:20 ii : - msg auth     = hmac-sha
10/07/10 14:41:20 ii : - pfs dh group = modp-1024
10/07/10 14:41:20 ii : - life seconds = 3600
10/07/10 14:41:20 ii : - life kbytes  = 0
10/07/10 14:41:20 DB : policy found
10/07/10 14:41:20 K> : send pfkey GETSPI ESP message
10/07/10 14:41:20 K< : recv pfkey GETSPI ESP message
10/07/10 14:41:20 DB : phase2 found
10/07/10 14:41:20 ii : phase2 ids accepted
10/07/10 14:41:20 ii : - loc ANY:10.2.25.1:* -> ANY:10.1.2.0/24:*
10/07/10 14:41:20 ii : - rmt ANY:10.1.2.0/24:* -> ANY:10.2.25.1:*
10/07/10 14:41:20 ii : phase2 sa established
10/07/10 14:41:20 ii : 10.22.200.90:4500 <-> 10.1.1.25:4500
10/07/10 14:41:20 == : phase2 hash_p ( input ) ( 41 bytes )
10/07/10 14:41:20 == : phase2 hash_p ( computed ) ( 20 bytes )
10/07/10 14:41:20 >> : hash payload
10/07/10 14:41:20 >= : cookies cf77c9371178b5e8:0b1187277d31f103
10/07/10 14:41:20 >= : message 1b8b06c8
10/07/10 14:41:20 >= : encrypt iv ( 8 bytes )
10/07/10 14:41:20 == : encrypt packet ( 52 bytes )
10/07/10 14:41:20 == : stored iv ( 8 bytes )
10/07/10 14:41:20 DB : phase2 resend event canceled ( ref count = 1 )
10/07/10 14:41:20 -> : send NAT-T:IKE packet 10.22.200.90:4500 -> 10.1.1.25:4500 ( 84 bytes )
10/07/10 14:41:20 == : PFS DH shared secret ( 128 bytes )
10/07/10 14:41:20 == : spi cipher key data ( 24 bytes )
10/07/10 14:41:20 == : spi hmac key data ( 20 bytes )
10/07/10 14:41:20 K> : send pfkey UPDATE ESP message
10/07/10 14:41:20 == : spi cipher key data ( 24 bytes )
10/07/10 14:41:20 == : spi hmac key data ( 20 bytes )
10/07/10 14:41:20 K> : send pfkey UPDATE ESP message
10/07/10 14:41:20 K< : recv pfkey UPDATE ESP message
10/07/10 14:41:20 K< : recv pfkey UPDATE ESP message

-Matthew
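As an added example, not part of the original thread or of Shrew Soft's own code: a small Python parser that reduces an iked log like the one above to the phase2 facts worth comparing between a working client and a failing one. The embedded excerpt is constructed from lines of the log above, and the line layout it assumes ("date time tag : message") is taken from those lines.

```python
import re

# Constructed excerpt of the iked log quoted in the reply above.
SAMPLE_LOG = """\
10/07/10 14:41:19 !! : unable to locate inbound policy for init phase2
10/07/10 14:41:20 ii : unmatched ipsec-esp proposal/transform
10/07/10 14:41:20 ii : crypto transform type ( esp-3des != esp-aes )
10/07/10 14:41:20 ii : matched ipsec-esp proposal #1 transform #7
10/07/10 14:41:20 ii : - transform    = esp-3des
10/07/10 14:41:20 ii : - msg auth     = hmac-sha
10/07/10 14:41:20 ii : - pfs dh group = modp-1024
10/07/10 14:41:20 ii : - life seconds = 3600
10/07/10 14:41:20 DB : policy found
10/07/10 14:41:20 ii : phase2 sa established
"""

LINE_RE = re.compile(r"^\S+ \S+ (\S\S) : (.*)$")  # "<date> <time> <tag> : <message>"
PARAM_RE = re.compile(r"^- (.+?)\s+= (.*)$")        # "- msg auth     = hmac-sha"
MISMATCH_RE = re.compile(r"\(\s*(\S+) != (\S+)\s*\)")  # "( esp-3des != esp-aes )"


def summarize_phase2(log_text):
    """Collect '!!' errors, rejected transform pairs, the accepted transform's
    parameters, and whether the phase2 SA was established."""
    summary = {"errors": [], "rejected": [], "accepted": {}, "established": False}
    in_match = False  # True while reading the "- key = value" lines after "matched"
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e-mail wrapping or other non-log text
        tag, msg = m.groups()
        if tag == "!!":
            summary["errors"].append(msg)
        elif msg.startswith("crypto transform type"):
            summary["rejected"].append(MISMATCH_RE.search(msg).groups())
        elif msg.startswith("matched ipsec-esp"):
            in_match = True
        elif msg == "phase2 sa established":
            summary["established"] = True
        elif in_match:
            p = PARAM_RE.match(msg)
            if p:
                summary["accepted"][p.group(1).strip()] = p.group(2).strip()
            in_match = bool(p)  # any other line ends the parameter block
    return summary


def diff_accepted(reference, candidate):
    """Accepted-transform parameters whose values differ between two runs."""
    a, b = reference["accepted"], candidate["accepted"]
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
```

Note that the working log above contains the "unable to locate inbound policy for init phase2" line and still brings the SA up, so that line alone does not explain a failed connection; the accepted-transform parameters are the more useful thing to diff against a failing run.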
