[vpn-help] racoon & ike: Missing the last tiny bit ...

Clemens Perz cperz at gmx.net
Fri Mar 19 12:44:35 CDT 2010

Found some switches for logging with the iked. There it says

0/03/19 18:37:21 ## : IKE Daemon, ver 2.1.6
10/03/19 18:37:21 ## : Copyright 2009 Shrew Soft Inc.
10/03/19 18:37:21 ## : This product linked OpenSSL 0.9.8g 19 Oct 2007
10/03/19 18:37:21 K! : recv X_SPDDUMP message failure ( errno = 2 )
10/03/19 18:37:48 !! : unable to locate inbound policy for init phase2

The first error comes up when I start the daemon, the second when a 
connection is negotiated.

Is this just usual stuff or of some meaning? Anyhow, I guess its the 
creation and the setup of the tap device that is causing my trouble. Is 
there a way to debug that too?


Stefan Bauer wrote:
> Am 19.03.2010 10:53, Clemens Perz schrieb:
>> Hi all!
>> I am suffering from a lack of genius here :))
>> A debian lenny with racoon up and running serves as vpn backend. 
>> Originally, I created a working configuration using the Shrewsoft client 
>> for Windows, used that for a while and it still works perfect.
>> Now I want the same thing on Ubuntu Karmic, i.e. 9.10. First I just 
>> installed the client, imported my existing configuration and connected 
>> to the server. Everything fine, it connects, gets the config, creates 
>> the tap0, sets the routes. But when I ping one of the private hosts 
>> inside the vpn no packages find their way back and ping just says nothing.
>> When I trace the packages with tcpdump I see that all targets return the 
>> right stuff, so the ping packages are routed to the target, processed 
>> and answered. The answer package has the ip of the pinged host as 
>> source, the tap0 ip as target and should do fine. That happens with all 
>> protocols - I see the routing working, but the requesting application 
>> gets nothing.
> Do you see at the ubuntu client side any icmp-answers incoming at
> network layer?
> Does it work to ping from the vpn-server to the ubuntu client?
> Could you also please try if setting 1 or 0 to
> /proc/sys/net/ipv6/bindv6only does change anything?
> Stefan

More information about the vpn-help mailing list