[vpn-help] windows OK, linux does not connect

Matthew Grooms mgrooms at shrew.net
Thu Jan 6 18:11:17 CST 2011

On 1/6/2011 5:47 PM, Emre Erenoglu wrote:
> Dear Shrew Users,
> I have a strange problem. I'm using Shrew Soft client on my XP
> successfully, everything is working fine.
> I'm exporting the same configuration to my Linux system, it seems to
> connect fine since I get the "tunnel enabled" message and the tap0
> interface gets an address, however, the "security associations"
> "established" shows "0" and after some time "failed" startes to
> increase. Status shows "connected" and remote host shows the IP.
> Transport used is NAT-T / IKE / ESP. Fragmentation and Dead Peer
> Detection shows disabled although I enabled them in the config.
> I tried to search internet, saw settings about rp_filter, so I set the
> following sysctl values and rebooted.
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.all.rp_filter = 0
> Still no luck. My iptables is empty, there are no other firewalls on the
> system. Do you have any idea why this Phase2 negotiation is failing? I'm
> pasting the logs below. Please note that I changed the shown IP
> addresses by hand, so don't mind them unless necessary.

Your phase2 negotiation is not completing successfully. As a result, you 
don't have an IPsec SA to send traffic with. The kernel is sending an 
ACQUIRE message appropriately, and the ike daemon is attempting to 
negotiate phase2 but is failing to get a response from the peer.

BTW, what is ...

ii : creating NONE INBOUND policy ANY:* -> ANY:*
K> : send pfkey X_SPDADD UNSPEC message
ii : creating NONE OUTBOUND policy ANY:* -> ANY:*
K< : recv pfkey X_SPDADD UNSPEC message
ii : created NONE policy route for

If I recall correctly, these NONE policies get created is when there is 
a route to the peer, usually a default gateway. However, your next hop 
shouldn't be at Its not even close to Do you 
have static entries in your route table for something?


More information about the vpn-help mailing list