[vpn-help] windows OK, linux does not connect
Emre Erenoglu
erenoglu at gmail.com
Thu Jan 6 18:32:36 CST 2011
On Fri, Jan 7, 2011 at 4:11 AM, Matthew Grooms <mgrooms at shrew.net> wrote:
> On 1/6/2011 5:47 PM, Emre Erenoglu wrote:
>
>> Dear Shrew Users,
>>
>> I have a strange problem. I'm using Shrew Soft client on my XP
>> successfully, everything is working fine.
>>
>> I'm exporting the same configuration to my Linux system, it seems to
>> connect fine since I get the "tunnel enabled" message and the tap0
>> interface gets an address, however, the "security associations"
>> "established" shows "0" and after some time "failed" startes to
>> increase. Status shows "connected" and remote host shows the IP.
>> Transport used is NAT-T / IKE / ESP. Fragmentation and Dead Peer
>> Detection shows disabled although I enabled them in the config.
>>
>> I tried to search internet, saw settings about rp_filter, so I set the
>> following sysctl values and rebooted.
>> net.ipv4.conf.default.rp_filter = 0
>> net.ipv4.conf.all.rp_filter = 0
>>
>> Still no luck. My iptables is empty, there are no other firewalls on the
>> system. Do you have any idea why this Phase2 negotiation is failing? I'm
>> pasting the logs below. Please note that I changed the shown IP
>> addresses by hand, so don't mind them unless necessary.
>>
>>
> Your phase2 negotiation is not completing successfully. As a result, you
> don't have an IPsec SA to send traffic with. The kernel is sending an
> ACQUIRE message appropriately, and the ike daemon is attempting to negotiate
> phase2 but is failing to get a response from the peer.
>
> BTW, what is 1.2.176.8? ...
>
>
> ii : creating NONE INBOUND policy ANY:0.0.0.0:* -> ANY:1.2.176.8:*
> K> : send pfkey X_SPDADD UNSPEC message
> ii : creating NONE OUTBOUND policy ANY:1.2.176.8:* -> ANY:0.0.0.0:*
> K< : recv pfkey X_SPDADD UNSPEC message
> ii : created NONE policy route for 0.0.0.0/32
>
> If I recall correctly, these NONE policies get created is when there is a
> route to the peer, usually a default gateway. However, your next hop
> shouldn't be at 1.2.176.8. Its not even close to 192.168.1.150. Do you have
> static entries in your route table for something?
>
> -Matthew
>
No,these are addresses I made up myself not to disclose server addresses to
a public mailing list. However, if the key to the solution is them, I can
send them intact. As far as I saw, those addresses were OK, one was the
address assigned to me, other was the vpn server address.
There was one thing in the logs:
ii : received config pull response
ii : - IP4 Address = 1.2.176.8
ii : - Address Expiry = 0
ii : - IP4 Netmask = 255.255.240.0
ii : - IP4 DNS Server = 1.2.1.13
ii : - IP4 DNS Server = 1.2.1.199
ii : - IP4 Subnet = ANY:0.0.0.0/0:* ( invalid subnet ignored )
Could the last ignore be an issue? Maybe I can test the same in windows.
Any other clues?
--
Emre
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20110107/a08d488b/attachment-0002.html>
More information about the vpn-help
mailing list