[vpn-help] Again: Asymmetric routing between Shrewsoft 2.1.7 and OpenSwan

Erich Titl erich.titl at think.ch
Thu Sep 1 06:38:04 CDT 2011


Hi folks

Another try on this issue......

I am trying to connect a road warrior on Windows 7 Home and a dated
OpenSwan 2.4.7 installation, using X.509 certs.

At first the connection appears to come up fine as reported by the
Shrewsoft client and also by the log from OpenSwan:

Aug 25 09:05:11 gatekeeper-internal pluto[1356]: "mega"[2] 192.168.1.186
#6007066: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 25 09:05:11 gatekeeper-internal pluto[1356]: "mega"[2] 192.168.1.186
#6007066: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2
Aug 25 09:05:11 gatekeeper-internal pluto[1356]: "mega"[2] 192.168.1.186
#6007066: Dead Peer Detection (RFC 3706): enabled
Aug 25 09:05:11 gatekeeper-internal pluto[1356]: "mega"[2] 192.168.1.186
#6007066: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 25 09:05:11 gatekeeper-internal pluto[1356]: "mega"[2] 192.168.1.186
#6007066: STATE_QUICK_R2: IPsec SA established {ESP=>0x9c4722a6
<0x7190e0e6 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=enabled}

However, when I try to send an icmp echo request to the remote network I
see the packet coming from the configured virtual address, but
travelling in the clear, not in the tunnel. The reply though is sent
through the tunnel, but then discarded.

Please refer to

http://lists.shrew.net/pipermail/vpn-help/2011-August/003947.html

It feels like the outgoing packets do not hit the routing code in
Windows 7, and I am also under the impression that the tunnel only gets
established when data is passed.

Anyway, I managed to log on the client side and have some info here:

11/09/01 13:23:48 ## : IKE Daemon, ver 2.1.7
11/09/01 13:23:48 ## : Copyright 2010 Shrew Soft Inc.
11/09/01 13:23:48 ## : This product linked OpenSSL 0.9.8h 28 May 2008
11/09/01 13:23:48 ii : opened 'C:\Program Files\ShrewSoft\VPN
Client\debug\iked.log'
11/09/01 13:23:48 ii : opened 'C:\Program Files\ShrewSoft\VPN
Client/debug/dump-ike-decrypt.cap'
11/09/01 13:23:48 ii : rebuilding vnet device list ...
11/09/01 13:23:48 ii : device ROOT\VNET\0000 disabled
11/09/01 13:23:48 ii : device ROOT\VNET\0001 disabled
11/09/01 13:23:48 ii : network process thread begin ...
11/09/01 13:23:48 ii : pfkey process thread begin ...
11/09/01 13:23:48 ii : ipc server process thread begin ...
11/09/01 13:23:48 ii : ipc client process thread begin ...
11/09/01 13:23:48 <A : peer config add message
11/09/01 13:23:48 <A : proposal config message
11/09/01 13:23:48 <A : proposal config message
11/09/01 13:23:48 <A : proposal config message
11/09/01 13:23:48 <A : client config message
11/09/01 13:23:48 <A : remote cert
'C:\Users\mega\Desktop\Ruf-cacert.pem' message
11/09/01 13:23:48 <A : local cert 'C:\Users\mega\Desktop\Erich_Titl.crt'
message
11/09/01 13:23:48 <A : local key 'C:\Users\mega\Desktop\Erich Titl.key'
message
11/09/01 13:23:48 <A : remote resource message
11/09/01 13:23:48 <A : peer tunnel enable message
11/09/01 13:23:48 ii : local supports FRAGMENTATION
11/09/01 13:23:48 ii : local supports DPDv1
11/09/01 13:23:48 ii : local is SHREW SOFT compatible
11/09/01 13:23:48 ii : local is NETSCREEN compatible
11/09/01 13:23:48 ii : local is SIDEWINDER compatible
11/09/01 13:23:48 ii : local is CISCO UNITY compatible
11/09/01 13:23:48 >= : cookies 615f8164e6084210:0000000000000000
11/09/01 13:23:48 >= : message 00000000
11/09/01 13:23:48 ii : processing phase1 packet ( 124 bytes )
11/09/01 13:23:48 =< : cookies 615f8164e6084210:12e05442715051ec
11/09/01 13:23:48 =< : message 00000000
11/09/01 13:23:48 ii : matched isakmp proposal #1 transform #1
11/09/01 13:23:48 ii : - transform    = ike
11/09/01 13:23:48 ii : - cipher type  = aes
11/09/01 13:23:48 ii : - key length   = 256 bits
11/09/01 13:23:48 ii : - hash type    = md5
11/09/01 13:23:48 ii : - dh group     = modp-1024
11/09/01 13:23:48 ii : - auth type    = sig-rsa
11/09/01 13:23:48 ii : - life seconds = 86400
11/09/01 13:23:48 ii : - life kbytes  = 0
11/09/01 13:23:48 ii : peer supports DPDv1
11/09/01 13:23:48 >= : cookies 615f8164e6084210:12e05442715051ec
11/09/01 13:23:48 >= : message 00000000
11/09/01 13:23:48 ii : processing phase1 packet ( 180 bytes )
11/09/01 13:23:48 =< : cookies 615f8164e6084210:12e05442715051ec
11/09/01 13:23:48 =< : message 00000000
11/09/01 13:23:48 ii : nat-t is disabled locally
11/09/01 13:23:49 >= : cookies 615f8164e6084210:12e05442715051ec
11/09/01 13:23:49 >= : message 00000000
11/09/01 13:23:49 ii : processing phase1 packet ( 1916 bytes )
11/09/01 13:23:49 =< : cookies 615f8164e6084210:12e05442715051ec
11/09/01 13:23:49 =< : message 00000000
11/09/01 13:23:49 ii : phase1 id match ( cert check only )
11/09/01 13:23:49 ii : received = asn1-dn C=CH,L=Schlieren,O=Ruf
Group,OU=CA,CN=gatekeeper.ruf.ch,emailAddress=ca at ruf.ch
11/09/01 13:23:49 ii : unable to get certificate CRL(3) at depth:0
11/09/01 13:23:49 ii : subject :/C=CH/L=Schlieren/O=Ruf
Group/OU=CA/CN=gatekeeper.ruf.ch/emailAddress=ca at ruf.ch
11/09/01 13:23:49 ii : unable to get certificate CRL(3) at depth:1
11/09/01 13:23:49 ii : subject :/C=CH/L=Schlieren/O=Ruf
Group/OU=CA/CN=Ruf Certification Authority/emailAddress=ca at ruf.ch
11/09/01 13:23:49 ii : phase1 sa established
11/09/01 13:23:49 ii : 195.141.2.242:500 <-> 192.168.1.186:500
11/09/01 13:23:49 ii : 615f8164e6084210:12e05442715051ec
11/09/01 13:23:49 ii : sending peer INITIAL-CONTACT notification
11/09/01 13:23:49 ii : - 192.168.1.186:500 -> 195.141.2.242:500
11/09/01 13:23:49 ii : - isakmp spi = 615f8164e6084210:12e05442715051ec
11/09/01 13:23:49 ii : - data size 0
11/09/01 13:23:49 >= : cookies 615f8164e6084210:12e05442715051ec
11/09/01 13:23:49 >= : message a49b9d98
11/09/01 13:23:49 ii : configuration method is manual
11/09/01 13:23:49 ii : creating NONE INBOUND policy ANY:195.141.2.242:*
-> ANY:192.168.1.186:*
11/09/01 13:23:49 ii : creating NONE OUTBOUND policy ANY:192.168.1.186:*
-> ANY:195.141.2.242:*
11/09/01 13:23:49 ii : created NONE policy route for 195.141.2.242/32
11/09/01 13:23:49 ii : creating NONE INBOUND policy ANY:192.168.1.1:* ->
ANY:172.22.53.10:*
11/09/01 13:23:49 ii : creating NONE OUTBOUND policy ANY:172.22.53.10:*
-> ANY:192.168.1.1:*
11/09/01 13:23:49 ii : created NONE policy route for 192.168.1.1/32
11/09/01 13:23:49 ii : creating IPSEC INBOUND policy ANY:172.29.0.0/16:*
-> ANY:172.22.53.10:*
11/09/01 13:23:49 ii : creating IPSEC OUTBOUND policy ANY:172.22.53.10:*
-> ANY:172.29.0.0/16:*
11/09/01 13:23:49 ii : created IPSEC policy route for 172.29.0.0/16
11/09/01 13:23:49 ii : split DNS is disabled
11/09/01 13:23:53 >= : cookies 615f8164e6084210:12e05442715051ec
11/09/01 13:23:53 >= : message 673b2cbd
11/09/01 13:23:53 ii : processing phase2 packet ( 300 bytes )
11/09/01 13:23:53 =< : cookies 615f8164e6084210:12e05442715051ec
11/09/01 13:23:53 =< : message 673b2cbd
11/09/01 13:23:53 ii : matched ipsec-esp proposal #1 transform #1
11/09/01 13:23:53 ii : - transform    = esp-aes
11/09/01 13:23:53 ii : - key length   = 256 bits
11/09/01 13:23:53 ii : - encap mode   = tunnel
11/09/01 13:23:53 ii : - msg auth     = hmac-sha
11/09/01 13:23:53 ii : - pfs dh group = modp-1024
11/09/01 13:23:53 ii : - life seconds = 3600
11/09/01 13:23:53 ii : - life kbytes  = 0
11/09/01 13:23:53 ii : phase2 ids accepted
11/09/01 13:23:53 ii : - loc ANY:172.22.53.10:* -> ANY:172.29.0.0/16:*
11/09/01 13:23:53 ii : - rmt ANY:172.29.0.0/16:* -> ANY:172.22.53.10:*
11/09/01 13:23:53 ii : phase2 sa established
11/09/01 13:23:53 ii : 192.168.1.186:500 <-> 195.141.2.242:500
11/09/01 13:23:53 >= : cookies 615f8164e6084210:12e05442715051ec
11/09/01 13:23:53 >= : message 673b2cbd
11/09/01 13:24:04 ii : sending peer DPDV1-R-U-THERE notification
11/09/01 13:24:04 ii : - 192.168.1.186:500 -> 195.141.2.242:500
11/09/01 13:24:04 ii : - isakmp spi = 615f8164e6084210:12e05442715051ec

So this looks like an established tunnel to me.

Also the route table on the Windows 7 PC shows the route to
172.29.0.0/16 going through 172.22.53.10.

Any ideas?

Erich Titl





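The policy lines in the iked.log above are the client's security policy database (SPD) as installed after phase 2. A quick way to rule the negotiated policy in or out as the cause of the one-directional tunnel is to rebuild that SPD from the log and look up both directions of the failing flow. The script below is an added example for this thread, not part of the original post or of Shrew Soft's or OpenSwan's code; the sample log is constructed from the post's own "creating ... policy" lines, re-joined onto single lines where the mail client had wrapped them. If both directions come back as IPSEC, the SPD is symmetric and the clear-text egress has to be explained by the data plane (the virtual adapter, the Windows route chosen for 172.29.0.0/16 via 172.22.53.10, or the order in which the route and the SA come up), not by the negotiated selectors.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the SPD lines from the Shrew Soft iked.log quoted in
# the post, each re-joined onto a single line.
SAMPLE_LOG = """\
11/09/01 13:23:49 ii : creating NONE INBOUND policy ANY:195.141.2.242:* -> ANY:192.168.1.186:*
11/09/01 13:23:49 ii : creating NONE OUTBOUND policy ANY:192.168.1.186:* -> ANY:195.141.2.242:*
11/09/01 13:23:49 ii : creating NONE INBOUND policy ANY:192.168.1.1:* -> ANY:172.22.53.10:*
11/09/01 13:23:49 ii : creating NONE OUTBOUND policy ANY:172.22.53.10:* -> ANY:192.168.1.1:*
11/09/01 13:23:49 ii : creating IPSEC INBOUND policy ANY:172.29.0.0/16:* -> ANY:172.22.53.10:*
11/09/01 13:23:49 ii : creating IPSEC OUTBOUND policy ANY:172.22.53.10:* -> ANY:172.29.0.0/16:*
"""

# Matches the "creating <ACTION> <DIRECTION> policy <proto>:<net>:<port> -> ..." lines.
POLICY_RE = re.compile(
    r"creating (?P<action>NONE|IPSEC) (?P<dir>INBOUND|OUTBOUND) policy "
    r"(?P<sproto>\w+):(?P<src>[\d./]+):(?P<sport>\S+) -> "
    r"(?P<dproto>\w+):(?P<dst>[\d./]+):(?P<dport>\S+)"
)


@dataclass
class Policy:
    action: str                  # "IPSEC" (protect) or "NONE" (bypass, send in the clear)
    direction: str               # "INBOUND" or "OUTBOUND"
    src: ipaddress.IPv4Network   # a bare host address becomes a /32
    dst: ipaddress.IPv4Network


def parse_policies(log_text):
    """Rebuild the SPD from the 'creating ... policy' lines of an iked.log."""
    policies = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if not m:
            continue
        policies.append(Policy(
            m["action"], m["dir"],
            ipaddress.ip_network(m["src"], strict=False),
            ipaddress.ip_network(m["dst"], strict=False),
        ))
    return policies


def lookup(policies, direction, src_ip, dst_ip):
    """Return the action of the most specific matching policy, or None if no entry matches."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for p in policies:
        if p.direction != direction or src not in p.src or dst not in p.dst:
            continue
        # Prefer the more specific selector pair, as a longest-prefix lookup would.
        score = p.src.prefixlen + p.dst.prefixlen
        if best is None or score > best[0]:
            best = (score, p.action)
    return best[1] if best else None


def diagnose(policies, virtual_ip, remote_host):
    """Check the echo request (outbound) and its reply (inbound) against the SPD."""
    out = lookup(policies, "OUTBOUND", virtual_ip, remote_host)
    inb = lookup(policies, "INBOUND", remote_host, virtual_ip)
    return {"outbound": out, "inbound": inb, "symmetric": out == inb == "IPSEC"}


if __name__ == "__main__":
    spd = parse_policies(SAMPLE_LOG)
    # 172.29.1.1 is a constructed host inside the remote 172.29.0.0/16 network.
    print(diagnose(spd, "172.22.53.10", "172.29.1.1"))
```

The NONE entries for the gateway (195.141.2.242) and the local default gateway (192.168.1.1) are bypass policies, so traffic to those hosts is meant to leave in the clear; only the 172.22.53.10 to 172.29.0.0/16 pair is protected. Running the lookup on the symptom flow shows both directions as IPSEC, which matches the OpenSwan side's "IPsec SA established" and leaves the Windows routing and virtual-adapter behaviour as the remaining suspects.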