[vpn-help] Network communication through VPN client causes Ubuntu to freeze
Kevin VPN
kvpn at live.com
Thu Sep 1 21:00:52 CDT 2011
On 08/11/2011 06:32 AM, Demelza wrote:
> Demelza Buckham<fire_keese at ...> writes:
>
>>
>> Hi there
>>
>> I'm not quite sure whether this is a question for Shrew Soft or Ubuntu, but
>> I'll try here first.
>>
>> I've managed to get Shrew Soft VPN Client connected to my Juniper SSG 5 using
>> this tutorial: http://www.shrew.net/support/wiki/HowtoJuniperSsg
>>
>> However, if I try to connect to any hosts, my computer immediately freezes
>> and requires a hard reboot. (Pinging a non-existent host is fine, pinging the
>> SSG 5 using its public IP is fine, however, pinging or trying to connect via
>> SSH to a host that exists within the remote network causes the problem.)
>>
>> For example:
>> Ubuntu 11.04 (my PC) main IP = 10.0.0.212
>> Ubuntu 11.04 (my PC) tunnel IP = 192.168.150.1
>> Juniper WAN IP = 10.0.0.213
>> Target IP = 192.168.10.5
>> Non-existent IP = 192.168.10.123
>>
>> Pinging 10.0.0.213 works, pinging 192.168.10.123 gets no response (it's
>> dropped by my switch), pinging 192.168.10.5 kills my PC.
>>
>> When I ping 192.168.10.5: Juniper does an ARP on the IP, and sends the ping
>> out of the correct port, the target computer replies, the reply is received
>> by Juniper and is forwarded onto my PC - I'm guessing it dies at this point,
>> although I can't see why.
>>
>> Using:
>> Ubuntu 11.04
>> VPN Client 2.1.5
>> ScreenOS (on SSG) 6.2.0r11.0
>>
>> Troubleshooting done so far:
>> - I've double checked all of the client and Juniper settings, all are exactly
>>   as in the tutorial (except number of simultaneous connections to user
>>   account)
>> - I've turned off ipv6
>> - Tried disabling Ubuntu network manager
>> - Tried using both eth0 and eth1 and disabling the inactive one (eth0
>>   on-board, eth1 USB adapter)
>> - Checked logs on Juniper; can't see anything
>> - I can see the ping and the response on wireshark running on the target
>>   computer (it only sees one ping)
>> - Checked logs on computer running the VPN client; nothing that seems
>>   relevant (both syslog and iked.log, which was set to log level loud)
>> - Tried turning off NAT traversal on both client and Juniper
>> - Tried manually putting in cipher and hash algorithms for Phase 1 and 2
>>   rather than leaving as auto
>> - Debugging with the Juniper debug command isn't showing anything relevant;
>>   and I can't see how to debug both the flow and IKE/tunnel together, so
>>   can't see the relationship between the packets being sent and the tunnel
>>   status
>> - Uninstalled other VPN software from the machine (I did have OpenVPN on
>>   there)
>>
>> I'm not really sure what else to do at this stage; it looks like the Ubuntu
>> is freezing before logging anything and I can't see any problems on any of
>> the other hardware involved.
>>
>> This is what syslog shows when I connect to the VPN; although I don't think
>> it's relevant
>>
>> NetworkManager[836]: SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tap0, iface: tap0)
>> NetworkManager[836]: SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tap0, iface: tap0): no ifupdown configuration found.
>> NetworkManager[836]:<warn> /sys/devices/virtual/net/tap0: couldn't determine device driver; ignoring...
>>
>> Any help with what I could do next to try and solve the issue would be
>> appreciated. Thanks very much.
>>
>> Dee
>>
>
>
>
> UPDATE: I installed Shrew Soft version 1.7 on a Win 7 virtual machine with a
> bridged connection to Ubuntu, and that works fine.
>
> I also uninstalled 1.5 and compiled the 1.7 version on Ubuntu; getting the same
> issue as with 1.5.
>
Hi Dee,
Unfortunately, I'm not familiar with running Shrew on Ubuntu, so I may
be of limited help. Not only that, but I was going to suggest that you
try running it on Windows, and you've already tried that. At least you
know you have a valid configuration file to run on the Ubuntu side.
I would check again to see if there's something running on Ubuntu that
is intercepting the packets heading for Shrew - perhaps there's other
software running that is looking for packets on UDP 500 or
iptables/firewall does not allow the IP protocol 50 packets.
You could also use Wireshark or tcpdump to examine the capture file that
Shrew can produce (http://www.shrew.net/support/wiki/BugReportVpnUnix)
to see if it sees the ping response.
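
The two local checks suggested in the reply above (who owns UDP 500, and whether the firewall admits IKE and ESP), as an added example that is not part of the original thread. The ruleset and socket list are constructed samples, the function names are hypothetical, and the `ss` output format assumes a current iproute2.

```shell
#!/bin/sh
# Constructed sample inputs (not from the thread): an iptables-save dump and
# `ss -H -lunp` output. On a live host, pipe the real commands in instead.
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}
sample_sockets() {
cat <<'EOF'
UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=801,fd=6))
UNCONN 0 0 0.0.0.0:500 0.0.0.0:* users:(("racoon",pid=1422,fd=7))
EOF
}

# input_verdict KIND: print what the INPUT chain does with "ike" (UDP 500) or
# "esp" (IP protocol 50). Simplification: the first rule naming the protocol is
# taken at face value (its other match conditions are ignored); if no rule
# names it, the chain policy is reported.
input_verdict() {
    awk -v kind="$1" '
        /^:INPUT / { policy = $2 }
        /^-A INPUT / && verdict == "" {
            proto = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (kind == "esp" && (proto == "esp" || proto == "50")) verdict = target
            if (kind == "ike" && proto == "udp" && dport == "500") verdict = target
        }
        END { print (verdict != "" ? verdict : "policy " policy) }
    '
}

# udp500_owner: print the process column of any socket bound to local port 500.
udp500_owner() {
    awk '{ for (i = 1; i < NF; i++) if ($i ~ /:500$/) print $NF }'
}

echo "IKE (udp/500):    $(sample_rules | input_verdict ike)"
echo "ESP (proto 50):   $(sample_rules | input_verdict esp)"
echo "udp/500 bound by: $(sample_sockets | udp500_owner)"
```

In the constructed sample, IKE is accepted but ESP falls through to the DROP policy, and UDP 500 is held by a different IKE daemon than Shrew's `iked`; either condition would keep tunnelled replies from reaching the client.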