[vpn-help] Shrew 2.2.0 OS X build does not work on OSX 10.6.8

Kevin VPN kvpn at live.com
Tue Jan 3 22:04:15 CST 2012


On 12/21/2011 02:50 AM, Jinyan Huang wrote:
> Now have a new problem. I can connect the vpn. But can not do ssh. The
> log file is in the attachment.
>
>...
> 11/12/21 08:40:35 ii : received config pull response
> 11/12/21 08:40:35 ii : - IP4 WINS Server = 10.10.2.16
> 11/12/21 08:40:35 ii : - IP4 DNS Server = 10.10.2.16
> 11/12/21 08:40:35 ii : - IP4 Netmask = 255.255.255.0
> 11/12/21 08:40:35 ii : - Address Expiry = -1341915136
> 11/12/21 08:40:35 ii : - IP4 Address = 10.2.2.5
> ...
> 11/12/21 08:40:37 ii : matched ipsec-esp proposal #1 transform #1
> 11/12/21 08:40:37 ii : - transform    = esp-3des
> 11/12/21 08:40:37 ii : - key length   = default
> 11/12/21 08:40:37 ii : - encap mode   = udp-tunnel ( rfc )
> 11/12/21 08:40:37 ii : - msg auth     = hmac-sha1
> 11/12/21 08:40:37 ii : - pfs dh group = none
> 11/12/21 08:40:37 ii : - life seconds = 3600
> 11/12/21 08:40:37 ii : - life kbytes  = 0
> 11/12/21 08:40:37 DB : policy found
> 11/12/21 08:40:37 K>  : send pfkey GETSPI ESP message
> 11/12/21 08:40:37 ii : phase2 ids accepted
> 11/12/21 08:40:37 ii : - loc ANY:10.2.2.5:* ->  ANY:0.0.0.10/0:*
> 11/12/21 08:40:37 ii : - rmt ANY:0.0.0.10/0:* ->  ANY:10.2.2.5:*
> 11/12/21 08:40:37 ii : phase2 sa established
> ...

Hi Jinyan,

First off, congratulations on getting the VPN to connect - I see that 
both phase1 and phase2 negotiations now complete successfully!  Good 
work and great persistence!  (I'd love it if you posted a message 
explaining what you had to do to get the VPN working especially with 
details about the certificate setup.)

As for not being able to SSH, there may still be some details to work out.

1. First, I notice an odd thing with your tunnel policies.  The "loc 
ANY:10.2.2.5:* ->  ANY:0.0.0.10/0:*" policy seems off.  Because it uses 
a mask of /0, it is really a "Tunnel All" policy, since /0 will match on 
any IP address.  The standard convention for this type of policy is to 
specify the net-range as 0.0.0.0/0.  I'm not sure where the 0.0.0.10 is 
coming from.  That may be a sign of a misconfiguration somewhere.

Other suggestions:

2. Are you trying to SSH to an IP address or a hostname?  Try SSHing to 
the IP address of the server directly in case DNS is not working.

3. I would check if the server you are trying to connect to is 
configured to allow connections from the VPN address range (10.2.2.x/24).
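One way to check the phase2 policy selectors in a Shrew Soft client log for the /0 and stray-host-bit oddity discussed in point 1, as an added example that is not part of the original message or of the Shrew Soft client. The sample log lines are constructed from the ones quoted in the thread, and the selector layout `PROTO:ADDR[/PREFIX]:PORT` is an assumption taken from those lines, not from Shrew's source:

```python
import ipaddress
import re

# Constructed sample, modelled on the phase2 policy lines quoted in the thread.
SAMPLE_LOG = """\
11/12/21 08:40:37 ii : phase2 ids accepted
11/12/21 08:40:37 ii : - loc ANY:10.2.2.5:* ->  ANY:0.0.0.10/0:*
11/12/21 08:40:37 ii : - rmt ANY:0.0.0.10/0:* ->  ANY:10.2.2.5:*
11/12/21 08:40:37 ii : phase2 sa established
"""

# One policy line: direction (loc/rmt), source selector, destination selector.
# Assumed layout, derived from the quoted lines.
POLICY_RE = re.compile(r"- (?P<dir>loc|rmt) (?P<src>\S+) ->\s+(?P<dst>\S+)$")


def parse_selector(sel):
    """Split 'PROTO:ADDR[/PREFIX]:PORT' into (proto, raw_addr, network, port).

    A plain host address is treated as a /32.  strict=False builds the
    network even when host bits are set (e.g. 0.0.0.10/0), so the caller can
    report that instead of failing on it.
    """
    proto, addr, port = sel.split(":")
    if "/" not in addr:
        addr += "/32"
    net = ipaddress.ip_network(addr, strict=False)
    return proto, addr, net, port


def audit_policy_line(line):
    """Return {'direction', 'findings'} for a policy line, or None otherwise."""
    m = POLICY_RE.search(line)
    if not m:
        return None
    findings = []
    for label in ("src", "dst"):
        proto, raw, net, port = parse_selector(m.group(label))
        raw_ip = ipaddress.ip_address(raw.split("/")[0])
        # Host bits set inside a ranged selector: the kernel matches the same
        # traffic as the normalized network, but the odd address is a sign of
        # a misconfigured network entry worth looking at.
        if raw_ip != net.network_address:
            findings.append(f"{label} {raw}: host bits set, normalizes to {net}")
        # A /0 mask matches every address, i.e. a tunnel-all policy.
        if net.prefixlen == 0:
            findings.append(f"{label} {raw}: /0 mask, this is a tunnel-all policy")
    return {"direction": m.group("dir"), "findings": findings}


def audit_log(text):
    """Audit every policy line in a log; non-policy lines are skipped."""
    return [r for r in (audit_policy_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for entry in audit_log(SAMPLE_LOG):
        for f in entry["findings"]:
            print(f"{entry['direction']}: {f}")
```

Run against the quoted lines, both the `loc` and the `rmt` policy are reported as tunnel-all with host bits set on the 0.0.0.10/0 side; a clean tunnel-all policy written as 0.0.0.0/0 would only produce the /0 note.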


