[vpn-help] Client 2.2.1, Linux 64bit to FritzBox: phase1 fails, negotiation timout occurred

F. Schmitt vpn-help at florian-schmitt.net
Wed Sep 4 07:44:44 CDT 2013


Hi,

I'm trying to connect from a Linux client (Mint MATE 14, 64bit, Kernel
3.5.0-39) to a FritzBox (6360 Cable) using VPN. Connecting from within
Win7 to the FritzBox works perfectly, but using Linux, I receive a
"negotiation timeout". I've followed the guide mentioned in the FritzBox
howto:

https://www.shrew.net/support/Howto_Fritzbox

but it doesn't work:

---------------------------------------------------------------------
config loaded for site 'xyz'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
ipcomp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon
-------------------------------------------------------------------

Maybe anyone can tell me how to connect successfully? I've tried to set
the net.ipv4.conf.default.rp_filter and net.ipv4.conf.all.rp_filter in
/etc/sysctl.conf to 0, but that didn't change anything.

Output of uname -a:

--------------------------------------------------------------------
Linux <hostname> 3.5.0-39-generic #60-Ubuntu SMP Tue Aug 13 18:33:05 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
--------------------------------------------------------------------

Content of /var/log/iked.log: (yyy and zzz are the correct IP addresses
of the Linux client and the FritzBox respectively)
--------------------------------------------------------------------
13/09/04 14:10:00 ## : IKE Daemon, ver 2.2.1
13/09/04 14:10:00 ## : Copyright 2013 Shrew Soft Inc.
13/09/04 14:10:00 ## : This product linked OpenSSL 1.0.1c 10 May 2012
13/09/04 14:10:00 ii : opened '/var/log/iked.log'
13/09/04 14:10:00 ii : opened '/var/log/ike-encrypt.pcap'
13/09/04 14:10:00 ii : opened '/var/log/ike-decrypt.pcap'
13/09/04 14:10:00 ii : network process thread begin ...
13/09/04 14:10:00 ii : pfkey process thread begin ...
13/09/04 14:10:00 ii : ipc server process thread begin ...
13/09/04 14:10:00 K< : recv pfkey REGISTER AH message
13/09/04 14:10:00 K< : recv pfkey REGISTER ESP message
13/09/04 14:10:00 K< : recv pfkey REGISTER IPCOMP message
13/09/04 14:10:00 K! : recv X_SPDDUMP message failure ( errno = 2 )
13/09/04 14:10:21 ii : ipc client process thread begin ...
13/09/04 14:10:21 <A : peer config add message
13/09/04 14:10:21 <A : proposal config message
13/09/04 14:10:21 <A : proposal config message
13/09/04 14:10:21 <A : proposal config message
13/09/04 14:10:21 <A : client config message
13/09/04 14:10:21 <A : local id '<localid removed>' message
13/09/04 14:10:21 <A : preshared key message
13/09/04 14:10:21 <A : remote resource message
13/09/04 14:10:21 <A : peer tunnel enable message
13/09/04 14:10:21 DB : peer ref increment ( ref count = 1, obj count = 0 )
13/09/04 14:10:21 DB : peer added ( obj count = 1 )
13/09/04 14:10:21 ii : local address yyy.yyy.yyy.yyy selected for peer
13/09/04 14:10:21 DB : peer ref increment ( ref count = 2, obj count = 1 )
13/09/04 14:10:21 DB : tunnel ref increment ( ref count = 1, obj count = 0 )
13/09/04 14:10:21 DB : tunnel added ( obj count = 1 )
13/09/04 14:10:21 DB : tunnel ref increment ( ref count = 2, obj count = 1 )
13/09/04 14:10:21 DB : new phase1 ( ISAKMP initiator )
13/09/04 14:10:21 DB : exchange type is aggressive
13/09/04 14:10:21 DB : yyy.yyy.yyy.yyy:500 <-> zzz.zzz.zzz.zzz:500
13/09/04 14:10:21 DB : 346e917cd24fe0e3:0000000000000000
13/09/04 14:10:21 DB : phase1 ref increment ( ref count = 1, obj count = 0 )
13/09/04 14:10:21 DB : phase1 added ( obj count = 1 )
13/09/04 14:10:21 >> : security association payload
13/09/04 14:10:21 >> : - proposal #1 payload
13/09/04 14:10:21 >> : -- transform #1 payload
13/09/04 14:10:21 >> : -- transform #2 payload
13/09/04 14:10:21 >> : -- transform #3 payload
13/09/04 14:10:21 >> : -- transform #4 payload
13/09/04 14:10:21 >> : -- transform #5 payload
13/09/04 14:10:21 >> : -- transform #6 payload
13/09/04 14:10:21 >> : key exchange payload
13/09/04 14:10:21 >> : nonce payload
13/09/04 14:10:21 >> : identification payload
13/09/04 14:10:21 >> : vendor id payload
13/09/04 14:10:21 ii : local supports nat-t ( draft v00 )
13/09/04 14:10:21 >> : vendor id payload
13/09/04 14:10:21 ii : local supports nat-t ( draft v01 )
13/09/04 14:10:21 >> : vendor id payload
13/09/04 14:10:21 ii : local supports nat-t ( draft v02 )
13/09/04 14:10:21 >> : vendor id payload
13/09/04 14:10:21 ii : local supports nat-t ( draft v03 )
13/09/04 14:10:21 >> : vendor id payload
13/09/04 14:10:21 ii : local supports nat-t ( rfc )
13/09/04 14:10:21 >> : vendor id payload
13/09/04 14:10:21 ii : local supports FRAGMENTATION
13/09/04 14:10:21 >> : vendor id payload
13/09/04 14:10:21 >> : vendor id payload
13/09/04 14:10:21 ii : local supports DPDv1
13/09/04 14:10:21 >> : vendor id payload
13/09/04 14:10:21 ii : local is SHREW SOFT compatible
13/09/04 14:10:21 >> : vendor id payload
13/09/04 14:10:21 ii : local is NETSCREEN compatible
13/09/04 14:10:21 >> : vendor id payload
13/09/04 14:10:21 ii : local is SIDEWINDER compatible
13/09/04 14:10:21 >> : vendor id payload
13/09/04 14:10:21 ii : local is CISCO UNITY compatible
13/09/04 14:10:21 >> : vendor id payload
13/09/04 14:10:21 ii : local is CHECKPOINT compatible
13/09/04 14:10:21 >= : cookies 346e917cd24fe0e3:0000000000000000
13/09/04 14:10:21 >= : message 00000000
13/09/04 14:10:21 -> : send IKE packet yyy.yyy.yyy.yyy:500 -> zzz.zzz.zzz.zzz:500 ( 796 bytes )
13/09/04 14:10:21 DB : phase1 resend event scheduled ( ref count = 2 )
13/09/04 14:10:21 DB : phase1 ref decrement ( ref count = 1, obj count = 1 )
13/09/04 14:10:31 -> : resend 1 phase1 packet(s) [0/2] yyy.yyy.yyy.yyy:500 -> zzz.zzz.zzz.zzz:500
13/09/04 14:10:41 -> : resend 1 phase1 packet(s) [1/2] yyy.yyy.yyy.yyy:500 -> zzz.zzz.zzz.zzz:500
13/09/04 14:10:51 -> : resend 1 phase1 packet(s) [2/2] yyy.yyy.yyy.yyy:500 -> zzz.zzz.zzz.zzz:500
13/09/04 14:11:01 ii : resend limit exceeded for phase1 exchange
13/09/04 14:11:01 ii : phase1 removal before expire time
13/09/04 14:11:01 DB : phase1 deleted ( obj count = 0 )
13/09/04 14:11:01 DB : policy not found
13/09/04 14:11:01 DB : tunnel ref decrement ( ref count = 1, obj count = 1 )
13/09/04 14:11:01 DB : policy not found
13/09/04 14:11:01 DB : policy not found
13/09/04 14:11:01 DB : policy not found
13/09/04 14:11:01 DB : removing tunnel config references
13/09/04 14:11:01 DB : removing tunnel phase2 references
13/09/04 14:11:01 DB : removing tunnel phase1 references
13/09/04 14:11:01 DB : tunnel deleted ( obj count = 0 )
13/09/04 14:11:01 DB : peer ref decrement ( ref count = 1, obj count = 1 )
13/09/04 14:11:01 DB : removing all peer tunnel references
13/09/04 14:11:01 DB : peer deleted ( obj count = 0 )
13/09/04 14:11:01 ii : ipc client process thread exit ...
--------------------------------------------------------------------

My iked.conf file has the default values:
--------------------------------------------------------------------
daemon
{
	# bind to ports
	socket ike 500;
	socket natt 4500;

	# log output
	log_level loud;
	log_file "/var/log/iked.log";
	pcap_decrypt "/var/log/ike-decrypt.pcap";
	pcap_encrypt "/var/log/ike-encrypt.pcap";

	# retry settings
	retry_delay 10;
	retry_count 2;
}
--------------------------------------------------------------------

The file /var/log/ike-decrypt.pcap is empty.

Any help would be greatly appreciated!


Thanks in advance
florian
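An added example that is not part of the original post and not code from the Shrew Soft client: a small Python analyser for the iked.log format shown above. It walks the phase1 exchange, counts the initial send, the resends and any inbound IKE packets, and turns that into a verdict. The point it makes about this particular log is that the initiator sent its aggressive-mode first message plus three resends over 40 seconds and nothing ever came back, which is why ike-decrypt.pcap is empty: the responder never answered, so proposal, ID or PSK settings cannot yet be the cause and the packets to UDP/500 (or the replies) are being dropped somewhere. The sample log lines are constructed from the posted format with documentation addresses; the "<- : recv IKE packet" line shape and the "phase1 sa established" message are assumptions about the daemon's log format, not taken from the post.

```python
import re
from datetime import datetime

# Constructed sample in the format of the iked.log posted above (addresses are
# placeholders from the documentation ranges, not real hosts).
SAMPLE_NO_REPLY = """\
13/09/04 14:10:21 DB : new phase1 ( ISAKMP initiator )
13/09/04 14:10:21 DB : exchange type is aggressive
13/09/04 14:10:21 DB : 10.0.0.2:500 <-> 203.0.113.1:500
13/09/04 14:10:21 -> : send IKE packet 10.0.0.2:500 -> 203.0.113.1:500 ( 796 bytes )
13/09/04 14:10:31 -> : resend 1 phase1 packet(s) [0/2] 10.0.0.2:500 -> 203.0.113.1:500
13/09/04 14:10:41 -> : resend 1 phase1 packet(s) [1/2] 10.0.0.2:500 -> 203.0.113.1:500
13/09/04 14:10:51 -> : resend 1 phase1 packet(s) [2/2] 10.0.0.2:500 -> 203.0.113.1:500
13/09/04 14:11:01 ii : resend limit exceeded for phase1 exchange
13/09/04 14:11:01 ii : phase1 removal before expire time
"""

# Constructed variant where the peer does answer and the failure is later in the
# exchange. The "<- : recv IKE packet" line shape is an assumption about iked's format.
SAMPLE_REPLY_THEN_TIMEOUT = """\
13/09/04 14:10:21 DB : exchange type is aggressive
13/09/04 14:10:21 -> : send IKE packet 10.0.0.2:500 -> 203.0.113.1:500 ( 796 bytes )
13/09/04 14:10:21 <- : recv IKE packet 203.0.113.1:500 -> 10.0.0.2:500 ( 420 bytes )
13/09/04 14:10:31 -> : resend 1 phase1 packet(s) [0/2] 10.0.0.2:500 -> 203.0.113.1:500
13/09/04 14:10:41 ii : resend limit exceeded for phase1 exchange
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S+) : (.*)$")
SEND_RE = re.compile(r"send IKE packet (\S+) -> (\S+)")
RECV_RE = re.compile(r"recv IKE packet (\S+) -> (\S+)")      # assumed inbound line shape
RESEND_RE = re.compile(r"resend \d+ phase1 packet\(s\) \[(\d+)/(\d+)\]")


def parse_lines(text):
    """Yield (timestamp, tag, message) for every well-formed iked.log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        yield datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S"), m.group(2), m.group(3)


def verdict(r):
    """Map the counters to the next thing a practitioner should check."""
    if r["established"]:
        return "phase1 established"
    if r["limit_exceeded"] and r["received"] == 0:
        return ("no IKE reply from peer: packets to UDP/500 never reach the responder or "
                "its replies never come back (local/upstream firewall, NAT, wrong peer "
                "address, peer not listening); proposal, ID and PSK are not yet in play")
    if r["limit_exceeded"]:
        return ("peer replied but phase1 still timed out: inspect the decrypted pcap for "
                "a proposal, ID or PSK mismatch")
    return "phase1 incomplete in this log"


def analyze_phase1(text):
    """Summarise one phase1 attempt from iked.log text."""
    r = {"exchange": None, "local": None, "peer": None, "sent": 0, "resent": 0,
         "retry_limit": None, "received": 0, "elapsed_s": None,
         "limit_exceeded": False, "established": False}
    first_send = None
    for ts, tag, msg in parse_lines(text):
        if msg.startswith("exchange type is "):
            r["exchange"] = msg[len("exchange type is "):]
        elif tag == "->" and (m := SEND_RE.search(msg)):
            r["sent"] += 1
            r["local"], r["peer"] = m.group(1), m.group(2)
            first_send = first_send or ts
        elif tag == "->" and (m := RESEND_RE.search(msg)):
            r["resent"] += 1
            r["retry_limit"] = int(m.group(2))
        elif tag == "<-" and RECV_RE.search(msg):
            r["received"] += 1
        elif msg.startswith("resend limit exceeded"):
            r["limit_exceeded"] = True
            if first_send is not None:
                r["elapsed_s"] = int((ts - first_send).total_seconds())
        elif msg.startswith("phase1 sa established"):   # assumed success message
            r["established"] = True
    r["verdict"] = verdict(r)
    return r


if __name__ == "__main__":
    for name, log in (("no reply", SAMPLE_NO_REPLY), ("reply then timeout", SAMPLE_REPLY_THEN_TIMEOUT)):
        res = analyze_phase1(log)
        print(f"{name}: sent={res['sent']} resent={res['resent']} received={res['received']} "
              f"elapsed={res['elapsed_s']}s -> {res['verdict']}")
```

Run it against a real /var/log/iked.log with `analyze_phase1(open(path).read())`. With the posted retry_delay of 10 and retry_count of 2 the daemon gives up 40 seconds after the first send, which matches the timestamps in the log above; if the counters show zero inbound packets, the next step is a packet capture on UDP/500 at the client (and, if possible, at the FritzBox side) rather than changing proposals.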

