[vpn-help] Client 2.2.1, Linux 64bit to FritzBox: phase1 fails, negotiation timout occurred

Alexis La Goutte alexis.lagoutte at gmail.com
Wed Sep 4 09:19:18 CDT 2013


Hi,

Have you checked the logs of the FritzBox?

Regards,


On Wed, Sep 4, 2013 at 2:44 PM, F. Schmitt <vpn-help at florian-schmitt.net>wrote:

> Hi,
>
> I'm trying to connect from a Linux client (Mint MATE 14, 64-bit, kernel
> 3.5.0-39) to a FritzBox (6360 Cable) using VPN. Connecting from within
> Win7 to the FritzBox works perfectly, but using Linux I receive a
> "negotiation timeout". I've followed the guide mentioned in the FritzBox
> howto:
>
> https://www.shrew.net/support/Howto_Fritzbox
>
> but it doesn't work:
>
> ---------------------------------------------------------------------
> config loaded for site 'xyz'
> attached to key daemon ...
> peer configured
> iskamp proposal configured
> esp proposal configured
> ipcomp proposal configured
> client configured
> local id configured
> remote id configured
> pre-shared key configured
> bringing up tunnel ...
> negotiation timout occurred
> tunnel disabled
> detached from key daemon
> -------------------------------------------------------------------
>
> Maybe anyone can tell me how to connect successfully? I've tried to set
> the net.ipv4.conf.default.rp_filter and net.ipv4.conf.all.rp_filter in
> /etc/sysctl.conf to 0, but that didn't change anything.
>
> Output of uname -a:
>
> --------------------------------------------------------------------
> Linux <hostname> 3.5.0-39-generic #60-Ubuntu SMP Tue Aug 13 18:33:05 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> --------------------------------------------------------------------
>
> Content of /var/log/iked.log: (yyy and zzz are the correct IP addresses
> of the Linux client and the FritzBox respectively)
> --------------------------------------------------------------------
> 13/09/04 14:10:00 ## : IKE Daemon, ver 2.2.1
> 13/09/04 14:10:00 ## : Copyright 2013 Shrew Soft Inc.
> 13/09/04 14:10:00 ## : This product linked OpenSSL 1.0.1c 10 May 2012
> 13/09/04 14:10:00 ii : opened '/var/log/iked.log'
> 13/09/04 14:10:00 ii : opened '/var/log/ike-encrypt.pcap'
> 13/09/04 14:10:00 ii : opened '/var/log/ike-decrypt.pcap'
> 13/09/04 14:10:00 ii : network process thread begin ...
> 13/09/04 14:10:00 ii : pfkey process thread begin ...
> 13/09/04 14:10:00 ii : ipc server process thread begin ...
> 13/09/04 14:10:00 K< : recv pfkey REGISTER AH message
> 13/09/04 14:10:00 K< : recv pfkey REGISTER ESP message
> 13/09/04 14:10:00 K< : recv pfkey REGISTER IPCOMP message
> 13/09/04 14:10:00 K! : recv X_SPDDUMP message failure ( errno = 2 )
> 13/09/04 14:10:21 ii : ipc client process thread begin ...
> 13/09/04 14:10:21 <A : peer config add message
> 13/09/04 14:10:21 <A : proposal config message
> 13/09/04 14:10:21 <A : proposal config message
> 13/09/04 14:10:21 <A : proposal config message
> 13/09/04 14:10:21 <A : client config message
> 13/09/04 14:10:21 <A : local id '<localid removed>' message
> 13/09/04 14:10:21 <A : preshared key message
> 13/09/04 14:10:21 <A : remote resource message
> 13/09/04 14:10:21 <A : peer tunnel enable message
> 13/09/04 14:10:21 DB : peer ref increment ( ref count = 1, obj count = 0 )
> 13/09/04 14:10:21 DB : peer added ( obj count = 1 )
> 13/09/04 14:10:21 ii : local address yyy.yyy.yyy.yyy selected for peer
> 13/09/04 14:10:21 DB : peer ref increment ( ref count = 2, obj count = 1 )
> 13/09/04 14:10:21 DB : tunnel ref increment ( ref count = 1, obj count = 0 )
> 13/09/04 14:10:21 DB : tunnel added ( obj count = 1 )
> 13/09/04 14:10:21 DB : tunnel ref increment ( ref count = 2, obj count = 1 )
> 13/09/04 14:10:21 DB : new phase1 ( ISAKMP initiator )
> 13/09/04 14:10:21 DB : exchange type is aggressive
> 13/09/04 14:10:21 DB : yyy.yyy.yyy.yyy:500 <-> zzz.zzz.zzz.zzz:500
> 13/09/04 14:10:21 DB : 346e917cd24fe0e3:0000000000000000
> 13/09/04 14:10:21 DB : phase1 ref increment ( ref count = 1, obj count = 0 )
> 13/09/04 14:10:21 DB : phase1 added ( obj count = 1 )
> 13/09/04 14:10:21 >> : security association payload
> 13/09/04 14:10:21 >> : - proposal #1 payload
> 13/09/04 14:10:21 >> : -- transform #1 payload
> 13/09/04 14:10:21 >> : -- transform #2 payload
> 13/09/04 14:10:21 >> : -- transform #3 payload
> 13/09/04 14:10:21 >> : -- transform #4 payload
> 13/09/04 14:10:21 >> : -- transform #5 payload
> 13/09/04 14:10:21 >> : -- transform #6 payload
> 13/09/04 14:10:21 >> : key exchange payload
> 13/09/04 14:10:21 >> : nonce payload
> 13/09/04 14:10:21 >> : identification payload
> 13/09/04 14:10:21 >> : vendor id payload
> 13/09/04 14:10:21 ii : local supports nat-t ( draft v00 )
> 13/09/04 14:10:21 >> : vendor id payload
> 13/09/04 14:10:21 ii : local supports nat-t ( draft v01 )
> 13/09/04 14:10:21 >> : vendor id payload
> 13/09/04 14:10:21 ii : local supports nat-t ( draft v02 )
> 13/09/04 14:10:21 >> : vendor id payload
> 13/09/04 14:10:21 ii : local supports nat-t ( draft v03 )
> 13/09/04 14:10:21 >> : vendor id payload
> 13/09/04 14:10:21 ii : local supports nat-t ( rfc )
> 13/09/04 14:10:21 >> : vendor id payload
> 13/09/04 14:10:21 ii : local supports FRAGMENTATION
> 13/09/04 14:10:21 >> : vendor id payload
> 13/09/04 14:10:21 >> : vendor id payload
> 13/09/04 14:10:21 ii : local supports DPDv1
> 13/09/04 14:10:21 >> : vendor id payload
> 13/09/04 14:10:21 ii : local is SHREW SOFT compatible
> 13/09/04 14:10:21 >> : vendor id payload
> 13/09/04 14:10:21 ii : local is NETSCREEN compatible
> 13/09/04 14:10:21 >> : vendor id payload
> 13/09/04 14:10:21 ii : local is SIDEWINDER compatible
> 13/09/04 14:10:21 >> : vendor id payload
> 13/09/04 14:10:21 ii : local is CISCO UNITY compatible
> 13/09/04 14:10:21 >> : vendor id payload
> 13/09/04 14:10:21 ii : local is CHECKPOINT compatible
> 13/09/04 14:10:21 >= : cookies 346e917cd24fe0e3:0000000000000000
> 13/09/04 14:10:21 >= : message 00000000
> 13/09/04 14:10:21 -> : send IKE packet yyy.yyy.yyy.yyy:500 -> zzz.zzz.zzz.zzz:500 ( 796 bytes )
> 13/09/04 14:10:21 DB : phase1 resend event scheduled ( ref count = 2 )
> 13/09/04 14:10:21 DB : phase1 ref decrement ( ref count = 1, obj count = 1 )
> 13/09/04 14:10:31 -> : resend 1 phase1 packet(s) [0/2] yyy.yyy.yyy.yyy:500 -> zzz.zzz.zzz.zzz:500
> 13/09/04 14:10:41 -> : resend 1 phase1 packet(s) [1/2] yyy.yyy.yyy.yyy:500 -> zzz.zzz.zzz.zzz:500
> 13/09/04 14:10:51 -> : resend 1 phase1 packet(s) [2/2] yyy.yyy.yyy.yyy:500 -> zzz.zzz.zzz.zzz:500
> 13/09/04 14:11:01 ii : resend limit exceeded for phase1 exchange
> 13/09/04 14:11:01 ii : phase1 removal before expire time
> 13/09/04 14:11:01 DB : phase1 deleted ( obj count = 0 )
> 13/09/04 14:11:01 DB : policy not found
> 13/09/04 14:11:01 DB : tunnel ref decrement ( ref count = 1, obj count = 1 )
> 13/09/04 14:11:01 DB : policy not found
> 13/09/04 14:11:01 DB : policy not found
> 13/09/04 14:11:01 DB : policy not found
> 13/09/04 14:11:01 DB : removing tunnel config references
> 13/09/04 14:11:01 DB : removing tunnel phase2 references
> 13/09/04 14:11:01 DB : removing tunnel phase1 references
> 13/09/04 14:11:01 DB : tunnel deleted ( obj count = 0 )
> 13/09/04 14:11:01 DB : peer ref decrement ( ref count = 1, obj count = 1 )
> 13/09/04 14:11:01 DB : removing all peer tunnel references
> 13/09/04 14:11:01 DB : peer deleted ( obj count = 0 )
> 13/09/04 14:11:01 ii : ipc client process thread exit ...
> --------------------------------------------------------------------
>
> My iked.conf file has the default values:
> --------------------------------------------------------------------
> daemon
> {
>         # bind to ports
>         socket ike 500;
>         socket natt 4500;
>
>         # log output
>         log_level loud;
>         log_file "/var/log/iked.log";
>         pcap_decrypt "/var/log/ike-decrypt.pcap";
>         pcap_encrypt "/var/log/ike-encrypt.pcap";
>
>         # retry settings
>         retry_delay 10;
>         retry_count 2;
> }
> --------------------------------------------------------------------
>
> The file /var/log/ike-decrypt.pcap is empty.
>
> Any help would be greatly appreciated!
>
>
> Thanks in advance
> florian
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> https://lists.shrew.net/mailman/listinfo/vpn-help
>
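The posted iked.log shows the one fact that matters for this failure: the initiator sends its aggressive-mode packet, resends it three times, and never logs an inbound IKE packet; the responder cookie stays at 0000000000000000 and the decrypt pcap is empty. That is a reachability problem on UDP/500, not a proposal or pre-shared-key mismatch, because the FritzBox has not evaluated anything yet. The script below is an added example, not code from the Shrew Soft project or from either poster: it parses iked.log lines, counts sends against receives, and produces that verdict. The sample log lines are constructed from the post with RFC 5737 addresses in place of yyy/zzz; the contrast case with a replying peer is hypothetical, and it assumes the daemon logs received packets with the tag `<-` and the text `recv IKE packet`, mirroring the `->` send lines, which the post does not show. The timeout formula is read off the timeline in this log (first send, three resends ten seconds apart, then the limit message), not taken from Shrew documentation.

```python
"""Added example (not from Shrew Soft): classify a phase1 failure from iked.log."""
import re
from datetime import datetime

# "13/09/04 14:10:21 DB : message" -> (timestamp, two-char tag, message)
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S\S) : (.*)$")
ZERO_COOKIE = "0" * 16


def parse(log_text):
    """Yield (timestamp, tag, message) for each well-formed iked.log line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S"), m.group(2), m.group(3)


def diagnose(log_text):
    """Summarise the phase1 attempt and give a one-line verdict."""
    r = {"exchange": None, "local": None, "remote": None, "responder_cookie": None,
         "sent": 0, "received": 0, "elapsed_s": None, "verdict": None}
    first_send = limit_hit = None
    for ts, tag, msg in parse(log_text):
        if tag == "DB":
            if msg.startswith("exchange type is "):
                r["exchange"] = msg.split("is ", 1)[1]
            m = re.fullmatch(r"(\S+):\d+ <-> (\S+):\d+", msg)
            if m:
                r["local"], r["remote"] = m.groups()
            m = re.fullmatch(r"[0-9a-f]{16}:([0-9a-f]{16})", msg)  # initiator:responder cookies
            if m:
                r["responder_cookie"] = m.group(1)
        elif tag == "->" and ("send IKE packet" in msg or msg.startswith("resend ")):
            r["sent"] += 1
            first_send = first_send or ts
        elif tag == "<-" and "recv IKE packet" in msg:  # assumed receive-line format
            r["received"] += 1
        elif tag == "ii" and msg.startswith("resend limit exceeded"):
            limit_hit = ts
    if first_send and limit_hit:
        r["elapsed_s"] = int((limit_hit - first_send).total_seconds())
    no_cookie = r["responder_cookie"] in (None, ZERO_COOKIE)
    if r["sent"] == 0:
        r["verdict"] = "no IKE packet left the daemon; check socket binding and the local firewall"
    elif r["received"] == 0 and no_cookie:
        r["verdict"] = ("peer silent: %d packets sent, no reply, responder cookie still zero; "
                        "UDP/500 is blocked or misrouted between the hosts, so proposals and "
                        "PSK have not been evaluated yet" % r["sent"])
    else:
        r["verdict"] = "peer replied; the failure is inside the exchange, inspect ike-decrypt.pcap"
    return r


def expected_timeout_s(conf_text):
    """Seconds from first send to 'resend limit exceeded' implied by iked.conf.

    Derived from the posted timeline: initial send, retry_count+1 resends spaced
    retry_delay apart, then one more delay before the limit message (10 * 4 = 40 s).
    """
    vals = dict(re.findall(r"(retry_delay|retry_count)\s+(\d+);", conf_text))
    return int(vals["retry_delay"]) * (int(vals["retry_count"]) + 2)


# Constructed sample trimmed from the posted log; RFC 5737 addresses replace yyy/zzz.
SILENT_PEER_LOG = """\
13/09/04 14:10:21 DB : new phase1 ( ISAKMP initiator )
13/09/04 14:10:21 DB : exchange type is aggressive
13/09/04 14:10:21 DB : 192.0.2.10:500 <-> 198.51.100.1:500
13/09/04 14:10:21 DB : 346e917cd24fe0e3:0000000000000000
13/09/04 14:10:21 -> : send IKE packet 192.0.2.10:500 -> 198.51.100.1:500 ( 796 bytes )
13/09/04 14:10:31 -> : resend 1 phase1 packet(s) [0/2] 192.0.2.10:500 -> 198.51.100.1:500
13/09/04 14:10:41 -> : resend 1 phase1 packet(s) [1/2] 192.0.2.10:500 -> 198.51.100.1:500
13/09/04 14:10:51 -> : resend 1 phase1 packet(s) [2/2] 192.0.2.10:500 -> 198.51.100.1:500
13/09/04 14:11:01 ii : resend limit exceeded for phase1 exchange
"""

# Hypothetical contrast case (constructed): the peer answers the first packet.
ANSWERING_PEER_LOG = """\
13/09/04 14:20:05 DB : exchange type is aggressive
13/09/04 14:20:05 DB : 192.0.2.10:500 <-> 198.51.100.1:500
13/09/04 14:20:05 -> : send IKE packet 192.0.2.10:500 -> 198.51.100.1:500 ( 796 bytes )
13/09/04 14:20:05 <- : recv IKE packet 198.51.100.1:500 -> 192.0.2.10:500 ( 340 bytes )
"""

# Retry settings copied from the posted iked.conf.
IKED_CONF = "daemon\n{\n        retry_delay 10;\n        retry_count 2;\n}\n"

if __name__ == "__main__":
    for name, log in (("silent", SILENT_PEER_LOG), ("answering", ANSWERING_PEER_LOG)):
        print(name + ":", diagnose(log)["verdict"])
    print("expected timeout:", expected_timeout_s(IKED_CONF), "s")
```

With the posted settings the verdict is reached 40 seconds after the first send, which matches the 14:10:21 to 14:11:01 timeline. When the script reports a silent peer, the next step is on the wire rather than in the client: capture UDP/500 and UDP/4500 on the Linux host's outgoing interface to confirm the packet leaves and whether anything comes back, and compare against the Windows 7 capture that works, since the FritzBox is demonstrably reachable from that host.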