[vpn-help] Shrew - Racoon

Vukovics Mihaly vm at informatik.hu
Sun Dec 28 11:26:13 CST 2014


Hi Everyone,

I am facing a strange problem, and have been debugging for days, but 
without success...

I have set up a Racoon IPSEC VPN server. There are two different 
proposals, one for Android devices and one for Shrew client.
The Android devices can connect, everything works fine, but when I connect 
from Windows clients (XP, Win7) using the latest Shrew client, I can reach 
any IP address/service from the client, but can't reach the client(s) 
from the server side. Even PING does not work.

I have checked the traffic with Wireshark, the echo request reaches the 
client, but it looks like the client does not respond to it (no response 
found!).

There is no error on either (Racoon/Shrew) side in the debug logs.

Fragments from racoon.conf

"remote anonymous
{

     exchange_mode aggressive;
     verify_identifier on;
     my_identifier keyid tag "***";
     peers_identifier keyid tag "client";
     generate_policy unique;
     ike_frag on;
     nat_traversal on;
     dpd_delay 30;
     proposal_check obey;
     lifetime time 24 hours;
     proposal
     {
         encryption_algorithm aes 256;
         hash_algorithm sha1;
         authentication_method xauth_psk_server;
         dh_group 5;
     }
}

remote anonymous
{
     exchange_mode aggressive;
     verify_identifier on;
     my_identifier keyid tag "***";
     peers_identifier keyid tag "android";
     generate_policy unique;
     ike_frag on;
     nat_traversal on;
     dpd_delay 30;
     proposal_check claim;
     lifetime time 24 hours;
     proposal
     {
         encryption_algorithm aes 128;
         hash_algorithm sha1;
         authentication_method xauth_psk_server;
         dh_group 2;
     }
}

mode_cfg
{
     network4 192.168.7.2;
     pool_size 16;
     netmask4 255.255.255.0;
     split_network include 10.1.0.0/16;
     auth_source system;
     auth_groups "vpn-user";
     group_source system;
     conf_source local;
     wins4 10.1.1.1;
     dns4 10.1.1.254;
     default_domain "***";
     banner "/etc/racoon/motd";
}

sainfo anonymous
{
         lifetime time 3600 seconds;
         encryption_algorithm aes;
         authentication_algorithm hmac_md5,hmac_sha1;
         compression_algorithm deflate;
}
"

The Shrew profile (already tried all possibilities):

"
n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:1
n:client-wins-auto:1
n:phase1-dhgroup:5
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
s:network-host:***
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:keyid
s:ident-server-type:keyid
s:ident-client-data:client
s:ident-server-data:therapia
b:auth-mutual-psk:***
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-level:auto
"

This is the only suspicious msg in IPSEC log in Shrew:

"14/12/28 18:12:25 !! : unable to connect to pfkey interface"

Has anybody any idea which direction to go?

Best Regards,
Mihaly

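A small checker, added here and not part of the original post, that parses the Shrew profile's type:key:value lines, compares the phase 1/2 values and the client keyid against the racoon remote/sainfo values quoted above, and reports whether a given server-side address lies inside the pushed split_network list. It assumes that in pull mode with policy-list-auto the client builds its policies from that list; all sample values are constructed from the post, with redacted fields left out.

```python
import ipaddress
import re

# Constructed sample: the Shrew profile keys from the post that this check uses (redacted ones omitted).
SHREW_PROFILE = """\
n:phase1-dhgroup:5
n:phase1-life-secs:86400
n:phase2-life-secs:3600
n:policy-list-auto:1
s:client-auto-mode:pull
s:ident-client-data:client
s:phase1-exchange:aggressive
"""

# Constructed sample: values from the "client" remote block, sainfo and mode_cfg in the post.
RACOON_REMOTE = {"exchange_mode": "aggressive", "dh_group": 5,
                 "lifetime_secs": 24 * 3600, "peers_identifier": "client"}
RACOON_SAINFO_LIFETIME = 3600
RACOON_SPLIT = ["10.1.0.0/16"]

def parse_shrew_profile(text):
    """Parse Shrew's 'type:key:value' lines: n = integer, s = string, b = binary (kept raw)."""
    prof = {}
    for line in text.splitlines():
        m = re.match(r"^([nsb]):([^:]+):(.*)$", line.strip())
        if m:
            kind, key, val = m.groups()
            prof[key] = int(val) if kind == "n" else val
    return prof

def check_phase_params(prof, remote, p2_lifetime):
    """Return the profile keys whose value disagrees with the racoon side."""
    expected = {
        "phase1-exchange": remote["exchange_mode"],
        "phase1-dhgroup": remote["dh_group"],
        "phase1-life-secs": remote["lifetime_secs"],
        "ident-client-data": remote["peers_identifier"],
        "phase2-life-secs": p2_lifetime,
    }
    return [k for k, v in expected.items() if prof.get(k) != v]

def covered_by_split(prof, split_nets, server_addr):
    """In pull mode with policy-list-auto the client derives its policies from the
    pushed split_network list (assumption); tell whether server_addr is inside one,
    i.e. whether the client has a policy under which to answer it. None = manual list."""
    if prof.get("client-auto-mode") != "pull" or prof.get("policy-list-auto") != 1:
        return None
    addr = ipaddress.ip_address(server_addr)
    return any(addr in ipaddress.ip_network(n) for n in split_nets)
```

Under that assumption an address outside every include (for instance the gateway end of the 192.168.7.0/24 pool) has no client-side policy, which is one thing to verify when echo requests arrive at the client but are never answered.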