[vpn-help] Shrew - Racoon

Vukovics Mihaly vm at informatik.hu
Mon Dec 29 09:02:39 CST 2014


Hi Again,

I did some more debugging with wireshark:

- When I ping from the client to an internal server, the src address is
the IP assigned by racoon (192.168.7.2) and the dst address is the internal
server address (10.1.1.1) => the reply comes back from src 10.1.1.1 and
goes to 192.168.7.2.
- When I try to ping the client from the internal server, the src address
is the EXTERNAL/INTERNET address of the VPN server and the dst is
192.168.7.2. Thus the echo reply tries to go to the EXTERNAL address, not
to the internal server IP.

On the server side the policies are (46... = client external IP, 81... = VPN
server external IP):

root at therex:~# setkey -D
81.182.243.141[4500] 46.107.164.103[4500]
         esp-udp mode=tunnel spi=214892320(0x0cceff20) reqid=0(0x00000000)
         E: 3des-cbc  12dcc63a 782e5782 67ea1a47 5d248b19 e50503d5 44b1c4f9
         A: hmac-md5  e9bd2963 beabf3cc 0be13c10 a89ab638
         seq=0x00000000 replay=4 flags=0x00000000 state=mature
         created: Dec 29 14:53:35 2014   current: Dec 29 14:57:07 2014
         diff: 212(s)    hard: 3600(s)   soft: 2880(s)
         last: Dec 29 14:53:36 2014      hard: 0(s)      soft: 0(s)
         current: 34059(bytes)   hard: 0(bytes)  soft: 0(bytes)
         allocated: 423  hard: 0 soft: 0
         sadb_seq=1 pid=60610 refcnt=0
46.107.164.103[4500] 81.182.243.141[4500]
         esp-udp mode=tunnel spi=155541734(0x094560e6) reqid=0(0x00000000)
         E: 3des-cbc  c6b731bf 68c993c3 47054ace 67a9e953 6439a475 08f9a356
         A: hmac-md5  110e04e0 600b5d5b edcf3de1 b5436c93
         seq=0x00000000 replay=4 flags=0x00000000 state=mature
         created: Dec 29 14:53:35 2014   current: Dec 29 14:57:07 2014
         diff: 212(s)    hard: 3600(s)   soft: 2880(s)
         last:                           hard: 0(s)      soft: 0(s)
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
         allocated: 0    hard: 0 soft: 0
         sadb_seq=2 pid=60610 refcnt=0

In the Shrew policy the tunnel is defined between the client's internal (NAT)
address 192.168.0.212 and the VPN server's EXTERNAL 81... address.

Can this mismatch cause my problem?

Best Regards,
Mihaly



Thanks,
Vuki

On 2014.12.28. 18:26, Vukovics Mihaly wrote:
> Hi Everyone,
>
> I am facing a strange problem, and have been debugging for days, but
> without success...
>
> I have set up a Racoon IPSEC VPN server. There are two different
> proposals, one for Android devices and one for Shrew client.
> The Android devices can connect, everything works fine, but when I
> connect from Windows clients (XP, Win7) using the latest Shrew client, I
> can reach any IP addresses/services from the client, but can't reach
> the client(s) from the server side. Even PING does not work.
>
> I have checked the traffic with Wireshark, the echo request reaches
> the client, but it looks like the client does not respond to it (no
> response found!).
>
> There is no error on either (Racoon/Shrew) side in the debug logs.
>
> Fragments from racoon.conf
>
> "remote anonymous
> {
>
>     exchange_mode aggressive;
>     verify_identifier on;
>     my_identifier keyid tag "***";
>     peers_identifier keyid tag "client";
>     generate_policy unique;
>     ike_frag on;
>     nat_traversal on;
>     dpd_delay 30;
>     proposal_check obey;
>     lifetime time 24 hours;
>     proposal
>     {
>         encryption_algorithm aes 256;
>         hash_algorithm sha1;
>         authentication_method xauth_psk_server;
>         dh_group 5;
>     }
> }
>
> remote anonymous
> {
>     exchange_mode aggressive;
>     verify_identifier on;
>     my_identifier keyid tag "***";
>     peers_identifier keyid tag "android";
>     generate_policy unique;
>     ike_frag on;
>     nat_traversal on;
>     dpd_delay 30;
>     proposal_check claim;
>     lifetime time 24 hours;
>     proposal
>     {
>         encryption_algorithm aes 128;
>         hash_algorithm sha1;
>         authentication_method xauth_psk_server;
>         dh_group 2;
>     }
> }
>
> mode_cfg
> {
>     network4 192.168.7.2;
>     pool_size 16;
>     netmask4 255.255.255.0;
>     split_network include 10.1.0.0/16;
>     auth_source system;
>     auth_groups "vpn-user";
>     group_source system;
>     conf_source local;
>     wins4 10.1.1.1;
>     dns4 10.1.1.254;
>     default_domain "***";
>     banner "/etc/racoon/motd";
> }
>
> sainfo anonymous
> {
>         lifetime time 3600 seconds;
>         encryption_algorithm aes;
>         authentication_algorithm hmac_md5,hmac_sha1;
>         compression_algorithm deflate;
> }
> "
>
> The Shrew profile (already tried all possibilities):
>
> "
> n:version:4
> n:network-ike-port:500
> n:network-mtu-size:1380
> n:client-addr-auto:1
> n:network-natt-port:4500
> n:network-natt-rate:15
> n:network-frag-size:540
> n:network-dpd-enable:1
> n:client-banner-enable:1
> n:network-notify-enable:1
> n:client-dns-used:1
> n:client-dns-auto:1
> n:client-dns-suffix-auto:1
> n:client-splitdns-used:1
> n:client-splitdns-auto:1
> n:client-wins-used:1
> n:client-wins-auto:1
> n:phase1-dhgroup:5
> n:phase1-life-secs:86400
> n:phase1-life-kbytes:0
> n:vendor-chkpt-enable:0
> n:phase2-life-secs:3600
> n:phase2-life-kbytes:0
> n:policy-nailed:0
> n:policy-list-auto:1
> s:network-host:***
> s:client-auto-mode:pull
> s:client-iface:virtual
> s:network-natt-mode:enable
> s:network-frag-mode:enable
> s:auth-method:mutual-psk-xauth
> s:ident-client-type:keyid
> s:ident-server-type:keyid
> s:ident-client-data:client
> s:ident-server-data:therapia
> b:auth-mutual-psk:***
> s:phase1-exchange:aggressive
> s:phase1-cipher:auto
> s:phase1-hash:auto
> s:phase2-transform:auto
> s:phase2-hmac:auto
> s:ipcomp-transform:disabled
> n:phase2-pfsgroup:-1
> s:policy-level:auto
> "
>
> This is the only suspicious msg in IPSEC log in Shrew:
>
> "14/12/28 18:12:25 !! : unable to connect to pfkey interface"
>
> Has anybody any idea which direction to go?
>
> Best Regards,
> Mihaly
>
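As an added diagnostic example (not code from the post, nor from the Shrew or racoon projects): a Python script that parses the `setkey -D` dump above, flags SA pairs where one direction carries no counted bytes, compares the negotiated ESP algorithms with the sainfo algorithms in the posted racoon.conf, checks whether the endpoints named in the Shrew policy (192.168.0.212 and 81...) appear in the server's SAD at all, and shows which of the two pings from the mail falls within a server-side SPD selector of 10.1.0.0/16 <-> 192.168.7.2. That selector is an assumption derived from split_network and the assigned address; the post shows no `setkey -DP` output. The SAD dump embedded as input is the one from the post, not constructed.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# `setkey -D` output as posted (46.x = client's public/NAT address, 81.x = VPN server).
SETKEY_DUMP = """\
81.182.243.141[4500] 46.107.164.103[4500]
         esp-udp mode=tunnel spi=214892320(0x0cceff20) reqid=0(0x00000000)
         E: 3des-cbc  12dcc63a 782e5782 67ea1a47 5d248b19 e50503d5 44b1c4f9
         A: hmac-md5  e9bd2963 beabf3cc 0be13c10 a89ab638
         seq=0x00000000 replay=4 flags=0x00000000 state=mature
         created: Dec 29 14:53:35 2014   current: Dec 29 14:57:07 2014
         diff: 212(s)    hard: 3600(s)   soft: 2880(s)
         last: Dec 29 14:53:36 2014      hard: 0(s)      soft: 0(s)
         current: 34059(bytes)   hard: 0(bytes)  soft: 0(bytes)
         allocated: 423  hard: 0 soft: 0
         sadb_seq=1 pid=60610 refcnt=0
46.107.164.103[4500] 81.182.243.141[4500]
         esp-udp mode=tunnel spi=155541734(0x094560e6) reqid=0(0x00000000)
         E: 3des-cbc  c6b731bf 68c993c3 47054ace 67a9e953 6439a475 08f9a356
         A: hmac-md5  110e04e0 600b5d5b edcf3de1 b5436c93
         seq=0x00000000 replay=4 flags=0x00000000 state=mature
         created: Dec 29 14:53:35 2014   current: Dec 29 14:57:07 2014
         diff: 212(s)    hard: 3600(s)   soft: 2880(s)
         last:                           hard: 0(s)      soft: 0(s)
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
         allocated: 0    hard: 0 soft: 0
         sadb_seq=2 pid=60610 refcnt=0
"""

@dataclass
class SA:
    src: str
    dst: str
    spi: int = 0
    enc: str = ""
    auth: str = ""
    cur_bytes: int = 0  # bytes the kernel has counted on this SA

HEADER = re.compile(r"^(?P<src>[^\s\[]+)(?:\[\d+\])?\s+(?P<dst>[^\s\[]+)(?:\[\d+\])?\s*$")
FIELD = {  # detail line -> SA field; group 1 is the value
    "spi": re.compile(r"\bspi=(\d+)\("),
    "enc": re.compile(r"^E: (\S+)"),
    "auth": re.compile(r"^A: (\S+)"),
    "cur_bytes": re.compile(r"^current: (\d+)\(bytes\)"),
}

def parse_setkey_dump(text: str) -> list[SA]:
    """One SA per unindented 'src[port] dst[port]' header; indented lines are its details."""
    sas: list[SA] = []
    for raw in filter(str.strip, text.splitlines()):
        if not raw[0].isspace():
            m = HEADER.match(raw)
            if not m:
                raise ValueError(f"unrecognised SA header: {raw!r}")
            sas.append(SA(src=m["src"], dst=m["dst"]))
            continue
        for name, rx in FIELD.items():
            if m := rx.search(raw.strip()):
                setattr(sas[-1], name, int(m[1]) if name in ("spi", "cur_bytes") else m[1])
    return sas

def diagnose(sas: list[SA], expected_enc: set[str], expected_auth: set[str],
             client_policy_endpoints: tuple[str, ...]) -> list[str]:
    """Findings about the SAD versus the configured sainfo algorithms and the client policy."""
    out: list[str] = []
    by_dir = {(s.src, s.dst): s for s in sas}
    for sa in sas:
        rev = by_dir.get((sa.dst, sa.src))
        if rev is None:
            out.append(f"{sa.src}->{sa.dst}: no SA for the reverse direction")
        elif sa.cur_bytes == 0 and rev.cur_bytes > 0:
            out.append(f"{sa.src}->{sa.dst}: 0 bytes counted while "
                       f"{rev.src}->{rev.dst} carried {rev.cur_bytes} bytes")
        if sa.enc not in expected_enc or sa.auth not in expected_auth:
            out.append(f"{sa.src}->{sa.dst}: negotiated {sa.enc}/{sa.auth}, not in sainfo")
    known = {s.src for s in sas} | {s.dst for s in sas}
    for ep in client_policy_endpoints:
        if ep not in known:
            out.append(f"client policy endpoint {ep} appears in no server SA; SAD knows {sorted(known)}")
    return out

def selector_match(policy_src: str, policy_dst: str, pkt_src: str, pkt_dst: str) -> bool:
    """Would a packet be selected by an SPD entry with these src/dst selectors?"""
    return ip_address(pkt_src) in ip_network(policy_src) and ip_address(pkt_dst) in ip_network(policy_dst)

if __name__ == "__main__":
    sas = parse_setkey_dump(SETKEY_DUMP)
    # The posted sainfo lists aes and hmac_md5/hmac_sha1; these are setkey's names for them.
    for f in diagnose(sas, {"aes-cbc"}, {"hmac-md5", "hmac-sha1"}, ("192.168.0.212", "81.182.243.141")):
        print("finding:", f)
    # ASSUMED server-side policy 10.1.0.0/16 <-> 192.168.7.2 (derived from split_network; the
    # post shows no `setkey -DP`): the reply from 10.1.1.1 is selected, one sourced from 81.x is not.
    print(selector_match("10.1.0.0/16", "192.168.7.2/32", "10.1.1.1", "192.168.7.2"))        # True
    print(selector_match("10.1.0.0/16", "192.168.7.2/32", "81.182.243.141", "192.168.7.2"))  # False
```

Run it as-is to see the findings for the posted dump. The byte-counter check only reports what the kernel accounted on each SA; whether a zero counter on the client-to-server SA means anything depends on the platform, so confirm it with a capture of UDP 4500 on the external interface before drawing conclusions. The selector check makes the policy question in the mail concrete: with a 10.1.0.0/16 selector, a packet whose source has already been rewritten to the server's external address is not selected, so it is worth dumping the real SPD with `setkey -DP` and comparing its selectors with the addresses seen in the captures.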
