[vpn-help] windows OK, linux does not connect

Fred Odendaal fred.odendaal at gmail.com
Fri Jan 3 23:10:39 CST 2014


  > Emre Erenoglu erenoglu at gmail.com
  > Thu Jan 6 18:32:36 CST 2011
  >
  > On Fri, Jan 7, 2011 at 4:11 AM, Matthew Grooms <mgrooms at shrew.net> wrote:
  >
  > > On 1/6/2011 5:47 PM, Emre Erenoglu wrote:
  > >
  > >> Dear Shrew Users,
  > >>
  > >> I have a strange problem. I'm using Shrew Soft client on my XP
  > >> successfully, everything is working fine.
  > >>
  > >> I'm exporting the same configuration to my Linux system, it seems to
  > >> connect fine since I get the "tunnel enabled" message and the tap0
  > >> interface gets an address, however, the "security associations"
  > >> "established" shows "0" and after some time "failed" starts to
  > >> increase. Status shows "connected" and remote host shows the IP.
  > >> Transport used is NAT-T / IKE / ESP. Fragmentation and Dead Peer
  > >> Detection shows disabled although I enabled them in the config.
  > >>
  > >> I tried to search the internet, saw settings about rp_filter, so I set the
  > >> following sysctl values and rebooted.
  > >> net.ipv4.conf.default.rp_filter = 0
  > >> net.ipv4.conf.all.rp_filter = 0
  > >>
  > >> Still no luck. My iptables is empty, there are no other firewalls on the
  > >> system. Do you have any idea why this Phase2 negotiation is failing? I'm
  > >> pasting the logs below. Please note that I changed the shown IP
  > >> addresses by hand, so don't mind them unless necessary.
  > >>
  > >>
  > > Your phase2 negotiation is not completing successfully. As a result, you
  > > don't have an IPsec SA to send traffic with. The kernel is sending an
  > > ACQUIRE message appropriately, and the ike daemon is attempting to negotiate
  > > phase2 but is failing to get a response from the peer.
  > >
  > > BTW, what is 1.2.176.8? ...
  > >
  > >
  > > ii : creating NONE INBOUND policy ANY:0.0.0.0:* -> ANY:1.2.176.8:*
  > > K> : send pfkey X_SPDADD UNSPEC message
  > > ii : creating NONE OUTBOUND policy ANY:1.2.176.8:* -> ANY:0.0.0.0:*
  > > K< : recv pfkey X_SPDADD UNSPEC message
  > > ii : created NONE policy route for 0.0.0.0/32
  > >
  > > If I recall correctly, these NONE policies get created when there is a
  > > route to the peer, usually a default gateway. However, your next hop
  > > shouldn't be at 1.2.176.8. It's not even close to 192.168.1.150. Do you have
  > > static entries in your route table for something?
  > >
  > > -Matthew
  > >
  >
  > No, these are addresses I made up myself not to disclose server addresses to
  > a public mailing list. However, if the key to the solution is them, I can
  > send them intact. As far as I saw, those addresses were OK, one was the
  > address assigned to me, other was the vpn server address.
  >
  > There was one thing in the logs:
  > ii : received config pull response
  > ii : - IP4 Address = 1.2.176.8
  > ii : - Address Expiry = 0
  > ii : - IP4 Netmask = 255.255.240.0
  > ii : - IP4 DNS Server = 1.2.1.13
  > ii : - IP4 DNS Server = 1.2.1.199
  > ii : - IP4 Subnet = ANY:0.0.0.0/0:* ( invalid subnet ignored )
  >
  > Could the last ignore be an issue? Maybe I can test the same in windows.
  >
  > Any other clues?
  >
  > --
  > Emre
  > On 01/03/2014 11:06 PM, vpn-help-request at lists.shrew.net wrote:

I was having the exact same problem on 64-bit Fedora18 with the 64-bit 
version 2.2.1 client. The same configuration is working on the Windows 7 
version 2.2.1 client.

Even though my Fedora18 Linux OS is 64-bit, I switched to the 32-bit 
version 2.2.1 client and it works.

Fred.
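As an added example that is not part of the thread or of the Shrew Soft project: a small Python script that parses the iked log lines quoted above and performs the two cross-checks the replies discuss, namely whether the address appearing in the NONE policies is the same one the gateway pushed as the client's IP4 Address, and whether a pushed IP4 Subnet was ignored as invalid. The regular expressions are assumptions fitted to the quoted lines only, not a documented log grammar; the sample log is constructed from those lines (already address-altered by the original poster) with the mail quoting removed.

```python
import re

# Constructed sample: the iked log lines quoted in the thread above (the poster had
# already replaced the real addresses by hand), with the mail quote prefixes stripped.
SAMPLE_LOG = """\
ii : creating NONE INBOUND policy ANY:0.0.0.0:* -> ANY:1.2.176.8:*
K> : send pfkey X_SPDADD UNSPEC message
ii : creating NONE OUTBOUND policy ANY:1.2.176.8:* -> ANY:0.0.0.0:*
K< : recv pfkey X_SPDADD UNSPEC message
ii : created NONE policy route for 0.0.0.0/32
ii : received config pull response
ii : - IP4 Address = 1.2.176.8
ii : - Address Expiry = 0
ii : - IP4 Netmask = 255.255.240.0
ii : - IP4 DNS Server = 1.2.1.13
ii : - IP4 DNS Server = 1.2.1.199
ii : - IP4 Subnet = ANY:0.0.0.0/0:* ( invalid subnet ignored )
"""

# Patterns are written against the lines quoted in the thread only; other iked
# messages are not covered (assumption, not a documented log grammar).
QUOTE_PREFIX_RE = re.compile(r"^[\s>]+")
POLICY_RE = re.compile(
    r"^ii : creating NONE (INBOUND|OUTBOUND) policy ANY:(\S+?):\* -> ANY:(\S+?):\*$"
)
CONFIG_RE = re.compile(r"^ii : - ([A-Za-z0-9 ]+?) = (.*)$")


def parse_log(text):
    """Pull the config-pull attributes, NONE policies and ignored subnets out of a log excerpt."""
    config = {}        # attribute name -> list of values (DNS servers repeat)
    policies = []      # (direction, src, dst) of each NONE policy
    ignored = []       # subnet values the daemon reported as ignored
    for raw in text.splitlines():
        line = QUOTE_PREFIX_RE.sub("", raw).rstrip()  # tolerate '> ' mail quoting
        m = POLICY_RE.match(line)
        if m:
            policies.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = CONFIG_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if "invalid subnet ignored" in value:
                ignored.append(value.split(" (")[0].strip())
                continue
            config.setdefault(key, []).append(value)
    return {"config": config, "none_policies": policies, "ignored_subnets": ignored}


def findings(parsed):
    """Cross-check the parsed pieces the way the thread did, returning one line per observation."""
    out = []
    assigned = set(parsed["config"].get("IP4 Address", []))
    for direction, src, dst in parsed["none_policies"]:
        # Matthew's reply: NONE policies are created for the route to the peer, so the
        # non-local endpoint should look like a next hop, not the client's own tunnel address.
        for endpoint in (src, dst):
            if endpoint in assigned:
                out.append(
                    f"NONE {direction} policy uses {endpoint}, which is the IP4 Address "
                    "pushed by the gateway in the config pull response"
                )
    for subnet in parsed["ignored_subnets"]:
        out.append(f"gateway pushed IP4 Subnet {subnet} and the client ignored it as invalid")
    if not parsed["none_policies"] and not parsed["ignored_subnets"]:
        out.append("no NONE policies or ignored subnets found in this excerpt")
    return out


if __name__ == "__main__":
    for line in findings(parse_log(SAMPLE_LOG)):
        print(line)
```

Run against the quoted excerpt it reports both NONE policies as using the gateway-assigned address and flags the ignored 0.0.0.0/0 subnet; it accepts the text either as pasted or still carrying the archive's `> >>` quote prefixes.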


