[vpn-help] VPN Client on ARM/Debian

Sebastian Schork schork76 at web.de
Wed Sep 17 11:55:28 CDT 2014


Hello there,

first of all: Thank you for providing and maintaining this useful
software. It satisfied all my IPSec needs in the past, but now I've run
into a problem:

I'm currently trying to set up an IPSec connection on an
ARMv5/Debian-based system. I tested it on a 64-bit openSUSE 13.1, as
well as on a Windows workstation before, using the same configuration
(below), and it worked just fine.

But on the ARM system it does not; the log says:

---

14/09/17 18:15:58 ## : IKE Daemon, ver 2.2.2
14/09/17 18:15:58 ## : Copyright 2013 Shrew Soft Inc.
14/09/17 18:15:58 ## : This product linked OpenSSL 1.0.1e 11 Feb 2013
14/09/17 18:15:58 ii : opened '/var/log/iked.log'
14/09/17 18:15:58 ii : ipc server process thread begin ...
14/09/17 18:15:58 ii : pfkey process thread begin ...
14/09/17 18:15:58 ii : network process thread begin ...
14/09/17 18:16:01 K< : recv pfkey REGISTER AH message
14/09/17 18:16:01 K< : recv pfkey REGISTER ESP message
14/09/17 18:16:01 K< : recv pfkey REGISTER IPCOMP message
14/09/17 18:16:01 K< : recv pfkey X_SPDDUMP UNSPEC message
14/09/17 18:16:01 ii : - id   = 153
14/09/17 18:16:01 ii : - type = IPSEC
14/09/17 18:16:01 ii : - dir  = OUTBOUND
14/09/17 18:16:01 ii : - src  = 172.16.135.157:0/32
14/09/17 18:16:01 ii : - dst  = 192.168.214.32:0/27
14/09/17 18:16:01 ii : - transform #0
14/09/17 18:16:01 ii : -- proto = 50
14/09/17 18:16:01 ii : -- level = UNIQUE
14/09/17 18:16:01 ii : -- mode  = TUNNEL
14/09/17 18:16:01 ii : -- reqid = 4
14/09/17 18:16:01 ii : -- tsrc  = 135.157.0.0
14/09/17 18:16:01 ii : -- tdst  = 177.236.0.0
14/09/17 18:16:01 DB : policy ref increment ( ref count = 1, obj count = 0 )
14/09/17 18:16:01 DB : policy added ( obj count = 1 )
14/09/17 18:16:01 DB : policy ref decrement ( ref count = 0, obj count = 1 )
14/09/17 18:16:01 K< : recv pfkey X_SPDDUMP UNSPEC message
14/09/17 18:16:01 ii : - id   = 144
14/09/17 18:16:01 ii : - type = IPSEC
14/09/17 18:16:01 ii : - dir  = INBOUND
14/09/17 18:16:01 ii : - src  = 192.168.214.32:0/27
14/09/17 18:16:01 ii : - dst  = 172.16.135.157:0/32
14/09/17 18:16:01 ii : - transform #0
14/09/17 18:16:01 ii : -- proto = 50
14/09/17 18:16:01 ii : -- level = UNIQUE
14/09/17 18:16:01 ii : -- mode  = TUNNEL
14/09/17 18:16:01 ii : -- reqid = 3
14/09/17 18:16:01 ii : -- tsrc  = 177.236.0.0
14/09/17 18:16:01 ii : -- tdst  = 135.157.0.0
14/09/17 18:16:01 DB : policy ref increment ( ref count = 1, obj count = 1 )
14/09/17 18:16:01 DB : policy added ( obj count = 2 )
14/09/17 18:16:01 DB : policy ref decrement ( ref count = 0, obj count = 2 )
14/09/17 18:16:01 K< : recv pfkey X_SPDDUMP UNSPEC message
14/09/17 18:16:01 ii : - id   = 137
14/09/17 18:16:01 ii : - type = IPSEC
14/09/17 18:16:01 ii : - dir  = OUTBOUND
14/09/17 18:16:01 ii : - src  = 172.16.135.157:0/32
14/09/17 18:16:01 ii : - dst  = 192.168.210.0:0/24
14/09/17 18:16:01 ii : - transform #0
14/09/17 18:16:01 ii : -- proto = 50
14/09/17 18:16:01 ii : -- level = UNIQUE
14/09/17 18:16:01 ii : -- mode  = TUNNEL
14/09/17 18:16:01 ii : -- reqid = 2
14/09/17 18:16:01 ii : -- tsrc  = 135.157.0.0
14/09/17 18:16:01 ii : -- tdst  = 177.236.0.0
14/09/17 18:16:01 DB : policy ref increment ( ref count = 1, obj count = 2 )
14/09/17 18:16:01 DB : policy added ( obj count = 3 )
14/09/17 18:16:01 DB : policy ref decrement ( ref count = 0, obj count = 3 )
14/09/17 18:16:01 K< : recv pfkey X_SPDDUMP UNSPEC message
14/09/17 18:16:01 ii : - id   = 128
14/09/17 18:16:01 ii : - type = IPSEC
14/09/17 18:16:01 ii : - dir  = INBOUND
14/09/17 18:16:01 ii : - src  = 192.168.210.0:0/24
14/09/17 18:16:01 ii : - dst  = 172.16.135.157:0/32
14/09/17 18:16:01 ii : - transform #0
14/09/17 18:16:01 ii : -- proto = 50
14/09/17 18:16:01 ii : -- level = UNIQUE
14/09/17 18:16:01 ii : -- mode  = TUNNEL
14/09/17 18:16:01 ii : -- reqid = 1
14/09/17 18:16:01 ii : -- tsrc  = 177.236.0.0
14/09/17 18:16:01 ii : -- tdst  = 135.157.0.0
14/09/17 18:16:01 DB : policy ref increment ( ref count = 1, obj count = 3 )
14/09/17 18:16:01 DB : policy added ( obj count = 4 )
14/09/17 18:16:01 DB : policy ref decrement ( ref count = 0, obj count = 4 )

---

The logfile on the desktop machine looked completely different; when
comparing the addresses in the tsrc and tdst fields of other messages,
like X_SPDADD, they seemed scrambled.

I already tried
https://lists.shrew.net/pipermail/vpn-help/2008-November/000950.html,
but that doesn't seem to be the cause.

To make things more difficult, I can't run iked in gdb on the ARM
system, as it terminates with SIGILL right at the beginning. Again, this
works on the workstation.

My configuration file is:

---

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-dns-used:0
n:client-dns-auto:0
n:client-dns-suffix-auto:0
n:client-splitdns-used:1
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:phase1-keylen:256
n:phase2-keylen:256
s:network-host:xxx.xxx.xxx.xxx
s:client-auto-mode:disabled
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk
s:ident-client-type:keyid
s:ident-server-type:address
s:ident-client-data:xxxxxx.xxxxx.xxx
b:auth-mutual-psk:xxxxxxxxxxxxxx
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-level:unique
s:policy-list-include:192.168.210.0 / 255.255.255.0,192.168.214.32 / 255.255.255.224

---

I tried the binaries from the Debian package (wheezy), as well as the
versions 2.2.0 and 2.2.2 from the repository. For compilation I used the
options -DDEBUG=YES -DQTGUI=NO -DNATT=YES -DLDAP=NO. Kernel version is
3.13.6.

Best regards,

  S.Schork
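
In the log above, the client-side tunnel endpoint of every dumped policy (135.157.0.0) is the last two octets of the policy host address 172.16.135.157 followed by two zero bytes, which is what an IPv4 address read two bytes past its start looks like. The sketch below is an added example, not part of the original post or of the Shrew Soft code: it parses X_SPDDUMP entries from an iked log and flags that pattern. The function names are hypothetical, and the second log entry is constructed to show a clean case.

```python
import ipaddress
import re

# Sample input: the first entry uses fields from the log in the post,
# the second entry is constructed for contrast (documentation addresses).
SAMPLE_LOG = """\
14/09/17 18:16:01 K< : recv pfkey X_SPDDUMP UNSPEC message
14/09/17 18:16:01 ii : - id   = 153
14/09/17 18:16:01 ii : - dir  = OUTBOUND
14/09/17 18:16:01 ii : - src  = 172.16.135.157:0/32
14/09/17 18:16:01 ii : - dst  = 192.168.214.32:0/27
14/09/17 18:16:01 ii : -- tsrc  = 135.157.0.0
14/09/17 18:16:01 ii : -- tdst  = 177.236.0.0
14/09/17 18:16:01 K< : recv pfkey X_SPDDUMP UNSPEC message
14/09/17 18:16:01 ii : - id   = 7
14/09/17 18:16:01 ii : - dir  = OUTBOUND
14/09/17 18:16:01 ii : - src  = 10.0.0.5:0/32
14/09/17 18:16:01 ii : - dst  = 10.1.0.0:0/24
14/09/17 18:16:01 ii : -- tsrc  = 10.0.0.5
14/09/17 18:16:01 ii : -- tdst  = 198.51.100.7
"""

# Matches "ii : - key = value" and "ii : -- key = value" lines only.
FIELD = re.compile(r" ii : -+ (\w+)\s*= (\S+)")

def parse_policies(log):
    """Split the log into one dict per X_SPDDUMP policy entry."""
    policies, cur = [], None
    for line in log.splitlines():
        if "recv pfkey X_SPDDUMP" in line:
            cur = {}
            policies.append(cur)
        elif cur is not None and (m := FIELD.search(line)):
            cur[m.group(1)] = m.group(2)
    return policies

def shifted_endpoint(policy):
    """Return the tunnel field that equals the policy host address read two
    bytes too late (last two octets, then zeros), or None if it does not."""
    local = "src" if policy["dir"] == "OUTBOUND" else "dst"
    tfield = "tsrc" if policy["dir"] == "OUTBOUND" else "tdst"
    host = ipaddress.ip_address(policy[local].split(":")[0]).packed
    tun = ipaddress.ip_address(policy[tfield]).packed
    return tfield if tun != host and tun == host[2:] + b"\x00\x00" else None

def scan(log):
    return {p["id"]: shifted_endpoint(p) for p in parse_policies(log)}
```

Running `scan()` over the full log from the post flags all four policies; a log from a working host, where the tunnel endpoint is a complete address, yields `None` for each entry.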




