[vpn-help] Shrew - Racoon

Alexis La Goutte alexis.lagoutte at gmail.com
Sun Jan 4 04:45:01 CST 2015


On Mon, Dec 29, 2014 at 4:02 PM, Vukovics Mihaly <vm at informatik.hu> wrote:

> Hi Again,
>
> I did some more debugging with wireshark:
>
> - When I ping from the client to an internal server the src address is
> the IP assigned by racoon (192.168.7.2) the dst address is the internal
> server address (10.1.1.1) => the reply comes back from src 10.1.1.1 and
> goes to 192.168.7.2.
> - When I try to ping the client from the internal server the src address
> is the EXTERNAL/INTERNET address of the VPN server, the dst is
> 192.168.7.2. Thus the echo reply tries to go to the EXTERNAL address not
> to the internal server IP.
>
> On the server side the policies are (46... is the client external IP, 81... is
> the VPN server external IP):
>
> root at therex:~# setkey -D
> 81.182.243.141[4500] 46.107.164.103[4500]
>         esp-udp mode=tunnel spi=214892320(0x0cceff20) reqid=0(0x00000000)
>         E: 3des-cbc  12dcc63a 782e5782 67ea1a47 5d248b19 e50503d5 44b1c4f9
>         A: hmac-md5  e9bd2963 beabf3cc 0be13c10 a89ab638
>         seq=0x00000000 replay=4 flags=0x00000000 state=mature
>         created: Dec 29 14:53:35 2014   current: Dec 29 14:57:07 2014
>         diff: 212(s)    hard: 3600(s)   soft: 2880(s)
>         last: Dec 29 14:53:36 2014      hard: 0(s)      soft: 0(s)
>         current: 34059(bytes)   hard: 0(bytes)  soft: 0(bytes)
>         allocated: 423  hard: 0 soft: 0
>         sadb_seq=1 pid=60610 refcnt=0
> 46.107.164.103[4500] 81.182.243.141[4500]
>         esp-udp mode=tunnel spi=155541734(0x094560e6) reqid=0(0x00000000)
>         E: 3des-cbc  c6b731bf 68c993c3 47054ace 67a9e953 6439a475 08f9a356
>         A: hmac-md5  110e04e0 600b5d5b edcf3de1 b5436c93
>         seq=0x00000000 replay=4 flags=0x00000000 state=mature
>         created: Dec 29 14:53:35 2014   current: Dec 29 14:57:07 2014
>         diff: 212(s)    hard: 3600(s)   soft: 2880(s)
>         last:                           hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         sadb_seq=2 pid=60610 refcnt=0
>
> In Shrew policy the tunnel is defined between the client internal(NAT)
> address 192.168.0.212 and the VPN server EXTERNAL 81... address.
>
> Can this mismatch cause my problem?
>
Hi,

Yes, it is possible,
but I am not sure whether "Shrew" always allows traffic from the Gateway to the Client...

Regards,

>
> Best Regards,
> Mihaly
>
>
>
> Koszi:
> Vuki
>
>
> On 2014.12.28. 18:26, Vukovics Mihaly wrote:
>
>> Hi Everyone,
>>
>> I am facing a strange problem, and have been debugging for days, but
>> without success...
>>
>> I have set up a Racoon IPSEC VPN server. There are two different
>> proposals, one for Android devices and one for Shrew client.
>> The Android devices can connect and everything works fine, but when I
>> connect from Windows clients (XP, Win7) using the latest Shrew client, I
>> can reach any IP addresses/services from the client, but can't reach
>> the client(s) from the server side. Even PING does not work.
>>
>> I have checked the traffic with Wireshark: the echo request reaches
>> the client, but it looks like the client does not respond to it (no
>> response found!).
>>
>> There is no error on either side (Racoon/Shrew) in the debug logs.
>>
>> Fragments from racoon.conf
>>
>> "remote anonymous
>> {
>>
>>     exchange_mode aggressive;
>>     verify_identifier on;
>>     my_identifier keyid tag "***";
>>     peers_identifier keyid tag "client";
>>     generate_policy unique;
>>     ike_frag on;
>>     nat_traversal on;
>>     dpd_delay 30;
>>     proposal_check obey;
>>     lifetime time 24 hours;
>>     proposal
>>     {
>>         encryption_algorithm aes 256;
>>         hash_algorithm sha1;
>>         authentication_method xauth_psk_server;
>>         dh_group 5;
>>     }
>> }
>>
>> remote anonymous
>> {
>>     exchange_mode aggressive;
>>     verify_identifier on;
>>     my_identifier keyid tag "***";
>>     peers_identifier keyid tag "android";
>>     generate_policy unique;
>>     ike_frag on;
>>     nat_traversal on;
>>     dpd_delay 30;
>>     proposal_check claim;
>>     lifetime time 24 hours;
>>     proposal
>>     {
>>         encryption_algorithm aes 128;
>>         hash_algorithm sha1;
>>         authentication_method xauth_psk_server;
>>         dh_group 2;
>>     }
>> }
>>
>> mode_cfg
>> {
>>     network4 192.168.7.2;
>>     pool_size 16;
>>     netmask4 255.255.255.0;
>>     split_network include 10.1.0.0/16;
>>     auth_source system;
>>     auth_groups "vpn-user";
>>     group_source system;
>>     conf_source local;
>>     wins4 10.1.1.1;
>>     dns4 10.1.1.254;
>>     default_domain "***";
>>     banner "/etc/racoon/motd";
>> }
>>
>> sainfo anonymous
>> {
>>         lifetime time 3600 seconds;
>>         encryption_algorithm aes;
>>         authentication_algorithm hmac_md5,hmac_sha1;
>>         compression_algorithm deflate;
>> }
>> "
>>
>> The Shrew profile (I already tried all possibilities):
>>
>> "
>> n:version:4
>> n:network-ike-port:500
>> n:network-mtu-size:1380
>> n:client-addr-auto:1
>> n:network-natt-port:4500
>> n:network-natt-rate:15
>> n:network-frag-size:540
>> n:network-dpd-enable:1
>> n:client-banner-enable:1
>> n:network-notify-enable:1
>> n:client-dns-used:1
>> n:client-dns-auto:1
>> n:client-dns-suffix-auto:1
>> n:client-splitdns-used:1
>> n:client-splitdns-auto:1
>> n:client-wins-used:1
>> n:client-wins-auto:1
>> n:phase1-dhgroup:5
>> n:phase1-life-secs:86400
>> n:phase1-life-kbytes:0
>> n:vendor-chkpt-enable:0
>> n:phase2-life-secs:3600
>> n:phase2-life-kbytes:0
>> n:policy-nailed:0
>> n:policy-list-auto:1
>> s:network-host:***
>> s:client-auto-mode:pull
>> s:client-iface:virtual
>> s:network-natt-mode:enable
>> s:network-frag-mode:enable
>> s:auth-method:mutual-psk-xauth
>> s:ident-client-type:keyid
>> s:ident-server-type:keyid
>> s:ident-client-data:client
>> s:ident-server-data:therapia
>> b:auth-mutual-psk:***
>> s:phase1-exchange:aggressive
>> s:phase1-cipher:auto
>> s:phase1-hash:auto
>> s:phase2-transform:auto
>> s:phase2-hmac:auto
>> s:ipcomp-transform:disabled
>> n:phase2-pfsgroup:-1
>> s:policy-level:auto
>> "
>>
>> This is the only suspicious msg in IPSEC log in Shrew:
>>
>> "14/12/28 18:12:25 !! : unable to connect to pfkey interface"
>>
>> Does anybody have any idea which direction to go?
>>
>> Best Regards,
>> Mihaly
>>
>>
>
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> https://lists.shrew.net/mailman/listinfo/vpn-help
>
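A small checker for the kind of asymmetry discussed in this thread, added here as an example rather than anything from the list or from the Shrew or racoon projects: it parses `setkey -D` output in the layout quoted above, confirms that a mature ESP SA exists in each direction between the gateway and the client, and reports which direction has not carried any bytes, which is the first thing to compare when only one direction of a tunnel is dead. The embedded sample is constructed from the thread's SA entries with the key-material and timestamp lines left out, and the gateway address is passed in as a parameter.

```python
import re

# Constructed sample in the layout of the `setkey -D` output quoted above
# (key, timestamp and counter lines the parser does not use are omitted).
SETKEY_OUTPUT = """\
81.182.243.141[4500] 46.107.164.103[4500]
        esp-udp mode=tunnel spi=214892320(0x0cceff20) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        current: 34059(bytes)   hard: 0(bytes)  soft: 0(bytes)
46.107.164.103[4500] 81.182.243.141[4500]
        esp-udp mode=tunnel spi=155541734(0x094560e6) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
"""

HEADER = re.compile(r"^(\S+)\[(\d+)\]\s+(\S+)\[(\d+)\]$")   # "src[port] dst[port]"
PROTO = re.compile(r"^\s+(\S+) mode=(\S+) spi=\d+\((0x[0-9a-f]+)\)")
STATE = re.compile(r"state=(\w+)")
BYTES = re.compile(r"^\s+current: (\d+)\(bytes\)")         # traffic counter line

def parse_sad(text):
    """Return one dict per SA entry: src, dst, port, proto, mode, spi, state, bytes."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"src": m[1], "dst": m[3], "port": int(m[2]), "bytes": 0}
            sas.append(cur)
        elif cur is None:
            continue                      # text before the first SA header
        elif m := PROTO.match(line):
            cur.update(proto=m[1], mode=m[2], spi=m[3])
        elif m := STATE.search(line):
            cur["state"] = m[1]
        elif m := BYTES.match(line):
            cur["bytes"] = int(m[1])
    return sas

def check_pair(sas, gateway):
    """Flag a missing direction, a non-mature SA, and a direction that carried no bytes."""
    findings = []
    if not any(s["src"] == gateway for s in sas) or not any(s["dst"] == gateway for s in sas):
        findings.append("missing SA direction")
    for s in sas:
        way = "gateway->client" if s["src"] == gateway else "client->gateway"
        if s.get("state") != "mature":
            findings.append(f"{way} SA {s['spi']} not mature")
        if s["bytes"] == 0:
            findings.append(f"{way} SA {s['spi']} carried 0 bytes")
    return findings
```

Run `check_pair(parse_sad(SETKEY_OUTPUT), "81.182.243.141")` against live `setkey -D` output on the gateway to see at a glance which SA direction the kernel has never used; the SPD selectors (`setkey -DP`) are the next thing to compare against the client's policy addresses.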