[vpn-help] Shrew - Racoon
Alexis La Goutte
alexis.lagoutte at gmail.com
Sun Jan 4 04:45:01 CST 2015
On Mon, Dec 29, 2014 at 4:02 PM, Vukovics Mihaly <vm at informatik.hu> wrote:
> Hi Again,
>
> I did some more debugging with wireshark:
>
> - When I ping from the client to an internal server the src address is
> the IP assigned by racoon (192.168.7.2) the dst address is the internal
> server address (10.1.1.1) => the reply comes back from src 10.1.1.1 and
> goes to 192.168.7.2.
> - When I try to ping the client from the internal server the src address
> is the EXTERNAL/INTERNET address of the VPN server, the dst is
> 192.168.7.2. Thus the echo reply tries to go to the EXTERNAL address not
> to the internal server IP.
>
> On the server side the policies are (46... client external IP, 81... VPN
> server external IP):
>
> root at therex:~# setkey -D
> 81.182.243.141[4500] 46.107.164.103[4500]
> esp-udp mode=tunnel spi=214892320(0x0cceff20) reqid=0(0x00000000)
> E: 3des-cbc 12dcc63a 782e5782 67ea1a47 5d248b19 e50503d5 44b1c4f9
> A: hmac-md5 e9bd2963 beabf3cc 0be13c10 a89ab638
> seq=0x00000000 replay=4 flags=0x00000000 state=mature
> created: Dec 29 14:53:35 2014 current: Dec 29 14:57:07 2014
> diff: 212(s) hard: 3600(s) soft: 2880(s)
> last: Dec 29 14:53:36 2014 hard: 0(s) soft: 0(s)
> current: 34059(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 423 hard: 0 soft: 0
> sadb_seq=1 pid=60610 refcnt=0
> 46.107.164.103[4500] 81.182.243.141[4500]
> esp-udp mode=tunnel spi=155541734(0x094560e6) reqid=0(0x00000000)
> E: 3des-cbc c6b731bf 68c993c3 47054ace 67a9e953 6439a475 08f9a356
> A: hmac-md5 110e04e0 600b5d5b edcf3de1 b5436c93
> seq=0x00000000 replay=4 flags=0x00000000 state=mature
> created: Dec 29 14:53:35 2014 current: Dec 29 14:57:07 2014
> diff: 212(s) hard: 3600(s) soft: 2880(s)
> last: hard: 0(s) soft: 0(s)
> current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 0 hard: 0 soft: 0
> sadb_seq=2 pid=60610 refcnt=0
>
> In Shrew policy the tunnel is defined between the client internal(NAT)
> address 192.168.0.212 and the VPN server EXTERNAL 81... address.
>
> Can this mismatch cause my problem?
>
Hi,
Yes, it is possible,
but I'm not sure if "Shrew" always has to have traffic from Gateway to Client...
Regards,
>
> Best Regards,
> Mihaly
>
>
>
> Koszi:
> Vuki
>
>
> On 2014.12.28. 18:26, Vukovics Mihaly wrote:
>
>> Hi Everyone,
>>
>> I am facing a strange problem, and have been debugging for days, but
>> without success...
>>
>> I have set up a Racoon IPSEC VPN server. There are two different
>> proposals, one for Android devices and one for Shrew client.
>> The Android devices can connect, everything works fine, but when I
>> connect from Windows clients (XP, Win7) using the latest Shrew client, I
>> can reach any IP addresses/services from the client, but can't reach
>> the client(s) from the server side. Even PING does not work.
>>
>> I have checked the traffic with Wireshark, the echo request reaches
>> the client, but it looks like the client does not respond to this. (no
>> response found!)
>>
>> There is no error on either (Racoon/Shrew) side in the debug logs.
>>
>> Fragments from racoon.conf
>>
>> "remote anonymous
>> {
>>     exchange_mode aggressive;
>>     verify_identifier on;
>>     my_identifier keyid tag "***";
>>     peers_identifier keyid tag "client";
>>     generate_policy unique;
>>     ike_frag on;
>>     nat_traversal on;
>>     dpd_delay 30;
>>     proposal_check obey;
>>     lifetime time 24 hours;
>>     proposal
>>     {
>>         encryption_algorithm aes 256;
>>         hash_algorithm sha1;
>>         authentication_method xauth_psk_server;
>>         dh_group 5;
>>     }
>> }
>>
>> remote anonymous
>> {
>>     exchange_mode aggressive;
>>     verify_identifier on;
>>     my_identifier keyid tag "***";
>>     peers_identifier keyid tag "android";
>>     generate_policy unique;
>>     ike_frag on;
>>     nat_traversal on;
>>     dpd_delay 30;
>>     proposal_check claim;
>>     lifetime time 24 hours;
>>     proposal
>>     {
>>         encryption_algorithm aes 128;
>>         hash_algorithm sha1;
>>         authentication_method xauth_psk_server;
>>         dh_group 2;
>>     }
>> }
>>
>> mode_cfg
>> {
>>     network4 192.168.7.2;
>>     pool_size 16;
>>     netmask4 255.255.255.0;
>>     split_network include 10.1.0.0/16;
>>     auth_source system;
>>     auth_groups "vpn-user";
>>     group_source system;
>>     conf_source local;
>>     wins4 10.1.1.1;
>>     dns4 10.1.1.254;
>>     default_domain "***";
>>     banner "/etc/racoon/motd";
>> }
>>
>> sainfo anonymous
>> {
>>     lifetime time 3600 seconds;
>>     encryption_algorithm aes;
>>     authentication_algorithm hmac_md5,hmac_sha1;
>>     compression_algorithm deflate;
>> }
>> "
>>
>> The Shrew profile (already tried all possibilities):
>>
>> "
>> n:version:4
>> n:network-ike-port:500
>> n:network-mtu-size:1380
>> n:client-addr-auto:1
>> n:network-natt-port:4500
>> n:network-natt-rate:15
>> n:network-frag-size:540
>> n:network-dpd-enable:1
>> n:client-banner-enable:1
>> n:network-notify-enable:1
>> n:client-dns-used:1
>> n:client-dns-auto:1
>> n:client-dns-suffix-auto:1
>> n:client-splitdns-used:1
>> n:client-splitdns-auto:1
>> n:client-wins-used:1
>> n:client-wins-auto:1
>> n:phase1-dhgroup:5
>> n:phase1-life-secs:86400
>> n:phase1-life-kbytes:0
>> n:vendor-chkpt-enable:0
>> n:phase2-life-secs:3600
>> n:phase2-life-kbytes:0
>> n:policy-nailed:0
>> n:policy-list-auto:1
>> s:network-host:***
>> s:client-auto-mode:pull
>> s:client-iface:virtual
>> s:network-natt-mode:enable
>> s:network-frag-mode:enable
>> s:auth-method:mutual-psk-xauth
>> s:ident-client-type:keyid
>> s:ident-server-type:keyid
>> s:ident-client-data:client
>> s:ident-server-data:therapia
>> b:auth-mutual-psk:***
>> s:phase1-exchange:aggressive
>> s:phase1-cipher:auto
>> s:phase1-hash:auto
>> s:phase2-transform:auto
>> s:phase2-hmac:auto
>> s:ipcomp-transform:disabled
>> n:phase2-pfsgroup:-1
>> s:policy-level:auto
>> "
>>
>> This is the only suspicious msg in IPSEC log in Shrew:
>>
>> "14/12/28 18:12:25 !! : unable to connect to pfkey interface"
>>
>> Has anybody any idea which direction to go?
>>
>> Best Regards,
>> Mihaly
>>
>>
>
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> https://lists.shrew.net/mailman/listinfo/vpn-help
>