<div>All,</div><div><br></div><div>I found Mathew's original post: <a href="http://lists.shrew.net/mailman/htdig/vpn-help/2008-November/001827.html">http://lists.shrew.net/mailman/htdig/vpn-help/2008-November/001827.html</a> on the subject.</div>
<div><br></div><div>I edited my /etc/sysctl.d/10-network-security.conf as directed; my sysctl rp_filter options are indeed all set to 0 (see below), <b>but things didn't work out</b>.</div>
<div><br></div><pre>desktop:~$ sudo sysctl -a | grep rp_filter | grep -v arp
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.vmnet1.rp_filter = 0
net.ipv4.conf.vmnet8.rp_filter = 0
net.ipv4.conf.tap0.rp_filter = 0</pre><div><br></div><div><div>I still face the dropping of packets by the kernel even though I've set all rp_filter options to 0; I quote Mathew from the original <a href="http://lists.shrew.net/mailman/htdig/vpn-help/2008-November/001827.html">thread</a>: "the client can establish a connection and negotiate IPSec SAs, but return traffic never makes it to the userland applications...ping displays the following stalled output...even though you can see response packets using tcpdump"</div>
<div><br></div><div>Has anyone else run into this problem on Ubuntu 10.04?</div><div><br></div><div>I really need this to be resolved.</div><div><br></div><div>Thanks,</div><div><br></div><div>Gaurav</div></div><a href="http://pgp.mit.edu">pgp.mit.edu</a> - PubkeyID:0x1bf31eef13ee431e<br>
<br>
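<div>The check a practitioner would want at this point, as an added example that is not code from this thread or from the Shrew Soft client: the kernel validates a packet's source on interface X against max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.X.rp_filter), so a per-interface 0 is meaningless while <code>all</code> is still 1, and an interface such as tap0 that appears only at connect time inherits <code>default</code>. The script below parses <code>sysctl -a</code> style output, reports the effective value per interface, and emits a sysctl.d fragment that relaxes the filter to loose mode (2, kernels 2.6.31 and later) or off (0) and turns on log_martians so that any remaining rp_filter drops show up in the kernel log. The file name rpcheck.sh, the function names and the two sample dumps are assumptions constructed for the example.</div>

```shell
#!/bin/sh
# Added example for this thread, not part of the Shrew Soft client or the
# original posts: audit the kernel's reverse-path filter from `sysctl -a`
# output and emit a sysctl.d fragment that relaxes it.
#
# Background (Documentation/networking/ip-sysctl.txt): when validating the
# source of a packet received on <iface>, Linux uses
#   max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<iface>.rp_filter)
# Strict mode (1) drops the packet unless the route back to its source leaves
# via <iface>.  A decrypted VPN reply is seen on the physical interface while
# its source network is routed via tap0, so strict mode drops it.  Modes:
#   0 = off, 1 = strict, 2 = loose (source reachable via any interface;
#   kernels >= 2.6.31, so available on Ubuntu 10.04's 2.6.32).

# rp_effective TEXT: print "<iface> <effective rp_filter>" per interface,
# sorted, from TEXT in "net.ipv4.conf.<iface>.rp_filter = N" form.
rp_effective() {
    printf '%s\n' "$1" | awk -F'[ .=]+' '
        $1 == "net" && $2 == "ipv4" && $3 == "conf" && $5 == "rp_filter" {
            val[$4] = $6 + 0
        }
        END {
            all = ("all" in val) ? val["all"] : 0
            for (i in val) {
                if (i == "all" || i == "default") continue
                eff = (val[i] > all) ? val[i] : all
                printf "%s %d\n", i, eff
            }
        }' | sort
}

# rp_blocking TEXT: names of interfaces whose effective rp_filter is not 0,
# i.e. where source validation can still drop asymmetric VPN replies.
rp_blocking() {
    rp_effective "$1" | awk '$2 != 0 { print $1 }'
}

# rp_fix_conf MODE: write a sysctl.d fragment setting rp_filter to MODE
# (default 2, loose) for 'all', for 'default' (inherited by interfaces that
# appear later, such as the client's tap0) and for each interface name read
# from stdin.  log_martians is switched on so that rp_filter drops become
# visible in the kernel log as "martian source" messages.
rp_fix_conf() {
    mode="${1:-2}"
    printf 'net.ipv4.conf.all.rp_filter = %s\n' "$mode"
    printf 'net.ipv4.conf.default.rp_filter = %s\n' "$mode"
    while IFS= read -r iface; do
        if [ -n "$iface" ]; then
            printf 'net.ipv4.conf.%s.rp_filter = %s\n' "$iface" "$mode"
        fi
    done
    printf 'net.ipv4.conf.all.log_martians = 1\n'
}

# Constructed sample: the Ubuntu 10.04 defaults shipped in
# /etc/sysctl.d/10-network-security.conf (all/default = 1) with the
# per-interface values already at 0.  Both interfaces are still filtered
# because 'all' wins.
SAMPLE_STRICT='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.tap0.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0'

# Constructed sample matching the values reported in the post (everything 0).
SAMPLE_OFF='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.tap0.rp_filter = 0'

# Live audit when run as `sudo sh rpcheck.sh --live`; with no argument the
# file only defines the functions so it can be sourced or tested.
if [ "${1:-}" = "--live" ]; then
    live="$(sysctl -a 2>/dev/null)"
    echo "interfaces still subject to rp_filter:"
    rp_blocking "$live"
    echo "suggested /etc/sysctl.d fragment:"
    rp_blocking "$live" | rp_fix_conf 2
fi
```

<div>Write the fragment into /etc/sysctl.d/10-network-security.conf (or a file that sorts after it) and load it immediately with <code>sudo sysctl -p /etc/sysctl.d/10-network-security.conf</code>; the sysctl.d directory is otherwise only applied at boot. Loose mode keeps the anti-spoofing check for sources that are not routable at all, which is why it is preferable to 0 where the kernel supports it. With log_martians on, each packet rp_filter discards is logged by the kernel as a "martian source" line in <code>dmesg</code>; if tcpdump shows the replies arriving but no such lines appear, rp_filter is not what is dropping them and the cause lies elsewhere.</div>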
<br><br><div class="gmail_quote">On Thu, Apr 29, 2010 at 2:37 PM, oliver <span dir="ltr"><<a href="mailto:Oliver@triplere.com">Oliver@triplere.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div text="#000000" bgcolor="#ffffff">
Hi Gaurav,<br>
<br>
I had the same problem, also on 10.04. I unfortunately didn't save the
details, but there is a thread (by Mathew, I think) that describes this
issue. It seems that even though the connection is established, the
packets don't get through, and that can be changed by editing
/etc/sysctl.d/10-network-security.conf
...that's as much as I can recall; the keyword, AFAIR, is "rp_filter"<br>
<br>
<br>
It's not much help, I am afraid, but it should give you an idea of what to
look for <br>
<br>
Rgds<br>
Oliver<div><div></div><div class="h5"><br>
<br>
<br>
On 29/04/2010 10:44, Gaurav wrote:
</div></div><blockquote type="cite"><div><div></div><div class="h5">
<span style="font-family:arial,sans-serif;font-size:13px;border-collapse:collapse">
<div>Hi All,</div>
<div><br>
</div>
<div>I've raised this issue earlier. I couldn't resolve it, so I'd
like to raise it once again with all the debugging info in one place.</div>
<div><br>
</div>
<div>Hope it helps; I so don't want to run a Windows VM just for
VPN access.</div>
<div><br>
</div>
<div><b><u>Original post:</u></b></div>
<div><b><u><br>
</u></b></div>
<div>I've been using the Shrew Soft client
for years on Windows without any problems.</div>
<div><br>
</div>
<div>I recently switched to Ubuntu 10.04 once and for all, but ran
into issues with an imported .pcf that worked flawlessly on Windows 7.</div>
<div><br>
</div>
<div>Imported the same .pcf into Shrew Soft ver
2.1.5 on Ubuntu 10.04, managed to connect as well, but just
couldn't ping/ssh my remote machines over VPN.</div>
<div><br>
</div>
<div>I've tried the possible workarounds/tweaks/fixes, the little that I
could dig up around this, but things didn't work out.</div>
<div><br>
</div>
<div>Any suggestions?</div>
<div><br>
</div>
<div>Prints/logs follow.</div>
<div><br>
</div>
<div><b><u>Connection prints:</u></b></div>
<div>
<div>config loaded for site 'xxxxxxxxxx.pcf'</div>
<div>attached to key daemon ...</div>
<div>peer configured</div>
<div>iskamp proposal configured</div>
<div>esp proposal configured</div>
<div>client configured</div>
<div>local id configured</div>
<div>remote id configured</div>
<div>pre-shared key configured</div>
<div>bringing up tunnel ...</div>
<div>user authentication error</div>
<div>tunnel disabled</div>
<div>detached from key daemon ...</div>
<div>attached to key daemon ...</div>
<div>peer configured</div>
<div>iskamp proposal configured</div>
<div>esp proposal configured</div>
<div>client configured</div>
<div>local id configured</div>
<div>remote id configured</div>
<div>pre-shared key configured</div>
<div>bringing up tunnel ...</div>
<div>user authentication error</div>
<div>tunnel disabled</div>
<div>detached from key daemon ...</div>
<div>attached to key daemon ...</div>
<div>peer configured</div>
<div>iskamp proposal configured</div>
<div>esp proposal configured</div>
<div>client configured</div>
<div>local id configured</div>
<div>remote id configured</div>
<div>pre-shared key configured</div>
<div>bringing up tunnel ...</div>
<div>network device configured</div>
<div>tunnel enabled</div>
</div>
<div><br>
</div>
<div><b><u>Logs:</u></b></div>
<pre>desktop:~$ cat /var/log/iked.log
10/04/28 00:36:01 ## : IKE Daemon, ver 2.1.5
10/04/28 00:36:01 ## : Copyright 2009 Shrew Soft Inc.
10/04/28 00:36:01 ## : This product linked OpenSSL 0.9.8k 25 Mar 2009
10/04/28 00:36:01 K! : recv X_SPDDUMP message failure ( errno = 2 )
10/04/28 00:41:19 !! : invalid private netmask, defaulting to class c
10/04/28 00:41:19 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 00:41:26 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 00:42:18 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 00:46:48 !! : invalid private netmask, defaulting to class c
10/04/28 00:46:48 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 00:46:57 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 00:51:32 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 00:53:19 !! : invalid private netmask, defaulting to class c
10/04/28 00:53:19 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 00:53:19 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 00:53:26 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 00:54:31 !! : invalid private netmask, defaulting to class c
10/04/28 00:54:37 !! : invalid private netmask, defaulting to class c
10/04/28 00:55:01 K! : unhandled pfkey message type EXPIRE ( 8 )
10/04/28 00:55:07 K! : unhandled pfkey message type EXPIRE ( 8 )
10/04/28 00:55:07 K! : unhandled pfkey message type EXPIRE ( 8 )
10/04/28 00:55:22 !! : invalid private netmask, defaulting to class c
10/04/28 00:55:22 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 00:55:22 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 00:55:28 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 00:56:42 !! : invalid private netmask, defaulting to class c
10/04/28 00:56:52 !! : invalid private netmask, defaulting to class c
10/04/28 00:57:12 K! : unhandled pfkey message type EXPIRE ( 8 )
10/04/28 00:57:22 K! : unhandled pfkey message type EXPIRE ( 8 )
10/04/28 00:58:12 !! : invalid private netmask, defaulting to class c
10/04/28 00:58:12 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 00:58:12 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:00:33 !! : invalid private netmask, defaulting to class c
10/04/28 01:00:33 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:00:34 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:00:38 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:02:46 !! : invalid private netmask, defaulting to class c
10/04/28 01:02:46 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:02:46 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:02:56 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:05:04 K! : unhandled pfkey message type EXPIRE ( 8 )
10/04/28 01:05:04 K! : unhandled pfkey message type EXPIRE ( 8 )
10/04/28 01:05:16 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:05:17 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:05:43 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:05:48 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:17:59 !! : invalid private netmask, defaulting to class c
10/04/28 01:17:59 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:18:11 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:22:33 !! : invalid private netmask, defaulting to class c
10/04/28 01:22:33 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:22:46 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
10/04/28 01:22:52 !! : peer violates RFC, transform number mismatch ( 1 != 17 )</pre>
</span>
<div><br>
</div>
<div><span style="font-family:arial,sans-serif;font-size:13px;border-collapse:collapse"><b><u>/sbin/ifconfig
output:</u></b></span></div>
<span style="font-family:arial,sans-serif;font-size:13px;border-collapse:collapse">
<div>
<pre>desktop:~$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1f:d0:d2:d2:a4
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21f:d0ff:fed2:d2a4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7026 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6401 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6469445 (6.4 MB)  TX bytes:1176183 (1.1 MB)
          Interrupt:27

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1100 (1.1 KB)  TX bytes:1100 (1.1 KB)

tap0      Link encap:Ethernet  HWaddr f2:47:0e:c8:b6:99
          inet addr:192.168.20.141  Bcast:192.168.20.255  Mask:255.255.255.0
          inet6 addr: fe80::f047:eff:fec8:b699/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1380  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vmnet1    Link encap:Ethernet  HWaddr 00:50:56:c0:00:01
          inet addr:192.168.184.1  Bcast:192.168.184.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vmnet8    Link encap:Ethernet  HWaddr 00:50:56:c0:00:08
          inet addr:192.168.111.1  Bcast:192.168.111.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fec0:8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)</pre>
</div>
<div><br>
</div>
<div><b><u>/sbin/route output:</u></b></div>
<div>
<pre>desktop:~$ /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.17.48.31    192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
10.8.50.232     192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
172.17.48.3     192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
172.17.48.32    192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
172.17.48.22    192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
10.10.7.0       192.168.20.141  255.255.255.0   UG    0      0        0 tap0
10.10.20.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
192.168.20.0    *               255.255.255.0   U     0      0        0 tap0
10.10.2.0       192.168.20.141  255.255.255.0   UG    0      0        0 tap0
10.10.19.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
10.155.114.0    192.168.20.141  255.255.255.0   UG    0      0        0 tap0
172.17.20.0     192.168.20.141  255.255.255.0   UG    0      0        0 tap0
10.10.12.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
192.168.184.0   *               255.255.255.0   U     0      0        0 vmnet1
192.168.111.0   *               255.255.255.0   U     0      0        0 vmnet8
10.10.10.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
10.10.9.0       192.168.20.141  255.255.255.0   UG    0      0        0 tap0
10.10.75.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
10.10.96.0      192.168.20.141  255.255.252.0   UG    0      0        0 tap0
172.17.144.0    192.168.20.141  255.255.240.0   UG    0      0        0 tap0
172.17.128.0    192.168.20.141  255.255.240.0   UG    0      0        0 tap0
172.17.0.0      192.168.20.141  255.255.240.0   UG    0      0        0 tap0
172.17.32.0     192.168.20.141  255.255.240.0   UG    0      0        0 tap0
172.25.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
172.31.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
172.18.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
172.16.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
link-local      *               255.255.0.0     U     1000   0        0 eth0
192.168.0.0     192.168.20.141  255.255.0.0     UG    0      0        0 tap0
10.201.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
10.202.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
10.203.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0</pre>
</div>
<div><br>
</div>
<div><b><u>client configuration file :</u></b></div>
<div>
<pre>desktop:~$ cat file.pcf
[main]
Description=
Host=xxx-xxxxxxx.xxxxxxxxxx.com
AuthType=1
GroupName=xxxxx-xxxxxxx
GroupPwd=
enc_GroupPwd=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
EnableISPConnect=0
ISPConnectType=0
ISPConnect=test
ISPPhonebook=C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk
ISPCommand=
Username=xxxxxx.xxxxxx
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=0</pre>
</div>
<div><br>
</div>
<div><br>
</div>
</span>Gaurav<br>
<a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a> -
PubkeyID:0x1bf31eef13ee431e<br>
<br>
</div></div><pre><fieldset></fieldset>
_______________________________________________
vpn-help mailing list
<div class="im"><a href="mailto:vpn-help@lists.shrew.net" target="_blank">vpn-help@lists.shrew.net</a>
<a href="http://lists.shrew.net/mailman/listinfo/vpn-help" target="_blank">http://lists.shrew.net/mailman/listinfo/vpn-help</a>
</div></pre>
</blockquote>
</div>
</blockquote></div><br>