<div dir="ltr"><div class="gmail_quote">On Fri, Jan 7, 2011 at 4:11 AM, Matthew Grooms <span dir="ltr"><<a href="mailto:mgrooms@shrew.net">mgrooms@shrew.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On 1/6/2011 5:47 PM, Emre Erenoglu wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Dear Shrew Users,<br>
<br>
I have a strange problem. I'm using Shrew Soft client on my XP<br>
successfully, everything is working fine.<br>
<br>
I'm exporting the same configuration to my Linux system, it seems to<br>
connect fine since I get the "tunnel enabled" message and the tap0<br>
interface gets an address, however, the "security associations"<br>
"established" shows "0" and after some time "failed" startes to<br>
increase. Status shows "connected" and remote host shows the IP.<br>
Transport used is NAT-T / IKE / ESP. Fragmentation and Dead Peer<br>
Detection shows disabled although I enabled them in the config.<br>
<br>
I tried to search internet, saw settings about rp_filter, so I set the<br>
following sysctl values and rebooted.<br>
net.ipv4.conf.default.rp_filter = 0<br>
net.ipv4.conf.all.rp_filter = 0<br>
<br>
Still no luck. My iptables is empty, there are no other firewalls on the<br>
system. Do you have any idea why this Phase2 negotiation is failing? I'm<br>
pasting the logs below. Please note that I changed the shown IP<br>
addresses by hand, so don't mind them unless necessary.<br>
<br>
</blockquote>
<br></div>
Your phase2 negotiation is not completing successfully. As a result, you don't have an IPsec SA to send traffic with. The kernel is sending an ACQUIRE message appropriately, and the ike daemon is attempting to negotiate phase2 but is failing to get a response from the peer.<br>
<br>
BTW, what is 1.2.176.8? ...<div class="im"><br>
<br>
ii : creating NONE INBOUND policy ANY:0.0.0.0:* -> ANY:1.2.176.8:*<br></div><div class="im">
K> : send pfkey X_SPDADD UNSPEC message<br>
ii : creating NONE OUTBOUND policy ANY:1.2.176.8:* -> ANY:0.0.0.0:*<br>
K< : recv pfkey X_SPDADD UNSPEC message<br></div><div class="im">
ii : created NONE policy route for <a href="http://0.0.0.0/32" target="_blank">0.0.0.0/32</a><br>
<br></div>
If I recall correctly, these NONE policies get created is when there is a route to the peer, usually a default gateway. However, your next hop shouldn't be at 1.2.176.8. Its not even close to 192.168.1.150. Do you have static entries in your route table for something?<br>
<font color="#888888">
<br>
-Matthew<br>
</font></blockquote></div><br>No,these are addresses I made up myself not to disclose server addresses to a public mailing list. However, if the key to the solution is them, I can send them intact. As far as I saw, those addresses were OK, one was the address assigned to me, other was the vpn server address.<br>
<br>There was one thing in the logs:<br><span style="font-family: courier new,monospace;">ii : received config pull response</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">ii : - IP4 Address = 1.2.176.8</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">ii : - Address Expiry = 0</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">ii : - IP4 Netmask = 255.255.240.0</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">ii : - IP4 DNS Server = 1.2.1.13</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">ii : - IP4 DNS Server = 1.2.1.199</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">ii : - IP4 Subnet = ANY:<a href="http://0.0.0.0/0:*" target="_blank">0.0.0.0/0:*</a> ( invalid subnet ignored )<br><br>Could the last ignore be an issue? Maybe I can test the same in windows.<br>
<br>Any other clues?<br clear="all"></span><br>-- <br>Emre<br>
</div>