Greetings!

I am a longtime user of fwknop (thanks for your work Michael!), and I
have run into a problem that has been vexing me for several months.

I have two servers into which I log in via SSH after authorizing with
fwknop from two clients. Authorization from the Ubuntu client (Client 1)
works as expected. Authorization from the Arch Linux-based client
(Client 2) fails with both servers.

I have compared the contents of the SPA packets at the clients and at
the servers, and they appear to arrive correctly at the servers (using
verbose fwknop(1) output and tcpdump).

Can anyone help with troubleshooting pointers? I'm happy to provide more
details as needed.

Thanks!

  ~David Klann


Here are some version and configuration details:

  - Server 1: Current Gentoo, net-firewall/fwknop version 2.6.9-r1

fwknopd --version
fwknopd server 2.6.9, compiled for firewall bin: /sbin/iptables

  - Server 2: Ubuntu 16.04, fwknop-server 2.6.0-2.2

sudo fwknopd --version
fwknopd server 2.6.0

SPA authorization from Client 1 works with both of these servers. SPA
authorization from Client 2 *fails* with both servers. Details:

  - Client 1 (working): Ubuntu 17.10, fwknop-client 2.6.9-1build1

fwknop --version
fwknop client 2.6.9, FKO protocol version 3.0.0

  - Client 2 (not working): current Arch Linux, community/fwknop 2.6.9-4

fwknop --version
fwknop client 2.6.9, FKO protocol version 2.0.2

Client and server configurations are at the following pastebins:
 - client 1 .fwknoprc: https://pastebin.com/eNL4Fskp
 - client 2 .fwknoprc: https://pastebin.com/tN5ryw83
 - server 1 fwknopd.conf: https://pastebin.com/UgiXHXMV
 - server 1 access.conf: https://pastebin.com/Jakk07gj
 - server 2 fwknopd.conf: https://pastebin.com/inxC1S6G
 - server 2 access.conf: https://pastebin.com/NGRTJqW5


_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
