All,

I found Mathew's original post on the subject:
http://lists.shrew.net/mailman/htdig/vpn-help/2008-November/001827.html

I edited my /etc/sysctl.d/10-network-security.conf as directed; my sysctl rp_filter options are indeed all set to 0 (see below), *but things didn't work out*.

desktop:~$ sudo sysctl -a | grep rp_filter | grep -v arp
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.vmnet1.rp_filter = 0
net.ipv4.conf.vmnet8.rp_filter = 0
net.ipv4.conf.tap0.rp_filter = 0

I still face the dropping of packets by the kernel even though I've set all rp_filter options to 0. I quote Mathew from the original thread
<http://lists.shrew.net/mailman/htdig/vpn-help/2008-November/001827.html>:

"the client can establish a connection and negotiate IPSec SAs, but return traffic never makes it to the userland applications ... ping displays the following stalled output ... even though you can see response packets using tcpdump"

Has anyone else run into this problem on Ubuntu 10.04? I really need this to be resolved.

Thanks,
Gaurav
pgp.mit.edu - PubkeyID:0x1bf31eef13ee431e

On Thu, Apr 29, 2010 at 2:37 PM, oliver <[email protected]> wrote:

> Hi Gaurav,
>
> I had the same problem, also on 10.04. I unfortunately didn't save the details,
> but there is a thread (by Mathew I think) that describes this issue. It
> seems that even though the connection is established, the packets don't get
> through, and that can be changed by editing
> /etc/sysctl.d/10-network-security.conf ... that's as much as I can recall;
> keyword AFAIR is "rp_filter".
>
> It's not much help I am afraid, but it should give you an idea what to look
> for.
>
> Rgds
> Oliver
>
> On 29/04/2010 10:44, Gaurav wrote:
>
> Hi All,
>
> I've raised this issue earlier. I couldn't resolve it, so I'd like to
> raise it once again with all the debugging info in one place.
>
> Hope it helps; I so don't want to run a Windows VM just for VPN
> access.
>
> *Original post:*
>
> I've been using the Shrew Soft client for years on Windows without any
> problems.
>
> I switched to Ubuntu 10.04 once and for all recently, but ran into issues
> with an imported .pcf that worked flawlessly on Windows 7.
>
> Imported the same .pcf into Shrew Soft ver 2.1.5 on Ubuntu 10.04 and
> managed to connect as well, but just couldn't ping/ssh my remote machines
> over VPN.
>
> I've tried possible workarounds/tweaks/fixes, the little that I could dig
> up around this, but things didn't work out.
>
> Any suggestions?
>
> Prints/logs follow.
>
> *Connection prints:*
> config loaded for site 'xxxxxxxxxx.pcf'
> attached to key daemon ...
> peer configured
> iskamp proposal configured
> esp proposal configured
> client configured
> local id configured
> remote id configured
> pre-shared key configured
> bringing up tunnel ...
> user authentication error
> tunnel disabled
> detached from key daemon ...
> attached to key daemon ...
> peer configured
> iskamp proposal configured
> esp proposal configured
> client configured
> local id configured
> remote id configured
> pre-shared key configured
> bringing up tunnel ...
> user authentication error
> tunnel disabled
> detached from key daemon ...
> attached to key daemon ...
> peer configured
> iskamp proposal configured
> esp proposal configured
> client configured
> local id configured
> remote id configured
> pre-shared key configured
> bringing up tunnel ...
> network device configured
> tunnel enabled
>
> *Logs:*
> desktop:~$ cat /var/log/iked.log
> 10/04/28 00:36:01 ## : IKE Daemon, ver 2.1.5
> 10/04/28 00:36:01 ## : Copyright 2009 Shrew Soft Inc.
> 10/04/28 00:36:01 ## : This product linked OpenSSL 0.9.8k 25 Mar 2009
> 10/04/28 00:36:01 K! : recv X_SPDDUMP message failure ( errno = 2 )
> 10/04/28 00:41:19 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:41:19 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:41:26 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:42:18 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:46:48 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:46:48 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:46:57 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:51:32 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:53:19 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:53:19 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:53:19 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:53:26 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:54:31 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:54:37 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:55:01 K! : unhandled pfkey message type EXPIRE ( 8 )
> 10/04/28 00:55:07 K! : unhandled pfkey message type EXPIRE ( 8 )
> 10/04/28 00:55:07 K! : unhandled pfkey message type EXPIRE ( 8 )
> 10/04/28 00:55:22 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:55:22 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:55:22 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:55:28 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:56:42 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:56:52 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:57:12 K! : unhandled pfkey message type EXPIRE ( 8 )
> 10/04/28 00:57:22 K! : unhandled pfkey message type EXPIRE ( 8 )
> 10/04/28 00:58:12 !! : invalid private netmask, defaulting to class c
> 10/04/28 00:58:12 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 00:58:12 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:00:33 !! : invalid private netmask, defaulting to class c
> 10/04/28 01:00:33 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:00:34 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:00:38 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:02:46 !! : invalid private netmask, defaulting to class c
> 10/04/28 01:02:46 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:02:46 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:02:56 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:05:04 K! : unhandled pfkey message type EXPIRE ( 8 )
> 10/04/28 01:05:04 K! : unhandled pfkey message type EXPIRE ( 8 )
> 10/04/28 01:05:16 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:05:17 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:05:43 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:05:48 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:17:59 !! : invalid private netmask, defaulting to class c
> 10/04/28 01:17:59 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:18:11 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:22:33 !! : invalid private netmask, defaulting to class c
> 10/04/28 01:22:33 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:22:46 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
> 10/04/28 01:22:52 !! : peer violates RFC, transform number mismatch ( 1 != 17 )
>
> */sbin/ifconfig output:*
> desktop:~$ /sbin/ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:1f:d0:d2:d2:a4
>           inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
>           inet6 addr: fe80::21f:d0ff:fed2:d2a4/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:7026 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6401 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:6469445 (6.4 MB)  TX bytes:1176183 (1.1 MB)
>           Interrupt:27
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:18 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1100 (1.1 KB)  TX bytes:1100 (1.1 KB)
>
> tap0      Link encap:Ethernet  HWaddr f2:47:0e:c8:b6:99
>           inet addr:192.168.20.141  Bcast:192.168.20.255  Mask:255.255.255.0
>           inet6 addr: fe80::f047:eff:fec8:b699/64 Scope:Link
>           UP BROADCAST RUNNING  MTU:1380  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:500
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
> vmnet1    Link encap:Ethernet  HWaddr 00:50:56:c0:00:01
>           inet addr:192.168.184.1  Bcast:192.168.184.255  Mask:255.255.255.0
>           inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
> vmnet8    Link encap:Ethernet  HWaddr 00:50:56:c0:00:08
>           inet addr:192.168.111.1  Bcast:192.168.111.255  Mask:255.255.255.0
>           inet6 addr: fe80::250:56ff:fec0:8/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
> */sbin/route output:*
> desktop:~$ /sbin/route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 172.17.48.31    192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
> 10.8.50.232     192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
> 172.17.48.3     192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
> 172.17.48.32    192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
> 172.17.48.22    192.168.20.141  255.255.255.255 UGH   0      0        0 tap0
> 10.10.7.0       192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 10.10.20.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 192.168.20.0    *               255.255.255.0   U     0      0        0 tap0
> 10.10.2.0       192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 10.10.19.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
> 10.155.114.0    192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 172.17.20.0     192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 10.10.12.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 192.168.184.0   *               255.255.255.0   U     0      0        0 vmnet1
> 192.168.111.0   *               255.255.255.0   U     0      0        0 vmnet8
> 10.10.10.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 10.10.9.0       192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 10.10.75.0      192.168.20.141  255.255.255.0   UG    0      0        0 tap0
> 10.10.96.0      192.168.20.141  255.255.252.0   UG    0      0        0 tap0
> 172.17.144.0    192.168.20.141  255.255.240.0   UG    0      0        0 tap0
> 172.17.128.0    192.168.20.141  255.255.240.0   UG    0      0        0 tap0
> 172.17.0.0      192.168.20.141  255.255.240.0   UG    0      0        0 tap0
> 172.17.32.0     192.168.20.141  255.255.240.0   UG    0      0        0 tap0
> 172.25.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> 172.31.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> 172.18.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> 172.16.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> link-local      *               255.255.0.0     U     1000   0        0 eth0
> 192.168.0.0     192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> 10.201.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> 10.202.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> 10.203.0.0      192.168.20.141  255.255.0.0     UG    0      0        0 tap0
> default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
>
> *client configuration file:*
> desktop:~$ cat file.pcf
> [main]
> Description=
> Host=xxx-xxxxxxx.xxxxxxxxxx.com
> AuthType=1
> GroupName=xxxxx-xxxxxxx
> GroupPwd=
> enc_GroupPwd=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> EnableISPConnect=0
> ISPConnectType=0
> ISPConnect=test
> ISPPhonebook=C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk
> ISPCommand=
> Username=xxxxxx.xxxxxx
> SaveUserPassword=0
> UserPassword=
> enc_UserPassword=
> NTDomain=
> EnableBackup=0
> BackupServer=
> EnableMSLogon=1
> MSLogonType=0
> EnableNat=1
> TunnelingMode=0
> TcpTunnelingPort=10000
> CertStore=0
> CertName=
> CertPath=
> CertSubjectName=
> CertSerialHash=00000000000000000000000000000000
> SendCertChain=0
> PeerTimeout=90
> EnableLocalLAN=0
>
> Gaurav
> pgp.mit.edu - PubkeyID:0x1bf31eef13ee431e

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
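An rp_filter audit to go with the thread above, added here as an example and not part of the original mail: it reads `sysctl -a` style lines and reports the effective reverse-path filter value per interface, since the kernel applies the larger of conf.all.rp_filter and conf.<iface>.rp_filter (Documentation/networking/ip-sysctl.txt). The embedded sample is constructed, not Gaurav's output; the `--live` switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: report which interfaces still have
# reverse-path filtering active, given `sysctl -a` style lines on stdin.
# The kernel applies max(conf.all.rp_filter, conf.<iface>.rp_filter) per
# interface (Documentation/networking/ip-sysctl.txt), so zeroing only the
# per-interface knobs, or only conf.all, leaves the check active.

# effective_rp_filter IFACE < sysctl-lines : print IFACE's effective value.
effective_rp_filter() {
    awk -v iface="$1" -F'[ =]+' '
        BEGIN { key = "net.ipv4.conf." iface ".rp_filter" }
        $1 == "net.ipv4.conf.all.rp_filter" { all = $2 + 0 }
        $1 == key                           { dev = $2 + 0 }
        END { v = (all > dev) ? all : dev; print v + 0 }'
}

# filtered_ifaces < sysctl-lines : print "IFACE VALUE" for every real
# interface whose effective rp_filter is non-zero ("all" and "default"
# are templates, not interfaces, and are skipped).
filtered_ifaces() {
    awk -F'[ =]+' '
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.rp_filter$/ {
            split($1, p, "."); val[p[4]] = $2 + 0
        }
        END {
            all = val["all"] + 0
            for (d in val) {
                if (d == "all" || d == "default") continue
                v = (all > val[d]) ? all : val[d]
                if (v != 0) print d, v
            }
        }' | sort
}

# Constructed sample (not Gaurav's output): conf.all left at the 1 that
# 10-network-security.conf sets while the per-interface knobs were zeroed,
# so every interface, tap0 included, is still filtered.
SAMPLE='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.tap0.rp_filter = 0'

if [ "${1:-}" = "--live" ]; then
    sysctl -a 2>/dev/null | filtered_ifaces   # audit the running kernel
else
    printf '%s\n' "$SAMPLE" | filtered_ifaces
fi
```

On a live system, setting net.ipv4.conf.all.log_martians = 1 makes the kernel log the packets it drops for failing the reverse-path check, which is the direct way to confirm or rule out rp_filter as the cause of stalled pings like the ones described above.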
