On 1/6/2011 5:47 PM, Emre Erenoglu wrote:
Dear Shrew Users,

I have a strange problem. I'm using Shrew Soft client on my XP
successfully, everything is working fine.

I'm exporting the same configuration to my Linux system, it seems to
connect fine since I get the "tunnel enabled" message and the tap0
interface gets an address, however, the "security associations"
"established" shows "0" and after some time "failed" starts to
increase. Status shows "connected" and remote host shows the IP.
Transport used is NAT-T / IKE / ESP. Fragmentation and Dead Peer
Detection shows disabled although I enabled them in the config.

I tried to search internet, saw settings about rp_filter, so I set the
following sysctl values and rebooted.
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0

Still no luck. My iptables is empty, there are no other firewalls on the
system. Do you have any idea why this Phase2 negotiation is failing? I'm
pasting the logs below. Please note that I changed the shown IP
addresses by hand, so don't mind them unless necessary.


Your phase2 negotiation is not completing successfully. As a result, you don't have an IPsec SA to send traffic with. The kernel is sending an ACQUIRE message appropriately, and the ike daemon is attempting to negotiate phase2 but is failing to get a response from the peer.

BTW, what is 1.2.176.8? ...

ii : creating NONE INBOUND policy ANY:0.0.0.0:* -> ANY:1.2.176.8:*
K> : send pfkey X_SPDADD UNSPEC message
ii : creating NONE OUTBOUND policy ANY:1.2.176.8:* -> ANY:0.0.0.0:*
K< : recv pfkey X_SPDADD UNSPEC message
ii : created NONE policy route for 0.0.0.0/32

If I recall correctly, these NONE policies get created when there is a route to the peer, usually a default gateway. However, your next hop shouldn't be at 1.2.176.8. It's not even close to 192.168.1.150. Do you have static entries in your route table for something?

-Matthew
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
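A small log check, added here as an example and not part of the thread or of the Shrew Soft client: it parses the "creating ... policy" lines in the iked log format quoted above and flags NONE (bypass) policies whose peer is not the expected gateway, which is the mismatch Matthew points out. The sample log lines are constructed in that format, and the expected gateway address 192.168.1.150 is assumed from the reply.

```python
import re

# Constructed sample in the format of the Shrew Soft iked log quoted in the thread
SAMPLE_LOG = """\
ii : creating NONE INBOUND policy ANY:0.0.0.0:* -> ANY:1.2.176.8:*
K> : send pfkey X_SPDADD UNSPEC message
ii : creating NONE OUTBOUND policy ANY:1.2.176.8:* -> ANY:0.0.0.0:*
K< : recv pfkey X_SPDADD UNSPEC message
ii : created NONE policy route for 0.0.0.0/32
ii : creating IPSEC INBOUND policy ANY:10.10.0.0/24:* -> ANY:10.10.0.7:*
"""

# "creating <TYPE> <DIR> policy <proto>:<addr>:<port> -> <proto>:<addr>:<port>"
POLICY_RE = re.compile(
    r"creating (?P<ptype>\w+) (?P<direction>INBOUND|OUTBOUND) policy "
    r"(?P<sproto>\w+):(?P<src>[^:\s]+):(?P<sport>\S+) -> "
    r"(?P<dproto>\w+):(?P<dst>[^:\s]+):(?P<dport>\S+)"
)

def parse_policies(log_text):
    """Return one dict per 'creating ... policy' line; other lines are ignored."""
    policies = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            policies.append(m.groupdict())
    return policies

def none_policy_peers(policies):
    """Endpoints that NONE (bypass) policies are anchored on, i.e. the side that
    is not the 0.0.0.0 wildcard. Traffic to these hosts leaves in the clear, so
    they should only ever be the VPN gateway or the next hop towards it."""
    peers = set()
    for p in policies:
        if p["ptype"] != "NONE":
            continue
        for addr in (p["src"], p["dst"]):
            if addr != "0.0.0.0":
                peers.add(addr)
    return peers

def unexpected_none_peers(policies, expected_peers):
    """NONE-policy peers that are neither the VPN gateway nor a known next hop;
    in the thread, 1.2.176.8 is flagged because it matches no expected route."""
    return none_policy_peers(policies) - set(expected_peers)

if __name__ == "__main__":
    # Assumed for this example: the expected gateway 192.168.1.150 from the reply
    print(unexpected_none_peers(parse_policies(SAMPLE_LOG), ["192.168.1.150"]))  # → {'1.2.176.8'}
```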
