On 08/11/2011 06:32 AM, Demelza wrote:
Demelza Buckham<fire_keese@...> writes:
Hi there

I'm not quite sure whether this is a question for Shrew Soft or Ubuntu, but
I'll try here first.

I've managed to get Shrew Soft VPN Client connected to my Juniper SSG 5 using
this tutorial:
http://www.shrew.net/support/wiki/HowtoJuniperSsg

However, if I try to connect to any hosts, my computer immediately freezes and
requires a hard reboot. (Pinging a non-existent host is fine, pinging the SSG 5
using its public IP is fine, however, pinging or trying to connect via SSH to a
host that exists within the remote network causes the problem.)

For example:
Ubuntu 11.04 (my PC) main IP = 10.0.0.212
Ubuntu 11.04 (my PC) tunnel IP = 192.168.150.1
Juniper WAN IP = 10.0.0.213
Target IP = 192.168.10.5
Non-existent IP = 192.168.10.123

Pinging 10.0.0.213 works, pinging 192.168.10.123 gets no response (it's dropped
by my switch), pinging 192.168.10.5 kills my PC.

When I ping 192.168.10.5: Juniper does an ARP on the IP, and sends the ping out
of the correct port, the target computer replies, the reply is received by
Juniper and is forwarded onto my PC - I'm guessing it dies at this point,
although I can't see why.

Using:
Ubuntu 11.04
VPN Client 2.1.5
ScreenOS (on SSG) 6.2.0r11.0

Troubleshooting done so far:
- I've double-checked all of the client and Juniper settings, all are exactly
  as in the tutorial (except number of simultaneous connections to user account)
- I've turned off ipv6
- Tried disabling Ubuntu network manager
- Tried using both eth0 and eth1 and disabling the inactive one (eth0 on-board,
  eth1 USB adapter)
- Checked logs on Juniper; can't see anything
- I can see the ping and the response on wireshark running on the target
  computer (it only sees one ping)
- Checked logs on computer running the VPN client; nothing that seems relevant
  (both syslog and iked.log, which was set to log level loud)
- Tried turning off NAT traversal on both client and Juniper
- Tried manually putting in cipher and hash algorithms for Phase 1 and 2 rather
  than leaving as auto
- Debugging with the Juniper debug command isn't showing anything relevant; and
  I can't see how to debug both the flow and IKE/tunnel together, so can't see
  the relationship between the packets being sent and the tunnel status
- Uninstalled other VPN software from the machine (I did have OpenVPN on there)

I'm not really sure what else to do at this stage; it looks like the Ubuntu is
freezing before logging anything and I can't see any problems on any of the
other hardware involved.

This is what syslog shows when I connect to the VPN; although I don't think
it's relevant

NetworkManager[836]: SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tap0, iface: tap0)
NetworkManager[836]: SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tap0, iface: tap0): no ifupdown configuration found.
NetworkManager[836]:<warn> /sys/devices/virtual/net/tap0: couldn't determine device driver; ignoring...

Any help with what I could do next to try and solve the issue would be
appreciated. Thanks very much.
Dee
UPDATE: I installed Shrew Soft version 1.7 on a Win 7 virtual machine with a
bridged connection to Ubuntu, and that works fine.
I also uninstalled 1.5 and compiled the 1.7 version on Ubuntu; getting the same
issue as with 1.5.
Hi Dee,
Unfortunately, I'm not familiar with running Shrew on Ubuntu, so I may
be of limited help. Not only that, but I was going to suggest that you
try running it on Windows, and you've already tried that. At least you
know you have a valid configuration file to run on the Ubuntu side.
I would check again to see if there's something running on Ubuntu that
is intercepting the packets heading for Shrew - perhaps there's other
software running that is looking for packets on UDP 500 or
iptables/firewall does not the the IP protocol 50 packets.
You could also use Wireshark or tcpdump to examine the capture file that
Shrew can produce (http://www.shrew.net/support/wiki/BugReportVpnUnix)
to see if it sees the ping response.
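
The firewall check suggested in the reply can be run offline against saved rules. The following is an added example, not part of the original thread or of Shrew Soft's tooling: it reads `iptables-save -t filter` output and reports the first-match verdict on the INPUT chain for IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50). The function names and the sample ruleset are constructed for illustration; only `-p`, `--dport` and `-j` are modelled, so rules with other matches (interface, conntrack state) or jumps to user chains are skipped.

```python
import shlex
# CONSTRUCTED sample of `iptables-save -t filter` output (not from the thread).
SAMPLE = """*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
COMMIT
"""
# Inbound traffic an IPsec client needs: IKE, NAT-T and ESP (IP protocol 50).
FLOWS = {"ike": ("udp", 500), "nat-t": ("udp", 4500), "esp": ("esp", None)}
ALIASES = {"50": "esp", "17": "udp", "6": "tcp", "all": None}
FINAL = ("ACCEPT", "DROP", "REJECT")

def parse_input_chain(text):
    """Return (default policy, rules) for the INPUT chain."""
    policy, rules = "ACCEPT", []
    for line in map(str.strip, text.splitlines()):
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rule = {"proto": None, "dport": None, "target": None, "other": False}
            args = iter(shlex.split(line)[2:])
            for opt in args:
                if opt == "-p":
                    rule["proto"] = ALIASES.get(val := next(args), val)
                elif opt == "--dport":
                    lo, _, hi = next(args).partition(":")
                    rule["dport"] = (int(lo), int(hi or lo))
                elif opt == "-j":
                    rule["target"] = next(args)
                    break  # anything after the target is a target option
                else:  # "-m udp"/"-m tcp" add nothing; any other match is unmodelled
                    rule["other"] |= opt not in ("-m", "udp", "tcp")
            rules.append(rule)
    return policy, rules

def verdict(policy, rules, proto, port):
    """First-match verdict; unmodelled rules and non-final targets are skipped."""
    for r in rules:
        port_ok = r["dport"] is None or (port is not None and r["dport"][0] <= port <= r["dport"][1])
        if not r["other"] and r["target"] in FINAL and r["proto"] in (None, proto) and port_ok:
            return r["target"]
    return policy

def check_ipsec(text):
    policy, rules = parse_input_chain(text)
    return {name: verdict(policy, rules, *flow) for name, flow in FLOWS.items()}
```

On the constructed ruleset, IKE and NAT-T are accepted while ESP falls through to the DROP policy, which is the "negotiation succeeds but tunnel traffic never arrives" pattern a firewall gap for protocol 50 produces.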