Problem:

Linux shrew 2.1.7 (as available in Ubuntu 11.10 Oneiric) cannot complete
phase 1 negotiation to an OpenBSD 4.8/4.9 VPN gateway; it times out.
The previous version of shrew in the Linux distribution (version 2.1.5 in
Ubuntu 11.04 Natty) completes this negotiation and connects fine, and as a
workaround I have kept packages of 2.1.5 installed on Oneiric (preventing
the upgrade to 2.1.7).

To Reproduce:

Connect using shrew 2.1.7 to OpenBSD 4.8/4.9 gateway.

The OpenBSD gateway configuration uses a simple PSK setup in /etc/ipsec.conf:

  ike passive esp from any to $gateway_ip peer any psk $vpn_password
  ike passive esp from $gateway_ip to any psk $vpn_password

Client Phase 1 & 2 setup:

Authentication:

  - Method: Mutual PSK
  - Local Identity type: IP Address, using discovered host address
  - Credentials: Pre Shared Key (supplied)

Phase 1:

  - Exchange type: main
  - DH Exchange: group 2
  - Cipher algorithm: aes
  - Cipher key length: 256 Bits
  - Hash algorithm: sha1

Phase 2:

  - Transform algorithm: aes
  - Transform key length: 256 Bits
  - HMAC algorithm: sha1
  - PFS Exchange: group 2
  - Compression algorithm: deflate

See also attached iked.log.



-- 
Zak B. Elep || orangeandbronze.com
1486 7957 454D E529 E4F1  F75E 5787 B1FD FA53 851D

11/09/10 15:06:22 ## : IKE Daemon, ver 2.1.7
11/09/10 15:06:22 ## : Copyright 2010 Shrew Soft Inc.
11/09/10 15:06:22 ## : This product linked OpenSSL 1.0.0d 8 Feb 2011
11/09/10 15:06:22 ii : opened '/var/log/iked.log'
11/09/10 15:06:22 ii : pfkey process thread begin ...
11/09/10 15:06:22 ii : ipc server process thread begin ...
11/09/10 15:06:22 ii : network process thread begin ...
11/09/10 15:06:22 K< : recv pfkey REGISTER AH message
11/09/10 15:06:22 K< : recv pfkey REGISTER ESP message
11/09/10 15:06:22 K< : recv pfkey REGISTER IPCOMP message
11/09/10 15:06:22 K! : recv X_SPDDUMP message failure ( errno = 2 )
11/09/10 15:06:41 ii : ipc client process thread begin ...
11/09/10 15:06:41 <A : peer config add message
11/09/10 15:06:41 DB : peer added ( obj count = 1 )
11/09/10 15:06:41 ii : local address 10.141.71.41 selected for peer
11/09/10 15:06:41 DB : tunnel added ( obj count = 1 )
11/09/10 15:06:41 <A : proposal config message
11/09/10 15:06:41 <A : proposal config message
11/09/10 15:06:41 <A : proposal config message
11/09/10 15:06:41 <A : client config message
11/09/10 15:06:41 <A : preshared key message
11/09/10 15:06:41 <A : remote resource message
11/09/10 15:06:41 <A : peer tunnel enable message
11/09/10 15:06:41 DB : new phase1 ( ISAKMP initiator )
11/09/10 15:06:41 DB : exchange type is identity protect
11/09/10 15:06:41 DB : 10.141.71.41:500 <-> 210.213.136.182:500
11/09/10 15:06:41 DB : c79b3bf45cd76f0d:0000000000000000
11/09/10 15:06:41 DB : phase1 added ( obj count = 1 )
11/09/10 15:06:41 >> : security association payload
11/09/10 15:06:41 >> : - proposal #1 payload 
11/09/10 15:06:41 >> : -- transform #1 payload 
11/09/10 15:06:41 >> : vendor id payload
11/09/10 15:06:41 ii : local supports nat-t ( draft v00 )
11/09/10 15:06:41 >> : vendor id payload
11/09/10 15:06:41 ii : local supports nat-t ( draft v01 )
11/09/10 15:06:41 >> : vendor id payload
11/09/10 15:06:41 ii : local supports nat-t ( draft v02 )
11/09/10 15:06:41 >> : vendor id payload
11/09/10 15:06:41 ii : local supports nat-t ( draft v03 )
11/09/10 15:06:41 >> : vendor id payload
11/09/10 15:06:41 ii : local supports nat-t ( rfc )
11/09/10 15:06:41 >> : vendor id payload
11/09/10 15:06:41 ii : local supports FRAGMENTATION
11/09/10 15:06:41 >> : vendor id payload
11/09/10 15:06:41 ii : local supports DPDv1
11/09/10 15:06:41 >> : vendor id payload
11/09/10 15:06:41 ii : local is SHREW SOFT compatible
11/09/10 15:06:41 >> : vendor id payload
11/09/10 15:06:41 ii : local is NETSCREEN compatible
11/09/10 15:06:41 >> : vendor id payload
11/09/10 15:06:41 ii : local is SIDEWINDER compatible
11/09/10 15:06:41 >> : vendor id payload
11/09/10 15:06:41 ii : local is CISCO UNITY compatible
11/09/10 15:06:41 >= : cookies c79b3bf45cd76f0d:0000000000000000
11/09/10 15:06:41 >= : message 00000000
11/09/10 15:06:41 -> : send IKE packet 10.141.71.41:500 -> 210.213.136.182:500 ( 344 bytes )
11/09/10 15:06:41 DB : phase1 resend event scheduled ( ref count = 2 )
11/09/10 15:06:51 -> : resend 1 phase1 packet(s) 10.141.71.41:500 -> 210.213.136.182:500
11/09/10 15:07:01 -> : resend 1 phase1 packet(s) 10.141.71.41:500 -> 210.213.136.182:500
11/09/10 15:07:11 -> : resend 1 phase1 packet(s) 10.141.71.41:500 -> 210.213.136.182:500
11/09/10 15:07:21 ii : resend limit exceeded for phase1 exchange
11/09/10 15:07:21 ii : phase1 removal before expire time
11/09/10 15:07:21 DB : phase1 deleted ( obj count = 0 )
11/09/10 15:07:21 DB : policy not found
11/09/10 15:07:21 DB : policy not found
11/09/10 15:07:21 DB : policy not found
11/09/10 15:07:21 DB : policy not found
11/09/10 15:07:21 DB : policy not found
11/09/10 15:07:21 DB : policy not found
11/09/10 15:07:21 DB : tunnel stats event canceled ( ref count = 1 )
11/09/10 15:07:21 DB : removing tunnel config references
11/09/10 15:07:21 DB : removing tunnel phase2 references
11/09/10 15:07:21 DB : removing tunnel phase1 references
11/09/10 15:07:21 DB : tunnel deleted ( obj count = 0 )
11/09/10 15:07:21 DB : removing all peer tunnel refrences
11/09/10 15:07:21 DB : peer deleted ( obj count = 0 )
11/09/10 15:07:21 ii : ipc client process thread exit ...
11/09/10 15:07:55 ii : halt signal received, shutting down
11/09/10 15:07:55 ii : ipc server process thread exit ...
11/09/10 15:07:55 ii : network process thread exit ...
11/09/10 15:07:55 ii : pfkey process thread exit ...
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
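As an added diagnostic (not code from the post or from Shrew Soft), the attached log can be reduced to one question per phase 1 exchange: did any IKE packet come back from the gateway before the resend limit was hit? The script below parses the iked.log line format shown above, brackets each exchange between its `DB : new phase1` and `DB : phase1 deleted` lines, and counts sends, resends and inbound packets in between. The attached log shows the initial 344-byte main-mode packet sent at 15:06:41, three resends at 10-second intervals and no inbound packet at all, which the script classifies as `no-reply`. The second log is constructed for contrast (not from the post) and shows a peer that answers once before the exchange still stalls; the `<- : recv IKE packet` line format used there is an assumption about how iked logs inbound packets, not something taken from the attached log.

```python
"""Classify phase1 exchanges in a Shrew Soft iked.log: did the peer ever answer?"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the iked.log attached to the post above (lines unchanged).
ATTACHED_LOG_EXCERPT = """\
11/09/10 15:06:41 DB : new phase1 ( ISAKMP initiator )
11/09/10 15:06:41 DB : exchange type is identity protect
11/09/10 15:06:41 DB : 10.141.71.41:500 <-> 210.213.136.182:500
11/09/10 15:06:41 DB : c79b3bf45cd76f0d:0000000000000000
11/09/10 15:06:41 >> : security association payload
11/09/10 15:06:41 -> : send IKE packet 10.141.71.41:500 -> 210.213.136.182:500 ( 344 bytes )
11/09/10 15:06:51 -> : resend 1 phase1 packet(s) 10.141.71.41:500 -> 210.213.136.182:500
11/09/10 15:07:01 -> : resend 1 phase1 packet(s) 10.141.71.41:500 -> 210.213.136.182:500
11/09/10 15:07:11 -> : resend 1 phase1 packet(s) 10.141.71.41:500 -> 210.213.136.182:500
11/09/10 15:07:21 ii : resend limit exceeded for phase1 exchange
11/09/10 15:07:21 ii : phase1 removal before expire time
11/09/10 15:07:21 DB : phase1 deleted ( obj count = 0 )
"""

# CONSTRUCTED contrast case (not from the post): the peer answers once and the
# exchange still times out.  The "<- : recv IKE packet" format is an assumption.
CONSTRUCTED_REPLY_LOG = """\
11/09/10 16:00:00 DB : new phase1 ( ISAKMP initiator )
11/09/10 16:00:00 DB : 10.141.71.41:500 <-> 192.0.2.1:500
11/09/10 16:00:00 DB : 0123456789abcdef:0000000000000000
11/09/10 16:00:00 -> : send IKE packet 10.141.71.41:500 -> 192.0.2.1:500 ( 344 bytes )
11/09/10 16:00:00 <- : recv IKE packet 192.0.2.1:500 -> 10.141.71.41:500 ( 120 bytes )
11/09/10 16:00:10 -> : resend 1 phase1 packet(s) 10.141.71.41:500 -> 192.0.2.1:500
11/09/10 16:00:40 ii : resend limit exceeded for phase1 exchange
11/09/10 16:00:40 DB : phase1 deleted ( obj count = 0 )
"""

# "MM/DD/YY HH:MM:SS <tag> : <message>", as in the log above.
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<tag>\S+) : (?P<msg>.*)$")
PEER_RE = re.compile(r"^(?P<local>\S+) <-> (?P<remote>\S+)$")
COOKIES_RE = re.compile(r"^[0-9a-f]{16}:[0-9a-f]{16}$")   # initiator:responder cookies


@dataclass
class Phase1:
    started: str                 # time of the "new phase1" line
    role: str                    # "initiator" or "responder"
    local: Optional[str] = None
    remote: Optional[str] = None
    cookies: Optional[str] = None
    sent: int = 0                # fresh "send IKE packet" lines
    resent: int = 0              # "resend N phase1 packet(s)" lines
    received: int = 0            # inbound IKE packets while this phase1 was live
    timed_out: bool = False      # "resend limit exceeded" seen
    ended: Optional[str] = None  # time of "phase1 deleted"

    def verdict(self) -> str:
        if self.timed_out and self.received == 0:
            return "no-reply"             # peer silent: look at reachability first
        if self.timed_out:
            return "timeout-after-reply"  # peer answered, exchange still stalled
        return "no-timeout"


def parse_iked_log(text: str) -> List[Phase1]:
    """Walk the log top to bottom with at most one phase1 object live at a time."""
    exchanges: List[Phase1] = []
    cur: Optional[Phase1] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        tag, msg, ts = m["tag"], m["msg"], m["time"]
        if tag == "DB" and msg.startswith("new phase1"):
            cur = Phase1(started=ts,
                         role="initiator" if "initiator" in msg else "responder")
            exchanges.append(cur)
            continue
        if cur is None:
            continue
        if tag == "DB":
            pm = PEER_RE.match(msg)
            if pm and cur.local is None:
                cur.local, cur.remote = pm["local"], pm["remote"]
            elif COOKIES_RE.match(msg) and cur.cookies is None:
                cur.cookies = msg
            elif msg.startswith("phase1 deleted"):
                cur.ended = ts
                cur = None
        elif tag == "->" and msg.startswith("send IKE packet"):
            cur.sent += 1
        elif tag == "->" and msg.startswith("resend"):
            cur.resent += 1
        elif tag == "<-" and msg.startswith("recv IKE packet"):
            cur.received += 1
        elif tag == "ii" and msg.startswith("resend limit exceeded"):
            cur.timed_out = True
    return exchanges


def summarize(text: str) -> List[dict]:
    """One row per phase1 exchange: who, how many packets each way, verdict."""
    return [{"cookies": x.cookies, "remote": x.remote, "sent": x.sent,
             "resent": x.resent, "received": x.received, "verdict": x.verdict()}
            for x in parse_iked_log(text)]


if __name__ == "__main__":
    for row in summarize(ATTACHED_LOG_EXCERPT) + summarize(CONSTRUCTED_REPLY_LOG):
        print(row)
```

A `no-reply` verdict says nothing yet about proposal compatibility: either the first packet did not reach the gateway, the gateway dropped it silently, or its reply was lost on the way back. Before comparing the phase 1 proposal against the gateway's ipsec.conf, a packet capture on both ends will show whether the 344-byte UDP/500 packet arrives at the OpenBSD side and whether anything is sent back, which separates a transport or filtering problem from a negotiation problem.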
