Lonnie, is there a way I can debug this?  It is not just ping/traceroute, I
am not able to get to a web site behind the VPN when I set up push
networks... Safari just times out, no response from server.  Is there any
way I can monitor VPN requests over the network?

Syslog attached also, nothing is logged after login.

Thanks

David



Apr 27 16:06:26 pbx daemon.info racoon: [198.228.206.162] INFO:
received INITIAL-CONTACT
Apr 27 16:06:26 pbx daemon.info racoon: INFO: ISAKMP-SA established
24.128.119.26[4500]-198.228.206.162[62499]
spi:a8c182b72af51557:2099735aad9bb43c
Apr 27 16:06:27 pbx daemon.info racoon: INFO: Using port 0
Apr 27 16:06:27 pbx daemon.info racoon: INFO: verifying user from
/tmp/etc/xauthuser.txt
Apr 27 16:06:27 pbx daemon.info racoon: INFO: login succeeded for user "david"
Apr 27 16:06:27 pbx daemon.info racoon: WARNING: Ignored attribute
INTERNAL_ADDRESS_EXPIRY
Apr 27 16:06:27 pbx daemon.info racoon: WARNING: Ignored attribute 28683
Apr 27 16:06:27 pbx daemon.info racoon: INFO: respond new phase 2
negotiation: 24.128.119.26[4500]<=>198.228.206.162[62499]
Apr 27 16:06:27 pbx daemon.info racoon: INFO: no policy found, try to
generate the policy : 192.168.2.1/32[0] 192.168.1.0/24[0] proto=any
dir=in
Apr 27 16:06:27 pbx daemon.info racoon: INFO: Adjusting my encmode
UDP-Tunnel->Tunnel
Apr 27 16:06:27 pbx daemon.info racoon: INFO: Adjusting peer's encmode
UDP-Tunnel(3)->Tunnel(1)
Apr 27 16:06:27 pbx daemon.info racoon: INFO: IPsec-SA established:
ESP/Tunnel 24.128.119.26[4500]->198.228.206.162[62499]
spi=106011926(0x6519d16)
Apr 27 16:06:27 pbx daemon.info racoon: INFO: IPsec-SA established:
ESP/Tunnel 24.128.119.26[4500]->198.228.206.162[62499]
spi=230041645(0xdb6282d)



On Friday, April 27, 2012, Lonnie Abelbeck wrote:

> Hi David,
>
> After further investigation, the VPN gateway IP (192.168.2.1 in your case,
> 10.9.1.1 for me) does not respond to ICMP (or any other) requests,
> therefore the first hop of a traceroute times out.  A *real* traceroute
> will then continue to the second hop and see the local LAN IP address.
>
> It seems the "Ping Lite" app stops on the first hop that reports three
> "timeouts".
>
> Lonnie
>
>
> On Apr 26, 2012, at 10:24 PM, Lonnie Abelbeck wrote:
>
> > Hi David,
> >
> > We have tested (extensively) what you want to do, and it works for us.
> >
> > Are you using iOS 5.1 ?  Double check for typos, you want:
> > --
> > Push Network(s):  192.168.1.0/24
> > --
> > Are you using the "Ping Lite" app to test with ? The ping there seems to
> work, but traceroute does not for me.
> >
> > So, your problem might be just a bad app.
> >
> > When I was testing I used a web server in the local network and accessed
> it just fine with the iOS browser.
> >
> > Further detail...
> >
> > Tip, I prefer using the  Remote IPv4 Base / Mask of 10.9.1.1 /
> 255.255.255.0
> > or something more odd-ball so as to be unique.  The Remote IPv4 must be
> unique between remote and local networks.
> >
> > If you still can't get it to work, look at the server logs with "Info"
> logging:
> >
> > For me I have:
> > --
> > Push Network(s):  192.168.101.0/24
> > --
> > You should see the "no policy found, try to generate the policy" line:
> >
> > Apr 26 21:51:33 pbx daemon.info racoon: INFO: respond new phase 2
> negotiation: 10.10.50.62[500]<=>10.10.10.85[500]
> > Apr 26 21:51:33 pbx daemon.info racoon: INFO: no policy found, try to
> generate the policy : 10.9.1.1/32[0] 192.168.101.0/24[0] proto=any dir=in
> > Apr 26 21:51:33 pbx daemon.info racoon: INFO: IPsec-SA established:
> ESP/Tunnel 10.10.50.62[500]->10.10.10.85[500] spi=163860196(0x9c44ee4)
> > Apr 26 21:51:33 pbx daemon.info racoon: INFO: IPsec-SA established:
> ESP/Tunnel 10.10.50.62[500]->10.10.10.85[500] spi=249302327(0xedc0d37)
> >
> > Then if I delete "Push Network(s)" and restart IPsec, I see the "no
> policy found, try to generate the policy" line:
> >
> > Apr 26 22:09:22 pbx daemon.info racoon: INFO: respond new phase 2
> negotiation: 10.10.50.62[500]<=>10.10.10.85[500]
> > Apr 26 22:09:22 pbx daemon.info racoon: INFO: no policy found, try to
> generate the policy : 10.9.1.1/32[0] 0.0.0.0/0[0] proto=any dir=in
> > Apr 26 22:09:22 pbx daemon.info racoon: INFO: IPsec-SA established:
> ESP/Tunnel 10.10.50.62[500]->10.10.10.85[500] spi=94259665(0x59e49d1)
> > Apr 26 22:09:22 pbx daemon.info racoon: INFO: IPsec-SA established:
> ESP/Tunnel 10.10.50.62[500]->10.10.10.85[500] spi=233833350(0xdf00386)
> >
> > Lonnie
> >
> >
> > On Apr 26, 2012, at 8:05 PM, David Kerr wrote:
> >
> >> Lonnie,
> >>  I need some configuration help.  I have my iPhone connecting to the
> VPN and it is working.  However as noted in the documentation the iPhone is
> routing ALL traffic through the VPN, not just traffic to my internal
> network.  I tried the Push Network(s) setting but it fails.
> >>
> >> My internal network is 192.168.1.xx
> >> I set remote IPv4 base to 192.168.2.1 and mask to 255.255.255.0
> >>
> >> If I leave the push network(s) blank then everything works, but all
> traffic goes through the VPN (traceroute [yes there is an app for that]
> starts with the external IP address of the astlinux box).
> >>
> >> If I enter 192.168.1.0/24 into the Push Network(s) field then nothing
> routes to any 192.168.1.xx destination. Traceroute times out on the first
> hop.  But traceroute to anywhere else works (without going through the
> astlinux box).
> >>
> >> Am I doing something wrong with the Push Network(s) setting?
> >>
> >> Thanks
> >> David
> >
> >
> >
> ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. <http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/>
_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users
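Lonnie's advice above is to confirm the "Push Network(s)" setting from the racoon "no policy found, try to generate the policy" line rather than from what a traceroute app shows. The script below does that check mechanically. It is an added example for this thread, not AstLinux or racoon code: it parses the racoon syslog records quoted in the thread (copied here with the mail wrapping undone), pulls out the client's virtual address, the destination network racoon generated a policy for, the ESP SPIs and whether the ISAKMP SA moved to UDP/4500 (NAT traversal), and then compares the generated policy with the Push Network(s) value and the Remote IPv4 base/mask you think you configured. A destination of 0.0.0.0/0 means the client is full-tunnelling, and a remote pool that overlaps the pushed network is the misconfiguration Lonnie warns about. The function and variable names are my own.

```python
"""Check a racoon (ipsec-tools) syslog excerpt for the phase-2 policy it
generated, so an AstLinux "Push Network(s)" setting can be confirmed from the
log rather than inferred from traceroute behaviour.

Added example, not AstLinux or racoon code. Needs Python 3.8+.
The two log excerpts are copied from the thread; each syslog record is
one line here (the mail client wrapped them).
"""
import ipaddress
import re
from typing import Dict, List

# racoon: "ISAKMP-SA established 24.128.119.26[4500]-198.228.206.162[62499] spi:..."
ISAKMP_RE = re.compile(
    r"ISAKMP-SA established (?P<local>[\d.]+)\[(?P<lport>\d+)\]-"
    r"(?P<remote>[\d.]+)\[(?P<rport>\d+)\]"
)
# racoon: 'login succeeded for user "david"'
LOGIN_RE = re.compile(r'login succeeded for user "(?P<user>[^"]+)"')
# racoon: "no policy found, try to generate the policy : <client>/32[0] <net>[0] proto=any dir=in"
POLICY_RE = re.compile(
    r"generate the policy : (?P<src>[\d.]+/\d+)\[\d+\] (?P<dst>[\d.]+/\d+)\[\d+\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>\S+)"
)
# racoon: "IPsec-SA established: ESP/Tunnel a[4500]->b[62499] spi=106011926(0x6519d16)"
SA_RE = re.compile(r"IPsec-SA established: ESP/(?P<mode>\w+) .* spi=(?P<spi>\d+)\(0x[0-9a-f]+\)")


def parse_racoon(lines: List[str]) -> Dict:
    """Summarise one client session from racoon INFO lines."""
    s: Dict = {"user": None, "nat_t": None, "policies": [], "spis": []}
    for line in lines:
        if m := ISAKMP_RE.search(line):
            # racoon moves from UDP/500 to UDP/4500 once NAT traversal is negotiated
            s["nat_t"] = m.group("lport") == "4500"
        elif m := LOGIN_RE.search(line):
            s["user"] = m.group("user")
        elif m := POLICY_RE.search(line):
            s["policies"].append(m.groupdict())
        elif m := SA_RE.search(line):
            s["spis"].append(int(m.group("spi")))
    return s


def check_session(summary: Dict, push_network: str, remote_pool: str) -> List[str]:
    """Compare the generated policy with the configured Push Network(s) and
    Remote IPv4 base/mask. Returns findings; an empty list means it matches."""
    findings = []
    want = ipaddress.ip_network(push_network)
    pool = ipaddress.ip_network(remote_pool, strict=False)  # accepts "192.168.2.1/24"
    if pool.overlaps(want):
        findings.append(f"remote pool {pool} overlaps pushed network {want}; "
                        "Remote IPv4 base must be unique")
    if not summary["policies"]:
        findings.append("no 'generate the policy' line: phase 2 never completed")
    for p in summary["policies"]:
        src = ipaddress.ip_network(p["src"])  # the client's virtual address
        dst = ipaddress.ip_network(p["dst"])  # what the client will send into the tunnel
        if dst.prefixlen == 0:
            findings.append(f"policy destination {dst}: client is full-tunnelling, "
                            "Push Network(s) is not in effect")
        elif dst != want:
            findings.append(f"policy destination {dst} does not match Push Network {want}")
        if not src.subnet_of(pool):
            findings.append(f"client address {src} is outside remote pool {pool}")
    if len(summary["spis"]) != 2 * len(summary["policies"]):
        findings.append(f"expected two ESP SAs per policy, saw {len(summary['spis'])}")
    return findings


# David's log from the thread (Push Network(s) = 192.168.1.0/24, client behind NAT).
DAVID_LOG = """\
Apr 27 16:06:26 pbx daemon.info racoon: [198.228.206.162] INFO: received INITIAL-CONTACT
Apr 27 16:06:26 pbx daemon.info racoon: INFO: ISAKMP-SA established 24.128.119.26[4500]-198.228.206.162[62499] spi:a8c182b72af51557:2099735aad9bb43c
Apr 27 16:06:27 pbx daemon.info racoon: INFO: login succeeded for user "david"
Apr 27 16:06:27 pbx daemon.info racoon: INFO: respond new phase 2 negotiation: 24.128.119.26[4500]<=>198.228.206.162[62499]
Apr 27 16:06:27 pbx daemon.info racoon: INFO: no policy found, try to generate the policy : 192.168.2.1/32[0] 192.168.1.0/24[0] proto=any dir=in
Apr 27 16:06:27 pbx daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 24.128.119.26[4500]->198.228.206.162[62499] spi=106011926(0x6519d16)
Apr 27 16:06:27 pbx daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 24.128.119.26[4500]->198.228.206.162[62499] spi=230041645(0xdb6282d)
""".splitlines()

# Lonnie's log from the thread with Push Network(s) deleted: full tunnel.
FULL_TUNNEL_LOG = """\
Apr 26 22:09:22 pbx daemon.info racoon: INFO: respond new phase 2 negotiation: 10.10.50.62[500]<=>10.10.10.85[500]
Apr 26 22:09:22 pbx daemon.info racoon: INFO: no policy found, try to generate the policy : 10.9.1.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 26 22:09:22 pbx daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.10.50.62[500]->10.10.10.85[500] spi=94259665(0x59e49d1)
Apr 26 22:09:22 pbx daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.10.50.62[500]->10.10.10.85[500] spi=233833350(0xdf00386)
""".splitlines()

if __name__ == "__main__":
    for name, log, push, pool in [
        ("david", DAVID_LOG, "192.168.1.0/24", "192.168.2.1/24"),
        ("lonnie, no push network", FULL_TUNNEL_LOG, "192.168.101.0/24", "10.9.1.1/24"),
    ]:
        s = parse_racoon(log)
        print(name, f"user={s['user']} nat_t={s['nat_t']}", check_session(s, push, pool) or "OK")
```

Run against David's excerpt the check comes back clean: racoon generated exactly the 192.168.2.1/32 to 192.168.1.0/24 policy his Push Network(s) asked for, with two ESP SAs, so the split-tunnel policy itself is not the problem. The port 4500 in his ISAKMP line means NAT traversal is in use, so if you want to watch the VPN traffic itself (his other question) capture on the AstLinux external interface with a tcpdump filter such as `udp port 500 or udp port 4500 or esp`; the ESP packets are UDP-encapsulated there, and the decrypted inner packets are only visible on the LAN side interface.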