Hi David,

Your logs look perfect to my eye.

Let's take this off-list for more debugging...

Lonnie

On Apr 27, 2012, at 3:20 PM, David Kerr wrote:

> Lonnie, is there a way I can debug this? It is not just ping/traceroute, I
> am not able to get to a web site behind the VPN when I set up push networks...
> Safari just times out, no response from server. Is there any way I can
> monitor VPN requests over the network?
>
> Syslog attached also, nothing is logged after login.
>
> Thanks
>
> David
>
> Apr 27 16:06:26 pbx daemon.info racoon: [198.228.206.162] INFO: received INITIAL-CONTACT
> Apr 27 16:06:26 pbx daemon.info racoon: INFO: ISAKMP-SA established 24.128.119.26[4500]-198.228.206.162[62499] spi:a8c182b72af51557:2099735aad9bb43c
> Apr 27 16:06:27 pbx daemon.info racoon: INFO: Using port 0
> Apr 27 16:06:27 pbx daemon.info racoon: INFO: verifying user from /tmp/etc/xauthuser.txt
> Apr 27 16:06:27 pbx daemon.info racoon: INFO: login succeeded for user "david"
> Apr 27 16:06:27 pbx daemon.info racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
> Apr 27 16:06:27 pbx daemon.info racoon: WARNING: Ignored attribute 28683
> Apr 27 16:06:27 pbx daemon.info racoon: INFO: respond new phase 2 negotiation: 24.128.119.26[4500]<=>198.228.206.162[62499]
> Apr 27 16:06:27 pbx daemon.info racoon: INFO: no policy found, try to generate the policy : 192.168.2.1/32[0] 192.168.1.0/24[0] proto=any dir=in
> Apr 27 16:06:27 pbx daemon.info racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
> Apr 27 16:06:27 pbx daemon.info racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
> Apr 27 16:06:27 pbx daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 24.128.119.26[4500]->198.228.206.162[62499] spi=106011926(0x6519d16)
> Apr 27 16:06:27 pbx daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 24.128.119.26[4500]->198.228.206.162[62499] spi=230041645(0xdb6282d)
>
> On Friday, April 27, 2012, Lonnie Abelbeck wrote:
>
> Hi David,
>
> After further investigation, the VPN gateway IP (192.168.2.1 in your case,
> 10.9.1.1 for me) does not respond to ICMP (or any other) requests, therefore
> the first hop of a traceroute times out. A *real* traceroute will then
> continue to the second hop and see the local LAN IP address.
>
> It seems the "Ping Lite" app stops on the first hop that reports three
> "timeouts".
>
> Lonnie
>
> On Apr 26, 2012, at 10:24 PM, Lonnie Abelbeck wrote:
>
> > Hi David,
> >
> > We have tested (extensively) what you want to do, and it works for us.
> >
> > Are you using iOS 5.1 ? Double check for typos, you want:
> > --
> > Push Network(s): 192.168.1.0/24
> > --
> > Are you using the "Ping Lite" app to test with ? The ping there seems to
> > work, but traceroute does not for me.
> >
> > So, your problem might be just a bad app.
> >
> > When I was testing I used a web server in the local network and accessed it
> > just fine with the iOS browser.
> >
> > Further detail...
> >
> > Tip, I prefer using the Remote IPv4 Base / Mask of 10.9.1.1 / 255.255.255.0
> > or something more odd-ball so as to be unique. The Remote IPv4 must be
> > unique between remote and local networks.
> >
> > If you still can't get it to work, look at the server logs with "Info"
> > logging:
> >
> > For me I have:
> > --
> > Push Network(s): 192.168.101.0/24
> > --
> > You should see the "no policy found, try to generate the policy" line:
> >
> > Apr 26 21:51:33 pbx daemon.info racoon: INFO: respond new phase 2 negotiation: 10.10.50.62[500]<=>10.10.10.85[500]
> > Apr 26 21:51:33 pbx daemon.info racoon: INFO: no policy found, try to generate the policy : 10.9.1.1/32[0] 192.168.101.0/24[0] proto=any dir=in
> > Apr 26 21:51:33 pbx daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.10.50.62[500]->10.10.10.85[500] spi=163860196(0x9c44ee4)
> > Apr 26 21:51:33 pbx daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.10.50.62[500]->10.10.10.85[500] spi=249302327(0xedc0d37)
> >
> > Then if I delete "Push Network(s)" and restart IPsec, I see the "no policy
> > found, try to generate the policy" line:
> >
> > Apr 26 22:09:22 pbx daemon.info racoon: INFO: respond new phase 2 negotiation: 10.10.50.62[500]<=>10.10.10.85[500]
> > Apr 26 22:09:22 pbx daemon.info racoon: INFO: no policy found, try to generate the policy : 10.9.1.1/32[0] 0.0.0.0/0[0] proto=any dir=in
> > Apr 26 22:09:22 pbx daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.10.50.62[500]->10.10.10.85[500] spi=94259665(0x59e49d1)
> > Apr 26 22:09:22 pbx daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.10.50.62[500]->10.10.10.85[500] spi=233833350(0xdf00386)
> >
> > Lonnie
> >
> > On Apr 26, 2012, at 8:05 PM, David Kerr wrote:
> >
> >> Lonnie,
> >> I need some configuration help. I have my iPhone connecting to the VPN
> >> and it is working. However, as noted in the documentation, the iPhone is
> >> routing ALL traffic through the VPN, not just traffic to my internal
> >> network. I tried the Push Network(s) setting but it fails.
> >>
> >> My internal network is 192.168.1.xx
> >> I set remote IPv4 base to 192.168.2.1 and mask to 255.255.255.0
> >>
> >> If I leave the push network(s) blank then everything works, but all
> >> traffic goes through the VPN (traceroute [yes there is an app for that]
> >> starts with the external IP address of the astlinux box).
> >>
> >> If I enter 192.168.1.0/24 into the Push Network(s) field then nothing
> >> routes to any 192.168.1.xx destination. Traceroute times out on the first
> >> hop. But traceroute to anywhere else works (without going through the
> >> astlinux box).
> >>
> >> Am I doing something wrong with the Push Network(s) setting?
> >>
> >> Thanks
> >> David

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to
[email protected].
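Added example, not from the thread or from AstLinux: a small Python checker for the racoon "no policy found, try to generate the policy" line Lonnie points at. It parses the two selectors so the difference between a pushed-network policy (split tunnel) and the 0.0.0.0/0 default-route policy is visible, and encodes Lonnie's tip that the Remote IPv4 pool must not overlap the LAN. The sample log lines are constructed from the ones quoted above; all function names are assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on the racoon lines quoted in the thread
# (first block: push network set; second block: push network deleted).
SAMPLE_LOG = """\
Apr 26 21:51:33 pbx daemon.info racoon: INFO: respond new phase 2 negotiation: 10.10.50.62[500]<=>10.10.10.85[500]
Apr 26 21:51:33 pbx daemon.info racoon: INFO: no policy found, try to generate the policy : 10.9.1.1/32[0] 192.168.101.0/24[0] proto=any dir=in
Apr 26 21:51:33 pbx daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.10.50.62[500]->10.10.10.85[500] spi=163860196(0x9c44ee4)
Apr 26 22:09:22 pbx daemon.info racoon: INFO: no policy found, try to generate the policy : 10.9.1.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 26 22:09:22 pbx daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.10.50.62[500]->10.10.10.85[500] spi=94259665(0x59e49d1)
"""

# Selector pair racoon prints when it generates a policy for a road-warrior
# client: <client address>[port] <remote network>[port] proto=... dir=...
POLICY_RE = re.compile(
    r"generate the policy : (?P<client>\S+)\[\d+\] (?P<remote>\S+)\[\d+\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>\S+)"
)


def parse_policies(log_text):
    """One dict per 'no policy found, try to generate the policy' line."""
    policies = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            policies.append({"client": ipaddress.ip_network(m["client"], strict=False),
                             "remote": ipaddress.ip_network(m["remote"], strict=False),
                             "proto": m["proto"], "dir": m["dir"]})
    return policies


def classify_policy(policy, push_networks):
    """Tell a split tunnel (remote selector equals a pushed network) from a
    default-route tunnel (0.0.0.0/0) or a selector matching neither."""
    remote = policy["remote"]
    if remote.prefixlen == 0:
        return "full-tunnel"
    pushed = {ipaddress.ip_network(n, strict=False) for n in push_networks}
    return "split-tunnel" if remote in pushed else "unexpected"


def pool_overlaps(remote_base_mask, local_networks):
    """Lonnie's tip as a check: the client pool (Remote IPv4 Base / Mask)
    must not overlap any LAN that is pushed to the client."""
    pool = ipaddress.ip_network(remote_base_mask, strict=False)
    return any(pool.overlaps(ipaddress.ip_network(n, strict=False)) for n in local_networks)
```

Run it against `grep racoon /var/log/messages` output with the Push Network(s) value from the web interface; an "unexpected" result means the phone negotiated a selector that is not the network you pushed.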
