On Fri, Jan 7, 2011 at 4:11 AM, Matthew Grooms <[email protected]> wrote:
> On 1/6/2011 5:47 PM, Emre Erenoglu wrote:
>
>> Dear Shrew Users,
>>
>> I have a strange problem. I'm using Shrew Soft client on my XP
>> successfully, everything is working fine.
>>
>> I'm exporting the same configuration to my Linux system, it seems to
>> connect fine since I get the "tunnel enabled" message and the tap0
>> interface gets an address, however, the "security associations"
>> "established" shows "0" and after some time "failed" starts to
>> increase. Status shows "connected" and remote host shows the IP.
>> Transport used is NAT-T / IKE / ESP. Fragmentation and Dead Peer
>> Detection show disabled although I enabled them in the config.
>>
>> I tried to search the internet, saw settings about rp_filter, so I set the
>> following sysctl values and rebooted.
>> net.ipv4.conf.default.rp_filter = 0
>> net.ipv4.conf.all.rp_filter = 0
>>
>> Still no luck. My iptables is empty, there are no other firewalls on the
>> system. Do you have any idea why this Phase2 negotiation is failing? I'm
>> pasting the logs below. Please note that I changed the shown IP
>> addresses by hand, so don't mind them unless necessary.
>>
>
> Your phase2 negotiation is not completing successfully. As a result, you
> don't have an IPsec SA to send traffic with. The kernel is sending an
> ACQUIRE message appropriately, and the ike daemon is attempting to negotiate
> phase2 but is failing to get a response from the peer.
>
> BTW, what is 1.2.176.8?
>
> ...
>
> ii : creating NONE INBOUND policy ANY:0.0.0.0:* -> ANY:1.2.176.8:*
> K> : send pfkey X_SPDADD UNSPEC message
> ii : creating NONE OUTBOUND policy ANY:1.2.176.8:* -> ANY:0.0.0.0:*
> K< : recv pfkey X_SPDADD UNSPEC message
> ii : created NONE policy route for 0.0.0.0/32
>
> If I recall correctly, these NONE policies get created when there is a
> route to the peer, usually a default gateway. However, your next hop
> shouldn't be at 1.2.176.8. It's not even close to 192.168.1.150. Do you have
> static entries in your route table for something?
>
> -Matthew

No, these are addresses I made up myself so as not to disclose server
addresses to a public mailing list. However, if the key to the solution is
them, I can send them intact. As far as I saw, those addresses were OK: one
was the address assigned to me, the other was the VPN server address.

There was one thing in the logs:

ii : received config pull response
ii : - IP4 Address = 1.2.176.8
ii : - Address Expiry = 0
ii : - IP4 Netmask = 255.255.240.0
ii : - IP4 DNS Server = 1.2.1.13
ii : - IP4 DNS Server = 1.2.1.199
ii : - IP4 Subnet = ANY:0.0.0.0/0:* ( invalid subnet ignored )

Could the last "ignored" be an issue? Maybe I can test the same in Windows.
Any other clues?

-- 
Emre
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
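The two things singled out in the thread, the NONE bypass policies that name 1.2.176.8 and the config-pull subnet the client dropped as invalid, can be pulled out of an iked log mechanically. The script below is an added example for this thread, not Shrew Soft's code and not something either poster ran: it parses log lines in the "ii : ...", "K> : ...", "K< : ..." shape quoted above, reconstructs the config-pull attributes and the SPD policies, and flags ignored attributes plus any NONE (cleartext) policy whose endpoint is the pulled virtual address or some other address that is not the IKE peer or next hop, which is the check Matthew did by eye. The line formats are assumed from the excerpts only, the sample log is constructed from the lines quoted in the thread, and the peer address 203.0.113.10 passed to triage() is a hypothetical placeholder.

```python
"""Triage helper for Shrew Soft iked log excerpts.

Added example, not Shrew Soft's code. The line formats are assumed from the
excerpts quoted in the thread ("ii : ...", "K> : ...", "K< : ...").
"""
import re
from dataclasses import dataclass

# Constructed sample: only lines quoted in the thread, with the addresses as
# the poster altered them. 1.2.176.8 is the address pulled from the gateway.
SAMPLE_LOG = """\
ii : received config pull response
ii : - IP4 Address = 1.2.176.8
ii : - Address Expiry = 0
ii : - IP4 Netmask = 255.255.240.0
ii : - IP4 DNS Server = 1.2.1.13
ii : - IP4 DNS Server = 1.2.1.199
ii : - IP4 Subnet = ANY:0.0.0.0/0:* ( invalid subnet ignored )
ii : creating NONE INBOUND policy ANY:0.0.0.0:* -> ANY:1.2.176.8:*
K> : send pfkey X_SPDADD UNSPEC message
ii : creating NONE OUTBOUND policy ANY:1.2.176.8:* -> ANY:0.0.0.0:*
K< : recv pfkey X_SPDADD UNSPEC message
ii : created NONE policy route for 0.0.0.0/32
"""

# "<source> : <message>"; the source tag is "ii" for info, "K>"/"K<" for pfkey
LINE_RE = re.compile(r"^(?P<src>\S+)\s*:\s(?P<msg>.*)$")
# "- Key = Value" with an optional trailing "( note )", e.g. the ignored subnet
ATTR_RE = re.compile(r"^- (?P<key>.+?) = (?P<val>.+?)(?: \( (?P<note>.+?) \))?$")
# "creating NONE INBOUND policy ANY:0.0.0.0:* -> ANY:1.2.176.8:*"
POLICY_RE = re.compile(
    r"^creating (?P<ptype>\w+) (?P<pdir>INBOUND|OUTBOUND) policy "
    r"(?P<src>\S+) -> (?P<dst>\S+)$"
)

WILDCARDS = {"0.0.0.0", "0.0.0.0/0"}


@dataclass(frozen=True)
class Policy:
    ptype: str  # "NONE" = cleartext bypass, "IPSEC" = protected
    pdir: str   # INBOUND or OUTBOUND
    src: str    # address part of "proto:addr:port"
    dst: str


def endpoint_addr(endpoint: str) -> str:
    """'ANY:1.2.176.8:*' -> '1.2.176.8'; 'ANY:0.0.0.0/0:*' -> '0.0.0.0/0'."""
    return endpoint.split(":")[1]


def parse_log(text: str):
    """Return (config-pull attributes, SPD policies) found in the log."""
    attrs, policies, in_pull = [], [], False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg == "received config pull response":
            in_pull = True
            continue
        if in_pull:
            a = ATTR_RE.match(msg)
            if a:
                attrs.append((a.group("key"), a.group("val"), a.group("note")))
                continue
            in_pull = False  # first non-attribute line closes the block
        p = POLICY_RE.match(msg)
        if p:
            policies.append(Policy(p.group("ptype"), p.group("pdir"),
                                   endpoint_addr(p.group("src")),
                                   endpoint_addr(p.group("dst"))))
    return attrs, policies


def triage(text: str, bypass_ok: set) -> list:
    """Findings as strings. bypass_ok holds the addresses for which a NONE
    (cleartext) policy is expected, i.e. the IKE peer and the next hop."""
    attrs, policies = parse_log(text)
    pulled = {key: val for key, val, _ in attrs}
    findings = []
    for key, val, note in attrs:
        if note and "ignored" in note:
            findings.append(f"config attribute '{key} = {val}' was ignored ({note})")
    for pol in policies:
        if pol.ptype != "NONE":
            continue
        # the non-wildcard side of a bypass policy is what it exempts from IPsec
        for addr in (pol.src, pol.dst):
            if addr in WILDCARDS:
                continue
            if addr == pulled.get("IP4 Address"):
                findings.append(f"{pol.pdir} NONE policy exempts the pulled "
                                f"virtual address {addr} itself from IPsec")
            elif addr not in bypass_ok:
                findings.append(f"{pol.pdir} NONE policy exempts {addr}, which is "
                                f"neither the IKE peer nor the next hop")
    return findings


if __name__ == "__main__":
    # 203.0.113.10 is a hypothetical peer address; substitute the real gateway.
    for finding in triage(SAMPLE_LOG, {"203.0.113.10"}):
        print("!!", finding)
```

Run against the thread's excerpt it reports three findings: the ignored "IP4 Subnet" attribute and the two NONE policies that exempt the client's own pulled address. A NONE policy for the real IKE peer or the default gateway is expected and passes silently once that address is in bypass_ok, so the script can be pointed at a full iked log without drowning the interesting lines.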
