Well,
I dug a little bit into the packet exchange and into the client source code
as well, and I have found that the problem is with the protocol change.
I really do not know why I initially got the packets with 'ERR' just
after password checking, since during my tests it turned out that the real
problem is the protocol.
I tried to use client v. 3.0.1 (and then 3.0.2) with server v. 2.6.
The failure appeared after the <TaKE> message (precisely: after 'E', which in
the new protocol version should be followed by a number).
So I went back to client v. 2.6 and the problem disappeared.
Apart from explaining the reason and solving the problem, I am a little
bit disappointed with the ChangeLog content, because there is no information
about the protocol incompatibility.
It can only be deduced from the major version number change (2.x -> 3.x), but
in my opinion such an important change should be reported in the ChangeLog.
Anyway, thanks for the assistance.
Regards,
Dorian
> Dorian,
>
> This is just off the top of my head, I didn't really look at the packet
> captures... but if the vtun client is compiled with OpenSSL and the
> server without it, or vice versa, it will fail with that error message
> and nothing more informative. If you want to test for that, here are a
> few little patches to 3.0.1:
>
> Error log to syslog for password or SSL mismatch:
>
> diff -rupN vtun-3.0.1-orig/auth.c vtun/auth.c
> --- vtun-3.0.1-orig/auth.c 2006-12-11 02:55:06.000000000 -0500
> +++ vtun/auth.c 2010-03-03 09:16:21.000000000 -0500
> @@ -352,8 +352,10 @@ struct vtun_host * auth_server(int fd)
> break;
> }
> print_p(fd,"OK FLAGS: %s\n", bf2cf(h));
> - } else
> - h = NULL;
> + } else {
> + vtun_syslog(LOG_ERR, "authentication challenge failed -
> password mismatch or SSL mismatch.");
> + h = NULL;
> + }
> }
> break;
> }
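Review bot: the added `vtun_syslog(LOG_ERR, ...)` line has been wrapped by the mail client, so its continuation `password mismatch or SSL mismatch.");` carries no `+` prefix and the hunk will not apply until that text is rejoined onto the `+` line. Also worth naming the session in the message: `h` is still valid at that point (the `h = NULL;` comes on the following line and `bf2cf(h)` used it just above), and server.c already logs the same structure's name as `host->host`, so something like `"authentication challenge failed for %s - password or SSL mismatch", h->host` would tell the admin which host entry the failing peer asked for.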
>
> Adds a log message with the remote host IP when the session is closed:
>
> diff -rupN vtun-3.0.1-orig/server.c vtun/server.c
> --- vtun-3.0.1-orig/server.c 2006-12-11 02:55:06.000000000 -0500
> +++ vtun/server.c 2010-03-03 09:17:59.000000000 -0500
> @@ -85,8 +85,7 @@ void connection(int sock)
> sa.sa_flags=SA_NOCLDWAIT;;
> sigaction(SIGHUP,&sa,NULL);
>
> - vtun_syslog(LOG_INFO,"Session %s[%s:%d] opened", host->host, ip,
> - ntohs(cl_addr.sin_port) );
> + vtun_syslog(LOG_INFO,"Session %s[%s:%d] opened", host->host, ip,
> ntohs(cl_addr.sin_port) );
> host->rmt_fd = sock;
>
> host->sopt.laddr = strdup(inet_ntoa(my_addr.sin_addr));
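Review bot: this hunk only re-flows the existing `Session %s[%s:%d] opened` syslog call onto one physical line (8 lines become 7 in the header) without changing the statement, so it is a whitespace-only change and should be dropped from a patch presented as a logging fix; it is also what shifts the later header to `-184,8 +182,11`. The `+` line's continuation `ntohs(cl_addr.sin_port) );` shows the same mail wrapping as in auth.c and lacks its `+`. Unrelated, but visible in the context: `sa.sa_flags=SA_NOCLDWAIT;;` has a stray second semicolon.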
> @@ -97,13 +96,12 @@ void connection(int sock)
> /* Start tunnel */
> tunnel(host);
>
> - vtun_syslog(LOG_INFO,"Session %s closed", host->host);
> + vtun_syslog(LOG_INFO,"Session %s[%s:%d] closed", host->host, ip,
> ntohs(cl_addr.sin_port) );
>
> /* Unlock host. (locked in auth_server) */
> unlock_host(host);
> } else {
> - vtun_syslog(LOG_INFO,"Denied connection from %s:%d", ip,
> - ntohs(cl_addr.sin_port) );
> + vtun_syslog(LOG_INFO,"Denied connection from %s:%d", ip,
> ntohs(cl_addr.sin_port) );
> }
> close(sock);
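Review bot: keep the `Session %s[%s:%d] closed` change; it mirrors the `opened` line, so the two events of one session can be paired by peer address and port, which the earlier bare `Session %s closed` did not allow. The `Denied connection from %s:%d` part of the hunk is, like the previous hunk, a re-flow of the same statement (the `-` and `+` lines are identical apart from line breaks) and should be dropped. The denied branch itself still logs no reason, which is exactly the `Denied connection from YYY.YYY.YYY.YYY:2049` that left the original report guessing; the LOG_ERR added in auth.c is what supplies that reason, so the two files' hunks belong together.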
>
> Adds "with[out] SSL" to startup message
>
> diff -rupN vtun-3.0.1-orig/server.c vtun/server.c
> --- vtun-3.0.1-orig/server.c 2006-12-11 02:55:06.000000000 -0500
> +++ vtun/server.c 2010-03-03 09:17:59.000000000 -0500
> @@ -184,8 +182,11 @@ void server(int sock)
> sigaction(SIGPIPE,&sa,NULL);
> sigaction(SIGUSR1,&sa,NULL);
>
> - vtun_syslog(LOG_INFO,"VTUN server ver %s (%s)", VTUN_VER,
> - vtun.svr_type == VTUN_INETD ? "inetd" : "stand" );
> +#ifdef HAVE_SSL
> + vtun_syslog(LOG_INFO,"VTUN server ver %s (%s) with SSL", VTUN_VER,
> vtun.svr_type == VTUN_INETD ? "inetd" : "stand" );
> +#else
> + vtun_syslog(LOG_INFO,"VTUN server ver %s (%s) without SSL",
> VTUN_VER, vtun.svr_type == VTUN_INETD ? "inetd" : "stand" );
> +#endif
>
> switch( vtun.svr_type ){
> case VTUN_STAND_ALONE:
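Review bot: the `#ifdef HAVE_SSL` / `#else` branches duplicate the whole `vtun_syslog` call to change one word, so the format string and argument list now have to be kept in sync in two places. Define the suffix once and keep a single call, for example `#define SSL_TAG "with SSL"` and `#define SSL_TAG "without SSL"` under the same `#ifdef`/`#else`, then `vtun_syslog(LOG_INFO,"VTUN server ver %s (%s) " SSL_TAG, VTUN_VER, ...)` (`SSL_TAG` is a name suggested here, not one that exists in vtun). The continuation lines after each `+ vtun_syslog(` are again missing their `+` from mail wrapping, and the `+182` in the header presupposes the two earlier server.c hunks; if the whitespace-only one is dropped, regenerate the diff rather than hand-editing the offsets.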
>
> -Jason Antman
> Rutgers University
>
> dorian wrote:
>
>> Hi all,
>> I have been using VTun for over half a year.
>> I have two Linksys routers running WhiteRussian 0.9 with vtun (+ some
>> required libraries) installed from *.ipk packages.
>> Up to now everything was OK.
>>
>> But in the last few days I've tried to recompile the firmware of one of my
>> Linksys routers using Kamikaze.
>> Additionally I wanted to customize it to have VTun included and exclude
>> uninteresting stuff.
>>
>> After that the VTun connection problem appeared.
>>
>> On the Linksys side I see:
>> #vtund -n -f /tmp/vtund.conf MySession XXX.XXX.XXX.XXX
>> vtund[617]: VTun client ver 3.X 05/01/2010 started
>> vtund[617]: Connecting to XXX.XXX.XXX.XXX
>> vtund[617]: Connection denied by XXX.XXX.XXX.XXX
>>
>> On the server side:
>> [vtund] Denied connection from
>> YYY.YYY.YYY.YYY:2049
>>
>>
>>
>> Running tcpdump at server I see:
>> #tcpdump -n -i eth1 host YYY.YYY.YYY.YYY and port 5000 -s 1500 -A
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth1, link-type EN10MB (Ethernet), capture size 1500 bytes
>> 14:53:47.158288 IP YYY.YYY.YYY.YYY.2051 > XXX.XXX.XXX.XXX.5000: S
>> 1616526116:1616526116(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
>> e.....@.<.=5MO....7.....`Z;$........q!..............
>>
>>
>> 14:53:47.158314 IP XXX.XXX.XXX.XXX.5000 > YYY.YYY.YYY.YYY.2051: S
>> 2318711996:2318711996(0) ack 1616526117 win 5840 <mss
>> 1460,nop,nop,sackOK,nop,wscale 6>
>> e.....@.@.
>>
>>
>> ...7.MO.......4..`Z;%....*...............
>>
>>
>> 14:53:47.172165 IP YYY.YYY.YYY.YYY.2051 > XXX.XXX.XXX.XXX.5000: . ack 1
>> win
>> 5840
>>
>> E..(....@.<[email protected].....`z;%.4..P...j.........
>>
>>
>> 14:53:47.172426 IP XXX.XXX.XXX.XXX.5000 > YYY.YYY.YYY.YYY.2051: P
>> 1:51(50) ack 1 win
>> 92
>> e.....@[email protected][..7.MO.......4..`Z;%P..\0j..VTUN server ver 12/04/2009
>> A
>>
>>
>> ....................
>>
>>
>> 14:53:47.180773 IP YYY.YYY.YYY.YYY.2051 > XXX.XXX.XXX.XXX.5000: . ack 51
>> win
>> 5840
>> E..(....@.<.=?MO....7.....`Z;%.4..P...j.........
>>
>>
>> 14:53:47.180791 IP YYY.YYY.YYY.YYY.2051 > XXX.XXX.XXX.XXX.5000: P
>> 1:51(50) ack 51 win
>> 5840
>> e.....@.<.=.MO....7.....`Z;%.4..P...S_..HOST: MySession
>>
>>
>>
>> ...............................
>>
>>
>> 14:53:47.180799 IP XXX.XXX.XXX.XXX.5000 > YYY.YYY.YYY.YYY.2051: . ack 51
>> win
>> 92
>> E..(.&@[email protected]..`z;WP..\....
>>
>>
>> 14:53:47.181110 IP XXX.XXX.XXX.XXX.5000 > YYY.YYY.YYY.YYY.2051: P
>> 51:101(50) ack 51 win
>> 92
>> E..Z.'@[email protected]..`z;WP..\0j..OK CHAL:
>> <inbkfagjkeldbpanjholnjmendojfofm>
>>
>>
>> ......
>> 14:53:47.192302 IP YYY.YYY.YYY.YYY.2051 > XXX.XXX.XXX.XXX.5000: P
>> 51:101(50) ack 101 win 5840
>> e.....@.<.=.MO....7.....`Z;W.4.!P.......CHAL:
>> <cobbhfcjieabidkcbiiihofnghljdkei>
>> .........
>> 14:53:47.192392 IP XXX.XXX.XXX.XXX.5000 > YYY.YYY.YYY.YYY.2051: P
>> 101:151(50) ack 101 win 92
>> E..Z.(@[email protected].!`z;.P..\0j..ERR
>>
>> So the problem concerns password checking (at least that is what it looks like).
>> But I used exactly the same config files both for the server (here nothing
>> has been changed)
>> and for the newly compiled Linksys client (the client config has worked with
>> the WhiteRussian-powered router).
>>
>> Probably I missed something (not compiled) in the Kamikaze configuration.
>>
>> Any ideas will be appreciated.
>>
>> Regards,
>> Dorian
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Vtun-Users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/vtun-users
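For anyone reading this thread with a similar failure, here is a small Python script (an added example, not code from the VTun project or from anyone in this thread) that reconstructs the clear-text handshake from `tcpdump -A` output like the capture quoted above and reports which client message the server answered with ERR. The sample capture inside it is constructed to mimic that output; the addresses, the challenge strings, and the `parse_handshake`/`diagnose`/`explain` helper names are this example's own, not vtun's.

```python
"""Reconstruct the clear-text VTun handshake from `tcpdump -A` text.

Added example for this thread, not code from the VTun project. It only
understands the handshake keywords visible in the quoted capture (server
greeting, HOST:, OK CHAL:, CHAL:, OK FLAGS:, ERR) and says nothing about
the rest of the protocol. The sample below is constructed to mimic that
capture: documentation-range addresses and made-up challenge strings.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_CAPTURE = """\
14:53:47.172426 IP 192.0.2.1.5000 > 198.51.100.7.2051: P 1:51(50) ack 1 win 92
E..Z.'@.@....VTUN server ver 12/04/2009
....................
14:53:47.180791 IP 198.51.100.7.2051 > 192.0.2.1.5000: P 1:51(50) ack 51 win 5840
E..Z..@.<....HOST: MySession
...............................
14:53:47.181110 IP 192.0.2.1.5000 > 198.51.100.7.2051: P 51:101(50) ack 51 win 92
E..Z.'@.@....OK CHAL: <aaaabbbbccccddddeeeeffffgggghhhh>
......
14:53:47.192302 IP 198.51.100.7.2051 > 192.0.2.1.5000: P 51:101(50) ack 101 win 5840
E..Z..@.<....CHAL: <hhhhggggffffeeeeddddccccbbbbaaaa>
.........
14:53:47.192392 IP 192.0.2.1.5000 > 198.51.100.7.2051: P 101:151(50) ack 101 win 92
E..Z.(@.@....ERR
"""

# tcpdump packet header: timestamp, "IP", src.port > dst.port:
HEADER_RE = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): ')
# Handshake keywords found in the ASCII dump of a packet. 'OK CHAL:' must
# come before 'CHAL:' so the server's challenge is not mistaken for the reply.
MSG_RE = re.compile(
    r'(VTUN server ver \S+|HOST: \S+|OK CHAL: <[^>]*>|CHAL: <[^>]*>|OK FLAGS: \S+|\bERR\b)')
KINDS = ('VTUN server ver', 'OK CHAL:', 'OK FLAGS:', 'HOST:', 'CHAL:', 'ERR')


@dataclass
class Step:
    ts: str
    src: str
    dst: str
    msg: str


def kind(msg: str) -> str:
    """Classify a handshake message by its keyword prefix."""
    return next(k for k in KINDS if msg.startswith(k))


def parse_handshake(text: str) -> List[Step]:
    """Pair each tcpdump packet header with the handshake keyword, if any, in its dump."""
    steps, hdr = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            hdr = m          # new packet; its payload lines follow
            continue
        if hdr is None:
            continue
        k = MSG_RE.search(line)
        if k:
            steps.append(Step(hdr['ts'], hdr['src'], hdr['dst'], k.group(1)))
            hdr = None       # one handshake message per packet
    return steps


def diagnose(steps: List[Step]) -> dict:
    """Summarise how far the handshake got and which client message the server rejected."""
    # The server is whichever side sent the greeting; without it sides cannot be told apart.
    server = next((s.src for s in steps if kind(s.msg) == 'VTUN server ver'), None)

    def side(s: Step) -> str:
        return 'server' if s.src == server else 'client'

    report = {'server': server, 'server_version': None, 'host': None,
              'stages': [f'{side(s)}: {kind(s.msg)}' for s in steps],
              'result': 'incomplete', 'failed_after': None}
    for i, s in enumerate(steps):
        k = kind(s.msg)
        if k == 'VTUN server ver':
            report['server_version'] = s.msg.split(' ', 3)[3]
        elif k == 'HOST:':
            report['host'] = s.msg.split(' ', 1)[1]
        elif k == 'OK FLAGS:':
            report['result'] = 'authenticated'
        elif k == 'ERR':
            report['result'] = 'rejected'
            # The last client message before ERR is the one the server was answering.
            prior = [p for p in steps[:i] if side(p) == 'client']
            report['failed_after'] = kind(prior[-1].msg) if prior else None
            break
    return report


def explain(report: dict) -> str:
    """Turn the report into the one-line verdict an operator wants."""
    if report['result'] == 'authenticated':
        return f"session {report['host']} authenticated against server {report['server_version']}"
    if report['result'] == 'rejected':
        if report['failed_after'] == 'CHAL:':
            return ("server answered ERR to the challenge response: wrong password, or client and "
                    "server disagree on OpenSSL support / protocol version (vtund reports all of "
                    "these the same way, as this thread shows)")
        if report['failed_after'] == 'HOST:':
            return "server answered ERR before issuing a challenge: session name not accepted"
        return "server answered ERR"
    return "handshake did not complete within the capture"


if __name__ == '__main__':
    rep = diagnose(parse_handshake(SAMPLE_CAPTURE))
    for stage in rep['stages']:
        print(stage)
    print(explain(rep))
```

Feed it the output of `tcpdump -n -A` on the vtund port; a capture ending in `server: ERR` straight after `client: CHAL:` is the pattern both the SSL-mismatch and the 2.x/3.x protocol-mismatch cases in this thread produce, so the script names all of those rather than blaming the password alone.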