[Openswan Users] Windows 7 IKEv2 no reaction at all

Kevin Keane subscription at kkeane.com
Mon Aug 8 22:23:05 EDT 2011

I haven't followed this discussion, so if I repeat something you already tried, forgive me.

Check what program is actually listening on UDP ports 50, 500 and 4500:

netstat -lunp

Also check that openswan is listening on all IP addresses.

Make sure that there are not two copies of openswan running.

Check and see if there is any other security software (selinux etc.) running and preventing openswan from reading configuration files.

Add a logging statement in iptables to log accepted packets on ports 50, 500 and 4500. With your logging, you only have the negative proof that the packets aren't dropped - but you don't have proof positive that the packets ever arrive.

Check ARP resolution to see if maybe the packets are sent off into the great beyond instead of to openswan.

Kevin Keane
The NetTech

> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org]
> On Behalf Of Roland Plüss
> Sent: Monday, August 08, 2011 5:32 PM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Windows 7 IKEv2 no reaction at all
> On 08/08/2011 10:05 PM, Paul Wouters wrote:
> > On Mon, 8 Aug 2011, Roland Plüss wrote:
> >
> >>> We're at 2.6.35, so that's kinda old....
> >> 2.6.29 is the second-latest untested in GenToo. 2.6.31 the latest
> >> untested. 2.6.31 crashes though if a connection is initiated so I had
> >> to revert to 2.6.29 .
> >
> > -rw-r--r--    1 0        0        11663568 Sep 27  2010
> > openswan-2.6.29.tar.gz
> > -rw-r--r--    1 0        0        11677821 Oct 18  2010
> > openswan-2.6.31.tar.gz
> >
> > That's a year old, so for IKEv2 and Win7 stuff, that's a bit dated.
> > (though I don't think that is actually your problem right now)
> That's unfortunately a little bit of a problem doing it the GenToo way.
> That said Ubuntu isn't blistering bleeding edge either.
> >> Using this Windows Agile VPN thing or how it is called hence pure
> >> IPSec without l2tp. Used guides to set it up including a strongswan
> >> based one which should be equal for the windows side.
> >
> > Yeah so that should cause IKE packets to flow, but it does not.
> >
> >> On the openswan side I use
> >> the same conn I use for connecting using Un*x machines. Anything
> >> particular one has to do there to get it working?
> >
> > That part does not matter yet, if openswan doesn't receive a single
> > packet.
> >
> > I assume you did disable all firewalling so you're not filtering
> > packets the
> > win7 machine sends?
> No, that should not be the problem. For testing purpose I disabled the
> W7 firewall to be sure without a change. Also the tcpdump I ran on the server
> directly (the output I posted). Furthermore I have as last rule before dropping a
> log rule so if a package would be dropped it would show up in the drop-log.
> There is though no such dropped package so the three sent packages are from
> the W7 machine arriving at the server machine. As an interesting side note
> using 2.4.x (stable under GenToo) the packages did arrive at openswan but it
> logged a warning as IKEv2 is not supported. Upgrading to 2.6.29 made the
> warning log message vanish but as mentioned no reaction from openswan. This
> leads me to the conclusion that openswan gets the packet but somehow totally
> ignores it.
> Unfortunately I've no idea how to debug this further. I even tried with
> plutodebug enabled but no trace in the logs of openswan processing the
> packets. If I use with the very same laptop a Linux and connect with the very
> same certificate and server address I get the connection up and running. So the
> firewall on the server is for sure not the problem and the configuration in
> openswan also not. Could it be openswan doesn't understand the packet sent
> by W7 and drops it without saying anything?
> --
> Yours sincerely
> Plüss Roland
> Leader and Head Programmer
> - Game: Epsylon ( http://www.indiedb.com/games/epsylon ,
> http://epsylon.rptd.ch )
> - Game Engine: Drag[en]gine ( http://www.indiedb.com/engines/dragengine
> , http://dragengine.rptd.ch )
> - Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php
> ) and others
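
Added example, not part of the original message or of Openswan: a shell function that applies the first three checks in the reply (who owns UDP 500 and 4500, whether the address the client targets is bound, whether more than one process holds a port) to `netstat -lunp` output. The function name, its address parameter and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Reads `netstat -lunp` output on stdin and checks the IKE ports UDP 500/4500.
# ESP (IP protocol 50) is not a UDP port, so it has no line in this listing.
# $1 = address the client connects to (hypothetical parameter).
check_ike_listeners() {
    awk -v want="$1" '
    $1 ~ /^udp/ {
        n = split($4, a, ":"); port = a[n]
        if (port != "500" && port != "4500") next
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (!((port, $NF) in seen)) {          # new PID/program on this port
            seen[port, $NF] = 1
            owners[port] = owners[port] " " $NF
            count[port]++
        }
        if (addr == want || addr == "0.0.0.0" || addr == "::") bound[port] = 1
    }
    END {
        bad = 0
        np = split("500 4500", ports, " ")
        for (i = 1; i <= np; i++) {
            p = ports[i]
            if (count[p] == 0) { print "PROBLEM udp/" p ": nothing listening"; bad = 1; continue }
            print "udp/" p " owner(s):" owners[p]
            if (count[p] > 1) { print "PROBLEM udp/" p ": more than one process bound"; bad = 1 }
            if (!bound[p])    { print "PROBLEM udp/" p ": not bound on " want; bad = 1 }
        }
        exit bad
    }'
}

# Constructed sample listing (documentation addresses, not from the thread).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address      Foreign Address    State   PID/Program name
udp        0      0 127.0.0.1:500      0.0.0.0:*                  2211/pluto
udp        0      0 192.0.2.10:500     0.0.0.0:*                  2211/pluto
udp        0      0 127.0.0.1:4500     0.0.0.0:*                  2211/pluto
udp        0      0 192.0.2.10:4500    0.0.0.0:*                  2211/pluto
udp        0      0 0.0.0.0:68         0.0.0.0:*                  901/dhclient
EOF
}

# Demo on the sample; on a live server, as root:
#   netstat -lunp | check_ike_listeners <server address>
sample_netstat | check_ike_listeners 192.0.2.10
```

The function returns non-zero whenever it prints a PROBLEM line, so it can gate a larger troubleshooting script.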
