[Openswan Users] Windows 7 IKEv2 no reaction at all

Roland Plüss roland at rptd.ch
Tue Aug 9 16:20:41 EDT 2011


> I haven't followed this discussion, so if I repeat something you already tried, forgive me.
>
> Check what program is actually listening on UDP ports 50, 500 and 4500:
>
> netstat -lunp
With 50: nothing

With 500:
udp        0      0 127.0.0.1:500           0.0.0.0:*                           8281/pluto
udp        0      0 192.168.0.2:500         0.0.0.0:*                           8281/pluto
udp        0      0 192.168.3.2:500         0.0.0.0:*                           8281/pluto
udp        0      0 192.168.1.10:500        0.0.0.0:*                           8281/pluto
udp6       0      0 ::1:500                 :::*                                8281/pluto

With 4500: nothing

This is the same result as with 2.4.x. The connection IP for the laptop
is 192.168.3.2 in this case (3 eths).
> Also check that openswan is listening on all IP addresses.
Seems to be the case as with a Linux client it works but not with W7 on
the same laptop.
> Make sure that there are not two copies of openswan running.
Runs only once.
> Check and see if there is any other security software (selinux etc.) running and preventing openswan from reading configuration files.
GrSec in use but openswan can read the files properly.
> Add a logging statement in iptables to log accepted packets on port 50, 500 and 4500. With your logging, you only have the negative proof that the packets aren't dropped - but you don't have proof positive that the packets ever arrive.
>
> Check ARP resolution to see if maybe the packets are sent off into the great beyond instead of to openswan.
Used tcpdump to check if the packets arrive at the server. They do but
no reaction if it's W7 but connects if it's Linux on the client end.
>> -----Original Message-----
>> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org]
>> On Behalf Of Roland Plüss
>> Sent: Monday, August 08, 2011 5:32 PM
>> To: users at openswan.org
>> Subject: Re: [Openswan Users] Windows 7 IKEv2 no reaction at all
>>
>> On 08/08/2011 10:05 PM, Paul Wouters wrote:
>>> On Mon, 8 Aug 2011, Roland Plüss wrote:
>>>
>>>>> We're at 2.6.35, so that's kinda old....
>>>> 2.6.29 is the second-latest untested in Gentoo. 2.6.31 the latest
>>>> untested. 2.6.31 crashes though if a connection is initiated so I had
>>>> to revert to 2.6.29.
>>> -rw-r--r--    1 0        0        11663568 Sep 27  2010
>>> openswan-2.6.29.tar.gz
>>> -rw-r--r--    1 0        0        11677821 Oct 18  2010
>>> openswan-2.6.31.tar.gz
>>>
>>> That's a year old, so for IKEv2 and Win7 stuff, that's a bit dated.
>>> (though I dont think that is actually your problem right now)
>> That's unfortunately a little bit of a problem doing it the Gentoo way.
>> That said Ubuntu isn't blistering bleeding edge either.
>>>> Using this Windows Agile VPN thing or whatever it is called, hence pure
>>>> IPsec without L2TP. Used guides to set it up including a strongswan
>>>> based one which should be equal for the windows side.
>>> Yeah so that should cause IKE packets to flow, but it does not.
>>>
>>>> On the openswan side I use
>>>> the same conn I use for connecting using Un*x machines. Anything
>>>> particular one has to do there to get it working?
>>> That part does not matter yet, if openswan doesnt receive a single
>>> packet.
>>>
>>> I assume you did disable all firewalling so you're not filtering
>>> packets the
>>> win7 machine sends?
>> No, that should not be the problem. For testing purposes I disabled the
>> W7 firewall to be sure, without a change. Also the tcpdump I ran on the server
>> directly (the output I posted). Furthermore I have as the last rule before dropping a
>> log rule, so if a packet were dropped it would show up in the drop-log.
>> There is though no such dropped packet, so the three sent packets from
>> the W7 machine are arriving at the server machine. As an interesting side note,
>> using 2.4.x (stable under Gentoo) the packets did arrive at openswan but it
>> logged a warning as IKEv2 is not supported. Upgrading to 2.6.29 made the
>> warning log message vanish but as mentioned no reaction from openswan. This
>> leads me to the conclusion that openswan gets the packet but somehow totally
>> ignores it.
>> Unfortunately I've no idea how to debug this further. I even tried with
>> plutodebug enabled but no trace in the logs of openswan processing the
>> packets. If I use with the very same laptop Linux and connect with the very
>> same certificate and server address I get the connection up and running. So the
>> firewall on the server is for sure not the problem and the configuration in
>> openswan also not. Could it be openswan doesn't understand the packet sent
>> by W7 and drops it without saying anything?
>>
>> --
>> Yours sincerely
>> Plüss Roland
>>
>> Leader and Head Programmer
>> - Game: Epsylon ( http://www.indiedb.com/games/epsylon ,
>> http://epsylon.rptd.ch )
>> - Game Engine: Drag[en]gine ( http://www.indiedb.com/engines/dragengine
>> , http://dragengine.rptd.ch )
>> - Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php
>> ) and others

-- 
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://www.indiedb.com/games/epsylon ,
http://epsylon.rptd.ch )
- Game Engine: Drag[en]gine ( http://www.indiedb.com/engines/dragengine
, http://dragengine.rptd.ch )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php
) and others
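The question at the end of the quoted message, whether pluto receives the packet but does not understand it, can be narrowed down from the tcpdump capture before touching pluto at all. The following Python script is an added example for this archive page, not code from the thread or from Openswan: it decodes the fixed IKE header of a UDP payload taken from port 500 or 4500 and says whether the packet is an IKEv2 IKE_SA_INIT request that an IKEv2-capable responder should answer, or something else (an IKEv1 message, UDP-encapsulated ESP on 4500, a truncated message). The sample payloads in it are constructed by hand for the demonstration, not captured from the Windows 7 client.

```python
"""Decode the fixed IKE header of a UDP payload captured on port 500 or 4500.

Added example for this thread, not Openswan code. Header layout is shared by
IKEv1 (RFC 2408) and IKEv2 (RFC 5996): SPIi, SPIr, next payload, version,
exchange type, flags, message ID, length. Sample payloads at the bottom are
constructed, not real captures.
"""
import struct

IKE_HEADER_FMT = "!8s8sBBBBII"
IKE_HEADER_LEN = struct.calcsize(IKE_HEADER_FMT)  # 28 bytes
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE on UDP/4500 carries this prefix (RFC 3948)

# Exchange types: RFC 2408 (IKEv1) and RFC 5996 (IKEv2)
EXCHANGE_TYPES = {
    2: "IKEv1 Identity Protection (Main Mode)",
    4: "IKEv1 Aggressive Mode",
    5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}

FLAG_INITIATOR = 0x08  # IKEv2 'I' bit: sent by the original initiator
FLAG_RESPONSE = 0x20   # IKEv2 'R' bit: this message is a response
ZERO_SPI = "00" * 8


def parse_ike_header(payload, udp_port):
    """Parse the 28-byte IKE header; raise ValueError if the payload is not IKE."""
    data = payload
    if udp_port == 4500:
        # On 4500 a zero first word marks IKE; ESP-in-UDP starts with a non-zero ESP SPI.
        if not data.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 payload without non-ESP marker: UDP-encapsulated ESP, not IKE")
        data = data[len(NON_ESP_MARKER):]
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("payload shorter than the %d-byte IKE header" % IKE_HEADER_LEN)
    spi_i, spi_r, next_payload, version, exchange, flags, msg_id, length = struct.unpack(
        IKE_HEADER_FMT, data[:IKE_HEADER_LEN])
    return {
        "spi_i": spi_i.hex(),
        "spi_r": spi_r.hex(),
        "major": version >> 4,
        "minor": version & 0x0F,
        "next_payload": next_payload,
        "exchange": EXCHANGE_TYPES.get(exchange, "unknown exchange type %d" % exchange),
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "msg_id": msg_id,
        "length": length,
        "truncated": length > len(data),  # length field covers the whole IKE message
    }


def classify(payload, udp_port):
    """One-line verdict on a captured packet; never raises."""
    try:
        h = parse_ike_header(payload, udp_port)
    except ValueError as exc:
        return "unparseable: %s" % exc
    if h["major"] == 1:
        return "IKEv1 packet (%s): not IKEv2" % h["exchange"]
    if h["major"] != 2:
        return "IKE major version %d (%s)" % (h["major"], h["exchange"])
    if h["exchange"] != "IKEv2 IKE_SA_INIT" or not h["initiator"] or h["response"]:
        return "IKEv2 %s (initiator=%s, response=%s): not the opening request of a new SA" % (
            h["exchange"], h["initiator"], h["response"])
    if h["spi_r"] != ZERO_SPI:
        return "IKEv2 IKE_SA_INIT request with non-zero responder SPI: malformed"
    if h["msg_id"] != 0:
        return "IKEv2 IKE_SA_INIT request with message ID %d instead of 0: malformed" % h["msg_id"]
    if h["truncated"]:
        return "IKEv2 IKE_SA_INIT request truncated: header says %d bytes, only %d captured" % (
            h["length"], len(payload))
    return "IKEv2 IKE_SA_INIT request (SPIi %s): an IKEv2-enabled pluto should reply on this port" % h["spi_i"]


def _constructed_sa_init(spi_i_hex, body):
    """Build a minimal IKEv2 IKE_SA_INIT request (constructed sample; next payload 33 = SA)."""
    header = struct.pack(IKE_HEADER_FMT, bytes.fromhex(spi_i_hex), b"\x00" * 8,
                         33, 0x20, 34, FLAG_INITIATOR, 0, IKE_HEADER_LEN + len(body))
    return header + body


# Constructed samples (not real captures); the body stands in for the SA/KE/Nonce payloads.
SAMPLE_V2_PORT500 = _constructed_sa_init("0123456789abcdef", b"\x00" * 16)
SAMPLE_V2_PORT4500 = NON_ESP_MARKER + SAMPLE_V2_PORT500
SAMPLE_V1_MAIN_MODE = struct.pack(IKE_HEADER_FMT, bytes.fromhex("fedcba9876543210"), b"\x00" * 8,
                                  1, 0x10, 2, 0x00, 0, IKE_HEADER_LEN)
SAMPLE_ESP_IN_UDP = bytes.fromhex("deadbeef") + b"\x00" * 28  # non-zero first word: an ESP SPI

if __name__ == "__main__":
    for name, payload, port in [("v2 on 500", SAMPLE_V2_PORT500, 500),
                                ("v2 on 4500", SAMPLE_V2_PORT4500, 4500),
                                ("v1 on 500", SAMPLE_V1_MAIN_MODE, 500),
                                ("esp on 4500", SAMPLE_ESP_IN_UDP, 4500),
                                ("cut short", SAMPLE_V2_PORT500[:20], 500)]:
        print("%-12s %s" % (name, classify(payload, port)))
```

To run it against the real traffic, capture on the server with `tcpdump -s0 -w ike.pcap 'udp port 500 or udp port 4500'` and hand each UDP payload to classify() together with its destination port (with scapy, for instance, `bytes(pkt[UDP].payload)`). A packet that decodes as IKEv1, a 4500 payload without the non-ESP marker, or a length field larger than what arrived each points to a different problem than pluto silently ignoring a valid IKEv2 request, and would be the next thing to look at in the plutodebug output.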
