help setting up an IPSEC vpn from my linux box
- by robthewolf
I have an office with a router and a remote server (Linux - Ubuntu 10.10). Both locations need to connect to a data supplier through a VPN. The VPN is an IPSEC gateway. I was able to configure my Linksys rv42 router to create a VPN connection successfully and now I need to do the same for Linux server. I have been messing around with this for too long. First I tried OpenVPN, but that is SSL and not IPSEC. Then I tried Shrew. I think I have the settings correct but I haven't been able to create the connection. It maybe that I have to use something else like a direct IPSEC config or something like that.
If someone knows of a way to turn the following settings that I have been given below into a working IPSEC VPN connection I would be very grateful.
Here are the settings I was given that must be used to connect to my supplier:
Local destination network: 192.168.4.0/24
Local destination hosts: 192.168.4.100
Remote destination network: 192.167.40.0/24
Remote destination hosts: 192.168.40.27
VPN peering point: xxx.xxx.xxx.xxx
Then they have given me the following details:
IPSEC/ISAKMP Phase 1 Parameters:
Authentication method: pre shared secret
Diffie Hellman group: group 2
Encryption Algorithm: 3DES
Lifetime in seconds:28800
Phase 2 parameters:
IPSEC security: ESP
Encryption algortims: 3DES
Authentication algorithms: MD5
lifetime in seconds: 28800
pfs: disabled
Here are the settings from my attempt to use shrew:
n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:1
n:client-dns-used:1
b:auth-mutual-psk:YjJzN2QzdDhyN2EyZDNpNG42ZzQ=
n:phase1-dhgroup:2
n:phase1-keylen:0
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:0
n:phase2-pfsgroup:-1
n:phase2-life-secs:28800
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
n:client-dns-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
s:client-dns-addr:0.0.0.0
s:client-dns-suffix:
s:network-host:xxx.xxx.xxx.xxx
s:client-auto-mode:pull
s:client-iface:virtual
s:client-ip-addr:192.168.4.0
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:disable
s:auth-method:mutual-psk
s:ident-client-type:address
s:ident-client-data:192.168.4.0
s:ident-server-type:address
s:ident-server-data:192.168.40.0
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:3des
s:phase2-hmac:md5
s:ipcomp-transform:disabled
Finally here is the debug output from the shrew log:
10/12/22 17:22:18 ii : ipc client process thread begin ...
10/12/22 17:22:18 < A : peer config add message
10/12/22 17:22:18 DB : peer added ( obj count = 1 )
10/12/22 17:22:18 ii : local address 217.xxx.xxx.xxx selected for peer
10/12/22 17:22:18 DB : tunnel added ( obj count = 1 )
10/12/22 17:22:18 < A : proposal config message
10/12/22 17:22:18 < A : proposal config message
10/12/22 17:22:18 < A : client config message
10/12/22 17:22:18 < A : local id '192.168.4.0' message
10/12/22 17:22:18 < A : remote id '192.168.40.0' message
10/12/22 17:22:18 < A : preshared key message
10/12/22 17:22:18 < A : peer tunnel enable message
10/12/22 17:22:18 DB : new phase1 ( ISAKMP initiator )
10/12/22 17:22:18 DB : exchange type is aggressive
10/12/22 17:22:18 DB : 217.xxx.xxx.xxx:500 <- 206.xxx.xxx.xxx:500
10/12/22 17:22:18 DB : c1a8b31ac860995d:0000000000000000
10/12/22 17:22:18 DB : phase1 added ( obj count = 1 )
10/12/22 17:22:18 : security association payload
10/12/22 17:22:18 : - proposal #1 payload
10/12/22 17:22:18 : -- transform #1 payload
10/12/22 17:22:18 : key exchange payload
10/12/22 17:22:18 : nonce payload
10/12/22 17:22:18 : identification payload
10/12/22 17:22:18 : vendor id payload
10/12/22 17:22:18 ii : local supports nat-t ( draft v00 )
10/12/22 17:22:18 : vendor id payload
10/12/22 17:22:18 ii : local supports nat-t ( draft v01 )
10/12/22 17:22:18 : vendor id payload
10/12/22 17:22:18 ii : local supports nat-t ( draft v02 )
10/12/22 17:22:18 : vendor id payload
10/12/22 17:22:18 ii : local supports nat-t ( draft v03 )
10/12/22 17:22:18 : vendor id payload
10/12/22 17:22:18 ii : local supports nat-t ( rfc )
10/12/22 17:22:18 : vendor id payload
10/12/22 17:22:18 ii : local supports DPDv1
10/12/22 17:22:18 : vendor id payload
10/12/22 17:22:18 ii : local is SHREW SOFT compatible
10/12/22 17:22:18 : vendor id payload
10/12/22 17:22:18 ii : local is NETSCREEN compatible
10/12/22 17:22:18 : vendor id payload
10/12/22 17:22:18 ii : local is SIDEWINDER compatible
10/12/22 17:22:18 : vendor id payload
10/12/22 17:22:18 ii : local is CISCO UNITY compatible
10/12/22 17:22:18 = : cookies c1a8b31ac860995d:0000000000000000
10/12/22 17:22:18 = : message 00000000
10/12/22 17:22:18 - : send IKE packet 217.xxx.xxx.xxx:500 - 206.xxx.xxx.xxx:500 ( 484 bytes )
10/12/22 17:22:18 DB : phase1 resend event scheduled ( ref count = 2 )
10/12/22 17:22:18 ii : opened tap device tap0
10/12/22 17:22:28 - : resend 1 phase1 packet(s) 217.xxx.xxx.xxx:500 - 206.xxx.xxx.xxx:500
10/12/22 17:22:38 - : resend 1 phase1 packet(s) 217.xxx.xxx.xxx:500 - 206.xxx.xxx.xxx:500
10/12/22 17:22:48 - : resend 1 phase1 packet(s) 217.xxx.xxx.xxx:500 - 206.xxx.xxx.xxx:500
10/12/22 17:22:58 ii : resend limit exceeded for phase1 exchange
10/12/22 17:22:58 ii : phase1 removal before expire time
10/12/22 17:22:58 DB : phase1 deleted ( obj count = 0 )
10/12/22 17:22:58 ii : closed tap device tap0
10/12/22 17:22:58 DB : tunnel stats event canceled ( ref count = 1 )
10/12/22 17:22:58 DB : removing tunnel config references
10/12/22 17:22:58 DB : removing tunnel phase2 references
10/12/22 17:22:58 DB : removing tunnel phase1 references
10/12/22 17:22:58 DB : tunnel deleted ( obj count = 0 )
10/12/22 17:22:58 DB : removing all peer tunnel refrences
10/12/22 17:22:58 DB : peer deleted ( obj count = 0 )
10/12/22 17:22:58 ii : ipc client process thread exit ...
