Old 09-28-2018, 02:25 AM   #1
4play
LQ Newbie
 
Registered: Oct 2003
Location: london
Distribution: Centos
Posts: 27

Rep: Reputation: 15
Shrewsoft VPN won't connect


I'm trying to connect to my office VPN that's running pfSense and using IPsec, using Shrew Soft VPN, but it refuses to connect. The same exact config works perfectly on Windows but just doesn't connect on Fedora 28.

Tried with SELinux off and firewall off, turned on debug, and no errors in the log (which is below; ike-decrypt.pcap is empty). Have tried other VPN clients, still nothing.

Any suggestions on how to find the issue here?

Code:
18/09/28 07:57:40 ## : IKE Daemon, ver 2.2.1
18/09/28 07:57:40 ## : Copyright 2013 Shrew Soft Inc.
18/09/28 07:57:40 ## : This product linked OpenSSL 1.0.2o-fips  27 Mar 2018
18/09/28 07:57:40 ii : opened '/var/log/iked.log'
18/09/28 07:57:40 ii : opened '/var/log/iked/ike-decrypt.pcap'
18/09/28 07:57:40 ii : pfkey process thread begin ...
18/09/28 07:57:40 ii : ipc server process thread begin ...
18/09/28 07:57:40 ii : network process thread begin ...
18/09/28 07:57:40 K< : recv pfkey REGISTER AH message
18/09/28 07:57:40 K< : recv pfkey REGISTER ESP message
18/09/28 07:57:40 K< : recv pfkey REGISTER IPCOMP message
18/09/28 07:57:40 K! : recv X_SPDDUMP message failure ( errno = 2 )
18/09/28 07:57:50 K! : unhandled pfkey message type X_SPDUPDATE ( 13 )
18/09/28 07:57:50 K! : unhandled pfkey message type X_SPDUPDATE ( 13 )
18/09/28 07:57:50 K! : unhandled pfkey message type X_SPDUPDATE ( 13 )
18/09/28 07:57:50 K! : unhandled pfkey message type X_SPDUPDATE ( 13 )
18/09/28 07:57:50 K! : unhandled pfkey message type X_SPDUPDATE ( 13 )
18/09/28 07:57:50 K! : unhandled pfkey message type X_SPDUPDATE ( 13 )
18/09/28 07:57:50 K< : recv pfkey REGISTER AH message ( ignored )
18/09/28 07:57:50 K< : recv pfkey REGISTER ESP message ( ignored )
18/09/28 07:57:50 K< : recv pfkey REGISTER IPCOMP message ( ignored )
18/09/28 08:13:41 ii : ipc client process thread begin ...
18/09/28 08:13:41 <A : peer config add message
18/09/28 08:13:41 <A : proposal config message
18/09/28 08:13:41 <A : proposal config message
18/09/28 08:13:41 <A : client config message
18/09/28 08:13:41 <A : xauth username message
18/09/28 08:13:41 <A : xauth password message
18/09/28 08:13:41 <A : local id 'XXXXXXX' message
18/09/28 08:13:41 <A : preshared key message
18/09/28 08:13:41 <A : peer tunnel enable message
18/09/28 08:13:41 DB : peer added ( obj count = 1 )
18/09/28 08:13:41 ii : local address 192.168.1.147 selected for peer
18/09/28 08:13:41 DB : tunnel added ( obj count = 1 )
18/09/28 08:13:41 DB : new phase1 ( ISAKMP initiator )
18/09/28 08:13:41 DB : exchange type is aggressive
18/09/28 08:13:41 DB : 192.168.1.147:500 <-> 195.188.XX.XX:500
18/09/28 08:13:41 DB : e521c92d2cb30079:0000000000000000
18/09/28 08:13:41 DB : phase1 added ( obj count = 1 )
18/09/28 08:13:41 >> : security association payload
18/09/28 08:13:41 >> : - proposal #1 payload 
18/09/28 08:13:41 >> : -- transform #1 payload 
18/09/28 08:13:41 >> : key exchange payload
18/09/28 08:13:41 >> : nonce payload
18/09/28 08:13:41 >> : identification payload
18/09/28 08:13:41 >> : vendor id payload
18/09/28 08:13:41 ii : local supports XAUTH
18/09/28 08:13:41 >> : vendor id payload
18/09/28 08:13:41 ii : local supports nat-t ( draft v00 )
18/09/28 08:13:41 >> : vendor id payload
18/09/28 08:13:41 ii : local supports nat-t ( draft v01 )
18/09/28 08:13:41 >> : vendor id payload
18/09/28 08:13:41 ii : local supports nat-t ( draft v02 )
18/09/28 08:13:41 >> : vendor id payload
18/09/28 08:13:41 ii : local supports nat-t ( draft v03 )
18/09/28 08:13:41 >> : vendor id payload
18/09/28 08:13:41 ii : local supports nat-t ( rfc )
18/09/28 08:13:41 >> : vendor id payload
18/09/28 08:13:41 >> : vendor id payload
18/09/28 08:13:41 ii : local supports DPDv1
18/09/28 08:13:41 >> : vendor id payload
18/09/28 08:13:41 ii : local is SHREW SOFT compatible
18/09/28 08:13:41 >> : vendor id payload
18/09/28 08:13:41 ii : local is NETSCREEN compatible
18/09/28 08:13:41 >> : vendor id payload
18/09/28 08:13:41 ii : local is SIDEWINDER compatible
18/09/28 08:13:41 >> : vendor id payload
18/09/28 08:13:41 ii : local is CISCO UNITY compatible
18/09/28 08:13:41 >= : cookies e521c92d2cb30079:0000000000000000
18/09/28 08:13:41 >= : message 00000000
18/09/28 08:13:41 -> : send IKE packet 192.168.1.147:500 -> 195.188.XX.XX:500 ( 523 bytes )
18/09/28 08:13:41 DB : phase1 resend event scheduled ( ref count = 2 )
18/09/28 08:13:51 -> : resend 1 phase1 packet(s) [0/2] 192.168.1.147:500 -> 195.188.254.61:500
18/09/28 08:14:01 -> : resend 1 phase1 packet(s) [1/2] 192.168.1.147:500 -> 195.188.254.61:500
18/09/28 08:14:11 -> : resend 1 phase1 packet(s) [2/2] 192.168.1.147:500 -> 195.188.254.61:500
18/09/28 08:14:21 ii : resend limit exceeded for phase1 exchange
18/09/28 08:14:21 ii : phase1 removal before expire time
18/09/28 08:14:21 DB : phase1 deleted ( obj count = 0 )
18/09/28 08:14:21 DB : policy not found
18/09/28 08:14:21 DB : policy not found
18/09/28 08:14:21 DB : removing tunnel config references
18/09/28 08:14:21 DB : removing tunnel phase2 references
18/09/28 08:14:21 DB : removing tunnel phase1 references
18/09/28 08:14:21 DB : tunnel deleted ( obj count = 0 )
18/09/28 08:14:21 DB : removing all peer tunnel references
18/09/28 08:14:21 DB : peer deleted ( obj count = 0 )
18/09/28 08:14:21 ii : ipc client process thread exit ...
 
Old 09-28-2018, 01:04 PM   #2
4play
LQ Newbie
 
Registered: Oct 2003
Location: london
Distribution: Centos
Posts: 27

Original Poster
Rep: Reputation: 15
Guessing it was to do with packets being slightly too large, and they have the do-not-fragment bit set, so they get dropped upstream.

This fixed it:
Code:
echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo "net.ipv4.ip_no_pmtu_disc = 1" >> /etc/sysctl.conf
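
An added example, not part of either post: a small shell helper that summarises the phase 1 traffic in an iked debug log like the one posted above, so a one-way exchange is visible at a glance. The outbound line formats are taken from the posted log; the inbound `<- : recv IKE packet` format is an assumption (the posted log contains no inbound packet), and the sample peer address 203.0.113.10 is a constructed documentation address.

```shell
#!/bin/sh
# Added example (not from the thread). Summarises phase 1 traffic in an iked
# debug log. The "-> : send IKE packet", "resend N phase1 packet(s)" and
# "resend limit exceeded" formats are taken from the posted log; the inbound
# "<- : recv IKE packet" format is an assumption.

ike_phase1_summary() {   # $1 = path to iked.log
    awk '
        / -> : send IKE packet / {
            sent++
            for (i = 2; i <= NF; i++)
                if ($i == "bytes" && $(i - 1) + 0 > bytes) bytes = $(i - 1) + 0
        }
        / -> : resend [0-9]+ phase1 packet/   { resends++ }
        / <- : recv IKE packet /              { received++ }
        / resend limit exceeded for phase1 /  { timeout = "yes" }
        END {
            printf "sent=%d max_bytes=%d resends=%d received=%d timeout=%s\n",
                   sent, bytes, resends, received, (timeout ? timeout : "no")
        }
    ' "$1"
}

ike_phase1_verdict() {   # $1 = path to iked.log
    case "$(ike_phase1_summary "$1")" in
        *" received=0 timeout=yes") echo "no-reply" ;;    # sent, resent, gave up
        *" received=0 "*)           echo "incomplete" ;;  # still waiting or log cut short
        *)                          echo "reply-seen" ;;  # peer answered at least once
    esac
}

# Constructed sample: the phase 1 lines of the posted log, with the peer
# replaced by a documentation address.
make_sample_log() {      # $1 = output path
    cat > "$1" <<'EOF'
18/09/28 08:13:41 -> : send IKE packet 192.168.1.147:500 -> 203.0.113.10:500 ( 523 bytes )
18/09/28 08:13:51 -> : resend 1 phase1 packet(s) [0/2] 192.168.1.147:500 -> 203.0.113.10:500
18/09/28 08:14:01 -> : resend 1 phase1 packet(s) [1/2] 192.168.1.147:500 -> 203.0.113.10:500
18/09/28 08:14:11 -> : resend 1 phase1 packet(s) [2/2] 192.168.1.147:500 -> 203.0.113.10:500
18/09/28 08:14:21 ii : resend limit exceeded for phase1 exchange
EOF
}

# Stand-alone use: sh this_script /var/log/iked.log
if [ -n "${1:-}" ]; then ike_phase1_summary "$1"; ike_phase1_verdict "$1"; fi
```

A `no-reply` verdict only says that nothing came back before the resend limit was reached; a packet capture on the outgoing interface is still needed to see where the packet or its reply is lost.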
 
  

