This may not help you. But this is what I did to get it working against our OpenBSD isakmpd VPN server. If you’re not using precisely the same configuration we are, this is going to be dead wrong. If you are using ‘Mutual RSA’ authentication, this might be suitable.
We have a nice CGI at work which takes your client hostname and spits out a zip file containing the SSL certs needed, the VPN.VPN site configuration file for a ShrewSoft client and some helper batch scripts. So that all works for Windows. Assuming that you’ve got all those pieces or the local equivalent, and you got Shrew Soft working from Windows, these are the frobs to turn for doing this on Ubuntu 10.04.
Here’s the catch for doing this on Ubuntu 10.04. You can’t do it with the packaged Shrew Soft client (packages named ike*) because that version doesn’t support the PolicyGeneration option you need to set. So uninstall any that you have installed.
Then go grab version 2.1.6-release or newer (depending upon degree of daring) from
http://www.shrew.net/download/ike
Compile it. This will require you to install the cmake, build-essential, flex, bison and libssl-dev packages. Maybe some others, but those are the big ones. The README.TXT in the ike source is helpful.
Import your VPN.VPN configuration.
Copy the contents of certs into ~/.ike/certs so the agent can find them.
Start ‘iked’ by running it with sudo. Add the -F switch if you want to keep it foregrounded. (Until you’ve got it working, you want to keep it foregrounded.)
Start ‘ikea’. Edit your imported connection. Make these configuration changes:
- Name Resolution tab: uncheck Obtain Automatically, add a DNS server/suffix. There may be something wrong with the handling of DHCP; this should just work. I set a single DNS server and search domain explicitly and that worked well enough.
- Authentication tab, Remote Identity subtab: change Identification type to Fully Qualified Domain Name; FQDN String is whatever your VPN endpoint thinks its name is. This was ipv4-address in my configuration, and the iked log output helped me fix this one. If you see messages from iked about it getting fqdn when it wanted ipv4 or vice-versa, this tab is where you fix expectations.
- Policy tab, Policy Generation: shared. This is the key connection option, and it was unavailable before 2.1.6. The docs say this allows it to emulate some kind of wacky Cisco mode. I guess that’s what we need.
You may need to pound on various rp_filter sysctls, but I’m not convinced that did anything in my case. If you packet capture and see reply traffic coming to you but never seeming to be received by your running clients, you may well need to set some rp_filter sysctl or other to 0.
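As an added example (not from the original post), here is a small POSIX shell helper for the rp_filter hunt: it reads sysctl-style output, lists every interface where reverse-path filtering is still on, and prints the sysctl commands that would clear it so you can review them before running them as root. The sample sysctl lines are constructed, and `tap0` is just an assumed interface name.

```shell
#!/bin/sh
# Constructed sample of `sysctl net.ipv4.conf` output (not a real capture).
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.tap0.rp_filter = 0'

# rp_filter_offenders: read "net.ipv4.conf.<if>.rp_filter = N" lines on stdin
# and print each <if> whose value is non-zero (strict or loose filtering on).
rp_filter_offenders() {
    awk -F' *= *' '/^net\.ipv4\.conf\.[^.]+\.rp_filter/ {
        split($1, k, ".")
        if ($2 != "0") print k[4]
    }'
}

# rp_filter_fix_commands: for each offender, emit the sysctl -w command that
# would disable rp_filter on it. Nothing is applied here; review, then run
# the lines you actually want (as root) once you have confirmed in a packet
# capture that replies arrive but are never delivered to the client.
rp_filter_fix_commands() {
    rp_filter_offenders | while read -r ifname; do
        printf 'sysctl -w net.ipv4.conf.%s.rp_filter=0\n' "$ifname"
    done
}

# live_check: the same report against the running kernel (Linux only).
live_check() {
    sysctl net.ipv4.conf 2>/dev/null | rp_filter_fix_commands
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SYSCTL" | rp_filter_fix_commands
```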