[vpnc-devel] I always have to run vpnc twice

Nico Sabbi nicola.sabbi at poste.it
Mon Jul 25 15:31:03 CEST 2011


Hi,
since the very first time I used vpnc I have had to run it a first time, wait a couple of seconds, press ^C, and run it a second time.
This is the only way to make vpnc connect to the other end.

I gathered the logs obtained with --debug 2. Can anyone explain why I have to do this mess? Is there a way to run it only once? Moreover, the vpnc plugin in network-manager doesn't connect, most likely for the very same reason.
Thanks.


The config file reads:

Noninteractive
IPSec ID ******
IPSec gateway 1.2.3.4
IPSec secret SECRETPASSWORD

IKE Authmode psk
Xauth username ***********
Xauth password SECRETPASSWORD


$ vpnc Provider
vpnc version 0.5.3

S1 init_sockaddr
  [2011-07-25 15:13:58]

S2 make_socket
  [2011-07-25 15:13:58]

S3 setup_tunnel
  [2011-07-25 15:13:58]
    using interface tun0

S4 do_phase1_am
  [2011-07-25 15:13:58]

S4.1 create_nonce
  [2011-07-25 15:13:58]

S4.2 dh setup
  [2011-07-25 15:13:58]

S4.3 AM packet_1
  [2011-07-25 15:13:58]

S4.4 AM_packet2
  [2011-07-25 15:13:58]
    (Cisco Unity)
    (Xauth)
    (DPD)
    (Nat-T 02N)
    (unknown)
    (unknown)
    got ike lifetime attributes: 2147483 seconds
    IKE SA selected psk-3des-md5
    peer is DPD capable (RFC3706)
    peer is NAT-T capable (draft-02)\n
    peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
    peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
    NAT status: this end behind NAT? YES -- remote end behind NAT? no

S4.5 AM_packet3
  [2011-07-25 15:13:58]
    NAT-T mode, adding non-esp marker
vpnc: no response from target

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ hangs here, ^C



##SECOND TIME

linux-6znh:~ # vpnc --debug 2 Provider

vpnc version 0.5.3

S1 init_sockaddr
  [2011-07-25 15:14:40]

S2 make_socket
  [2011-07-25 15:14:40]

S3 setup_tunnel
  [2011-07-25 15:14:40]
    using interface tun0

S4 do_phase1_am
  [2011-07-25 15:14:40]

S4.1 create_nonce
  [2011-07-25 15:14:40]

S4.2 dh setup
  [2011-07-25 15:14:40]

S4.3 AM packet_1
  [2011-07-25 15:14:40]

S4.4 AM_packet2
  [2011-07-25 15:14:40]
    (Cisco Unity)
    (Xauth)
    (DPD)
    (Nat-T 02N)
    (unknown)
    (unknown)
    got ike lifetime attributes: 2147483 seconds
    IKE SA selected psk-3des-md5
    peer is DPD capable (RFC3706)
    peer is NAT-T capable (draft-02)\n
    peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
    peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
    NAT status: this end behind NAT? YES -- remote end behind NAT? no

S4.5 AM_packet3
  [2011-07-25 15:14:40]
    NAT-T mode, adding non-esp marker

S4.6 cleanup
  [2011-07-25 15:14:40]

S6 do_phase2_config [2]
  [2011-07-25 15:14:40]

S6.1 phase2_config send modecfg
  [2011-07-25 15:14:40]
    NAT-T mode, adding non-esp marker

S6.2 phase2_config receive modecfg
  [2011-07-25 15:14:40]
    got save password setting: 0
    got 16 acls for split include
    acl 0:    addr: 10.11.10.224/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 1:    addr: 10.11.10.223/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 2:    addr: 10.11.10.226/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 3:    addr: 10.11.10.227/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 4:    addr: 10.11.10.228/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 5:    addr: 10.254.27.65/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 6:    addr: 10.254.27.66/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 7:    addr: 10.254.44.19/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 8:    addr: 10.11.10.229/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 9:    addr: 10.11.10.225/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 10:    addr: 10.11.13.186/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 11:    addr: 10.11.13.187/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 12:    addr: 10.11.13.188/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 13:    addr: 10.11.13.189/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 14:    addr: 10.11.13.183/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    acl 15:    addr: 10.254.44.44/   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
    got pfs setting: 0
    Remote Application Version:    Cisco Systems, Inc PIX-525 Version 7.0(7) built by builders on Fri 06-Jul-07 10:37
    got address 10.254.60.62

S7 setup_link (phase 2 + main_loop)
  [2011-07-25 15:14:40]

S7.0 run interface setup script
  [2011-07-25 15:14:40]

S7.1 QM_packet1
  [2011-07-25 15:14:40]

S7.2 QM_packet2 send_receive
  [2011-07-25 15:14:40]
    NAT-T mode, adding non-esp marker

S7.3 QM_packet2 validate type
  [2011-07-25 15:14:40]
    got ike lifetime attributes: 86400 seconds

S7.5 QM_packet2 check reject offer
  [2011-07-25 15:14:40]

S7.6 QM_packet2 check and process proposal
  [2011-07-25 15:14:40]
    got ipsec lifetime attributes: 2147483 seconds
    IPSEC SA selected aes256-sha1
    got ipsec lifetime attributes: 28800 seconds
    NAT-T mode, adding non-esp marker

S7.7 QM_packet3 sent
  [2011-07-25 15:14:40]

S7.8 setup ipsec tunnel
  [2011-07-25 15:14:40]

S7.9 main loop (receive and transmit ipsec packets)
  [2011-07-25 15:14:40]
    remote -> local spi: 0x...
    local -> remote spi: 0x...
VPNC started in background (pid: 18062)...
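A small diagnostic added here (not part of the post or of vpnc itself) that walks a vpnc --debug 2 transcript, records which numbered stage was reached, and reports where the first run stalled (S4.5 AM_packet3 with "no response from target" while in NAT-T mode) versus where the second run completed; the two sample transcripts are constructed, abbreviated copies of the logs above.

```python
import re
from dataclasses import dataclass, field

# Matches vpnc --debug stage headers such as "S4.5 AM_packet3" or "S6 do_phase2_config [2]".
STAGE_RE = re.compile(r"^S(?P<id>\d+(?:\.\d+)?) (?P<name>.+?)(?: \[\d+\])?$")

@dataclass
class Run:
    stages: list = field(default_factory=list)  # (id, name) in the order reached
    error: str = None        # text after a "vpnc: " error line, if any
    nat_t: bool = False      # saw "NAT-T mode, adding non-esp marker"
    connected: bool = False  # saw "VPNC started in background"

def parse_vpnc_debug(text):
    # Walk one transcript line by line; indented detail lines are classified by prefix.
    run = Run()
    for raw in text.splitlines():
        line = raw.strip()
        if m := STAGE_RE.match(line):
            run.stages.append((m["id"], m["name"]))
        elif line.startswith("vpnc: "):
            run.error = line[len("vpnc: "):]
        elif line.startswith("NAT-T mode"):
            run.nat_t = True
        elif line.startswith("VPNC started in background"):
            run.connected = True
    return run

def diagnose(run):
    # One-line verdict: where the handshake stopped, or that it completed.
    if not run.stages:
        return "no vpnc stage output found"
    last_id, last_name = run.stages[-1]
    if run.connected:
        return f"connected (last stage S{last_id} {last_name})"
    verdict = f"stalled in S{last_id} {last_name}"
    if run.error:
        verdict += f": {run.error}"
    if run.nat_t and last_id.startswith("4."):
        verdict += " [IKE phase 1 over NAT-T: third aggressive-mode packet sent, no reply]"
    return verdict

# Constructed samples, abbreviated from the two runs in the post above.
FIRST_RUN = """S4.4 AM_packet2
    NAT status: this end behind NAT? YES -- remote end behind NAT? no
S4.5 AM_packet3
    NAT-T mode, adding non-esp marker
vpnc: no response from target"""
SECOND_RUN = """S4.5 AM_packet3
    NAT-T mode, adding non-esp marker
S6 do_phase2_config [2]
S7.9 main loop (receive and transmit ipsec packets)
VPNC started in background (pid: 18062)..."""
```

Running `diagnose(parse_vpnc_debug(...))` over the two transcripts makes the difference between the runs explicit: the first never gets past the third aggressive-mode packet, the second reaches the main loop.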
