The macosxhints Forums

tji 06-13-2005 09:25 PM

Anyone else using Linksys WRV54G IPSec with OS X
 
I recently threw together a script to automate the VPN setup between MacOS X (10.4.1) and a WRV54G IPSec router + Access Point. With one command, it does the 'wget' to make a https connection to the router and download the pre-shared key for the IPSec session. It then sets up the racoon config and starts IPSec.

If anyone else is interested in this, let me know and I can clean up the script a bit for others to use.

Please note - the changes in this script specifically address the WRV54G's method for user authentication. This would not apply to other VPN devices.

fmcosta_yahoo 08-02-2005 04:40 PM

shell-script for interfacing PBG4 with WRV54G
 
Hi tji..

I would like to have sent you an email about this, but I am a new user here, so my privileges are limited. I have been trying to get this router (WRV54G) to work with my Powerbook ever since I bought it six months ago.

I've read your explanation outlining how you've managed to retrieve the passphrase through an HTTPS get. Though my knowledge of VPN protocols is limited. Do you think you could share with me a shell-script that could make this work for me? Would I be correct to assume that with this shell-script, it would eliminate the need for me to do this via IPSecuritas?

Any help would be appreciated! Thank you sooo much.

fmcosta [at] yahoo [dot] com

Awysocki 08-15-2005 10:21 PM

Do you have this script posted anywhere?
 
Why not give a link to where this script lives? I would like a copy! Thanks /Andy

AdeWilliams 11-02-2005 10:15 AM

Hi there. I'd love to see that script too. Would there be any chance of posting it? Or emailing it if I send you my address?

Thanks.

Velda 11-22-2005 01:14 PM

I too would love to check this out if you could please post or email it.

tji 11-22-2005 04:05 PM

1 Attachment(s)
Sorry for not responding earlier.. I meant to post the script, but it slipped through the cracks.


There should be a zip file attached to this post, wrv_mac.zip. I zipped it, because that was one of the acceptable file types for attachments.

In the zip is a file called wrvinit.sh. You'll need to edit that file to include your user and addressing information.

Two caveats:
- The script must be run with admin privileges, since it needs to start the IKE app "racoon", which needs admin privileges. Also, you might want to set permissions on the wrvinit.sh file so that only you can read it, because your password will be saved in the file. (e.g. "chmod 700 wrvinit.sh").

- You need to have "wget" installed to use this. wget is a command-line tool for downloading things from the web. It is used in this script for connecting to the WRV54G and getting your IPSec shared key. I've been meaning to modify the script to use 'curl' instead, because it's included with MacOS. But, I haven't gotten around to that. (wget: http://www.versiontracker.com/dyn/mo...3923&vid=59439 )


Also, I have found that I occasionally need to reset my ipsec user password on the wrv54g. I'm not sure if this is something to do with the wrv54g, or a symptom of using it with an unsupported client.

Please post questions or feedback on any successes/failures here.

-Todd

shagghie 11-22-2005 10:41 PM

Success
 
Quote:

Originally Posted by tji

Please post questions or feedback on any successes/failures here.

-Todd

Success! Worked like a champ first time through. Though, thought I'd pass on to those that perhaps don't know. If you have a terminal icon in aqua thingy, you can CTRL-click it and enter a 'new command'. At which point, you might try "sudo sh home.sh" and voila!, instant VPN access to your WRV54G. The WRV54G Status Page successfully shows my user connected, as well.

Thanks to this great author for such a fine script and working solution..actually quite elegant at the end of the day....better than futzing with VPN tracker all day long!

tji 11-23-2005 01:58 PM

2 Attachment(s)
Thanks for the feedback shagghie, I'm glad to see it works for others.


I made a quick update to the script, to use "curl" rather than "wget". curl is included in MacOS by default, so this should be easier to use.. no additional software install is needed. It turned out to be very easy to use curl (I was just familiar with wget, from my years of Linux use). I just had to add the "--insecure" option, to tell curl not to try and verify the wrv's certificate, since the wrv uses a self signed cert, rather than one generated by a known CA, like Verisign.

curl outputs some network stats while it is getting your PSK, there is probably a way to tell it not to do this, but I just left this ON since racoon outputs a bunch of debugging info anyway.

Racoon can be run in background mode, so it executes & runs in the background. This may be useful if you're sure everything is working right. I just left it in verbose/debug mode to aid in connection debugging. I usually just run it in a tab in iTerm, and let it spew debug output as it runs.

tji 11-23-2005 03:02 PM

1 Attachment(s)
Okay, one more quick update.. Now that I started messing around with this script again, I looked into my to-do list. An update to allow hostname, rather than IP address, of the gateway turned out to be very easy.

The wrv54g supports dynamic dns, so if the IP address it gets from the ISP changes, it will automatically register that with the dynamic DNS service. So, allowing hostnames in the script means that in the event that the IP address changes, it will be automatically accounted for in the IPSec connection.

Essington 11-26-2005 12:04 PM

O.K. I just bought one of these WRV54G routers, and downloaded the script, but thus far have been unable to get it to connect to the router. Wireless, and wired configuration seem to function just fine, my problem is strictly with the VPN.

What configuration should be used on the router to allow this script to connect?

My router is updated with the 2.37 firmware, and I'm trying to connect from OS X 10.4.3

What settings should I select from the Security -> VPN page?
Do I need to change anything on the Advanced VPN Tunnel Setup page?

I've managed to get several D-Link DFL200's configured for remote access from my macs, and they are pretty much effortless (they work fine with the OS X VPN client) but this thing (WRV54G) is considerably more complicated.

Any hints as to the router side configuration would be very helpful

Thanks

tji 11-26-2005 03:38 PM

OS X's GUI VPN client uses microsoft-ish PPTP+IPsec. The WRV54G uses pure IPSec, and it uses an extra step of negotiating a pre-shared-key via the SSL connection. The wrvinit.sh script sets up the IPSec connection directly, using the pre-shared key it gets via SSL. If you have access to a Windows PC, you might try using the Linksys VPN client to connect & verify everything is set up correctly. Also, the WRV54G can provide a lot of logging/debugging information via syslog if you set up a syslog server on your internal network.


The Security->VPN page is mainly for network to network VPN setups (as opposed to client remote access), so I'm not really sure how much of this is necessary. But, here are the settings on mine:

IPSec Passthrough: ON (Should work either ON/OFF)
PPTP Passthrough: OFF (Should work either ON/OFF)
L2TP Passthrough: OFF (Should work either ON/OFF)

VPN Tunnel: Enabled
VPN Gateway: Disabled (this puts all traffic through the VPN tunnel, breaking communications in most situations.)

Local Secure Group: Subnet
IP Addr: 10.19.17.0 (This should be the network you are using for your PCs behind the gateway, in my case it's 10.19.17.*, 192.168.1.* is common)
Mask: 255.255.255.0

Remote Secure Group: ANY

Encryption: 3DES
Authentication: MD5

Key Mgmnt: IKE
PFS: Disabled
Key Lifetime: 28000 seconds


Advanced Settings:
Phase 1: Main Mode, 3DES, MD5, 1024-bit, 28000
Phase 2: 3DES, MD5, Disabled, 1024-bit, 28000
Options: only Anti-Replay enabled.


The more relevant settings are in:
Access Restrictions->VPN Client Access

Add a Username and Password on that page. That user/passwd needs to match whatever you configure in the IPSec setup script.

b74ubba 01-30-2006 01:09 PM

TJI,

I am so glad to hear someone succeeded in doing this. I downloaded, changed the script to my settings, set up my router as suggested. I ran the script on the mac... but then what do I do. Do I run the script then connect using the typical VPN of the mac?? What settings should I use because I couldn't get it to work from there. If I am using the VPN of the mac why is the script asking me for the same stuff?? Thanks again for the script and your explanations!!

tji 01-30-2006 02:30 PM

Quote:

Originally Posted by b74ubba
I am so glad to hear someone succeeded in doing this. I downloaded, changed the script to my settings, set up my router as suggested. I ran the script on the mac... but then what do I do. Do I run the script then connect using the typical VPN of the mac?? What settings should I use because I couldn't get it to work from there. If I am using the VPN of the mac why is the script asking me for the same stuff?? Thanks again for the script and your explanations!!

The MacOS VPN GUI is not needed. The script is used instead of the MacOS VPN applet. It gets the right config settings, and starts IPSec. So, just run the script in a terminal window, and if everything worked right, you should be able to access systems through your VPN tunnel.


When you first run the script, it will set everything up, outputting a bunch of junk about AH, ESP, policy.c, etc.. Then, when you try to connect to something behind your WRV54G, it will spew a bunch more messages with information on the IPSec session negotiation. Hopefully it will have messages about phase 2 completing, which means the VPN tunnel is up. Or, without trying to decipher those messages, you can see if your connection succeeded, if so the IPSec tunnel worked.

tgirard 02-18-2006 12:27 PM

Wow! After trying to setup this router for VPN in vain, I gave up one year ago. Your script and explanations worked without any problems. Thanks a lot for this help!

tgirard 02-22-2006 04:35 AM

Not working anymore :-(

It worked fine and I could access the file server without problems. Then the second time it doesn't work anymore. I don't know what the problem could be. For sure nobody changed anything at the server side. I did restart the WRV54G modem. No change. Indeed I can see in the status tab that I am connected through vpn, but I can't contact any server and also the internal IP for the WRV54G doesn't work.
Do you have any suggestions?

TIA
Thierry
(the IP behind the vpn should be 192.168.1.0, the remote IP is 10....)
this is the terminal output:
2006-02-22 09:31:39: DEBUG: isakmp.c:1592:isakmp_open(): 10.21.0.3[500] used as isakmp port (fd=7)
2006-02-22 09:31:39: DEBUG: isakmp.c:1610:isakmp_open(): 10.21.0.3[4500] used as nat-t isakmp port (fd=8)
2006-02-22 09:31:39: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message
2006-02-22 09:31:39: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message
2006-02-22 09:31:39: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbffff700: 192.168.1.0/32[0] 10.21.0.3/32[0] proto=any dir=in
2006-02-22 09:31:39: DEBUG: policy.c:185:cmpspidxstrict(): db :0x306928: 192.168.1.0/32[0] 10.21.0.3/32[0] proto=any dir=in
2006-02-22 09:31:39: ERROR: pfkey.c:2205:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.1.0/32[0] 10.21.0.3/32[0] proto=any dir=in
2006-02-22 09:31:39: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message
2006-02-22 09:31:39: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbffff700: 10.21.0.3/32[0] 192.168.1.0/32[0] proto=any dir=out
2006-02-22 09:31:39: DEBUG: policy.c:185:cmpspidxstrict(): db :0x306928: 192.168.1.0/32[0] 10.21.0.3/32[0] proto=any dir=in
2006-02-22 09:31:39: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message
2006-02-22 09:31:39: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbffff700: 10.21.0.3/32[0] 192.168.1.0/32[0] proto=any dir=out
2006-02-22 09:31:39: DEBUG: policy.c:185:cmpspidxstrict(): db :0x306928: 192.168.1.0/32[0] 10.21.0.3/32[0] proto=any dir=in
2006-02-22 09:31:39: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbffff700: 10.21.0.3/32[0] 192.168.1.0/32[0] proto=any dir=out
2006-02-22 09:31:39: DEBUG: policy.c:185:cmpspidxstrict(): db :0x306b68: 10.21.0.3/32[0] 192.168.1.0/32[0] proto=any dir=out
2006-02-22 09:31:39: ERROR: pfkey.c:2205:pk_recvspddump(): such policy already exists. anyway replace it: 10.21.0.3/32[0] 192.168.1.0/32[0] proto=any dir=out
2006-02-22 09:31:54: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting
2006-02-22 09:31:57: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting
2006-02-22 09:32:03: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting

tgirard 02-24-2006 06:03 PM

and up again :-))
 
Ok, the problem was solved.
It was a silly problem.
First I tried the script at work, where it didn't work - the firewall blocks the packets. Then going home it didn't work at home, although it had just 2 days ago. I checked everything, IP-number, gateway IP and so on.... Nothing changed.
Then in a desperate attempt ;-) I unplugged the ADSL router and restarted it. Everything fine afterwards! So definitively not a problem with the script, but my router did not have a good day I guess.

So everything fine and running!

Thierry

jet_silver 04-02-2006 02:24 PM

Well, this worked the first time I tried it. Given the trouble this router seems to be giving a lot of people that's pretty near magical. Thank you for the script and setup information.

One question: the WRV54G has a Status/VPN panel where you can disconnect the VPN session, and you can make that the last action of a session. Is there a way to bring the session down at the remote (far from the router) end without metaphorically snaking your finger down the connection, or can you trust the key lifetime to limit the life of the connection as far as the router's concerned? I've just been pressing Ctrl-C in the window where the script is running, and the status in the router doesn't change when the script shuts down.

Wellenbrett 04-04-2006 04:56 AM

Hi Tji,
I have read your postings. You seem to be an expert!!! I have a similar problem - perhaps you can help me too. I am trying to get a VPN Connection to my university with MacOSX 10.4.6 (PPC). They use a Cisco VPN 3000. To my mind it uses pure IPSEC. Yesterday Apple improved the built in VPN Client and my hope is that it now is able to connect to the Cisco VPN 3000. But with the built in GUI from Apple it does not work (for me). My university offers a .pcf file for the Cisco VPN Client (which I don't like to install) and they offer a tutorial for the Cisco VPN Client (http://web.uni-marburg.de/hrz/mac/vpn/) (anything in German language but a lot of screenshots...). Do you know if it is possible to get a connection with the built in software?

MatthewA 04-05-2006 12:45 PM

This worked great, thank you very much tji.

wplate 06-07-2006 01:16 PM

I always get the same message that was previously posted...
grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting

I run the script and after ERROR: pfkey.c:2205:pk_recvspddump(): such policy already exists. anyway replace it: the terminal doesn't advance any further, so I try to connect to a server behind the VPN and then the msg 5 not interesting messages start coming out.

I reset my DSL modem as a previous poster suggested, but that didn't help me.

Here are my VPN settings on the router:

-----------------------
IPSec Passthrough: ENABLED
PPTP Passthrough: DISABLED
L2TP Passthrough: DISABLED
----
VPN Tunnel: ENABLED
VPN Gateway: DISABLED
----
Local Secure Group: Subnet
IP Address: 192.168.0.0
Mask: 255.255.255.0
----
Remote Secure Group: Any
----
Remote Secure Gateway: Any
----
Encryption: 3DES
Authentication: MD5
----
Key Exchange Method: Auto(IKE)
PFS: DISABLED
Pre-Shared Key (ENABLED): 123456 (I've tried various things here)
RSA Signature (DISABLED): Please enter RSA!
Key Lifetime: 28000
----
ADVANCED SETUP
Phase 1
Operation Mode: Main
Encryption: 3DES
Authentication: MD5
Group: 1024-bit
Key Life Time: 28000

Phase 2
Encryption 3DES
Authentication: Disable (I tried to put this to "MD5" but it changes itself back to "Disable", is this the problem?)
PFS: Disabled
Group: 1024-bit
Key Life Time: 28000
----
NetBIOS broadcast: DISABLED
Anti-replay: ENABLED
Keep Alive: DISABLED
If IKE failed more than...: DISABLED
-----------------------

I'd sure like this to work, can anyone suggest what I should be doing next?

I'm using OS 10.4.6, and a WRV54G on firmware 2.37.

tji 06-07-2006 01:22 PM

Quote:

Originally Posted by Wellenbrett
Hi Tji,
I have read your postings. You seem to be an expert!!! I have a similar problem - perhaps you can help me too. I am trying to get a VPN Connection to my university with MacOSX 10.4.6 (PPC). They use a Cisco VPN 3000. To my mind it uses pure IPSEC. Yesterday Apple improved the built in VPN Client and my hope is that it now is able to connect to the Cisco VPN 3000. But with the built in GUI from Apple it does not work (for me). My university offers a .pcf file for the Cisco VPN Client (which I don't like to install) and they offer a tutorial for the Cisco VPN Client (http://web.uni-marburg.de/hrz/mac/vpn/) (anything in German language but a lot of screenshots...). Do you know if it is possible to get a connection with the built in software?

Sorry, I didn't see this earlier.. My script would not apply to Cisco IPSec, as it doesn't use the same proprietary connection as the Linksys.

As you mention, Cisco has a Mac VPN client. That's probably the best supported option. Other than that, the Mac OS VPN client might work, depending on how the cisco is set up. Some great VPN client GUIs to try are IPSecuritas and VPN Tracker. IPSecuritas is free and works with many VPNs, VPN Tracker works with even more, but costs money.

wplate 06-07-2006 01:35 PM

BTW, in my wrvinit.sh file I have these as my settings...

UserID=******
Passwd=******
VPNGW=66.15.XXX.XXX
PNET=192.168.0.0/24

The PNET is the one that concerns me.

tji 06-07-2006 02:00 PM

Quote:

Originally Posted by wplate
I always get the same message that was previously posted...
grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting

I run the script and after ERROR: pfkey.c:2205:pk_recvspddump(): such policy already exists. anyway replace it: the terminal doesn't advance any further, so I try to connect to a server behind the VPN and then the msg 5 not interesting messages start coming out.

I reset my DSL modem as a previous poster suggested, but that didn't help me.


Does the Linksys show that the client is connected in its VPN client status view?
Are you sure the router you're connecting through allows IPSec to pass? I have run into several that filter out IPSec.


I put up a www page with the script, and a bit more information here:

http://ignasiak.googlepages.com/macosxipsectowrv54g

tji 06-07-2006 02:06 PM

Quote:

Originally Posted by wplate
BTW, in my wrvinit.sh file I have these as my settings...

UserID=******
Passwd=******
VPNGW=66.15.XXX.XXX
PNET=192.168.0.0/24

The PNET is the one that concerns me.

That is a reasonable setting.. The first admin page on your router shows the correct settings as "Local IP Address" and "Subnet Mask". On that same page, at the top in the "Internet Connection Type" area it should show the external IP address of your router, which should match the VPNGW setting.

Your settings would be 192.168.0.{something} and 255.255.255.0
and, all the systems on your LAN would have addresses like 192.168.0.*

wplate 06-07-2006 02:15 PM

Quote:

Originally Posted by tji
Does the Linksys show that the client is connected in its VPN client status view?

No, it shows me disconnected.


Quote:

Originally Posted by tji
Are you sure the router you're connecting through allows IPSec to pass? I have run into several that filter out IPSec.

I am currently testing this while I am behind a WRV54G at home, trying to connect to the WRV54G at the office. I don't necessarily want to set up a network to network VPN because I want to set up my laptop to access the office from wherever I am.


Maybe the problem is in the Phase 2 setting that won't stay at MD5? I was going to upgrade the firmware on the router, but I'm remote from the office today trying to get this working.

tji 06-07-2006 02:29 PM

Quote:

Originally Posted by wplate
No, it shows me disconnected.

I think this means that the initial SSL session for user authentication failed. Make sure the username/password are correct on your work router that you're connecting to (re-enter them to make sure).

If possible, try connecting from a Windows machine with Linksys QuickVPN, as a sanity check.

wplate 06-07-2006 02:45 PM

1 Attachment(s)
Quote:

Originally Posted by tji
I think this means that the initial SSL session for user authentication failed. Make sure the username/password are correct on your work router that you're connecting to (re-enter them to make sure).

I've double-checked. Attached to this post is a text file showing my last attempt to connect. I ran the script, then I tried to connect to a server behind the VPN.


Quote:

If possible, try connecting from a Windows machine with Linksys QuickVPN, as a sanity check.
I thought of that yesterday, unfortunately I lost the CDs that came with the routers and I couldn't find the software on Linksys' web site.

Thank you, btw, for taking the time to help me.

tji 06-07-2006 10:50 PM

The connection log shows phase 2 was cancelled because of phase 1 timeout (i.e. no response to phase 1). This could be because of improper credentials or because of the connection being filtered. I use tcpdump to see if there are any response packets from the VPN gateway.

A google search turned up this link for QuickVPN: ftp://ftp.linksys.com/pub/network/Li...ckVPN_1028.exe

wplate 06-07-2006 11:28 PM

Thank you!

Sure enough even the QuickVPN fails. I've verified the username and password, though, and the server address is certainly correct, I also turned off the Windows firewall. Tomorrow I'll try this out not from home to see if my home WRV54G router is causing the problem.

Maybe I need to contact Linksys too.

wplate 06-13-2006 02:46 PM

I just wanted to update this thread that I cannot get QuickVPN to connect to my router. I've turned on syslog and I don't get anything appearing there when I try to log in but QuickVPN reports that the "remote gateway is not responding".

I'm going to contact Linksys support and see if they can help me.

hesageek 01-20-2007 12:31 PM

Has anyone tried the script or other software to connect to the new Linksys WRVS4400N?

tji or others, have you any good links or book recommendations for reading about IPSec?
Thx,

scott.mcveigh 03-18-2007 12:16 PM

Can not get script to run.
 
Well I was very happy to have found that I was the only one not able to connect to the Linksys VPN. I downloaded your latest file and tried to run it. But no luck. If I run it without sudo I get "Permisions Denied" which I expect. When I run it with sudo I get "Command not found." Any ideas? Maybe I am running sudo wrong. I have tried many ways and none seem to work.

tji 03-18-2007 06:53 PM

It's hard to say what's wrong without more debugging information.


All that should be required is:

- Customize the file with your settings

- run it with the command "sudo ./wrvinit.sh"

good luck.

DSA1 03-24-2007 08:31 PM

Quote:

Originally Posted by hesageek (Post 350729)
Has anyone tried the script or other software to connect to the new Linksys WRVS4400N?

Thx,

I am trying right now with no luck. Kudos to the original author of the script for the work and putting up the nice web link with more details.

I'm trying to get a MacBook Pro to VPN into a Linksys WRVS4400N. I've got an added complication in that I am trying to get in via a cell phone connection, so the script appears to run into trouble right at the beginning when it tries to determine the local ip address to use.

For testing purposes I edited the script to force the ip address on _en1 with what Network Utility reports.

That gets me past the no ipaddress to feed into the variable further down the script, but then I get:

line 3: syntax error at [.255.255.0].

I managed to get past that by changing the PNET to 192.168.0.1/24.

Next issue, which I think is the deal killer here is that it appears Linksys may have changed the format for the connection url or something along those lines. I had to turn off the -q in the wget command to open the connection. The resulting output ends in: "Unsupported scheme."

I'm a real novice at this, so really just shooting in the dark. Manually putting in my local ip on the cellular modem connection isn't a big deal, but I'm not even sure I'm going down the right path with that problem. The unsupported scheme can probably be figured out, but how do you go find the format QuickVPN is using with the new 4400N device?

Here's the output I am getting out of the script after my modifications...below that I'll post the output before I modified anything other than the required personal values:

sudo ./wrvinit.sh
Password:
Using the wireless ethernet, en1. Local Address: XX.XXX.XXX.XXX
https://MYNAME:MYPASSWORD@XX.XX.XX.X...X?USER=MYNAME: Unsupported scheme.
Foreground mode.
2007-03-24 17:09:11: INFO: main.c:176:main(): @(#)racoon 20001216 20001216 sakane@kame.net
2007-03-24 17:09:11: INFO: main.c:177:main(): @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
2007-03-24 17:09:11: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for AH
2007-03-24 17:09:11: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for ESP
2007-03-24 17:09:11: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for IPCOMP
2007-03-24 17:09:11: DEBUG: cftoken.l:567:yycf_set_buffer(): reading config file /etc/racoon/wrv_racoon.conf
2007-03-24 17:09:11: DEBUG: pfkey.c:2292:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2007-03-24 17:09:11: ERROR: isakmp.c:1559:isakmp_setup_socket(): failed to bind (Can't assign requested address).
2007-03-24 17:09:11: ERROR: isakmp.c:1646:isakmp_open(): no address could be bound.

Here's the output showing no ip address obtained on e1 or e0 automatically:

sudo ./wrvinit2.sh
Password:
Using the wired ethernet port, en0. Local Address:
Using the wireless ethernet, en1. Local Address:
line 3: syntax error at [32]
parse failed, line 3.
Foreground mode.
2007-03-24 17:26:42: INFO: main.c:176:main(): @(#)racoon 20001216 20001216 sakane@kame.net
2007-03-24 17:26:42: INFO: main.c:177:main(): @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
2007-03-24 17:26:42: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for AH
2007-03-24 17:26:42: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for ESP
2007-03-24 17:26:42: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for IPCOMP
2007-03-24 17:26:42: DEBUG: cftoken.l:567:yycf_set_buffer(): reading config file /etc/racoon/wrv_racoon.conf
2007-03-24 17:26:42: ERROR: cftoken.l:484:yyerror(): /etc/racoon/wrv_racoon.conf:42: "32" syntax error
2007-03-24 17:26:42: ERROR: cfparse.y:1394:cfparse(): fatal parse failure (1 errors)
racoon: failed to parse configuration file.
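
A triage pass over the two script outputs in the post above, as an added example that is not part of the thread or of wrvinit.sh: in both outputs racoon still starts after an earlier step has already failed, so the function reports every failed setup stage, earliest first. The stage labels and function names are assumptions made for this example; the sample lines are excerpted from the post.

```shell
#!/bin/sh
# Added example: classify wrvinit.sh/racoon output by the setup stage that failed.
# Stage labels are this example's own names, not racoon or Linksys terms.

# Reads script output on stdin; prints one stage label per line, earliest stage first.
triage_wrvinit() {
    awk '
    # The script named an interface but printed nothing after "Local Address:".
    /Local Address:[ \t]*$/ { hit["no-local-address"] = 1 }
    # The HTTPS request for the pre-shared key did not complete (wget or curl error).
    /Unsupported scheme/ || /^curl: \([0-9]+\) / { hit["psk-fetch-failed"] = 1 }
    # racoon rejected the generated configuration file.
    /fatal parse failure/ || /failed to parse configuration file/ { hit["racoon-config-invalid"] = 1 }
    # racoon could not open its IKE socket on the configured local address.
    /failed to bind/ || /no address could be bound/ { hit["isakmp-bind-failed"] = 1 }
    # racoon is listening; anything still wrong is in the IKE exchange itself.
    /used as isakmp port/ { hit["isakmp-listening"] = 1 }
    END {
        n = split("no-local-address psk-fetch-failed racoon-config-invalid isakmp-bind-failed isakmp-listening", stage, " ")
        found = 0
        for (i = 1; i <= n; i++)
            if (stage[i] in hit) { print stage[i]; found = 1 }
        if (!found) print "no-known-failure"
    }'
}

# Excerpt of the first output in the post (local address forced by hand).
sample_forced_address() {
    cat <<'EOF'
Using the wireless ethernet, en1. Local Address: XX.XXX.XXX.XXX
https://MYNAME:MYPASSWORD@XX.XX.XX.X...X?USER=MYNAME: Unsupported scheme.
Foreground mode.
2007-03-24 17:09:11: DEBUG: cftoken.l:567:yycf_set_buffer(): reading config file /etc/racoon/wrv_racoon.conf
2007-03-24 17:09:11: ERROR: isakmp.c:1559:isakmp_setup_socket(): failed to bind (Can't assign requested address).
2007-03-24 17:09:11: ERROR: isakmp.c:1646:isakmp_open(): no address could be bound.
EOF
}

# Excerpt of the second output in the post (no address found on en0 or en1).
sample_no_address() {
    cat <<'EOF'
Using the wired ethernet port, en0. Local Address:
Using the wireless ethernet, en1. Local Address:
line 3: syntax error at [32]
parse failed, line 3.
Foreground mode.
2007-03-24 17:26:42: ERROR: cftoken.l:484:yyerror(): /etc/racoon/wrv_racoon.conf:42: "32" syntax error
2007-03-24 17:26:42: ERROR: cfparse.y:1394:cfparse(): fatal parse failure (1 errors)
racoon: failed to parse configuration file.
EOF
}

# Demo: run the triage over both excerpts.
for sample in sample_forced_address sample_no_address; do
    echo "== $sample"
    "$sample" | triage_wrvinit
done
```

To use it on a live run, pipe the script's combined output through the function, for example by capturing stdout and stderr to a file first and feeding that file to `triage_wrvinit`.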

DSA1 03-24-2007 09:18 PM

Quote:

Originally Posted by scott.mcveigh (Post 366161)
Well I was very happy to have found that I was the only one not able to connect to the Linksys VPN. I downloaded your latest file and tried to run it. But no luck. If I run it without sudo I get "Permisions Denied" which I expect. When I run it with sudo I get "Command not found." Any ideas? Maybe I am running sudo wrong. I have tried many ways and none seem to work.


Sounds like you don't have wget program installed...?

DSA1 03-25-2007 01:50 PM

Quote:

Originally Posted by DSA1 (Post 367714)
For testing purposes I edited the script to force the ip address on _en1 with what Network Utility reports.

That gets me past the no ipaddress to feed into the variable further down the script, but then I get:

After giving this more thought, I think I'm down the wrong path with that. Does anyone know the adapter name of a modem connection? Scrolling through my Network Utility I don't see any that give the proper ip_address for my mobile cell connection.

I've tried getting ipconfig getifaddr on all the en and ppp adapters listed in Netstat routing tables.

tji 03-26-2007 08:15 AM

"ifconfig" will show a listing of all your interface names and addresses.

You might be better off trying to simplify the testing first. Such as, trying the VPN connection through a WiFi connection first, then trying the cellular modem once you confirm the basics are working.

DSA1 03-28-2007 02:57 PM

Thanks for the response. I actually tried to find an open wifi other than my own network to test it just that way, but no luck in my neighborhood, and hadn't had a chance to work on this more this week.

I did just try ifconfig (thanks for that tip) and I think it confirmed what I suspected (ppp0) is what I want to bind to, but modifying the script to look at ppp0 instead of en0 produces a syntax error and parse failed error in line 3.

Here's the output from ifconfig for the only adapter that doesn't list as closed or inactive:

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 75.xxx.xxx.20 --> 66.xx.xx.69 netmask 0xff000000

I'll keep looking for another network to get in on and make sure everything else is copacetic, but I'm in trouble if I can't get past this inability to log in via cellular. May have to get a new VPN router. Darn hard finding anything that works nicely with a MAC that isn't just passthrough or pptp.


EDIT: I tried the script as is (with just my personal information edited into it) from behind work's router - I can't connect, but that surely is a firewall issue. As far as the script running and binding to the adapter properly, all goes well, no error messages, no parse failure messages. Seems for sure trying to bind to the ppp0 is the problem.

I'll still look for an open wifi (wardriving anyone?) just to test my router setup works.

DSA1 04-06-2007 09:28 AM

Quote:

Originally Posted by tji (Post 367984)
You might be better off trying to simplify the testing first. Such as, trying the VPN connection through a WiFi connection first, then trying the cellular modem once you confirm the basics are working.

I was finally able to do this, and not working. That was frustrating. The Linksys site implies that QuickVPN is the same for all its routers that support it, so I fully expected no problems. QuickVPN client from a Virtual Machine (Parallels) does connect successfully, even over cellular modem. If you have any ideas, I'd really appreciate it.

The script appears to run flawlessly using Wifi, attaching to en1 and sending off information to the router, but then eventually times out with no phase 1 response from the router. The router even logs some activity on the VPN, but never responds to negotiation.

Are the ports here accurate (ie, 500? I thought QuickVPN did something on 443.) Also, totally unrelated to the script, but reading the QuickVPN FAQ on Linksys, it claims that QuickVPN changes the internal lan ip addresses to 10.x.x.x, which will mess up internal devices on the lan with fixed ips. Is that your experience?

Here's the router log sample (ip addresses changed to protect the innocent):

Apr 2 14:35:51 - [VPN Log]: packet from 17.255.240.94:4865: received Vendor ID payload [RFC 3947] method set to=109
Apr 2 14:35:51 - [VPN Log]: packet from 17.255.240.94:4865: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Apr 2 14:35:51 - [VPN Log]: packet from 17.255.240.94:4865: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Apr 2 14:35:51 - [VPN Log]: packet from 17.255.240.94:4865: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Apr 2 14:35:51 - [VPN Log]: packet from 17.255.240.94:4865: initial Main Mode message received on 92.124.23.44:500 but no connection has been authorized

Here's the output from wrvinit (note, the times are off by an hour, but it's the same session - looks like the router has not adjusted for the time change):

sudo ./wrvinit2.sh
Password:
Using the wireless ethernet, en1. Local Address: 10.232.23.83
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:02:30 --:--:-- 0
curl: (52) Empty reply from server
Foreground mode.
2007-04-02 15:31:21: INFO: main.c:176:main(): @(#)racoon 20001216 20001216 sakane@kame.net
2007-04-02 15:31:21: INFO: main.c:177:main(): @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
2007-04-02 15:31:21: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for AH
2007-04-02 15:31:21: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for ESP
2007-04-02 15:31:21: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for IPCOMP
2007-04-02 15:31:21: DEBUG: cftoken.l:567:yycf_set_buffer(): reading config file /etc/racoon/wrv_racoon.conf
2007-04-02 15:31:21: DEBUG: pfkey.c:2292:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2007-04-02 15:31:21: DEBUG: isakmp.c:1611:isakmp_open(): 10.232.23.83[500] used as isakmp port (fd=7)
2007-04-02 15:31:21: DEBUG: isakmp.c:1629:isakmp_open(): 10.232.23.83[4500] used as nat-t isakmp port (fd=8)
2007-04-02 15:31:21: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message
2007-04-02 15:31:21: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message
2007-04-02 15:31:21: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbffff8c8: 10.232.23.83/32[0] 192.168.1.0/24[0] proto=any dir=out
2007-04-02 15:31:21: DEBUG: policy.c:185:cmpspidxstrict(): db :0x306db8: 192.168.1.0/24[0] 10.232.23.83/32[0] proto=any dir=in
2007-04-02 15:33:42: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE message
2007-04-02 15:33:42: DEBUG: pfkey.c:1567:pk_recvacquire(): suitable outbound SP found: 10.232.23.83/32[0] 192.168.1.0/24[0] proto=any dir=out.
2007-04-02 15:33:42: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbffff8b4: 192.168.1.0/24[0] 10.232.23.83/32[0] proto=any dir=in
2007-04-02 15:33:42: DEBUG: policy.c:185:cmpspidxstrict(): db :0x306db8: 192.168.1.0/24[0] 10.232.23.83/32[0] proto=any dir=in
2007-04-02 15:33:42: DEBUG: pfkey.c:1583:pk_recvacquire(): suitable inbound SP found: 192.168.1.0/24[0] 10.232.23.83/32[0] proto=any dir=in.
2007-04-02 15:33:42: DEBUG: pfkey.c:1622:pk_recvacquire(): new acquire 10.232.23.83/32[0] 192.168.1.0/24[0] proto=any dir=out
2007-04-02 15:33:42: DEBUG: proposal.c:826:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2007-04-02 15:33:42: DEBUG: proposal.c:860:printsatrns(): (trns_id=3DES encklen=0 authtype=1)
2007-04-02 15:33:42: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 92.124.23.44.
2007-04-02 15:33:42: INFO: isakmp.c:2047:isakmp_post_acquire(): IPsec-SA request for 92.124.23.44 queued due to no phase1 found.
2007-04-02 15:33:42: DEBUG: isakmp.c:1028:isakmp_ph1begin_i(): ===
2007-04-02 15:33:42: INFO: isakmp.c:1033:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 10.232.23.83[500]<=>92.124.23.44[500]
2007-04-02 15:33:42: INFO: isakmp.c:1038:isakmp_ph1begin_i(): begin Identity Protection mode.
2007-04-02 15:33:42: DEBUG: isakmp.c:2359:isakmp_newcookie(): new cookie:
d7977a86364fa7c0
2007-04-02 15:33:42: DEBUG: isakmp.c:2476:set_isakmp_payload(): add payload of len 48, next type 13
2007-04-02 15:33:42: DEBUG: isakmp.c:2476:set_isakmp_payload(): add payload of len 16, next type 13
2007-04-02 15:33:42: DEBUG: isakmp.c:2476:set_isakmp_payload(): add payload of len 16, next type 13
2007-04-02 15:33:42: DEBUG: isakmp.c:2476:set_isakmp_payload(): add payload of len 16, next type 13
2007-04-02 15:33:42: DEBUG: isakmp.c:2476:set_isakmp_payload(): add payload of len 16, next type 0
2007-04-02 15:33:42: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.232.23.83[500]
2007-04-02 15:33:42: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.232.23.83[500]
2007-04-02 15:33:42: DEBUG: sockmisc.c:425:sendfromto(): send packet to 92.124.23.44[500]
2007-04-02 15:33:42: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 160 bytes message will be sent to 10.232.23.83[500]
2007-04-02 15:33:42: DEBUG: plog.c:199:plogdump():
d7977a86 364fa7c0 00000000 00000000 01100200 00000000 000000a0 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 0d000014 4a131c81 07035845 5c5728f2
0e95452f 0d000014 4df37928 e9fc4fd1 b3262170 d515c662 0d000014 cd604643
35df21f8 7cfdb2fc 68b6a448 00000014 90cb8091 3ebb696e 086381b5 ec427b1f
2007-04-02 15:33:42: DEBUG: isakmp.c:1803:isakmp_ph1resend(): resend phase1 packet d7977a86364fa7c0:0000000000000000
2007-04-02 15:33:53: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting
2007-04-02 15:33:56: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting
2007-04-02 15:34:02: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.232.23.83[500]
2007-04-02 15:34:02: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.232.23.83[500]
2007-04-02 15:34:02: DEBUG: sockmisc.c:425:sendfromto(): send packet to 92.124.23.44[500]
2007-04-02 15:34:02: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 160 bytes message will be sent to 10.232.23.83[500]
2007-04-02 15:34:02: DEBUG: plog.c:199:plogdump():
d7977a86 364fa7c0 00000000 00000000 01100200 00000000 000000a0 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 0d000014 4a131c81 07035845 5c5728f2
0e95452f 0d000014 4df37928 e9fc4fd1 b3262170 d515c662 0d000014 cd604643
35df21f8 7cfdb2fc 68b6a448 00000014 90cb8091 3ebb696e 086381b5 ec427b1f
2007-04-02 15:34:02: DEBUG: isakmp.c:1803:isakmp_ph1resend(): resend phase1 packet d7977a86364fa7c0:0000000000000000
2007-04-02 15:34:02: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting
2007-04-02 15:34:13: ERROR: isakmp.c:2139:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 92.124.23.44->10.232.23.83
2007-04-02 15:34:13: INFO: isakmp.c:2144:isakmp_chkph1there(): delete phase 2 handler.
2007-04-02 15:34:14: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting
2007-04-02 15:34:14: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE message
2007-04-02 15:34:14: DEBUG: pfkey.c:1567:pk_recvacquire(): suitable outbound SP found: 10.232.23.83/32[0] 192.168.1.0/24[0] proto=any dir=out.
2007-04-02 15:34:14: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbffff8b4: 192.168.1.0/24[0] 10.232.23.83/32[0] proto=any dir=in
2007-04-02 15:34:14: DEBUG: policy.c:185:cmpspidxstrict(): db :0x306db8: 192.168.1.0/24[0] 10.232.23.83/32[0] proto=any dir=in
2007-04-02 15:34:14: DEBUG: pfkey.c:1583:pk_recvacquire(): suitable inbound SP found: 192.168.1.0/24[0] 10.232.23.83/32[0] proto=any dir=in.
2007-04-02 15:34:14: DEBUG: pfkey.c:1622:pk_recvacquire(): new acquire 10.232.23.83/32[0] 192.168.1.0/24[0] proto=any dir=out
2007-04-02 15:34:14: DEBUG: proposal.c:826:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2007-04-02 15:34:14: DEBUG: proposal.c:860:printsatrns(): (trns_id=3DES encklen=0 authtype=1)
2007-04-02 15:34:14: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 92.124.23.44.
2007-04-02 15:34:14: INFO: isakmp.c:2066:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2007-04-02 15:34:22: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.232.23.83[500]
2007-04-02 15:34:22: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.232.23.83[500]
2007-04-02 15:34:22: DEBUG: sockmisc.c:425:sendfromto(): send packet to 92.124.23.44[500]
2007-04-02 15:34:22: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 160 bytes message will be sent to 10.232.23.83[500]
2007-04-02 15:34:22: DEBUG: plog.c:199:plogdump():
d7977a86 364fa7c0 00000000 00000000 01100200 00000000 000000a0 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 0d000014 4a131c81 07035845 5c5728f2
0e95452f 0d000014 4df37928 e9fc4fd1 b3262170 d515c662 0d000014 cd604643
35df21f8 7cfdb2fc 68b6a448 00000014 90cb8091 3ebb696e 086381b5 ec427b1f
2007-04-02 15:34:22: DEBUG: isakmp.c:1803:isakmp_ph1resend(): resend phase1 packet d7977a86364fa7c0:0000000000000000
2007-04-02 15:34:38: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting
2007-04-02 15:34:38: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE message
2007-04-02 15:34:38: DEBUG: pfkey.c:1551:pk_recvacquire(): ignore the acquire because ph2 found
2007-04-02 15:34:42: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.232.23.83[500]
2007-04-02 15:34:42: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.232.23.83[500]
2007-04-02 15:34:42: DEBUG: sockmisc.c:425:sendfromto(): send packet to 92.124.23.44[500]
2007-04-02 15:34:42: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 160 bytes message will be sent to 10.232.23.83[500]
2007-04-02 15:34:42: DEBUG: plog.c:199:plogdump():
d7977a86 364fa7c0 00000000 00000000 01100200 00000000 000000a0 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 0d000014 4a131c81 07035845 5c5728f2
0e95452f 0d000014 4df37928 e9fc4fd1 b3262170 d515c662 0d000014 cd604643
35df21f8 7cfdb2fc 68b6a448 00000014 90cb8091 3ebb696e 086381b5 ec427b1f
2007-04-02 15:34:42: DEBUG: isakmp.c:1803:isakmp_ph1resend(): resend phase1 packet d7977a86364fa7c0:0000000000000000
2007-04-02 15:34:45: ERROR: isakmp.c:2139:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 92.124.23.44->10.232.23.83
2007-04-02 15:34:45: INFO: isakmp.c:2144:isakmp_chkph1there(): delete phase 2 handler.
2007-04-02 15:35:02: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.232.23.83[500]
2007-04-02 15:35:02: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.232.23.83[500]
2007-04-02 15:35:02: DEBUG: sockmisc.c:425:sendfromto(): send packet to 92.124.23.44[500]
2007-04-02 15:35:02: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 160 bytes message will be sent to 10.232.23.83[500]
2007-04-02 15:35:02: DEBUG: plog.c:199:plogdump():
d7977a86 364fa7c0 00000000 00000000 01100200 00000000 000000a0 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 0d000014 4a131c81 07035845 5c5728f2
0e95452f 0d000014 4df37928 e9fc4fd1 b3262170 d515c662 0d000014 cd604643
35df21f8 7cfdb2fc 68b6a448 00000014 90cb8091 3ebb696e 086381b5 ec427b1f
2007-04-02 15:35:02: DEBUG: isakmp.c:1803:isakmp_ph1resend(): resend phase1 packet d7977a86364fa7c0:0000000000000000
2007-04-02 15:35:22: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.232.23.83[500]
2007-04-02 15:35:22: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.232.23.83[500]
2007-04-02 15:35:22: DEBUG: sockmisc.c:425:sendfromto(): send packet to 92.124.23.44[500]
2007-04-02 15:35:22: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 160 bytes message will be sent to 10.232.23.83[500]
2007-04-02 15:35:22: DEBUG: plog.c:199:plogdump():
d7977a86 364fa7c0 00000000 00000000 01100200 00000000 000000a0 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 0d000014 4a131c81 07035845 5c5728f2
0e95452f 0d000014 4df37928 e9fc4fd1 b3262170 d515c662 0d000014 cd604643
35df21f8 7cfdb2fc 68b6a448 00000014 90cb8091 3ebb696e 086381b5 ec427b1f
2007-04-02 15:35:22: DEBUG: isakmp.c:1803:isakmp_ph1resend(): resend phase1 packet d7977a86364fa7c0:0000000000000000
2007-04-02 15:35:42: ERROR: isakmp.c:1791:isakmp_ph1resend(): phase1 negotiation failed due to time up. d7977a86364fa7c0:0000000000000000
^C2007-04-02 15:40:31: INFO: session.c:331:check_sigreq(): caught signal 2
2007-04-02 15:40:31: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey FLUSH message
2007-04-02 15:40:32: DEBUG: pfkey.c:271:pfkey_dump_sadb(): call pfkey_send_dump
2007-04-02 15:40:32: INFO: session.c:199:close_session(): racoon shutdown
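
Added example, not part of DSA1's post or of the wrvinit script: decoding the phase 1 packet that racoon dumps above shows what the client is offering to the router, and that the responder cookie stays all zeros on every resend. Field layouts and value tables follow RFC 2408 and RFC 2409; the function names are illustrative.

```python
import struct

# Phase 1 packet copied from the plogdump() lines in the racoon output above.
PH1_HEX = """
d7977a86 364fa7c0 00000000 00000000 01100200 00000000 000000a0 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 0d000014 4a131c81 07035845 5c5728f2
0e95452f 0d000014 4df37928 e9fc4fd1 b3262170 d515c662 0d000014 cd604643
35df21f8 7cfdb2fc 68b6a448 00000014 90cb8091 3ebb696e 086381b5 ec427b1f
"""
PH1 = bytes.fromhex("".join(PH1_HEX.split()))

EXCHANGE = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational"}
# IKEv1 phase 1 attribute classes and a few of their values (RFC 2409, Appendix A).
ATTR = {1: "encryption", 2: "hash", 3: "auth", 4: "dh_group",
        11: "life_type", 12: "life_duration"}
VALUE = {"encryption": {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
         "hash": {1: "MD5", 2: "SHA1"},
         "auth": {1: "pre-shared key", 3: "RSA signatures"},
         "dh_group": {1: "MODP-768", 2: "MODP-1024", 5: "MODP-1536"},
         "life_type": {1: "seconds", 2: "kilobytes"}}


def parse_isakmp(data):
    """Decode the 28-byte ISAKMP header and walk the generic payload chain."""
    if len(data) < 28:
        raise ValueError("shorter than an ISAKMP header")
    icookie, rcookie, nxt, version, xchg, flags, _msgid, length = struct.unpack(
        ">8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError("header says %d bytes, got %d" % (length, len(data)))
    payloads, off = [], 28
    while nxt != 0:
        if off + 4 > len(data):
            raise ValueError("payload chain runs past end of packet")
        following, _reserved, plen = struct.unpack(">BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length at offset %d" % off)
        payloads.append((nxt, data[off + 4:off + plen]))   # (type, body)
        nxt, off = following, off + plen
    return {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
            "version": "%d.%d" % (version >> 4, version & 0x0F),
            "exchange": EXCHANGE.get(xchg, xchg), "encrypted": bool(flags & 1),
            "length": length, "payloads": payloads}


def phase1_transforms(sa_body):
    """Decode the transforms of the first proposal in an SA payload body."""
    spi_size, count = sa_body[14], sa_body[15]   # proposal header is bytes 8..15
    out, off = [], 16 + spi_size
    for _ in range(count):
        tlen = struct.unpack(">H", sa_body[off + 2:off + 4])[0]
        attrs, pos, end = {}, off + 8, off + tlen
        while pos + 4 <= end:
            atype, aval = struct.unpack(">HH", sa_body[pos:pos + 4])
            name = ATTR.get(atype & 0x7FFF, "attr_%d" % (atype & 0x7FFF))
            if atype & 0x8000:                   # TV form: 16-bit value inline
                attrs[name] = VALUE.get(name, {}).get(aval, aval)
                pos += 4
            else:                                # TLV form: aval is the value length
                attrs[name] = int.from_bytes(sa_body[pos + 4:pos + 4 + aval], "big")
                pos += 4 + aval
        out.append(attrs)
        off = end
    return out


if __name__ == "__main__":
    msg = parse_isakmp(PH1)
    print(msg["exchange"], msg["length"], "bytes, responder cookie", msg["responder_cookie"])
    for ptype, body in msg["payloads"]:
        if ptype == 1:        # SA payload
            print("proposal:", phase1_transforms(body))
        elif ptype == 13:     # Vendor ID payload
            print("vendor id:", body.hex())
```

The four Vendor ID payloads appear in the same order as the four "received Vendor ID payload" lines in the router log sample.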

DSA1 04-22-2007 11:09 AM

Quote:

Originally Posted by DSA1 (Post 367714)
I am trying right now with no luck. Kudos to the original author of the script for the work and putting up the nice web link with more details.

I'm trying to get a MacBook Pro to VPN into a Linksys WRVS4400N. I've got an added complication in that I am trying to get in via a cell phone connection, so the script appears to run into trouble right at the beginning when it tries to determine the local ip address to use.

Well, I'm not quite ready to give up on this script, since it seems like it should work, and it bugs me when things that should work don't.

BUT, for those looking to get their Macs connected to the WRVS4400N, good news. Despite past failures with both IPSecuritas and VPNTracker, I've managed to get them working now. It must have been user error on my first attempts.

To get either working, forget about the QuickVPN tab in your Router completely. You must set up full IPSec tunnel. In VPNTracker, you need to create a new device under the Other tab, you can't use the LinkSys tab, none of the devices there will work. Once you've created the new device, then just set up each part of the connection tab to match all the settings on the basic IPSec Tunnel page, AND the ADVANCED button for Phase1 and Phase2 negotiations. Works perfectly. Same basic setup in IPSecuritas (which I recommend, because it's Free/Donationware). I also like that IPSecuritas has a widget and menu bar icon for quick connections.

Back to this script we've been posting about, I'm able to set up IPSec VPN over my cellphone modem with both the above programs; so there still seems to be a major roadblock with this script's handling of binding to the proper IP address which is ppp(0), but which is also reflected in Network Utility as rolling into both en(1) and en(2).

legacyb4 05-01-2007 07:13 PM

Testing this out from a hotel room and I get:

Quote:

Connection Information:
-----------------------

Connecting as user: legacyb4, (uid=0)
Connecting to WRV54G VPN Gateway called my.home.network at IP Address 70.68.xx.xxx
Network protected by VPN gateway: 192.168.1.0/24
Using the wireless ethernet, en1. Local Address: 192.168.90.100

-----------------------

Connecting to WRV54G via https to authenticate user

curl: (7) couldn't connect to host
Connection completed. Configuring IPSec.
Configuration files built. Setting IPSec key information
Starting IPSec conection server, racoon.
Foreground mode.

Any idea why curl is erroring out?

gcdone 07-27-2007 01:23 PM

How do I add the script
 
Hello, I downloaded the script, however I have no idea where to put it on my Mac. Please send me some procedures in order to make this happen.

thank you:(

csalzman 09-16-2008 04:41 PM

Please Help - wrvinit.sh not working.
 
I have tried and tried. It seems to connect, but I cannot connect to the remote resource. Here is what I get (question will follow):


cs:~ csalzman$ cd Desktop
cs:Desktop csalzman$ sudo sh wrvinitc.sh
Password:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 152 0 152 0 0 24 0 --:--:-- 0:00:06 --:--:-- 38
line 3: syntax error at [any]
parse failed, line 3.
Foreground mode.
2008-09-16 13:38:23: [18831] INFO: ***** racoon started: pid=18831 started by: 18818
2008-09-16 13:38:23: [18831] INFO: @(#) racoon / IPsec-tools
2008-09-16 13:38:23: [18831] INFO: @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
2008-09-16 13:38:23: [18831] DEBUG: call pfkey_send_register for AH
2008-09-16 13:38:23: [18831] DEBUG: call pfkey_send_register for ESP
2008-09-16 13:38:23: [18831] DEBUG: call pfkey_send_register for IPCOMP
2008-09-16 13:38:23: [18831] DEBUG: ===== parse config
2008-09-16 13:38:23: [18831] DEBUG: reading config file /etc/racoon/wrv_racoon.conf
2008-09-16 13:38:23: [18831] WARNING: /etc/racoon/wrv_racoon.conf:31: "support_mip6" it is obsoleted. use "support_proxy".
2008-09-16 13:38:23: [18831] ERROR: /etc/racoon/wrv_racoon.conf:42: "32" syntax error
2008-09-16 13:38:23: [18831] ERROR: fatal parse failure (1 errors)
racoon: failed to parse configuration file.
cs:Desktop csalzman$

A couple of things: I am running Leopard.

sudo /.wrvinit.sh does not work, but sudo sh wrvinit.sh does.
I cannot connect to remote resource, which is a Windows box, off of my WRV54G running 2.39.2 firmware.

Please, any help appreciated. If I log onto my router, it says I have a connection, but I cannot connect to a shared resource, or even see the remote box.


Thanks

zpurcey 01-25-2009 06:44 PM

0.93 - Couple of updates to the Curl wrvinit.sh version
 
# 0.93 01/25/09 - Switched to ifconfig for linux compatibility
# - Added lookup for USB WAN card (ppp0 interface)
# - Tested with WRV200 and WRV54G
# - Hardware Version: WRTR-147G_V02
# - Software Version: 1.0.39
# - Update by Andrew Purcell zpurcey@gmail.com

Download here:
http://sites.google.com/a/signature-...attredirects=0

I am running 2.39.2 software on the WRV54G. See above for details for the hw/sw on the WRV200.

Thanks to the original author Todd Ignasiak and others contributing!

Cheers,

Andrew.

tji 08-12-2009 07:51 PM

Hi.. I originally started this thread & made the script. I had switched to a different VPN device a long time ago, which recently failed and I put the old WRV54G back into action.

I'm wondering if anyone else is still using this script?

I upgraded the firmware in my WRV54G to 2.39.2e, and found that it will no longer complete IPSec sessions when the client is passing through a NAT gateway. I could swear it worked through NAT before.

Description of what I'm seeing, for others debugging problems:
When I look at the firewall logs, I see the WRV54G dropping the IKE packet. The IPSec spec said IKE was supposed to have both Source and Destination port of 500.. I have no clue why they would require that, but the WRV54G appears to enforce it. It drops any IKE packet without a source port of 500. If I connect via a connection that is not NAT'd, my IKE packets have SRC and DST port 500 and it works fine.
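
An added example, not part of tji's post or of the wrvinit script: the source-port check described above, applied to the router log format posted earlier in this thread. The function name and the final sample line (a peer that is not behind NAT) are constructed for illustration.

```python
import re
from collections import defaultdict

# First five lines: the router log sample posted earlier in this thread
# (addresses already altered by the poster). Last line: constructed for contrast.
ROUTER_LOG = """\
Apr 2 14:35:51 - [VPN Log]: packet from 17.255.240.94:4865: received Vendor ID payload [RFC 3947] method set to=109
Apr 2 14:35:51 - [VPN Log]: packet from 17.255.240.94:4865: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Apr 2 14:35:51 - [VPN Log]: packet from 17.255.240.94:4865: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Apr 2 14:35:51 - [VPN Log]: packet from 17.255.240.94:4865: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Apr 2 14:35:51 - [VPN Log]: packet from 17.255.240.94:4865: initial Main Mode message received on 92.124.23.44:500 but no connection has been authorized
Apr 2 14:41:07 - [VPN Log]: packet from 198.51.100.7:500: received Vendor ID payload [RFC 3947] method set to=109
"""

IKE_PORT = 500
LINE = re.compile(
    r"\[VPN Log\]: packet from (?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+): (?P<msg>.*)")
VENDOR_ID = re.compile(r"received Vendor ID payload \[([^\]]+)\]")


def triage(log_text):
    """Group router VPN log lines by peer and flag the conditions seen in the thread."""
    peers = defaultdict(lambda: {"ports": set(), "vendor_ids": [], "unauthorized": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m is None:
            continue                      # not an IKE packet line
        peer = peers[m.group("ip")]
        peer["ports"].add(int(m.group("port")))
        vid = VENDOR_ID.search(m.group("msg"))
        if vid:
            peer["vendor_ids"].append(vid.group(1))
        if "no connection has been authorized" in m.group("msg"):
            peer["unauthorized"] = True

    report = {}
    for ip, seen in peers.items():
        report[ip] = {
            "source_ports": sorted(seen["ports"]),
            # A source port other than 500 means something on the path rewrote it;
            # per the post above, firmware 2.39.2e drops such IKE packets.
            "nat_rewrote_source_port": bool(seen["ports"] - {IKE_PORT}),
            # The peer advertised NAT traversal support in its Vendor ID payloads.
            "offers_nat_t": any("nat-t" in v or v == "RFC 3947"
                                for v in seen["vendor_ids"]),
            # The router saw Main Mode start but had no authorized connection for it.
            "unauthorized": seen["unauthorized"],
        }
    return report


if __name__ == "__main__":
    for ip, findings in triage(ROUTER_LOG).items():
        print(ip, findings)
```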

msneed 08-13-2009 05:05 PM

Hi
 
Sorry if I'm in the wrong place, however I am new to this and am trying to learn. I am hoping someone can help. I think someone has been accessing my MacBook with Unix. I found this in the register. It looks to me like someone has been accessing it from a local address. Can anyone tell me what they see?


Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            home               UGSc       25       14  en1
127                localhost          UCS         0        0  lo0
localhost          localhost          UH          0     1497  lo0
169.254            link#4             UCS         0        0  en1
192.168.1          link#4             UCS         3        0  en1
192.168.1.65       localhost          UHS         2      516  lo0
192.168.1.73       0:26:4a:cb:bc:72   UHLW        0       43  en1    479
home               0:23:51:34:b8:81   UHLW       36      184  en1   1184
192.168.1.255      link#4             UHLWb       3      233  en1

Internet6:
Destination        Gateway            Flags    Netif Expire
localhost          link#1             UHL      lo0
fe80::%lo0         localhost          Uc       lo0
localhost          link#1             UHL      lo0
fe80::%en1         link#4             UC       en1
melody-sneeds-imac 0:23:12:1b:c3:a8   UHL      lo0
ff01::             localhost          U        lo0
ff02::             localhost          UC       lo0
ff02::             link#4             UC       en1


All times are GMT -5. The time now is 08:04 PM.
