VPN Bug Report Unix

From Shrew Soft Inc
Jump to: navigation, search


This guide describes what information should be included when submitting a VPN Client for Linux/BSD bug report to the vpn-help mailing list. Please read this information carefully as the likelihood of getting a problem corrected is usually directly related to the quality of the bug report being submitted.

Describe Your Problem Clearly

Please describe the problem symptoms and the circumstance under which the problem occurs. It is also very important to note how the problem can be re-produced.

Include Your Client and Gateway Information

Please include your client and gateway information with each new problem report. The following information should be stated.

  • VPN Client Version
  • Linux or BSD OS Version
  • Gateway Make/Model
  • Gateway OS Version ( if known )

Include Debug Output if Requested

After posting your initial problem report to the vpn-help mailing list, we may request that you provide additional information. The Shrew Soft VPN Client has several options that can be enabled which produce valuable debug output. This information is often essential to help isolate and resolve a reported problem. To gather this information, perform the following steps.

Enable IKE Daemon Debug Output

To enable the IKE daemon debug output, open your iked.conf file with a text editor. Modify the daemon section of the file by seting the log_level option to debug and specifying a custom log output file path. Also specify a path for the pcap_decrypt option ( if requested ).

    socket ike 500;
    socket natt 4500;

    log_level debug;
    log_file "/var/log/iked.log";

    pcap_decrypt "/var/log/dump-ike-decrypt.cap";

Restart the IKE daemon. If your platform provides a Linux init script or BSD rc script, use it to restart the daemon.

# /etc/init.d/iked restart

To manually restart the service, first locate the iked process id and use the kill utility to stop the daemon. Afterwords you can restart the daemon. You will need root equivalent privileges to perform these steps.

# ps aux | grep iked
root    54252  0.0  1.1  4536  2896  ??  Ss    7:53PM   0:00.01 iked
# kill 54252
# iked

Reproduce Your Problem

While reproducing your problem, the VPN Client will capture debug output to be submitted with your bug report.

Copy IKE Daemon Debug Output Files

To make a copy of the IKE daemon debug output, perform the following steps.

  • Make sure the IKE daemon is not running
  • Copy the following files to a temporary directory
    • /var/log/iked.log
    • /var/log/dump-ike-decrypt.cap

For example:

mkdir ~/ikedebug
cp /var/log/iked.log ~/ikedebug/
cp /var/log/dump-ike-decrypt.cap ~/ikedebug/

Disable IKE Daemon Debug Output

To disable the IKE daemon debug output, open your iked.conf file with a text editor. Modify the daemon section of the file by seting the log_level option to none. Also remove or comment out the pcap_decrypt option. Afterwards you can restart the daemon.

Archive the Debug Output

Use the tar utility to store the debug output files in a compressed archive.

For example:

cd ~
tar zcvf ikedebug.tgz ikedebug

If you plan to post debug output to the vpn-help mailing list, please be sure to remove sensitive information from log files such as your gateway IP address. Alternately, you can send your archive attachment directly to your Shrew Soft contact in a separate email.

NOTE: Never post decrypted binary packet dump information to the mailing list. Also, never post log output using a level higher than debug. This output may include information that could be used to compromise the security of your gateway.

Example Bug Report


The VPN client fails to connect to my gateway when I have firmware
version 3.7 installed. After clicking connect, the client reports
it has received an invalid message from the gateway. Downgrading
my gateway firmware to version 3.6 allows me to connect again.

To Reproduce:

Connect to any SuperEX 1510 VPN Gateway using firmware revision 3.7.

VPN Client Version = 2.1.0 RC1
Unix OS Version = FreeBSD 6.3-RELEASE
Gateway Make/Model = SuperEX 1510
Gateway OS Version = 3.7

ikedebug.tgz [attachment]
 ikedebug\dump-ike-decrypt.cap ( if requested )