Detached from key daemon error

Published 15.12.2019

In this article I describe one way to set up an IPSec VPN remote access server based on OpenSwan. GreenBow VPN Client and Shrew VPN will be used for client connections. Authentication uses a preshared key.

So, we have a server running CentOS 5.5. One of its interfaces faces the Internet and has the external IP 10.10.11.10 and gateway 10.10.11.1 (the IP and gateway addresses are chosen solely for this example and have nothing to do with real external addresses); the other interface has the IP 192.168.0.1 and is the gateway for the corporate subnet 192.168.0.0/24. The virtual subnet for VPN clients is 192.168.10.0/24; using it here makes it easier to restrict remote users' access to the organization's resources. And there are a couple of client computers, as shown in the figure below.


1. Installing OpenSwan

OpenSwan is in the standard CentOS repository, but version 2.6.21 unfortunately does not support multiple connections with different passphrases in aggressive mode (here, in my opinion, the point of using the less secure aggressive mode is simply lost). So we take a newer version from openswan.org and install it:

For the scripts to work properly, which and lsof must be installed:

Open the file /etc/sysctl.conf and change the value of net.ipv4.ip_forward from 0 to 1, thereby enabling packet forwarding, and add two lines that disable ICMP send redirects and ICMP accept redirects:

Apply the changes:

2. Configuring connections

At this stage I will not go into simplifying the description by using the also and %default directives or by placing connection descriptions in separate files; in my opinion the main thing is to produce the simplest possible working example.

Open the file /etc/ipsec.conf and bring it to the following form.

Open the file /etc/ipsec.secrets

Add to iptables

Add the ipsec service to autostart and start it

3. Configuring VPN clients

I will write up the VPN client configuration a little later, and I think it is best to move that description into a separate article. As of today, I see only two clients that are more or less alive and stable:

1. GreenBow VPN Client (ZyWALL VPN Client): a very convenient tool, though it is paid and costs approximately $50.

2. Shrew VPN: free, with a huge number of settings, among which it is sometimes hard to find what you need.

If anyone uses alternative connection options, I will gladly take a look at them.

Friday, October 21, 2016

ShrewSoft VPN failed to attach to key daemon error

If you are using the ShrewSoft VPN client and it suddenly stops connecting with the error "failed to attach to key daemon", then most likely one or all of the ShrewSoft services are not running.
Start these services to solve the issue:

  • ShrewSoft DNS Proxy Daemon
  • ShrewSoft IKE Daemon
  • ShrewSoft IPSEC Daemon

How do you "Start services"?

Start — Run — Services.msc — find service — right-click — Start

I have the Shrew Soft VPN Access Manager program, and I do not know where that "Start" is, can you tell?

Hi Irene,
The "start" is the "start menu" on your desktop (the bottom left button on Windows); here you can find a command named "run", select it and follow the instructions of the admin.

So you go to the start menu, you find "run" and write "services.msc". A window will appear and you can search for "Shrewsoft ..." and start them with right-click + start.

I hope that I’m clear!

This helped me — needed a more step by step guide. Thanks!

I’m trying to use Shrew Soft to connect to my school VPN. But as you can see here, it says

failed to connect to key daemon

I searched for the solution and found people who used the Shrew Soft Trace Utility and easily solved this on Windows, as seen here.

Yet, I don’t know how to solve this on Ubuntu 14.04.

Also, is there a substitute application for Shrew Soft VPN for Ubuntu? Thanks!

3 Answers

You can always check whether it’s running by using the following command:

If you get a result, it means the process is running.

If not, run the command below:

It starts the service.

I had the same problem. I found out that the iked service was not running. I solved it by opening a terminal emulator and issuing the command:

I later found out that the Shrew installation on Ubuntu does not add this script to start up at all (shame on the guys and girls from Shrew ;-)). To do this yourself do the following:

In a terminal issue the command:

Type your root password and add the following line just before the last line (which normally says exit 0)

Save and close it.

Next time you restart your computer the service will be active and the error should never bother you again.


    5 Replies

    • If I remember the last time I had that issue, I had to recreate the config file that I imported to the clients.



    • Author Allen Nichols

      Merryworks wrote:

      If I remember the last time I had that issue, I had to recreate the config file that I imported to the clients.

      I have tried that — unfortunately to no avail. :/



    • Author G B

      Interesting. We are using Shrew on ~80-100 laptops connecting to an ASA 5515X and I have not heard about any issues. This client is not running any Win10 v1803 systems, but it must be working on Win10 v1709 / Win8.1 / Win7 machines or we would have had lots of tickets opened by now.



    • Author G B (Best Answer)

      I know in the past we have occasionally had to uninstall and re-install the Shrew client when it stops working on a random machine, but those are always isolated incidents. If you are seeing this across all PCs it would lead me to believe there is an issue with the firewall/VPN server. Have you checked the logs on your firewall(or whatever is acting as the VPN server)?



    • Author Allen Nichols

      gb5102 wrote:

      I know in the past we have occasionally had to uninstall and re-install the Shrew client when it stops working on a random machine, but those are always isolated incidents. If you are seeing this across all PCs it would lead me to believe there is an issue with the firewall/VPN server. Have you checked the logs on your firewall(or whatever is acting as the VPN server)?

      Thanks so much for your response. As far as re-installing the client goes we have done that in the past and it has worked efficiently. As you said, these are always isolated incidents. I am the Help Desk tech for the company I work for and I don’t have firewall creds, but I will ask my supervisor to take a look at that when he gets here today.

      I have also checked out the .pcf profile(s) that we use and have found an inconsistency in them so I am going to try switching them out with a user to test and see if that might be the issue… although I honestly doubt it.

      I know my supervisor has been working on the ASA for our site to site — so it is possible that something got monkeyed with in there.




    1. Shrew VPN Client not working

      Hi

      I installed Shrew Soft VPN Client to connect to our company IPSec VPN, but whenever I tried to connect it gives me an error as below:

      gateway authentication error
      tunnel disabled
      detached from key daemon

      My Ubuntu is v14.04 LTS and my Shrew Soft VPN Client is v2.2.1. Any idea why?


    2. Re: Shrew VPN Client not working

      "gateway authentication error" usually means that the identity
      information or the pre-shared key exchanged between the Shrew client and
      the gateway doesn’t match up.
      EDIT: If you can, export the Connection configuration from one of the other machines
      and import it into Shrew on your computer.

      Last edited by QDR06VV9; June 28th, 2016 at 08:58 PM.


    3. Re: Shrew VPN Client not working

      runrickus thanks a lot.

      after exporting and importing, everything just works….


    4. Re: Shrew VPN Client not working

      Hey that is Good news! And Good Job..
      Now if you would mark this as Solved to help others looking for a solution.
      Thanks and Kind Regards



    • Having problems using the Shrewsoft VPN with Windows 10. It worked just fine with 8.1 and curious if anyone has any tips.

      I’ve uninstalled and cleaned the registry of the original install and reinstalled with no luck. Here’s what the VPN connections status says. I’ve tried searching for answers, tried a couple regarding uninstalling the shrewsoft filter in the network connections and reinstalling etc, but still no love. Any help would be greatly appreciated!

      attached to key daemon …

      peer configured

      iskamp proposal configured

      esp proposal configured

      client configured

      local id configured

      remote id configured

      pre-shared key configured

      bringing up tunnel …

      negotiation timout occurred

      tunnel disabled

      detached from key daemon

    Answers

    • Hi Mjrtoo,

      Thanks for asking in TechNet.

      I am not sure how this VPN works here, but from the message, it seems that the connection to the server side failed.

      Please verify the connection information, server IP address, login credentials and other settings.

      Meanwhile, consider asking the software vendor, and if possible, try other software to check.

      Regards


      • Proposed as answer by

        Monday, September 28, 2015 9:05 AM

      • Marked as answer by
        Deason Wu
        Wednesday, September 30, 2015 7:59 AM

    Ok, so I couldn’t get Cisco’s VPN client to work for Windows 7 64 bit. So I went in search of another VPN client.

    (UPDATE: I got ShrewSoft’s VPN Client working, so keep reading down below.)

    I came across ShrewSoft’s VPN Client a while ago, but it originally blue screened my Windows 7 box, but it was a version that didn’t support Windows 7. However they have a new version that is out that is for Windows 7 64 bit. Actually they now have a release version on their download site but there is a beta of the next version (Update 3/05/2010) 2.1.6-beta-6 that you may want to use (or a later version if you are reading this well after I wrote or updated it). See the comments on why.

    I installed it and it requested a reboot so I rebooted, and the first good news is that I didn’t blue screen when my workstation booted up. Hooray!!!

    After installing, I tested undocking my laptop from its docking station and then docking my laptop, and again, no blue screens, so I think it is good to go. Now I just have to figure out how to configure it to connect here at work.

    I like the license, they say:

    The Shrew Soft Client for Windows is free for both commercial and private use. Please read below for complete license details. Click here…

    Stay tuned for more testing….

    Ok…I am back for more notes.

    At work we are using a Cisco VPN solution, so it turns out that when my Cisco VPN would install on a 32 bit machine, it used a .pcf file. Well, guess what is awesome about ShrewSoft’s VPN Client? It can import a .pcf file.

    I imported the .pcf file and I appear to connect, then disconnect. Not sure what is going on. I am at work, but I should be able to connect to the VPN while at work, at least that is what my IT staff said.

    So hopefully it connects when I am at home.

    Here is my log:

    config loaded for site ‘MyConfig.pcf’
    configuring client settings …
    attached to key daemon …
    peer configured
    iskamp proposal configured
    esp proposal configured
    client configured
    local id configured
    pre-shared key configured
    bringing up tunnel …
    network device configured
    tunnel enabled
    session terminated by gateway
    tunnel disabled
    detached from key daemon …

    I will try to debug later…

    All right I am back again and I am trying to debug. I found this post:
    http://lists.shrew.net/pipermail/vpn-help/2009-October/002282.html

    There is a program under Start | All Programs | Shrew Soft VPN Client called “Trace Utility” that is installed with the Shrew Soft VPN Client and can be used for debugging. However, it wouldn’t work for me. The buttons weren’t enabled.

    I had to right-click on the “Trace Utility” shortcut and choose “Run as administrator” then I was able to turn on debugging.

    Positives for Shrew Soft VPN Client
    – It has a debugging utility.
    – It supports Windows 7 64 bit
    – It imports Cisco .pcf files.
    – There is a lot of documentation.

    Negatives for Shrew Soft VPN Client
    – I don’t have it working yet
    – There is not really any clear failure reason for a user.

    So I will keep at it. I think I am about to email the developer, but I sure don’t want to bug him.

    Hopefully for some of you, it worked first time for you when you imported the .pcf file.

    Got it working

    Another positive. The developer has a mailing list, as you saw with one of my links above. I found this link:
    http://lists.shrew.net/pipermail/vpn-help/2009-October/002275.html

    The key piece of information I needed was this:

    If it gets to the ‘tunnel enabled’ point, that means you completed phase1, Xauth and modecfg negotiations. It’s probably a phase2 option. As I mentioned to others on the list, try playing with the PFS setting or enabling the cisco-udp NAT-T option.

    In the tool, after importing my .pcf file, I only had to make one configuration change. I had to change the PFS setting to “group 2”. See this screen shot.

    [Screenshot: VPN Setting]

    So I have this working now.

    I have to say that I am very impressed with Shrew Soft. It took me some time to figure it out, but it works. Now the only question time will tell is how stable it is. Expect an update in a week or two about whether I think the Shrew Soft VPN Client is stable.

    The steps are easy for me to connect to my VPN at work. Now every VPN is different so I am sorry if these steps don’t work for you:

    1. Use the correct (and latest) version: 2.1.6-beta-6 or later
    2. Install Shrew Soft VPN Client
    3. Reboot.
    4. Import the .pcf file.
    5. Modify the configuration and change the PFS setting to “group 2”.
    6. Apply the configuration.
    7. Click connect.
    8. Enter your domain user and password and you will connect.

    Success!!!!

    Also, I exported my configuration as a Shrew Soft VPN Client export, which is a .VPN file. When I import it, I don’t have to make a configuration change like I did with the Cisco .pcf file.

    Key words: cisco vpn window 7 64 bit
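
The status lines quoted in the posts above point to a small set of causes, so a first-pass triage of a Shrew Soft client log can be scripted. This is an added example, not code from any of the quoted authors or from Shrew Soft; the function name `triage`, the stage labels and the shortened sample logs are assumptions made for illustration, and the hints restate only what the posts on this page say.

```python
import re

# First match wins. Patterns are the status lines quoted on this page
# ("timout" is the spelling in the quoted log; "timeout" is accepted too).
# Stage labels and hint wording are illustrative, not Shrew Soft's own.
RULES = [
    (r"failed to (attach|connect) to key daemon", "daemon",
     "IKE daemon not reachable: start the Shrew Soft services or iked"),
    (r"gateway authentication error", "gateway-auth",
     "identity information or pre-shared key does not match the gateway"),
    (r"negotiation time?out occurred", "negotiation-timeout",
     "negotiation never completed: verify gateway address and settings"),
]

def triage(log_text):
    """Classify a Shrew Soft client status log; returns (stage, hint)."""
    lines = [ln.strip().lower() for ln in log_text.splitlines() if ln.strip()]
    text = "\n".join(lines)
    for pattern, stage, hint in RULES:
        if re.search(pattern, text):
            return stage, hint
    if "tunnel enabled" in lines:
        # 'tunnel enabled' means phase 1, Xauth and modecfg all completed,
        # so a later teardown points at a phase 2 option.
        after = lines[lines.index("tunnel enabled") + 1:]
        if "tunnel disabled" in after:
            return "phase2", "check phase 2 options: PFS group, cisco-udp NAT-T"
        return "up", "tunnel is enabled"
    return "unknown", "no recognised status line"

# Samples assembled from the logs quoted on this page (shortened).
SAMPLES = {
    "ubuntu": "gateway authentication error\ntunnel disabled\ndetached from key daemon",
    "win10": "attached to key daemon ...\nbringing up tunnel ...\n"
             "negotiation timout occurred\ntunnel disabled\ndetached from key daemon",
    "pcf": "attached to key daemon ...\nbringing up tunnel ...\ntunnel enabled\n"
           "session terminated by gateway\ntunnel disabled\ndetached from key daemon ...",
}

if __name__ == "__main__":
    for name, log in SAMPLES.items():
        print(name, *triage(log), sep=" | ")
```

The final "detached from key daemon" line appears in every failed session regardless of cause, which is why the script ignores it and keys on the lines that precede it.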
