[vpn-help] Problem Connecting to Commercial Gateway ...

Matthew Grooms mgrooms at shrew.net
Sat Mar 4 17:47:42 CST 2006


Kimmo Koivisto wrote:
> Yep, hopefully Shrew VPN will work against other VPNs too :)
> 

We are much closer now than when we started :) Thanks very much for 
being persistent.

If anyone else reading this list has a commercial vpn gateway they would 
like Shrew Soft client to interoperate with, please submit a problem 
report and I will do what I can to get it working.

> and after this I pinged and ipsecd dies.

The ipsec daemon crashing is an error condition that should obviously 
never happen. I will do my best to track this down.

> I know that it does not understand, but why are we sending it? I have 
> configured all settings as fixed and there is nothing to get with mode 
> config. Is there any option to prevent mode config?

I wasn't aware you were configuring all the client properties as well as 
the policies manually. In this scenario it should not be sent and could 
just be erroneous log output. I will look into it.

> But it is not the problem, I can see from the remote gateway that it 
> established the phase2 sa, problem is that ipsecd dies when I try to ping 
> host which is defined to the sa.

I don't think an SA should be considered established by the ipsec 
responder until the liveliness proof hash is received and verified. This 
happens using the third packet of the phase2 exchange which we never get 
to because the initiator ( the client software ) is rejecting the hash 
in the second packet.

Could you please try again using this new build and send me the output 
using the following debug options which are described in the howto. 
Please send the output privately ( off-list ).

http://www.shrew.net/download/vpn-client-1.0-beta-4.exe

1) the logfile output at the 'decode' log level
2) the ike pcap packet dump

It would be helpful if you could shut down the service, copy the debug 
output and restart between attempts so that the debug data will not overlap.

> Notification payload should be only for phase2 lifetime, at least I can see 
> that when I use openswan as a client.
> 

The notification is for the phase2 lifetime as the spi sent with the 
notification is an ipsec spi ( ipsec-esp spi = 0xdd106b1b ).

I have enabled the lifetime kilobytes options in the VPN Access Manager 
application so that the parameter will be used ( if not set to 0 ) 
during negotiations ( but not enforced for now ). Could you please 
provide the requested output with and without this option set to match 
your vpn gateway config.

> Best Regards
> Kimmo
> 

Thanks again,

-Matthew
