[vpn-help] Can't connect to server

Matthew Grooms mgrooms at shrew.net
Sun Sep 10 10:59:07 CDT 2006


Noach Sumner wrote:
> I took a look at the Shrew VPN client and was really impressed with the 
> feature set. I looked at greenbow which is decent but it lacks a couple 
> key features to me (split DNS, and the ability to (specifically) define 
> the remote network(s)).
> 

Thanks for trying out the client. I'm sure with a little effort, we can 
get it working with your appliance.

> However I am unable to get Shrew to connect to my server (a Fortigate 
> unit). At first I couldn't connect at all and after a short while get a 
> message that Shrew is closing my connection. I changed the fortigate 
> unit to use aggressive authentication (instead of "Main (ID 
> Protection)"). This changed things such that I don't get disconnected 
> (or it takes a long time) but I never establish the connection. I am of 
> course not connecting to a FreeBSD unit so the response might be to go 
> fly a kite but I believe the developer is hoping to make it more 
> compatible with commercial units.
> 

I am definitely interested in multi-vendor compatibility. Does your VPN 
appliance have the ability to output detailed log files? If main mode 
isn't working, it would be helpful to see what the log files are saying 
as well as the client debug output when the main mode connection fails.

[ LOGFILE2.TXT ]

> ii : tunnel enable message received
> DB : new phase1 sa ( ISAKMP initiator )
> DB : exchange type is aggressive
> DB : 192.168.17.105:500 <-> 199.203.55.140:500
> DB : c0f8a374dc55bd70:0000000000000000
> DB : phase1 sa added

Here the client received a tunnel enable/disable message from the client 
connect application to start the communications.


> ii : tunnel enable message received
> ii : bringing down tunnel ...
> DB : removing all tunnel refrences
> DB : tunnel dereferenced ( ref count = 0, tunnel count = 1 )
> ii : client ctrl thread exit ...
> 

The ipsec daemon received a tunnel enable/disable message from the 
client connection application to stop communications. This should only 
happen when the disconnect button is pressed. Are you doing this or is 
the client disconnecting on its own?

[ LOGFILE1.TXT ]

> ii : tunnel enable message received
> DB : new phase1 sa ( ISAKMP initiator )
> DB : exchange type is aggressive
> DB : 192.168.17.105:500 <-> 199.203.55.140:500
> DB : 7484ce963f4bb32d:0000000000000000
> DB : phase1 sa added

This file is also for an aggressive mode exchange. Are you sure you sent 
the right one?

Thanks,

-Matthew
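As an added illustration (not code from this thread or from the Shrew Soft project), a small Python parser for the iked debug lines quoted above: it pulls out the exchange type, the peer addresses and the ISAKMP cookies, and turns them into the follow-up questions raised in this reply. The sample log is constructed from the quoted lines, and the line formats the regexes match are assumed from that output only.

```python
import re
from dataclasses import dataclass
# Constructed sample built from the iked lines quoted above (LOGFILE2.TXT), not a
# capture from the poster's machine; the regexes assume only the line shapes shown.
SAMPLE_LOG = """\
ii : tunnel enable message received
DB : new phase1 sa ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 192.168.17.105:500 <-> 199.203.55.140:500
DB : c0f8a374dc55bd70:0000000000000000
DB : phase1 sa added
ii : tunnel enable message received
ii : bringing down tunnel ...
"""
EXCHANGE_RE = re.compile(r"^DB : exchange type is (\w+)$")
PEER_RE = re.compile(r"^DB : (\S+:\d+) <-> (\S+:\d+)$")
COOKIE_RE = re.compile(r"^DB : ([0-9a-f]{16}):([0-9a-f]{16})$")
@dataclass
class Phase1Summary:
    exchange: str = ""
    local: str = ""
    remote: str = ""
    init_cookie: str = ""      # ISAKMP initiator cookie (SPI)
    resp_cookie: str = ""      # responder cookie: all zeros until the gateway answers
    enable_messages: int = 0   # enable/disable toggles sent by the connect application
    torn_down: bool = False

def parse_iked_log(text: str) -> Phase1Summary:
    s = Phase1Summary()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ii : tunnel enable message received":
            s.enable_messages += 1
        elif m := EXCHANGE_RE.match(line):
            s.exchange = m.group(1)
        elif m := PEER_RE.match(line):
            s.local, s.remote = m.group(1), m.group(2)
        elif m := COOKIE_RE.match(line):
            s.init_cookie, s.resp_cookie = m.group(1), m.group(2)
        elif line.startswith("ii : bringing down tunnel"):
            s.torn_down = True
    return s

def diagnose(s: Phase1Summary) -> list:
    checks = [
        (s.exchange == "aggressive", "aggressive mode: capture the main mode failure on both sides too"),
        (s.torn_down and s.resp_cookie == "0" * 16, "torn down with responder cookie still zero: no gateway reply logged"),
        (s.enable_messages >= 2, "second enable/disable message: was the disconnect user-initiated?"),
    ]
    return [msg for hit, msg in checks if hit]
```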
