[vpn-help] Can't connect to server
Matthew Grooms
mgrooms at shrew.net
Sun Sep 10 10:59:07 CDT 2006
Noach Sumner wrote:
> I took a look at the Shrew VPN client and was really impressed with the
> feature set. I looked at greenbow which is decent but it lacks a couple
> key features to me (split DNS, and the ability to (specifically) define
> the remote network(s)).
>
Thanks for trying out the client. I'm sure with a little effort, we can
get it working with your appliance.
>
>
> However I am unable to get Shrew to connect to my server (a Fortigate
> unit). At first I couldn't connect at all and after a short while get a
> message that Shrew is closing my connection. I changed the fortigate
> unit to use aggressive authentication (instead of "Main (ID
> Protection)"). This changed things such that I don't get disconnected
> (or it takes a long time) but I never establish the connection. I am of
> course not connecting to a FreeBSD unit so the response might be to go
> fly a kite but I believe the developer is hoping to make it more
> compatible with commercial units.
>
I am definitely interested in multi-vendor compatibility. Does your VPN
appliance have the ability to output detailed log files? If main mode
isn't working, it would be helpful to see what the log files are saying
as well as the client debug output when the main mode connection fails.
[ LOGFILE2.TXT ]
> ii : tunnel enable message received
> DB : new phase1 sa ( ISAKMP initiator )
> DB : exchange type is aggressive
> DB : 192.168.17.105:500 <-> 199.203.55.140:500
> DB : c0f8a374dc55bd70:0000000000000000
> DB : phase1 sa added
Here the client received a tunnel enable/disable message from the client
connect application to start the communications.
> ii : tunnel enable message received
> ii : bringing down tunnel ...
> DB : removing all tunnel refrences
> DB : tunnel dereferenced ( ref count = 0, tunnel count = 1 )
> ii : client ctrl thread exit ...
>
The ipsec daemon received a tunnel enable/disable message from the
client connection application to stop communications. This should only
happen when the disconnect button is pressed. Are you doing this or is
the client disconnecting on its own?
[ LOGFILE1.TXT ]
> ii : tunnel enable message received
> DB : new phase1 sa ( ISAKMP initiator )
> DB : exchange type is aggressive
> DB : 192.168.17.105:500 <-> 199.203.55.140:500
> DB : 7484ce963f4bb32d:0000000000000000
> DB : phase1 sa added
This file is also for an aggressive mode exchange. Are you sure you sent
the right one?
Thanks,
-Matthew
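An added example, not part of the original message and not Shrew Soft code: a small Python triage of the two quoted excerpts, reporting which exchange type each file records and whether a tunnel teardown appears in it. The function names are hypothetical, and the line formats are assumed from the excerpts above only.

```python
import re

# Constructed sample input: the two excerpts quoted in the message above.
LOGFILE2 = """\
ii : tunnel enable message received
DB : new phase1 sa ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 192.168.17.105:500 <-> 199.203.55.140:500
DB : c0f8a374dc55bd70:0000000000000000
DB : phase1 sa added
ii : tunnel enable message received
ii : bringing down tunnel ...
DB : removing all tunnel refrences
DB : tunnel dereferenced ( ref count = 0, tunnel count = 1 )
ii : client ctrl thread exit ...
"""
LOGFILE1 = """\
ii : tunnel enable message received
DB : new phase1 sa ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 192.168.17.105:500 <-> 199.203.55.140:500
DB : 7484ce963f4bb32d:0000000000000000
DB : phase1 sa added
"""
EXCHANGE = re.compile(r"DB : exchange type is (.+)")
PEERS = re.compile(r"DB : (\S+:\d+) <-> (\S+:\d+)")
COOKIES = re.compile(r"DB : ([0-9a-f]{16}):([0-9a-f]{16})")

def summarize(text):
    """Collect each phase1 SA plus control-message and teardown facts."""
    # Tolerate mail-quoted input by dropping a leading "> " from every line.
    lines = [raw.lstrip("> ").strip() for raw in text.splitlines()]
    sas = []
    for line in lines:
        if line.startswith("DB : new phase1 sa"):
            sas.append({"exchange": None, "peers": None, "cookies": None})
        elif sas and (m := EXCHANGE.fullmatch(line)):
            sas[-1]["exchange"] = m.group(1)
        elif sas and (m := PEERS.fullmatch(line)):
            sas[-1]["peers"] = m.groups()
        elif sas and (m := COOKIES.fullmatch(line)):
            sas[-1]["cookies"] = m.groups()  # (initiator, responder)
    return {"sas": sas,
            "ctrl_messages": lines.count("ii : tunnel enable message received"),
            "teardown": "ii : bringing down tunnel ..." in lines}

def exchange_types(logs):
    """Map each log name to the sorted exchange types it records."""
    return {name: sorted({sa["exchange"] for sa in summarize(text)["sas"]
                          if sa["exchange"]}) for name, text in logs.items()}
```

Running `exchange_types` over both files before mailing them shows at a glance whether one of them actually covers the main mode attempt.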