[Vpn-help] Shrew 2.1.0-alpha4 on Ubuntu Feisty against Sidewinder VPN

Matthew Grooms mgrooms at shrew.net
Sat Dec 22 14:35:02 CST 2007


Don Seiler wrote:
> Hullo.  Matthew suggested I try shrew-2.1.0-alpha after having come up
> against some unfinished code in racoon.  I can connect via racoon, but
> 3600 second lifetime renegotiation fails, so I can only stay connected
> for 1 hour.
> 
> I seem to be tantalizingly close, but so far I'm getting "unable to
> verify remote peer certificate" error in the shrew log when I try to
> connect.
> 
> I'm not sure exactly where to start debugging this.  Here's the
> nuggets of my config.  I've tried to configure this to match my
> racoon.conf.
> 
> Authentication:
> My auth mode is Mutual RSA + Xauth, both local and remote ID are
> asn1dn.  Credentials are via 3 .pem files supplied by my company.
> 
> Phase 1: (taken from remote section of racoon.conf)
> Exchange type is aggressive.  My racoon.conf has "aggressive, main".
> * Note, when I use "main", I get "missing required xauth password
> attribute", which makes less sense to me
> DH exchange is "group 2", racoon.conf has modp1024, which the man page
> says is group 2.
> Cypher algorithm is 3des
> Hash algorithm is sha1
> Key life time Lim is 3600 secs (per our Sidewinder config)
> 
> Phase 2: (taken from sainfo section of racoon.conf)
> Transformation algorithm is 3des
> HMAC algorithm is sha1
> PFS Exchange remains disabled (didn't see a corresponding value in racoon.conf)
> Compression algorithm is deflate
> Key life time lim is 700 secs (per our Sidewinder config)
> 
> If any kind soul can see me straight through this, it will truly be a
> merry Christmas.
> 

Don,

Are you using ikea to configure the tunnel or are you editing the 
iked.conf directly? User authentication modes currently require that you 
use the gui front ends to operate.

Sorry this is such a short email but I am getting ready to jump on a 
plane for the Christmas holiday. However, I will be checking email 
sporadically and will do what I can to help.

Thanks,

-Matthew
