[Vpn-help] Shrew 2.1.0-alpha4 on Ubuntu Feisty against Sidewinder VPN

Don Seiler don at seiler.us
Sat Dec 22 14:41:25 CST 2007


I'm using the ikea GUI.  When I hit "Connect", it launches a new
window (ikec?), and I enter my username/password as I had used in racoon.

One note:  In racoon, I had to specify a pre_shared_key file that
contained the username/password in a single line.  Then in the remote
config I used xauth_login to refer to this line.  The
authentication_method was still xauth_rsa_client.

Another question, does shrew support pkcs12 files directly?  The
online docs indicate that you do, but the file browser to select certs
didn't list .p12 as a suffix.  I had been converting my .p12 private
key to a .pem file.  The other certs were supplied by MIS as .pem
already.

Don.

On Dec 22, 2007 2:35 PM, Matthew Grooms <mgrooms at shrew.net> wrote:
>
> Don Seiler wrote:
> > Hullo.  Matthew suggested I try shrew-2.1.0-alpha after having come up
> > against some unfinished code in racoon.  I can connect via racoon, but
> > 3600 second lifetime renegotiation fails, so I can only stay connected
> > for 1 hour.
> >
> > I seem to be tantalizingly close, but so far I'm getting "unable to
> > verify remote peer certificate" error in the shrew log when I try to
> > connect.
> >
> > I'm not sure exactly where to start debugging this.  Here's the
> > nuggets of my config.  I've tried to configure this to match my
> > racoon.conf.
> >
> > Authentication:
> > My auth mode is Mutual RSA + Xauth, both local and remote ID are
> > asn1dn.  Credentials are via 3 .pem files supplied by my company.
> >
> > Phase 1: (taken from remote section of racoon.conf)
> > Exchange type is aggressive.  My racoon.conf has "aggressive, main".
> > * Note, when I use "main", I get "missing required xauth password
> > attribute", which makes less sense to me
> > DH exchange is "group 2", racoon.conf has modp1024, which the man page
> > says is group 2.
> > Cypher algorithm is 3des
> > Hash algorithm is sha1
> > Key life time Lim is 3600 secs (per our Sidewinder config)
> >
> > Phase 2: (taken from sainfo section of racoon.conf)
> > Transformation algorithm is 3des
> > HMAC algorithm is sha1
> > PFS Exchange remains disabled (didn't see a corresponding value in racoon.conf)
> > Compression algorithm is deflate
> > Key life time lim is 700 secs (per our Sidewinder config)
> >
> > If any kind soul can see me straight through this, it will truly be a
> > merry Christmas.
> >
>
> Don,
>
> Are you using ikea to configure the tunnel or are you editing the
> iked.conf directly? User authentication modes currently require that you
> use the gui front ends to operate.
>
> Sorry this is such a short email but I am getting ready to jump on a
> plane for the Christmas holiday. However, I will be checking email
> sporadically and will do what I can to help.
>
> Thanks,
>
> -Matthew
>



-- 
Don Seiler
http://seilerwerks.wordpress.com
ultimate: http://www.mufc.us
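Added example, not part of the thread and not code from Shrew or racoon: a POSIX shell script that reproduces the .p12 to .pem conversion Don mentions (private key, client cert and CA cert split out with openssl pkcs12) and then runs the two checks worth doing by hand when the log says "unable to verify remote peer certificate": that the extracted key really belongs to the extracted cert, and that a certificate chains to the CA file the daemon was given. The toy CA, the client identity, the file names under $WORK and the export password are all generated or assumed here; none of them are the real MIS-issued material.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shrew/racoon. It rebuilds the
# .p12 -> .pem conversion described above with a throwaway PKI, then runs the
# chain check that stands behind "unable to verify remote peer certificate".
# Every name, subject and password here is a placeholder (assumed), not MIS's.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12PASS="${P12PASS:-changeit}"    # assumed export password of the toy .p12

# Throwaway CA, a client cert it signed, and an unrelated CA for the negative case.
make_toy_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 -subj "/CN=Toy VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Corp/CN=don" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/client.pem" >/dev/null 2>&1
  # Bundle key + cert + CA into one PKCS#12 file, the way a corporate MIS hands it out.
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
    -certfile "$WORK/ca.pem" -passout "pass:$P12PASS" -out "$WORK/client.p12"
}

# Split the .p12 into the three PEM files an IKE client expects: the private key
# (left unencrypted so the daemon can load it without a passphrase prompt),
# the client certificate, and the CA certificate(s).
p12_to_pem() {
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12PASS" -nocerts -nodes \
    -out "$WORK/client-key.pem" >/dev/null 2>&1
  chmod 600 "$WORK/client-key.pem"    # the key is now plaintext on disk
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12PASS" -clcerts -nokeys \
    -out "$WORK/client-cert.pem" >/dev/null 2>&1
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12PASS" -cacerts -nokeys \
    -out "$WORK/chain.pem" >/dev/null 2>&1
}

# Sanity check: the extracted key must belong to the extracted certificate.
# Compares the DER-encoded public key taken from each side.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/client-key.pem" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/client-cert.pem" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# The check an IKE daemon does on the peer's cert: does it chain to a trusted CA?
# $1 = certificate to verify, $2 = CA file. Succeeds only on an explicit "OK",
# so it also behaves on old openssl builds whose 'verify' exit status is unreliable.
cert_verifies_against() {
  openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

main() {
  make_toy_pki
  p12_to_pem
  key_matches_cert && echo "extracted key matches extracted cert"
  cert_verifies_against "$WORK/client-cert.pem" "$WORK/ca.pem" \
    && echo "client cert chains to Toy VPN CA: OK"
  cert_verifies_against "$WORK/client-cert.pem" "$WORK/other-ca.pem" \
    || echo "client cert against Unrelated CA: rejected (what the daemon reports as unverifiable)"
}
[ "${SKIP_MAIN:-0}" = 1 ] || main
```

It needs only openssl and plain sh. To reproduce the daemon's check by hand against real material, point cert_verifies_against at the gateway's certificate and the CA .pem supplied by MIS; anything other than an "OK" line from openssl verify means the CA file handed to the client is not the one that signed the gateway certificate, which is worth ruling out before touching exchange modes or lifetimes. Note that the extracted private key is written unencrypted, so keep it mode 0600 and off shared filesystems.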