[Vpn-help] Zywal > Shrew Client

Oliver Meister oliver.meister at students.fhnw.ch
Tue May 1 09:25:39 CDT 2007


Hello Matthew

Thank you for your quick answer.

Indeed those links are referring to an obviously working solution.
Although the authors are using a slightly different model of Zywal, I am
using exactly the same set-up (besides the domain name).

My current suspicion is my particular model of the firewall itself: it is
sometimes a bit buggy.

To your questions:

1.) I am using version 2.0 beta.
2.) I see the following messages in the log (level: loud).
## : IKE Daemon, ver 2.0.0
## : Copyright 2007 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8d 28 Sep 2006
ii : opened D:\System\VPN Client\debug\iked.log'
ii : opened D:\System\VPN Client/debug/dump-ike.cap'
ii : opened D:\System\VPN Client/debug/dump-pub.cap'
ii : rebuilding vnet device list ...
ii : device ROOT\VNET\0000 disabled
ii : network process thread begin ...
ii : pfkey process thread begin ...
ii : admin process thread begin ...
<A : peer config add message
DB : peer ref increment ( ref count = 1, peer count = 0 )
DB : peer added
ii : local address 192.168.10.131:500 selected for peer
DB : tunnel ref increment ( ref count = 1, tunnel count = 0 )
DB : peer ref increment ( ref count = 2, peer count = 1 )
DB : tunnel added
<A : proposal config message
<A : proposal config message
<A : proposal config message
<A : client config message
<A : local id 'BlaBla' message
<A : remote id 'doomain.gotdns.org' message
<A : preshared key message
<A : remote resource message
<A : peer tunnel enable message
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 192.168.10.131:500 <-> 217.162.138.175:500
DB : a294ab6e44c921be:0000000000000000
DB : phase1 ref increment ( ref count = 1, phase1 count = 0 )
DB : tunnel ref increment ( ref count = 2, tunnel count = 1 )
DB : phase1 added
>> : security association payload
>> : - proposal #1 payload 
>> : -- transform #1 payload 
>> : -- transform #2 payload 
>> : key exchange payload
>> : nonce payload
>> : identification payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
-> : send IKE packet 192.168.10.131:500 -> 217.162.138.175:500 ( 382 bytes )
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
DB : phase1 ref decrement ( ref count = 1, phase1 count = 1 )
<- : recv IKE packet 217.162.138.175:500 -> 192.168.10.131:500 ( 56 bytes )
DB : phase1 found
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
<< : notification payload
ii : received peer NO-PROPOSAL-CHOSEN notification
ii : - 217.162.138.175:500 -> 192.168.10.131:500
ii : - isakmp spi = a294ab6e44c921be:3a67449f9fbbef95
ii : - data size 0
DB : phase1 ref decrement ( ref count = 1, phase1 count = 1 )
ii : resending 1 exchange packet(s)
<- : recv IKE packet 217.162.138.175:500 -> 192.168.10.131:500 ( 56 bytes )
DB : phase1 found
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
<< : notification payload
ii : received peer NO-PROPOSAL-CHOSEN notification
ii : - 217.162.138.175:500 -> 192.168.10.131:500
ii : - isakmp spi = a294ab6e44c921be:5c4a1c972ce0d39b
ii : - data size 0
DB : phase1 ref decrement ( ref count = 1, phase1 count = 1 )
ii : resending 1 exchange packet(s)
<- : recv IKE packet 217.162.138.175:500 -> 192.168.10.131:500 ( 56 bytes )
DB : phase1 found
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
<< : notification payload
ii : received peer NO-PROPOSAL-CHOSEN notification
ii : - 217.162.138.175:500 -> 192.168.10.131:500
ii : - isakmp spi = a294ab6e44c921be:5ee554ae778423b7
ii : - data size 0
DB : phase1 ref decrement ( ref count = 1, phase1 count = 1 )
ii : exchange packet resend limit exceeded
DB : policy not found
DB : policy not found
ii : removed IPSEC policy route for 192.168.3.0/24
DB : phase1 deleted before expire time ( phase1 count = 0 )
DB : tunnel ref decrement ( ref count = 1, tunnel count = 1 )
ii : adapter ROOT\VNET\0000 already disabled
DB : removing all tunnel refrences
DB : tunnel deleted ( tunnel count = 0 )
DB : peer ref decrement ( ref count = 1, peer count = 1 )
DB : peer deleted ( peer count = 0 )
ii : admin process thread exit ...

3.) The IKE Log from Zywal:

1	05/01/2007 15:15:57	Send:[NOTFY:NO_PROP_CHOSEN]	217.162.xxx.xxx	84.73.79.147	IKE
2	05/01/2007 15:15:57	!! No proposal chosen	84.73.79.147	217.162.xxx.xxx	IKE
3	05/01/2007 15:15:57	Recv:[SA][KE][NONCE][ID][VID][VID][	84.73.79.147	217.162.xxx.xxx	IKE
4	05/01/2007 15:15:57	Recv Aggressive Mode request from [84.73.79.147]	84.73.79.147	217.162.xxx.xxx	IKE
5	05/01/2007 15:15:47	Send:[NOTFY:NO_PROP_CHOSEN]	217.162.xxx.xxx	84.73.79.147	IKE


Regarding the log from the daemon and the Zywal, I guess that the Zywal does
not enter Phase 1 successfully.
I am guessing that the received peer "NO-PROPOSAL-CHOSEN" notification causes
the failure (?).
What proposal is it looking for, after Phase 1?

Suggestions would be very welcome. :-)

Regards from Switzerland,
Oliver



-----Original Message-----
From: Matthew Grooms [mailto:mgrooms at shrew.net]
Sent: Tuesday, 1 May 2007 15:14
To: oliver.meister at students.fhnw.ch
Cc: vpn-help at lists.shrew.net
Subject: Re: [Vpn-help] Zywal > Shrew Client

Oliver Meister wrote:
> Hello everybody
> 
> I have difficulties getting the Shrew client working with a Zywal 10.
> 
> The connection dialog looks like this:
> attached to key daemon ...
> peer configured
> iskamp proposal configured
> esp proposal configured
> ipcomp proposal configured
> client configured
> local id configured
> remote id configured
> pre-shared key configured
> bringing up tunnel ...
> gateway not responding
> tunnel disabled
> detached from key daemon ...
> 
> Does anybody have experience with the Zywal setup and may lend me a helping
> hand?
> 

Oliver,

      Thanks for trying out the client. I know there have been some 
postings on the Zyxel mailing lists where people claim to have gotten 
this working. At least that's what the AltaVista Babelfish told me ( I 
think the text is in German ).

Here are a few of the links ...

http://www.zyxel.ch/forum/forum/messageview.cfm?catid=4&threadid=2055&enterthread=y
http://www.zyxel.ch/forum/forum/messageview.cfm?catid=4&threadid=2084&enterthread=y

As for getting help with the client, I need to know a bit more 
information ...

1) What version of the client are you using?
2) What does the client IKE Daemon debug level output say?
3) What does the debug output from the zywall say?

Thanks,

-Matthew
