[Vpn-help] Zywal > Shrew Client

Matthew Grooms mgrooms at shrew.net
Tue May 1 03:15:16 CDT 2007

On 5/1/2007, "Oliver Meister" <oliver.meister at students.fhnw.ch> wrote:

Hello again,

>I am a bit further now:
>I figured out, that obviously my Zywal and the shrew client do not have the
>same undestanding of SH1 algorithm.
>After changing algorithm to MD5 on both sides, I can enter phase1 now - and
>that’s where I stick now.

Hmm, this is interesting ...

><< : identification payload
>!! : phase1 id mismatch ( src != trg )
>!! : src = fqdn doomain.gotdns.org
>!! : trg = fqdn doomain.gotdns.org
>ii : sending peer INVALID-ID-INFORMATION notification
>ii : - ->
>ii : - isakmp spi = c352d9351285b87d:3649d62c3dd32dcd
>ii : - data size 0
>>> : notification payload
>-> : send IKE packet -> ( 84 bytes )

It would appear that the Client is rejecting the servers FQDN ID value
although it looks like it should be a match from the output. Could you
restart the ike daemon, try a single connection attempt, stop the daemon
and then send me the ike.pcap file in a private email? If the IDs are
indeed the same ( not some white space we cant see causing a mismatch ),
then I may have introduced a bug in the client recently that needs to be
corrected. This authentication setup is tested pretty regularly but may
have missed something :|

Thanks again,


More information about the vpn-help mailing list