[Vpn-help] Zywal > Shrew Client

Matthew Grooms mgrooms at shrew.net
Tue May 1 03:15:16 CDT 2007


On 5/1/2007, "Oliver Meister" <oliver.meister at students.fhnw.ch> wrote:
>Hi
>

Hello again,

>I am a bit further now:
>I figured out that obviously my Zywal and the shrew client do not have the
>same understanding of the SHA1 algorithm.
>After changing the algorithm to MD5 on both sides, I can enter phase1 now - and
>that's where I'm stuck now.
>

Hmm, this is interesting ...

><< : identification payload
>!! : phase1 id mismatch ( src != trg )
>!! : src = fqdn doomain.gotdns.org
>!! : trg = fqdn doomain.gotdns.org
>ii : sending peer INVALID-ID-INFORMATION notification
>ii : - 192.168.10.131:500 -> 217.162.138.175:500
>ii : - isakmp spi = c352d9351285b87d:3649d62c3dd32dcd
>ii : - data size 0
>>> : notification payload
>-> : send IKE packet 192.168.10.131:500 -> 217.162.138.175:500 ( 84 bytes )

It would appear that the client is rejecting the server's FQDN ID value,
although it looks like it should be a match from the output. Could you
restart the IKE daemon, try a single connection attempt, stop the daemon
and then send me the ike.pcap file in a private email? If the IDs are
indeed the same ( not some whitespace we can't see causing a mismatch ),
then I may have introduced a bug in the client recently that needs to be
corrected. This authentication setup is tested pretty regularly, but I may
have missed something :|

Thanks again,

-Matthew
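The whitespace theory raised above is easy to confirm from a capture once the identification payload is compared byte for byte rather than as printed text. The following is an added example, not code from the thread or from the Shrew Soft client: it decodes an ISAKMP identification payload (RFC 2408 generic header followed by the RFC 2407 ID type, protocol ID and port fields) and compares the FQDN it carries against the configured value, printing both sides with repr() and hex so a trailing space or NUL that looks identical in a log becomes visible. The sample payloads are constructed here for illustration; only the FQDN is taken from the log lines quoted above.

```python
import struct

# ISAKMP Identification payload layout (RFC 2408 section 3.8, with the
# IPsec DOI field meanings from RFC 2407 section 4.6.2):
#   generic header: next payload (1), reserved (1), payload length (2)
#   ID type (1), protocol ID (1), port (2), identification data (variable)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_TYPE_NAMES = {ID_IPV4_ADDR: "ipv4", ID_FQDN: "fqdn", ID_USER_FQDN: "ufqdn"}


def build_id_payload(id_type, data, next_payload=0):
    """Encode an identification payload (used here to construct sample input)."""
    body = struct.pack("!BBH", id_type, 0, 0) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(raw):
    """Decode one identification payload; returns (id_type, id_data)."""
    if len(raw) < 8:
        raise ValueError("identification payload shorter than 8 bytes")
    _next, _reserved, length = struct.unpack("!BBH", raw[:4])
    if length < 8 or length > len(raw):
        raise ValueError("bad payload length %d" % length)
    id_type, _proto, _port = struct.unpack("!BBH", raw[4:8])
    return id_type, raw[8:length]


def compare_peer_id(expected_type, expected_name, raw_payload):
    """Compare the peer's ID payload with the configured value byte for byte.

    Returns (matched, detail). detail shows both sides with repr() and hex
    so that whitespace, NUL padding or case differences that print
    identically in a daemon log become visible.
    """
    got_type, got_data = parse_id_payload(raw_payload)
    expected_data = expected_name.encode("ascii")
    if got_type != expected_type:
        return False, "type mismatch: expected %s, got %s" % (
            ID_TYPE_NAMES.get(expected_type, expected_type),
            ID_TYPE_NAMES.get(got_type, got_type))
    if got_data == expected_data:
        return True, "match: %s %r" % (ID_TYPE_NAMES[got_type], got_data)
    return False, (
        "data mismatch:\n"
        "  expected %r (%s)\n"
        "  received %r (%s)" % (expected_data, expected_data.hex(),
                                got_data, got_data.hex()))


# Constructed sample payloads standing in for what a gateway might send.
# Only the FQDN itself comes from the quoted log; the variants are made up.
SAMPLES = {
    "exact":          build_id_payload(ID_FQDN, b"doomain.gotdns.org"),
    "trailing_space": build_id_payload(ID_FQDN, b"doomain.gotdns.org "),
    "trailing_nul":   build_id_payload(ID_FQDN, b"doomain.gotdns.org\x00"),
    "wrong_type":     build_id_payload(ID_USER_FQDN, b"doomain.gotdns.org"),
}


def check_all(expected_name="doomain.gotdns.org"):
    """Run the comparison over every sample; returns {name: (matched, detail)}."""
    return {name: compare_peer_id(ID_FQDN, expected_name, raw)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, detail) in check_all().items():
        print("%-15s %s %s" % (name, "OK " if ok else "BAD", detail))
```

On a real capture you would feed parse_id_payload() the identification payload bytes extracted from the phase 1 packet (with Wireshark or scapy) instead of the constructed samples; the point is that a mismatch report which quotes hex leaves no room for invisible characters.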
