[Vpn-help] Commercial IPSec Gateway (ZyWall 1050)
Matthew Grooms
mgrooms at shrew.net
Wed Oct 3 09:55:09 CDT 2007
Stephen Cohoon wrote:
> Greetings,
>
Hi there. Thanks for trying out the VPN client. For what it's worth, I
have seen several posts on different mailing lists where others have
been successful at using the Shrew Soft Client with the Zywall products.
I am more than willing to help troubleshoot this with you as I would
like to retain the ability to interoperate :)
> I've tried configuring the Shrew Soft VPN client 2.0.1 to work with my
> zywall 1050 to no avail. I can't get past phase 1 it seems and the
> client is replying to the gateway with invalid spi. Am I missing
> something? Any help is welcomed.
>
There appear to be several exchanges going on here as the isakmp
cookies are different. However, in a normal phase1 exchange the
initiator will generate its half ( first 8 bytes ) of the isakmp cookie
and transmit the second half as NULL in its packet. The responder will
generate its half ( second 8 bytes ) of isakmp cookie and transmit the
completed value back to the initiator in its packet. In both cases, this
value would be transmitted as a full 16 bytes.
> << : security association payload
> << : - propsal #1 payload
> !! : invalid spi size of 8 for protocol isakmp
> XX : warning, unprocessed payload data !!!
> ii : sending peer INVALID-SPI notification
> ii : - 192.168.119.10:500 -> 65.213.209.34:500
> ii : - isakmp spi = bbdebab4f9553e7b:4e8270e2c1299bef
> ii : - data size 0
> >> : notification payload
> -> : send IKE packet 192.168.119.10:500 -> 65.213.209.34:500 ( 84 bytes )
I'm not sure why the Zywall would be sending 8 bytes during an isakmp
negotiation. My only guess is that the gateway is trying to initiate a
tunnel with the client ( not good ) and they are interpreting the RFC
differently than every other vendor on the planet. In other words, they
send a ...
spi = bbdebab4f9553e7b ( 8 bytes )
... instead of a ...
spi = bbdebab4f9553e7b:0000000000000000 ( 16 bytes )
... during phase1 negotiations.
If you could, please enable the IKE packet dump feature and send me an
output of the exchange between the Client and the Zywall. If it's doing
something really strange, I may be able to work around it in the code
somehow.
Thanks,
-Matthew
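The two points in the reply above, the all-zero responder cookie in the initiator's first packet and the proposal SPI size that the client log rejects, can be made concrete with a small packet builder and checker. This is an added example, not Shrew Soft or ZyXEL code: the payload layouts follow RFC 2408 and the allowed SPI sizes per protocol follow RFC 2407 as I read it (0 or 16 for an ISAKMP proposal, 4 for AH and ESP), the packets are constructed rather than captured, and the transform attributes, the initiator cookie taken from the log above, and the function names are illustrative choices.

```python
"""ISAKMP phase 1 packet builder and proposal SPI-size checker.

Added example, not Shrew Soft or ZyXEL code. Payload layouts follow
RFC 2408 (header, SA, proposal, transform); the SPI-size rule per
protocol follows RFC 2407 as read by the author of this example. The
packets below are constructed, not captured from a Zywall.
"""
import struct

# Payload types (RFC 2408 3.1) and protocol IDs (RFC 2407 4.4.1).
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM = 0, 1, 2, 3
PROTO_ISAKMP, PROTO_AH, PROTO_ESP = 1, 2, 3
EXCH_IDENTITY_PROTECT = 2            # main mode
IPSEC_DOI, SIT_IDENTITY_ONLY = 1, 1
ISAKMP_HDR = "!8s8sBBBBII"           # icookie, rcookie, next, ver, exch, flags, msgid, len

# SPI sizes the IPsec DOI allows in a proposal, keyed by protocol ID:
# an ISAKMP proposal carries no SPI (0) or the 16-byte cookie pair; AH and
# ESP carry a 4-byte SPI. A size of 8 is what the client log above rejects.
VALID_SPI_SIZES = {PROTO_ISAKMP: (0, 16), PROTO_AH: (4,), PROTO_ESP: (4,)}


def build_phase1_msg1(icookie, spi_size=0):
    """Initiator's first main-mode packet; the responder cookie is all
    zero, as the mail explains. spi_size selects how the ISAKMP proposal
    carries its SPI: 0 (usual), 16 (the full cookie pair, also legal) or
    8 (the half-cookie behaviour guessed at above)."""
    assert len(icookie) == 8
    rcookie = b"\x00" * 8
    spi = {0: b"", 8: icookie, 16: icookie + rcookie}[spi_size]

    # One transform (illustrative): 3DES, SHA1, pre-shared key, DH group 2,
    # encoded as basic TV attributes (AF bit set).
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v)
                     for t, v in ((1, 5), (2, 2), (3, 1), (4, 2)))
    transform = struct.pack("!BBHBBH", PAYLOAD_NONE, 0, 8 + len(attrs),
                            1, 1, 0) + attrs

    # Proposal #1 for protocol ISAKMP with the chosen SPI size.
    prop_body = struct.pack("!BBBB", 1, PROTO_ISAKMP, spi_size, 1) + spi + transform
    proposal = struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(prop_body)) + prop_body

    # SA payload: generic header, DOI and situation, then the proposal.
    sa_body = struct.pack("!II", IPSEC_DOI, SIT_IDENTITY_ONLY) + proposal
    sa = struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(sa_body)) + sa_body

    header = struct.pack(ISAKMP_HDR, icookie, rcookie, PAYLOAD_SA, 0x10,
                         EXCH_IDENTITY_PROTECT, 0, 0, 28 + len(sa))
    return header + sa


def check_phase1_msg1(packet):
    """Parse the header and the first proposal and decide, the way the
    client log above does, whether the proposal's SPI size is acceptable
    for its protocol. Returns the fields a log line would report."""
    icookie, rcookie, nxt, ver, exch, flags, msgid, length = \
        struct.unpack_from(ISAKMP_HDR, packet, 0)
    if length != len(packet) or nxt != PAYLOAD_SA:
        raise ValueError("expected an ISAKMP packet whose first payload is SA")

    # Skip the SA generic header (4) and DOI/situation (8) to proposal #1.
    _, _, sa_len = struct.unpack_from("!BBH", packet, 28)
    off = 28 + 12
    _, _, p_len, prop_no, proto, spi_size, n_trans = \
        struct.unpack_from("!BBHBBBB", packet, off)
    if off + p_len > 28 + sa_len or 8 + spi_size > p_len:
        raise ValueError("proposal payload length does not fit its SA payload")
    spi = packet[off + 8: off + 8 + spi_size]

    ok = spi_size in VALID_SPI_SIZES.get(proto, ())
    return {
        "icookie": icookie.hex(), "rcookie": rcookie.hex(),
        "rcookie_is_null": rcookie == b"\x00" * 8,
        "proposal": prop_no, "protocol": proto,
        "spi_size": spi_size, "spi": spi.hex(),
        "ok": ok,
        # What the client answers with when the size is wrong.
        "notify": None if ok else "INVALID-SPI",
    }


if __name__ == "__main__":
    cookie = bytes.fromhex("bbdebab4f9553e7b")   # initiator half from the log
    for size in (0, 8, 16):
        print(size, check_phase1_msg1(build_phase1_msg1(cookie, size)))
```

Running the block builds three variants of the same first message and checks each: the usual SPI-less ISAKMP proposal and the 16-byte cookie-pair form pass, while the 8-byte form carrying only the initiator half is flagged and would draw an INVALID-SPI notification, which matches the log lines quoted in the original post.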