[Vpn-help] Commercial IPSec Gateway (ZyWall 1050)

Matthew Grooms mgrooms at shrew.net
Wed Oct 3 09:55:09 CDT 2007


Stephen Cohoon wrote:
> Greetings,
> 

Hi there. Thanks for trying out the VPN client. For what it's worth, I 
have seen several posts on different mailing lists where others have 
been successful at using the Shrew Soft Client with the Zywall products. 
I am more than willing to help troubleshoot this with you as I would 
like to retain the ability to interoperate :)

> I've tried configuring the Shrew Soft VPN client 2.0.1 to work with my 
> zywall 1050 to no avail. I can't get past phase 1 it seems and the 
> client is replying to the gateway with invalid spi. Am I missing 
> something? Any help is welcomed.
> 

There appear to be several exchanges going on here as the isakmp 
cookies are different. However, in a normal phase1 exchange the 
initiator will generate its half ( first 8 bytes ) of the isakmp cookie 
and transmit the second half as NULL in its packet. The responder will 
generate its half ( second 8 bytes ) of isakmp cookie and transmit the 
completed value back to the initiator in its packet. In both cases, this 
value would be transmitted as a full 16 bytes.

> << : security association payload
> << : - propsal #1 payload
> !! : invalid spi size of 8 for protocol isakmp
> XX : warning, unprocessed payload data !!!
> ii : sending peer INVALID-SPI notification
> ii : - 192.168.119.10:500 -> 65.213.209.34:500
> ii : - isakmp spi = bbdebab4f9553e7b:4e8270e2c1299bef
> ii : - data size 0
>  >> : notification payload
> -> : send IKE packet 192.168.119.10:500 -> 65.213.209.34:500 ( 84 bytes )

I'm not sure why the Zywall would be sending 8 bytes during an isakmp 
negotiation. My only guess is that the gateway is trying to initiate a 
tunnel with the client ( not good ) and they are interpreting the RFC 
differently than every other vendor on the planet. In other words, they 
send a ...

spi = bbdebab4f9553e7b ( 8 bytes )

... instead of a ...

spi = bbdebab4f9553e7b:0000000000000000 ( 16 bytes )

... during phase1 negotiations.

If you could, please enable the IKE packet dump feature and send me an 
output of the exchange between the Client and the Zywall. If it's doing 
something really strange, I may be able to work around it in the code 
somehow.

Thanks,

-Matthew
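To make the cookie and SPI-size discussion above concrete, here is an added Python example (not code from this thread or from the Shrew Soft client) that decodes the 28-byte ISAKMP header and the first proposal of a phase 1 packet, prints the 16-byte cookie pair the way the client log does, and applies the same check that produced the "invalid spi size of 8 for protocol isakmp" line. The cookie values are the ones quoted in the log; the packet layouts are constructed for the example, and the builder that produces an 8-byte proposal SPI is a hypothetical reconstruction of what the message suspects the gateway sends. RFC 2408 itself says the SPI size for protocol ISAKMP "is irrelevant and MAY be from zero (0) to sixteen (16)", which is the room for interpretation the message refers to; the accepted sizes below mirror the client's check, not the RFC's wording.

```python
import struct

ISAKMP_HDR_LEN = 28          # RFC 2408 3.1: two 8-byte cookies plus 12 bytes of fields
PAYLOAD_NONE = 0
PAYLOAD_SA = 1               # Security Association payload
PAYLOAD_PROPOSAL = 2
PAYLOAD_TRANSFORM = 3
PROTO_ISAKMP = 1             # Protocol-Id carried in a phase 1 proposal
EXCH_IDENTITY_PROTECT = 2    # Main Mode exchange type
# SPI sizes this checker accepts for an ISAKMP proposal, mirroring the client
# log above. RFC 2408 allows any size from 0 to 16 for protocol ISAKMP and says
# the SPI content is to be ignored, so 8 is a vendor interpretation, not an error
# in the RFC's own terms.
ACCEPTED_ISAKMP_SPI_SIZES = (0, 16)


def parse_header(pkt):
    """Split the ISAKMP header; both cookie halves are always on the wire (16 bytes)."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("packet shorter than the ISAKMP header")
    (i_cookie, r_cookie, next_payload, version,
     exch_type, flags, msg_id, length) = struct.unpack("!8s8sBBBBII", pkt[:ISAKMP_HDR_LEN])
    if length != len(pkt):
        raise ValueError("header length %d does not match %d bytes received" % (length, len(pkt)))
    return {
        "i_cookie": i_cookie, "r_cookie": r_cookie, "next_payload": next_payload,
        "version": version, "exch_type": exch_type, "flags": flags,
        "msg_id": msg_id, "length": length,
        # the ISAKMP SPI is the cookie pair, rendered as the client log renders it
        "isakmp_spi": i_cookie.hex() + ":" + r_cookie.hex(),
    }


def parse_first_proposal(pkt):
    """Walk header -> SA payload -> proposal #1 and return the proposal fields."""
    hdr = parse_header(pkt)
    if hdr["next_payload"] != PAYLOAD_SA:
        raise ValueError("first payload is not a security association payload")
    off = ISAKMP_HDR_LEN
    _sa_next, _res, sa_len = struct.unpack("!BBH", pkt[off:off + 4])
    if sa_len < 12 or off + sa_len > len(pkt):
        raise ValueError("bad SA payload length")
    doi, situation = struct.unpack("!II", pkt[off + 4:off + 12])
    poff = off + 12  # proposal payload follows the DOI and Situation fields
    (_p_next, _res, p_len, number, protocol,
     spi_size, n_transforms) = struct.unpack("!BBHBBBB", pkt[poff:poff + 8])
    if p_len < 8 + spi_size or poff + p_len > off + sa_len:
        raise ValueError("bad proposal payload length")
    return {
        "doi": doi, "situation": situation, "number": number, "protocol": protocol,
        "spi_size": spi_size, "spi": pkt[poff + 8:poff + 8 + spi_size],
        "n_transforms": n_transforms, "header": hdr,
    }


def check_proposal_spi(prop):
    """Return the diagnostic the client logs, or None when the SPI size is acceptable."""
    if prop["protocol"] == PROTO_ISAKMP and prop["spi_size"] not in ACCEPTED_ISAKMP_SPI_SIZES:
        return "invalid spi size of %d for protocol isakmp" % prop["spi_size"]
    return None


def build_phase1_packet(i_cookie, r_cookie, prop_spi):
    """Constructed first Main Mode message: header, SA payload, one proposal, one bare transform."""
    transform = struct.pack("!BBHBBH", PAYLOAD_NONE, 0, 8, 1, 1, 0)  # KEY_IKE, no attributes
    proposal = struct.pack("!BBHBBBB", PAYLOAD_NONE, 0, 8 + len(prop_spi) + len(transform),
                           1, PROTO_ISAKMP, len(prop_spi), 1) + prop_spi + transform
    sa = struct.pack("!BBHII", PAYLOAD_NONE, 0, 12 + len(proposal), 1, 1) + proposal  # IPsec DOI, SIT_IDENTITY_ONLY
    hdr = struct.pack("!8s8sBBBBII", i_cookie, r_cookie, PAYLOAD_SA, 0x10,
                      EXCH_IDENTITY_PROTECT, 0, 0, ISAKMP_HDR_LEN + len(sa))
    return hdr + sa


# Cookie values taken from the log lines quoted in the message.
I_COOKIE = bytes.fromhex("bbdebab4f9553e7b")
R_COOKIE = bytes.fromhex("4e8270e2c1299bef")

# Initiator's first packet: responder cookie still zero, proposal carries no SPI.
GOOD = build_phase1_packet(I_COOKIE, bytes(8), b"")
# Constructed packet carrying the 8-byte proposal SPI the message suspects the gateway sends.
ODD = build_phase1_packet(I_COOKIE, bytes(8), I_COOKIE)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("odd", ODD)):
        prop = parse_first_proposal(pkt)
        print(name, prop["header"]["isakmp_spi"], check_proposal_spi(prop))
```

Running it prints the 16-byte cookie pair for both packets (the first with a zero responder half, exactly as described in the message) and the diagnostic only for the packet whose proposal carries an 8-byte SPI. A packet dump of the real exchange, as requested above, is what would settle whether the gateway is actually emitting that form.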
