[Vpn-help] Connecting to Linksys RV042
Matthew Grooms
mgrooms at shrew.net
Mon Oct 8 19:32:20 CDT 2007
Marc Goldburg wrote:
> Hello,
>
> I'm trying to connect to a "Group VPN" on a Linksys RV042 using the
> ShrewSoft client v 2.0.1. The VPN is set up to authenticate based on a
> client FQDN and shared secret, and the router's LAN-side subnet is
> included in the client's Policy tab for that connection. Phase 1 and
> Phase 2 are Diffie-Hellman Group 2/AES-256/MD5 with perfect forward
> secrecy on phase 2.
>
> I've attached a router log and an IKE log from the client for a
> connection attempt below. It looks like Phase 1 is completing
> successfully, but the router and client hang at the start (?) of Phase 2
> with the router saying "Received informational payload, type
> IPSEC_INITIAL_CONTACT" and the client saying "phase 2 not found." Any
> suggestions for how to debug this or for alternate configurations would
> be greatly appreciated. Thanks in advance!
>
Yes. The Shrew Soft client uses modecfg between phase1 and phase2 to
handle automatic configuration. It can also work with a Gateway that
doesn't support modecfg but configuring it to do so can be a bit tricky.
In the upcoming 2.1 release, a strictly manual configuration mode has
been added to make the client easier to use with Linksys and other
gateways that don't support this functionality. DHCP over IPsec support
has also been added to work better with gateways such as Fortinet /
Fortigate. I also have a Juniper gateway on order which I plan to add
full support for in the future.
> DB : config added
> ii : xauth is not required
> ii : building config attribute list
> ii : excluding unity attribute set
> ii : - IP4 DNS Server
> ii : sending config pull request
In the above log output, the client has determined it should attempt to
autoconfigure the DNS server address. It does this by sending a config
pull request which the Linksys router never responds to. What you need
to do is uncheck the "Enable DNS" option in the Name Resolution tab so
that the modecfg exchange will be skipped. Alternately, if you have a
DNS server that hosts a private zone behind the gateway you can specify
its address manually after unchecking the "Obtain Automatically" option.
This should get you up and running. Let me know if you have any more
questions.
-Matthew
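The failure pattern described above (config pull request sent, never answered, then "phase 2 not found") can be recognised automatically from the client's IKE log. The following is an added example written for this thread, not code from Shrew Soft; the sample log is constructed from the lines quoted in the post, and the reply text "config pull response" is an assumption, since the post only shows the request side.

```python
from dataclasses import dataclass

# Constructed sample modelled on the IKE log quoted in the thread; the
# "phase1 sa established" line is illustrative and not from the post.
SAMPLE_LOG_NO_REPLY = """\
ii : phase1 sa established
DB : config added
ii : xauth is not required
ii : building config attribute list
ii : excluding unity attribute set
ii : - IP4 DNS Server
ii : sending config pull request
ii : phase 2 not found
"""

# Constructed counter-example where the gateway answers the modecfg pull
# request; the reply line text is an assumption.
SAMPLE_LOG_REPLIED = """\
ii : sending config pull request
ii : received config pull response
ii : phase2 sa established
"""

@dataclass
class Diagnosis:
    pull_requested: bool = False
    pull_answered: bool = False
    phase2_failed: bool = False
    verdict: str = "no-modecfg"
    advice: str = ""

def diagnose_ike_log(text: str) -> Diagnosis:
    """Walk the log in order and classify the modecfg exchange."""
    d = Diagnosis()
    for line in text.splitlines():
        # Shrew log lines look like "<tag> : <message>"; keep the message.
        msg = line.split(":", 1)[1].strip() if ":" in line else line.strip()
        if msg == "sending config pull request":
            d.pull_requested = True
        elif d.pull_requested and "config pull response" in msg:  # assumed reply text
            d.pull_answered = True
        elif msg == "phase 2 not found":
            d.phase2_failed = True
    if d.pull_requested and not d.pull_answered and d.phase2_failed:
        d.verdict = "modecfg-unanswered"
        d.advice = ("gateway ignored the config pull request: uncheck 'Enable DNS' "
                    "in Name Resolution, or set the DNS server address manually")
    elif d.pull_requested and d.pull_answered:
        d.verdict = "modecfg-ok"
    return d
```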