[Vpn-help] Connecting to Linksys RV042

Matthew Grooms mgrooms at shrew.net
Mon Oct 8 19:32:20 CDT 2007


Marc Goldburg wrote:
> Hello,
> 
> I'm trying to connect to a "Group VPN" on a Linksys RV042 using the 
> ShrewSoft client v 2.0.1.  The VPN is set up to authenticate based on a 
> client FQDN and shared secret, and the router's LAN-side subnet is 
> included in the client's Policy tab for that connection.  Phase 1 and 
> Phase 2 are Diffie-Hellman Group 2/AES-256/MD5 with perfect forward 
> secrecy on phase 2. 
> 
> I've attached a router log and an IKE log from the client for a 
> connection attempt below.  It looks like Phase 1 is completing 
> successfully, but the router and client hang at the start (?) of Phase 2 
> with the router saying "Received informational payload, type 
> IPSEC_INITIAL_CONTACT" and the client saying "phase 2 not found."  Any 
> suggestions for how to debug this or for alternate configurations would 
> be greatly appreciated.  Thanks in advance!
> 

Yes. The Shrew Soft client uses modecfg between phase1 and phase2 to 
handle automatic configuration. It can also work with a Gateway that 
doesn't support modecfg but configuring it to do so can be a bit tricky. 
In the upcoming 2.1 release, a strictly manual configuration mode has 
been added to make the client easier to use with Linksys and other 
gateways that don't support this functionality. DHCP over IPsec support 
has also been added to work better with gateways such as Fortinet / 
Fortigate. I also have a Juniper gateway on order which I plan to add 
full support for in the future.

>     DB : config added
>     ii : xauth is not required
>     ii : building config attribute list
>     ii : excluding unity attribute set
>     ii : - IP4 DNS Server
>     ii : sending config pull request

In the above log output, the client has determined it should attempt to 
autoconfigure the DNS server address. It does this by sending a config 
pull request which the Linksys router never responds to. What you need 
to do is uncheck the "Enable DNS" option in the Name Resolution tab so 
that the modecfg exchange will be skipped. Alternately, if you have a 
DNS server that hosts a private zone behind the gateway you can specify 
its address manually after unchecking the "Obtain Automatically" option.

This should get you up and running. Let me know if you have any more 
questions.

-Matthew
