[Vpn-help] [Bulk] Re: Connecting to Linksys RV042

Marc Goldburg mgoldburg at assia-inc.com
Mon Oct 8 19:51:59 CDT 2007 

Matthew,

That was it!  Deselecting "Obtain Automatically" for the DNS server 
allowed the tunnel to come up, and I was able to manually specify a DNS 
server for our private zone.

Shrewsoft is providing a great public service with this client.  Thank you.

Marc

Matthew Grooms wrote:
> Marc Goldburg wrote:
>> Hello,
>>
>> I'm trying to connect to a "Group VPN" on a Linksys RV042 using the 
>> ShrewSoft client v 2.0.1.  The VPN is set up to authenticate based on 
>> a client FQDN and shared secret, and the router's LAN-side subnet is 
>> included in the client's Policy tab for that connection.  Phase 1 and 
>> Phase 2 are Diffie-Hellman Group 2/AES-256/MD5 with perfect forward 
>> secrecy on phase 2.
>> I've attached a router log and an IKE log from the client for a 
>> connection attempt below.  It looks like Phase 1 is completing 
>> successfully, but the router and client hang at the start (?) of 
>> Phase 2 with the router saying "Received informational payload, type 
>> IPSEC_INITIAL_CONTACT" and the client saying"phase 2 not found."  Any 
>> suggestions for how to debug this or for alternate configurations 
>> would be greatly appreciated.  Thanks in advance!
>>
>
> Yes. The Shrew Soft client uses modecfg between phase1 and phase2 to 
> handle automatic configuration. It can also work with a Gateway that 
> doesn't support modecfg but configuring it to do so can be a bit 
> tricky. In the upcoming 2.1 release, a strictly manual configuration 
> mode has been added to make the client easier to use with Linksys and 
> other gateways that don't support this functionality. DHCP over IPsec 
> support has also been added to work better with gateways such as 
> Fortinet / Fortigate. I also have a Juniper gateway on order which I 
> plan to add full support for in the future.
>
>>     DB : config added
>>     ii : xauth is not required
>>     ii : building config attribute list
>>     ii : excluding unity attribute set
>>     ii : - IP4 DNS Server
>>     ii : sending config pull request
>
> In the above log output, the client has determined it should attempt 
> to autoconfigure the DNS server address. It does this by sending a 
> config pull request which the Linksys router never responds to. What 
> you need to do is uncheck the "Enable DNS" option in the Name 
> Resolution tab so that the modecfg exchange will be skipped. 
> Alternately, if you have a DNS server that hosts a private zone behind 
> the gateway you can specify its address manually after unchecking the 
> "Obtain Automatically" option.
>
> This should get you up and running. Let me know if you have any more 
> questions.
>
> -Matthew
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20071008/c36f95e2/attachment-0002.html>

More information about the vpn-help mailing list