[Vpn-help] No IPSEC SA after ISAKMP

Matthew Grooms mgrooms at shrew.net
Sun Oct 14 18:51:02 CDT 2007


David Santinoli wrote:
> 
> Hi Matthew,
>   great!  The new client managed to import and use the private key,
> after asking for the passphrase.
> It went as far as establishing the ISAKMP security association, but did
> not bring up the IPSEC SA (this is confirmed by the server, too).  The
> last line of the IKE log says
> 
>   DB : phase2 not found
> 
> which makes me suspect my configuration is somewhat incomplete - could
> it be the case?
> 

It's difficult to tell what the problem is without seeing more of the 
client debug level log output and the gateway log output. Any chance you 
can forward this to either the list or to me in a private email? My 
guess is that the peer is sending a NO-PROPOSAL-CHOSEN notification. 
Some IKE implementations will require that you specify a precise phase2 
proposal instead of leaving everything set to "auto". If you match this 
up with your gateway config, it may just start working.

> Another thing I noticed is that when I try to commit the configuration
> the client keeps asking "Please specify a valid WINS Server Address"
> even if "Enable WINS" is not ticked.  (The same holds for DNS.)  This
> happens whatever the selected value for "Auto configuration" under the
> "General" tab.
> 

Thanks for the bug report. I hacked on this code quite a bit while 
adding the DHCP over IPsec and manual configuration methods. There was 
bound to be a regression or two :)

The problem has been corrected and an updated build has been uploaded.

http://www.shrew.net/vpn/download.php?name=vpn-client&vers=certtest-x86

-Matthew
