[Vpn-help] R: Testing 2.0.2 ...
Matthew Grooms
mgrooms at shrew.net
Fri Oct 19 20:47:40 CDT 2007
Antonio Gabriele wrote:
> Version 2.0.2 has the same problem.
> Here is the iked.log and pcap result.
>
Antonio,
Thanks for giving this another go. I looked at the pcap file again and
found a bit of information I overlooked during the previous round. The
second config mode packet sent by the Zywall is a different size so it
is obviously not re-requesting the authentication. I was thrown for a
loop before because all other vendors use a different message id when
processing the Xauth challenge/response than when processing the Xauth
result/acknowledge. The Zywall apparently does its own thing here by
using the same message id for both. The Shrew Soft client was discarding
the config handle used for the Xauth challenge/response which stores the
accumulated cipher IV value. This value is important for decrypting
messages that arrive using the same message id. I have modified the new
2.0.2 build to prevent this from happening and allow us to decode the
Xauth response. The negotiations will hopefully get farther along this
time. Could you please give it one more try.

Win2K/XP x86:
http://www.shrew.net/vpn/download.php?name=vpn-client&vers=2.0.2-release-x86

WinXP amd64:
http://www.shrew.net/vpn/download.php?name=vpn-client&vers=2.0.2-release-a64

If it does get farther, please let me know if you can negotiate IPsec
SAs or if it gets tripped up on something else. If it turns out to have
another trivial problem, we can probably get it fixed for the 2.0.2
release. If not, Zywall support will have to wait until I get further
along into the 2.1 development cycle.
It also may interest you that I placed a Zywall security appliance on
order today to ensure that it will be fully supported in all future
releases. Adding official support for other vendor gateways will be a
growing trend as development of the Shrew Soft Client continues.
Thanks again for your help,
-Matthew
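
Added example, not part of the original message and not Shrew Soft code: a small simulation of why discarding the per-message-id IV breaks decryption when the gateway reuses one message id for the whole Xauth exchange. It follows the IKEv1 CBC IV rules of RFC 2409 Appendix B; the 4-round Feistel toy cipher (a stand-in for the negotiated cipher), the key, the message id and the payload strings are all constructed assumptions.

```python
import hashlib

BLOCK = 16                     # toy cipher block size (bytes)
P1_LAST = b"\x11" * BLOCK      # constructed: last phase 1 ciphertext block
PAYLOADS = [s.ljust(BLOCK) for s in (b"XAUTH-REQUEST", b"XAUTH-REPLY",
                                     b"XAUTH-SET-STATUS", b"XAUTH-ACK")]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _block(key, blk, rounds):
    # 4-round Feistel toy cipher (stand-in for the negotiated cipher)
    l, r = blk[:8], blk[8:]
    for n in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([n]) + r).digest()[:8])
    return r + l

def cbc_encrypt(key, iv, pt):
    out = b""
    for i in range(0, len(pt), BLOCK):
        iv = _block(key, _xor(pt[i:i + BLOCK], iv), range(4))
        out += iv
    return out

def cbc_decrypt(key, iv, ct):
    out = b""
    for i in range(0, len(ct), BLOCK):
        out += _xor(_block(key, ct[i:i + BLOCK], reversed(range(4))), iv)
        iv = ct[i:i + BLOCK]
    return out

def iv_for(table, msgid):
    # First message under an id: IV = hash(last phase 1 block | M-ID);
    # afterwards the IV is the last ciphertext block seen under that id.
    return table.get(msgid, hashlib.sha1(P1_LAST + msgid).digest()[:BLOCK])

def xauth_exchange(discard_after_reply):
    """Return what each receiver decrypts when all four messages share one id."""
    key, msgid = b"constructed-key", bytes.fromhex("a1b2c3d4")
    gw, cl, seen = {}, {}, []          # per-peer table: message id -> next IV
    for i, pt in enumerate(PAYLOADS):
        tx, rx = (gw, cl) if i % 2 == 0 else (cl, gw)
        ct = cbc_encrypt(key, iv_for(tx, msgid), pt)
        seen.append(cbc_decrypt(key, iv_for(rx, msgid), ct))
        tx[msgid] = rx[msgid] = ct[-BLOCK:]
        if discard_after_reply and i == 1:
            cl.pop(msgid)              # client drops its handle, losing the IV
    return seen
```

`xauth_exchange(False)` returns the four payloads intact, while `xauth_exchange(True)` returns a garbled third entry because the client falls back to the initial IV for a message id that is already mid-chain.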