[Vpn-help] R: Testing 2.0.2 ...

Matthew Grooms mgrooms at shrew.net
Fri Oct 19 20:47:40 CDT 2007


Antonio Gabriele wrote:
> Version 2.0.2 has the same problem.
> Here is the iked.log and pcap result.
> 

Antonio,

Thanks for giving this another go. I looked at the pcap file again and 
found a bit of information I overlooked during the previous round. The 
second config mode packet sent by the Zywall is a different size so it 
is obviously not re-requesting the authentication. I was thrown for a 
loop before because all other vendors use a different message id when 
processing the Xauth challenge/response than when processing the Xauth 
result/acknowledge. The Zywall apparently does its own thing here by 
using the same message id for both. The Shrew Soft client was discarding 
the config handle used for the Xauth challenge/response which stores the 
accumulated cipher IV value. This value is important for decrypting 
messages that arrive using the same message id. I have modified the new 
2.0.2 build to prevent this from happening and allow us to decode the 
Xauth response. The negotiations will hopefully get farther along this 
time. Could you please give it one more try.

Win2K/XP x86
http://www.shrew.net/vpn/download.php?name=vpn-client&vers=2.0.2-release-x86

WinXP amd64
http://www.shrew.net/vpn/download.php?name=vpn-client&vers=2.0.2-release-a64

If it does get farther, please let me know if you can negotiate IPsec 
SAs or if it gets tripped up on something else. If it turns out to have 
another trivial problem, we can probably get it fixed for the 2.0.2 
release. If not, Zywall support will have to wait until I get further 
along into the 2.1 development cycle.

It also may interest you that I placed a Zywall security appliance on 
order today to ensure that it will be fully supported in all future 
releases. Adding official support for other vendor gateways will be a 
growing trend as development of the Shrew Soft Client continues.

Thanks again for your help,

-Matthew
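
An added illustration of the IV issue described in the message above; it is not part of the original post and is not Shrew Soft code. It assumes the IKEv1 CBC rule from RFC 2409 Appendix B (first message for a message id uses hash(last phase 1 block | message id) as IV, later messages chain from the previous ciphertext block); the toy Feistel cipher, key, message id and plaintexts are constructed stand-ins.

```python
import hashlib

BLOCK = 8  # toy 64-bit block; constructed stand-in for the negotiated cipher

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _block(key, blk, rounds):
    # 4-round Feistel network; decryption is the same walk with rounds reversed.
    l, r = blk[:4], blk[4:]
    for rnd in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:4])
    return r + l

def cbc_encrypt(key, iv, pt):
    out = []
    for i in range(0, len(pt), BLOCK):
        iv = _block(key, _xor(pt[i:i + BLOCK], iv), range(4))
        out.append(iv)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out = []
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(_block(key, ct[i:i + BLOCK], reversed(range(4))), iv))
        iv = ct[i:i + BLOCK]
    return b"".join(out)

class Peer:
    def __init__(self, key, p1_last_block):
        self.key, self.p1, self.iv = key, p1_last_block, {}  # iv: msgid -> running IV

    def crypt(self, fn, msgid, data):
        # First message for a msgid: IV = hash(last phase 1 block | msgid).
        iv = self.iv.get(msgid) or hashlib.sha1(self.p1 + msgid).digest()[:BLOCK]
        out = fn(self.key, iv, data)
        ct = out if fn is cbc_encrypt else data
        self.iv[msgid] = ct[-BLOCK:]  # later messages chain from the last ciphertext block
        return out

def xauth_result_seen_by_client(keep_handle):
    key, p1, msgid = b"constructed-key", b"\x11" * BLOCK, b"\x00\x00\xbe\xef"
    gw, client = Peer(key, p1), Peer(key, p1)
    client.crypt(cbc_decrypt, msgid, gw.crypt(cbc_encrypt, msgid, b"XAUTH REQUEST   "))
    gw.crypt(cbc_decrypt, msgid, client.crypt(cbc_encrypt, msgid, b"XAUTH REPLY     "))
    if not keep_handle:
        client.iv.pop(msgid)  # handle discarded after challenge/response
    # Gateway reuses the same message id for the result, as the Zywall does.
    return client.crypt(cbc_decrypt, msgid, gw.crypt(cbc_encrypt, msgid, b"XAUTH STATUS OK "))
```

With the handle kept the result decrypts cleanly; with it discarded the client falls back to the initial IV and the first block, where a real ISAKMP payload header would sit, comes out as garbage.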


