[Vpn-help] Linksys BEFVP41

Matthew Grooms mgrooms at shrew.net
Tue Sep 18 18:06:23 CDT 2007


Arnim Sommer wrote:
>
> So, let's get a little Bit deeper:
> The Linksys is in the "Defaults"
> (Phase 1: Main Mode;
> Proposal 1: DES - SHA - 768-bit - 28800 seconds
> Phase 2: Proposal: 3DES - MD5 - PFS on - 768-bit - 3600 seconds
> Key Management Auto (IKE))
> 
> The Shrew soft Client settings are:

Uncheck the Enable Client Login Banner.
Uncheck any Obtain Automatically options.

> General:
> IP, Port 500
> Configuration Method: pull
> Address Method: Use an existing adapter and current address
> 
> Client:
> Nat Traversal: enable
> Port: 4500
> 15 sec
> IKE Fragmentation: disable
> All Other Options checked.
> 
> Name Resolution:
> Enable DNS, DNS Server Address IP
> Enable Split DNS
> Obtain Automatically
> 
> Authentication:
> Method: Mutual PSK
> Local Identity: IP Address (discovered)
> Remote Identity: IP Address (discovered)
> Credentials: <PSK>
> 
> Phase1:
> Type: main
> group 2 - DES - SHA1
> 28800s
> 0K
> 
> Phase2:
> ESP-3DES - MD5 - group 1 - no compression
> 3600s
> 9K
> 
> Policy:
> <-> Private net
> 
> And in the Linksys-Log I get
> 007-09-18 14:44:21 @in UDP from xxx.xxx.xxx.xxx:500 to xxx.xxx.xxx.xxx:500
> 2007-09-18 14:44:21 IKE[71] Rx << MM_I1 : xxx.xxx.xxx.xxx SA, VID, VID, VID, VID
> 2007-09-18 14:44:21 IKE[71] Tx >> MM_R1 : xxx.xxx.xxx.xxx SA
> 2007-09-18 14:44:21 IKE[71] ISAKMP SA CKI=[21ba5b68 97b7932e] CKR=[c55d7e18
> e1af9384]
> 2007-09-18 14:44:21 IKE[71] ISAKMP SA DES / SHA / PreShared / MODP_1024 /
> 28800 sec (*0 sec)
> 2007-09-18 14:44:21 IKE[71] Rx << MM_I2 : xxx.xxx.xxx.xxx KE, NONCE
> 2007-09-18 14:44:21 IKE[71] Tx >> MM_R2 : xxx.xxx.xxx.xxx KE, NONCE
> 2007-09-18 14:44:22 This connection request matches tunnel 3 setting !
> 2007-09-18 14:44:22 IKE[3] Rx << MM_I3 : xxx.xxx.xxx.xxx ID, HASH
> 2007-09-18 14:44:22 IKE[3] Tx >> MM_R3 : xxx.xxx.xxx.xxx ID, HASH
> 2007-09-18 14:44:22 IKE[3] Rx << Notify :
> 2007-09-18 14:44:22 IKE[3] Tx >> Notify : INVALID-EXCHANGE-TYPE
> 2007-09-18 14:44:27 IKE[3] Tx >> Notify : INVALID-EXCHANGE-TYPE
> 2007-09-18 14:44:32 IKE[3] Tx >> Notify : INVALID-EXCHANGE-TYPE
> 2007-09-18 14:46:02 IKE[3] Rx << Delete ISAKMP_SA : cookie 21ba5b68 97b7932e |
> c55d7e18 e1af9384
> 
> What do you make of this?
> 

What I make of it is that you have a perfectly healthy Phase1
negotiation completing. After which, the client is sending a modecfg
request which causes the Linksys router to respond with
"INVALID-EXCHANGE-TYPE".

I know it's a bit annoying, but you have to manually disable any option
that will cause the client to initiate a modecfg request if the peer
does not support it. I will be adding an option in 2.1 to disable this
in one place (instead of everywhere related). By following the
suggestions I made regarding your configuration, you should at least get
to phase2.

Hope this helps,

-Matthew
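As an added example (not part of the original thread or the Shrew Soft code), a small Python check that applies the diagnosis above to a Linksys log in the quoted format: it flags a completed Main Mode (MM_I3/MM_R3 exchanged) followed by INVALID-EXCHANGE-TYPE notifies with no Quick Mode, which is the signature of a modecfg request the peer does not support. The sample log is constructed from the lines quoted above; the "QM_" prefix assumed for Quick Mode lines is an assumption, since the thread shows no Phase 2 output.

```python
import re

# Constructed sample, modelled on the Linksys BEFVP41 log quoted in the thread
# (addresses masked as in the original post).
SAMPLE_LOG = """\
2007-09-18 14:44:21 IKE[71] Rx << MM_I1 : xxx.xxx.xxx.xxx SA, VID, VID, VID, VID
2007-09-18 14:44:21 IKE[71] Tx >> MM_R1 : xxx.xxx.xxx.xxx SA
2007-09-18 14:44:21 IKE[71] Rx << MM_I2 : xxx.xxx.xxx.xxx KE, NONCE
2007-09-18 14:44:21 IKE[71] Tx >> MM_R2 : xxx.xxx.xxx.xxx KE, NONCE
2007-09-18 14:44:22 This connection request matches tunnel 3 setting !
2007-09-18 14:44:22 IKE[3] Rx << MM_I3 : xxx.xxx.xxx.xxx ID, HASH
2007-09-18 14:44:22 IKE[3] Tx >> MM_R3 : xxx.xxx.xxx.xxx ID, HASH
2007-09-18 14:44:22 IKE[3] Rx << Notify :
2007-09-18 14:44:22 IKE[3] Tx >> Notify : INVALID-EXCHANGE-TYPE
2007-09-18 14:44:27 IKE[3] Tx >> Notify : INVALID-EXCHANGE-TYPE
2007-09-18 14:44:32 IKE[3] Tx >> Notify : INVALID-EXCHANGE-TYPE
2007-09-18 14:46:02 IKE[3] Rx << Delete ISAKMP_SA : cookie 21ba5b68 97b7932e | c55d7e18 e1af9384
"""

# "<date> <time> IKE[<n>] Rx|Tx <<|>> <exchange>[ : <payload>]"
LINE_RE = re.compile(r"^\S+ \S+ IKE\[(\d+)\] (Rx|Tx) [<>]{2} (.+?)(?: :\s*(.*))?$")

def analyze_ike_log(text):
    """Summarise Main Mode / Quick Mode progress seen in a Linksys IKE log."""
    seen = []       # ordered (direction, exchange) pairs
    notifies = []   # notify types the router sent
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue    # UDP lines, tunnel-match lines etc. carry no state
        _tunnel, direction, exch, payload = m.groups()
        seen.append((direction, exch))
        if direction == "Tx" and exch == "Notify" and payload:
            notifies.append(payload.strip())
    return {
        "phase1_complete": ("Rx", "MM_I3") in seen and ("Tx", "MM_R3") in seen,
        # Assumption: this firmware would log Quick Mode exchanges as QM_*.
        "quick_mode_seen": any(e.startswith("QM_") for _, e in seen),
        "invalid_exchange_type": notifies.count("INVALID-EXCHANGE-TYPE"),
    }

def diagnose(summary):
    """Map the summary to the explanation given in the reply above."""
    if summary["phase1_complete"] and summary["invalid_exchange_type"] \
            and not summary["quick_mode_seen"]:
        return ("phase1 ok; peer rejected the exchange sent after it "
                "(client modecfg request): disable the client's automatic options")
    if summary["phase1_complete"]:
        return "phase1 ok; phase2 negotiation attempted"
    return "phase1 did not complete"
```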
