[Vpn-help] Connection Running Afoul of XAUTH

Matthew Grooms mgrooms at shrew.net
Sat Dec 6 17:59:07 CST 2008


Ron Westfall wrote:
> I'm trying to connect the Shrew VPN client 2.1.4 to a D-Link DI-804HV.
> I get the phase 1 SA established, but I then get into trouble.
>
> On the Shrew side, I get the following log messages (I have obfuscated
> the 804HV's public IP address to 1.2.3.4):
> 

Hi Ron,

The problem isn't with Xauth but with modecfg which is the exchange mode 
used to perform automatic client configuration. The Xauth protocol 
extension is built on top of the modecfg extension so they use the same 
exchange type ( 6 ).

When the DLink gateway receives this packet ...

> 08/11/25 19:08:04 ii : building config attribute list
> 08/11/25 19:08:04 ii : - IP4 Subnet
> 08/11/25 19:08:04 == : new config iv ( 8 bytes )
> 08/11/25 19:08:04 0x : 46831c91 c41ba9ac
> 08/11/25 19:08:04 ii : sending config pull request
> 08/11/25 19:08:04 >> : hash payload
> 08/11/25 19:08:04 >> : attribute payload
> 08/11/25 19:08:04 == : new configure hash ( 20 bytes )
> 08/11/25 19:08:04 >= : cookies 074c69b8a3b74741:d4d7b1359e30be21
> 08/11/25 19:08:04 >= : message c4a7fa40
> 08/11/25 19:08:04 >= : encrypt iv ( 8 bytes )
> 08/11/25 19:08:04 0x : 46831c91 c41ba9ac
> 08/11/25 19:08:04 == : encrypt packet ( 64 bytes )
> 08/11/25 19:08:04 == : stored iv ( 8 bytes )
> 08/11/25 19:08:04 0x : c62e62ac 6eb88db8
> 08/11/25 19:08:04 -> : send IKE packet 192.168.2.5:500 -> 1.2.3.4:500 ( 96 bytes )

It assumes the request is an Xauth request ...

Receive XAUTH (REQUEST): 5.6.7.8 -> 1.2.3.4, but router is not in client mode

... The DLink is confused because it doesn't support the use of modecfg 
for anything but Xauth. Your best bet is to set your site configuration 
'Auto Configuration' mode to disabled and use only manual settings. This 
will bypass the modecfg exchange.

Hope this helps,

-Matthew
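An added illustration (not Shrew's code and not from this thread): a small Python parser for the cleartext of an ISAKMP transaction exchange (type 6) packet, showing that the client's modecfg pull request and an Xauth request share the same exchange type and payload chain (hash, then attribute payload) and differ only in the attribute types inside the attribute payload. Cookies, message ID and the hash bytes are constructed placeholders; the attribute-type numbers are the standard modecfg and Xauth draft values, and a gateway that keys on exchange type alone will conflate the two.

```python
import struct

XCHG_TRANSACTION = 6          # exchange type shared by modecfg and Xauth
PAYLOAD_HASH, PAYLOAD_ATTR = 8, 14
CFG_TYPES = {1: "REQUEST", 2: "REPLY", 3: "SET", 4: "ACK"}
XAUTH_BASE = 16520            # XAUTH_TYPE; Xauth attributes are 16520..16527

def build_attr(atype, value=b"", basic=None):
    """Encode one ISAKMP attribute: basic (AF=1, 2-byte value) or variable length (AF=0)."""
    if basic is not None:
        return struct.pack("!HH", 0x8000 | atype, basic)
    return struct.pack("!HH", atype, len(value)) + value

def build_packet(cfg_type, attrs):
    """Constructed cleartext of a type-6 packet: header, hash payload, attribute payload."""
    attr_body = struct.pack("!BBH", cfg_type, 0, 0x1234) + b"".join(attrs)   # type, rsvd, id
    attr_pl = struct.pack("!BBH", 0, 0, 4 + len(attr_body)) + attr_body       # last payload
    hash_pl = struct.pack("!BBH", PAYLOAD_ATTR, 0, 4 + 20) + b"\x00" * 20     # dummy 20-byte hash
    body = hash_pl + attr_pl
    hdr = struct.pack("!8s8sBBBBII", b"\x07" * 8, b"\xd4" * 8, PAYLOAD_HASH, 0x10,
                      XCHG_TRANSACTION, 0x01, 0xC4A7FA40, 28 + len(body))   # E flag set on the wire
    return hdr + body

def classify(pkt):
    """Walk the payload chain and decide whether the attribute payload is modecfg or Xauth."""
    _, _, np, _, xchg, _, _, _ = struct.unpack("!8s8sBBBBII", pkt[:28])
    if xchg != XCHG_TRANSACTION:
        return {"kind": "not-transaction"}
    off = 28
    while np != 0:
        np_next, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if np == PAYLOAD_ATTR:
            cfg_type, _, ident = struct.unpack("!BBH", pkt[off + 4:off + 8])
            attrs, p = [], off + 8
            while p < off + plen:
                atype, lenval = struct.unpack("!HH", pkt[p:p + 4])
                if atype & 0x8000:             # AF=1: value lives in the length field
                    atype &= 0x7FFF; p += 4
                else:                          # AF=0: variable-length value follows
                    p += 4 + lenval
                attrs.append(atype)
            kind = "xauth" if any(a >= XAUTH_BASE for a in attrs) else "modecfg"
            return {"kind": kind, "cfg_type": CFG_TYPES.get(cfg_type, "?"), "attrs": attrs}
        off += plen
        np = np_next
    return {"kind": "no-attribute-payload"}

# Constructed samples: the client's pull request (empty INTERNAL_IP4_SUBNET = 13) vs an Xauth request.
MODECFG_PULL = build_packet(1, [build_attr(13)])
XAUTH_REQ = build_packet(1, [build_attr(16520, basic=0), build_attr(16521), build_attr(16522)])
```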