[Vpn-help] Connection Running Afoul of XAUTH

Ron Westfall rwestfall at polarblue.com
Mon Dec 8 19:59:21 CST 2008


Matthew,

Thank you very much for the response!

A followup question for the list ...

As Matthew has pointed out, the D-Link DI-804HV does not fully support  
modecfg (i.e. automatic client configuration).  Unfortunately for me,  
I need to configure the VPN client with an IP address from the secured  
network.  My secured network has default routers that are not the VPN  
gateway.  If the VPN client uses a non-secured network IP address, I  
can get packets from the VPN client through the tunnel to the  
computers in the secured network, but the response packets get sent to  
the default routers instead of the VPN gateway.

What I need is a VPN gateway that will configure the VPN client  
(presumably via modecfg) with an IP address from the secured network.   
Ideally the VPN gateway could work with DHCP to do this, but I can  
always assign a fixed IP address if I have to.  Once the tunnel is up,  
the VPN gateway would be required to respond to ARP requests with its  
own Ethernet MAC address when computers on the secured network try to  
respond and ask for an ARP translation of the VPN client's secured  
network IP address.  Does anybody care to recommend a VPN gateway that  
has this behavior?  I am sure I could do it with an expensive Cisco or  
other high end VPN gateway, but I only need to support a very few  
remote users.

Ron

On 6-Dec-08, at 3:59 PM, Matthew Grooms wrote:

> Ron Westfall wrote:
>> I am trying to connect the Shrew VPN client 2.1.4 to a D-Link  
>> DI-804HV. I get the phase 1 SA established, but I then get into  
>> trouble.
>> On the Shrew side, I get the following log messages (I have  
>> obfuscated the 804HV's public IP address to 1.2.3.4):
>
> Hi Ron,
>
> The problem isn't with Xauth but with modecfg which is the exchange  
> mode used to perform automatic client configuration. The Xauth  
> protocol extension is built on top of the modecfg extension so they  
> use the same exchange type ( 6 ).
>
> When the DLink gateway receives this packet ...
>
>> 08/11/25 19:08:04 ii : building config attribute list
>> 08/11/25 19:08:04 ii : - IP4 Subnet
>> 08/11/25 19:08:04 == : new config iv ( 8 bytes )
>> 08/11/25 19:08:04 0x : 46831c91 c41ba9ac
>> 08/11/25 19:08:04 ii : sending config pull request
>> 08/11/25 19:08:04 >> : hash payload
>> 08/11/25 19:08:04 >> : attribute payload
>> 08/11/25 19:08:04 == : new configure hash ( 20 bytes )
>> 08/11/25 19:08:04 >= : cookies 074c69b8a3b74741:d4d7b1359e30be21
>> 08/11/25 19:08:04 >= : message c4a7fa40
>> 08/11/25 19:08:04 >= : encrypt iv ( 8 bytes )
>> 08/11/25 19:08:04 0x : 46831c91 c41ba9ac
>> 08/11/25 19:08:04 == : encrypt packet ( 64 bytes )
>> 08/11/25 19:08:04 == : stored iv ( 8 bytes )
>> 08/11/25 19:08:04 0x : c62e62ac 6eb88db8
>> 08/11/25 19:08:04 -> : send IKE packet 192.168.2.5:500 ->  
>> 1.2.3.4:500  ( 96 bytes )
>
> It assumes the request is an Xauth request ...
>
> Receive XAUTH (REQUEST): 5.6.7.8 -> 1.2.3.4, but router is not in
> client mode
>
> ... The DLink is confused because it doesn't support the use of  
> modecfg for anything but Xauth. Your best bet is to set your site  
> configuration 'Auto Configuration' mode to disabled and use only  
> manual settings. This will bypass the modecfg exchange.
>
> Hope this helps,
>
> -Matthew
>
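The gateway-side behaviour Ron asks for in his follow-up (answering ARP requests on the secured LAN with the gateway's own MAC for an address leased to a VPN client), as an added example that is not part of this thread and not code from Shrew, D-Link or any other product. On Linux the kernel does this itself when `net.ipv4.conf.<lan-if>.proxy_arp` is set and a host route for the client's address points at the tunnel interface; the responder below is a stand-alone model of that logic over hand-built Ethernet/ARP frames. The gateway MAC, LAN subnet and client addresses are assumed values.

```python
import struct
import ipaddress

ETH_HDR = "!6s6sH"            # dst MAC, src MAC, EtherType
ARP_PKT = "!HHBBH6s4s6s4s"    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def ip4(text):
    return ipaddress.IPv4Address(text).packed


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Ethernet frame carrying an ARP request or reply (Ethernet/IPv4 only)."""
    arp = struct.pack(ARP_PKT, 1, 0x0800, 6, 4, op,
                      sender_mac, sender_ip, target_mac, target_ip)
    return struct.pack(ETH_HDR, eth_dst, sender_mac, ETHERTYPE_ARP) + arp


def arp_fields(frame):
    """(op, sender MAC, sender IP, target MAC, target IP) of an ARP frame, as text."""
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack_from(ARP_PKT, frame, 14)
    return (op, mac_text(sha), str(ipaddress.IPv4Address(spa)),
            mac_text(tha), str(ipaddress.IPv4Address(tpa)))


class ProxyArp:
    """Answers ARP requests on the secured LAN for addresses leased to VPN clients."""

    def __init__(self, gw_mac, lan):
        self.gw_mac = mac(gw_mac)                 # assumed gateway LAN MAC
        self.lan = ipaddress.IPv4Network(lan)     # assumed secured-network prefix
        self.clients = set()

    def tunnel_up(self, client_ip):
        ip = ipaddress.IPv4Address(client_ip)
        # LAN hosts only ARP for addresses they believe are on-link, so a lease
        # outside the secured prefix would never be proxied; reject it early.
        if ip not in self.lan:
            raise ValueError("%s is not inside %s" % (ip, self.lan))
        self.clients.add(ip)

    def tunnel_down(self, client_ip):
        self.clients.discard(ipaddress.IPv4Address(client_ip))

    def handle(self, frame):
        """Return an ARP reply frame if `frame` is a request for a connected
        client's address, otherwise None (leave it to the normal ARP path)."""
        if len(frame) < 14 + 28:
            return None
        _, eth_src, etype = struct.unpack_from(ETH_HDR, frame)
        if etype != ETHERTYPE_ARP:
            return None
        htype, ptype, hlen, plen, op, sha, spa, _, tpa = struct.unpack_from(ARP_PKT, frame, 14)
        if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REQUEST):
            return None
        if ipaddress.IPv4Address(tpa) not in self.clients:
            return None
        # Answer with the gateway's own MAC: the LAN host then hands the client's
        # traffic to the gateway, which forwards it into the tunnel.
        return build_arp(ARP_REPLY, self.gw_mac, tpa, sha, spa, eth_src)


if __name__ == "__main__":
    gw = ProxyArp("00:11:22:33:44:55", "192.168.1.0/24")
    gw.tunnel_up("192.168.1.200")
    req = build_arp(ARP_REQUEST, mac("aa:bb:cc:dd:ee:ff"), ip4("192.168.1.10"),
                    b"\x00" * 6, ip4("192.168.1.200"), BROADCAST)
    print(arp_fields(gw.handle(req)))
```

The reply is only generated while a tunnel for that address is up; once `tunnel_down` runs, requests for the address fall through unanswered again, which is what keeps a stale lease from black-holing a LAN host that later gets the same address.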
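The collision Matthew describes, as an added example that is not part of this thread and not code from Shrew or D-Link: modecfg and XAUTH both ride on ISAKMP exchange type 6 and both carry an attribute (config) payload, so a gateway that keys on the exchange type alone will misread Shrew's config pull request as an XAUTH request. The only reliable discriminator is the attribute types inside the payload (1..15 for modecfg, 16520..16529 for XAUTH). The cookies and message ID below are copied from the Shrew log above; the attribute lists, the placeholder HASH(1) and the XAUTH request are constructed, and the bodies are shown in plaintext although on the wire they are encrypted.

```python
import struct

# ISAKMP header (RFC 2408, 28 bytes): cookies, next payload, version,
# exchange type, flags, message ID, total length.
ISAKMP_HDR = "!8s8sBBBBII"
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR)
ISAKMP_VERSION = 0x10
PAYLOAD_HASH, PAYLOAD_ATTR = 8, 14   # payload type ids of HASH and attribute (config) payloads
EXCH_TRANSACTION = 6                 # exchange type shared by modecfg and XAUTH

# Config message types and attributes (draft-dukes-ike-mode-cfg);
# XAUTH (draft-ietf-ipsec-isakmp-xauth) reuses the payload with attributes 16520..16529.
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_SUBNET = 1, 2, 13
XAUTH_TYPE, XAUTH_USER_NAME, XAUTH_USER_PASSWORD = 16520, 16521, 16522
XAUTH_FIRST, XAUTH_LAST = 16520, 16529


def encode_attr(atype, value):
    """TV form (AF bit set, 2-byte value) for ints, TLV form for byte strings."""
    if isinstance(value, int):
        return struct.pack("!HH", 0x8000 | atype, value)
    return struct.pack("!HH", atype, len(value)) + value


def decode_attrs(data):
    """Decode a run of data attributes into (type, value) pairs."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        af_type, x = struct.unpack_from("!HH", data, off)
        off += 4
        atype = af_type & 0x7FFF
        if af_type & 0x8000:
            attrs.append((atype, x))
        else:
            if off + x > len(data):
                raise ValueError("truncated TLV attribute")
            attrs.append((atype, data[off:off + x]))
            off += x
    return attrs


def build_transaction(icookie, rcookie, msgid, cfg_type, attrs, identifier=0):
    """Plaintext view of a transaction exchange: HASH(1) payload, then the config
    payload. On the wire everything after the header is encrypted (E flag);
    the 20-byte hash here is a constructed placeholder, not a real HMAC."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    cfg = struct.pack("!BBHBBH", 0, 0, 8 + len(body), cfg_type, 0, identifier) + body
    hsh = struct.pack("!BBH", PAYLOAD_ATTR, 0, 4 + 20) + b"\x00" * 20
    hdr = struct.pack(ISAKMP_HDR, icookie, rcookie, PAYLOAD_HASH, ISAKMP_VERSION,
                      EXCH_TRANSACTION, 0, msgid, ISAKMP_HDR_LEN + len(hsh) + len(cfg))
    return hdr + hsh + cfg


def parse_transaction(packet):
    """Walk the payload chain of a transaction exchange and return
    (config message type, attributes); raise ValueError on anything else."""
    _, _, nxt, _, exch, _, _, length = struct.unpack_from(ISAKMP_HDR, packet)
    if exch != EXCH_TRANSACTION:
        raise ValueError("exchange type %d is not a transaction exchange" % exch)
    if length != len(packet):
        raise ValueError("header length does not match packet length")
    off = ISAKMP_HDR_LEN
    while nxt != 0:
        pnext, _, plen = struct.unpack_from("!BBH", packet, off)
        if plen < 4 or off + plen > len(packet):
            raise ValueError("bad payload length")
        if nxt == PAYLOAD_ATTR:
            cfg_type, _, _ = struct.unpack_from("!BBH", packet, off + 4)
            return cfg_type, decode_attrs(packet[off + 8:off + plen])
        nxt, off = pnext, off + plen
    raise ValueError("no attribute payload in transaction exchange")


def classify_by_attributes(packet):
    """Decide XAUTH vs modecfg by the attribute types actually carried."""
    _, attrs = parse_transaction(packet)
    return "xauth" if any(XAUTH_FIRST <= t <= XAUTH_LAST for t, _ in attrs) else "modecfg"


def classify_by_exchange_type_only(packet):
    """The shortcut Matthew describes: every exchange type 6 is taken to be XAUTH."""
    return "xauth" if packet[18] == EXCH_TRANSACTION else "other"


# Constructed samples. Cookies and message ID are copied from the Shrew log above;
# the attribute lists are assumed.
ICOOKIE = bytes.fromhex("074c69b8a3b74741")
RCOOKIE = bytes.fromhex("d4d7b1359e30be21")
MSGID = 0xC4A7FA40

# Shrew's "config pull request": empty attributes ask the gateway to fill them in.
SHREW_PULL = build_transaction(ICOOKIE, RCOOKIE, MSGID, CFG_REQUEST,
                               [(INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP4_SUBNET, b"")])

# What an XAUTH gateway sends to start user authentication: same exchange type,
# same payload type, different attributes (XAUTH_TYPE 0 = generic).
XAUTH_REQ = build_transaction(ICOOKIE, RCOOKIE, 0x1A2B3C4D, CFG_REQUEST,
                              [(XAUTH_TYPE, 0), (XAUTH_USER_NAME, b""), (XAUTH_USER_PASSWORD, b"")])

if __name__ == "__main__":
    for name, pkt in (("shrew modecfg pull", SHREW_PULL), ("xauth request", XAUTH_REQ)):
        print("%-20s exchange-type-only=%-6s by-attributes=%s" % (
            name, classify_by_exchange_type_only(pkt), classify_by_attributes(pkt)))
```

Disabling "Auto Configuration" on the Shrew side, as Matthew suggests, simply means the client never sends `SHREW_PULL`, so the gateway's exchange-type-only shortcut is never triggered.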