[Vpn-help] shrew soft Linux client --> netgear FVS114 problems

jvb jvbmp at free.fr
Wed Jul 30 17:05:21 CDT 2008


Hi everybody,

I have an Asus EEE laptop running Debian Lenny, and I would like to
reach my home LAN (10.38.0.0/24) via my FVS114 VPN router while I'm on
the move.
My FVS114 already has a VPN tunnel enabled to another FVS114 and it
works OK.

For my "road warrior" access, I created an IKE policy named "nomade".
Here are the parameters:


direction/type : remote access
mode : aggressive mode
local identity type : fully qualified domain name
local identity data : fvs_local
remote identity type : fully qualified domain name
remote identity data : fvs_remote
encryption algo : 3DES
auth algo : SHA1
auth method : psk
dh group : 2
SA life time : 3600 sec

The associated VPN Policy, also named "nomade", has the following setup

IKE keep alive : disabled
SA life time : 3600 sec / 0 Kb
IPsec PFS enabled / group 2
netbios enabled
local IP : subnet address (10.38.0.0/24)
remote IP : any
AH disabled
ESP enabled (encryption = 3DES, auth = SHA1)

I recently tried the Shrew Soft VPN client to connect to this VPN setup,
with no success yet.

Here is my Shrew Soft client config:

* "General" tab

host name : my router's static WAN IP / port 500
auto configuration : ike config pull
address method = use virtual adapter and assigned address / obtain automatically
mtu = 1380

* "Client" tab

nat traversal enabled / port 4500
keep alive : 15 sec
IKE fragmentation : enabled
max packet size : 540 bytes

* "Name Resolution" tab

enable DNS enabled / obtain automatically

* "Authentication" tab

method = mutual psk
local identity : FQDN / fvs_remote
remote identity : FQDN / fvs_local
credentials : psk

* "phase 1" tab

exchange type : aggressive
dh exchange : group 2
cipher algo = 3des / key length = auto
hash algo = sha1
key life time limit = 3600 sec / data limit = 0 KB

* "phase 2" tab

transform algo = 3des / key length = auto
hmac algo = sha1
pfs exchange = group 2
compression = disabled (or deflate, it doesn't change anything)
key life time limit = 3600 sec / data limit = 0 KB

* "policy" tab

maintain persistent SA enabled
obtain topology automatically enabled

When I try connecting from outside (let's say with an IP "IP-NOMADE"),
here is what the router's log says:

[2008-07-30 17:30:45][==== IKE PHASE 1(from <IP-NOMADE>) START
(responder) ====]
[2008-07-30 17:30:45]**** RECEIVED FIRST MESSAGE OF AGGR MODE ****
[2008-07-30 17:30:45]<POLICY: > PAYLOADS:
SA,PROP,TRANS,TRANS,KE,NONCE,ID,VID,VID,VID,VID,VID,VID,VID,VID,VID,VID,VID
[2008-07-30 17:30:45]<LocalRID> Type=ID_FQDN,ID Data=fvs_remote
[2008-07-30 17:30:45]<RemoteLID> Type=ID_FQDN,ID Data=fvs_remote
[2008-07-30 17:30:45]<POLICY: Nomade> PAYLOADS:
SA,PROP,TRANS,KE,NONCE,ID,HASH
[2008-07-30 17:30:45]**** SENT OUT SECOND MESSAGE OF AGGR MODE **** 

Moreover, I see the following line for a few seconds in the "IKE SA"
part of the VPN status page:

(policy name) (Endpoint) (state) (Lifetime)
Nomade <IP-NOMADE> HASH_WAIT 0
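The router log above stops after "SENT OUT SECOND MESSAGE OF AGGR MODE" and the status page shows the IKE SA in HASH_WAIT, i.e. the responder has sent message 2 of aggressive mode and is waiting for the initiator's HASH_I. The script below is an added illustration (not code from the post, Shrew Soft or Netgear) of that three-message exchange with pre-shared-key authentication and SHA1, using the SKEYID/HASH_I/HASH_R formulas of RFC 2409. It models the two things a practitioner wants to see at this point: with a mismatched PSK the initiator rejects HASH_R and never sends message 3, so the responder sits in HASH_WAIT; and because message 2 carries HASH_R in the clear, anyone who captured the exchange can test PSK guesses offline, which is the standard caveat against aggressive mode with PSK. The cookies, nonces, DH public values, SA payload body and the responder state names are constructed stand-ins; the hash computation only needs their bytes, not real Diffie-Hellman arithmetic.

```python
"""IKEv1 aggressive mode (PSK + SHA1) phase 1: HASH_WAIT and offline cracking.

Added example, not from the original post.  Formulas follow RFC 2409:
  SKEYID = prf(psk, Ni_b | Nr_b)
  HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
  HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
with prf = HMAC-SHA1.  All wire values below are constructed stand-ins.
"""
import hashlib
import hmac
import struct

ID_FQDN = 2  # RFC 2407 identification type for a fully qualified domain name


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for hash algorithm SHA1 is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def id_body(id_type: int, data: bytes) -> bytes:
    """ID payload body: type (1), protocol id (1), port (2), identity data."""
    return struct.pack("!BBH", id_type, 0, 0) + data


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication."""
    return prf(psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def _fixed(label: str, n: int) -> bytes:
    """Deterministic stand-in bytes (constructed) so runs are reproducible."""
    return hashlib.sha256(label.encode()).digest()[:n]


# Constructed values for one exchange; in reality all of these are on the wire.
CAPTURE = {
    "cky_i": _fixed("cookie-i", 8),
    "cky_r": _fixed("cookie-r", 8),
    "ni": _fixed("nonce-i", 16),
    "nr": _fixed("nonce-r", 16),
    "gxi": _fixed("dh-public-i", 128),  # stand-in for g^xi (group 2 is 1024-bit)
    "gxr": _fixed("dh-public-r", 128),  # stand-in for g^xr
    "sai_b": bytes.fromhex("00000001000000010000002801010000"),  # stand-in SA body
    "idii": id_body(ID_FQDN, b"fvs_remote"),  # road-warrior identity from the post
    "idir": id_body(ID_FQDN, b"fvs_local"),   # router identity from the post
}


def aggressive_mode(initiator_psk: bytes, responder_psk: bytes, c=CAPTURE):
    """Run the three aggressive-mode messages; return (responder_state, HASH_R).

    Msg 1 (I->R): SA, KE, Ni, IDii          (clear)
    Msg 2 (R->I): SA, KE, Nr, IDir, HASH_R  (clear)
    Msg 3 (I->R): HASH_I                    (only if the initiator accepted msg 2)
    State names are illustrative stand-ins for whatever the gateway logs.
    """
    args = (c["gxi"], c["gxr"], c["cky_i"], c["cky_r"], c["sai_b"])
    # Responder builds message 2 with its own PSK, then waits for HASH_I.
    sk_r = skeyid_psk(responder_psk, c["ni"], c["nr"])
    h_r = hash_r(sk_r, *args, c["idir"])
    responder_state = "HASH_WAIT"

    # Initiator verifies HASH_R with *its* PSK; on mismatch it drops msg 2
    # and message 3 is never sent, so the responder stays in HASH_WAIT.
    sk_i = skeyid_psk(initiator_psk, c["ni"], c["nr"])
    if not hmac.compare_digest(hash_r(sk_i, *args, c["idir"]), h_r):
        return responder_state, h_r

    # Message 3: responder checks HASH_I with its own SKEYID.
    h_i = hash_i(sk_i, *args, c["idii"])
    if hmac.compare_digest(h_i, hash_i(sk_r, *args, c["idii"])):
        responder_state = "ESTABLISHED"
    return responder_state, h_r


def crack_psk(candidates, observed_hash_r: bytes, c=CAPTURE):
    """Offline PSK recovery from a passively captured aggressive-mode msg 2."""
    args = (c["gxi"], c["gxr"], c["cky_i"], c["cky_r"], c["sai_b"])
    for guess in candidates:
        sk = skeyid_psk(guess, c["ni"], c["nr"])
        if hmac.compare_digest(hash_r(sk, *args, c["idir"]), observed_hash_r):
            return guess
    return None


if __name__ == "__main__":
    print("same PSK     ->", aggressive_mode(b"s3cret", b"s3cret")[0])
    state, captured = aggressive_mode(b"wrong", b"s3cret")
    print("wrong PSK    ->", state)
    print("offline crack->", crack_psk([b"password", b"s3cret", b"letmein"], captured))
```

The `crack_psk` function is why aggressive mode with a pre-shared key is only as strong as the key's resistance to a dictionary attack: everything it needs is visible to a passive observer of messages 1 and 2, so a gateway that answers aggressive-mode requests from "any" remote IP should use a long random PSK (or certificates, or main mode where the client supports it).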