[Vpn-help] VPN Client 2.1.5 Release Now Available ...

Matthew Grooms mgrooms at shrew.net
Sun Dec 6 19:15:04 CST 2009


Bruijne, Mark de wrote:
> Hi Matthew and listmembers,
> 
> I just installed the 2.1.5 and 2.1.6 beta-1 releases, but I still
> have the problem that my connection is killed after a couple of
> seconds. (imported Cisco .pcf) The last weeks a couple of other
> people also complained about that specific issue. Although I don't
> know for sure that I am also connecting with a Cisco 3000
> concentrator, I think it's the same issue.
> 
> Can you tell me if this should be fixed with the latest releases or
> this still is an open issue? If I do have to adjust settings or
> something, please help me out.
> 
> bringing up tunnel ...
> network device configured
> tunnel enabled
> session terminated by gateway
> tunnel disabled
> detached from key daemon ...
> 
> I also have another profile that isn't working because of an
> authentication-error. In the .pcf I see a 'NTDomain=nl' configured.
> Do you happen to know if this is ignored by Shrew when importing the
> .pcf? I'm sure that I'm using the correct credentials, but am still
> receiving the authentication-error. I tried to use NL\username, but
> that isn't working as well. I don't know the hardware I'm connecting
> with....
> 
> Thanks in advance,
> Mark de Bruijne
> Netherlands
> 

Hi Mark,

We are shooting for 100% Cisco compatibility but there still appear to 
be a few problems to resolve. One known issue is with IOS based devices. 
I'm beginning to think that versions of the 3000 concentrator may also 
be affected ...

http://lists.shrew.net/mailman/htdig/vpn-help/2009-October/002286.html

When the Shrew Soft VPN client reports a connection successful but then 
disconnects a few seconds later, you will generally see a message from 
the gateway saying NO-PROPOSAL-CHOSEN followed by another asking it to 
delete its ISAKMP SA. This is essentially a disconnection from the user 
perspective. This occurs because the client was unable to negotiate an 
IPSec SA in a timely fashion. Most commonly, this means there is a 
configuration issue either with the phase2 proposal or an ID mismatch ( 
SRC -> DST Address/Network ). To identify this, have a look at the debug 
level log output in the VPN Trace application ...

http://www.shrew.net/support/wiki/BugReportVpnWindows

However, the problem I mentioned previously that affects Shrew Soft 
w/ Cisco IOS routers is actually due to a fundamental difference in how 
they negotiate IPsec SAs. The only solution for this will be for the 
Shrew Soft client to modify its behavior to match what the Cisco device 
expects. I will do my best to add this support for the 2.1.6 release but 
our main focus is to get certified/signed kernel drivers. That work will 
take priority over all other changes.

As for the NTDomain issue, unfortunately I don't have an answer for you. 
It would appear others are successfully using the same 'Domain\Account' 
method. I'm not sure how your gateway configuration differs to prevent 
this from being an option.

-Matthew
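
The failure sequence described in the reply above (a NO-PROPOSAL-CHOSEN notify followed by a delete for the ISAKMP SA) can be recognised from the decrypted payloads of the gateway's informational messages. This is an added example, not part of the original post and not Shrew Soft code; it follows the RFC 2408 payload layouts, and the function names, verdict strings and sample bytes are constructed for illustration.

```python
import struct

# ISAKMP payload types and notify code from RFC 2408.
HASH, NOTIFY, DELETE = 8, 11, 12
NO_PROPOSAL_CHOSEN = 14
PROTO_ISAKMP = 1

def parse_payloads(first_type, data):
    """Walk a chain of already-decrypted ISAKMP payloads, yielding (type, body)."""
    ptype, off = first_type, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated generic payload header")
        next_type, _reserved, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("payload length out of bounds")
        yield ptype, data[off + 4:off + length]
        ptype, off = next_type, off + length

def diagnose(messages):
    """messages: (first payload type, payload bytes) per informational exchange."""
    rejected = False
    for first_type, data in messages:
        for ptype, body in parse_payloads(first_type, data):
            if ptype not in (NOTIFY, DELETE) or len(body) < 8:
                continue
            # Both bodies start: DOI(4) protocol-id(1) SPI-size(1), then a 16-bit
            # field (notify message type for NOTIFY, number of SPIs for DELETE).
            _doi, proto, _spi_size, field = struct.unpack_from("!IBBH", body)
            if ptype == NOTIFY and field == NO_PROPOSAL_CHOSEN:
                rejected = True
            elif ptype == DELETE and proto == PROTO_ISAKMP and rejected:
                return "phase2-rejected-then-isakmp-sa-deleted"
    return "phase2-rejected" if rejected else "pattern-absent"

def payload(next_type, body):
    """Build one payload with its 4-byte generic header (sample data only)."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

# Constructed sample data, not captured from a real gateway.
digest = bytes(20)  # placeholder HASH payload contents
notify = payload(NOTIFY, digest) + payload(
    0, struct.pack("!IBBH", 1, 3, 0, NO_PROPOSAL_CHOSEN))
delete = payload(DELETE, digest) + payload(
    0, struct.pack("!IBBH", 1, PROTO_ISAKMP, 16, 1) + bytes(range(16)))
SAMPLE = [(HASH, notify), (HASH, delete)]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A verdict of `phase2-rejected-then-isakmp-sa-deleted` corresponds to the case where the phase2 proposal or the SRC -> DST IDs should be compared against the gateway configuration.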
