[Vpn-help] Shrew on Windows, to dynamic ZyWall : my id problem

Lukasz Sokol el.es.cr at googlemail.com
Tue Dec 8 04:45:21 CST 2009


Shrew config and log created by trace (informational level) are attached at the end of this message.

Lukasz Sokol wrote:
> Hi vpn-help,
> 
> My ZyWall 5 gateway shows this in logs when I try to configure a tunnel with Shrew:
> 
> 11	2009-11-25 15:25:03 	[ID] : Rule [Office-Tunnel-Network-Policy] Verifying Remote ID failed: 
> 9	2009-11-25 15:25:03 	Recv ID: SINGLE, [10.0.2.1]-[10.0.2.1] 	
> 7	2009-11-25 15:25:03 	vs. My Remote [0.0.0.0]-[0.0.0.0] 	
> 
> Phase 1 is configured aggressive, with email identifiers and XAUTH and PSK. (when I get it working I will
> go to certificate-based encryption anyway).
> (Btw, why are the email-based identifiers for phase1 only allowed in aggressive mode? I.e. main mode
> requires me to put an IP as both remote and local ID on Shrew, whereas the ZyWALL does not).
> 
> Unfortunately, My Remote ID needs to remain 0.0.0.0 on the ZyWall, because it won't allow me to set it.
> 
> The ZyWall won't allow me to set it, because its gateway IP is set to 0.0.0.0, effectively making it
> 'dynamic' as per the ZyWall way of naming things.
> 
> The ZyWall needs to be dynamic, because it gets a different WAN IP every time it re-connects to our ISP
> (I consider this a feature).
> 
> (It is a bit more complex than that: we have an incoming DSL connection, with PPPoA, connected to a
> ZyXEL P660RU modem, which actually gets the WAN IP (which is assigned by DHCP, so it expires sometimes),
> then all ports from WAN are redirected to the ZyWALL 5 WAN. The bad bit of this is that the ZyWall 5 has no
> way of knowing what its actual WAN IP is, because its WAN sits on the modem's LAN, e.g. 192.168.0.X, and it has its
> own LAN of 192.168.1.X)
> 
> And the remote side (Shrew Local Host setting) needs to be on a virtual adapter with an assigned address,
> because the ZyWall does not support any automatic way of configuring things.
> 
> What I want to achieve is to give the people who connect via the tunnel access to the local network (on the
> 192.168.1.X subnet - the ZyWALL's LAN) (and just one host is all I really need).
> 
> Is there something I can do to make the above sane and manageable? (and safe too?)
> 
> Will it be a good idea to have the ZyWALL set to 192.168.0.X as gateway IP, so as to make
> Phase2 recognize it is not Dynamic?
> 
> Also I could obtain some DynDNS account and use it for this purpose - this would be the easiest thing to do
> actually - but I didn't really want to do it... being a honeypot is no fun.
> 
> I have read the Shrew support page on ZyWALL 5 and used some google-fu to find
> http://www.dslreports.com/forum/r22711771-Free-windows-VPN-client-for-ZyWall5
> http://www.dslreports.com/forum/r22994160-Zyxel-Zywall-5-PPTP-VPN-how-to
> 
> which helped me to get through Phase1.
> 
> I do not hesitate to read, so google keywords, pointers and hints are welcome and appreciated.
> (I don't expect anybody to fix my problems :) )
> 
> Thanks in advance,
> 
> Lukasz
> 
> 
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
> 

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:0
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
n:client-addr-auto:0
s:network-host:WW.XX.YY.ZZ
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:10.0.2.1
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
s:ident-server-type:ufqdn
s:ident-client-data:XXXXXXXXXXXXXXXXXXXXXX
s:ident-server-data:YYYYYYYYYYYYYYYYYYYYYY
b:auth-mutual-psk:ZZZZZZZZZZZZZZZZZZZZZZZZZ
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1


09/12/08 10:37:59 ## : IKE Daemon, ver 2.1.4
09/12/08 10:37:59 ## : Copyright 2008 Shrew Soft Inc.
09/12/08 10:37:59 ## : This product linked OpenSSL 0.9.8h 28 May 2008
09/12/08 10:37:59 ii : opened 'D:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
09/12/08 10:37:59 ii : rebuilding vnet device list ...
09/12/08 10:38:00 ii : device ROOT\VNET\0000 disabled
09/12/08 10:38:00 ii : network process thread begin ...
09/12/08 10:38:00 ii : pfkey process thread begin ...
09/12/08 10:38:00 ii : ipc server process thread begin ...
09/12/08 10:38:09 ii : ipc client process thread begin ...
09/12/08 10:38:09 <A : peer config add message
09/12/08 10:38:09 <A : proposal config message
09/12/08 10:38:09 <A : proposal config message
09/12/08 10:38:09 <A : client config message
09/12/08 10:38:09 <A : xauth username message
09/12/08 10:38:09 <A : xauth password message
09/12/08 10:38:09 <A : local id 'remote-access at skyconway.com' message
09/12/08 10:38:09 <A : remote id 'gateway at skyconway.com' message
09/12/08 10:38:09 <A : preshared key message
09/12/08 10:38:09 <A : peer tunnel enable message
09/12/08 10:38:09 ii : local supports XAUTH
09/12/08 10:38:09 ii : local supports nat-t ( draft v00 )
09/12/08 10:38:09 ii : local supports nat-t ( draft v01 )
09/12/08 10:38:09 ii : local supports nat-t ( draft v02 )
09/12/08 10:38:09 ii : local supports nat-t ( draft v03 )
09/12/08 10:38:09 ii : local supports nat-t ( rfc )
09/12/08 10:38:09 ii : local supports FRAGMENTATION
09/12/08 10:38:09 ii : local supports DPDv1
09/12/08 10:38:09 ii : local is SHREW SOFT compatible
09/12/08 10:38:09 ii : local is NETSCREEN compatible
09/12/08 10:38:09 ii : local is SIDEWINDER compatible
09/12/08 10:38:09 ii : local is CISCO UNITY compatible
09/12/08 10:38:09 >= : cookies bcdcde55b5174d68:0000000000000000
09/12/08 10:38:09 >= : message 00000000
09/12/08 10:38:10 ii : processing phase1 packet ( 413 bytes )
09/12/08 10:38:10 =< : cookies bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:10 =< : message 00000000
09/12/08 10:38:10 ii : matched isakmp proposal #1 transform #1
09/12/08 10:38:10 ii : - transform    = ike
09/12/08 10:38:10 ii : - cipher type  = 3des
09/12/08 10:38:10 ii : - key length   = default
09/12/08 10:38:10 ii : - hash type    = md5
09/12/08 10:38:10 ii : - dh group     = modp-1024
09/12/08 10:38:10 ii : - auth type    = xauth-initiator-psk
09/12/08 10:38:10 ii : - life seconds = 86400
09/12/08 10:38:10 ii : - life kbytes  = 0
09/12/08 10:38:10 ii : phase1 id match 
09/12/08 10:38:10 ii : received = user-fqdn gateway at skyconway.com
09/12/08 10:38:10 ii : peer supports nat-t ( rfc )
09/12/08 10:38:10 ii : peer supports nat-t ( draft v00 )
09/12/08 10:38:10 ii : peer supports DPDv1
09/12/08 10:38:10 ii : peer is ZYWALL compatible
09/12/08 10:38:10 ii : nat discovery - local address is translated
09/12/08 10:38:10 ii : nat discovery - remote address is translated
09/12/08 10:38:10 ii : switching to nat-t udp port 4500
09/12/08 10:38:10 >= : cookies bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:10 >= : message 00000000
09/12/08 10:38:10 ii : phase1 sa established
09/12/08 10:38:10 ii : WW.XX.YY.ZZ:4500 <-> 192.168.1.33:4500
09/12/08 10:38:10 ii : bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:10 ii : sending peer INITIAL-CONTACT notification
09/12/08 10:38:10 ii : - 192.168.1.33:4500 -> WW.XX.YY.ZZ:4500
09/12/08 10:38:10 ii : - isakmp spi = bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:10 ii : - data size 0
09/12/08 10:38:10 >= : cookies bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:10 >= : message 002f7454
09/12/08 10:38:10 ii : processing config packet ( 68 bytes )
09/12/08 10:38:10 =< : cookies bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:10 =< : message 8d3ed5b1
09/12/08 10:38:10 ii : received xauth request - 
09/12/08 10:38:10 ii : added standard xauth username attribute
09/12/08 10:38:10 ii : added standard xauth password attribute
09/12/08 10:38:10 ii : sending xauth response for vagabond
09/12/08 10:38:10 >= : cookies bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:10 >= : message 8d3ed5b1
09/12/08 10:38:11 ii : processing config packet ( 60 bytes )
09/12/08 10:38:11 =< : cookies bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:11 =< : message 8d3ed5b1
09/12/08 10:38:11 ii : received xauth result - 
09/12/08 10:38:11 ii : user vagabond authentication succeeded
09/12/08 10:38:11 ii : sending xauth acknowledge
09/12/08 10:38:11 >= : cookies bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:11 >= : message 8d3ed5b1
09/12/08 10:38:11 ii : configuration method is manual
09/12/08 10:38:14 ii : creating NONE INBOUND policy ANY:WW.XX.YY.ZZ:* -> ANY:192.168.1.33:*
09/12/08 10:38:14 ii : creating NONE OUTBOUND policy ANY:192.168.1.33:* -> ANY:WW.XX.YY.ZZ:*
09/12/08 10:38:14 ii : created NONE policy route for WW.XX.YY.ZZ/32
09/12/08 10:38:14 ii : creating IPSEC INBOUND policy ANY:0.0.0.0/0:* -> ANY:10.0.2.1:*
09/12/08 10:38:14 ii : creating IPSEC OUTBOUND policy ANY:10.0.2.1:* -> ANY:0.0.0.0/0:*
09/12/08 10:38:15 ii : created IPSEC policy route for 0.0.0.0
09/12/08 10:38:15 ii : split DNS is disabled
09/12/08 10:38:18 >= : cookies bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:18 >= : message d8135386
09/12/08 10:38:18 ii : processing informational packet ( 76 bytes )
09/12/08 10:38:18 =< : cookies bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:18 =< : message cd5be120
09/12/08 10:38:18 ii : received peer INVALID-ID-INFORMATION notification
09/12/08 10:38:18 ii : - WW.XX.YY.ZZ:4500 -> 192.168.1.33:4500
09/12/08 10:38:18 ii : - isakmp spi = bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:18 ii : - data size 0
09/12/08 10:38:18 ii : processing informational packet ( 76 bytes )
09/12/08 10:38:18 =< : cookies bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:18 =< : message 227fec18
09/12/08 10:38:18 ii : received peer DELETE message
09/12/08 10:38:18 ii : - WW.XX.YY.ZZ:4500 -> 192.168.1.33:4500
09/12/08 10:38:18 ii : - isakmp spi = bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:18 ii : cleanup, marked phase1 bcdcde55b5174d68:779a3f6a377a4a68 for removal
09/12/08 10:38:18 ii : phase1 removal before expire time
09/12/08 10:38:18 ww : ike packet from WW.XX.YY.ZZ ignored, unknown phase1 sa for peer
09/12/08 10:38:18 ww : bcdcde55b5174d68:779a3f6a377a4a68
09/12/08 10:38:18 ii : removing IPSEC INBOUND policy ANY:0.0.0.0/0:* -> ANY:10.0.2.1:*
09/12/08 10:38:18 ii : removing IPSEC OUTBOUND policy ANY:10.0.2.1:* -> ANY:0.0.0.0/0:*
09/12/08 10:38:18 ii : removed IPSEC policy route for ANY:0.0.0.0/0:*
09/12/08 10:38:18 ii : removing NONE INBOUND policy ANY:WW.XX.YY.ZZ:* -> ANY:192.168.1.33:*
09/12/08 10:38:18 ii : removing NONE OUTBOUND policy ANY:192.168.1.33:* -> ANY:WW.XX.YY.ZZ:*
09/12/08 10:38:18 ii : removed NONE policy route for ANY:WW.XX.YY.ZZ:*
09/12/08 10:38:19 DB : removing tunnel config references
09/12/08 10:38:19 DB : removing tunnel phase2 references
09/12/08 10:38:19 ii : phase2 removal before expire time
09/12/08 10:38:19 DB : removing tunnel phase1 references
09/12/08 10:38:19 DB : removing all peer tunnel refrences
09/12/08 10:38:19 ii : ipc client process thread exit ...
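As an added example (my own script, not part of the original message and not Shrew Soft's code), a small Python diagnostic that parses the `type:key:value` profile format and the iked.log lines above, replays the log in order and reports where the negotiation stopped, together with the phase 2 identity the client offers from its virtual adapter address. The embedded profile and log lines are copied from this message; the verdict strings and field names are the example's own assumptions.

```python
import re

# Constructed excerpt: these lines are copied from the Shrew profile and iked.log
# quoted above; the remaining log lines are omitted to keep the sample short.
PROFILE = """s:client-iface:virtual
s:client-ip-addr:10.0.2.1
s:client-ip-mask:255.255.255.0
n:policy-list-auto:1
"""
IKED_LOG = """09/12/08 10:38:10 ii : phase1 sa established
09/12/08 10:38:11 ii : user vagabond authentication succeeded
09/12/08 10:38:14 ii : creating IPSEC OUTBOUND policy ANY:10.0.2.1:* -> ANY:0.0.0.0/0:*
09/12/08 10:38:18 ii : received peer INVALID-ID-INFORMATION notification
09/12/08 10:38:18 ii : received peer DELETE message
"""
LOG_RE = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d (\S+) : (.*)$")

def parse_profile(text):
    """Shrew profile lines are '<type>:<key>:<value>'; 'n:' values are numbers."""
    cfg = {}
    for line in filter(str.strip, text.splitlines()):
        kind, key, value = line.split(":", 2)
        cfg[key] = int(value) if kind == "n" else value
    return cfg

def diagnose(profile_text, log_text):
    """Replay the log in order and report how far the negotiation got."""
    cfg = parse_profile(profile_text)
    seen = {"phase1": False, "xauth": False, "policy": None, "id_rejected": False}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        msg = m.group(2)
        if msg == "phase1 sa established":
            seen["phase1"] = True
        elif msg.endswith("authentication succeeded"):
            seen["xauth"] = True
        elif msg.startswith("creating IPSEC OUTBOUND policy "):
            seen["policy"] = msg.split("policy ", 1)[1]
        elif "INVALID-ID-INFORMATION" in msg:
            seen["id_rejected"] = True
    # With a virtual adapter the phase 2 source identity is the adapter address
    # (see the OUTBOUND policy line), which is the value the gateway logged as Recv ID.
    seen["offered_id"] = cfg["client-ip-addr"] if cfg.get("client-iface") == "virtual" else None
    seen["verdict"] = ("phase2 identity rejected by peer" if seen["phase1"] and seen["id_rejected"]
                       else "phase1 ok" if seen["phase1"] else "phase1 failed")
    return seen
```

Running `diagnose(PROFILE, IKED_LOG)` on the excerpt reports phase 1 and XAUTH complete, the offered identity 10.0.2.1, and the peer's INVALID-ID-INFORMATION rejection, which matches the "Recv ID: SINGLE, [10.0.2.1]" line in the ZyWall log quoted above.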