[Vpn-help] Shrew on Windows, to dynamic ZyWall : my id problem

Matthew Grooms mgrooms at shrew.net
Thu Dec 10 02:51:42 CST 2009


Lukasz Sokol wrote:
> Shrew config and log created by trace (informational level) attached to the end of file.
> 
> Lukasz Sokol wrote:
>> Hi vpn-help,
>>
>> My ZyWall 5 gateway shows this in logs when I try to configure a tunnel with Shrew:
>>
>> 11	2009-11-25 15:25:03 	[ID] : Rule [Office-Tunnel-Network-Policy] Verifying Remote ID failed: 
>> 9	2009-11-25 15:25:03 	Recv ID: SINGLE, [10.0.2.1]-[10.0.2.1] 	
>> 7	2009-11-25 15:25:03 	vs. My Remote [0.0.0.0]-[0.0.0.0] 	
>>
>> Phase 1 is configured aggressive, with email identifiers and XAUTH and PSK. (When I get it working I will
>> go to certificate-based encryption anyway.)
>> (Btw, why are email-based identifiers for phase 1 only allowed in aggressive mode? I.e. main mode
>> requires me to put an IP as both remote and local ID on Shrew, whereas the ZyWALL does not.)
>>
>> Unfortunately, My Remote ID needs to remain 0.0.0.0 on the ZyWall, because it won't allow me to set it.
>>
>> The ZyWall won't allow me to set it, because its gateway IP is set to 0.0.0.0, effectively making it
>> 'dynamic' as per the ZyWall way of naming things.
>>
>> The ZyWall needs to be dynamic, because it gets a different WAN IP every time it re-connects to our ISP
>> (I consider this a feature).
>>

I think you're confusing the phase1 IDs with the phase2 network IDs. The 
Shrew Soft client is trying to negotiate 10.0.2.1 -> ANY during phase2 
because you don't have a remote include network in your policy tab. When 
the client connects, it tries to establish a 10.0.2.1/32 -> 0.0.0.0/0 
IPsec SA and your Zywall is rejecting it.

>> (It is a bit more complex than that: we have an incoming DSL connection, with PPPoA, connected to a 
>> ZyXEL P660RU modem, which actually gets the WAN IP (which is assigned by DHCP, so it expires sometimes),
>> then all ports from WAN are redirected to the ZyWALL 5 WAN. The bad bit of this is that the ZyWall 5 has no 
>> way of knowing what its actual WAN IP is, because its WAN sits on the modem's LAN, e.g. 192.168.0.X, and has its 
>> own LAN of 192.168.1.X.)
>>
>> And the remote side (Shrew Local Host setting) needs to be on virtual adapter and assigned address, 
>> because the ZyWall does not support any automatic way of configuring things.
>>
>> What I want to achieve is to give the people who connect via tunnel access to the local network (on the 
>> 192.168.1.X subnet - the ZyWALL's LAN) (and just one host is all I really need).
>>

I really think all the information you need is in the Zywall document on 
our web site. Pay close attention to the "Add a Network Policy" section. 
Set your "Local Network" to match the subnet behind your Zywall 
and set "Remote Network" to Single Address / 0.0.0.0 / 0.0.0.0. You also 
need to make sure the Shrew Soft client has the Zywall "Local Network" as 
an include network entry under the policy tab.

http://www.shrew.net/support/wiki/HowtoZywall

-Matthew
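To make the phase 2 mismatch in this thread concrete, here is an added Python model (not code from Shrew Soft or ZyXEL) of how a gateway compares the selectors a road-warrior client proposes against its network policy. The addresses are the ones from the thread; the comparison rules, the meaning of "Single Address / 0.0.0.0" as a wildcard for any single client address, and the "one proposal per include entry" behaviour are assumptions made for illustration. It shows that with no include network the client offers 0.0.0.0/0 for the gateway's side and is rejected, and that adding the gateway's LAN as an include network makes the selectors line up.

```python
"""Model of an IKEv1 phase 2 (quick mode) selector check between a road-warrior
client and a gateway. Constructed example: addresses come from the thread, the
matching rules are an assumption about a ZyWALL-style policy check, not vendor code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """One contiguous IPv4 range; single host, subnet and range IDs all reduce to this."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    @classmethod
    def parse(cls, text: str) -> "Selector":
        """Accept '10.0.2.1', '192.168.1.0/24' or '192.168.1.10-192.168.1.20'."""
        if "-" in text:
            lo, hi = text.split("-", 1)
            return cls(ipaddress.IPv4Address(lo.strip()), ipaddress.IPv4Address(hi.strip()))
        net = ipaddress.IPv4Network(text, strict=False)
        return cls(net[0], net[-1])

    @property
    def kind(self) -> str:
        return "SINGLE" if self.first == self.last else "RANGE"

    def __str__(self) -> str:
        # Same shape as the gateway log lines quoted in the thread.
        return f"{self.kind}, [{self.first}]-[{self.last}]"


# Assumption: "Single Address / 0.0.0.0" on the gateway accepts any single client address.
ANY_SINGLE = Selector.parse("0.0.0.0")


@dataclass(frozen=True)
class NetworkPolicy:
    """The gateway's 'Add a Network Policy' entry, seen from the gateway's side."""
    local: Selector    # subnet behind the gateway
    remote: Selector   # the peer's side; ANY_SINGLE accepts any single client address


def client_proposal(local_host: str, include_networks: list[str]) -> list[tuple[Selector, Selector]]:
    """Selectors the client proposes, as (client_local, client_remote) pairs.

    With no include network the client asks for everything (0.0.0.0/0), which is the
    situation the reply describes. Assumption: one quick-mode proposal per include entry.
    """
    src = Selector.parse(local_host)
    remotes = include_networks or ["0.0.0.0/0"]
    return [(src, Selector.parse(r)) for r in remotes]


def gateway_check(policy: NetworkPolicy, client_local: Selector, client_remote: Selector) -> tuple[bool, str]:
    """Compare one proposal against the policy; the client's remote is the gateway's local and vice versa.

    Assumed rules: the gateway's local side must match exactly; the remote side must match
    exactly unless the policy says ANY_SINGLE, which accepts any single address.
    """
    if client_remote != policy.local:
        return False, f"Verifying Local ID failed: Recv ID: {client_remote} vs. My Local {policy.local}"
    remote_ok = client_local == policy.remote or (
        policy.remote == ANY_SINGLE and client_local.kind == "SINGLE")
    if not remote_ok:
        return False, f"Verifying Remote ID failed: Recv ID: {client_local} vs. My Remote {policy.remote}"
    return True, "IPsec SA selectors accepted"


def negotiate(policy: NetworkPolicy, local_host: str, include_networks: list[str]) -> list[tuple[bool, str]]:
    """Run every proposal the client would make through the gateway check."""
    return [gateway_check(policy, cl, cr) for cl, cr in client_proposal(local_host, include_networks)]


if __name__ == "__main__":
    # Policy as recommended in the reply: Local Network = LAN behind the ZyWALL,
    # Remote Network = Single Address 0.0.0.0 (any single client address).
    policy = NetworkPolicy(local=Selector.parse("192.168.1.0/24"), remote=ANY_SINGLE)
    for includes in ([], ["192.168.1.0/24"]):
        for ok, msg in negotiate(policy, "10.0.2.1", includes):
            label = str(includes) if includes else "none"
            print(f"include={label:<20} -> {'OK    ' if ok else 'REJECT'} {msg}")
```

Running it prints a rejection for the empty include list (the client's 0.0.0.0/0 does not match the gateway's 192.168.1.0/24 local network) and an acceptance once 192.168.1.0/24 is listed as an include network; pinning the policy's remote to a specific single address other than the client's virtual adapter address is rejected on the remote side instead.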