[Vpn-help] Shrew on Windows, to dynamic ZyWall : my id problem
Matthew Grooms
mgrooms at shrew.net
Thu Dec 10 02:51:42 CST 2009
Lukasz Sokol wrote:
> Shrew config and log created by trace (informational level) attached to the end of file.
>
> Lukasz Sokol wrote:
>> Hi vpn-help,
>>
>> My ZyWall 5 gateway shows this in logs when I try to configure a tunnel with Shrew:
>>
>> 11 2009-11-25 15:25:03 [ID] : Rule [Office-Tunnel-Network-Policy] Verifying Remote ID failed:
>> 9 2009-11-25 15:25:03 Recv ID: SINGLE, [10.0.2.1]-[10.0.2.1]
>> 7 2009-11-25 15:25:03 vs. My Remote [0.0.0.0]-[0.0.0.0]
>>
>> Phase 1 is configured aggressive, with email identifiers and XAUTH and PSK. (when I get it working I will
>> go to certificate-based encryption anyway).
>> (Btw, why are the email-based identifiers for phase 1 only allowed in aggressive mode? I.e. main mode
>> requires me to put an IP as both remote and local ID on Shrew, whereas the ZyWALL does not).
>>
>> Unfortunately, My Remote ID needs to remain 0.0.0.0 on the ZyWall, because it won't allow me to set it.
>>
>> The ZyWall won't allow me to set it, because its gateway IP is set to 0.0.0.0, effectively making it
>> 'dynamic' as per the ZyWall way of naming things.
>>
>> The ZyWall needs to be dynamic, because it gets a different WAN IP every time it re-connects to our ISP
>> (I consider this a feature).
>>
I think you're confusing the phase1 IDs with the phase2 network IDs. The
Shrew Soft client is trying to negotiate 10.0.2.1 -> ANY during phase2
because you don't have a remote include network in your policy tab. When
the client connects, it tries to establish a 10.0.2.1/32 -> 0.0.0.0/0
IPsec SA and your Zywall is rejecting it.
>> (It is a bit more complex than that: we have an incoming DSL connection, with PPPoA, connected to a
>> ZyXEL P660RU modem, which actually gets the WAN IP (which is assigned by DHCP, so it expires sometimes),
>> then all ports from WAN are redirected to the ZyWALL 5 WAN. The bad bit of this is that the ZyWall 5 has no
>> way of knowing what its actual WAN IP is, because its WAN sits on the modem's LAN, e.g. 192.168.0.X, and has its
>> own LAN of 192.168.1.X)
>>
>> And the remote side (Shrew Local Host setting) needs to be on virtual adapter and assigned address,
>> because the ZyWall does not support any automatic way of configuring things.
>>
>> What I want to achieve is to give the people who connect via tunnel access to the local network (on the
>> 192.168.1.X subnet - the ZyWALL's LAN) (and just one host is all I really need).
>>
I really think all the information you need is in the Zywall document on
our web site. Pay close attention to the "Add a Network Policy" section.
Your "Local Network" needs to match the subnet behind your Zywall
and set "Remote Network" to Single Address / 0.0.0.0 / 0.0.0.0. You also
need to make sure the Shrew Soft client has the Zywall "Local Network" as
an include network entry under the policy tab.
http://www.shrew.net/support/wiki/HowtoZywall
-Matthew
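To make the phase2 point above concrete, here is an added example (not code from the thread, from Shrew Soft, or from ZyXEL) that models the quick-mode selector check a responder performs. It is a simplified model, not ZyWall firmware logic: the assumptions are that the client's remote selector must equal the gateway's "Local Network", that the gateway's "Single Address / 0.0.0.0 / 0.0.0.0" remote setting accepts any single dynamic host, and that the ZyWall prints phase2 IDs as the "[a]-[b]" ranges seen in the log lines quoted in the thread. The addresses 192.168.1.0/24 (the ZyWall LAN) and 10.0.2.1 (the Shrew virtual adapter) come from the thread; 10.10.0.0/16 is a constructed extra include network.

```python
"""Simplified IKEv1 quick-mode selector matching (constructed example).

Models why a Shrew Soft client with no remote include network proposes
10.0.2.1/32 -> 0.0.0.0/0 and is rejected, and why adding the gateway's
LAN as an include network fixes it. Not ZyWall or Shrew Soft code.
"""
import re
from ipaddress import IPv4Address, IPv4Network, summarize_address_range

ANY = IPv4Network("0.0.0.0/0")
# Assumption: the ZyWall policy "Remote Network = Single Address / 0.0.0.0 / 0.0.0.0"
# is modelled as "any single dynamic host".
DYNAMIC_SINGLE = IPv4Network("0.0.0.0/32")

# Matches the "[10.0.2.1]-[10.0.2.1]" ID ranges printed in the ZyWall log.
ID_RANGE = re.compile(r"\[(\d+(?:\.\d+){3})\]-\[(\d+(?:\.\d+){3})\]")


def parse_zywall_id(text):
    """Turn a ZyWall log ID range into the list of networks it spans."""
    m = ID_RANGE.search(text)
    if m is None:
        raise ValueError("no [a]-[b] range in: %r" % text)
    lo, hi = IPv4Address(m.group(1)), IPv4Address(m.group(2))
    return list(summarize_address_range(lo, hi))


def client_selectors(local_host, include_networks):
    """Selectors the client proposes: one IPsec SA per include network.

    With no include network it proposes its own host address to 0.0.0.0/0,
    which is the misconfiguration described in the thread.
    """
    local = IPv4Network(f"{local_host}/32")
    remotes = [IPv4Network(n) for n in include_networks] or [ANY]
    return [(local, remote) for remote in remotes]


def gateway_accepts(policy_local, policy_remote, client_local, client_remote):
    """Responder-side check for one proposed SA.

    The client's remote selector must equal the policy's Local Network, and
    the client's local selector must fit the policy's Remote Network (any
    single host when the policy uses the dynamic 0.0.0.0 setting).
    """
    policy_local = IPv4Network(policy_local)
    policy_remote = IPv4Network(policy_remote)
    if client_remote != policy_local:
        return False
    if policy_remote == DYNAMIC_SINGLE:
        return client_local.prefixlen == 32
    return client_local.subnet_of(policy_remote)


def negotiate(policy_local, policy_remote, local_host, include_networks):
    """Return {(client_local, client_remote): accepted} for every SA the client tries."""
    return {
        (str(local), str(remote)): gateway_accepts(policy_local, policy_remote, local, remote)
        for local, remote in client_selectors(local_host, include_networks)
    }


if __name__ == "__main__":
    # Log line quoted in the thread: the received ID is a single host.
    print(parse_zywall_id("Recv ID: SINGLE, [10.0.2.1]-[10.0.2.1]"))
    # Client with no include network: 10.0.2.1/32 -> 0.0.0.0/0 is rejected.
    print(negotiate("192.168.1.0/24", "0.0.0.0/32", "10.0.2.1", []))
    # Client with the ZyWall LAN as include network: accepted.
    print(negotiate("192.168.1.0/24", "0.0.0.0/32", "10.0.2.1", ["192.168.1.0/24"]))
```

Each include network becomes its own SA proposal, so a client with several include networks can have some SAs accepted and others rejected; only the entries that match a network policy on the gateway will come up.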