[Vpn-help] Windows client 2.1.4, Arkoon & autoconfiguration issues

Eric Masson emss at free.fr
Sat Sep 19 15:59:57 CDT 2009


"Philippe ROSE" <philippe.rose at filopat.net> writes:

Hi,

The box I'm trying to connect to is:
Firewall Arkoon A51
Version 4.1EMB/3

> For arkoon with mutual RSA authentication you have to put
> configuration to use an existing adapter and you have to add network
> addresses to resources in the policy parameters (in my following
> config, 192.168.3.0/24). Here are the relevant parameters of my .vpn
> export file (add your IP addresses and credentials):

I've tested with a configuration based on your settings, but no luck,
phase 2 fails.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: iked-no-virtual.log
Type: application/octet-stream
Size: 6868 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20090919/d9df7c7b/attachment-0002.obj>
-------------- next part --------------

The configuration I was using previously works (cert data removed &
network host scrambled):

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-keylen:128
n:phase1-life-secs:3600
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:128
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:x.y.z.t
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:10.1.1.237
s:client-ip-mask:255.255.255.255
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-list-include:10.1.1.0 / 255.255.255.0
s:auth-client-cert:client-cert.pem
s:auth-client-key:client-key.pem
s:auth-server-cert:CAs-cert.pem

The problem is that the vpn client should get client-ip-addr from the remote
gateway (just like a client such as TheGreenBow does).

If I set up the vpn client to get its address from the remote gateway (dhcp over
ipsec, pull, push), it fails.

Debug information & setup files regarding the configurations are attached in
the following zipfile (cert data removed & network host scrambled):

-------------- next part --------------
A non-text attachment was scrubbed...
Name: shrew-tests-without-pcaps.zip
Type: application/zip
Size: 13251 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20090919/d9df7c7b/attachment-0002.zip>
-------------- next part --------------

@Matthew : I can provide full debug information privately if needed.

Regards

Éric Masson

-- 
 so, if you don't give a damn, you don't read the messages that aren't
 addressed to you; that's the problem with posting on several forums: you
 talk to the butcher, and it's the sausage that answers :-)"
 -+- Sandra in GNU : If six nitwits saw six sausages -+-
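An added example, not part of the mail or of the Shrew Soft client: a small parser for the `.vpn` export format as it appears above (one `n:key:value` or `s:key:value` entry per line) plus a checker that classifies the address-assignment mode the thread is arguing about (fixed address on the virtual adapter, address requested from the gateway, or an existing adapter) and parses the manually configured `policy-list-include` networks. The sample export is constructed from the settings quoted in the mail, with the same placeholders. The meaning of `client-addr-auto:1` and the `client-iface` value used for an existing adapter are not shown in the mail and are assumptions; repeated keys being collected into a list is likewise an assumption about the format, since the mail shows only one `policy-list-include` line.

```python
"""Parse a Shrew Soft-style '.vpn' export and lint its addressing settings.

Added example, not code from the mail or from the Shrew Soft project.
"""
import ipaddress
import re

# Constructed sample: the settings quoted in the mail, with the gateway
# host and certificate file names left as the placeholders the mail used.
SAMPLE_VPN = """\
n:version:2
n:network-ike-port:500
n:network-natt-port:4500
n:client-addr-auto:0
n:phase1-dhgroup:2
n:phase1-keylen:128
n:phase2-pfsgroup:2
n:policy-list-auto:0
s:network-host:x.y.z.t
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:10.1.1.237
s:client-ip-mask:255.255.255.255
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:policy-list-include:10.1.1.0 / 255.255.255.0
s:auth-client-cert:client-cert.pem
s:auth-client-key:client-key.pem
s:auth-server-cert:CAs-cert.pem
"""

# One setting per line: type prefix ('n' numeric or 's' string), key, value.
_ENTRY = re.compile(r"^([ns]):([^:]+):(.*)$")


def parse_vpn(text):
    """Parse an export into {key: value}.

    'n:' values become int, 's:' values stay str. A key that appears more
    than once (assumed possible for policy-list-include) is kept as a list.
    """
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a '<n|s>:key:value' entry: {raw!r}")
        kind, key, value = m.groups()
        value = int(value) if kind == "n" else value
        if key in cfg:
            existing = cfg[key]
            cfg[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            cfg[key] = value
    return cfg


def addressing_mode(cfg):
    """Classify how the client obtains its tunnel address.

    'static-virtual'   : virtual adapter with a fixed client-ip-addr
                         (the configuration the mail reports as working)
    'gateway-assigned' : address requested from the gateway, i.e.
                         client-auto-mode other than 'disabled' or
                         client-addr-auto set (assumed meaning of 1);
                         the mail reports this failing
    'existing-adapter' : no virtual adapter (the setup the quoted reply
                         suggests); the exact client-iface value for it is
                         not in the mail, so any value but 'virtual' is
                         treated that way here
    """
    if cfg.get("client-iface") != "virtual":
        return "existing-adapter"
    if cfg.get("client-auto-mode", "disabled") != "disabled" or cfg.get("client-addr-auto", 0):
        return "gateway-assigned"
    return "static-virtual"


def policy_networks(cfg):
    """Return the manually configured remote networks as IPv4Network objects."""
    raw = cfg.get("policy-list-include", [])
    entries = raw if isinstance(raw, list) else [raw]
    nets = []
    for entry in entries:
        if "/" in entry:
            # Export form is 'address / netmask'; ipaddress accepts a dotted mask.
            addr, mask = (part.strip() for part in entry.split("/", 1))
            nets.append(ipaddress.IPv4Network(f"{addr}/{mask}"))
        else:
            nets.append(ipaddress.IPv4Network(entry.strip()))  # single host
    return nets


def lint(cfg):
    """Return human-readable findings about address and policy settings."""
    mode = addressing_mode(cfg)
    findings = [f"addressing: {mode}"]
    if mode == "static-virtual" and not cfg.get("client-ip-addr"):
        findings.append("virtual adapter with manual addressing but no client-ip-addr")
    nets = policy_networks(cfg)
    if cfg.get("policy-list-auto", 0) == 0 and not nets:
        findings.append("policy-list-auto is 0 but no policy-list-include networks are given")
    findings.extend(f"remote network: {net}" for net in nets)
    return findings


if __name__ == "__main__":
    for finding in lint(parse_vpn(SAMPLE_VPN)):
        print(finding)
```

Running the block on the sample reports `addressing: static-virtual` and one remote network, `10.1.1.0/24`; switching `client-auto-mode` to `pull` or `push` (or setting `client-addr-auto`) flips the classification to `gateway-assigned`, which is the variant the mail reports as failing against this gateway.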