[vpn-help] VPN connects and then disconnects...

Matthew Grooms mgrooms at shrew.net
Mon Jun 28 13:47:42 CDT 2010


On 6/28/2010 1:33 AM, Gilles Gravier wrote:
>   Hi!
>
> I'm trying to connect to my corporate VPN... I imported a PCF file.
> Shrew VPN then tells me that I need a certificate for it. Fine. I get
> the certificate from a Linux VPN installation file. I specify it in my
> Shrew configuration file.
>
> I connect. If I type wrong username/password, I get an error. If I type
> correct username/password, but with the wrong certificate, I get an error.
>
> If I type correct username/password, with the correct certificate
> installed, it connects, then after a few seconds it disconnects.
>

Hi Gilles,

Try installing the 2.1.6 beta which contains a few interoperability 
improvements. If you are using 2.1.6, my guess is that you're connecting
to a 3000 series concentrator or an IOS based appliance. These require
more modifications to the client for interoperability. The explanation 
for this is rather technical, but I'll try to summarize ...

The Shrew Soft implementation generates policies and unique security 
associations for those policies. The Cisco client negotiates policies
and then a single security association for all policies. This works fine 
with newer PIX/ASA firmware but causes issues with concentrators and IOS 
based routers. The problem occurs because the client attempts to 
negotiate an SA using a specific target network value which is typically 
obtained from the gateway during modecfg negotiation. Because the 
gateway expects the client to negotiate an SA using a generic value of 
0.0.0.0/0, it disconnects the client.

If 2.1.6 doesn't work, try adding a single 0.0.0.0/0 include network
(under the policy tab). However, I'll be posting a new 2.1.6 beta in the
next day or two that introduces additional control over how SAs are
negotiated for generated policies. This change is designed to solve the 
problem I just described. Keep an eye on the mailing list for more details.

Thanks,

-Matthew


