[vpn-help] VPN connects and then disconnects...

Gilles Gravier gilles at gravier.org
Wed Jun 30 02:07:39 CDT 2010


 Hi, Matthew!

OK... I've installed 2.1.6b9 ... and when I try to connect, I get a
slightly different behavior : "incorrect message from gateway". :)

It's (some sort of) progress... :)

But you are right... it's a Cisco gateway.

Should I try your "0.0.0.0/0 include network" thing... with the 2.1.6b9?
Or should I try it with the 2.1.5? Or wait for 2.1.6b10?

Thanks,
Gilles.

On 28/06/2010 20:47, Matthew Grooms wrote:
> On 6/28/2010 1:33 AM, Gilles Gravier wrote:
>>   Hi!
>>
>> I'm trying to connect to my corporate VPN... I imported a PCF file.
>> Shrew VPN then tells me that I need a certificate for it. Fine. I get
>> the certificate from a Linux VPN installation file. I specify it in my
>> Shrew configuration file.
>>
>> I connect. If I type wrong username/password, I get an error. If I type
>> correct username/password, but with the wrong certificate, I get an
>> error.
>>
>> If I type correct username/password, with the correct certificate
>> installed, it connects, then after a few seconds it disconnects.
>>
>
> Hi Gilles,
>
> Try installing the 2.1.6 beta which contains a few interoperability
> improvements. If you are using 2.1.6, my guess is that you're connecting
> to a 3000 series concentrator or an IOS based appliance. These require
> more modifications to the client for interoperability. The explanation
> for this is rather technical, but I'll try to summarize ...
>
> The Shrew Soft implementation generates policies and unique security
> associations for those policies. The Cisco client negotiates policies
> and then a single security association for all policies. This works
> fine with newer PIX/ASA firmware but causes issues with concentrators
> and IOS based routers. The problem occurs because the client attempts
> to negotiate an SA using a specific target network value which is
> typically obtained from the gateway during modecfg negotiation.
> Because the gateway expects the client to negotiate an SA using a
> generic value of 0.0.0.0/0, it disconnects the client.
>
> If 2.1.6 doesn't work, try adding a single 0.0.0.0/0 include network (
> under the policy tab ). However, I'll be posting a new 2.1.6 beta in
> the next day or two that introduces additional control over how SAs
> are negotiated for generated policies. This change is designed to
> solve the problem I just described. Keep an eye on the mailing list
> for more details.
>
> Thanks,
>
> -Matthew

-- 
Gilles Gravier = Gilles at Gravier.org <mailto:Gilles at Gravier.org>
ICQ : 77488526 <http://www.icq.com/whitepages/about_me.php?Uin=77488526> || MSN Messenger : Gilles at Gravier.org <http://members.msn.com/Gilles@Gravier.org>
Skype : ggravier <callto://ggravier> || Y! : ggravier <http://profiles.yahoo.com/ggravier> || AOL : gillesgravier <aim:goim?screenname=gillesgravier>
Aka-Aki : ggravier <http://www.aka-aki.com/profiles/view/ggravier> || PGP Key ID : 0x8DE6D026 <http://pgp.mit.edu:11371/pks/lookup?search=0x8DE6D026&op=index>
"Living on Earth is expensive, but it does include a free trip around the sun."
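The quick-mode mismatch Matthew describes in the quoted reply (one SA per generated policy with a specific remote network, versus the single 0.0.0.0/0 SA a concentrator or IOS gateway expects) can be modelled as a small negotiation simulation. The following is an added illustration written for this archive page, not Shrew Soft or Cisco code: the Gateway class, its accepts_specific flag, the proposal and policy helpers, and the sample networks and assigned address are all hypothetical, chosen only to show why per-policy proposals get the session torn down while a single wildcard include keeps it up and still lets every pushed network ride the one SA.

```python
"""Model of the IKE quick-mode (phase 2) selector problem from the thread.

Hypothetical simplification, not the Shrew Soft or Cisco implementation:
a gateway that only accepts a 0.0.0.0/0 remote selector versus a client
that proposes one SA per modecfg-pushed network.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Proposal:
    """One quick-mode proposal: the traffic selectors the client offers."""
    local_id: IPv4Network    # client side, normally the modecfg-assigned /32
    remote_id: IPv4Network   # network behind the gateway this SA should protect


@dataclass
class Gateway:
    """Responder model (assumption). accepts_specific=False behaves like the
    concentrator/IOS case in the thread: only 0.0.0.0/0 is acceptable.
    accepts_specific=True behaves like newer PIX/ASA in the thread: the
    networks it pushed are also acceptable selectors."""
    pushed_networks: list
    accepts_specific: bool = False

    def quick_mode(self, proposal: Proposal) -> bool:
        if proposal.remote_id == ANY:
            return True
        if self.accepts_specific:
            return proposal.remote_id in self.pushed_networks
        return False


def client_proposals(assigned: IPv4Address, pushed_networks, single_wildcard: bool):
    """Build the client's quick-mode proposals from the modecfg results.

    single_wildcard=True is the '0.0.0.0/0 include network' workaround:
    one SA for everything. Otherwise one SA per generated policy."""
    local = IPv4Network(f"{assigned}/32")
    if single_wildcard:
        return [Proposal(local, ANY)]
    return [Proposal(local, net) for net in pushed_networks]


def negotiate(gateway: Gateway, proposals):
    """Return (connected, established_remote_selectors).

    A single rejected proposal drops the whole session, which is the
    connect-then-disconnect symptom reported at the top of the thread."""
    established = []
    for p in proposals:
        if not gateway.quick_mode(p):
            return False, []
        established.append(p.remote_id)
    return True, established


def covered(established, pushed_networks):
    """Pushed (split-tunnel) networks that can be routed through some SA.

    Policies and SAs are distinct: with the wildcard SA every per-network
    policy still has an SA to use, because each network is a subnet of
    0.0.0.0/0."""
    return [net for net in pushed_networks
            if any(net.subnet_of(sa) for sa in established)]


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    pushed = [IPv4Network("10.10.0.0/16"), IPv4Network("192.168.100.0/24")]
    assigned = IPv4Address("10.250.0.7")
    ios_like = Gateway(pushed)

    ok, sas = negotiate(ios_like, client_proposals(assigned, pushed, False))
    print("per-policy SAs against IOS-like gateway:", "up" if ok else "disconnected")

    ok, sas = negotiate(ios_like, client_proposals(assigned, pushed, True))
    print("single 0.0.0.0/0 SA against IOS-like gateway:", "up" if ok else "disconnected")
    print("networks reachable through that SA:", [str(n) for n in covered(sas, pushed)])
```

Running it shows the per-policy proposals being refused by the IOS-like responder while the single wildcard proposal is accepted and still covers both pushed networks; flipping accepts_specific to True reproduces the PIX/ASA case where the per-policy proposals succeed.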
