[vpn-help] Shrew VPN client fails to connect when "ike config push" is selected

Vali mastanvali at gmail.com
Thu May 27 17:05:08 CDT 2010 

Hi All,
   I analyzed this further from my gateway and i noticed following things

   In the XAuth negotiation, after authenticating user successfully, my gateway
   is pushing configuration data (IP address, Mask and DNS) to client using
   ISAKMP_CFG_SET with XAUTH_STATUS attribute set to 1.

   draft-ietf-ipsec-isakmp-xauth-06.txt requires XAUTH_STATUS attribute exchange
   to terminate xauth transaction.

   Shrew client is sending ISAKMP_CFG_ACK message with no attributes.
   I also see an additional ISAKMP_CFG_ACK message with all the attributes.
   Debug logs shows client is sending config push.

   I do not see XAUTH_STATUS in both ISAKMP_CFG_ACK messages.

   My gateway is ignoring second ISAKMP_CFG_ACK message but seems like shrew
   client is expecting some reply from gateway and it is re-sending the seconf
   ISAKMP_CFG_ACK without starting phase-2 negotiation.

   Hoping this analysis will help to identify the issue.

Thanks,
Vali.


Message: 1
Date: Wed, 26 May 2010 16:42:34 -0700
From: Vali <mastanvali at gmail.com>
Subject: [vpn-help] Shrew VPN client fails to connect when "ike config
       push"   is selected
To: vpn-help at lists.shrew.net
Message-ID:
       <AANLkTimnGOY4STAsTUJAl8FsAfAOOkMu0pyevItU2i7o at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

   I'm hoping you will help me to identify the problem here.

   Problem:
       Shrew VPN client fails to connect to my gateway when "ike config push"
       is choosed.

   I configured "ike config push" method in the general tab.
   phase-1 and phase-2 configuration matches with what are configured on
   gateway.

   Situation:
       - Phase-1 completed successfully
       - After xauth is completed, gateway is pushing IP details to client.
       - Shrew-client is sending two ISAKMP_CFG_ACK packets to gateway. One
         with no attributes and other with accepted attributes list.

   debug logs are attached.

   If i disable "Auto configuration" in general tab and assigns a manual IP,
   everything works file. Tunnel establishes and traffic goes through.

   "ike config pull" is not working in my case.


   Here are some additional details
       . VPN Client Version    : 2.1.5
       . Windows OS Version    : Windows XP
       . Gateway Make/Model    : Watchguard's Firebox X1250e
       . Gateway OS Version ( if known ) : Do not know

Thanks,
Mastan.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug.7z
Type: application/octet-stream
Size: 9006 bytes
Desc: not available
Url : http://lists.shrew.net/pipermail/vpn-help/attachments/20100526/b32bea49/attachment-0001.obj

More information about the vpn-help mailing list