[vpn-help] WatchGuard XTM 23 & Shrew 2.2
kevin vpn
kvpn at live.com
Thu Apr 28 21:40:15 CDT 2011
On Wed, 20 Apr 2011 23:18:49 -0500
<gregmail at outtacyte.com> wrote:
>
> So I downloaded, applied & then created the .vpn file. I imported the
> created .vpn file and gave it a try. I got a lot further than
> before, but I'm still getting an error.
>
Hi Greg,
This message in the Shrew log suggests to me that you should first
check to see if your preshared keys match between Shrew and the gateway.
11/04/20 22:56:37 == : phase1 hash_r ( received ) ( 20 bytes )
11/04/20 22:56:37 !! : phase1 sa rejected, invalid auth data
11/04/20 22:56:37 !! : 100.55.20.75:4500 <-> 100.100.100.37:4500
If that doesn't work, I'd work to make sure the other phase1 settings
match. This is what Shrew is trying to use:
11/04/20 22:56:37 << : security association payload
11/04/20 22:56:37 << : - propsal #1 payload
11/04/20 22:56:37 << : -- transform #1 payload
11/04/20 22:56:37 ii : matched isakmp proposal #1 transform #1
11/04/20 22:56:37 ii : - transform = ike
11/04/20 22:56:37 ii : - cipher type = 3des
11/04/20 22:56:37 ii : - key length = default
11/04/20 22:56:37 ii : - hash type = sha1
11/04/20 22:56:37 ii : - dh group = group1 ( modp-768 )
11/04/20 22:56:37 ii : - auth type = xauth-initiator-psk
11/04/20 22:56:37 ii : - life seconds = 86400
11/04/20 22:56:37 ii : - life kbytes = 0
And this output from the gateway shows what it would like:
Debug 2011-04-21T03:59:26 Process=iked msg=IKE Proposal : peer propose EncryptAlgo 3DES
Debug 2011-04-21T03:59:26 Process=iked msg=IKE Proposal : peer propose AuthAlgo SHA-1
Debug 2011-04-21T03:59:26 Process=iked msg=Select IKE Proposal : matched DHGrp 1
Debug 2011-04-21T03:59:26 Process=iked msg=IKE Proposal : peer propose XAuthMode 65001
Debug 2011-04-21T03:59:26 Process=iked msg=P1__Mode: XAuth enforced, peer propose 65001
Debug 2011-04-21T03:59:26 Process=iked msg=IkeSelect Xauth= 65001 1
Debug 2011-04-21T03:59:26 Process=iked msg=Select Proposal : peer propose life sec 86400
Debug 2011-04-21T03:59:26 Process=iked msg=Select Proposal : take local proposed life sec 28800
Debug 2011-04-21T03:59:26 Process=iked msg=IkeProposalHtoN : net order spi(0000 0000 0000 0000)
Debug 2011-04-21T03:59:26 Process=iked msg=peer ID type 3 length 19 data0 54
Notice that there is a mismatch when it comes to the "life sec". There
may be other mismatches, because I don't know how to map the "peer ID
type 3" to the Shrew client settings.
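
The comparison described in the message above, as an added example that is not part of the original post: a small Python script that reads the Shrew client log and the gateway iked debug log and lists phase1 values that differ. The field-name mapping in FIELD_MAP and the function names are assumptions made for this example, and the sample input is constructed from the log lines quoted in the message.

```python
import re

# Constructed input: lines taken from the two logs quoted in the message above.
SHREW = """\
11/04/20 22:56:37 !! : phase1 sa rejected, invalid auth data
11/04/20 22:56:37 ii : - cipher type = 3des
11/04/20 22:56:37 ii : - hash type = sha1
11/04/20 22:56:37 ii : - dh group = group1 ( modp-768 )
11/04/20 22:56:37 ii : - life seconds = 86400
"""
GATEWAY = """\
Debug 2011-04-21T03:59:26 Process=iked msg=IKE Proposal : peer propose EncryptAlgo 3DES
Debug 2011-04-21T03:59:26 Process=iked msg=IKE Proposal : peer propose AuthAlgo SHA-1
Debug 2011-04-21T03:59:26 Process=iked msg=Select IKE Proposal : matched DHGrp 1
Debug 2011-04-21T03:59:26 Process=iked msg=Select Proposal : peer propose life sec 86400
Debug 2011-04-21T03:59:26 Process=iked msg=Select Proposal : take local proposed life sec 28800
"""
# Assumed field-name mapping between the two logs (not from either vendor's documentation).
FIELD_MAP = {"cipher type": "EncryptAlgo", "hash type": "AuthAlgo",
             "dh group": "DHGrp", "life seconds": "life sec"}

def norm(value):
    # Lower-case, drop punctuation and a leading "group": 'SHA-1' -> 'sha1', 'group1' -> '1'.
    return re.sub(r"^group", "", re.sub(r"[^a-z0-9]", "", value.lower()))

def compare(shrew_log, gateway_log):
    """Return a list of phase1 differences between the client and gateway logs."""
    client = dict(re.findall(r"ii : - ([a-z ]+?) = (\S+)", shrew_log))
    # Values the gateway received from the peer or matched, and values it holds locally.
    seen = dict(re.findall(r"(?:peer propose|matched) (\w+(?: sec)?) (\S+)", gateway_log))
    local = dict(re.findall(r"take local proposed (\w+(?: sec)?) (\S+)", gateway_log))
    findings = []
    for c_key, g_key in FIELD_MAP.items():
        if c_key not in client:
            continue  # the client log did not report this setting
        c_val = norm(client[c_key])
        for label, side in (("gateway logged", seen), ("gateway local", local)):
            if g_key in side and norm(side[g_key]) != c_val:
                findings.append(f"{c_key}: client {c_val}, {label} {side[g_key]}")
    if "invalid auth data" in shrew_log:
        findings.append("phase1 auth rejected: compare the preshared key on both sides")
    return findings

if __name__ == "__main__":
    print("\n".join(compare(SHREW, GATEWAY)))
```

On the constructed input it reports the "life sec" difference (86400 on the client, 28800 local to the gateway) and the rejected phase1 authentication.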