[vpn-help] WatchGuard XTM 23 & Shrew 2.2

gregmail at outtacyte.com
Fri Apr 29 13:17:18 CDT 2011


Kevin, et al.,

I've gotten further on this and I do now have it working between Shrew
(2.1.7 & 2.2) and the WatchGuard (Fireware 11.4.1 Pro).  WatchGuard folks
have a brand-new release that supports the Shrew client (11.4[.1]).  There
is a "firmware" and a System Manager, both at the same release levels.  They
have a feature to generate either a WatchGuard config file or a Shrew (.vpn)
config file.  This is what I found shortly before I sent the second note.  I
gave it a go and had some problems.  I've been working with the WatchGuard
folks since 4/21/11.

The problem is that the Fireware Web UI is a) not filling in the PSK in the
.vpn file (it had "b:auth-mutual-psk:(null)") and b) is barfing when it
receives this from the client.  It then responds "fail" to the PSK
authentication, which made it look like the PSK values did not match.

The interesting thing is that via the WSM (their service manager software)
the .vpn file is generated correctly (base64 encoded psk).

I have a ticket open with them now.  They were quite responsive while they
thought it was a setup error or Shrew's fault, but have been a bit slower
since I proved that it was their generation of the .vpn file that was at fault.

There are next to zero config options on the WatchGuard, but the software
does work when the .vpn file is generated correctly.

One question I have is:  Is it legal to have "b:auth-mutual-psk:(null)" in
the .vpn file and what does Shrew do when it encounters such?

-greg
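
A quick checker for the symptom described above, added here as an example and not code from the thread or from Shrew Soft: it parses the `type:key:value` lines of an exported .vpn file and flags an `auth-mutual-psk` entry that is missing, literally `(null)`, or not decodable base64. The sample file contents are constructed; apart from `auth-mutual-psk`, the key names and the `n:`/`s:`/`b:` type prefixes are assumed for illustration.

```python
import base64
import re

# Constructed sample in the assumed Shrew "type:key:value" layout, with the PSK
# line exactly as the Fireware Web UI emitted it in the thread.  Keys other than
# auth-mutual-psk are illustrative placeholders, not copied from a real export.
SAMPLE_BROKEN = """n:version:4
s:network-host:vpn.example.invalid
n:network-ike-port:500
s:auth-method:mutual-psk-xauth
b:auth-mutual-psk:(null)
"""

# Same file with a properly base64-encoded (constructed) PSK, as WSM generates it.
SAMPLE_GOOD = SAMPLE_BROKEN.replace(
    "b:auth-mutual-psk:(null)",
    "b:auth-mutual-psk:" + base64.b64encode(b"example-preshared-key").decode())

# One entry per line: a one-letter type (n=number, s=string, b=base64 binary),
# the key, and the value; the value may itself contain ':' so it is matched greedily.
LINE_RE = re.compile(r"^([nsb]):([A-Za-z0-9_-]+):(.*)$")


def parse_vpn(text):
    """Parse .vpn text into {key: (type, raw_value)}; reject malformed lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a type:key:value line: {raw!r}")
        kind, key, value = m.groups()
        entries[key] = (kind, value)
    return entries


def check_psk(entries):
    """Return a list of findings about the auth-mutual-psk entry (empty = OK)."""
    if "auth-mutual-psk" not in entries:
        return ["auth-mutual-psk: missing"]
    kind, value = entries["auth-mutual-psk"]
    findings = []
    if kind != "b":
        findings.append(f"auth-mutual-psk: expected binary ('b:') field, got '{kind}:'")
    if value == "(null)":  # the generator never substituted the key
        findings.append("auth-mutual-psk: literal '(null)' (generator did not fill in the PSK)")
        return findings
    if value == "":
        findings.append("auth-mutual-psk: empty")
        return findings
    try:
        decoded = base64.b64decode(value, validate=True)  # strict alphabet check
    except ValueError:  # binascii.Error is a ValueError subclass
        findings.append("auth-mutual-psk: not valid base64")
        return findings
    if not decoded:
        findings.append("auth-mutual-psk: decodes to zero bytes")
    return findings
```

Running `check_psk(parse_vpn(open("export.vpn").read()))` on a Web-UI export reproduces the "(null)" finding before the profile is ever imported into the client.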

-----Original Message-----
From: vpn-help-bounces at lists.shrew.net
[mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of kevin vpn
Sent: Thursday, April 28, 2011 9:40 PM
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] WatchGuard XTM 23 & Shrew 2.2

On Wed, 20 Apr 2011 23:18:49 -0500
<gregmail at outtacyte.com> wrote:

> 
> So I downloaded, applied & then created the .vpn file.  I imported the 
> created .vpn file and gave it a try.  I got a lot further than before, 
> but I'm still getting an error.
> 

Hi Greg,

This message in the Shrew log suggests to me that you should first check to
see if your preshared keys match between Shrew and the gateway.

11/04/20 22:56:37 == : phase1 hash_r ( received ) ( 20 bytes )
11/04/20 22:56:37 !! : phase1 sa rejected, invalid auth data
11/04/20 22:56:37 !! : 100.55.20.75:4500 <-> 100.100.100.37:4500

If that doesn't work, I'd work to make sure the other phase1 settings match.
This is what Shrew is trying to use:

11/04/20 22:56:37 << : security association payload
11/04/20 22:56:37 << : - propsal #1 payload
11/04/20 22:56:37 << : -- transform #1 payload
11/04/20 22:56:37 ii : matched isakmp proposal #1 transform #1
11/04/20 22:56:37 ii : - transform    = ike
11/04/20 22:56:37 ii : - cipher type  = 3des
11/04/20 22:56:37 ii : - key length   = default
11/04/20 22:56:37 ii : - hash type    = sha1
11/04/20 22:56:37 ii : - dh group     = group1 ( modp-768 )
11/04/20 22:56:37 ii : - auth type    = xauth-initiator-psk
11/04/20 22:56:37 ii : - life seconds = 86400
11/04/20 22:56:37 ii : - life kbytes  = 0

And this output from the gateway shows what it would like:

Debug	2011-04-21T03:59:26	Process=iked  msg=IKE
Proposal : peer propose EncryptAlgo 3DES 
Debug   2011-04-21T03:59:26	Process=iked  msg=IKE Proposal : peer
propose AuthAlgo SHA-1 
Debug	2011-04-21T03:59:26	Process=iked  msg=Select IKE
Proposal : matched DHGrp 1 
Debug 2011-04-21T03:59:26	Process=iked  msg=IKE Proposal : peer
propose XAuthMode 65001 
Debug	2011-04-21T03:59:26 	Process=iked
msg=P1__Mode: XAuth enforced, peer propose 65001 
Debug	2011-04-21T03:59:26 	Process=iked  msg=IkeSelect
Xauth= 65001 1 
Debug 	2011-04-21T03:59:26	Process=iked msg=Select
Proposal : peer propose life sec 86400 
Debug 	2011-04-21T03:59:26 	Process=iked msg=Select
Proposal : take local proposed life sec 28800 
Debug 	2011-04-21T03:59:26	Process=iked
msg=IkeProposalHtoN : net order spi(0000 0000 0000 0000) 
Debug	2011-04-21T03:59:26 	Process=iked  msg=peer ID type
3 length 19 data0 54

Notice that there is a mismatch when it comes to the "life sec".  There may
be other mismatches, because I don't know how to map the "peer ID type 3" to
the Shrew client settings.

