[vpn-help] Shrew not connecting to Watchguard

Kevin VPN kvpn at live.com
Tue Dec 6 21:45:50 CST 2011


On 12/01/2011 11:25 PM, Greg Ledford wrote:
> I appreciate the response. I thought I included both phases. I'll put more of the log in this message. Thanks for any help. (I also think it's stupid Watchguard switched over to Shrew because it's lazy on their part!)
>
> 11/11/30 21:03:33 ii : phase1 sa established
...
> 11/11/30 21:03:33 ii : sending xauth response for xxxx
...
> 11/11/30 21:03:33 ii : processing config packet ( 116 bytes )
> 11/11/30 21:03:33 DB : config found
> 11/11/30 21:03:33 =<  : cookies bd0b5c039a760147:e5d89fd56d79cb3b
> 11/11/30 21:03:33 =<  : message d879ecbe
> 11/11/30 21:03:33 =<  : decrypt iv ( 8 bytes )
> 11/11/30 21:03:33 == : decrypt packet ( 116 bytes )
> 11/11/30 21:03:33 !! : validate packet failed ( reserved value is non-null )
> 11/11/30 21:03:33 !! : config packet ignored ( packet decryption error )
> 11/11/30 21:03:33<- : recv NAT-T:IKE packet ##.###.###.##:4500 ->  192.168.1.21:4500 ( 116 bytes )
> 11/11/30 21:03:33 DB : phase1 found
>

Hi Greg,

This log shows a little more.  Phase1 goes alright, as does the xauth 
stage.  Where it goes dodgy is in the config exchange.

Are you using a config file generated from the Watchguard that you 
imported into the Shrew client?  If so, I would first try to manually 
enter the PSK into the Shrew configuration (on the 
Authentication/Credentials tab).  Maybe somehow the PSK didn't get 
shared correctly.

Second thing I would try is to play with the Auto Configuration on the 
General tab of the Shrew configuration.

It might be even more helpful if you could provide us with the actual 
Shrew configuration file that was generated by the Watchguard.  It's 
just a text file, so feel free to anonymize any IPs you wish.
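
Added example, not part of the original message and not Shrew Soft's own code: a small Python triage script that walks the quoted iked log lines, tracks which negotiation stage was reached, and attributes each "!!" line to that stage. The stage-marker strings and the reading of the "ii" and "!!" tags are assumptions taken only from the lines shown in this thread.

```python
import re

# Constructed sample: lines copied from the log quoted in this thread, mail quoting kept.
SAMPLE_LOG = """\
> 11/11/30 21:03:33 ii : phase1 sa established
> 11/11/30 21:03:33 ii : sending xauth response for xxxx
> 11/11/30 21:03:33 ii : processing config packet ( 116 bytes )
> 11/11/30 21:03:33 DB : config found
> 11/11/30 21:03:33 == : decrypt packet ( 116 bytes )
> 11/11/30 21:03:33 !! : validate packet failed ( reserved value is non-null )
> 11/11/30 21:03:33 !! : config packet ignored ( packet decryption error )
> 11/11/30 21:03:33<- : recv NAT-T:IKE packet ##.###.###.##:4500 ->  192.168.1.21:4500 ( 116 bytes )
> 11/11/30 21:03:33 DB : phase1 found
"""

# timestamp, two-character tag, message; the space before the tag may be missing
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s*(\S\S)\s*:\s*(.*)$")

# Assumption: these "ii" messages mark entry into each stage (strings as seen above).
STAGE_MARKERS = [
    ("phase1 sa established", "phase1"),
    ("sending xauth response", "xauth"),
    ("processing config packet", "config"),
]

def parse_line(raw):
    """Strip mail quoting and return (timestamp, tag, message), or None."""
    m = LINE_RE.match(raw.lstrip("> \t").rstrip())
    return m.groups() if m else None

def triage(log_text):
    """Return the stages reached and every '!!' line with the stage it occurred in."""
    stage, reached, failures = "pre-phase1", [], []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # "..." elisions and blank lines
        _, tag, msg = parsed
        if tag == "ii":
            for needle, name in STAGE_MARKERS:
                if msg.startswith(needle):
                    stage = name
                    if name not in reached:
                        reached.append(name)
        elif tag == "!!":
            failures.append((stage, msg))
    return {"reached": reached, "failures": failures}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("stages reached:", " -> ".join(result["reached"]))
    for stage, msg in result["failures"]:
        print(f"error during {stage}: {msg}")
```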


