[vpn-help] Windows v2.1.7 client vs. Zyxel Prestige router/security gateway

Maurizio Properzi maurizio.properzi at univaq.it
Wed Mar 23 11:58:15 CDT 2011


Hi Kevin,
you are correct, also...
...changing "Site configuration"->"Policy"->"IPSEC Policy Configuration"
settings, according to your hint, fixed all.

If you (= shrew.net) like, I can contribute by writing down a configuration guide for
ZYXEL P-662H-D1 and P-661H-D1 (however, these devices, AFAIK, are no longer produced...)

Thank you, best regards
Maurizio Properzi

---
On Tue, 15 Mar 2011 17:18:14 +0100 (CET)
Maurizio Properzi <maurizio.properzi at univaq.it> wrote:

> Problem:
> 
> After examining the device log, root cause seems to be [see
> Log-gateway.gif] a Phase 2 ID mismatch, but I haven't found where to
> change it in client settings, while other VPN clients let me do
> so!!!...
> 

Hi Maurizio,

You are correct, you do have a Phase 2 mismatch.  The Shrew client is
attempting to tunnel all traffic from the client PC to the gateway
(e.g. <0.0.0.0>-<0.0.0.0>) whereas the gateway is expecting only
traffic for the local subnet (e.g. <192.168.0.0>-<255.255.255.0>).

You can correct this in the Shrew config. If you're using Windows, in
the Site Configuration, on the Policy tab (far right tab) do the
following:

1. Uncheck "Obtain Topology Automatically or Tunnel All".
2. Click Add and use the following settings:

Type: Include
Address:  192.168.0.0
Netmask:  255.255.255.0

3. Click Ok then Save.

If you're using Linux and editing the configuration file manually, you
have to change a couple policy-list lines.

From:  
s:policy-list-auto:1
s:policy-list-include:0.0.0.0 / 0.0.0.0

To:
s:policy-list-auto:0
s:policy-list-include:192.168.0.0 / 255.255.255.0

That should hopefully do it.
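
Added example (not part of the original messages, and not Shrew Soft code): a small Python check that reads the policy-list lines of a site configuration and reports any Phase 2 ID that differs from the subnet the gateway expects. Assumptions: with policy-list-auto set to 1 the client is treated as proposing tunnel-all (0.0.0.0/0), as in the case described above; the gateway requires an exact match; the function names are made up for this example.

```python
import ipaddress

# Constructed samples: the "From" and "To" policy-list lines quoted in the thread.
BEFORE = "s:policy-list-auto:1\ns:policy-list-include:0.0.0.0 / 0.0.0.0\n"
AFTER = "s:policy-list-auto:0\ns:policy-list-include:192.168.0.0 / 255.255.255.0\n"

TUNNEL_ALL = ipaddress.ip_network("0.0.0.0/0")


def proposed_ids(config_text):
    """Return the remote networks the client would propose in Phase 2."""
    auto, includes = False, []
    for raw in config_text.splitlines():
        parts = raw.strip().split(":", 2)  # type prefix, key, value
        if len(parts) != 3:
            continue
        _, key, value = parts
        if key == "policy-list-auto":
            auto = value.strip() == "1"
        elif key == "policy-list-include":
            addr, _, mask = value.partition("/")
            includes.append(ipaddress.ip_network(f"{addr.strip()}/{mask.strip()}"))
    # Assumption: with auto enabled and no topology pushed by the gateway,
    # the client falls back to tunnel-all, as in the case described above.
    return [TUNNEL_ALL] if auto else includes


def phase2_mismatches(config_text, gateway_subnet):
    """Return proposed networks that differ from the gateway's local subnet."""
    expected = ipaddress.ip_network(gateway_subnet)
    proposed = proposed_ids(config_text)
    if not proposed:
        raise ValueError("no policy-list-include entries and auto is off")
    return [net for net in proposed if net != expected]


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        bad = phase2_mismatches(cfg, "192.168.0.0/255.255.255.0")
        print(name, "mismatch:" if bad else "ok", *bad)
```
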



