[vpn-help] WatchGuard XTM 23 & Shrew 2.2

Matthew Grooms mgrooms at shrew.net
Mon May 16 12:30:33 CDT 2011


On 4/29/2011 1:17 PM, gregmail at outtacyte.com wrote:
> Kevin, et al.,
>
> I've gotten further on this and I do now have it working between Shrew
> (2.1.7 & 2.2) and the WatchGuard (Fireware 11.4.1 Pro).  WatchGuard folks
> have a brand-new release that supports the Shrew client (11.4[.1]).  There
> is a "firmware" and a System Manager, both at the same release levels.  They
> have a feature to generate either a WatchGuard config file or a Shrew (.vpn)
> config file.  This is what I found shortly before I sent the second note.  I
> gave it a go and had some problems.  I've been working with the WatchGuard
> folks since 4/21/11.
>
> The problem is that the FireWire Web UI is a) not filling in the PSK in the
> .vpn file (It had "b:auth-mutual-psk:(null)") and b) is barfing when it
> received this from the client.  This then responded fail to the PSK
> authentication which made it look like the PSK values did not match.
>
> The interesting thing is that via the WSM (their service manager software)
> the .vpn file is generated correctly (base64 encoded psk).
>
> I have a ticket open with them now.  They were quite responsive while they
> thought it was a setup error or Shrew's fault, but have been a bit slower
> when I proved that it was their generation of the that was at fault.
>
> There are next to zero config options on the WatchGuard, but the software
> does work when the .vpn file is generated correctly.
>
> One question I have is:  Is it legal to have "b:auth-mutual-psk:(null)" in
> the .vpn file and what does Shrew do when it encounters such?
>

It may load the file but the connection would obviously fail. Try it and 
see what happens.

-Matthew
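
A pre-flight check for a generated .vpn file before it is handed to users, as an added example that is not part of the original thread or of Shrew or WatchGuard code. It assumes each line has the `type:name:value` layout seen in `b:auth-mutual-psk:(null)`, with `b` marking a base64 value; the sample host and key are constructed.

```python
import base64
import binascii

# Constructed sample profiles; the host and key material are made up.
BROKEN_VPN = """s:network-host:vpn.example.test
s:auth-method:mutual-psk
b:auth-mutual-psk:(null)
"""
GOOD_VPN = (
    "s:network-host:vpn.example.test\n"
    "s:auth-method:mutual-psk\n"
    "b:auth-mutual-psk:"
    + base64.b64encode(b"constructed-sample-psk").decode() + "\n"
)


def check_vpn_profile(text):
    """Return a list of (line_number, problem) found in a .vpn profile.

    Line number 0 marks a problem with the file as a whole. Values are
    never echoed back, so a real key does not end up in a log.
    """
    problems = []
    psk_seen = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3:
            problems.append((lineno, "not in type:name:value form"))
            continue
        kind, name, value = parts
        if name == "auth-mutual-psk":
            psk_seen = True
        if kind != "b":
            continue
        try:
            # validate=True rejects characters outside the base64 alphabet,
            # which is what catches the literal "(null)" placeholder.
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append((lineno, name + ": value is not valid base64"))
            continue
        if not decoded:
            problems.append((lineno, name + ": value is empty"))
    if not psk_seen:
        problems.append((0, "no auth-mutual-psk entry"))
    return problems
```

An empty list means every `b:` entry decoded and a PSK entry was present; it says nothing about whether the key matches the one configured on the gateway.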