[vpn-help] negotiation timeout
Kevin VPN
kvpn at live.com
Thu Aug 2 21:25:22 CDT 2012
On 07/31/2012 12:12 AM, Steven Lam wrote:
> Hi, here is the setup screen of the client to gateway vpn.
>
> -----Original Message-----
> From: vpn-help-bounces at lists.shrew.net
> [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Kevin VPN
> Sent: July-27-12 7:14 PM
> To: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] negotiation timeout
>
> On 07/27/2012 12:13 AM, Steven Lam wrote:
>> Ok, so it is a vpn configuration problem. I guess I have to REALLY
>> dig in what each option means. You know the sample vpn-shrew
>> configuration for
>> RV082 is for an old firmware (1.3.98-tm) but my firmware is
>> 2.0.0.19-TM. My version has a lot more options. Is there a sample
>> configuration somewhere?
>> I really hate to bug you like this.
>>
>
> Hi Steven,
>
> Feel free to send screenshots of the new firmware and we can try to help you
> map the settings from the HowTo to the new options. In general there's not
> too many settings that actually need to be modified, we can probably figure
> this out.
Hi Steven,
Here's the first thing I'm going to suggest you look at.
In the PDF you sent, there's a field labeled "Remote Client." This
Remote Client field is what is used by the gateway to identify a valid
client - a valid client should send/use an identity value that matches
what the gateway expects. If the value doesn't match, the gateway
doesn't respond to the client.
In the PDF, the value you've assigned to it is "IP Only." That means
you've told the gateway to expect the remote client to use a specific IP
address. The IP address that you enter into the fields (they're blank
in the PDF) is what the gateway will expect.
Using an IP Address for identity is problematic if your clients are
using dynamic IP addresses. It might work for a while, but once the
client's IP address changes, the gateway will reject connection attempts
from the new IP address.
If you look at the Linksys Howto, it uses another option, "Domain
Name(FQDN)." This is one of the options that allows a client to provide
an identifying string instead of an IP address. My suggestion is to try
using the FQDN similarly to the Howto.
(Remember that you also have to change the values in the Shrew Site
Configuration -> Authentication tab -> Local Identity sub-tab to match
what you specify on the gateway configuration.)
BTW, if you get this working, I next highly recommend that you change
the Phase 1/Phase 2 Encryption/Authentication values to AES/3DES and
SHA1. The values you've got now (DES/MD5) are relatively weak.
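The identity check described above, as an added example that is not part of this thread or of Shrew Soft's code: it serialises and parses the IKEv1 Identification payload (ID type values from RFC 2407) and applies a gateway policy modelled on the RV082 "Remote Client" field, showing why an "IP Only" identity stops matching once the client's address changes while an FQDN identity keeps matching. The addresses, hostname and policy tuples are constructed sample values.

```python
import ipaddress
import struct

# ISAKMP Identification payload ID types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2

def build_id_payload(id_type, data):
    """Serialise an IKEv1 Identification payload: generic header
    (next payload, reserved, length), then ID type, protocol ID, port, data."""
    body = struct.pack("!BBH", id_type, 0, 0) + data
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body

def parse_id_payload(raw):
    """Return (id_type, identity) from a serialised Identification payload."""
    _next, _res, length = struct.unpack("!BBH", raw[:4])
    id_type, _proto, _port = struct.unpack("!BBH", raw[4:8])
    data = raw[8:length]
    if id_type == ID_IPV4_ADDR:
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type == ID_FQDN:
        return id_type, data.decode("ascii")
    raise ValueError("unsupported ID type %d" % id_type)

def gateway_accepts(policy, raw_payload):
    """policy mirrors the 'Remote Client' field (constructed representation):
    ('ip', '203.0.113.7') for 'IP Only', ('fqdn', 'host') for 'Domain Name(FQDN)'.
    True only when the client's identity matches what the gateway expects."""
    id_type, ident = parse_id_payload(raw_payload)
    kind, expected = policy
    if kind == "ip":
        return id_type == ID_IPV4_ADDR and ident == expected
    if kind == "fqdn":
        return id_type == ID_FQDN and ident.lower() == expected.lower()
    return False

# Constructed samples: a client identifying by its (dynamic) address, first
# from 203.0.113.7 and later from 203.0.113.42, and one using a fixed FQDN.
first_addr = build_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address("203.0.113.7").packed)
new_addr = build_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address("203.0.113.42").packed)
fqdn_id = build_id_payload(ID_FQDN, b"laptop.example.net")

IP_ONLY_POLICY = ("ip", "203.0.113.7")
FQDN_POLICY = ("fqdn", "laptop.example.net")

if __name__ == "__main__":
    print(gateway_accepts(IP_ONLY_POLICY, first_addr))  # True
    print(gateway_accepts(IP_ONLY_POLICY, new_addr))    # False: address changed
    print(gateway_accepts(FQDN_POLICY, fqdn_id))        # True, whatever the address
```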