[vpn-help] negotiation timeout

Kevin VPN kvpn at live.com
Thu Aug 2 21:25:22 CDT 2012


On 07/31/2012 12:12 AM, Steven Lam wrote:
> Hi, here is the setup screen of the client to gateway vpn.
>
> -----Original Message-----
> From: vpn-help-bounces at lists.shrew.net
> [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Kevin VPN
> Sent: July-27-12 7:14 PM
> To: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] negotiation timeout
>
> On 07/27/2012 12:13 AM, Steven Lam wrote:
>> Ok, so it is a vpn configuration problem.  I guess I have to REALLY
>> dig into what each option means.  You know the sample vpn-shrew
>> configuration for
>> RV082 is for an old firmware (1.3.98-tm) but my firmware is
>> 2.0.0.19-TM.  My version has a lot more options.  Is there a sample
>> configuration somewhere?
>> I really hate to bug you like this.
>>
>
> Hi Steven,
>
> Feel free to send screenshots of the new firmware and we can try to help you
> map the settings from the HowTo to the new options.  In general there aren't
> too many settings that actually need to be modified, we can probably figure
> this out.

Hi Steven,

Here's the first thing I'm going to suggest you look at.

In the PDF you sent, there's a field labeled "Remote Client."  This 
Remote Client field is what is used by the gateway to identify a valid 
client - a valid client should send/use an identity value that matches 
what the gateway expects.  If the value doesn't match, the gateway 
doesn't respond to the client.

In the PDF, the value you've assigned to it is "IP Only."  That means 
you've told the gateway to expect the remote client to use a specific IP 
address.  The IP address that you enter into the fields (they're blank 
in the PDF) is what the gateway will expect.

Using an IP Address for identity is problematic if your clients are 
using dynamic IP addresses.  It might work for a while, but once the 
client's IP address changes, the gateway will reject connection attempts 
from the new IP address.

If you look at the Linksys Howto, it uses another option, "Domain 
Name (FQDN)."  This is one of the options that allows a client to provide 
an identifying string instead of an IP address.  My suggestion is to try 
using the FQDN similarly to the Howto.

(Remember that you also have to change the values in the Shrew Site 
Configuration -> Authentication tab -> Local Identity sub-tab to match 
what you specify on the gateway configuration.)


BTW, if you get this working, I next highly recommend that you change 
the Phase 1/Phase 2 Encryption/Authentication values to AES/3DES and 
SHA1.  The values you've got now (DES/MD5) are relatively weak.
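
Added example (mine, not code from the thread or from the Shrew Soft project): a small Python model of the Phase 1 identity check described in the message above. It encodes and parses the ISAKMP Identification payload (RFC 2408 generic payload header plus the RFC 2407 ID type, protocol ID and port fields) and simulates a gateway that, like the RV082 "Remote Client" setting, only answers when the client's identity type and value match its configuration. The addresses, the hostname rv082-client.example.com and the exact-string comparison are constructed assumptions; real gateways may additionally compare the packet's source address or normalise case.

```python
"""Toy model of IKEv1 Phase 1 identity matching (RFC 2407 ID payload).

Added example, not from the mailing-list thread or the Shrew Soft code.
Shows why a gateway configured for an IP-address identity stops answering
once the client's address changes, while an FQDN identity keeps matching.
"""
import ipaddress
import struct

# RFC 2407 section 4.6.2.1, IPsec DOI identification types
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_KEY_ID = 11

# Generic header (next payload, reserved, length) + DOI fields
# (ID type, protocol ID, port): 8 bytes before the identification data.
_HDR = struct.Struct("!BBHBBH")


def build_id_payload(id_type, data, next_payload=0):
    """Encode an ISAKMP Identification payload.

    For ID_IPV4_ADDR the data is the dotted address; for the string types it
    is the identity string.  Protocol ID and port are left 0 (any).
    """
    if id_type == ID_IPV4_ADDR:
        body = ipaddress.IPv4Address(data).packed
    else:
        body = data.encode("ascii")
    length = _HDR.size + len(body)
    return _HDR.pack(next_payload, 0, length, id_type, 0, 0) + body


def parse_id_payload(raw):
    """Decode an ID payload into (id_type, identity) or raise ValueError."""
    if len(raw) < _HDR.size:
        raise ValueError("short ID payload")
    _np, _res, length, id_type, _proto, _port = _HDR.unpack(raw[:_HDR.size])
    if length != len(raw):
        raise ValueError("ID payload length field does not match data")
    body = raw[_HDR.size:]
    if id_type == ID_IPV4_ADDR:
        if len(body) != 4:
            raise ValueError("ID_IPV4_ADDR needs 4 bytes of data")
        return id_type, str(ipaddress.IPv4Address(body))
    if id_type in (ID_FQDN, ID_USER_FQDN):
        return id_type, body.decode("ascii")
    return id_type, body.hex()


def client_identity(client_type, client_string, current_ip):
    """The IDii the client sends: its *current* address when configured for
    an IP identity, otherwise the configured string (assumption: the client
    derives an IP identity from whatever address it has at the moment)."""
    if client_type == ID_IPV4_ADDR:
        return build_id_payload(ID_IPV4_ADDR, current_ip)
    return build_id_payload(client_type, client_string)


def gateway_accepts(expected_type, expected_value, raw_payload):
    """Model of the gateway's 'Remote Client' check: both the identity type
    and the identity value must equal the configured ones, otherwise the
    gateway stays silent (returns False).  Exact string compare is an
    assumption; RFC 2407 says an FQDN is not resolved, only compared."""
    try:
        got_type, got_value = parse_id_payload(raw_payload)
    except ValueError:
        return False
    return got_type == expected_type and got_value == expected_value


def simulate(gw_type, gw_value, client_type, client_string, client_ips):
    """For a constructed sequence of client addresses, return whether each
    connection attempt would be answered by the gateway."""
    results = []
    for ip in client_ips:
        payload = client_identity(client_type, client_string, ip)
        results.append(gateway_accepts(gw_type, gw_value, payload))
    return results


if __name__ == "__main__":
    # Constructed scenario: the client keeps its address for two attempts,
    # then the ISP hands it a new one.
    ips = ["203.0.113.10", "203.0.113.10", "198.51.100.7"]
    host = "rv082-client.example.com"
    print("IP Only identity:",
          simulate(ID_IPV4_ADDR, "203.0.113.10", ID_IPV4_ADDR, "", ips))
    print("FQDN identity:   ",
          simulate(ID_FQDN, host, ID_FQDN, host, ips))
    print("type mismatch:   ",
          simulate(ID_IPV4_ADDR, "203.0.113.10", ID_FQDN, host, ips))
```

The third scenario is the one the message warns about in passing: if the gateway is left on "IP Only" but the Shrew Soft Local Identity tab is set to a string type, no attempt is answered even while the address is stable, which looks like a plain negotiation timeout from the client side.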