[vpn-help] Can same server config work for iPhone and Shrew? - Phase 1 trouble

Whit Blauvelt whit at transpect.com
Thu Jan 19 09:31:44 CST 2012


Hi,

As a way of providing VPN access for our iPhone-using staff, I've followed
the nice recipe provided here:

http://blog.dest-unreach.be/2011/03/03/iphone-compatible-ipsec-vpn-on-an-ubuntu-server-with-ldap-authentication/

Aside from using standard auth rather than ldap, that's the config we're
using.

Now, I'd like to have the Shrew client as another option to connect to that.
But I can't get Phase 1 to work. It fails like this:

Jan 19 10:12:55 boxname racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth pskey server:GSS-API on Kerberos 5
Jan 19 10:12:55 boxname racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = XAuth pskey server:GSS-API on Kerberos 5
Jan 19 10:12:55 boxname racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = XAuth pskey server:GSS-API on Kerberos 5
Jan 19 10:12:55 boxname racoon: ERROR: no suitable proposal found.
Jan 19 10:12:55 boxname racoon: ERROR: failed to get valid proposal.
Jan 19 10:12:55 boxname racoon: ERROR: failed to pre-process packet.
Jan 19 10:12:55 boxname racoon: ERROR: phase1 negotiation failed.

I have Shrew's Phase 1 set for aggressive, group 2, aes, auto, sha1, and the
Authentication Method set to "Mutual PSK + XAuth," which would seem to match racoon's settings:

remote anonymous {
    tunnel
    passive on;
    exchange_mode main,aggressive;
    my_identifier fqdn "something.obfuscated.com";
    mode_cfg on;
    verify_cert off;
    ike_frag on;
    generate_policy on;
    nat_traversal on;
    dpd_delay 20;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}

I've tried both the latest Linux Shrew, and the stable Windows version, and
both get a similar string of "rejected" responses from racoon. Is Shrew's
"Mutual PSK + XAuth" the equivalent of "xauth_psk_client" rather than
"xauth_psk_server" on the racoon side? I have no idea what the difference
between those two is, but prefer not to alter something that's working for
the primary audience, the iPhone users. 

Whit
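The racoon lines quoted above follow a fixed pattern: each "rejected <attribute>" line names the server-side (DB) proposal/transform, the peer's proposal/transform, and the two attribute values that failed to match, separated by a colon. The small parser below is an added example, not code from this post or from the racoon or Shrew projects; it assumes the log format is exactly the one quoted and it only extracts and summarizes the mismatch, it does not decide which side is misconfigured. Run over the sample lines (embedded here as constructed input, copied from the post) it reports that the server offered one authentication method on every comparison while the peer offered three transforms that all decoded to a different one, which is the information an administrator needs before touching a config that already serves other clients.

```python
import re
from collections import defaultdict

# Constructed sample input: the racoon log lines quoted in the post above.
SAMPLE_LOG = """\
Jan 19 10:12:55 boxname racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth pskey server:GSS-API on Kerberos 5
Jan 19 10:12:55 boxname racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = XAuth pskey server:GSS-API on Kerberos 5
Jan 19 10:12:55 boxname racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = XAuth pskey server:GSS-API on Kerberos 5
Jan 19 10:12:55 boxname racoon: ERROR: no suitable proposal found.
Jan 19 10:12:55 boxname racoon: ERROR: failed to get valid proposal.
Jan 19 10:12:55 boxname racoon: ERROR: failed to pre-process packet.
Jan 19 10:12:55 boxname racoon: ERROR: phase1 negotiation failed.
"""

# One "rejected <attr>" line: DB(prop#a:trns#b):Peer(prop#c:trns#d) = <db value>:<peer value>
# The DB value is matched non-greedily up to the first colon, because racoon
# prints the two attribute values joined by a single ':'.
REJECT_RE = re.compile(
    r"racoon: ERROR: rejected (?P<attr>\w+): "
    r"DB\(prop#(?P<db_prop>\d+):trns#(?P<db_trns>\d+)\):"
    r"Peer\(prop#(?P<peer_prop>\d+):trns#(?P<peer_trns>\d+)\) = "
    r"(?P<db_val>.+?):(?P<peer_val>.+?)\s*$"
)


def parse_rejections(log_text):
    """Return one dict per 'rejected <attr>' line, in log order."""
    out = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("db_prop", "db_trns", "peer_prop", "peer_trns"):
            rec[key] = int(rec[key])
        out.append(rec)
    return out


def phase1_failed(log_text):
    """True when racoon reports that the Phase 1 negotiation failed."""
    return any("phase1 negotiation failed" in line for line in log_text.splitlines())


def summarize(rejections):
    """Collapse the per-transform rejections into, per attribute, what each side offered.

    Result: {attr: {"server_offers": [...], "peer_offers": [...], "peer_transforms": [...]}}
    Lists are sorted and de-duplicated so they are stable for comparison.
    """
    server = defaultdict(set)
    peer = defaultdict(set)
    trns = defaultdict(set)
    for r in rejections:
        server[r["attr"]].add(r["db_val"])
        peer[r["attr"]].add(r["peer_val"])
        trns[r["attr"]].add(r["peer_trns"])
    return {
        attr: {
            "server_offers": sorted(server[attr]),
            "peer_offers": sorted(peer[attr]),
            "peer_transforms": sorted(trns[attr]),
        }
        for attr in server
    }


def report(log_text):
    """Human-readable summary of why Phase 1 proposal matching failed."""
    rejections = parse_rejections(log_text)
    lines = []
    if not rejections:
        lines.append("no proposal rejections found")
    for attr, info in summarize(rejections).items():
        lines.append(
            f"{attr}: server offered {info['server_offers']}; "
            f"peer transforms {info['peer_transforms']} offered {info['peer_offers']}"
        )
    lines.append("phase 1 failed" if phase1_failed(log_text) else "phase 1 not reported as failed")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The summary deliberately keeps the server's and the peer's values side by side rather than guessing a fix: the only thing the log proves is that none of the three transforms the client sent carried an authentication method racoon was willing to pair with xauth_psk_server. Comparing that summary against a capture from a client that does connect (the iPhone in this case) shows exactly which attribute differs, which is a safer basis for a config change than editing the working remote block blind.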
