[vpn-help] Use of Shrew-soft client software 2.2.0-rc4 with Vyatta OS 6.5

John Frink thehelpdeskguy.com at gmail.com
Mon Apr 22 14:24:35 CDT 2013


I am attempting to get a working configuration that will allow the 'road
scholars' (as opposed to 'road warriors') at my company to use the current
Shrew Soft VPN client software to create an IPSec VPN with our Vyatta
router.  We are using the Vyatta VSE6.5R3 x64 OS. I will be happy to share
the final, working configuration settings with your users, assuming I can
get this working.  We have paid-for support with Vyatta, so if I can get a
few questions answered, I believe I have a good chance of making this work.

(1) Much like the Vyatta to Cisco ASA connections, I need to configure
"no-xauth" and "no-config-mode" at both ends of the Vyatta-to-Shrewsoft
tunnel.  (Vyatta does not currently support either "xauth" or "config-mode"
when setting up the tunnel.)  The documentation for your latest VPN client
(ver. 2.1.7) connection to Cisco ASA shows the " re-xauth disable "
setting.  I wish to be certain this will completely disable "xauth".

(2) Similar to question (1), how do I completely disable the "config-mode"
on this client?  (Again, Vyatta does not currently support "config-mode".)

(3) I need to use a pre-shared-key, at least at first. Is there a setting
that requires Main Mode to be used rather than Aggressive Mode?  The Vyatta
OS will not use Aggressive Mode for the RA sessions.

(4) If I have multiple users authenticate with separate usernames and
passwords, do I need to use a single PSK for all RA users, or can I set up
unique PSKs for each user?

(5) The debug messages state "


13/04/22 11:53:01 DB : phase1 found
13/04/22 11:53:01 ii : processing informational packet ( 92 bytes )
13/04/22 11:53:01 == : new informational iv ( 16 bytes )
13/04/22 11:53:01 =< : cookies 16adb235e902b8cf:1bbf7eaa4ce7f460
13/04/22 11:53:01 =< : message 4839f1be
13/04/22 11:53:01 =< : decrypt iv ( 16 bytes )
13/04/22 11:53:01 == : decrypt packet ( 92 bytes )
13/04/22 11:53:01 <= : trimmed packet padding ( 8 bytes )
13/04/22 11:53:01 <= : stored iv ( 16 bytes )
13/04/22 11:53:01 << : hash payload
13/04/22 11:53:01 << : notification payload
13/04/22 11:53:01 == : informational hash_i ( computed ) ( 20 bytes )
13/04/22 11:53:01 == : informational hash_c ( received ) ( 20 bytes )
13/04/22 11:53:01 ii : informational hash verified
13/04/22 11:53:01 ii : received peer DPDV1-R-U-THERE-ACK notification
13/04/22 11:53:01 ii : - 111.222.333.444:500 -> 10.17.9.17:500
13/04/22 11:53:01 ii : - isakmp spi = 16adb235e902b8cf:1bbf7eaa4ce7f460
13/04/22 11:53:01 ii : - data size 4
13/04/22 11:53:01 ii : DPD ARE-YOU-THERE-ACK sequence 1dfca67e accepted
13/04/22 11:53:01 ii : next tunnel DPD request in 15 secs for peer
111.222.333.444:500
13/04/22 11:53:16 DB : phase1 found
13/04/22 11:53:16 ii : sending peer DPDV1-R-U-THERE notification
13/04/22 11:53:16 ii : - 10.17.9.17:500 -> 111.222.333.444:500
13/04/22 11:53:16 ii : - isakmp spi = 16adb235e902b8cf:1bbf7eaa4ce7f460
13/04/22 11:53:16 ii : - data size 4
13/04/22 11:53:16 >> : hash payload
13/04/22 11:53:16 >> : notification payload
13/04/22 11:53:16 == : new informational hash ( 20 bytes )
13/04/22 11:53:16 == : new informational iv ( 16 bytes )
13/04/22 11:53:16 >= : cookies 16adb235e902b8cf:1bbf7eaa4ce7f460
13/04/22 11:53:16 >= : message 47019083
13/04/22 11:53:16 >= : encrypt iv ( 16 bytes )
13/04/22 11:53:16 == : encrypt packet ( 84 bytes )
13/04/22 11:53:16 == : stored iv ( 16 bytes )
13/04/22 11:53:16 -> : send IKE packet 10.17.9.17:500 ->111.222.333.444:500
( 120 bytes )
13/04/22 11:53:16 ii : DPD ARE-YOU-THERE sequence 1dfca67f requested
13/04/22 11:53:16 <- : recv IKE packet 111.222.333.444:500 ->
10.17.9.17:500( 92 bytes )
13/04/22 11:53:16 DB : phase1 found
13/04/22 11:53:16 ii : processing informational packet ( 92 bytes )
13/04/22 11:53:16 == : new informational iv ( 16 bytes )
13/04/22 11:53:16 =< : cookies 16adb235e902b8cf:1bbf7eaa4ce7f460
13/04/22 11:53:16 =< : message 27d6214b
13/04/22 11:53:16 =< : decrypt iv ( 16 bytes )
13/04/22 11:53:16 == : decrypt packet ( 92 bytes )
13/04/22 11:53:16 <= : trimmed packet padding ( 8 bytes )
13/04/22 11:53:16 <= : stored iv ( 16 bytes )
13/04/22 11:53:16 << : hash payload
13/04/22 11:53:16 << : notification payload
13/04/22 11:53:16 == : informational hash_i ( computed ) ( 20 bytes )
13/04/22 11:53:16 == : informational hash_c ( received ) ( 20 bytes )
13/04/22 11:53:16 ii : informational hash verified
13/04/22 11:53:16 ii : received peer DPDV1-R-U-THERE-ACK notification
13/04/22 11:53:16 ii : - 111.222.333.444:500 -> 10.17.9.17:500
13/04/22 11:53:16 ii : - isakmp spi = 16adb235e902b8cf:1bbf7eaa4ce7f460
13/04/22 11:53:16 ii : - data size 4
13/04/22 11:53:16 ii : DPD ARE-YOU-THERE-ACK sequence 1dfca67f accepted
13/04/22 11:53:16 ii : next tunnel DPD request in 15 secs for peer
111.222.333.444:500
13/04/22 11:53:18 K< : recv pfkey ACQUIRE UNSPEC message
13/04/22 11:53:18 DB : policy found
13/04/22 11:53:18 ii : ignoring init phase2 by acquire, tunnel is nailed
13/04/22 11:53:25 <A : peer tunnel disable message
13/04/22 11:53:25 DB : policy found
13/04/22 11:53:25 ii : removing IPSEC INBOUND policy ANY:0.0.0.0/0:* ->
ANY:10.17.9.17:*
13/04/22 11:53:25 K> : send pfkey X_SPDDELETE2 UNSPEC message
13/04/22 11:53:25 DB : policy found
13/04/22 11:53:25 ii : removing IPSEC OUTBOUND policy ANY:10.17.9.17:* ->
ANY:0.0.0.0/0:*
13/04/22 11:53:25 K> : send pfkey X_SPDDELETE2 UNSPEC message
13/04/22 11:53:25 K< : recv pfkey X_SPDDELETE2 UNSPEC message
13/04/22 11:53:25 DB : policy found
13/04/22 11:53:25 ii : removing NONE INBOUND policy ANY:10.17.1.1:* ->
ANY:10.17.9.17:*
13/04/22 11:53:25 K> : send pfkey X_SPDDELETE2 UNSPEC message
13/04/22 11:53:25 DB : policy found
13/04/22 11:53:25 ii : removing NONE OUTBOUND policy ANY:10.17.9.17:* ->
ANY:10.17.1.1:*
13/04/22 11:53:25 K> : send pfkey X_SPDDELETE2 UNSPEC message
13/04/22 11:53:25 DB : policy found
13/04/22 11:53:25 ii : removing NONE INBOUND policy ANY:111.222.333.444:*
-> ANY:10.17.9.17:*
13/04/22 11:53:25 K> : send pfkey X_SPDDELETE2 UNSPEC message
13/04/22 11:53:25 DB : policy found
13/04/22 11:53:25 ii : removing NONE OUTBOUND policy ANY:10.17.9.17:* ->
ANY:111.222.333.444:*
13/04/22 11:53:25 K> : send pfkey X_SPDDELETE2 UNSPEC message
13/04/22 11:53:25 ii : removed NONE policy route for ANY:111.222.333.444:*
13/04/22 11:53:25 DB : policy found
13/04/22 11:53:25 DB : policy deleted ( obj count = 5 )
13/04/22 11:53:25 K< : recv pfkey X_SPDDELETE2 UNSPEC message
13/04/22 11:53:25 DB : policy found
13/04/22 11:53:25 K< : recv pfkey X_SPDDELETE2 UNSPEC message
13/04/22 11:53:25 DB : policy found
13/04/22 11:53:25 DB : policy deleted ( obj count = 4 )
13/04/22 11:53:25 K< : recv pfkey X_SPDDELETE2 UNSPEC message
13/04/22 11:53:25 DB : policy found
13/04/22 11:53:25 DB : policy deleted ( obj count = 3 )
13/04/22 11:53:25 K< : recv pfkey X_SPDDELETE2 UNSPEC message
13/04/22 11:53:25 DB : policy found
13/04/22 11:53:25 DB : policy deleted ( obj count = 2 )
13/04/22 11:53:25 K< : recv pfkey X_SPDDELETE2 UNSPEC message
13/04/22 11:53:25 DB : policy found
13/04/22 11:53:25 DB : policy deleted ( obj count = 1 )
13/04/22 11:53:25 DB : tunnel dpd event canceled ( ref count = 4 )
13/04/22 11:53:25 DB : tunnel stats event canceled ( ref count = 3 )
13/04/22 11:53:25 DB : removing tunnel config references
13/04/22 11:53:25 DB : config deleted ( obj count = 0 )
13/04/22 11:53:25 DB : removing tunnel phase2 references
13/04/22 11:53:25 DB : removing tunnel phase1 references
13/04/22 11:53:25 DB : phase1 soft event canceled ( ref count = 3 )
13/04/22 11:53:25 DB : phase1 hard event canceled ( ref count = 2 )
13/04/22 11:53:25 DB : phase1 dead event canceled ( ref count = 1 )
13/04/22 11:53:25 ii : sending peer DELETE message
13/04/22 11:53:25 ii : - 10.17.9.17:500 -> 111.222.333.444:500
13/04/22 11:53:25 ii : - isakmp spi = 16adb235e902b8cf:1bbf7eaa4ce7f460
13/04/22 11:53:25 ii : - data size 0
13/04/22 11:53:25 >> : hash payload
13/04/22 11:53:25 >> : delete payload
13/04/22 11:53:25 == : new informational hash ( 20 bytes )
13/04/22 11:53:25 == : new informational iv ( 16 bytes )
13/04/22 11:53:25 >= : cookies 16adb235e902b8cf:1bbf7eaa4ce7f460
13/04/22 11:53:25 >= : message 6d0d7075
13/04/22 11:53:25 >= : encrypt iv ( 16 bytes )
13/04/22 11:53:25 == : encrypt packet ( 80 bytes )
13/04/22 11:53:25 == : stored iv ( 16 bytes )
13/04/22 11:53:25 -> : send IKE packet 10.17.9.17:500 ->
111.222.333.444:500 ( 120 bytes )
13/04/22 11:53:25 ii : phase1 removal before expire time
13/04/22 11:53:25 DB : phase1 deleted ( obj count = 0 )
13/04/22 11:53:25 DB : tunnel deleted ( obj count = 0 )
13/04/22 11:53:25 DB : removing all peer tunnel references
13/04/22 11:53:25 DB : peer deleted ( obj count = 0 )
13/04/22 11:53:25 ii : ipc client process thread exit ...

Thank you for your time and assistance.


thehelpdeskguy
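Added example, not part of the original post or of the Shrew Soft project: a small Python checker for the iked debug format quoted in question (5). It pairs DPD ARE-YOU-THERE requests with their ACKs by sequence number, flags sequence gaps or unanswered requests, and records what ended the tunnel, so a reader can distinguish a peer that stopped answering DPD from a tunnel closed from the client side (as in the log above, where a "peer tunnel disable message" precedes the DELETE). The embedded excerpt is constructed from the page's own lines; reading the `<A` tag as the client's admin/IPC channel is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the Shrew Soft iked debug format seen on the page
# (addresses and sequence numbers are the page's own anonymised values).
SAMPLE_LOG = """\
13/04/22 11:53:01 ii : received peer DPDV1-R-U-THERE-ACK notification
13/04/22 11:53:01 ii : DPD ARE-YOU-THERE-ACK sequence 1dfca67e accepted
13/04/22 11:53:16 ii : sending peer DPDV1-R-U-THERE notification
13/04/22 11:53:16 ii : DPD ARE-YOU-THERE sequence 1dfca67f requested
13/04/22 11:53:16 ii : received peer DPDV1-R-U-THERE-ACK notification
13/04/22 11:53:16 ii : DPD ARE-YOU-THERE-ACK sequence 1dfca67f accepted
13/04/22 11:53:18 ii : ignoring init phase2 by acquire, tunnel is nailed
13/04/22 11:53:25 <A : peer tunnel disable message
13/04/22 11:53:25 ii : sending peer DELETE message
13/04/22 11:53:25 ii : phase1 removal before expire time
"""

# "<date> <time> <tag> : <message>"; the tag is iked's two-character channel marker.
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) : (.*)$")
DPD_REQ_RE = re.compile(r"DPD ARE-YOU-THERE sequence ([0-9a-f]+) requested")
DPD_ACK_RE = re.compile(r"DPD ARE-YOU-THERE-ACK sequence ([0-9a-f]+) accepted")

def analyse_iked_log(text: str) -> Dict[str, object]:
    """Summarise DPD health and the tunnel teardown cause from iked debug output."""
    requested: List[int] = []
    acked: List[int] = []
    teardown: Optional[Tuple[str, str]] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # wrapped continuation lines carry no timestamp; skip them
        stamp, _tag, msg = m.groups()
        if r := DPD_REQ_RE.search(msg):
            requested.append(int(r.group(1), 16))
        elif a := DPD_ACK_RE.search(msg):
            acked.append(int(a.group(1), 16))
        elif "peer tunnel disable message" in msg:
            # Assumption: the "<A" channel is the local GUI/IPC client, so this is a
            # deliberate disconnect rather than a DPD timeout on the peer.
            teardown = ("local-disable", stamp)
        elif teardown is None and "phase1 removal before expire time" in msg:
            teardown = ("early-phase1-removal", stamp)
    unanswered = sorted(hex(s) for s in set(requested) - set(acked))
    # DPD sequence numbers should advance by exactly one per exchange.
    gaps = [hex(b) for a, b in zip(acked, acked[1:]) if b != a + 1]
    return {"requested": len(requested), "acked": len(acked),
            "unanswered": unanswered, "sequence_gaps": gaps, "teardown": teardown}

if __name__ == "__main__":
    print(analyse_iked_log(SAMPLE_LOG))
```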