Topic: IPsec -- Shrew Soft VPN Manager  (Read 4366 times)
« on: May 06, 2010, 23:27:43 »
animedreamer
Posts: 19

I have been experimenting with the IPsec capabilities of m0n0wall.  I am using the Shrew Soft VPN Manager on my client to create the tunnel.  I can successfully create the tunnel using pre-shared keys, but I'd rather use certificates instead.  I have everything set up to use certificates, but I cannot get the tunnel established.  The Shrew Soft VPN Manager keeps showing a "gateway authentication error" message.

There was one unusual thing that I noticed when saving changes to the IPsec service.  The following warning message appears in the logs:

racoon: WARNING: /var/etc/racoon.conf:23: "}" Both CERT and ASN1 ID are set. Hope this is OK.

Here are the logs for when I attempt to establish the tunnel:

May 6 17:23:35    racoon: INFO: ISAKMP-SA deleted 65.105.187.162[500]-192.168.0.15[500] spi:d2c5d13cfcd49d9d:08817ca0365cae41
May 6 17:23:34    racoon: INFO: ISAKMP-SA expired 65.105.187.162[500]-192.168.0.15[500] spi:d2c5d13cfcd49d9d:08817ca0365cae41
May 6 17:23:34    racoon: INFO: ISAKMP-SA established 65.105.187.162[500]-192.168.0.15[500] spi:d2c5d13cfcd49d9d:08817ca0365cae41
May 6 17:23:34    racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=US/ST=Pennsylvania/L=Pittsburgh/CN=TEST Enterprises/emailAddress=test@test.com
May 6 17:23:34    racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=US/ST=Pennsylvania/L=Pittsburgh/CN=test-vincentr/emailAddress=test@test.com
May 6 17:23:34    racoon: INFO: NAT not detected
May 6 17:23:34    racoon: INFO: NAT-D payload #1 verified
May 6 17:23:34    racoon: INFO: Hashing 192.168.0.15[500] with algo #2
May 6 17:23:34    racoon: INFO: NAT-D payload #0 verified
May 6 17:23:34    racoon: INFO: Hashing 65.105.187.162[500] with algo #2
May 6 17:23:33    racoon: INFO: Hashing 65.105.187.162[500] with algo #2
May 6 17:23:33    racoon: INFO: Hashing 192.168.0.15[500] with algo #2
May 6 17:23:33    racoon: INFO: Adding remote and local NAT-D payloads.
May 6 17:23:33    racoon: INFO: Selected NAT-T version: RFC 3947
May 6 17:23:33    racoon: INFO: received Vendor ID: CISCO-UNITY
May 6 17:23:33    racoon: INFO: received Vendor ID: DPD
May 6 17:23:33    racoon: INFO: received Vendor ID: RFC 3947
May 6 17:23:33    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
May 6 17:23:33    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 6 17:23:33    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
May 6 17:23:33    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
May 6 17:23:33    racoon: INFO: begin Aggressive mode.
May 6 17:23:33    racoon: INFO: respond new phase 1 negotiation: 65.105.187.162[500]<=>192.168.0.15[500]

It looks like the tunnel is established, but is then immediately torn down.  My best guess is that the Shrew Soft manager is waiting for additional authentication information, but never receives it.

Any insight into this issue is greatly appreciated.

Thanks.

Vincent
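A small racoon log triage script, added here as an example and not part of the original post: it parses the syslog-style lines quoted above, measures how long each ISAKMP SA lived between "established" and its first "expired"/"deleted", and lists the CRL warnings by chain depth, so the "established then torn down at once" pattern and the missing-CRL condition show up as explicit findings rather than needing to be read out of the log by eye. The sample is the post's own lines re-ordered oldest-first; the year 2010 used to complete the timestamps and the 5-second "short-lived" threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the racoon lines quoted in the post, put into time order.
SAMPLE_LOG = """\
May 6 17:23:33    racoon: INFO: respond new phase 1 negotiation: 65.105.187.162[500]<=>192.168.0.15[500]
May 6 17:23:34    racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=US/ST=Pennsylvania/L=Pittsburgh/CN=test-vincentr/emailAddress=test@test.com
May 6 17:23:34    racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=US/ST=Pennsylvania/L=Pittsburgh/CN=TEST Enterprises/emailAddress=test@test.com
May 6 17:23:34    racoon: INFO: ISAKMP-SA established 65.105.187.162[500]-192.168.0.15[500] spi:d2c5d13cfcd49d9d:08817ca0365cae41
May 6 17:23:34    racoon: INFO: ISAKMP-SA expired 65.105.187.162[500]-192.168.0.15[500] spi:d2c5d13cfcd49d9d:08817ca0365cae41
May 6 17:23:35    racoon: INFO: ISAKMP-SA deleted 65.105.187.162[500]-192.168.0.15[500] spi:d2c5d13cfcd49d9d:08817ca0365cae41
"""

LINE_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d)\s+racoon: (\w+): (.*)$")
SA_RE = re.compile(r"ISAKMP-SA (established|expired|deleted) .* spi:(\S+)")
CRL_RE = re.compile(r"unable to get certificate CRL\(\d+\) at depth:(\d+) SubjectName:(.+)")

def parse_racoon(text, year=2010):
    """syslog-style racoon lines -> (timestamp, level, message), oldest first (year is assumed)."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        mon, day, clock, level, msg = m.groups()
        ts = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
        events.append((ts, level, msg))
    return sorted(events, key=lambda e: e[0])

def sa_lifetimes(events):
    """Seconds each ISAKMP SA (keyed by SPI pair) lived: 'established' to first 'expired'/'deleted'."""
    start, end = {}, {}
    for ts, _, msg in events:
        m = SA_RE.search(msg)
        if m and m.group(1) == "established":
            start.setdefault(m.group(2), ts)
        elif m:
            end.setdefault(m.group(2), ts)
    return {spi: (end[spi] - start[spi]).total_seconds() for spi in start if spi in end}

def triage(text, short_life=5):
    """Flag SAs torn down within short_life seconds, plus the CRL warnings by chain depth."""
    events = parse_racoon(text)
    life = sa_lifetimes(events)
    crl = [(int(d), s) for _, lvl, msg in events if lvl == "WARNING" for d, s in CRL_RE.findall(msg)]
    return {"lifetimes": life,
            "short_lived": sorted(spi for spi, secs in life.items() if secs <= short_life),
            "crl_depths": sorted(d for d, _ in crl), "crl_subjects": [s for _, s in crl]}
```

Running `triage(SAMPLE_LOG)` on the quoted lines reports the single SA as short-lived (0 seconds) and CRL lookups failing at depth 0 (the client certificate) and depth 1 (the issuing CA), which is the pair of facts to take to the racoon configuration next.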