Topic: Initial Shrew vpn client config  (Read 5699 times)
« on: May 11, 2010, 09:19:04 »
bigbrother *
Posts: 12

Hi everybody

I did set up the Shrew VPN client with the following installation guide:

http://www.shrew.net/support/wiki/HowtoMonowall


When I try to connect I'm getting the following log entries in the M0n0wall:

Quote
May 11 09:08:23    racoon: ERROR: phase1 negotiation failed.
May 11 09:08:23    racoon: ERROR: failed to pre-process packet.
May 11 09:08:23    racoon: ERROR: failed to get valid proposal.
May 11 09:08:23    racoon: ERROR: no suitable proposal found.
May 11 09:08:23    racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = pre-shared key:65001
May 11 09:08:23    racoon: INFO: Selected NAT-T version: RFC 3947
May 11 09:08:23    racoon: INFO: received Vendor ID: CISCO-UNITY
May 11 09:08:23    racoon: INFO: received Vendor ID: DPD
May 11 09:08:23    racoon: INFO: received Vendor ID: RFC 3947
May 11 09:08:23    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
May 11 09:08:23    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 11 09:08:23    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
May 11 09:08:23    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
May 11 09:08:23    racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May 11 09:08:23    racoon: INFO: begin Aggressive mode.
May 11 09:08:23    racoon: INFO: respond new phase 1 negotiation: {M0n0wall-IP}[500]<=>{Client-IP}[17896]


This is my M0n0wall configuration:

Quote
n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:network-natt-port:4500
n:network-natt-rate:30
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:54600
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:28800
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:{M0n0wall}
s:client-auto-mode:pull
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:disable
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
s:ident-server-type:address
s:ident-client-data:{email address}
b:auth-mutual-psk:*********************
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-list-include:192.168.1.0 / 255.255.255.0


Can somebody help me please? There is probably something wrong in the installation guide from Shrew.

Many thanx

bb
« Reply #1 on: May 11, 2010, 11:45:35 »
bigbrother *
Posts: 12

@ ALL

I did find out some more things and now I'm connected via VPN to the m0n0wall device.

But if I ping for example 192.168.1.10 from the mobile client I see system log entries on
the m0n0wall side like:

Quote
May 11 11:34:49    racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.24.4.50/32[0] proto=any dir=out"
May 11 11:34:49    racoon: ERROR: such policy does not already exist: "172.24.4.50/32[0] 192.168.1.0/24[0] proto=any dir=in"

After the ping I see that SAD/SPD entries exist, so the VPN session is successfully established,
but there must be a policy config mistake, I think.

Does somebody know something about this?


Kind regards
bb
« Last Edit: May 11, 2010, 11:48:14 by bigbrother »
« Reply #2 on: May 11, 2010, 17:54:46 »
bigbrother *
Posts: 12

@ ALL

I read that this behavior is normal. So I'm able to establish a VPN tunnel, but nothing happens when I ping a device on the remote side from the mobile client (Shrew).

I don't know what the mistake is...?


Any help is appreciated

bb
« Reply #3 on: June 26, 2010, 11:35:48 »
bigbrother *
Posts: 12

@ ALL again

Ok, I did find the problem...

(In german http://www.administrator.de/IPsec_VPN_auf_M0n0wall_oder_pfsense_Firewall_mit_Client_oder_Cisco_Router.html)

There is an important point to avoid frustration :-)
If you use M0n0wall in combination with a DSL router, all inbound traffic is blocked.

You have to allow inbound IPsec ESP traffic as follows:

Open on the WAN port UDP 500 (IKE), UDP 4500 (NAT Traversal) and the ESP protocol.

http://www.administrator.de/images/articles/dc25e349b85fe4cd5cc9f9c01970f23c-monoesp.jpg


This helped me to finally connect from the Shrew client to M0n0wall :-)


Saludos
bb
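The two things this thread turns on can both be checked mechanically: the racoon "rejected authmethod" line in the first post (the gateway's proposal database expects "pre-shared key", value 1, while the client offered 65001, the private-use XAUTHInitPreShared value from the ISAKMP XAuth draft, which matches the profile's auth-method of mutual-psk-xauth), and the WAN permits from the last post (UDP 500, UDP 4500 when NAT-T is enabled, and protocol ESP). The script below is an added example, not code from the thread, from Shrew Soft or from m0n0wall; the profile and log lines it embeds are constructed to mirror the ones posted, and the rule table it checks against is a hypothetical list of what a WAN filter already permits.

```python
"""Diagnose a Shrew Soft <-> racoon (m0n0wall) IPsec setup from the artefacts a
user typically posts: the Shrew profile ('n:'/'s:'/'b:' lines) and racoon log
lines.  Added example; inputs below are constructed, not taken from a real site."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple, Union

Value = Union[int, str, bytes]
Rule = Tuple[str, Optional[int]]          # (protocol, port); port is None for ESP

# Constructed Shrew profile fragment in the format quoted in the thread.
PROFILE_TEXT = """\
n:network-ike-port:500
n:network-natt-port:4500
s:network-natt-mode:enable
s:auth-method:mutual-psk-xauth
s:phase1-exchange:aggressive
s:phase2-transform:esp-3des
"""

# Constructed racoon log lines modelled on the ones in the first post.
LOG_TEXT = """\
May 11 09:08:23    racoon: INFO: begin Aggressive mode.
May 11 09:08:23    racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = pre-shared key:65001
May 11 09:08:23    racoon: ERROR: no suitable proposal found.
May 11 09:08:23    racoon: ERROR: phase1 negotiation failed.
"""

# IKEv1 phase-1 authentication-method values (RFC 2409 plus the XAuth draft's private-use range).
AUTH_METHOD_NAMES = {1: "pre-shared key", 3: "RSA signature",
                     65001: "XAUTHInitPreShared", 65002: "XAUTHRespPreShared"}

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+)\s+racoon: (?P<level>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"rejected authmethod: DB\(.*?\):Peer\(.*?\) = (?P<db>.+):(?P<peer>[^:]+)$")


def parse_profile(text: str) -> Dict[str, Value]:
    """Parse Shrew 'type:key:value' lines: n = integer, s = string, b = binary blob."""
    out: Dict[str, Value] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, key, value = line.split(":", 2)
        if kind == "n":
            out[key] = int(value)
        elif kind == "b":
            out[key] = value.encode()       # real profiles store base64 here; kept opaque
        else:
            out[key] = value
    return out


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split racoon syslog lines into timestamp, level and message."""
    return [m.groupdict() for m in (LOG_RE.match(l.strip()) for l in text.splitlines()) if m]


def decode_method(token: str) -> str:
    """racoon prints known methods by name and unknown ones numerically; normalise both."""
    token = token.strip()
    if token.isdigit():
        return AUTH_METHOD_NAMES.get(int(token), f"unknown({token})")
    return token


def diagnose(profile: Dict[str, Value], entries: Iterable[Dict[str, str]]) -> List[str]:
    """Explain a phase-1 auth-method rejection in terms of what each side expected."""
    findings: List[str] = []
    for entry in entries:
        m = AUTH_RE.search(entry["msg"])
        if m:
            db, peer = decode_method(m["db"]), decode_method(m["peer"])
            findings.append(f"phase1 auth mismatch: gateway DB expects '{db}', client proposed '{peer}'")
    method = str(profile.get("auth-method", ""))
    if findings and method.endswith("xauth"):
        findings.append(f"profile auth-method={method}: the gateway's mobile-client settings "
                        "must offer the same XAuth + pre-shared key method for phase 1 to agree")
    return findings


def required_wan_rules(profile: Dict[str, Value]) -> Set[Rule]:
    """Inbound WAN permits the gateway needs for this profile (the fix in the last post)."""
    rules: Set[Rule] = {("udp", int(profile.get("network-ike-port", 500))), ("esp", None)}
    if profile.get("network-natt-mode", "disable") != "disable":
        rules.add(("udp", int(profile.get("network-natt-port", 4500))))
    return rules


def missing_wan_rules(profile: Dict[str, Value], allowed: Iterable[Rule]) -> Set[Rule]:
    """Which of the required permits are absent from a (hypothetical) WAN allow list."""
    return required_wan_rules(profile) - set(allowed)


if __name__ == "__main__":
    prof = parse_profile(PROFILE_TEXT)
    for f in diagnose(prof, parse_log(LOG_TEXT)):
        print("finding:", f)
    # Hypothetical WAN filter that only permits IKE on UDP 500 so far.
    print("missing WAN permits:", sorted(missing_wan_rules(prof, [("udp", 500)]), key=str))
```

Run against the constructed inputs it reports the XAuth-versus-plain-PSK disagreement behind "no suitable proposal found", and lists UDP 4500 and ESP as the permits still missing from a WAN filter that only opens UDP 500; both ports come from the profile rather than being hard-coded, so a profile with a non-default IKE or NAT-T port is checked against the ports it will actually use.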
 