Hi All,

I analyzed this further from my gateway and I noticed the following things.

In the XAuth negotiation, after authenticating the user successfully, my gateway is pushing configuration data (IP address, mask and DNS) to the client using ISAKMP_CFG_SET with the XAUTH_STATUS attribute set to 1. draft-ietf-ipsec-isakmp-xauth-06.txt requires an XAUTH_STATUS attribute exchange to terminate the xauth transaction.

The Shrew client is sending an ISAKMP_CFG_ACK message with no attributes. I also see an additional ISAKMP_CFG_ACK message with all the attributes. Debug logs show the client is sending config push. I do not see XAUTH_STATUS in either ISAKMP_CFG_ACK message. My gateway is ignoring the second ISAKMP_CFG_ACK message, but it seems like the Shrew client is expecting some reply from the gateway, and it is re-sending the second ISAKMP_CFG_ACK without starting phase-2 negotiation.

Hoping this analysis will help to identify the issue.

Thanks,
Vali.

Message: 1
Date: Wed, 26 May 2010 16:42:34 -0700
From: Vali <[email protected]>
Subject: [vpn-help] Shrew VPN client fails to connect when "ike config push" is selected
To: [email protected]
Message-ID: <[email protected]>

Hello,

I'm hoping you will help me to identify the problem here.

Problem: Shrew VPN client fails to connect to my gateway when "ike config push" is chosen. I configured the "ike config push" method in the general tab. Phase-1 and phase-2 configuration matches what is configured on the gateway.

Situation:
- Phase-1 completed successfully.
- After xauth is completed, the gateway is pushing IP details to the client.
- The Shrew client is sending two ISAKMP_CFG_ACK packets to the gateway, one with no attributes and the other with the accepted attributes list.

Debug logs are attached.

If I disable "Auto configuration" in the general tab and assign a manual IP, everything works fine. The tunnel establishes and traffic goes through. "ike config pull" is not working in my case.

Here are some additional details:
. VPN Client Version : 2.1.5
. Windows OS Version : Windows XP
. Gateway Make/Model : Watchguard's Firebox X1250e
. Gateway OS Version ( if known ) : Do not know

Thanks,
Mastan.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug.7z
Type: application/octet-stream
Size: 9006 bytes
Desc: not available
Url : http://lists.shrew.net/pipermail/vpn-help/attachments/20100526/b32bea49/attachment-0001.obj
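Added example, not part of the original posts and not Shrew or WatchGuard code: a small decoder for decrypted ISAKMP Attribute payloads that performs the check described in the reply above, namely whether an ISAKMP_CFG_ACK answers the XAUTH_STATUS carried in the ISAKMP_CFG_SET. The payload layout and type numbers follow the mode-cfg and xauth drafts; the identifier 0x1234, the addresses and the helper names are constructed for illustration.

```python
import struct
CFG_SET, CFG_ACK = 3, 4                      # ISAKMP_CFG_SET / ISAKMP_CFG_ACK
ATTRS = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
         3: "INTERNAL_IP4_DNS", 16527: "XAUTH_STATUS"}

def parse_cfg(payload):
    """Decode one decrypted Attribute payload into (type, identifier, attrs)."""
    if len(payload) < 8:
        raise ValueError("truncated Attribute payload")
    _, _, length, ctype, _, ident = struct.unpack("!BBHBBH", payload[:8])
    if not 8 <= length <= len(payload):
        raise ValueError("bad payload length")
    attrs, off = {}, 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        atype, lv = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if atype & 0x8000:            # AF=1: basic (TV), lv is the value
            value = lv
        else:                         # AF=0: variable (TLV), lv is the length
            if off + lv > length:
                raise ValueError("attribute overruns payload")
            value, off = payload[off:off + lv], off + lv
        attrs[ATTRS.get(atype & 0x7FFF, atype & 0x7FFF)] = value
    return ctype, ident, attrs

def ack_problems(cfg_set, cfg_ack):
    """Reasons why cfg_ack does not answer the XAUTH_STATUS sent in cfg_set."""
    stype, sid, sattrs = parse_cfg(cfg_set)
    atype, aid, aattrs = parse_cfg(cfg_ack)
    problems = []
    if (stype, atype) != (CFG_SET, CFG_ACK):
        problems.append("not a SET/ACK pair")
    if sid != aid:
        problems.append("identifier mismatch")
    if "XAUTH_STATUS" in sattrs and "XAUTH_STATUS" not in aattrs:
        problems.append("ACK lacks XAUTH_STATUS")
    return problems

def build(ctype, ident, attrs):       # builds the constructed samples below
    body = b"".join(struct.pack("!HH", t | 0x8000, v) if isinstance(v, int)
                    else struct.pack("!HH", t, len(v)) + v for t, v in attrs)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), ctype, 0, ident) + body
# Constructed samples (documentation addresses), not from the attached debug log.
SET = build(CFG_SET, 0x1234, [(16527, 1), (1, bytes([192, 0, 2, 10])),
                              (2, bytes([255, 255, 255, 0])), (3, bytes([192, 0, 2, 53]))])
ACK_EMPTY = build(CFG_ACK, 0x1234, [])
ACK_IP_ONLY = build(CFG_ACK, 0x1234, [(1, b""), (2, b""), (3, b"")])
```

Both constructed ACKs, the empty one and the one listing only the IP attributes, are flagged as lacking XAUTH_STATUS, which matches the two ISAKMP_CFG_ACK messages described in the thread.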
