On 6/28/2010 1:33 AM, Gilles Gravier wrote:
> Hi!
>
> I'm trying to connect to my corporate VPN... I imported a PCF file.
> Shrew VPN then tells me that I need a certificate for it. Fine. I get
> the certificate from a Linux VPN installation file. I specify it in my
> Shrew configuration file.
>
> I connect. If I type wrong username/password, I get an error. If I type
> correct username/password, but with the wrong certificate, I get an error.
>
> If I type correct username/password, with the correct certificate
> installed, it connects, then after a few seconds it disconnects.
>

Hi Gilles,

Try installing the 2.1.6 beta, which contains a few interoperability improvements. If you are using 2.1.6, my guess is that you're connecting to a 3000 series concentrator or an IOS-based appliance. These require more modifications to the client for interoperability. The explanation for this is rather technical, but I'll try to summarize ...

The Shrew Soft implementation generates policies and unique security associations for those policies. The Cisco client negotiates policies and then a single security association for all policies. This works fine with newer PIX/ASA firmware but causes issues with concentrators and IOS-based routers. The problem occurs because the client attempts to negotiate an SA using a specific target network value, which is typically obtained from the gateway during modecfg negotiation. Because the gateway expects the client to negotiate an SA using a generic value of 0.0.0.0/0, it disconnects the client.

If 2.1.6 doesn't work, try adding a single 0.0.0.0/0 include network (under the policy tab). However, I'll be posting a new 2.1.6 beta in the next day or two that introduces additional control over how SAs are negotiated for generated policies. This change is designed to solve the problem I just described. Keep an eye on the mailing list for more details.

Thanks,

-Matthew
