Hi, Matthew!

OK... I've installed 2.1.6b9... and when I try to connect, I get a slightly different behavior: "incorrect message from gateway". :)

It's (some sort of) progress... :) But you are right... it's a Cisco gateway.

Should I try your "0.0.0.0/0 include network" thing... with the 2.1.6b9? Or should I try it with the 2.1.5? Or wait for 2.1.6b10?

Thanks,
Gilles.

On 28/06/2010 20:47, Matthew Grooms wrote:
> On 6/28/2010 1:33 AM, Gilles Gravier wrote:
>> Hi!
>>
>> I'm trying to connect to my corporate VPN... I imported a PCF file.
>> Shrew VPN then tells me that I need a certificate for it. Fine. I get
>> the certificate from a Linux VPN installation file. I specify it in my
>> Shrew configuration file.
>>
>> I connect. If I type wrong username/password, I get an error. If I type
>> correct username/password, but with the wrong certificate, I get an
>> error.
>>
>> If I type correct username/password, with the correct certificate
>> installed, it connects, then after a few seconds it disconnects.
>>
>
> Hi Gilles,
>
> Try installing the 2.1.6 beta which contains a few interoperability
> improvements. If you are using 2.1.6, my guess is that you're connecting
> to a 3000 series concentrator or an IOS-based appliance. These require
> more modifications to the client for interoperability. The explanation
> for this is rather technical, but I'll try to summarize ...
>
> The Shrew Soft implementation generates policies and unique security
> associations for those policies. The Cisco client negotiates policies
> and then a single security association for all policies. This works
> fine with newer PIX/ASA firmware but causes issues with concentrators
> and IOS-based routers. The problem occurs because the client attempts
> to negotiate an SA using a specific target network value which is
> typically obtained from the gateway during modecfg negotiation.
> Because the gateway expects the client to negotiate an SA using a
> generic value of 0.0.0.0/0, it disconnects the client.
>
> If 2.1.6 doesn't work, try adding a single 0.0.0.0/0 include network
> (under the policy tab). However, I'll be posting a new 2.1.6 beta in
> the next day or two that introduces additional control over how SAs
> are negotiated for generated policies. This change is designed to
> solve the problem I just described. Keep an eye on the mailing list
> for more details.
>
> Thanks,
>
> -Matthew

--
Gilles Gravier
ICQ: 77488526 || Skype: ggravier || Y!: ggravier || AOL: gillesgravier || Aka-Aki: ggravier
PGP Key ID: 0x8DE6D026 <http://pgp.mit.edu:11371/pks/lookup?search=0x8DE6D026&op=index>
"Living on Earth is expensive, but it does include a free trip around the sun."
