On Fri, 4 Mar 2011 15:00:10 -0500
"Shane Petersen {Computer Gurus}" <[email protected]> wrote:

> Attached are the Syswan VPN configuration screens. Anyone have a
> recommended configuration that would work with the ShrewSoft VPN
> client?
>
> If the attachments are blocked here are links to view them:
> http://dl.dropbox.com/u/522926/SysWanIKESetup.JPG
> http://dl.dropbox.com/u/522926/SysWanIPSecSetup.JPG
>

Hi Shane,

You can either modify the gateway to match Shrew's defaults, or modify Shrew to match the gateway. I suggest we try the second approach first.

There's sort of three steps that need to be completed before you can get a working tunnel:

1. Phase 1 negotiation.
2. Authentication.
3. Phase 2 negotiation.

So if we try to take this one step at a time, let's get Phase 1 working first. One thing you'll have to do on the gateway side, is on the IPSec screen, you'll need to change the "Phase 1 Negotiation" to Aggressive.

On the Shrew side, you need to match up the values with the gateway. On the Phase 1 tab:

Exchange Type: aggressive
DH Exchange: group 1 (typically people use group 2 btw)
Cipher Algorithm: auto
Hash Algorithm: auto
Key Life Time limit: 28800

For a start at the second step, you'll need to figure out how you want the Shrew client to be identified to the gateway. Based on your IPSec image, the gateway is currently set to expect a specific IP address to establish contact. If you have a static IP on the client side, put it into the IP Address field next to "Remote Security Network." Also put a password into the "Preshared Key" field.

On the Shrew side, on the Authentication tab, change the "Authentication Method" to "Mutual PSK". Under "Local Identity" change the "Identification Type" to "IP Address" and enter your static client's IP address. Then under "Credentials" put the same password as above into the "Pre Shared Key" field.

If you don't have static client IP, consider using something like "Fully Qualified Domain Name" (FQDN) on the gateway and in Shrew. You can make up any name, as long as it has at least two dots (aa.bb.cc) and is the same in both.

Try to get that working first. Watch the logs on the SysWan device to see if Phase 1 completes successfully. If not, report back with the output from the log.

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
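
Added example, not part of the original message and not Shrew Soft's own tooling: a Python check that reads a Shrew site configuration exported as a .vpn text file and lists every Phase 1 or authentication setting that differs from the values given in the reply above. The mapping from the dialog fields named in the reply to .vpn key names is an assumption, the sample file is constructed, and the function names are hypothetical.

```python
# Values from the reply above; the .vpn key names they map to are an assumption.
EXPECTED = {
    "phase1-exchange": "aggressive",
    "phase1-dhgroup": "1",
    "phase1-cipher": "auto",
    "phase1-hash": "auto",
    "phase1-life-secs": "28800",
    "auth-method": "mutual-psk",
    "ident-client-type": "address",
}

# Constructed sample export (192.0.2.x and 198.51.100.x are documentation
# addresses). Two values deliberately differ from what the gateway expects.
SAMPLE_VPN = """\
n:version:2
s:network-host:192.0.2.1
s:auth-method:mutual-psk
s:ident-client-type:address
s:ident-client-data:198.51.100.7
s:phase1-exchange:main
n:phase1-dhgroup:2
s:phase1-cipher:auto
s:phase1-hash:auto
n:phase1-life-secs:28800
"""

def parse_vpn(text):
    """Parse 'type:key:value' lines (s=string, n=number, b=base64) into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3 or parts[0] not in ("s", "n", "b"):
            raise ValueError(f"unrecognised line: {line!r}")
        settings[parts[1]] = parts[2]
    return settings

def phase1_mismatches(settings, expected=EXPECTED):
    """Return {key: (found, wanted)} for each setting that differs or is missing."""
    return {k: (settings.get(k), v) for k, v in expected.items()
            if settings.get(k) != v}

if __name__ == "__main__":
    for key, (found, wanted) in phase1_mismatches(parse_vpn(SAMPLE_VPN)).items():
        print(f"{key}: found {found!r}, gateway expects {wanted!r}")
```

A mismatch reported here is the kind of difference that would keep Phase 1 from completing, so it is worth clearing before reading the gateway log.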
