Kevin, et al., I've gotten further on this and I do now have it working between Shrew (2.1.7 & 2.2) and the WatchGuard (Fireware 11.4.1 Pro). WatchGuard folks have a brand-new release that supports the Shrew client (11.4[.1]). There is a "firmware" and a System Manager, both at the same release levels. They have a feature to generate either a WatchGuard config file or a Shrew (.vpn) config file. This is what I found shortly before I sent the second note. I gave it a go and had some problems. I've been working with the WatchGuard folks since 4/21/11.
The problem is that the Fireware Web UI is a) not filling in the PSK in the .vpn file (it had "b:auth-mutual-psk:(null)") and b) is barfing when it receives this from the client. This then responded fail to the PSK authentication, which made it look like the PSK values did not match. The interesting thing is that via the WSM (their service manager software) the .vpn file is generated correctly (base64-encoded PSK). I have a ticket open with them now. They were quite responsive while they thought it was a setup error or Shrew's fault, but have been a bit slower since I proved that it was their generation of the that was at fault. There are next to zero config options on the WatchGuard, but the software does work when the .vpn file is generated correctly.

One question I have is: is it legal to have "b:auth-mutual-psk:(null)" in the .vpn file, and what does Shrew do when it encounters such?

-greg

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of kevin vpn
Sent: Thursday, April 28, 2011 9:40 PM
To: [email protected]
Subject: Re: [vpn-help] WatchGuard XTM 23 & Shrew 2.2

On Wed, 20 Apr 2011 23:18:49 -0500 <[email protected]> wrote:
>
> So I downloaded, applied & then created the .vpn file. I imported the
> created .vpn file and gave it a try. I got a lot further than before,
> but I'm still getting an error.
>

Hi Greg,

This message in the Shrew log suggests to me that you should first check to see if your preshared keys match between Shrew and the gateway.

11/04/20 22:56:37 == : phase1 hash_r ( received ) ( 20 bytes )
11/04/20 22:56:37 !! : phase1 sa rejected, invalid auth data
11/04/20 22:56:37 !! : 100.55.20.75:4500 <-> 100.100.100.37:4500

If that doesn't work, I'd work to make sure the other phase1 settings match.
This is what Shrew is trying to use:

11/04/20 22:56:37 << : security association payload
11/04/20 22:56:37 << : - propsal #1 payload
11/04/20 22:56:37 << : -- transform #1 payload
11/04/20 22:56:37 ii : matched isakmp proposal #1 transform #1
11/04/20 22:56:37 ii : - transform = ike
11/04/20 22:56:37 ii : - cipher type = 3des
11/04/20 22:56:37 ii : - key length = default
11/04/20 22:56:37 ii : - hash type = sha1
11/04/20 22:56:37 ii : - dh group = group1 ( modp-768 )
11/04/20 22:56:37 ii : - auth type = xauth-initiator-psk
11/04/20 22:56:37 ii : - life seconds = 86400
11/04/20 22:56:37 ii : - life kbytes = 0

And this output from the gateway shows what it would like:

Debug 2011-04-21T03:59:26 Process=iked msg=IKE Proposal : peer propose EncryptAlgo 3DES
Debug 2011-04-21T03:59:26 Process=iked msg=IKE Proposal : peer propose AuthAlgo SHA-1
Debug 2011-04-21T03:59:26 Process=iked msg=Select IKE Proposal : matched DHGrp 1
Debug 2011-04-21T03:59:26 Process=iked msg=IKE Proposal : peer propose XAuthMode 65001
Debug 2011-04-21T03:59:26 Process=iked msg=P1__Mode: XAuth enforced, peer propose 65001
Debug 2011-04-21T03:59:26 Process=iked msg=IkeSelect Xauth= 65001 1
Debug 2011-04-21T03:59:26 Process=iked msg=Select Proposal : peer propose life sec 86400
Debug 2011-04-21T03:59:26 Process=iked msg=Select Proposal : take local proposed life sec 28800
Debug 2011-04-21T03:59:26 Process=iked msg=IkeProposalHtoN : net order spi(0000 0000 0000 0000)
Debug 2011-04-21T03:59:26 Process=iked msg=peer ID type 3 length 19 data0 54

Notice that there is a mismatch when it comes to the "life sec". There may be other mismatches, because I don't know how to map the "peer ID type 3" to the Shrew client settings.

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
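The two checks the thread does by hand (is the PSK actually present in the generated .vpn file, and do the phase 1 parameters the Shrew log reports line up with what the Fireware iked debug output says the gateway settled on) can be scripted. The following is an added example written for this page; it is not code from the thread, from Shrew or from WatchGuard. It assumes the Shrew .vpn file is a plain "type:key:value" text format in which "b:" values are base64 (the "b:auth-mutual-psk:(null)" line is quoted from the thread; the other key names in the constructed sample are assumptions), and it parses the Shrew and iked log lines exactly as they appear above. The sample .vpn content is constructed.

```python
import base64
import binascii
import re

# Constructed .vpn fragment in Shrew's type:key:value layout (key names other
# than auth-mutual-psk are assumptions about Shrew's naming, not from the thread).
SAMPLE_VPN_BAD = """\
n:version:2
s:network-host:vpn.example.invalid
s:auth-method:mutual-psk-xauth
b:auth-mutual-psk:(null)
"""

# Shrew log lines and Fireware iked debug lines quoted from the thread.
SHREW_LOG = """\
11/04/20 22:56:37 ii : - cipher type = 3des
11/04/20 22:56:37 ii : - key length = default
11/04/20 22:56:37 ii : - hash type = sha1
11/04/20 22:56:37 ii : - dh group = group1 ( modp-768 )
11/04/20 22:56:37 ii : - auth type = xauth-initiator-psk
11/04/20 22:56:37 ii : - life seconds = 86400
"""

WATCHGUARD_LOG = """\
Debug 2011-04-21T03:59:26 Process=iked msg=IKE Proposal : peer propose EncryptAlgo 3DES
Debug 2011-04-21T03:59:26 Process=iked msg=IKE Proposal : peer propose AuthAlgo SHA-1
Debug 2011-04-21T03:59:26 Process=iked msg=Select IKE Proposal : matched DHGrp 1
Debug 2011-04-21T03:59:26 Process=iked msg=Select Proposal : peer propose life sec 86400
Debug 2011-04-21T03:59:26 Process=iked msg=Select Proposal : take local proposed life sec 28800
"""


def parse_vpn(text):
    """Parse type:key:value lines into {key: (type, value)}; ignores blanks and comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # not a well-formed entry; skip rather than guess
        typ, key, value = parts
        entries[key] = (typ, value)
    return entries


def check_psk(entries):
    """Classify the auth-mutual-psk entry: 'missing', 'null', 'bad-base64' or 'ok'."""
    if "auth-mutual-psk" not in entries:
        return "missing"
    _typ, value = entries["auth-mutual-psk"]
    if value in ("", "(null)"):
        return "null"
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "bad-base64"
    return "ok" if decoded else "null"


def parse_shrew_phase1(log):
    """Pull the phase 1 parameters out of Shrew's 'matched isakmp proposal' block."""
    params = {}
    pat = re.compile(r"ii : - (cipher type|hash type|dh group|life seconds) = (.+)$")
    for line in log.splitlines():
        m = pat.search(line)
        if not m:
            continue
        name, val = m.group(1), m.group(2).strip()
        if name == "cipher type":
            params["cipher"] = val.lower()
        elif name == "hash type":
            params["hash"] = val.replace("-", "").lower()
        elif name == "dh group":
            params["dhgroup"] = int(re.match(r"group(\d+)", val).group(1))
        elif name == "life seconds":
            params["life_secs"] = int(val)
    return params


def parse_watchguard_phase1(log):
    """Pull the gateway's view of phase 1 out of Fireware iked debug lines."""
    params = {}
    for line in log.splitlines():
        if (m := re.search(r"peer propose EncryptAlgo (\S+)", line)):
            params["cipher"] = m.group(1).lower()
        elif (m := re.search(r"peer propose AuthAlgo (\S+)", line)):
            params["hash"] = m.group(1).replace("-", "").lower()
        elif (m := re.search(r"matched DHGrp (\d+)", line)):
            params["dhgroup"] = int(m.group(1))
        elif (m := re.search(r"take local proposed life sec (\d+)", line)):
            params["life_secs"] = int(m.group(1))  # the value the gateway enforces
    return params


def phase1_mismatches(client, gateway):
    """Return [(param, client_value, gateway_value)] for every parameter that differs."""
    return [(k, client.get(k), gateway.get(k))
            for k in sorted(set(client) | set(gateway))
            if client.get(k) != gateway.get(k)]


if __name__ == "__main__":
    print("PSK in generated .vpn file:", check_psk(parse_vpn(SAMPLE_VPN_BAD)))
    for param, ours, theirs in phase1_mismatches(parse_shrew_phase1(SHREW_LOG),
                                                 parse_watchguard_phase1(WATCHGUARD_LOG)):
        print(f"phase1 mismatch: {param}: client={ours} gateway={theirs}")
```

Run against the thread's own log lines, the only phase 1 difference reported is the lifetime (86400 seconds proposed by Shrew, 28800 seconds kept by the gateway); a "(null)" PSK is flagged before any connection attempt, which separates "the file was generated without a key" from "the keys differ", two failures that look identical from the gateway's "invalid auth data" rejection alone.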
