Hi,

As a way of providing VPN access for our iPhone-using staff, I've followed the nice recipe provided here:
http://blog.dest-unreach.be/2011/03/03/iphone-compatible-ipsec-vpn-on-an-ubuntu-server-with-ldap-authentication/

Aside from using standard auth rather than ldap, that's the config we're using. Now, I'd like to have the Shrew client as another option to connect to that. But I can't get Phase 1 to work. It fails like this:

    Jan 19 10:12:55 boxname racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth pskey server:GSS-API on Kerberos 5
    Jan 19 10:12:55 boxname racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = XAuth pskey server:GSS-API on Kerberos 5
    Jan 19 10:12:55 boxname racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = XAuth pskey server:GSS-API on Kerberos 5
    Jan 19 10:12:55 boxname racoon: ERROR: no suitable proposal found.
    Jan 19 10:12:55 boxname racoon: ERROR: failed to get valid proposal.
    Jan 19 10:12:55 boxname racoon: ERROR: failed to pre-process packet.
    Jan 19 10:12:55 boxname racoon: ERROR: phase1 negotiation failed.

I have Shrew's Phase 1 set for aggressive, group 2, aes, auto, sha1, and the Authentication Method set to "Mutual PSK + XAuth," which would seem to match racoon's settings:

    remote anonymous {
        tunnel passive on;
        exchange_mode main,aggressive;
        my_identifier fqdn "something.obfuscated.com";
        mode_cfg on;
        verify_cert off;
        ike_frag on;
        generate_policy on;
        nat_traversal on;
        dpd_delay 20;
        proposal {
            encryption_algorithm aes;
            hash_algorithm sha1;
            authentication_method xauth_psk_server;
            dh_group 2;
        }
    }

I've tried both the latest Linux Shrew, and the stable Windows version, and both get a similar string of "rejected" responses from racoon.

Is Shrew's "Mutual PSK + XAuth" the equivalent of "xauth_psk_client" rather than "xauth_psk_server" on the racoon side? I have no idea what the difference between those two is, but prefer not to alter something that's working for the primary audience, the iPhone users.
Whit
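An added example, not part of the original post: a small parser that groups racoon's "rejected" lines by attribute, local value and peer value, so a failed Phase 1 can be read at a glance. The line layout (local value left of the colon, peer value right of it) is an assumption read off the log quoted in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Assumed layout, read off the log in the post:
#   rejected <attr>: DB(prop#a:trns#b):Peer(prop#c:trns#d) = <local>:<peer>
REJECT_RE = re.compile(
    r"racoon: ERROR: rejected (?P<attr>\w+): "
    r"DB\(prop#(?P<db_prop>\d+):trns#(?P<db_trns>\d+)\):"
    r"Peer\(prop#(?P<peer_prop>\d+):trns#(?P<peer_trns>\d+)\) = "
    r"(?P<local>[^:]+):(?P<peer>.+)$"
)

# Log lines copied from the post (first three rejections plus the failure).
SAMPLE = """\
Jan 19 10:12:55 boxname racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth pskey server:GSS-API on Kerberos 5
Jan 19 10:12:55 boxname racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = XAuth pskey server:GSS-API on Kerberos 5
Jan 19 10:12:55 boxname racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = XAuth pskey server:GSS-API on Kerberos 5
Jan 19 10:12:55 boxname racoon: ERROR: no suitable proposal found.
Jan 19 10:12:55 boxname racoon: ERROR: phase1 negotiation failed.
""".splitlines()

def parse_rejections(lines):
    """Return one dict per 'rejected <attribute>' line; other lines are skipped."""
    out = []
    for line in lines:
        m = REJECT_RE.search(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("db_prop", "db_trns", "peer_prop", "peer_trns"):
            d[key] = int(d[key])
        out.append(d)
    return out

def summarize(lines):
    """Count rejections per (attribute, local value, peer value)."""
    rej = parse_rejections(lines)
    counts = Counter((r["attr"], r["local"], r["peer"]) for r in rej)
    return {
        "mismatches": dict(counts),
        "peer_transforms": sorted({r["peer_trns"] for r in rej}),
        "phase1_failed": any("phase1 negotiation failed" in l for l in lines),
    }

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for (attr, local, peer), n in s["mismatches"].items():
        print(f"{attr}: local={local!r} peer={peer!r} rejected {n}x")
    print("peer transforms:", s["peer_transforms"], "failed:", s["phase1_failed"])
```

On the log above, every peer transform is rejected on the same attribute, authmethod, with the same local and peer values.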
