On 05/04/2012 04:21 PM, Giuseppe Gammariello wrote:
Hello all,

I am using Shrewsoft 2.1.7 to connect to a very old and outdated
Watchguard Firewall; running WatchGuard SOHO 6 TC.  I am able to
connect to the WG successfully and from what I can tell, successfully
establish phase 1 and phase 2 authentications.  All works fine for
about 10-15 minutes, then I can no longer pass traffic.  Shrewsoft
still says the tunnel is enabled, but no pings are returned.  I have
the WatchGuard VPN software working on a Windows XP machine without
issue and that stays connected all the time, however I can't get
WatchGuard and Shrewsoft to work together.  I have attached some
logs.  I have changed the external ip to 2.2.2.2 in the log files.
The local site has a 192.168.1.0 network and the remote site has a
192.168.7.0 network.

I did a running ping and pings stop getting replies at the
22:37:39.482 mark in the log files.

Any help would be greatly appreciated.


Hi Giuseppe,

I'm not sure if this is still a problem (you sent this message weeks
ago), but I think your problem may be related to the phase1 "life kbytes" as shown below.

From my understanding, after either the "life seconds" or "life kbytes" limit is reached, the phase1 security association needs to be re-negotiated. However, I've also noticed that it is possible for a tunnel to be established between a gateway and a client even if the "life seconds" or "life kbytes" do not match, and unfortunately, if they do not match, the phase1 re-negotiation usually fails because only one end of the connection is ready to negotiate (the other thinks the current security association can still be used).

Try either setting the Shrew configuration Phase 1 "Key Life Data limit" to 0 or check with your VPN gateway administrator to see what the correct values for the Phase1 lifetime (Key Life Time limit) and Kbytes (Key Life Data limit) should be.


iked.log
...
12/05/03 22:23:27 << : security association payload
12/05/03 22:23:27 << : - propsal #1 payload
12/05/03 22:23:27 << : -- transform #1 payload
12/05/03 22:23:27 ii : matched isakmp proposal #1 transform #1
12/05/03 22:23:27 ii : - transform    = ike
12/05/03 22:23:27 ii : - cipher type  = des
12/05/03 22:23:27 ii : - key length   = default
12/05/03 22:23:27 ii : - hash type    = sha1
12/05/03 22:23:27 ii : - dh group     = modp-768
12/05/03 22:23:27 ii : - auth type    = psk
12/05/03 22:23:27 ii : - life seconds = 86400
12/05/03 22:23:27 ii : - life kbytes  = 1000
...
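The lifetime-mismatch diagnosis above can be checked mechanically against the client log. The script below is an added example, not part of the thread or of the Shrew Soft software: it parses the "matched isakmp proposal" block that iked.log prints at phase1 time, then compares the gateway's negotiated "life seconds" / "life kbytes" with the values configured in the client's Phase 1 tab (Key Life Time limit and Key Life Data limit, passed in as plain integers) and reports any mismatch. It also flags the negotiated DES cipher and modp-768 DH group, which are too weak for new deployments regardless of the rekey problem. The embedded log text is a constructed copy of the lines quoted in the reply; the client-side values are assumptions to be replaced with what the client actually has configured.

```python
import re

# Constructed sample, modelled on the iked.log excerpt quoted in the thread.
SAMPLE_LOG = """\
12/05/03 22:23:27 ii : matched isakmp proposal #1 transform #1
12/05/03 22:23:27 ii : - transform    = ike
12/05/03 22:23:27 ii : - cipher type  = des
12/05/03 22:23:27 ii : - key length   = default
12/05/03 22:23:27 ii : - hash type    = sha1
12/05/03 22:23:27 ii : - dh group     = modp-768
12/05/03 22:23:27 ii : - auth type    = psk
12/05/03 22:23:27 ii : - life seconds = 86400
12/05/03 22:23:27 ii : - life kbytes  = 1000
"""

# One attribute line of the proposal block: "<date> <time> ii : - <key> = <value>"
FIELD_RE = re.compile(r"^\S+ \S+ ii : - (?P<key>[a-z ]+?)\s*= (?P<val>\S+)$")

# Algorithms a current deployment should not accept (assumed policy, not Shrew's).
WEAK_CIPHERS = {"des"}
WEAK_DH_GROUPS = {"modp-768", "modp-1024"}


def parse_matched_proposal(log_text):
    """Return {attribute: value} for the first 'matched isakmp proposal' block.

    The block starts at the 'matched isakmp proposal' line and ends at the
    first line that is not a '- key = value' attribute line.
    """
    attrs = {}
    in_block = False
    for line in log_text.splitlines():
        if "matched isakmp proposal" in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = FIELD_RE.match(line)
        if not m:
            break  # end of the attribute list
        attrs[m.group("key").strip()] = m.group("val")
    return attrs


def check_phase1(gateway, client_life_secs, client_life_kbytes):
    """Compare negotiated phase1 lifetimes with the client's configured ones.

    gateway            -- dict from parse_matched_proposal()
    client_life_secs   -- client 'Key Life Time limit' (seconds)
    client_life_kbytes -- client 'Key Life Data limit' (kbytes, 0 = unlimited)
    Returns a list of human-readable findings; empty means nothing to report.
    """
    findings = []
    gw_secs = int(gateway.get("life seconds", 0))
    gw_kb = int(gateway.get("life kbytes", 0))

    # Both ends must agree on when to rekey, otherwise only one side will
    # start the phase1 re-negotiation and the tunnel goes dead.
    if gw_secs != client_life_secs:
        findings.append(f"life seconds mismatch: gateway {gw_secs}, client {client_life_secs}")
    if gw_kb != client_life_kbytes:
        findings.append(f"life kbytes mismatch: gateway {gw_kb}, client {client_life_kbytes}")

    # Independent of the rekey issue, note algorithms that are weak today.
    if gateway.get("cipher type") in WEAK_CIPHERS:
        findings.append(f"weak cipher negotiated: {gateway['cipher type']}")
    if gateway.get("dh group") in WEAK_DH_GROUPS:
        findings.append(f"weak DH group negotiated: {gateway['dh group']}")
    return findings


if __name__ == "__main__":
    negotiated = parse_matched_proposal(SAMPLE_LOG)
    # Assumed client settings: 86400 s time limit, data limit disabled (0).
    for finding in check_phase1(negotiated, 86400, 0):
        print(finding)
```

Run it against the full iked.log with the client's real Phase 1 values; a "life kbytes mismatch" line is the condition the reply describes. A gateway limit of 1000 kbytes is roughly 1 MB of IKE-protected traffic, so the first rekey comes after minutes rather than the 86400-second time limit, which fits the 10-15 minute symptom.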
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
