So I followed the guide to get Shrew connected using a PSK. That worked perfectly.

Now, what I think might be easier than trying to troubleshoot my original problem is to find a guide that talks about how to set up the RSA-signature based client-to-box connection. Does anyone know of such a guide? I think my biggest hangup is the local/remote IDs and me inputting the incorrect data in the fields, either on the router or the Shrew side.

----- Original Message -----
From: john espiro <[email protected]>
To: "[email protected]" <[email protected]>
Cc:
Sent: Wednesday, July 29, 2015 6:01 PM
Subject: Problem connecting to FVS318N

Trying to get Shrew connected to my FVS318N. Configuration and error messages are below. Netgear won't support Shrew, so I am hoping that someone here has seen this before and might be able to assist.

Running Windows 7 Professional x64.
Shrew version 2.2.2

Netgear FVS318N - Certificates tab
CA Identity (Subject Name): C=US, ST=Montana, L=MyCity, O=My VPN, OU=VPN, CN=VPN
Issuer Name: C=US, ST=Montana, L=MyCity, O=My VPN, OU=VPN, CN=VPN
Active Self Certificates
Subject Name: CN=router1
Issuer Name: C=US, ST=Montana, L=MyCity, O=My VPN, OU=VPN, CN=VPN

The Client Cert:
OpenSSL> x509 -subject -nameopt RFC2253 -noout -in client1.crt
subject= CN=client1,OU=VPN,O=My VPN,L=MyCity,ST=Montana,C=US

The Router Cert:
OpenSSL> x509 -subject -nameopt RFC2253 -noout -in router1.crt
subject= CN=router1

IKE Policies:
Name: vpnclient-ike
Mode: aggressive
Local ID: CN=router1
Remote ID: CN=client1
Encr: 3DES
Auth: SHA-1
DH: Group 5 (1536 bit)

Mode Config:
Record Name: vpnclient-cfg
Pool Start: 10.10.0.50
Pool End: 10.10.0.55

Shrew:
General:
IP set Auto Configuration: ike config pull
Adapter Mode: Virtual adapter
Authentication: Mutual RSA
Local Identity:
Identification Type: ASN.1 Distinguished Name
DN String: CN=client1
Remote Identity: ASN.1 Distinguished Name, "Use the subject..." box checked, ASN.1 DN field blank
Credentials:
Server cert: root-ca.crt
Client cert: client1.crt
Client private key: client1.key
Phase 1:
Exchange type: aggressive
DH exchange: group 5
Cipher: 3des
Hash: sha1
Key lifetime limit: 28800
Policy:
Policy generation level: auto
Remote network resource: 10.0.0.0 / 255.255.255.0 (which is my LAN)

I get the message below:

config loaded for site 'xx.xx.xx.xx'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
gateway authentication error
tunnel disabled
detached from key daemon
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
gateway authentication error
tunnel disabled
detached from key daemon

If I set Local and Remote on Shrew to use the subject in the certificate, I get:

config loaded for site 'xx.xx.xx.xx'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
invalid message from gateway
tunnel disabled
detached from key daemon
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
invalid message from gateway
tunnel disabled
detached from key daemon

Wed Jul 29 21:47:15 2015 (GMT +0000): [FVS318N] [IKE] ERROR: No policy found: 10.0.0.0/24[0] 10.10.0.50/32[0] proto=any dir=out
Wed Jul 29 21:47:15 2015 (GMT +0000): [FVS318N] [IKE] ERROR: No policy found: 10.10.0.50/32[0] 10.0.0.0/24[0] proto=any dir=in
Wed Jul 29 21:47:15 2015 (GMT +0000): [FVS318N] [IKE] INFO: 10.10.0.50 IP address has been released by remote peer.
Wed Jul 29 21:47:15 2015 (GMT +0000): [FVS318N] [IKE] INFO: ISAKMP-SA deleted for xx.xx.xx.xx[500]-10.0.0.18[500] with spi:fbfe2631e3923c00:9af064c7258fcc4a
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=fbfe2631e3923c00:9af064c7258fcc4a.
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] WARNING: Short payload
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] INFO: Sending Informational Exchange: notify payload[608]
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] INFO: ISAKMP-SA established for xx.xx.xx.xx[500]-10.0.0.18[500] with spi:fbfe2631e3923c00:9af064c7258fcc4a
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] INFO: 10.10.0.50 IP address is assigned to remote peer 10.0.0.18[500]
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] INFO: NAT not detected
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=US/ST=Montana/L=MyCity/O=My VPN/OU=VPN/CN=VPN
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=US/ST=Montana/L=MyCity/O=My VPN/OU=VPN/CN=client1
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] INFO: NAT-D payload matches for 10.0.0.18[500]
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: For 10.0.0.18[500], Selected NAT-T version: RFC 3947
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] INFO: NAT-D payload matches for xx.xx.xx.xx[500]
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: Received unknown Vendor ID
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: Received unknown Vendor ID
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: Received unknown Vendor ID
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: Received Vendor ID: DPD
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: Received Vendor ID: DPD
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: Received unknown Vendor ID
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: Received Vendor ID: RFC 3947
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: Received unknown Vendor ID
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: Received unknown Vendor ID
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: Received unknown Vendor ID
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: Beginning Aggressive mode.
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: Received request for new phase 1 negotiation: xx.xx.xx.xx[500]<=>10.0.0.18[500]
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO: Anonymous configuration selected for 10.0.0.18[500].

_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help
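Added example, not part of the thread and not Shrew Soft or Netgear code: a small Python check that takes the certificate subjects and IKE identity strings quoted above and reports whether each configured ID matches the full subject DN of the certificate it is meant to identify. It assumes that an IKE responder authenticating with RSA signatures compares the ASN.1 DN identity payload against the whole certificate subject, so an ID that carries only some of the subject's RDNs (labelled "partial" below) is not the same identity as the certificate. The parser accepts both DN forms that appear in the thread: the OpenSSL "oneline" slash form printed in the router log and the RFC 2253 comma form printed by `openssl x509 -nameopt RFC2253`. The `check_identity` and `audit` functions are the example's own names, and the DN strings are constructed from the values posted in the thread.

```python
"""Compare IKE identity strings with X.509 subject DNs.

Added example; the DN values below are copied from the mailing-list
thread. The check assumes the peer verifies the ASN.1 DN ID payload
against the full certificate subject, so a partial DN is reported
separately from an exact match.
"""
import re


def parse_dn(dn):
    """Return a list of (type, value) RDN pairs in leaf-first (CN first) order.

    Accepts the OpenSSL oneline form (/C=US/ST=.../CN=x, root first) and the
    RFC 2253 form (CN=x,OU=...,C=US, leaf first). Both are normalised to
    leaf-first order so equivalent subjects compare equal. Values containing
    an unescaped '/' are not supported in the oneline form.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]
        parts.reverse()  # oneline form lists the root RDN first
    else:
        # RFC 2253: split on commas that are not escaped with a backslash
        parts = re.split(r"(?<!\\),", dn)
    rdns = []
    for part in parts:
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def dn_to_rfc2253(rdns):
    """Render an RDN list back into RFC 2253 string form."""
    return ",".join(f"{t}={v}" for t, v in rdns)


def check_identity(configured_id, cert_subject):
    """Classify how an IKE ID string relates to a certificate subject.

    Returns (status, detail) with status one of:
      "match"     the ID equals the full subject DN
      "partial"   every RDN of the ID is in the subject, but the subject has more
      "mismatch"  the ID names an RDN the subject does not have
    """
    want = parse_dn(configured_id)
    have = parse_dn(cert_subject)
    if want == have:
        return "match", dn_to_rfc2253(have)
    if set(want) <= set(have):
        missing = [f"{t}={v}" for t, v in have if (t, v) not in set(want)]
        return "partial", "ID lacks " + ",".join(missing)
    return "mismatch", f"ID {dn_to_rfc2253(want)} vs subject {dn_to_rfc2253(have)}"


# Constructed inputs: the subjects and IKE IDs as posted in the thread.
CLIENT_SUBJECT_LOG = "/C=US/ST=Montana/L=MyCity/O=My VPN/OU=VPN/CN=client1"
CLIENT_SUBJECT_RFC2253 = "CN=client1,OU=VPN,O=My VPN,L=MyCity,ST=Montana,C=US"
ROUTER_SUBJECT = "CN=router1"
ROUTER_IKE_LOCAL_ID = "CN=router1"
ROUTER_IKE_REMOTE_ID = "CN=client1"
SHREW_LOCAL_ID = "CN=client1"


def audit():
    """Run the three identity checks implied by the posted configuration."""
    return {
        "router local id": check_identity(ROUTER_IKE_LOCAL_ID, ROUTER_SUBJECT),
        "router remote id": check_identity(ROUTER_IKE_REMOTE_ID, CLIENT_SUBJECT_RFC2253),
        "shrew local id": check_identity(SHREW_LOCAL_ID, CLIENT_SUBJECT_LOG),
    }


if __name__ == "__main__":
    for name, (status, detail) in audit().items():
        print(f"{name:17s} {status:9s} {detail}")
```

Running it shows that the router's own local ID equals its certificate subject, while the IDs used for the client certificate carry only the CN of a subject that also has OU, O, L, ST and C components; the same normalisation also confirms that the slash-form subject in the router log and the RFC 2253 output of openssl describe one and the same certificate.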
