21 Replies Latest reply on May 1, 2017 4:33 AM by mick

Netvanta VPN using Shrewsoft client

unclegary Apr 20, 2017 10:31 AM

Shrewsoft 2.2 VPN client with Netvanta 2300.

Fails on phase 1 IKE for mobile peer.

Have juggled every possible client and router configuration.

Nothing will affect the Phase 1 failure.

Re: Netvanta VPN using Shrewsoft client

mick Apr 20, 2017 11:30 AM (in response to unclegary)

That should do it if you're just venting, but if you expect people to try to help you then you'll need to post the configuration files for your Shrew client and the router, obfuscating passwords and public IP addresses as necessary.
--
Regards,
Mick
Like Show 0 Likes(0)

Actions
- Re: Netvanta VPN using Shrewsoft client
  
  unclegary Apr 20, 2017 11:33 AM (in response to mick)
  
  OK, understand.
  
  Like Show 0 Likes(0)
  
  Actions
  - Re: Netvanta VPN using Shrewsoft client
    
    jayh Apr 20, 2017 10:06 PM (in response to unclegary)
    
    And a debug of the negotiation would also be useful.
    
    Like Show 0 Likes(0)
    
    Actions
    - Re: Netvanta VPN using Shrewsoft client
      
      unclegary Apr 21, 2017 2:33 PM (in response to jayh)
      
      Debug of client authentication and client configuration produces a series of:
      
      IDE In Vendor ID Process failed
      Received Vendor ID not recognized with IKE
      
      Ending with Could not find a matching remote ID
      
      What Vendor ID is it referring to ?
      
      G
      
      Like Show 0 Likes(0)
      
      Actions
- Re: Netvanta VPN using Shrewsoft client
  
  unclegary Apr 21, 2017 2:37 PM (in response to mick)
  
  Debug of client authentication and client configuration produces a series of:
  
  IKE In Vendor ID Process failed
  Received Vendor ID not recognized with IKE
  
  Ending with Could not find a matching remote ID
  
  What Vendor ID is it referring to ?
  
  G
  
  Like Show 0 Likes(0)
  
  Actions
  - Re: Netvanta VPN using Shrewsoft client
    
    jayh Apr 21, 2017 3:29 PM (in response to unclegary)
    
    unclegary wrote:
    
    Debug of client authentication and client configuration produces a series of:
    
    IKE In Vendor ID Process failed
    Received Vendor ID not recognized with IKE
    
    What Vendor ID is it referring to ?
    That's a hex value of a list of vendors stored locally. Not recognizing the Vendor ID shouldn't cause IKE to fail, it's primarily informational, so that a Cisco box knows it's talking to another Cisco, etc.
    
    Ending with Could not find a matching remote ID
    
    This is typically the IP address of the remote system on a site-to-site VPN but can be a hostname or string for remote access. Make sure that the client is sending what the server expects.
    
    Like Show 0 Likes(0)
    
    Actions
    - Re: Netvanta VPN using Shrewsoft client
      
      unclegary Apr 21, 2017 3:32 PM (in response to jayh)
      
      OK, this is a mobile peer.
      I’ll keep looking….tnx !
      
      Like Show 0 Likes(0)
      
      Actions
      - Re: Netvanta VPN using Shrewsoft client
        
        mick Apr 21, 2017 4:39 PM (in response to unclegary)
        
        Unclegary, I don't know how you have configured both ends, but try using their respective public IP addresses as their peer ID in the first instance, to see if this error goes away and you can move to the next phase.
        --
        Regards,
        Mick
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Netvanta VPN using Shrewsoft client
        
        jayh Apr 21, 2017 9:28 PM (in response to mick)
        
        Great idea for troubleshooting phase 1 but won't scale as he wants to use the client for remote access and its public IP will change.
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Netvanta VPN using Shrewsoft client
        
        mick Apr 22, 2017 2:03 AM (in response to jayh)
        
        Yes, it is likely the mobile peer will have a dynamically allocated IP address and also by its nature of being mobile will be connecting from different locations at times. The reason I suggested to try setting initially both peer IDs as the respective public IP addresses, was in case unclegary is using a pre-shared key with Main Mode VPN tunnel. This combination will not work with other forms of peer ID (e.g. FQDN, user@FQDN), because the mobile peer initiating the connection will need to select the correct PSK to calculate the hash for the router, before it has received and processed the router's ID. When using public key certificates for peer authentication with Main Mode VPN this problem goes away, but without seeing the configuration files of both peers we can only guess this much. :-)
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Netvanta VPN using Shrewsoft client
        
        unclegary Apr 22, 2017 6:55 AM (in response to mick)
        
        OK, I'll copy my config setup and the IKE errors on Monday so you guys can see it all.
        I'm using Aggressive and PSK for the mobile client setup. No certs.
        The client setup used to function as a mobile peer.
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Netvanta VPN using Shrewsoft client
        
        unclegary Apr 24, 2017 10:28 AM (in response to jayh)
        
        Ignoring the “ Vendor ID “ info, looks like “ could not find a matching remote ID “ might be important ?
        
        Policy 106 belongs to my VPN mobile client.
        
        Lawrence#
        Crypto IKE Policy 106
        Respond to aggressive mode
        Will not initiate
        Local ID Address: 199.XXXXXXXXXXXXXXXXXX
        NAT Traversal V1 Allowed
        Peers:
            Any Peer
        Client Authentication Server List:
            LoginUseLocalUsers
        Client Config Pool
            VPN Client
        Attributes:
            1
              Encryption: AES-256-CBC
              Hash: MD5
              Authentication: Pre-share
              Group: 1
              Lifetime: 28800 seconds
        106: IkeCheckIdData failed
        
        106: IkeCheckIdData failed
        
        2017.04.24 12:01:59 CRYPTO_IKE.NEGOTIATION Could not find a matching remote ID
        2017.04.24 12:01:59 CRYPTO_IKE.NEGOTIATION 106: IkeCheckIdData failed
        2017.04.24 12:01:59 CRYPTO_IKE.NEGOTIATION IkeProcessData: IkeIdleProcess failed
        2017.04.24 12:01:59 CRYPTO_IKE.NEGOTIATION IkeDeleteIsakmpSA :: Deleting any DPDRequests queued in isakmpsa
        2017.04.24 12:02:05 CRYPTO_IKE.NEGOTIATION IkeSelectIsakmpProposal: pIsakmpSA->usEncKeyLen = 32
        2017.04.24 12:02:05 CRYPTO_IKE.NEGOTIATION IKEInVendorIDProcess :: Received Vendor ID not registered with IKE
        2017.04.24 12:02:05 CRYPTO_IKE.NEGOTIATION IkeInVIDProcess :: IKEInVendorIDProcess failed
        
        Could not find a matching remote ID
        2017.04.24 12:02:05 CRYPTO_IKE.NEGOTIATION 106: IkeCheckIdData failed
        2017.04.24 12:02:05 CRYPTO_IKE.NEGOTIATION IkeProcessData: IkeIdleProcess failed
        2017.04.24 12:02:05 CRYPTO_IKE.NEGOTIATION IkeDeleteIsakmpSA :: Deleting any DPDRequests queued in isakmpsa
        2017.04.24 12:02:09 CRYPTO_IKE.NEGOTIATION DPDP1NodeTrafficBased :: Sending Notify Payload for Phase 1
        2017.04.24 12:02:09 CRYPTO_IKE.NEGOTIATION DPDSendNotifyPayload :: Sending Notify REQUEST for Phase 1
        2017.04.24 12:02:09 CRYPTO_IKE.NEGOTIATION InitialiseCipherContext :: Not DES and Not 3DES
        2017.04.24 12:02:09 CRYPTO_IKE.NEGOTIATION InitialiseCipherContext :: Not DES and Not 3DES
        2017.04.24 12:02:09 CRYPTO_IKE.NEGOTIATION IkeInNotifyProcess: NOTIFY TYPE: R U THERE (36136)
        
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION <POLICY: 106> PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,VID,VID,VID,VID,VID,VID,VID,VID,VID,VID
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   SA PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     DOI: 1
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Situation: 1
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     PROPOSAL PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       Proposal No.: 1
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       IANA No. for protocol: ISAKMP (1)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       Size of the variable SPI field: 0
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       Number of transforms offered: 1
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       TRANSFORM PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION         Transform Number: 1
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION         IANA Transform ID: IKE Key (1)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION         TRANSFORM ATTRIBUTES
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Encryption Algorithm (1)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value: Unknown/Other (7)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Key Length (14)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:   (256)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Algorithm (2)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value: MD5 (1)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Group Description (4)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value: DH Group 1 (1)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Method (3)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value: Unknown/Other (65001)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Type (11)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value: Seconds (1)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Time (12)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 4
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:   (86400)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   KE PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   NONCE PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   ID PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     IANA No. for identifn: 2 -> ID_FQDN
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Protocol Id: 0
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Port: 0
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Id Data:
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       63 6C 69 65 6E 74 2E 68 client.h
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       6F 6D 65 6E 65 74 77 6F omenetwo
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       72 6B 2E 6C 6F 63 61 6C rk.local
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 8
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     09 00 26 89 DF D6 B7 12 ..&.....
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     44 85 15 2D 18 B6 BB CD D..-....
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     0B E8 A8 46 95 79 DD CC ...F.y..
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     16 F6 CA 16 E4 A4 06 6D .......m
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     83 82 1A 0F 0A EA A8 62 .......b
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     90 CB 80 91 3E BB 69 6E ....>.in
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     08 63 81 B5 EC 42 7B 1F .c...B{.
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     7D 94 19 A6 53 10 CA 6F }...S..o
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     2C 17 9D 92 15 52 9D 56 ,....R.V
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     4A 13 1C 81 07 03 58 45 J.....XE
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     5C 57 28 F2 0E 95 45 2F \W(...E/
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     F1 4B 94 B7 BF F1 FE F0 .K......
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     27 73 B8 C4 9F ED ED 26 's.....&
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 20
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     16 6F 93 2D 55 EB 64 D8 .o.-U.d.
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     E4 DF 4F D3 7E 23 13 F0 ..O.~#..
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     D0 FD 84 51              ...Q
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     84 04 AD F9 CD A0 57 60 ......W`
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     B2 CA 29 2E 4B FF 53 7B ..).K.S{
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     12 F5 F2 8C 45 71 68 A9 ....Eqh.
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     70 2D 9F E2 74 CC 01 00 p-..t...
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION IkeSelectIsakmpProposal: pIsakmpSA->usEncKeyLen = 32
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION IKEInVendorIDProcess :: Received Vendor ID not registered with IKE
        2
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION Could not find a matching remote ID
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION 106: IkeCheckIdData failed
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION IkeProcessData: IkeIdleProcess failed
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION SENDING NOTIFY MSG:
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION INVALID_ID_INFORMATION
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION <POLICY: 106> PAYLOADS: NOTIFY
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   NOTIFY PAYLOAD
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     DOI: 0
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Protocol Id: 1
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Size of SPI: 16
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Type of notify message: 18
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Notify Type: Invalid ID Info (18)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Length of Notification Data: 0
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION 106: Sent informational exchange message
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION IkeDeleteIsakmpSA :: Deleting any DPDRequests queued in isakmpsa
        2017.04.24 12:14:53 CRYPTO_IKE.NEGOTIATION peer 192.168.1.73: Received first message of aggressive mode
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Netvanta VPN using Shrewsoft client
        
        unclegary Apr 24, 2017 1:01 PM (in response to jayh)
        
        The mobile VPN client is set to authenticate to “   Local Userlist “
        However, I noticed I can enter any bogus credentials in the client XAUTH login and it will attempt to authenticate.
        It is definitely not using the correct client information.
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Netvanta VPN using Shrewsoft client
        
        jayh Apr 24, 2017 3:59 PM (in response to unclegary)
        
        The remote is identifying as "client.homenetwork.local". Is this configured as a valid VPN ID?
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Netvanta VPN using Shrewsoft client
        
        unclegary Apr 24, 2017 4:01 PM (in response to jayh)
        
        Yes
        
        Sent from my Sprint Phone.
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Netvanta VPN using Shrewsoft client
        
        mick Apr 28, 2017 1:34 PM (in response to unclegary)
        
        Hi unclegary,
        
        You haven't shared your configuration files, so I'm answering on the basis of the Netvanta log you posted above. There are number of client attributes which may not have been configured correctly. Starting from the top:
        
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION         TRANSFORM ATTRIBUTES
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Encryption Algorithm (1)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value: Unknown/Other (7)
        
        This should not be 'Unknown/Other', but should be AES according to the settings in Crypto IKE Policy 106. Have you configured your Shrew to use only AES-256 for IKE encryption?
        
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Key Length (14)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:   (256)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Algorithm (2)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value: MD5 (1)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Group Description (4)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value: DH Group 1 (1)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Method (3)
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value: Unknown/Other (65001)
        
        This ought to be showing a value of 'Pre-shared Key' rather than 'Unknown/Other'. Have you configured the Shrew client to use the same Pre-shared Key value as you have configured in the Netvanta?
        
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION Could not find a matching remote ID
        2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION 106: IkeCheckIdData failed
        
        The Remote peer ID (the mobile client ID) sent by the client is not configured the same in the Netvanta.
        
        From what you have shared so far, the problem appears to be that the client and router configuration are not mirroring each other. Have a quick look here for an example that works, or post your configurations at each end and we'll take a look to see if anything is amiss.
        
        PS. As jayh has mentioned the Vendor ID error is more of a warning and not related to your problem. This Vendor ID is used as a shorthand code to inform each peer if NAT-T, DPD, fragmentation, etc. are attributes available at the other end.
        --
        Regards,
        Mick
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Netvanta VPN using Shrewsoft client
        
        unclegary Apr 28, 2017 2:53 PM (in response to mick)
        
        Thanks Mick.
        
        I’m working backward from an existing remote client setup.
        This should be simple….it’s just matching the 2 ends up.
        I’ll get some more logs for you guys next week.
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Netvanta VPN using Shrewsoft client
        
        unclegary Apr 28, 2017 2:54 PM (in response to mick)
        
        Here’s IKE Policy 90, which is being used for the mobile clients:
        
        And 106:
        
        image002.png 37.6 K
        
        image001.png 35.7 K
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Netvanta VPN using Shrewsoft client
        
        unclegary Apr 28, 2017 2:57 PM (in response to mick)
        
        Here’s another part of IKE policy 106
        
        image001.png 37.0 K
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Netvanta VPN using Shrewsoft client
        
        jayh Apr 28, 2017 11:39 PM (in response to unclegary)
        
        It would be more useful for me to see a "show run" from the CLI with passwords, etc. redacted that screenshots from the GUI.
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Netvanta VPN using Shrewsoft client
        
        mick May 1, 2017 4:33 AM (in response to unclegary)
        
        unclegary, I can't see anything wrong in the Netvanta configuration you have shared, but as jayh suggests it would be clearer if we could see the whole configuration of Netvanta after you obfuscate any sensitive information. In particular, we need to see the remote id you have configured in the Netvanta for the Shrew client.
        
        It will be necessary to compare this with your corresponding Shrew client configuration. If the Shrew client is running in MSWindows, please post your Shrew configuration for the site you are trying to connect to. It should be stored in C:\Users\unclegary\AppData\Local\Shrew Soft VPN\sites\AA.BBB.CC.DDD, where 'AA.BBB.CC.DDD' would be the IP address or name you have given to the Shrew connection settings. If Shrew (ike) is running on Linux or BSD check /etc/iked.conf, or your /home directory. Again, obfuscate sensitive information in this file too.
        --
        Regards,
        Mick
        
        Like Show 0 Likes(0)
        
        Actions