For Windows, I have used the Shrew Soft VPN client 2.2.2-release build dated Jul 01 2013. For Linux systems, I have used the vpnc package, a command-line VPN client, running on version 0.5.3r512.
PfSense Configuration
This topic describes common types of problems you might encounter with Mobile VPN with IPSec, and describes the solutions that most often resolve these problems. Even after the IPSec VPN client connects, client traffic might not be able to reach some network resources because of network or policy configuration problems.
License activation fails for the VPN client
If you select Online Activation in the WatchGuard Mobile VPN with IPSec client, and activation fails, one of these error messages might appear:
Software activation error. Error number: 10103-1. An error occurred when activating the software. The maximum number of activations was exceeded.
This error can occur when the license key is in use on another system. If you have uninstalled the client from that other system, contact WatchGuard Customer Care and provide:
- The serial and license information from your confirmation email
- Screenshots of the activation wizard with the serial number and license filled in, and the error message
Invalid license key or serial number
This error can occur when:
- You installed the IPsec Client from NCP, not the WatchGuard Mobile VPN with IPsec Client. The license keys for the WatchGuard-branded client do not work for activation of the client from NCP.
- You attempted to activate with the incorrect serial number, such as the serial number of your Firebox. Make sure to use the IPSec Mobile VPN client serial number you received in the confirmation email.
If the VPN client can connect to a network resource by IP address, but not by name, the client device might not have the correct DNS and WINS information for your network.
In Fireware v12.2.1 or higher, you can select these options in the Mobile VPN with IPSec configuration:
- Assign or not assign the Network (global) DNS/WINS settings to mobile clients
- Assign the domain name, DNS server, and WINS server settings specified in the mobile VPN configuration to mobile clients
In Fireware v12.2 or lower, your Firebox automatically provides client devices with the WINS and DNS IP addresses configured in the Network (global) DNS/WINS settings on your device.
For information about how to configure DNS and WINS IP addresses, see Configure the Firebox for Mobile VPN with IPSec.
The VPN client can connect, but VPN users cannot connect to internal resources with a single-part host name.
If users cannot use a single-part host name to connect to internal network resources, but can use a Fully Qualified Domain Name to connect, this indicates that the DNS suffix is not defined on the client.
In Fireware v12.2.1 or higher, you can select to:
- Assign or not assign the Network (global) DNS/WINS settings to mobile clients
- Assign the domain name, DNS server, and WINS server settings specified in the mobile VPN configuration to mobile clients
In Fireware v12.2 or lower, when you use Mobile VPN with IPSec with the Shrew Soft client, WatchGuard Mobile VPN with IPSec (NCP) client, or any other supported client, the Firebox assigns the VPN client the DNS settings configured for the Firebox. It does not assign the DNS suffix.
A client that does not have an assigned DNS suffix must use the entire DNS name to resolve an address. For example, if your terminal server has a DNS name of RDP.example.net, users cannot type the address RDP to connect with their terminal server clients. Users must also type the DNS suffix, example.net.
To resolve this problem, you can add the DNS suffix in the configuration of the Mobile VPN client. For instructions, see these articles in the WatchGuard Knowledge Base:
The VPN client can connect, but all traffic fails. Because of the group membership, Unhandled MUVPN Packet log messages are generated.
On the authentication server used for the Mobile VPN, verify that the user is a member of a group that exactly matches the Mobile VPN with IPSec group profile name. For example, if the Mobile VPN with IPSec group profile name is ipsec-users, and it is configured to use an Active Directory domain, you must make sure that each mobile VPN user is a member of the ipsec-users group on the Active Directory server. Make sure the text and case of the Active Directory group name exactly matches the Mobile VPN with IPSec group name.
For RADIUS, SecurID, and VASCO authentication, the authentication server must return the group membership as the Filter-ID attribute.
For more information about Mobile VPN with IPSec group membership, see Configure the External Authentication Server.
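The group check described above can be exercised offline. The Python below is an example added here, not WatchGuard code: it builds a constructed RADIUS Access-Accept carrying a Filter-Id attribute (attribute type 11 in RFC 2865), verifies the Response Authenticator against an assumed shared secret before reading anything from the packet, extracts the group names the server returned, and applies the exact, case-sensitive comparison the Firebox makes against the Mobile VPN with IPSec group profile name. The shared secret, request authenticator, identifiers and group names are all constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS constants from RFC 2865
ACCESS_ACCEPT = 2
FILTER_ID = 11   # Filter-Id (attribute type 11): the attribute the Firebox reads the group from


def build_response(code, identifier, request_authenticator, secret, attributes):
    """Build a RADIUS response packet. The 16-byte Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), as RFC 2865 section 3
    specifies (MD5 is what the protocol mandates, not a choice made by this example)."""
    body = b""
    for atype, value in attributes:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        body += bytes([atype, 2 + len(value)]) + value
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + authenticator + body


def parse_response(packet, request_authenticator, secret):
    """Check the Response Authenticator, then return (code, [(type, value), ...]).
    Raises ValueError for a truncated, malformed or unauthenticated packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match the packet size")
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    attributes, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("attribute length runs past the end of the packet")
        attributes.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return code, attributes


def filter_id_groups(packet, request_authenticator, secret):
    """Group names carried in Filter-Id attributes of an authenticated Access-Accept."""
    code, attributes = parse_response(packet, request_authenticator, secret)
    if code != ACCESS_ACCEPT:
        return []
    return [value.decode("utf-8", "replace") for atype, value in attributes if atype == FILTER_ID]


def matches_group_profile(groups, profile_name):
    """Exact, case-sensitive comparison: the check the Firebox applies."""
    return profile_name in groups


# Constructed sample values: a shared secret and the Request Authenticator the Firebox
# would have sent in its Access-Request (in real traffic the latter is 16 random bytes).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))

# A server that returns the group the profile expects, and one that returns the same
# group in a different case, which the Firebox treats as a different group.
GOOD_ACCEPT = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET, [(FILTER_ID, b"ipsec-users")])
WRONG_CASE_ACCEPT = build_response(ACCESS_ACCEPT, 8, REQUEST_AUTH, SECRET, [(FILTER_ID, b"IPSec-Users")])

if __name__ == "__main__":
    for label, packet in (("exact", GOOD_ACCEPT), ("wrong case", WRONG_CASE_ACCEPT)):
        groups = filter_id_groups(packet, REQUEST_AUTH, SECRET)
        print(label, groups, "matches ipsec-users:", matches_group_profile(groups, "ipsec-users"))
```

Run as a script it shows that ipsec-users matches and IPSec-Users does not. A reply built with a different shared secret is rejected before any attribute is read, which is the right order: a Filter-Id that has not been authenticated is not evidence of group membership.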
The VPN client can connect, but all traffic fails. Because the policy configuration is incorrect, Unhandled MUVPN Packet log messages are generated.
When you initially create a Mobile VPN with IPSec profile, a policy is automatically created that allows traffic on all ports and protocols to all networks that were defined in the Allowed Resources section of the Mobile VPN configuration. If you later modify the Allowed Resources in the Mobile VPN with IPSec profile, you must also edit the Allowed Resources in the Mobile VPN with IPSec policy to match the network addresses in the updated Mobile VPN with IPSec profile.
For more information about how to edit the policy, see Configure Policies to Filter IPSec Mobile VPN Traffic.
The VPN client can connect, and traffic appears to be allowed, but the client never gets a response, or connections to some network resources fail.
If your VPN clients can connect to certain parts of the network, but not others, or traffic otherwise fails when log messages show that traffic is allowed, this can indicate a routing problem. Confirm that each of these items is true:
- The virtual IP address pool for Mobile VPN with IPSec clients does not overlap with any IP addresses assigned to internal network users.
- The virtual IP address pool does not overlap or conflict with any other routed or VPN networks configured on the Firebox.
- If the Mobile VPN with IPSec users must access a routed or VPN network, the hosts in that routed or VPN network must have a valid route to the virtual IP address pool, or the Firebox must be the default route to the Internet for those hosts.
For more information about how to configure the virtual IP address pool, see Modify an Existing Mobile VPN with IPSec Group Profile.
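The first two routing checks in this section, and the policy check in the section above about an incorrect policy configuration, reduce to two address-set questions: does the virtual IP pool overlap any network the Firebox already uses, and does every Allowed Resource in the profile still appear in the policy? The Python below is an example added here, not WatchGuard tooling. The pool, the list of networks and the resource lists are constructed; the policy list is deliberately left stale so the second check has something to report.

```python
import ipaddress


def find_pool_conflicts(pool, networks):
    """Return the (label, cidr) entries that overlap the Mobile VPN virtual IP pool."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    conflicts = []
    for label, cidr in networks:
        net = ipaddress.ip_network(cidr, strict=False)
        # overlaps() only compares networks of the same IP version
        if net.version == pool_net.version and pool_net.overlaps(net):
            conflicts.append((label, cidr))
    return conflicts


def find_uncovered_resources(profile_resources, policy_networks):
    """Allowed Resources from the profile that no address in the policy covers.
    A single host in the profile is treated as a /32 (or /128)."""
    policy = [ipaddress.ip_network(c, strict=False) for c in policy_networks]
    uncovered = []
    for cidr in profile_resources:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == p.version and net.subnet_of(p) for p in policy):
            uncovered.append(cidr)
    return uncovered


# Constructed sample configuration (not taken from a real Firebox)
VIRTUAL_IP_POOL = "10.20.5.0/24"          # assumed pool of the Mobile VPN with IPSec group
FIREBOX_NETWORKS = [                      # other networks the Firebox routes or terminates
    ("Trusted interface", "10.10.0.0/16"),
    ("Optional interface", "10.30.0.0/24"),
    ("BOVPN to branch office", "10.20.0.0/16"),   # this one overlaps the pool
    ("Mobile VPN with SSL pool", "192.168.113.0/24"),
]
PROFILE_ALLOWED_RESOURCES = ["10.10.0.0/16", "10.30.0.0/24", "10.20.0.0/16"]
POLICY_TO_NETWORKS = ["10.10.0.0/16", "10.30.0.0/24"]   # policy not updated after the profile changed

if __name__ == "__main__":
    for label, cidr in find_pool_conflicts(VIRTUAL_IP_POOL, FIREBOX_NETWORKS):
        print(f"pool {VIRTUAL_IP_POOL} overlaps {label} ({cidr})")
    for cidr in find_uncovered_resources(PROFILE_ALLOWED_RESOURCES, POLICY_TO_NETWORKS):
        print(f"Allowed Resource {cidr} is missing from the Mobile VPN with IPSec policy")
```

The third item in the list, a return route from the remote network to the pool, cannot be checked from the Firebox configuration alone; it has to be verified on the routers or hosts of that network.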
If you cannot connect to network resources through an established VPN tunnel, see Troubleshoot Network Connectivity for information about other steps you can take to identify and resolve the issue.
© 2019 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries. All other tradenames are the property of their respective owners.
Hello,
I use openSUSE 13.1 and I am trying to connect with the Windows Shrew VPN client to my strongSwan VPN gateway.
With PSK + Xauth authentication in Shrew VPN, I can connect to the strongSwan gateway, but when I try to authenticate with the option 'Mutual RSA + Xauth' https://www.shrew.net/static/help-2....nSettings.html the connection fails.
I generated the certificates according to this documentation https://wiki.strongswan.org/projects..._%28Apple%29/9
The ipsec.conf shows the following options:
conn rw_shrew
    leftsubnet=172.16.0.0/16,172.18.0.0/16
    auto=add
    rightsourceip=172.17.190.0/16
    keyexchange=ikev1
    ##
    authby=xauthrsasig
    xauth=server
    right=%any
    rightcert=clientCert.pem
    #
    left=%any
    leftauth=pubkey
    leftcert=serverCert.pem
The ipsec.secrets shows:
: RSA serverKey.pem
: RSA clientKey.pem
rw_client : XAUTH 'Passwort'
The following error appeared in the strongSwan VPN gateway log:
vpn-server charon: 06[CFG] looking for XAuthInitRSA peer configs matching 172.16.190.32...<PUBLIC IP>[]
vpn-server charon: 06[IKE] no peer config found
vpn-server charon: 06[ENC] generating INFORMATIONAL_V1 request 2545430305 [ HASH N(AUTH_FAILED) ]
vpn-server charon: 06[NET] sending packet: from 172.16.190.32[4500] to <PUBLIC IP>[4500] (92 bytes)
How can I connect to strongSwan with RSA + Xauth authentication using Shrew VPN?
Is there a better free VPN client for Windows (with the exception of the built-in Windows client)?
Do you know if Shrew VPN is able to connect via IKEv2?
Best regards
B.-D.
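A few static checks that can be run over the posted ipsec.conf and ipsec.secrets, added here as an example; this is neither part of the post nor strongSwan's own tooling. The parser is minimal (section headers in column 0, indented key=value lines, '#' comments) and the checks stay within what the two files show: authby, which ipsec.conf(5) marks as deprecated in favour of leftauth/rightauth, mixed with leftauth in the same conn; a rightsourceip pool whose address has host bits set (172.17.190.0/16 denotes the network 172.17.0.0/16); rightcert on a right=%any conn, which pins the remote side to that one certificate instead of accepting any certificate from the issuing CA; and more than one private key in the gateway's ipsec.secrets, where only the gateway's own key belongs. None of these is a diagnosis of the 'no peer config found' message in the log; they are the hygiene findings a practitioner would clear first. The second conn in the sample is constructed in the leftauth/rightauth/rightauth2 form as an assumption about the intended setup, not a verified fix for the poster's problem.

```python
import ipaddress
import re


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: section headers ('conn X', 'config setup') in column 0,
    indented key=value lines below them, '#' comments. Returns {header: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def private_key_files(secrets_text):
    """File names of the RSA/ECDSA private keys listed in ipsec.secrets."""
    keys = []
    for raw in secrets_text.splitlines():
        m = re.match(r"^\s*(?:\S.*?)?\s*:\s*(?:RSA|ECDSA)\s+(\S+)", raw.split("#", 1)[0])
        if m:
            keys.append(m.group(1))
    return keys


def lint_gateway(conf_text, secrets_text, conn_name):
    """Return finding codes for one conn of a gateway's ipsec.conf and its ipsec.secrets."""
    conn = parse_ipsec_conf(conf_text).get("conn " + conn_name, {})
    findings = []
    # ipsec.conf(5) marks authby deprecated in favour of leftauth/rightauth; using both in
    # one conn leaves the next admin guessing which setting charon actually honours.
    if "authby" in conn and ("leftauth" in conn or "rightauth" in conn):
        findings.append("mixed-auth-styles")
    # A pool written as address/prefix should be the network address itself.
    for item in conn.get("rightsourceip", "").split(","):
        item = item.strip()
        if "/" in item:
            try:
                ipaddress.ip_network(item, strict=True)
            except ValueError:
                findings.append("rightsourceip-host-bits")
    # rightcert on a right=%any conn pins the remote side to that single certificate; a
    # population of road warriors is normally authenticated through the issuing CA.
    if conn.get("right") == "%any" and "rightcert" in conn:
        findings.append("rightcert-with-any-peer")
    # The gateway needs only its own private key. A client's private key copied to the
    # gateway is a credential that should never have left the client.
    if len(private_key_files(secrets_text)) > 1:
        findings.append("extra-private-keys")
    return findings


# The conn from the post, re-indented as ipsec.conf requires (a constructed copy).
POSTED_IPSEC_CONF = """\
conn rw_shrew
    leftsubnet=172.16.0.0/16,172.18.0.0/16
    auto=add
    rightsourceip=172.17.190.0/16
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    right=%any
    rightcert=clientCert.pem
    left=%any
    leftauth=pubkey
    leftcert=serverCert.pem
"""
POSTED_IPSEC_SECRETS = """\
: RSA serverKey.pem
: RSA clientKey.pem
rw_client : XAUTH 'Passwort'
"""

# Constructed alternative (an assumption about the intended setup, not a verified fix):
# leftauth/rightauth instead of authby, XAuth as the IKEv1 second round via rightauth2,
# the pool written as a network, no pinned client certificate, only the gateway's key.
CLEAN_IPSEC_CONF = """\
conn rw_shrew
    left=%any
    leftcert=serverCert.pem
    leftauth=pubkey
    leftsubnet=172.16.0.0/16,172.18.0.0/16
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=172.17.190.0/24
    keyexchange=ikev1
    auto=add
"""
CLEAN_IPSEC_SECRETS = """\
: RSA serverKey.pem
rw_client : XAUTH 'Passwort'
"""

if __name__ == "__main__":
    print("posted:", lint_gateway(POSTED_IPSEC_CONF, POSTED_IPSEC_SECRETS, "rw_shrew"))
    print("clean: ", lint_gateway(CLEAN_IPSEC_CONF, CLEAN_IPSEC_SECRETS, "rw_shrew"))
```

The posted files produce all four findings; the constructed alternative produces none. Whether the alternative also makes the Shrew client's Mutual RSA + Xauth mode succeed depends on the identities and certificates the two sides present, which the log excerpt does not show.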