The free Shrew Soft VPN Client for IPSEC seems perfect for Mikrotik to make easy connections from Windows computers without having to manually change Windows settings, etc.
However, I am unable to get it to work. After Phase 1, the MT log keeps saying Invalid Exchange Type 6, no matter how many settings I adjust, I can't get it to get pass Phase 2.
Any help?
Re: Shrew Soft VPN Client
The VPN client is trying to do mode config (where the VPN server sends the client several parameters to configure the client with). The MT VPN server doesn't speak that mode so it throws the invalid exchange error.
I'm not familiar with that client but going by what you posted the client is configured incorrectly.
I'm not familiar with that client but going by what you posted the client is configured incorrectly.
-
-
jandafields
Forum Guru
- Posts: 1518
- Joined:
Re: Shrew Soft VPN Client
Do you know of any good free ipsec clients for windows that also supports l2tp?
Thanks.
Thanks.
Re: Shrew Soft VPN Client
I was able to successfully get the Greenbow VPN client to work with XP and RouterOS. However my free trial expired so I thought I would try the Shrew Soft client. My goal was to allow "road warrior" access to the network. So far I've not had complete success getting Shrew Soft configured in conjunction with RotuerOS. I'm failing with the error "no suitable proposal found". My current IPSEC config is:
/ip ipsec proposal
set default auth-algorithms=md5 comment="" disabled=no enc-algorithms=aes-128 lifetime=1h name=default pfs-group=\
modp1024
/ip ipsec peer
add address=0.0.0.0/0:500 auth-method=pre-shared-key comment="" dh-group=modp1024 disabled=no dpd-interval=\
disable-dpd dpd-maximum-failures=1 enc-algorithm=aes-128 exchange-mode=main generate-policy=yes \
hash-algorithm=md5 lifebytes=0 lifetime=4h nat-traversal=no proposal-check=obey secret=123456789 \
send-initial-contact=yes
and my Shrew Soft config:
n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:0
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:1
n:phase1-life-secs:14400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:128
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
n:phase1-keylen:0
s:network-host:64.119.37.74
s:client-auto-mode:disabled
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk
s:ident-client-type:address
s:ident-server-type:any
b:auth-mutual-psk:MTIzNDU2Nzg5
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:md5
s:phase2-transform:esp-aes
s:phase2-hmac:md5
s:ipcomp-transform:disabled
n:phase2-pfsgroup:1
s:policy-level:require
/ip ipsec proposal
set default auth-algorithms=md5 comment="" disabled=no enc-algorithms=aes-128 lifetime=1h name=default pfs-group=\
modp1024
/ip ipsec peer
add address=0.0.0.0/0:500 auth-method=pre-shared-key comment="" dh-group=modp1024 disabled=no dpd-interval=\
disable-dpd dpd-maximum-failures=1 enc-algorithm=aes-128 exchange-mode=main generate-policy=yes \
hash-algorithm=md5 lifebytes=0 lifetime=4h nat-traversal=no proposal-check=obey secret=123456789 \
send-initial-contact=yes
and my Shrew Soft config:
n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:0
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:1
n:phase1-life-secs:14400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:128
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
n:phase1-keylen:0
s:network-host:64.119.37.74
s:client-auto-mode:disabled
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk
s:ident-client-type:address
s:ident-server-type:any
b:auth-mutual-psk:MTIzNDU2Nzg5
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:md5
s:phase2-transform:esp-aes
s:phase2-hmac:md5
s:ipcomp-transform:disabled
n:phase2-pfsgroup:1
s:policy-level:require
