[vpn-help] Asymmetric routing between Shrewsoft 2.1.7 and OpenSwan

Kevin VPN kvpn at live.com
Wed Sep 14 20:22:20 CDT 2011 

On 09/14/2011 10:58 AM, Erich Titl wrote:
> Hi Kevin
>
> at 14.09.2011 03:57, Kevin VPN wrote:
>>
>> Hi Erich,
>>
>> Based on the source and destination of the plaintext traffic being
>> private addresses, obviously it's possible to reach from the Shrew
>> client PC to the remote network in some path other than the tunnel.
>> Perhaps that path (route) has a lower metric than the VPN route, and is
>> thus used instead of the tunnel route.
>
> Right, the default route, unfortunately, has a metric of 25, whereas the
> Shrewsoft tunnel uses a metric of 31. Can this be configured in the product.
>

Hi Erich,

As far as I know, the metric is not set by Shrew itself.

I did some testing and it appears that 31 is the metric that Windows 
likes to assign to Shrew's route.  I tried connecting to the VPN, 
deleting the 0.0.0.0 route that points to the tunnel, then creating the 
route manually with a metric of 5.  Windows installed the route, but 
gave it a metric of 35.  Any metric I tried ended up being 30+metric value.

I searched on this and found out the following:  Windows 7 calculates 
the displayed metric as the sum of two metrics, called the GatewayMetric 
and the InterfaceMetric.  These are specific to each network adapter in 
Windows.  Using the information in the posts I link to below, I 
discovered that the Shrew adapter's InterfaceMetric is set to 30 and it 
tries to create a gateway route with GatewayMetric 1, making a sum of 
31, which we see in the route table when the tunnel is connected.

My Local Area Network's InterfaceMetric is 20.  I suspect that yours is 
as well, and something has probably created the default route with a 
GatewayMetric of 5, making the sum of 25 that you see in your route table.

I would suggest reading the posts below and playing with your adapter's 
Automatic Metric and InterfaceMetric settings to see if you can correct 
the problem.

Articles:

Forcing Windows 7 to use wired when available
http://blog-rat.blogspot.com/2011/06/forcing-windows-7-to-use-wired-when.html

How to change the Gateway Metric on Windows 7
http://blog-rat.blogspot.com/2011/06/how-to-change-gateway-metric-on-windows.html

An explanation of the Automatic Metric feature for Internet Protocol routes
http://support.microsoft.com/kb/299540

More information about the vpn-help mailing list