[vpn-help] Session terminated by gateway
Matthew Grooms
mgrooms at shrew.net
Fri Oct 1 12:41:34 CDT 2010
On 9/22/2010 7:10 PM, Leblanc, Guy (IT) wrote:
> I am not a VPN expert so I read forums and apply instructions. I found
> that the only way for me to get rid of the "session terminated by
> gateway" issue was to disable my Windows 7 (64-bit) firewall in
> addition to setting Phase-2 PFS=2 as recommended. (Windows firewall
> issued no warning that it had blocked anything Shrew, though, even if
> the notification option was checked). Once the Windows firewall has been
> disabled on my domain connection with my head office, the tunnel remains
> stable over my Linksys WRT-610N WIFI broadband home router/gateway (with
> its own firewall active, btw).
>
> I have now installed Shrew version 2.1.7 beta but I still have to
> disable the Windows firewall to eliminate the error. Is there a
> workaround to this? Much has been written regarding interference from
> some specific router firewalls but after reading many forums, I seem to
> be the only one having to disable their Windows firewall. Does anybody have an idea?
>
This is an interesting issue. I believe the Windows firewall has been
implemented as a Windows Filtering Platform driver, which is higher in
the NDIS stack than the Shrew Soft LWF driver. In other words, this
shouldn't cause any packets sent during IKE negotiations to be blocked
by the filter. My guess is that the client didn't negotiate an initial
IPsec SA after the connection had been established. A Cisco gateway will
terminate the connection unless this occurs. Disabling the Windows FW
may have allowed packets to traverse the tunnel (DNS or something
similar), which allowed the IPsec SA to be established and the tunnel to
remain active.

I would suggest you try to install the latest 2.1.7 RC and see if that
makes any difference. Michael Kenny submitted a patch (which has been
committed) that fixes a bug related to the initial SA negotiation, which
may resolve your issue. If that doesn't help, try starting a ping to an
IP address on the distant side of the tunnel, and then try the
connection. If the ping starts to respond after you connect and the
connection remains stable, please let me know. There may be something
else we can do to improve the situation.
-Matthew
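The diagnostic Matthew describes (ping the far side before connecting, then watch whether the tunnel stays up), written up as an added PowerShell helper for the Windows 7 client; this is not code from the thread or from the Shrew Soft project. It assumes an elevated PowerShell session, that `$RemoteHost` is replaced with a real address behind the gateway (the value below is a placeholder), and that the Shrew Soft client is connected by hand when prompted.

```powershell
# Added diagnostic helper (not part of the Shrew Soft client or this thread).
# Assumptions: elevated PowerShell on Windows 7; $RemoteHost is a placeholder
# for a host on the far side of the tunnel; the VPN client is started by hand.
param(
    [string]$RemoteHost   = "10.0.0.1",   # placeholder: host inside the remote network
    [int]$WatchSeconds    = 300,          # how long to watch once the tunnel answers
    [int]$LossLimit       = 10            # consecutive lost pings that count as "tunnel dropped"
)

# Record the Windows Firewall profile state so the report shows whether it was on
# during the test (the thread's symptom only went away with the firewall disabled).
$fwState = netsh advfirewall show allprofiles state | Where-Object { $_ -match "State" }
Write-Host "Windows Firewall state:`n$($fwState -join "`n")"

Write-Host "Pinging $RemoteHost once per second. Connect the Shrew Soft client now."
$start      = Get-Date
$firstReply = $null    # when traffic first crossed the tunnel (initial IPsec SA is up)
$lastReply  = $null
$lost       = 0

while ($true) {
    $ok  = Test-Connection -ComputerName $RemoteHost -Count 1 -Quiet -ErrorAction SilentlyContinue
    $now = Get-Date
    if ($ok) {
        if (-not $firstReply) {
            $firstReply = $now
            Write-Host ("First reply after {0:N0}s: traffic is passing the tunnel" -f ($now - $start).TotalSeconds)
        }
        $lastReply = $now
        $lost = 0
    } elseif ($firstReply) {
        # Replies had started and then stopped: the gateway may have torn the session down.
        $lost++
        if ($lost -ge $LossLimit) {
            Write-Host ("Tunnel stopped answering at {0} (last reply {1})" -f $now, $lastReply)
            break
        }
    }
    if ($firstReply -and ($now - $firstReply).TotalSeconds -ge $WatchSeconds) {
        Write-Host "Tunnel stayed up for $WatchSeconds s after the first reply."
        break
    }
    Start-Sleep -Seconds 1
}
```

Run it once with the firewall on and once with it off; if the tunnel only answers and stays up in the second run, that is the observation Matthew asks to be reported.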