[vpn-help] Session terminated by gateway

Leblanc, Guy (IT) Guy.LeBlanc2 at fbn.ca
Mon Oct 4 19:26:50 CDT 2010


Installed version 2.1.7RC as suggested, reactivated the Windows 7 firewall on domain accounts, and I was able to establish the tunnel with the remote domain as you suspected. Many thanks.

-Guy

-----Original Message-----
From: Matthew Grooms [mailto:mgrooms at shrew.net] 
Sent: October-01-10 1:42 PM
To: Leblanc, Guy (IT)
Cc: 'vpn-help at lists.shrew.net'
Subject: Re: [vpn-help] Session terminated by gateway

On 9/22/2010 7:10 PM, Leblanc, Guy (IT) wrote:
> I am not a VPN expert so I read forums and apply instructions. I found 
> that the only way for me to get rid of the "session terminated by 
> gateway" issue was to disable my Windows 7 (64 bits) firewall in 
> addition to setting Phase-2 PFS=2 as recommended. (Windows firewall 
> issued no warning that it had blocked anything Shrew, though, even if 
> the notification option was checked). Once the Windows firewall has 
> been disabled on my domain connection with my head office, the tunnel 
> remains stable over my Linksys WRT-610N WIFI broadband home 
> router/gateway (with its own firewall active, btw).
>
> I have now installed Shrew version 2.1.7 beta but I still have to 
> disable the Windows firewall to eliminate the error. Is there a 
> workaround to this? Much has been written regarding interference from 
> some specific router firewalls but after reading many forums, I seem 
> to be the only one having to disable their Windows firewall. Does anybody have an idea?
>

This is an interesting issue. I believe the Windows firewall has been implemented as a Windows Filtering Platform driver which is higher in the NDIS stack than the Shrew Soft LWF driver. In other words, this shouldn't cause any packets sent during IKE negotiations to be blocked by the filter. My guess is that the client didn't negotiate an initial IPsec SA after the connection had been established. A Cisco gateway will terminate the connection unless this occurs. Disabling the Windows FW may have allowed packets to traverse the tunnel (DNS or something similar) which allowed the IPsec SA to be established and the tunnel to remain active.

I would suggest you try to install the latest 2.1.7 RC and see if that makes any difference. Michael Kenny submitted a patch (which has been committed) that fixes a bug related to the initial SA negotiation which may resolve your issue. If that doesn't help, try starting a ping to an IP address on the distant side of the tunnel, and then try the connection. If the ping starts to respond after you connect and the connection remains stable, please let me know. There may be something else we can do to improve the situation.

-Matthew

