[vpn-help] Updated package and problem reports
Matthew Grooms
mgrooms at shrew.net
Mon Aug 14 12:45:38 CDT 2006
Peter Eisch wrote:
>
> I think I'm going to attribute the web site availability to a local
> networking configuration issue or at least table it at this point. The
> NAT-T issue is worthy of a little time though.
>
This is very strange. Just two minutes ago I ran the client using NAT-T
to connect to a Cisco ASA.
> The config is as below:
>
> Client(10.1.200.170 -> NAT/FW -> [Internet] -> Server
>
> Yes, this "just works" with the cisco client and the server config is very
> similar to the "inside" server that we've been testing with. This server
> also is 0.6.6 on netbsd-3.
>
One difference to note is that the Cisco client will fall back to UDP
500 if it trips up using 4500, which will work in most cases. The Shrew
Soft Client does not.
Did you mention before that it's being NATed twice, or is this another
setup? i.e. ...
Client -> NAT/FW -> [Internet] -> NAT/FW -> Server
... Is there a firewall installed on the Internet-facing device? It
would be good if we could get a tcpdump at the point of entry into your
network so we can see if the initiator's second packet is arriving on UDP
port 4500. Do you have the means to verify this?
If it is passing through all firewalls and NAT devices, what does
racoon say in the debug log when it receives the initiator's second packet?
Thanks,
-Matthew
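
The check requested above (does the initiator's second packet reach the gateway on UDP 4500?) can be run over payloads pulled from a capture. This is an added example, not part of the original message or of the Shrew Soft or racoon code; the function names and sample packets are constructed, and it relies on the RFC 3948 non-ESP marker (four zero bytes before IKE on port 4500).

```python
import struct

NON_ESP_MARKER = b"\x00" * 4             # RFC 3948: precedes IKE on UDP 4500
IKE_HDR = struct.Struct("!8s8sBBBBII")   # ISAKMP header, 28 bytes
EXCHANGES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}

def classify(dst_port, payload):
    """Label one inbound UDP payload captured at the network entry point."""
    if dst_port == 4500:
        if payload == b"\xff":
            return "nat-keepalive"
        if len(payload) < 4:
            return "malformed"
        if payload[:4] != NON_ESP_MARKER:
            return "esp-in-udp"          # non-zero SPI in the first 4 bytes
        payload = payload[4:]
    elif dst_port != 500:
        return "not-ike"
    if len(payload) < IKE_HDR.size:
        return "malformed"
    xchg, length = IKE_HDR.unpack_from(payload)[4::3]
    if length != len(payload):
        return "malformed"
    return f"ike-{EXCHANGES.get(xchg, 'other')}@{dst_port}"

def stalled_initiators(packets):
    """Initiator cookies seen on UDP 500 whose follow-up never arrived on 4500."""
    ports = {}
    for dst_port, payload in packets:
        if not classify(dst_port, payload).startswith("ike-"):
            continue
        body = payload[4:] if dst_port == 4500 else payload
        ports.setdefault(body[:8].hex(), set()).add(dst_port)
    return sorted(c for c, seen in ports.items() if 4500 not in seen)

def ike(icookie, xchg, body=b""):
    """Build a constructed ISAKMP packet (IKEv1, version byte 0x10)."""
    return IKE_HDR.pack(icookie, b"\0" * 8, 1, 0x10, xchg, 0, 0, 28 + len(body)) + body

# Constructed sample: initiator A floats to 4500, initiator B never does.
A, B = b"A" * 8, b"B" * 8
SAMPLE = [
    (500, ike(A, 4)),
    (4500, NON_ESP_MARKER + ike(A, 4)),
    (500, ike(B, 4)),
    (4500, b"\xff"),
]

if __name__ == "__main__":
    for port, data in SAMPLE:
        print(port, classify(port, data))
    print("stalled:", stalled_initiators(SAMPLE))
```

A cookie reported as stalled means the first packet arrived on UDP 500 but nothing from that initiator was seen on UDP 4500 at the capture point.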