[vpn-help] Problem with configuring client settings

Matthew Grooms mgrooms at shrew.net
Wed Mar 1 13:28:22 CST 2006


Kimmo Koivisto wrote:
> Hello
> 
> Sorry, I have been busy with work...

No problem. Thanks again for taking the time to test and provide the 
excellent feedback.

> 
> Now I had time and I downloaded beta 2, it solved my GUI problems, dialogs are 
> shown correctly now.
> 

Good to hear.

> I tried now to make connection with commercial VPNGW, but no success.
> 
> Phase 1 goes ok and remote peer creates Phase 2 SA too. But remote peer has 
> feature that I think shrew does not support:
> It sends IPSEC_RESPONDER_LIFETIME payload just before Phase 2 ends and shrew 
> shows this in its log (attached):
> <logfile>
> << : unhandled phase2 payload type 11
> DB : phase2 sa not found
> ACTION | unable to process outbound packet
> REASON | no outbound spi for peer 1.2.3.4
> DB : phase2 sa not found
> ACTION | unable to process outbound packet
> REASON | no outbound spi for peer 1.2.3.4
> </logfile>
> 
> GUI shows that tunnel is up, but when I try to ping to the destination 
> network, ipsecd crashes.
> 

This should not happen obviously ;) It could be that I missed something 
obvious while optimizing this code path recently. I will try to 
reproduce the crash and correct the problem. Thanks for the bug report.

> When receiving unsupported payloads, could you just ignore it? I cannot turn 
> off that feature from remote peer. I'm not 100% sure that the reason is this, 
> it just looked like that :)
>

I'm not sure if it would be a good idea to ignore unsupported payload 
types but I will look into handling this situation more gracefully.

> I'm not sure so I have to ask, does shrew vpn support split tunneling and 
> simultaneous tunnels behind more than one remote peer?

The client supports split tunneling but does not support a mode of 
operation where all traffic is forced across a single tunnel. If there 
is a demand for this feature, it would be very easy to implement.

I was very careful when designing the client to make sure it would 
support multiple simultaneous tunnels. Unfortunately, there is an issue 
with a driver inf or the way it's being registered (not a problem with 
the actual driver code). In any case, multiple adapters can be created 
but the ipsec daemon has trouble identifying more than one instance, 
which will cause a tunnel setup failure. Resolving this problem is very 
high on my todo list for the 1.0 release.

> 
> Best Regards
> Kimmo
> 
> 

I will have a new package ready to test within the next few days.

Thanks again,

-Matthew
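An added example, not Shrew Soft code and not from either correspondent, showing the payload handling the thread is about: a walker over ISAKMP generic payload headers that skips an unrecognised type by its declared length instead of aborting, plus a decoder for the RESPONDER-LIFETIME notify (payload type 11) that the gateway sends late in phase 2. The sample chain is constructed; the 28800-second lifetime, the SPI bytes and the private-use payload type 130 are assumptions.

```python
import struct
# Type 11 is the ISAKMP Notification payload (RFC 2408); RESPONDER-LIFETIME is IPsec DOI notify 24576 (RFC 2407).
NOTIFY, RESPONDER_LIFETIME = 11, 24576

def walk_payloads(first_type, data):
    """Yield (type, body) per payload; unknown types are skipped by length."""
    ptype, off = first_type, 0
    while ptype != 0:
        if len(data) - off < 4:
            raise ValueError("truncated generic payload header")
        next_type, _reserved, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError(f"bad length {length} for payload type {ptype}")
        yield ptype, data[off + 4:off + length]
        ptype, off = next_type, off + length

def parse_responder_lifetime(body):
    """Return {'seconds': n} or {'kilobytes': n}, or None for other notify types."""
    _doi, _proto, spi_size, ntype = struct.unpack_from("!IBBH", body, 0)
    if ntype != RESPONDER_LIFETIME:
        return None
    attrs, off, life_type, result = body[8 + spi_size:], 0, None, {}
    while off + 4 <= len(attrs):
        atype, aval = struct.unpack_from("!HH", attrs, off)
        off += 4
        if not atype & 0x8000:  # TLV attribute: aval is the value length
            aval, off = int.from_bytes(attrs[off:off + aval], "big"), off + aval
        if atype & 0x7FFF == 1:    # SA Life Type: 1 = seconds, 2 = kilobytes
            life_type = aval
        elif atype & 0x7FFF == 2:  # SA Life Duration
            result["seconds" if life_type == 1 else "kilobytes"] = aval
    return result

def process_chain(first_type, data):
    """Payload types seen plus any responder lifetime; only a bad length is fatal."""
    summary = {"types": [], "lifetime": None}
    for ptype, body in walk_payloads(first_type, data):
        summary["types"].append(ptype)
        if ptype == NOTIFY:
            summary["lifetime"] = parse_responder_lifetime(body)
    return summary

def payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body  # generic header + body

def build_sample_chain():
    """Constructed sample (not a capture): HASH, 28800 s RESPONDER-LIFETIME notify, private type 130."""
    attrs = struct.pack("!HHHH", 0x8001, 1, 0x8002, 28800)
    notify = struct.pack("!IBBH", 1, 3, 4, RESPONDER_LIFETIME) + b"\x11\x22\x33\x44" + attrs
    return 8, payload(NOTIFY, b"\x00" * 20) + payload(130, notify) + payload(0, b"\xde\xad")
```

A truncated or over-long payload length is reported as a ValueError for the caller to log and drop the message, which is the graceful handling the reply above is aiming for.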