[vpn-help] Problem with configuring client settings
Matthew Grooms
mgrooms at shrew.net
Wed Mar 1 13:28:22 CST 2006
Kimmo Koivisto wrote:
> Hello
>
> Sorry, I have been busy with work...
No problem. Thanks again for taking the time to test and provide the
excellent feedback.
>
> Now I had time and I downloaded beta 2, it solved my GUI problems, dialogs are
> shown correctly now.
>
Good to hear.
> I tried now to make connection with commercial VPNGW, but no success.
>
> Phase 1 goes ok and remote peer creates Phase 2 SA too. But remote peer has
> feature that I think shrew does not support:
> It sends IPSEC_RESPONDER_LIFETIME payload just before Phase 2 ends and shrew
> shows this in its log (attached):
> <logfile>
> << : unhandled phase2 payload type 11
> DB : phase2 sa not found
> ACTION | unable to process outbound packet
> REASON | no outbound spi for peer 1.2.3.4
> DB : phase2 sa not found
> ACTION | unable to process outbound packet
> REASON | no outbound spi for peer 1.2.3.4
> </logfile>
>
> GUI shows that tunnel is up, but when I try to ping to the destination
> network, ipsecd crashes.
>
This should not happen obviously ;) It could be that I missed something
obvious while optimizing this code path recently. I will try to
reproduce the crash and correct the problem. Thanks for the bug report.
> When receiving unsupported payloads, could you just ignore it? I cannot turn
> off that feature from remote peer. I'm not 100% sure that the reason is this,
> it just looked like that :)
>
I'm not sure if it would be a good idea to ignore unsupported payload
types but I will look into handling this situation more gracefully.
> I'm not sure so I have to ask, does shrew vpn support split tunneling and
> simultaneous tunnels behind more than one remote peer?
The client supports split tunneling but does not support a mode of
operation where all traffic is forced across a single tunnel. If there
is a demand for this feature, it would be very easy to implement.

I was very careful when designing the client to make sure it would
support multiple simultaneous tunnels. Unfortunately, there is an issue
with a driver inf or the way it's being registered ( not a problem with
the actual driver code ). In any case, multiple adapters can be created
but the ipsec daemon has trouble identifying more than one instance
which will cause a tunnel setup failure. Resolving this problem is very
high on my todo list for the 1.0 release.
>
> Best Regards
> Kimmo
>
>
I will have a new package ready to test within the next few days.
Thanks again,
-Matthew
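
Payload type 11 in the log above is the ISAKMP Notification payload (RFC 2408), and RESPONDER-LIFETIME is notify message type 24576 in the IPsec DOI (RFC 2407). The following is an added example, not part of the original message and not Shrew's code: a bounds-checked C parser that reads the responder's lifetime in seconds from such a payload and rejects inconsistent lengths. The names `responder_lifetime` and `SAMPLE` are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NOTIFY_RESPONDER_LIFETIME 24576 /* IPsec DOI status type, RFC 2407 */
#define ATTR_LIFE_TYPE     1            /* SA Life Type attribute class */
#define ATTR_LIFE_DURATION 2            /* SA Life Duration attribute class */
#define LIFE_SECONDS       1

/* Constructed sample: one Notification payload, ESP, 4-byte SPI, 3600 s. */
const uint8_t SAMPLE[28] = {
    0x00, 0x00, 0x00, 0x1c,  0x00, 0x00, 0x00, 0x01, /* next, rsvd, len, DOI */
    0x03, 0x04, 0x60, 0x00,  0x11, 0x22, 0x33, 0x44, /* proto, SPI size, type, SPI */
    0x80, 0x01, 0x00, 0x01,                          /* TV: life type = seconds */
    0x00, 0x02, 0x00, 0x04,  0x00, 0x00, 0x0e, 0x10  /* TLV: duration = 3600 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the lifetime in seconds, 0 if the payload is a well-formed notify
 * without a seconds lifetime, or -1 if any length field is inconsistent. */
int64_t responder_lifetime(const uint8_t *pl, size_t avail)
{
    if (avail < 12) return -1;                    /* fixed notify header */
    size_t len = rd16(pl + 2), off = 12 + (size_t)pl[9];
    if (len < 12 || len > avail || off > len) return -1;
    if (rd16(pl + 10) != NOTIFY_RESPONDER_LIFETIME) return 0;
    uint16_t life_type = 0;
    while (off < len) {
        if (len - off < 4) return -1;             /* truncated attribute */
        uint16_t af = rd16(pl + off), val = rd16(pl + off + 2), cls = af & 0x7fff;
        off += 4;
        if (af & 0x8000) {                        /* TV form: value is inline */
            if (cls == ATTR_LIFE_TYPE) life_type = val;
            else if (cls == ATTR_LIFE_DURATION && life_type == LIFE_SECONDS) return val;
            continue;
        }
        if (val > len - off) return -1;           /* TLV form: val is a length */
        if (cls == ATTR_LIFE_DURATION && life_type == LIFE_SECONDS) {
            if (val == 0 || val > 4) return -1;   /* accept 1..4 byte durations */
            int64_t secs = 0;
            for (size_t i = 0; i < val; i++) secs = (secs << 8) | pl[off + i];
            return secs;
        }
        off += val;                               /* skip attributes not used here */
    }
    return 0;
}
int main(void) { printf("%lld\n", (long long)responder_lifetime(SAMPLE, sizeof SAMPLE)); return 0; }
```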