[vpn-help] Problem Connecting to Commercial Gateway ...

Kimmo Koivisto kkoivisto at gmail.com
Mon Mar 6 15:24:16 CST 2006


Matthew Grooms wrote in his message (sent Sunday 05 March 2006 01:47):
> We are much closer now than when we started :) Thanks very much for
> being persistent.
Yes, I had some luck establishing the tunnel. But not enough luck to get the 
data to flow :)

> The ipsec daemon crashing is an error condition that should obviously
> never happen. I will do my best to track this down.

Beta 4 died on my laptop; it was able to establish the IPsec SA, but died a couple 
of seconds later.

Unfortunately my laptop died today, nothing to do with Shrew (or can it do 
something to my power source and my space key :=) ), and I cannot do any 
more real testing before Mr. Dell comes and fixes it.

What is interesting is that because my laptop is not working, I installed 
VMware Server and a virtual server with XP Pro on it. I then tried Beta 4 and 
ipsecd did not die. I was able to get some response to my traffic, but not 
all that I needed.

To understand those problems, can you, Matthew, answer these:

- does shrew support fragmentation for ipsec data? In my vmware environment, 
which might not correspond to a real PC, I was able to ping with 3000 bytes 
without IPsec, but with shrew enabled I could not get more than 14xx bytes 
through the ipsec tunnel. 

- does shrew support unique tunnels (setkey keywords unique/require)? I have 
configured three subnets in the policy and I need separate IPsec SAs with 
unique SPIs for each subnet. Now I think shrew uses the same IPsec SA for all 
subnets.

- When I disconnected shrew, I did not see any SA delete traffic in tcpdump. 
Should shrew send SA deletes?

- How does shrew react when it receives an IKE SA delete, does it delete the IPsec 
SAs too or only the IKE SA?

> I wasn't aware you were configuring all the client properties as well as
> the policies manually. In this scenario it should not be sent and could
> just be erroneous log output. I will look into it.

I don't need WINS, is there any way to configure shrew so that there is no 
need to configure WINS manually without using mode cfg?

>
> Could you please try again using this new build and send me the output
> using the following debug options which are described in the howto.
> Please send the output privately ( off-list ).

I can do that later; right now I only have the company-provided keypair and company 
policy does not allow me to send decode level logs. But I will try to set up a 
testing environment with demo certificates so that I can debug my problems.

> I have enabled the lifetime kilobytes options in the VPN Access Manager
> application so that the parameter will be used ( if not set to 0 )
> during negotiations ( but not enforced for now ). Could you please
> provide the requested output with and without this option set to match
> your vpn gateway config.

Yes, I saw that and tried it too. I'll try it with logging enabled when I have 
my testing env up and working. 

Regards
Kimmo
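The unique/require question above refers to the policy level in setkey(8) SPD entries. The following setkey configuration is an added illustration, not part of this thread or of the Shrew client; client address 10.0.0.5, gateway 203.0.113.1 and the three remote subnets are constructed values. With level "require" the kernel may serve all three policies from one matching ESP SA pair; with "unique:N" each policy is bound to its own SA pair, so the IKE daemon must negotiate a separate SA (and SPI) per subnet.

```conf
# Constructed example: one client, three remote subnets behind one gateway.
spdflush;

# Level "require": traffic must be protected, but any matching ESP tunnel SA
# may be reused, so one SA pair can carry all three subnets.
spdadd 10.0.0.5/32 192.168.1.0/24 any -P out ipsec esp/tunnel/10.0.0.5-203.0.113.1/require;
spdadd 192.168.1.0/24 10.0.0.5/32 any -P in  ipsec esp/tunnel/203.0.113.1-10.0.0.5/require;

# Level "unique:<id>": each policy id gets its own SA pair, i.e. separate SPIs
# per subnet; the in/out policies for a subnet share the same id.
spdadd 10.0.0.5/32 192.168.2.0/24 any -P out ipsec esp/tunnel/10.0.0.5-203.0.113.1/unique:2;
spdadd 192.168.2.0/24 10.0.0.5/32 any -P in  ipsec esp/tunnel/203.0.113.1-10.0.0.5/unique:2;

spdadd 10.0.0.5/32 192.168.3.0/24 any -P out ipsec esp/tunnel/10.0.0.5-203.0.113.1/unique:3;
spdadd 192.168.3.0/24 10.0.0.5/32 any -P in  ipsec esp/tunnel/203.0.113.1-10.0.0.5/unique:3;
```

After loading this with `setkey -f`, `setkey -D` lists the SAs and shows whether one SPI pair or one per subnet was established.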
