[vpn-help] Problem Connecting to Commercial Gateway ...
Matthew Grooms
mgrooms at shrew.net
Sun Mar 12 14:17:53 CST 2006
Kimmo Koivisto wrote:
> Beta 4 died in my laptop, it was able to establish IPsec SA, but died a couple of
> seconds later.
>
I think I finally tracked this bug down and have hopefully corrected it.
> To understand those problems, Matthew, can you answer these:
>
> - does shrew support fragmentation for ipsec data? In my vmware environment
> which might not correspond to real pc, I was able to ping with 3000 bytes
> without IPsec but with shrew enabled, I could not get more than 14xx bytes
> through ipsec tunnel.
>
I just corrected a major flaw in the fragmentation code which was most
likely causing all kinds of problems. When you have a chance, please try
this package ...
http://www.shrew.net/download/vpn-client-1.0-beta-8.exe
> - When I disconnected shrew, I did not see any SA delete traffic in tcpdump.
> Should shrew send SA deletes?
>
> - How does shrew react when it receives IKE SA delete, does it delete IPsec
> SA's too or only the IKE SA?
>
This release also interprets and sends SA delete messages. I am in the
process of supporting all the major notification messages as well.
>> I wasn't aware you were configuring all the client properties as well as
>> the policies manually. In this scenario it should not be sent and could
>> just be erroneous log output. I will look into it.
>
> I don't need WINS, is there any way to configure shrew so that there is no
> need to configure WINS manually without using mode cfg?
>
This was also corrected in a previous release.
>> I have enabled the lifetime kilobytes options in the VPN Access Manager
>> application so that the parameter will be used ( if not set to 0 )
>> during negotiations ( but not enforced for now ). Could you please
>> provide the requested output with and without this option set to match
>> your vpn gateway config.
>
> Yes, I saw that and tried it too. I'll try it with logging enabled when I have
> my testing env up and working.
>
I hope this workaround is no longer required ;)
> Regards
> Kimmo
>
Thanks again,
-Matthew