[vpn-help] Problem Connecting to Commercial Gateway ...

Kimmo Koivisto kkoivisto at gmail.com
Wed Mar 15 05:22:03 CST 2006


Matthew Grooms wrote in a message (sent Sunday 12 March 2006 22:17):
> Kimmo Koivisto wrote:
> > Beta 4 died in my laptop, it was able to establish IPsec SA, but died
> > couple seconds later.
>
> I think I finally tracked this bug down and have hopefully corrected it.

I installed B8 and it did not crash, so you managed to fix it :)
>
> I just corrected a major flaw in the fragmentation code which was most
> likely causing all kinds of problems. When you have a chance, please try
> this package ...
>
> http://www.shrew.net/download/vpn-client-1.0-beta-8.exe

I had other problems and thus was not able to try out fragmentation.
I was now able to negotiate IPsec SAs and I can see that traffic is sent out 
of the Shrew (what exactly is the name of the vpn client, should it be called 
Shrew VPN client or what :) ). Then I can see something weird:

My Shrew client's public IP is A and it has private address B (I'm behind NAT) 
and Shrew virtual adapter has address C.

Remote peer decrypts traffic (ping) and sends it to the destination. When 
reply comes, remote peer tries to send ESP to my virtual address C instead of 
public address C?

This seems to be problem in the Commercial Gateway product, I have to debug it 
more to be sure.
 
>
> > - When I disconnected shrew, I did not see any SA delete traffic in
> > tcpdump. Should shrew send SA deletes?
> >
> > - How does shrew react when it receives IKE SA delete, does it delete
> > IPsec SA's too or only the IKE SA?
>
> This release also interprets and sends sa delete messages. I am in the
> process of supporting all the major notification messages as well.

Okay, I did not see those deletes but I had other problems so I did not focus 
on those. 
>
> > I don't need WINS, is there any way to configure shrew so that there is
> > no need to configure WINS manually without using mode cfg?
>
> This was also corrected in a previous release.

Nice

> >> I have enabled the lifetime kilobytes options in the VPN Access Manager
> >> application so that the parameter will be used ( if not set to 0 )
> >> during negotiations ( but not enforced for now ). Could you please
> >> provide the requested output with and without this option set to match
> >> your vpn gateway config.

Well, I tried without lifetime in kb's and I could not negotiate IPsec SAs; 
ISAKMP SA went fine. But with lifetime in kb's, IPsec SAs were negotiated.

Regards
Kimmo
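As an added illustration (not part of Kimmo's or Matthew's mail, nor of the Shrew client's own code), the following script shows how the symptom described above can be confirmed from a capture: it parses tcpdump-style ESP lines and flags replies from the gateway whose outer destination is the client's virtual adapter address (C) rather than the NAT public address (A). The addresses, the gateway address, the sample capture lines and all function names are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed placeholder addresses from documentation ranges, standing in for
# the letters A, B and C used in the mail (assumption, not real hosts).
PUBLIC_IP = "203.0.113.10"   # A: NAT public address as seen by the gateway
PRIVATE_IP = "192.168.1.20"  # B: laptop's private address behind the NAT
VIRTUAL_IP = "10.99.0.5"     # C: address assigned to the Shrew virtual adapter
GATEWAY_IP = "198.51.100.1"  # remote IPsec gateway (constructed)

# Matches tcpdump's ESP summary line: "<ts> IP src > dst: ESP(spi=0x..,seq=0x..), length N"
ESP_RE = re.compile(
    r"^\S+ IP (\S+) > (\S+): ESP\(spi=(0x[0-9a-fA-F]+),seq=(0x[0-9a-fA-F]+)\)"
)

# Constructed capture: two outbound ESP packets leaving the NAT with public
# source A, one correct reply to A, and one reply misaddressed to virtual C.
SAMPLE_CAPTURE = [
    "12:00:01.000100 IP 203.0.113.10 > 198.51.100.1: ESP(spi=0x0000a1b2,seq=0x1), length 116",
    "12:00:01.000900 IP 198.51.100.1 > 203.0.113.10: ESP(spi=0x0000c3d4,seq=0x1), length 116",
    "12:00:02.000100 IP 203.0.113.10 > 198.51.100.1: ESP(spi=0x0000a1b2,seq=0x2), length 116",
    "12:00:02.000900 IP 198.51.100.1 > 10.99.0.5: ESP(spi=0x0000c3d4,seq=0x2), length 116",
]


@dataclass
class EspPacket:
    src: str
    dst: str
    spi: str
    seq: int


def parse_esp(lines):
    """Extract ESP packets from tcpdump-style lines; non-ESP lines are skipped."""
    packets = []
    for line in lines:
        m = ESP_RE.match(line)
        if m:
            packets.append(EspPacket(m.group(1), m.group(2), m.group(3), int(m.group(4), 16)))
    return packets


def misaddressed_replies(packets, gateway=GATEWAY_IP, virtual_ip=VIRTUAL_IP):
    """Gateway-originated ESP whose outer destination is the inner/virtual address.

    Such packets can never traverse the NAT back to the client: the outer header
    of an inbound ESP packet must carry the public address the NAT knows about.
    """
    return [p for p in packets if p.src == gateway and p.dst == virtual_ip]


def analyze(lines=SAMPLE_CAPTURE, gateway=GATEWAY_IP, public_ip=PUBLIC_IP, virtual_ip=VIRTUAL_IP):
    """Summarise a capture: outbound count, correct replies, and misaddressed replies."""
    packets = parse_esp(lines)
    outbound = [p for p in packets if p.dst == gateway and p.src == public_ip]
    replies_ok = [p for p in packets if p.src == gateway and p.dst == public_ip]
    bad = misaddressed_replies(packets, gateway, virtual_ip)
    return {
        "outbound": len(outbound),
        "replies_to_public": len(replies_ok),
        "replies_to_virtual": len(bad),
        "bad_seqs": [p.seq for p in bad],
    }


if __name__ == "__main__":
    summary = analyze()
    print(summary)
    if summary["replies_to_virtual"]:
        print("gateway is addressing ESP replies to the virtual adapter address; "
              "check its NAT-traversal / peer-address handling")
```

Run it against a real capture by feeding the output of `tcpdump -n esp` (one line per packet) to `analyze()` with your own address values; a non-zero `replies_to_virtual` count reproduces the behaviour Kimmo describes and points at the gateway side rather than the client.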


