[Vpn-help] trouble compiling beta3 on ubuntu 6.0.6 lts

Matthew Grooms mgrooms at shrew.net
Mon Sep 17 18:04:02 CDT 2007


Harondel J. Sibble wrote:
> Matthew
> 
> Hmm, I've seen something similar with the Sonicwall units resulting in having 
> to use dhcp over ipsec or local ip configuration.  Perfect example, the NCP 
> client on my Windows Mobile 5 Axim X51V, using mode config against the 
> sonicwall tz170, the connection will fail every time. Configuring the client 
> to use the local address works every time, but then dns resolution on the lan 
> (windows 2003 AD) fails from the pda.
> 
> This was the info I got from NCP tech support
> 
>     DHCP over IPsec is not a mechanism that is encouraged to be used; as it's
>     very prone to timeouts.  The ('standard') mechanism that does what you are
>     looking for is called IKE-ConfigMode (or IKE-CFG), which essentially sends
>     the client a (virtual) IP address, and also the DNS/WINS server addresses.
>     However, although this can be selected by the NCP Secure Client, it is
>     NOT, to the best of my knowledge a feature that is available on the
>     SonicWALL.   
> 
>     You can also manually configure the DNS/WINS server addresses within the
>     client; and enable NetBIOS on the client, and you should be able to
>     resolve names and not have to resort to using IP addresses only!  If it's
>     not working, then I suggest you double check routing to ensure the client
>     can reach the DNS server specified.
> 

Very interesting. Thanks for sharing.

> 
> Hmm, I'm updating my case with Fortinet to request whether they support mode 
> config as opposed to dhcp over ipsec. From experience I suspect they support 
> the latter and not the former, similar to Sonicwall.  Does Shrew support the 
> latter?
>  

At present, the Shrew Soft Client supports modecfg very well but does 
not support DHCP over IPSEC. When updating your case, can you please 
verify that they support the DHCP over IPSEC specification outlined in 
RFC3456 or if they utilize a proprietary implementation.

With that said, I would very much like to support DHCP over IPSEC. The 
only reason I haven't attempted to implement this yet is that I don't 
have access to a gateway that supports the standard. I even have some 
DHCP packet handling code lying around that can be used to put this 
together rather quickly. If you are willing to work with me on this, I 
am very confident we can make this happen for 2.1 :)

> Where do I get sysv startup script I see mentioned in a few posts, that
> doesn't seem to be around after my compile.
>

Attached.

>
> This doesn't stop during a session, but after you disconnect the client, 
> then hit the connect button again, about 50% of the time it says "failed to 
> attach to key daemon". Hmm, seems to consistently happen after I change the 
> client config. I assume that's a feature so the daemon can reload the 
> policies?
>

No, this is not a feature. If iked is not responding to the client, then 
it has either crashed or hit a deadlock. If you still see this happen 
with beta 4, please try killing iked, then run it with the -F switch ( 
foreground mode ) and let me know what the output looks like when it 
stops responding.

>
> After the initial contact info it sits about 8 lines later at the sending 
> config pull request and doesn't go any further,  none of the DPD stuff.  
> Tried it both with Nat-T disabled and enabled, no change. Switch back to push 
> method and I start seeing the DPD messages again on both sides.
>

Is the Fortinet spitting out any diagnostics when the client attempts to 
negotiate the config mode exchange?

> Gonna try manual configuration and see what happens. Using the Virtual 
> adaptor and an address configured in the lan scope behind the gateway, I 
> still end up with DPD messages and no connection. Next tried using the local 
> nic without the virtual adaptor. Same result DPD messages, no connection 
> completed.

I believe there was another user on the list that had a Fortinet gateway. 
If memory serves, we were able to get this working using static address 
assignments. I think if you toy with it long enough, you could get it to 
work. But that really is no way to manage remote access :) If DHCP over 
IPsec is the best way to get dynamic configurations out of these gateways, I 
would much rather spend time on getting that sorted out.

Thanks,

-Matthew
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: iked
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20070917/7612cb0c/attachment-0002.ksh>
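As an added illustration, not code from this thread or from the Shrew Soft client, here is a small decoder for the attribute list an IKE Mode Config (IKE-CFG) reply carries, i.e. the virtual address and DNS/WINS servers that the NCP reply above describes. It assumes the attribute type numbers from the IKE Mode Config draft (draft-dukes-ike-mode-cfg), which IKEv2 later kept, and it runs on a constructed sample payload with made-up addresses.

```python
import ipaddress
import struct

# Attribute types from draft-dukes-ike-mode-cfg; IKEv2 (RFC 7296, 3.15.1) kept the values.
ATTR_NAMES = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK", 3: "INTERNAL_IP4_DNS",
              4: "INTERNAL_IP4_NBNS", 5: "INTERNAL_ADDRESS_EXPIRY", 6: "INTERNAL_IP4_DHCP"}
IPV4_ATTRS = {1, 2, 3, 4, 6}
CFG_TYPES = {1: "REQUEST", 2: "REPLY", 3: "SET", 4: "ACK"}

def parse_attributes(data: bytes) -> list:
    """Decode ISAKMP data attributes (RFC 2408, 3.3): the high bit of the 16-bit type
    selects Type/Value (2-byte value) or Type/Length/Value; a zero-length TLV is a request."""
    out, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError(f"truncated attribute header at offset {off}")
        raw_type, second = struct.unpack_from("!HH", data, off)
        off += 4
        attr_type = raw_type & 0x7FFF
        if raw_type & 0x8000:                 # TV: 'second' is the value itself
            value = second.to_bytes(2, "big")
        else:                                  # TLV: 'second' is the value length
            if off + second > len(data):       # malformed: refuse rather than over-read
                raise ValueError(f"attribute {attr_type}: length {second} overruns payload")
            value = data[off:off + second]
            off += second
        name = ATTR_NAMES.get(attr_type, f"UNKNOWN_{attr_type}")
        decoded = value                        # raw bytes; b"" for a request
        if attr_type in IPV4_ATTRS and len(value) == 4:
            decoded = str(ipaddress.IPv4Address(value))
        elif attr_type == 5 and len(value) == 4:
            decoded = struct.unpack("!I", value)[0]   # address lifetime in seconds
        out.append((name, decoded))
    return out

def parse_modecfg(body: bytes) -> dict:
    """Decode a Mode Config Attribute payload body (after the generic payload header):
    Type (1 byte), Reserved (1), Identifier (2), then the attribute list."""
    cfg_type, _reserved, ident = struct.unpack_from("!BBH", body, 0)   # struct.error if short
    return {"type": CFG_TYPES.get(cfg_type, f"UNKNOWN_{cfg_type}"), "id": ident,
            "attributes": parse_attributes(body[4:])}

# Constructed sample reply (made-up addresses): virtual IP, netmask, DNS, WINS, lifetime.
SAMPLE_REPLY = bytes.fromhex(
    "02 00 1234"            # REPLY, reserved, identifier 0x1234
    "0001 0004 0a000005"    # INTERNAL_IP4_ADDRESS    10.0.0.5
    "0002 0004 ffffff00"    # INTERNAL_IP4_NETMASK    255.255.255.0
    "0003 0004 0a000001"    # INTERNAL_IP4_DNS        10.0.0.1
    "0004 0004 0a000002"    # INTERNAL_IP4_NBNS       10.0.0.2
    "0005 0004 00000e10"    # INTERNAL_ADDRESS_EXPIRY 3600 s
)
```

Feeding a captured Mode Config payload body to parse_modecfg() shows whether the gateway answered the client's REQUEST with a REPLY that actually carries the address and DNS/WINS attributes, which is the first thing to check when the exchange stalls at the config pull.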

