[Vpn-help] trouble compiling beta3 on ubuntu 6.0.6 lts
Matthew Grooms
mgrooms at shrew.net
Mon Sep 17 18:04:02 CDT 2007
Harondel J. Sibble wrote:
> Matthew
>
> Hmm, I've seen something similar with the Sonicwall units resulting in having
> to use dhcp over ipsec or local ip configuration. Perfect example, the NCP
> client on my Windows Mobile 5 Axim X51V, using mode config against the
> sonicwall tz170, the connection will fail every time. Configuring the client
> to use the local address works every time, but then dns resolution on the lan
> (windows 2003 AD) fails from the pda.
>
> This was the info I got from NCP tech support
>
> DHCP over IPsec is not a mechanism that is encouraged to be used; as it's
> very prone to timeouts. The ('standard') mechanism that does what you are
> looking for is called IKE-ConfigMode (or IKE-CFG), which essentially sends
> the client a (virtual) IP address, and also the DNS/WINS server addresses.
> However, although this can be selected by the NCP Secure Client, it is
> NOT, to the best of my knowledge a feature that is available on the
> SonicWALL.
>
> You can also manually configure the DNS/WINS server addresses within the
> client; and enable NetBIOS on the client, and you should be able to
> resolve names and not have to resort to using IP addresses only! If it's
> not working, then I suggest you double check routing to ensure the client
> can reach the DNS server specified.
>
Very interesting. Thanks for sharing.
>
> Hmm, I'm updating my case with Fortinet to request whether they support mode
> config as opposed to dhcp over ipsec. From experience I suspect they support
> the latter and not the former, similar to Sonicwall. Does Shrew support the
> latter?
>
At present, the Shrew Soft Client supports modecfg very well but does
not support DHCP over IPSEC. When updating your case, can you please
verify that they support the DHCP over IPSEC specification outlined in
RFC3456 or if they utilize a proprietary implementation.
With that said, I would very much like to support DHCP over IPSEC. The
only reason I haven't attempted to implement this yet is that I don't
have access to a gateway that supports the standard. I even have some
DHCP packet handling code lying around that can be used to put this
together rather quickly. If you are willing to work with me on this, I
am very confident we can make this happen for 2.1 :)
> Where do I get sysv startup script I see mentioned in a few posts, that
> doesn't seem to be around after my compile.
>
Attached.
>
> This doesn't stop during a session, but after you disconnect the client,
> then hit the connect button again, about 50% of the time it says "failed to
> attach to key daemon". Hmm, seems to consistently happen after I change the
> client config. I assume that's a feature so the daemon can reload the
> policies?
>
No, this is not a feature. If iked is not responding to the client, then
it has either crashed or hit a deadlock. If you still see this happen
with beta 4, please try killing iked, then run it with the -F switch
(foreground mode) and let me know what the output looks like when it
stops responding.
>
> After the initial contact info it sits about 8 lines later at the sending
> config pull request and doesn't go any further, none of the DPD stuff.
> Tried it both with Nat-T disabled and enabled, no change. Switch back to push
> method and I start seeing the DPD messages again on both sides.
>
Is the Fortinet spitting out any diagnostics when the client attempts to
negotiate the config mode exchange?
> Gonna try manual configuration and see what happens. Using the Virtual
> adaptor and an address configured in the lan scope behind the gateway, I
> still end up with DPD messages and no connection. Next tried using the local
> nic without the virtual adaptor. Same result DPD messages, no connection
> completed.
I believe there was another user on the list that had a Fortinet gateway.
If memory serves, we were able to get this working using static address
assignments. I think if you toy with it long enough, you could get it to
work. But that really is no way to manage remote access :) If DHCP over
IPsec is the best way to get dynamic configurations out of these gateways, I
would much rather spend time on getting that sorted out.
Thanks,
-Matthew
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: iked
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20070917/7612cb0c/attachment-0002.ksh>
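The SysV startup script Matthew attached was scrubbed from the archive. What follows is an added example of such a script for iked, written for this page and not the attached one; it assumes iked is installed at /usr/sbin/iked (assumed path) and accepts the -F foreground switch mentioned in the post.

```sh
#!/bin/sh
# Example SysV-style init script for the Shrew Soft iked daemon. Added
# illustration only, NOT the script attached to the post. Assumed: iked is
# installed at /usr/sbin/iked and accepts the -F (foreground) switch.

DAEMON="${IKED_DAEMON:-/usr/sbin/iked}"      # assumed install path
DAEMON_ARGS="${IKED_ARGS:--F}"               # -F = foreground mode
PIDFILE="${IKED_PIDFILE:-/var/run/iked.pid}"
LOGFILE="${IKED_LOG:-/var/log/iked.log}"     # output kept for bug reports
# Print the recorded pid if that process is still alive; otherwise return 1.
iked_pid() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null || return 1
    echo "$pid"
}

iked_start() {
    if pid=$(iked_pid); then echo "iked already running (pid $pid)"; return 0; fi
    [ -x "$DAEMON" ] || { echo "$DAEMON: not executable" >&2; return 1; }
    # Foreground mode with stdout/stderr logged: if iked stops responding
    # ("failed to attach to key daemon"), the log shows where it hung.
    "$DAEMON" $DAEMON_ARGS >>"$LOGFILE" 2>&1 &
    echo $! >"$PIDFILE"
    echo "iked started (pid $!)"
}

iked_stop() {
    pid=$(iked_pid) || { rm -f "$PIDFILE"; echo "iked not running"; return 0; }
    kill "$pid"
    wait "$pid" 2>/dev/null || true           # reaps it if it is our own child
    i=0; while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 5 ]; do sleep 1; i=$((i+1)); done
    if kill -0 "$pid" 2>/dev/null; then kill -9 "$pid"; fi
    rm -f "$PIDFILE"
    echo "iked stopped"
}

iked_status() {
    if pid=$(iked_pid); then echo "iked running (pid $pid)"; return 0; fi
    echo "iked not running"; return 3         # LSB status code: not running
}
case "${1:-}" in
    start)   iked_start ;;
    stop)    iked_stop ;;
    restart) iked_stop; iked_start ;;
    status)  iked_status ;;
    "")      ;;                               # sourced without an action
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Install it as /etc/init.d/iked and register it with update-rc.d; the log file is what to send along when iked hangs.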