[Vpn-help] trouble compiling beta3 on ubuntu 6.0.6 lts
Matthew Grooms
mgrooms at shrew.net
Mon Sep 17 21:28:38 CDT 2007
Harondel J. Sibble wrote:
>
> Since the current 50 is working fine for now, I could hook up the 50A on a
> spare ip address and give you remote access to it, along with instructions
> for getting debug/logging info from the box, if that helps with this.
>
Perfect. This would help immensely. Let me know when you have things up
and ready for testing.
>> DHCP packet handling code lying around that can be used to put this
>> together rather quickly. If you are willing to work with me on this, I
>> am very confident we can make this happen for 2.1 :)
>
> Coolio, count me in!
>
Very cool. I will do some prep work and read through the RFC a few more
times.
>> Is the Fortinet spitting out any diagnostics when the client attempts to
>> negotiate the config mode exchange?
>
> None, that I noticed, but I was viewing the ipsec stuff, not the dhcp stuff,
> will have to turn on dhcp debug and see if I see anything useful.
>
The diagnostic output would be for IKE, not DHCP. I would at least expect
to see an error message that describes the failure. Something along the
lines of "exchange type 6 not supported".
>> I believe there was another user on the list that had a Fortinet gateway. If
>> memory serves, we were able to get this working using static address
>> assignments. I think if you toy with it long enough, you could get it to work.
>
> Hmm, that didn't work for me, but I'll play with the settings a bit.
>
>> But that really is no way to manage remote access :)
>
> Agreed wholeheartedly! Hmm interestingly enough, the NCP client works fine
> connecting to the fortinet gateways doing dhcp over ipsec, but not to the
> sonicwall doing dhcp over ipsec. That's not too surprising since a lot of
> what sonicwall does is very proprietary, at least more so than most
> manufacturers.
>
If memory serves correctly, I believe it's either the sonic wall or the
juniper product line that supports mode config in push mode. I need to
create a compatibility matrix on the Shrew Soft web site to document all
this so it doesn't get lost in my head. Maybe a wiki would be in order
as well for users that are kind enough to write some quick vendor
platform specific notes or howtos.
>> If DHCP over IPsec is the best way to get dynamic configurations out of
>> these gateways, I would much rather spend time on getting that sorted
>> out.
>
> Like I said, I'll gladly help this effort in whatever way I can.
>
Excellent. I look forward to working with you on this.
> As to coding, maybe having a chat with the folks over at Lobotomo Software
> might be enlightening. They're the ones who put together IPSecuritas, a poor
> man's version of VPN Tracker (both mac based). Both programs are essentially
> front ends to racoon. I've gotten IPSecuritas working successfully with both
> Sonicwall and Fortinet Gateways. The latter was pretty easy, the former was
> not. You can read about what I had to do here
>
> <http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas;action=display;num=1160415123;start=0>
>
> or
>
> http://preview.tinyurl.com/29rra7
>
> Check out the 4th posting from the bottom by sibble-comp.
>
> Hmm, rereading my instructions, it looks like I am using neither dhcp over
> ipsec nor mode config.
Interesting read. I may have to get in touch with them if I hit a bump
in the road.
Thanks again,
-Matthew