[Vpn-help] trouble compiling beta3 on ubunutu 6.0.6 lts

Matthew Grooms mgrooms at shrew.net
Mon Sep 17 21:28:38 CDT 2007


Harondel J. Sibble wrote:
>  
> Since the current 50 is working fine for now, I could hook up the 50A on a 
> spare ip address and give you remote access to it, along with instructions 
> for getting debug/logging info from the box, if that helps with this.
> 

Perfect. This would help immensely. Let me know when you have things up 
and ready for testing.

>> DHCP packet handling code lying around that can be used to put this 
>> together rather quickly. If you are willing to work with me on this, I 
>> am very confident we can make this happen for 2.1 :)
> 
> Coolio, count me in!
>  

Very cool. I will do some prep work and read through the RFC a few more 
times.

>> Is the Fortinet spitting out any diagnostics when the client attempts to
>> negotiate the config mode exchange?
> 
> None, that I noticed, but I was viewing the ipsec stuff, not the dhcp stuff, 
> will have to turn on dhcp debug and see if I see anything useful.
>

The diagnostic output would be for ike not DHCP. I would at least expect 
to see an error message that describes the failure. Something along the 
lines of "exchange type 6 not supported".

>> I believe there was another user on the list that had a Forinet gateway. If
>> memory serves, we were able to get this working using static address
>> assignments. I think if you toy with it long enough, you could get it to work.
> 
> Hmm, that didn't work for me, but I'll play with the settings a bit.
> 
>> But that really is no way to manage remote access :) 
> 
> Agreed wholeheartedly! Hmm interestingly enough, the NCP client works fine 
> connecting to the fortinet gateways doing dhcp over ipsec, but not to the 
> sonicwall doing dhcp over ipsec. That's not too surprising since a lot of 
> what sonicwall does is very proprietary, at least more so than most 
> manufacturers.
>

If memory serves correctly, I believe its either the sonic wall or the 
juniper product line that supports mode config in push mode. I need to 
create a compatibility matrix on the Shrew Soft web site to document all 
this so it doesn't get lost in my head. Maybe a wiki would be in order 
as well for users that are kind enough to write some quick vendor 
platform specific notes or howtos.

>> If DCHP over IPsec is best way to get dynamic configurations out of
>> these gateways, I would much rather spend time on getting that sorted
>> out. 
> 
> Like I said, I'll gladly help this effort in whatever way I can. 
> 

Excellent. I look forward to working with you on this.

> As to coding, maybe having a chat with the folks over at Lobotomo Software 
> might be enlightening. Ther're the ones who put together IPSecuritas, a poor 
> man's version of VPN Tracker (both mac based). Both programs are essentially 
> front ends to racoon.  I've gotten IPSecuritas working successfully with both 
> Sonicwall and Fortinet Gateways.  The latter was pretty easy, the former was 
> not.   You can read about what I had to do here
> 
> <http://www.lobotomo.com/cgi-
> bin/yabb/YaBB.pl?board=IPSecuritas;action=display;num=1160415123;start=0>
> 
> or 
> 
> http://preview.tinyurl.com/29rra7
> 
> Check out the 4th posting from the bottom by sibble-comp.
> 
> Hmm, rereading my instructions, it looks like I am using neither dhcp over 
> ipsec or mode config.

Interesting read. I may have to get in touch with them if I hit a bump 
in the road.

Thanks again,

-Matthew



More information about the vpn-help mailing list