[Vpn-help] DHCP over IPSEC problems

Matthew Grooms mgrooms at shrew.net
Tue Jun 16 20:27:26 CDT 2009


Bryan Washer wrote:
> Anyone,
> 

Hi Bryan,

>   I have started to try and get the shrew client working within my 
> fortinet enterprise installation.  I have quite a number of remote VPN 
> users that are connecting to Fortigate F60’s.  I have been looking at 
> the Shrew client to provide VPN client access for my Linux users.  This 
> is where I have run into a couple of issues. 
> 
> 1.        If I connect with a Debian installation everything works 
> fine.  If I use a RHEL 5 installation I get an error “Unable to bind to 
> DHCP socket” and it hangs at “bringing the tunnel up”.  If I reconfigure 
> the client to use a static IP address then it connects and everything 
> works fine.
> 

Which version of the client do you have installed? I have to admit, I 
have never seen this error message before. I need to look at the code 
again, but I don't believe it's attempting to bind to a privileged socket 
so I'm not sure what is causing the failure.

> 2.       Sometimes when disconnecting the VPN client it hangs with the 
> following message “unregister_netdevice: waiting for tap0 to become 
> free. Usage count=1” and never clears up.  Again this is on RHEL 5, and 
> I have not heard of this problem on the Debian system.
> 

Hmmm. I have seen a similar problem before where the network device 
would not de-register unless all IPsec SPs/SAs were first removed. Can 
you try running the following commands in a terminal as root next time 
this occurs ( you will need ipsec-tools installed ) ...

# setkey -F
# setkey -FP

> Any help would be greatly appreciated.  If you need any additional 
> information or testing done please let me know and I will get it for you 
> as soon as possible.
> 
> Thanks for any help you can give on this matter... I have quite a few 
> Linux users that would love to have this and stop using their virtual 
> Windows machines to connect to the office.
> 

Well, I'm not sure I was much help but hopefully we can get this working 
for you 100% after some trial and error.

-Matthew
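The flush sequence Matthew suggests above, wrapped into a small teardown helper as an added example (not code from the thread or from the Shrew Soft project). It assumes ipsec-tools is installed and the script runs as root; the SAD/SPD counting functions parse `setkey -D` / `setkey -DP` output by counting its `spi=` and `spid=` lines, so an admin can log how many SAs and policies were still present before the flush that frees the tap device. The interface name `tap0` and the `--teardown` flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original thread): flush the IPsec SAD and SPD
# with setkey, as suggested in the reply, then check whether the tap device
# used by the client has been released. Requires root and ipsec-tools.

# Count SAD entries in `setkey -D` output: each SA has one "spi=" line.
# "No SAD entries." yields 0. The "|| true" keeps grep's exit 1 on zero
# matches from aborting a script running under "set -e".
count_sas() {
    printf '%s\n' "$1" | grep -c 'spi=' || true
}

# Count SPD entries in `setkey -DP` output: each policy has one "spid=" line.
# ("spi=" does not match "spid=", so the two counters do not overlap.)
count_sps() {
    printf '%s\n' "$1" | grep -c 'spid=' || true
}

# Returns 0 (true) once the interface no longer exists under /sys/class/net.
tap_released() {
    [ ! -e "/sys/class/net/$1" ]
}

# Log the SAD/SPD state before flushing, so the hang can be correlated with
# leftover SAs or policies in the admin's own notes.
report_state() {
    sad=$(setkey -D 2>/dev/null || true)
    spd=$(setkey -DP 2>/dev/null || true)
    echo "SAs: $(count_sas "$sad")  SPs: $(count_sps "$spd")"
}

# Flush in the order given in the reply: SAs first (-F), then policies (-FP),
# then give the kernel a moment and check whether the device went away.
teardown_tunnel() {
    dev="${1:-tap0}"
    setkey -F
    setkey -FP
    sleep 1
    tap_released "$dev"
}

# Usage (as root): sh ipsec_teardown.sh --teardown tap0
if [ "${1:-}" = "--teardown" ]; then
    report_state
    if teardown_tunnel "${2:-tap0}"; then
        echo "${2:-tap0} released"
    else
        echo "${2:-tap0} still present: check dmesg for unregister_netdevice"
    fi
fi
```

Run it only when the hang is actually observed; on a healthy disconnect the client removes its own SAs and policies, and the report will show zero entries.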


