[Vpn-help] DHCP over IPSEC problems
Matthew Grooms
mgrooms at shrew.net
Tue Jun 16 20:27:26 CDT 2009
Bryan Washer wrote:
> Anyone,
>
Hi Bryan,
> I have started to try and get the shrew client working within my
> fortinet enterprise installation. I have quite a number of remote VPN
> users that are connecting to Fortigate F60’s. I have been looking at
> the Shrew client to provide VPN client access for my Linux users. This
> is where I have run into a couple of issues.
>
> 1. If I connect with a Debian installation everything works
> fine. If I use a RHEL 5 installation I get an error “Unable to bind to
> DHCP socket” and it hangs at “bringing the tunnel up”. If I reconfigure
> the client to use a static IP address then it connects and everything
> works fine.
>
Which version of the client do you have installed? I have to admit, I
have never seen this error message before. I need to look at the code
again, but I don't believe it's attempting to bind to a privileged socket
so I'm not sure what is causing the failure.
> 2. Sometimes when disconnecting the VPN client it hangs with the
> following message “unregister_netdevice: waiting for tap0 to become
> free. Usage count=1” and never clears up. Again this is on RHEL 5, and
> I have not heard of this problem on the Debian system.
>
Hmmm. I have seen a similar problem before where the network device
would not de-register unless all IPsec SPs/SAs were first removed. Can
you try running the following commands in a terminal as root next time
this occurs ( you will need ipsec-tools installed ) ...
#setkey -F
#setkey -FP
> Any help would be greatly appreciated. If you need any additional
> information or testing done please let me know and I will get it for you
> as soon as possible.
>
> Thanks for any help you can give on this matter... I have quite a few
> Linux users that would love to have this and stop using their virtual
> Windows machines to connect to the office.
>
Well, I'm not sure I was much help but hopefully we can get this working
for you 100% after some trial and error.
-Matthew