[Vpn-help] Shrew VPN client - tunnel enabled but cannot access remote side

V.T.Marvin vtmarvin at gmail.com
Mon Sep 21 09:14:28 CDT 2009


Hello,

I have installed Shrew VPN client (latest stable 2.1.4) on my Acer 
notebook with Vista Home Premium SP2.
I need to connect to VPN gateway running on HP ProCurve 7102dl with VPN 
module.
When I am using original HP Procurve VPN client on WinXP everything 
works ok (client is not compatible with Vista).
It should work even from Vista using Microsoft IPSec client, but 
unfortunately Vista Home does not have secpol module to enable NAT-T on 
them *eh*.

With Shrew VPN client tunnel is established ... or at least connection 
window says:
bringing up tunnel ...
network device configured
tunnel enabled
then I can ping local VPN network interface but cannot ping/access 
remote network.
There are no errors on ProCurve side logs, according to debug info on 
ProCurve VPN - tunnel building is successful including IKE config pull, 
after that it receives keepalives etc. Everything looks as it should on 
gateway side.

The configuration used in Shrew VPN is the following:
- general
  - My ProCurve VPN gateway public IP
  - ike config Pull
  - localhost - use virtual adapter and assigned address (obtain automatically)
- client
  - nat traversal: enable
  - ike fragmentation: enable
- name resolution
  - enable DNS - obtain automatically
  - enable WINS: disabled
  - enable split DNS: disabled
- authentication
  - mutual PSK
  - local: User FQDN
  - remote: FQDN
  - credential: Preshared key
- phase 1:
  - exchange type: aggressive
  - DH: group 2
  - cipher: 3des
  - hash: sha1
- phase 2:
  - transform: auto
  - HMAC: auto
  - PFS: group 2
  - compress: disabled
- policy:
  - maintain persistent sec. associations - disabled
  - obtain topology automatically - disabled
  - added remote resource 192.168.0.0/255.255.255.0

-----

after connecting from Vista to ProCurve VPN gateway using Shrew
ipconfig contains following device (except from WiFi and Ethernet adapters):
(sorry for localized identifiers - order/meaning is the same as in your 
win ;))

Pripona DNS podle pripojeni . . . :
Popis . . . . . . . . . . . . . . : Shrew Soft Virtual Adapter
Fyzick Adresa. . . . . . . . . . : AA-AA-AA-AA-AA-00
Protokol DHCP povolen . . . . . . : Ne
Automaticka konfigurace povolena : Ano
Adresa IPv4 . . . . . . . . . . . : 192.168.2.220
Maska podsite . . . . . . . . . . : 255.255.255.255
Vychozi brana . . . . . . . . . . :
Servery DNS . . . . . . . . . . . : 192.168.0.1
NetBIOS nad TCP/IP. . . . . . . . : zakazano

routing table looks like this:

===========================================================================
Seznam rozhrani
13 ...aa aa aa aa aa 00 ...... Shrew Soft Virtual Adapter
11 ...00 22 fb 5c 5e 34 ...... Intel(R) WiFi Link 5100 AGN
10 ...00 26 9e 0c 2d f0 ...... Atheros AR8131 PCI-E Gigabit Ethernet 
Controller
1 ........................... Software Loopback Interface

===========================================================================

IPv4 Směrovaci tabulka
===========================================================================
Aktivni smerovani:
Cil v siti Sitova maska Brana Rozhrani Metrika
0.0.0.0 0.0.0.0 192.168.191.1 192.168.191.198 40
127.0.0.0 255.0.0.0 Propojené 127.0.0.1 306
127.0.0.1 255.255.255.255 Propojené 127.0.0.1 306
127.255.255.255 255.255.255.255 Propojené 127.0.0.1 306
192.168.0.0 255.255.255.255 Propojené 192.168.2.220 51
192.168.2.220 255.255.255.255 Propojené 192.168.2.220 306
192.168.191.0 255.255.255.0 Propojené 192.168.191.198 296
192.168.191.198 255.255.255.255 Propojené 192.168.191.198 296
192.168.191.255 255.255.255.255 Propojené 192.168.191.198 296
224.0.0.0 240.0.0.0 Propojené 127.0.0.1 306
224.0.0.0 240.0.0.0 Propojené 192.168.191.198 296
224.0.0.0 240.0.0.0 Propojené 192.168.2.220 306
255.255.255.255 255.255.255.255 Propojené 127.0.0.1 306
255.255.255.255 255.255.255.255 Propojené 192.168.191.198 296
255.255.255.255 255.255.255.255 Propojené 192.168.2.220 306
===========================================================================
Trvale trasy:
zadne

192.168.2.220 is IP assigned to local adapter using IKE pull,
192.168.0.0 is remote network behind VPN tunnel.

then I can ping VPN adapter IP but cannot ping/traceroute anything 
inside remote network - eg internal DNS.
When Shrew VPN configuration item -obtain topology automatically- was 
*on* then situation was the same, but I cannot ping even adapter IP.

-----

When trying to connect from WinXP SP2 (HP notebook) using Shrew VPN to 
HP ProCurve - routing table looks almost the same:

===========================================================================
Seznam rozhrani
0x1 ........................... MS TCP Loopback interface
0x40003 ...00 22 64 5f 8c 58 ...... Broadcom NetLink (TM) Gigabit 
Ethernet - Shrew Soft Miniport Filter
0x40004 ...00 21 00 76 f0 6a ...... Síťový adaptér Broadcom 802.11b/g - 
Shrew Soft Miniport Filter
0x70005 ...aa aa aa aa aa 00 ...... Shrew Soft Virtual Adapter - 
Deterministic Network Enhancer Miniport
===========================================================================
===========================================================================
Aktivni smerovani:
Cil v siti Sitova maska Brana Rozhrani Metrika
0.0.0.0 0.0.0.0 192.168.191.1 192.168.191.197 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.2.221 192.168.2.221 1
192.168.2.221 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.2.255 255.255.255.255 192.168.2.221 192.168.2.221 30
192.168.191.0 255.255.255.0 192.168.191.197 192.168.191.197 30
192.168.191.197 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.191.255 255.255.255.255 192.168.191.197 192.168.191.197 30
224.0.0.0 240.0.0.0 192.168.2.221 192.168.2.221 30
224.0.0.0 240.0.0.0 192.168.191.197 192.168.191.197 30
255.255.255.255 255.255.255.255 192.168.2.221 192.168.2.221 1
255.255.255.255 255.255.255.255 192.168.191.197 40003 1
255.255.255.255 255.255.255.255 192.168.191.197 192.168.191.197 1
Vychozi brana: 192.168.191.1
===========================================================================
Trvale trasy:
zadne

This time leased IP for VPN adapter was 192.168.2.221 - probably 
randomly chosen.
There is only one different thing - default gateway on last line 
192.168.191.1 and I think this is difference between Vista and XP.

Behaviour is the same.
I can ping VPN adapter IP but cannot reach remote network. Traceroute 
times out on 1st hop but it does even on working VPN connection.

-----

When using original HP Procurve VPN Client from XP it looks like this:
there is some adapter in ipconfig:
Pripona DNS podle pripojeni . . . :
Popis . . . . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Fyzicka Adresa. . . . . . . . . . : 00-53-45-00-00-00
Protokol DHCP povolen . . . . . . : Ne
Adresa IP . . . . . . . . . . . . : 192.168.2.221
Maska podsiti . . . . . . . . . . : 255.255.255.255
Vychozi brana . . . . . . . . . . :
Servery DNS . . . . . . . . . . . : 192.168.0.1

and routing table looks like this (provider IPs are different because I 
tried this one over different ISP, but it does not affect functionality 
of VPN):

===========================================================================
Seznam rozhrani
0x1 ........................... MS TCP Loopback interface
0x50003 ...00 22 64 5f 8c 58 ...... Broadcom NetLink (TM) Gigabit 
Ethernet - Deterministic Network Enhancer Miniport
0x50004 ...00 21 00 76 f0 6a ...... Síťový adaptér Broadcom 802.11b/g - 
Deterministic Network Enhancer Miniport
0x80005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Aktivni smerovani:
Cil v siti Sitova maska Brana Rozhrani Metrika
0.0.0.0 0.0.0.0 192.168.101.1 192.168.101.172 31
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.2.221 192.168.2.221 1
192.168.2.221 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.2.255 255.255.255.255 192.168.2.221 192.168.2.221 50
192.168.101.0 255.255.255.0 192.168.101.172 192.168.101.172 30
192.168.101.172 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.101.255 255.255.255.255 192.168.101.172 192.168.101.172 30
224.0.0.0 240.0.0.0 192.168.2.221 192.168.2.221 50
224.0.0.0 240.0.0.0 192.168.101.172 192.168.101.172 30
255.255.255.255 255.255.255.255 192.168.2.221 192.168.2.221 1
255.255.255.255 255.255.255.255 192.168.101.172 50003 1
255.255.255.255 255.255.255.255 192.168.101.172 192.168.101.172 1
Vychozi brana: 192.168.101.1
===========================================================================
Trvale trasy:
zadne


Then I can ping VPN adapter IP or ping/access any allowed IP in remote 
network.
-----

Because Shrew VPN client does establish tunnel without any problems it 
looks to me like some stupid problem on Windows side - routing or 
something similar, but I cannot figure out what is the cause.

Any ideas?

Thank you

M.
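
An added example, not part of the original post: a Python check that parses `route print` rows (a subset copied from the Vista and XP Shrew tables above) and reports which route a longest-prefix match selects for the internal DNS server 192.168.0.1, and whether the configured remote resource 192.168.0.0/255.255.255.0 is covered by a route on the virtual adapter. The function names are hypothetical.

```python
import ipaddress

# Subsets of the `route print` rows from the post:
# destination, mask, gateway, interface, metric.
VISTA_SHREW = """\
0.0.0.0 0.0.0.0 192.168.191.1 192.168.191.198 40
192.168.0.0 255.255.255.255 Propojené 192.168.2.220 51
192.168.2.220 255.255.255.255 Propojené 192.168.2.220 306
192.168.191.0 255.255.255.0 Propojené 192.168.191.198 296
"""
XP_SHREW = """\
0.0.0.0 0.0.0.0 192.168.191.1 192.168.191.197 30
192.168.0.0 255.255.255.0 192.168.2.221 192.168.2.221 1
192.168.2.221 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.191.0 255.255.255.0 192.168.191.197 192.168.191.197 30
"""

def parse_routes(text):
    """Return (network, interface, metric) for every five-column route row."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # header, separator or wrapped line
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[1]}", strict=False)
            metric = int(cols[4])
        except ValueError:
            continue  # first two columns are not address/mask
        routes.append((net, cols[3], metric))
    return routes

def best_route(routes, dest):
    """Longest-prefix match, ties broken by lowest metric; None if no match."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]), default=None)

def resource_covered(routes, resource, vpn_if):
    """True if one route bound to the VPN adapter contains the whole resource."""
    wanted = ipaddress.ip_network(resource, strict=False)
    return any(ifc == vpn_if and wanted.subnet_of(net) for net, ifc, _ in routes)

if __name__ == "__main__":
    for name, table, vpn_if in (("Vista", VISTA_SHREW, "192.168.2.220"),
                                ("XP", XP_SHREW, "192.168.2.221")):
        routes = parse_routes(table)
        net, ifc, _ = best_route(routes, "192.168.0.1")
        covered = resource_covered(routes, "192.168.0.0/255.255.255.0", vpn_if)
        print(f"{name}: 192.168.0.1 -> {net} via {ifc}; /24 covered: {covered}")
```

In the Vista table the 192.168.0.0 entry carries mask 255.255.255.255, so 192.168.0.1 matches only the default route on the WiFi interface. The XP Shrew table does cover the /24 on the virtual adapter, so on that machine the route entry itself is ruled out.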