[vpn-help] Bug report: same subnet both ends of the tunnel doesn't work.

Ian Fraser Ian.Fraser at asm.org.uk
Wed Aug 4 04:19:17 CDT 2010


-----Original Message-----
From: Matthew Grooms [mailto:mgrooms at shrew.net]
Sent: 02 August 2010 20:44
To: Ian Fraser
Subject: Re: [vpn-help] Bug report: same subnet both ends of the tunnel doesn't work.

On 8/2/2010 11:56 AM, Ian Fraser wrote:
> -----Original Message-----
> From: Matthew Grooms [mailto:mgrooms at shrew.net]
> Sent: 02 August 2010 17:11
> To: Ian Fraser
> Subject: Re: [vpn-help] Bug report: same subnet both ends of the tunnel doesn't work.
>
> On 7/30/2010 12:36 AM, Matthew Grooms wrote:
>>
>> Hi Ian,
>>
>> I did some investigation and this is what I found. The client does do a
>> pretty good job of demoting existing routes and promoting the routes it
>> adds for tunneling. But since the client responds to ARP requests based
>> on the IPsec policies ( and there was an IPsec policy for the local
>> network because it exists remotely as well ), the host would get really
>> confused because it was receiving ARP responses on the real adapter as
>> well as the virtual adapter. In fact, you could see it bouncing between
>> the two interfaces using arp -a at the command line.
>>
>> In any case, the client now does a lookup to see if a gateway is used to
>> reach the VPN gateway. If so, we install a NONE policy to ensure that
>> packets destined to the gateway won't match an IPsec policy. The ARP
>> code was also modified to ensure that we won't respond to a request
>> coming from our virtual adapter to resolve the gateway MAC. This should
>> get you closer to what you want. Please let me know how it goes ...
>>
>> http://www.shrew.net/download/vpn/vpn-client-2.1.6-arpfix-1.exe
>>
>
>> Any feedback on this? If it's positive, I'll include these changes into
>> the 2.1.6 release. If not, I need to ditch them and move forward with
>> the release process.
>
> Yes good feedback so far, I have had 2 people that suffer with the problem confirm that this fixes the issue for them. The rest of them have failed to try it so far (so much for it being an urgent problem). So certainly the change has at the very least improved things. I shall report back when I have feedback from everyone.
>
> Thank you very much for your efforts.
>

Matthew,

I have confirmation from as many of my VPN users as I am likely to that this has resolved their problems.

Many thanks for your help.

Regards
Ian
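
A diagnostic sketch for the symptom described in the thread (the same address resolving on both the real and the virtual adapter in arp -a), added here as an example and not part of the original messages or the Shrew Soft client. It parses Windows `arp -a` output captured at two moments and reports neighbours seen on more than one interface; the addresses, MACs and interface indexes are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample data: two `arp -a` captures taken a few seconds apart.
# 192.168.1.50 stands in for the real adapter, 192.168.1.200 for the
# virtual adapter; both sit in the same subnet, as in the bug report.
SNAPSHOT_1 = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-1a-2b-aa-bb-cc     dynamic
"""
SNAPSHOT_2 = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.20          00-1a-2b-aa-bb-cc     dynamic

Interface: 192.168.1.200 --- 0x15
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-00-00-01     dynamic
"""

IFACE_RE = re.compile(r"^Interface:\s+(\S+)\s+---\s+0x[0-9a-fA-F]+")
ENTRY_RE = re.compile(
    r"^\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+\w+")

def parse_arp(text):
    """Return [(interface_ip, neighbour_ip, mac)] from `arp -a` output."""
    rows, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:                      # start of a per-interface table
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)   # header and blank lines do not match
        if m and iface:
            rows.append((iface, m.group(1), m.group(2).lower()))
    return rows

def find_flapping(snapshots):
    """Return {neighbour_ip: [(interface_ip, mac), ...]} for every
    neighbour that was resolved on more than one interface."""
    seen = defaultdict(set)
    for snap in snapshots:
        for iface, ip, mac in parse_arp(snap):
            seen[ip].add((iface, mac))
    return {ip: sorted(b) for ip, b in seen.items()
            if len({iface for iface, _ in b}) > 1}

if __name__ == "__main__":
    for ip, bindings in find_flapping([SNAPSHOT_1, SNAPSHOT_2]).items():
        print(ip, "resolved on multiple interfaces:", bindings)
```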

