[vpn-help] Debugging tunnel issues on Mac OS VPN Client

Kevin VPN kvpn at live.com
Mon Aug 29 20:56:20 CDT 2011


On 08/01/2011 04:54 PM, Mario Russo wrote:
> Adding some new information in case it sparks any ideas.
>
> Recap:
> From my home network (WRT54G home router):
> ShrewSoft 2.17 VPN client connects OK via a Windows 7 VM (Fusion) running on my MacBook Pro.
> ShrewSoft 2.2 VPN client on Mac OS (Snow Leopard) receives the “session terminated by gateway” (I’ve noticed that others seem to have trouble with this when dealing with Cisco equipment).
>
> Update:
> From the wifi network at the public library:
> ShrewSoft 2.17 VPN client on Windows 7 VM connects OK.
> ShrewSoft 2.2 VPN client on Mac OS connects OK!
>
> I went to the public library for a couple hours this morning and decided to try it out from there.  And it works!
> So I have no idea what kind of hardware / network structure they’re running, but I could successfully connect and access internal machines.
>
> Now that I’m back home I’ve tried several times again with the same results: “session terminated by gateway.”
>
> Because my Windows VM can connect OK I’m tempted to think it is not a configuration issue with my home router.  But, at the advice of another post in the archive I explicitly opened up ports 500,4500 for TCP/UDP on my home router. Still no luck.
>
> Thanks for reading,
> Mario
>
>
> ________________________________
> Date: Fri, 29 Jul 2011 15:24:42 -0500
> To: "vpn-help at lists.shrew.net"<vpn-help at lists.shrew.net>
> Subject: [vpn-help] Debugging tunnel issues on Mac OS VPN Client
>
> Hello,
> I’ve been doing some testing of the Mac VPN client following a few posts in the archives. I believe I installed the stack correctly, but I’m running into issues establishing & maintaining a tunnel.
>
> Background:
> I just started working with a client that uses the Shrew VPN client on Windows machines with a Cisco solution. To test connectivity I installed the Shrew Windows client (2.1.7) on a Windows 7 VM and I’m able to connect & authenticate using the .PCF file they provided.
>
> The problem is that most members of my development team (including myself) use Macs. After installing the stack on my Mac and attempting to connect, the session is terminated by the gateway after about 30 seconds.  During the ~30 seconds it appears that I’m connected (I get the confirmation / help desk message from the host), but I’m not able to ping any resources on the network.
>
> I noticed that the VPN trace utility isn’t available in the Mac version, so I’m not sure how much extra information I can provide. The trace from the Access Manager is included below.
>
> If anyone has any insight about how to proceed I’d love to hear it.
>
> Thanks for your time,
> Mario
>
>
> Platform:
> ----------------------------------------------
> Mac OS X 10.6.7
> qt 4.7.1
> tuntap 20090913
> ShrewSoft VPN Mac client 2.2.0
>
>
> ACCESS MANAGER LOGS:
> ----------------------------------------------
> Windows Client (successful):
> ----------------------------------------------
> config loaded for site '******.pcf'
> configuring client settings ...
> attached to key daemon ...
> peer configured
> iskamp proposal configured
> esp proposal configured
> client configured
> local id configured
> pre-shared key configured
> bringing up tunnel ...
> network device configured
> tunnel enabled
> ----------------------------------------------
> Mac Client (not successful):
> ----------------------------------------------
> config loaded for site '*****'
> attached to key daemon ...
> peer configured
> iskamp proposal configured
> esp proposal configured
> client configured
> local id configured
> remote id configured
> pre-shared key configured
> bringing up tunnel ...
> network device configured
> tunnel enabled
>
> ~30 seconds
>
> session terminated by gateway
> tunnel disabled
> detached from key daemon
>
>

Hi Mario,

I'm wondering if perhaps you have a problem with overlapping subnets 
when you are connecting from home.

For instance, if your corporate network uses the same private addresses 
internally as your local network at home does, that would cause a 
conflict that could break the VPN.  Most Linksys routers default to 
using network 192.168.1.x mask 255.255.255.0, but perhaps the public 
library uses a different set of addresses.  You could try changing your 
Linksys to use a different IP subnet.

My theory as to the reason it works from the Windows Fusion instance
is that often VM software defines a local subnet within the hardware 
that does not overlap with the IP network used by the host OS.  The 
guest OS uses this other network so that there is not actually a 
conflict anymore.
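
The overlap check suggested in the reply above can be scripted. This is an added example, not part of the original message or of the Shrew Soft client; the corporate networks, the library address and the VM NAT address are constructed sample values, since the thread does not state them.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread):
# the networks behind the corporate gateway are not stated by the poster.
REMOTE_NETS = ["192.168.1.0/24", "10.20.0.0/16"]
SCENARIOS = {
    "home LAN (Linksys default)": "192.168.1.105/24",
    "public library wifi": "172.16.40.23/22",
    "VM guest behind NAT": "192.168.213.128/24",
}


def overlaps(local_if, remote_nets):
    """Return the remote networks that overlap the subnet of local_if."""
    local = ipaddress.ip_interface(local_if).network
    hits = []
    for r in remote_nets:
        remote = ipaddress.ip_network(r, strict=False)
        if local.version == remote.version and local.overlaps(remote):
            hits.append(str(remote))
    return hits


def suggest_lan(remote_nets, also_avoid=()):
    """Pick the first 192.168.x.0/24 that overlaps none of the given nets."""
    taken = [ipaddress.ip_network(n, strict=False)
             for n in list(remote_nets) + list(also_avoid)]
    for third in range(2, 255):
        cand = ipaddress.ip_network(f"192.168.{third}.0/24")
        if not any(cand.overlaps(t) for t in taken if t.version == 4):
            return str(cand)
    return None  # every candidate collides with something


def report():
    """Map each scenario name to the remote networks it conflicts with."""
    return {name: overlaps(addr, REMOTE_NETS) for name, addr in SCENARIOS.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        status = "CONFLICT with " + ", ".join(hits) if hits else "ok"
        print(f"{name:30} {status}")
    # Also avoid the VM NAT subnet when renumbering the home router.
    print("suggested home LAN:", suggest_lan(REMOTE_NETS, ["192.168.213.0/24"]))
```

Replace the sample values with the local interface address and the remote networks the gateway pushes to the client before drawing any conclusion from the output.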


