[vpn-help] no traffic passing through tunnel (Windows Vista SP2 32bit)

Vaclav Brozik pabouk at centrum.cz
Mon Feb 14 17:43:59 CST 2011


Hello,

I am testing Shrew Soft VPN Client 2.1.7 on Windows Vista SP2 32 bit.
The VPN gateway is some Cisco device. It introduces itself as Cisco Systems, Inc ASA5520-K8.
The IKE negotiation completes successfully and successful keep-alive packet exchange follows.

Unfortunately no traffic passes through the established VPN tunnel. It looks like there is an ARP or routing problem.

------ here is the virtual interface:
Ethernet adapter Local Area Connection* 42:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
   Physical Address. . . . . . . . . : AA-AA-AA-46-BC-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1fa:d425:d0c9:2bc4%134(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.94.48(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : -1968526678
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0E-70-91-69-00-1A-4B-61-1C-D2
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Disabled

------ relevant routes from the routing table:
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.147.254  192.168.147.101    266
...
     192.168.94.0    255.255.255.0         On-link     192.168.94.48    286
    192.168.94.48  255.255.255.255         On-link     192.168.94.48    286
   192.168.94.255  255.255.255.255         On-link     192.168.94.48    286
     192.168.95.0    255.255.255.0         On-link     192.168.94.48     31
   192.168.95.255  255.255.255.255         On-link     192.168.94.48    286

192.168.94.0/24 - is the subnet for VPN client addresses
192.168.95.0/24 - is the remote subnet behind the VPN gateway I want to access

Notice that the routing table is set as if the remote subnet were connected directly to a local interface
(there is no gateway set), so Windows needs to receive a reply to ARP when sending a packet to the remote subnet.
Is the routing table supposed to be like this?

------ Unfortunately when I ping a remote address Windows receives no reply to the ARP request, resulting in a "destination unreachable" message:
C:\Windows\system32>ping 192.168.95.184

Pinging 192.168.95.184 with 32 bytes of data:
Reply from 192.168.94.48: Destination host unreachable.
Request timed out.

------ the ARP request captured using Wireshark (no reply was ever seen):
1   0.000000000   aa:aa:aa:46:3c:00   Broadcast   ARP   42   Who has 192.168.95.184?  Tell 192.168.94.48

What is strange: the IPSEC service logs other ARP requests but not this one, which does not get a reply.

------ this message sequence continuously repeats twice per second in the IPSEC service log:
11/02/14 23:28:33 K< : recv GET UNSPEC pfkey message
11/02/14 23:28:33 DB : sa found
11/02/14 23:28:33 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/02/14 23:28:33 DB : sa ref decrement ( ref count = 2, sa count = 2 )

------ message describing unrelated ARP request to local network:
11/02/14 23:28:44 ii : inspecting ARP request ...
11/02/14 23:28:44 DB : policy not found
11/02/14 23:28:44 ii : ignoring ARP request for 192.168.147.254, no policy found

------ message related to a request of other LAN machine asking for address of my Windows machine:
11/02/14 23:29:23 ii : inspecting ARP request ...
11/02/14 23:29:23 !! : ARP packet has invalid header

(In fact the ARP request does not look wrong and is correctly replied to by my Windows machine.)

ARP request sent from the Shrew Soft Virtual Adapter does not appear in the log at all!
It seems that the VPN client does not see the ARP request.
Also the "transferred" counters of the IPsec Security Associations stay at 0 all the time.
I tried a different internet connection (dialup over GPRS) too - no success.

Am I missing something in the VPN client or Windows configuration or could this be a bug in the VPN client?

Thank you in advance for your help.

Pabouk
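The question above hinges on how Windows chooses between the routes quoted in the post: the remote subnet 192.168.95.0/24 is installed On-link on the virtual adapter, so the host ARPs for the remote address itself instead of for a gateway. The following is an added example, not code from the original post or from the Shrew Soft client; it parses a `route print` table (the sample below is constructed from the routes quoted in the post), performs the longest-prefix / lowest-metric lookup Windows performs, and reports which address the host will ARP for and whether that address lies inside the chosen interface's own subnet. The function names, the `classify` result keys and the sample destinations are assumptions made for this example.

```python
"""Classify how a Windows host forwards a packet, from `route print` output.

Added example (not part of the original post). It reads the IPv4 routing
table the way the writer read it by eye, applies Windows' rule of longest
prefix first and lowest metric second, and reports whether the winning
route is On-link (the host ARPs for the destination itself) or via a
gateway (the host ARPs for the gateway).
"""
import ipaddress

# Constructed sample: the routes quoted in the post. The physical NIC's own
# On-link routes were elided ("...") in the post and are absent here too.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.147.254  192.168.147.101    266
     192.168.94.0    255.255.255.0         On-link     192.168.94.48    286
    192.168.94.48  255.255.255.255         On-link     192.168.94.48    286
   192.168.94.255  255.255.255.255         On-link     192.168.94.48    286
     192.168.95.0    255.255.255.0         On-link     192.168.94.48     31
   192.168.95.255  255.255.255.255         On-link     192.168.94.48    286
"""


def parse_routes(text):
    """Return a list of (network, gateway_or_None, interface, metric) tuples.

    Lines that are not five whitespace-separated IPv4 route fields (the
    header, section titles, IPv6 entries) are skipped.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            interface = ipaddress.ip_address(iface)
            metric = int(metric)
        except ValueError:
            continue
        gateway = None if gw.lower() == "on-link" else ipaddress.ip_address(gw)
        routes.append((network, gateway, interface, metric))
    return routes


def best_route(routes, dst):
    """Longest-prefix match; ties broken by the lowest metric."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def interface_subnet(routes, interface):
    """The On-link, non-host network that contains the interface's own address."""
    for network, gateway, iface, _ in routes:
        if gateway is None and iface == interface \
                and network.prefixlen < 32 and interface in network:
            return network
    return None


def classify(routes, dst):
    """Describe the next hop for `dst`: which route wins and who gets ARPed."""
    dst_ip = ipaddress.ip_address(dst)
    route = best_route(routes, dst_ip)
    if route is None:
        return {"dst": dst, "route": None, "interface": None, "on_link": False,
                "arp_target": None, "within_interface_subnet": None}
    network, gateway, interface, _metric = route
    on_link = gateway is None
    subnet = interface_subnet(routes, interface)
    return {
        "dst": dst,
        "route": str(network),
        "interface": str(interface),
        "on_link": on_link,
        # On-link: ARP for the destination itself; otherwise ARP for the gateway.
        "arp_target": str(dst_ip if on_link else gateway),
        # None when the table does not reveal the interface's own subnet.
        "within_interface_subnet": (dst_ip in subnet) if subnet is not None else None,
    }


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    # Assumed sample destinations: the pinged host from the post, the
    # client's own address, and an arbitrary Internet address.
    for target in ("192.168.95.184", "192.168.94.48", "8.8.8.8"):
        print(classify(table, target))
```

For 192.168.95.184 the result is the situation the post describes: the /24 On-link route on 192.168.94.48 wins over the default route, the ARP target is 192.168.95.184 itself, and that address is outside the virtual adapter's own 192.168.94.0/24. Whether such an ARP request is answered is therefore up to whatever sits behind the virtual adapter, which is exactly what the IPSEC service log lines about "inspecting ARP request" are about.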
