[vpn-help] Other VPN software stops Shrew Working

Matthew Grooms mgrooms at shrew.net
Sun Feb 6 15:55:26 CST 2011


On 2/2/2011 4:01 PM, Silveston, Tony wrote:
> Hi
>
> I am running Windows XP on a specialized HP build laptop.
>
> It uses Remote Access to HP (RA2HP) VPN software to allow me to connect to HP internal networks.
> http://remote-access-to-hp-ra2hp-vpn.software.informer.com/
>
> This works fine although I cannot configure it to allow access to other VPN sites apart from HP.
>
> Therefore I have also installed SHREW v2.1.7.
>
> I want this to connect to a Cisco VPN gateway that is nothing to do with HP.
>
> If I disable the RA2HP VPN connection I can connect to my Cisco gateway VPN.
>
> If I enable the RA2HP VPN then I cannot also connect to the Cisco VPN gateway.
>
> I get a "negotiation timeout occurred"...
>
> Any ideas how to get them both working together?
>

Tony,

No, unfortunately I don't. We have made every attempt to create a VPN 
client that is as friendly to other installed software as possible. We 
use very specialized rules to only accept and process traffic that is 
unique to a VPN session established by our VPN client. We don't touch 
any other traffic, even if it is IPsec related. That means that it is 
_possible_ to use the Shrew Soft client along with other VPN clients. 
But possible doesn't mean it will work. In fact, in most cases it will 
probably break in one way or another unless the following are true ...

1) The other VPN client software was written with the same care as the 
Shrew Soft client. That means, not making assumptions about being the 
only IPsec client installed on the machine and blindly eating IKE or 
IPsec packets that may belong to other software.

2) Your IPsec policies don't overlap. If one client is configured to 
send all traffic down its tunnel, then a second VPN client would fail to 
establish its tunnel ( negotiation traffic is sent down the first VPN 
connection's tunnel ).

3) In most cases, only one client will _win_ when it comes to custom DNS 
settings, with the latter overwriting the former connection's settings.

So to summarize: Yes, it's possible to do what you want but the chance of 
two tunnels working correctly without them being designed to do so is 
just about nil. From what I have seen from other VPN client vendors, 
they just don't seem to care much to co-exist with other IPsec client 
software. This leads to a lot of head scratching and questions like, "Am 
I running into a configuration conflict that can be fixed, or are the 
software components stepping on each other's toes?"

Sorry I can't be more help,

-Matthew
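Point 2 of the reply above describes the mechanism behind the "negotiation timeout": if the first tunnel's policy claims all traffic, the second client's IKE packets to its own gateway are pulled into the first tunnel and never reach the peer. The following is an added example, not Shrew Soft code and not a description of the RA2HP or Cisco configuration in the thread; it models each client as a gateway address plus a list of remote traffic selectors (CIDRs) and reports whether the second client's negotiation would be captured and where the two policies overlap. The addresses and selectors are constructed, and the assumption that a client always exempts its own gateway from its tunnel policy is a simplification.

```python
"""Diagnose IPsec policy overlap between two VPN client configurations.

Added example (not Shrew Soft code). Gateways and selectors below are
constructed for illustration and do not describe the RA2HP or Cisco
setups discussed in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class TunnelPolicy:
    name: str
    gateway: str                 # IKE peer the client negotiates with
    remote_selectors: List[str]  # destination networks sent into the tunnel

    def networks(self):
        return [ip_network(s) for s in self.remote_selectors]

    def captures(self, dst: str) -> bool:
        """True if traffic to dst is pulled into this tunnel.

        Assumption: a client always exempts its own gateway (otherwise it
        could never reach it), so that address is never captured.
        """
        addr = ip_address(dst)
        if addr == ip_address(self.gateway):
            return False
        return any(addr in net for net in self.networks())


def negotiation_captured(existing: TunnelPolicy, new: TunnelPolicy) -> bool:
    """Would the new client's IKE packets (UDP 500/4500 to its gateway) be
    swallowed by the existing tunnel's policy? If so the negotiation never
    reaches the peer: the 'negotiation timeout' symptom from the thread."""
    return existing.captures(new.gateway)


def selector_overlap(a: TunnelPolicy, b: TunnelPolicy) -> List[Tuple[str, str]]:
    """Pairs of traffic selectors that overlap. For those destinations both
    clients claim the packet and only one can win."""
    pairs = []
    for na in a.networks():
        for nb in b.networks():
            if na.overlaps(nb):
                pairs.append((str(na), str(nb)))
    return pairs


def diagnose(existing: TunnelPolicy, new: TunnelPolicy) -> List[str]:
    """Human-readable findings: a captured negotiation first, then every
    overlapping selector pair."""
    findings = []
    if negotiation_captured(existing, new):
        findings.append(
            f"{new.name}: IKE traffic to {new.gateway} is routed into "
            f"{existing.name}'s tunnel; expect a negotiation timeout")
    for na, nb in selector_overlap(existing, new):
        findings.append(
            f"selector overlap: {existing.name} {na} vs {new.name} {nb}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a full-tunnel client already up, plus a second
    # split-tunnel client to an unrelated gateway.
    corp = TunnelPolicy("corp-vpn", "203.0.113.10", ["0.0.0.0/0"])
    other = TunnelPolicy("other-vpn", "198.51.100.20", ["10.20.0.0/16"])
    for line in diagnose(corp, other):
        print(line)
```

Running the sample reports both a captured negotiation and a selector overlap for the full-tunnel case; switching the first client to split-tunnel selectors that do not contain the second gateway clears the negotiation finding and leaves only any genuine subnet overlap, which is the "fixable configuration conflict" versus "software stepping on each other's toes" distinction the reply draws.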


