[vpn-help] Asymmetric routing between Shrewsoft 2.1.7 and OpenSwan
Kevin VPN
kvpn at live.com
Tue Sep 13 21:17:48 CDT 2011
On 09/13/2011 09:57 PM, Kevin VPN wrote:
> On 08/25/2011 03:24 AM, Erich Titl wrote:
>>
>> However, when I try to send an icmp echo request to the remote network I
>> see the packet coming from the configured virtual address, but
>> travelling in the clear, not in the tunnel. The reply though is sent
>> through the tunnel.
>>
> ...
> >
> > s:policy-level:auto
> > s:policy-list-include:172.29.0.0 / 255.255.0.0
> >
>
> Hi Erich,
>
> Based on the source and destination of the plaintext traffic being
> private addresses, obviously it's possible to reach from the Shrew
> client PC to the remote network in some path other than the tunnel.
> Perhaps that path (route) has a lower metric than the VPN route, and is
> thus used instead of the tunnel route.
>
> I would suggest connecting to the VPN, then checking your Shrew client's
> routing table. Check to see if the route directing traffic to the
> 172.29.0.0 network through the tunnel interface has a lower metric than
> any other route that might apply.
>
> If you're not sure, feel free to post the routing table here and we can
> look at it.
On 09/01/2011 07:38 AM, Erich Titl wrote:
>
> Another try on this issue......
>
> ...
>
> 11/09/01 13:23:53 ii : phase2 sa established
> 11/09/01 13:23:53 ii : 192.168.1.186:500<-> 195.141.2.242:500
> 11/09/01 13:23:53>= : cookies 615f8164e6084210:12e05442715051ec
> 11/09/01 13:23:53>= : message 673b2cbd
> 11/09/01 13:24:04 ii : sending peer DPDV1-R-U-THERE notification
> 11/09/01 13:24:04 ii : - 192.168.1.186:500 -> 195.141.2.242:500
> 11/09/01 13:24:04 ii : - isakmp spi = 615f8164e6084210:12e05442715051ec
>
> So this looks like an established tunel to me
>
> Also the route tabel on the Windows 7 PC shows the route to
> 172.29.0.0/16 going through 172.22.53.10
>
You already answered my question about the routing table in your second
post, but that kind of runs me out of ideas. :(
I am still curious how the ping packets with a private network
destination address would have arrived unless there is an alternate
route to the tunnel. If there's an alternate route, then it's still
possible that the routing table is the problem.
Do you have any other VPN clients installed that might be messing with
Shrew's ability to intercept traffic? You mention Windows 7, do you by
any chance have a network adapter called the Microsoft Virtual WiFi
Miniport adapter installed?
More information about the vpn-help
mailing list