[vpn-help] Asymmetric routing between Shrewsoft 2.1.7 and OpenSwan
Kevin VPN
kvpn at live.com
Thu Sep 15 20:16:34 CDT 2011
On 09/15/2011 04:26 AM, Erich Titl wrote:
> Hi Kevin
>
> at 15.09.2011 03:22, Kevin VPN wrote:
>> On 09/14/2011 10:58 AM, Erich Titl wrote:
>>> Hi Kevin
>>>
>>> at 14.09.2011 03:57, Kevin VPN wrote:
>>>>
>>>> Hi Erich,
>>>>
>>>> Based on the source and destination of the plaintext traffic being
>>>> private addresses, obviously it's possible to reach from the Shrew
>>>> client PC to the remote network in some path other than the tunnel.
>>>> Perhaps that path (route) has a lower metric than the VPN route, and is
>>>> thus used instead of the tunnel route.
>>>
>>> Right, the default route, unfortunately, has a metric of 25, whereas the
>>> Shrewsoft tunnel uses a metric of 31. Can this be configured in the
>>> product.
>>>
>>
> ...
>
>>
>> I would suggest reading the posts below and playing with your adapter's
>> Automatic Metric and InterfaceMetric settings to see if you can correct
>> the problem.
>
> Thanks, in the real world, where the remote network cannot be reached
> directly, my setup works fine.
>
> I always thought that routing metrics were applied to rules with equal
> significance, so a default route should not be used when there is a more
> precise route iven with higher metrics.
>
> The route in this case is assigned dynamically using dhcp. AFAIK there
> is no dhcp router metrics option.
>
> Maybe in a directly connected setup icmp redirects take precedents.
>
Hi Erich,
If the route is dynamic you're still not stuck. Simply increase the
InterfaceMetric instead. The Microsoft link tells you how to do it:
To configure the Automatic Metric feature:
In Control Panel, double-click Network Connections.
Right-click a network interface, and then click Properties.
Click Internet Protocol (TCP/IP), and then click Properties.
On the General tab, click Advanced.
To specify a metric, on the IP Settings tab, click to clear the
Automatic metric check box, and then enter the metric that you
want in the Interface Metric field.
Simply set it to 32 or more so that the metric on the DHCP route will
always have a metric higher than the one from the Shrew adapter.
(Microsoft link: An explanation of the Automatic Metric feature for
Internet Protocol routes http://support.microsoft.com/kb/299540)
More information about the vpn-help
mailing list