[vpn-help] What is the difference between the Windows and Mac versions of Shrew VPN?

Kevin VPN kvpn at live.com
Wed Jan 11 20:20:04 CST 2012


On 01/05/2012 10:41 PM, Jinyan Huang wrote:
>
> On Fri, Jan 6, 2012 at 10:52 AM, Kevin VPN <kvpn at live.com> wrote:
>> On 01/02/2012 05:30 AM, Jinyan Huang wrote:
>>>
>>> Dear Kevin,
>>>
>>> I have a strange problem with Shrew VPN. When I am in France, the VPN on
>>> Mac and Windows worked very well. But when I return to China, only the VPN
>>> on Windows is working. The VPN for Mac does not work. I got this error
>>> message. The Shrew VPN Mac version is 2.2.0.
>>>
>>> negotiation timout occurred
>>> tunnel disabled
>>> detached from key daemon
>>>
>>> I have tried this twice, so I am sure of this. In China, only the Windows
>>> version is fine. In France, both versions are OK.
>>>
>>> Maybe China blocked some port? What is the difference between the Windows
>>> and Mac versions of Shrew VPN?
>>>
>>
>> Hi Jinyan,
>>
>> I'm not sure what differences might come into play.  Obviously they are
>> different in some ways being on different OSes using different dependency
>> components, but I would think that the actual packets going back and forth
>> (which is what a network filter would see) would be pretty similar.
>>
>> Can you provide us with iked.log trace outputs from the Mac and Windows
>> machines so we can compare?  Maybe one is trying to do NAT-T and the other
>> isn't?
>>
>> What version is Shrew on the Windows machine (you mention Mac is 2.2.0)?
>
> Dear Kevin,
>
> The attachments are the Windows and Mac iked log files.
>
> With Windows, it works. With Mac, it does not work.
>
> For the Windows version, it sometimes does not work. But if I switch
> "Auto Configuration" between "ike config pull" and "ike config push",
> it fixes this problem.
>
> Shrew version:
>      Windows: 2.1.7
>      Mac: 2.2.0
>

Hi Jinyan,

First, you shouldn't have to switch between push and pull configuration.
Pull is what the gateway is configured for, so you should be able to
leave it always on pull.

From the log files, I can't really see a difference between Windows and
Mac, other than of course Windows succeeds and Mac does not.  The Mac 
client never gets any response of any kind from the gateway, although 
the destination port (500) should be open to the gateway because Windows 
works.

Something that might have an effect is maximum packet size (MTU).  Maybe 
Windows is splitting packets into smaller pieces than Mac is and that's 
why they're getting through.  Try playing with the MTU, IKE 
Fragmentation and the Maximum packet size in the Shrew config to see if 
that makes a difference.

Have you checked to ensure the Mac box can ping or connect to the 
gateway?  Can it otherwise connect to the Internet?

Another thing would be to assign the same IP to the Mac box as Windows 
uses.  In your logs, the Mac was using IP 192.168.1.101 and Windows was 
using 192.168.1.103.  You could try giving the Mac IP 103 (after 
disconnecting the Windows machine of course).
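
The packet-size hypothesis in the message above, as an added example that is not part of the original post and is not Shrew's code: a simplified Python model of how one large IKE message is split by IPv4 at a given MTU, compared with IKE-level fragmentation under a maximum packet size. The fragment header length, the meaning of the size cap, and all sample sizes are assumptions.

```python
"""Simplified packet-size model (added example, not Shrew's implementation)."""

IP_HDR = 20      # IPv4 header without options
UDP_HDR = 8      # UDP header
ISAKMP_HDR = 28  # fixed ISAKMP header
FRAG_HDR = 8     # assumed length of the IKE fragment payload header


def ip_fragments(ike_len, mtu):
    """Return (offset, data_len, more_fragments) for each IPv4 fragment
    produced when one IKE message of ike_len bytes is sent over UDP."""
    total = UDP_HDR + ike_len             # bytes IP has to carry
    per_frag = (mtu - IP_HDR) // 8 * 8    # fragment offsets use 8-byte units
    frags, offset = [], 0
    while offset < total:
        size = min(per_frag, total - offset)
        frags.append((offset, size, offset + size < total))
        offset += size
    return frags


def ike_fragments(ike_len, max_packet):
    """Return the size of each IKE-level fragment packet (ISAKMP header +
    fragment header + chunk), assuming the cap applies to that whole packet."""
    chunk = max_packet - ISAKMP_HDR - FRAG_HDR
    if chunk <= 0:
        raise ValueError("max_packet too small for the headers")
    sizes, remaining = [], ike_len
    while remaining > 0:
        part = min(chunk, remaining)
        sizes.append(ISAKMP_HDR + FRAG_HDR + part)
        remaining -= part
    return sizes


def survives_frag_drop(ike_len, mtu, max_packet=None):
    """True if no packet needs IP fragmentation, so a path that drops
    IP fragments would still pass the exchange."""
    packets = ike_fragments(ike_len, max_packet) if max_packet else [ike_len]
    return all(len(ip_fragments(p, mtu)) == 1 for p in packets)


if __name__ == "__main__":
    # Constructed sizes: 2000-byte IKE message, 1500-byte MTU, 540-byte cap.
    print(ip_fragments(2000, 1500))    # two IP fragments
    print(ike_fragments(2000, 540))    # four small IKE packets
    print(survives_frag_drop(2000, 1500), survives_frag_drop(2000, 1500, 540))
```

Comparing the packet lengths recorded in the two iked.log traces against a model like this shows whether one client is emitting packets that would need IP fragmentation while the other is not.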


