[vpn-help] What is the different between windows and Mac version for shrew VPN?

Kevin VPN kvpn at live.com
Sun Jan 15 20:58:14 CST 2012


On 01/13/2012 10:37 PM, Jinyan Huang wrote:
> For both Windows and Mac, I set MTU to 1380. I used Cocoa Packet Analyzer
> to obtain some packets. But no hints for me.
>
> On Fri, Jan 13, 2012 at 10:31 PM, Roper,
> Andrew<aroper at bcsvoicedata.com>  wrote:
>> Jinyan,
>>
>> I think you are going to need to obtain some packet captures to see
>> what is happening with the packets that leave the Windows and Mac
>> clients. This should help to determine the difference in the
>> datagrams that may help you determine what the root cause is and
>> then make the necessary adjustments. I'm suspecting that it's an
>> MTU issue and this would be apparent in the packet captures.
>>
>> -Andrew
>>
>> -----Original Message-----
>> From: vpn-help-bounces at lists.shrew.net
>> [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Jinyan Huang
>> Sent: Thursday, January 12, 2012 10:38 PM
>> To: Kevin VPN
>> Cc: vpn-help at lists.shrew.net
>> Subject: Re: [vpn-help] What is the different between windows and Mac version for shrew VPN?
>>
>> Dear Kevin,
>>
>> Thank you for your suggestions. I have tried them, but it still does
>> not work. The problem is the same.
>>
>> I am sure it is because of the network problem. For the Mac version,
>> in France, it is OK. But in China, it is not. For Windows, both
>> are OK. I do not know how to fix this problem.
>>
>> When I install a windows virtual box on Mac, it is OK on that
>> windows.
>>
>> Thank you.
>>
>> On Thu, Jan 12, 2012 at 10:20 AM, Kevin VPN<kvpn at live.com>  wrote:
>>> On 01/05/2012 10:41 PM, Jinyan Huang wrote:
>>>>
>>>>
>>>> On Fri, Jan 6, 2012 at 10:52 AM, Kevin VPN<kvpn at live.com>
>>>> wrote:
>>>>>
>>>>> On 01/02/2012 05:30 AM, Jinyan Huang wrote:
>>>>>>
>>>>>>
>>>>>> Dear Kevin,
>>>>>>
>>>>>> I have a strange problem with Shrew VPN. When I am in France,
>>>>>> the VPN on Mac and Windows worked very well. But when I
>>>>>> return to China, only the VPN on Windows is working. The VPN for
>>>>>> Mac does not work. I got this error message. Shrew VPN Mac
>>>>>> version is Ver 2.2.0.
>>>>>>
>>>>>> negotiation timout occurred
>>>>>> tunnel disabled
>>>>>> detached from key daemon
>>>>>>
>>>>>> I have tried these twice. So I am sure of this. In China,
>>>>>> only the Windows version is fine. In France, both versions are
>>>>>> OK.
>>>>>>
>>>>>> Maybe China blocked some port? What is the difference
>>>>>> between the Windows and Mac versions of Shrew VPN?
>>>>>>
>>>>>
>>>>> Hi Jinyan,
>>>>>
>>>>> I'm not sure what differences might come into play.
>>>>> Obviously they are different in some ways being on different
>>>>> OSes using different dependency components, but I would think
>>>>> that the actual packets going back and forth (which is what a
>>>>> network filter would see) would be pretty similar.
>>>>>
>>>>> Can you provide us with iked.log trace outputs from the Mac
>>>>> and Windows machines so we can compare?  Maybe one is trying
>>>>> to do NAT-T and the other isn't?
>>>>>
>>>>> What version is Shrew on the Windows machine (you mention Mac
>>>>> is 2.2.0)?
>>>>
>>>>
>>>> Dear Kevin,
>>>>
>>>> The attachments are windows and Mac iked log files.
>>>>
>>>> With windows, it works. With Mac, it does not work.
>>>>
>>>> For windows version, it sometimes does not work. But if I
>>>> switched "Auto Configuration" between "ike config pull" and
>>>> "ike config push", it will fix this problem.
>>>>
>>>> Shrew version: windows:2.1.7 mac:2.2.0
>>>>
>>>
>>> Hi Jinyan,
>>>
>>> First, you shouldn't have to switch between push and pull
>>> configuration. Pull is what the gateway is configured for, so you
>>> should be able to leave it always on pull.
>>>
>>> From the log files, I can't really see a difference between
>>> Windows and Mac, other than of course Windows succeeds and Mac
>>> does not.  The Mac client never gets any response of any kind
>>> from the gateway, although the destination port (500) should be
>>> open to the gateway because Windows works.
>>>
>>> Something that might have an effect is maximum packet size
>>> (MTU). Maybe Windows is splitting packets into smaller pieces
>>> than Mac is and that's why they're getting through.  Try playing
>>> with the MTU, IKE Fragmentation and the Maximum packet size in
>>> the Shrew config to see if that makes a difference.
>>>
>>> Have you checked to ensure the Mac box can ping or connect to the
>>> gateway? Can it otherwise connect to the Internet?
>>>
>>> Another thing would be to assign the same IP to the Mac box as
>>> Windows uses. In your logs, the Mac was using IP 192.168.1.101
>>> and Windows was using 192.168.1.103.  You could try giving the
>>> Mac IP 103 (after disconnecting the Windows machine of course).
>>>

Hi Jinyan,

You could try forcing the MTU to be smaller than 1380 to see if that
makes a difference.

If you've a packet capture, feel free to post it and we'll look at it.
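
One way to act on the packet-capture suggestion above, as an added example that is not part of the original thread: a small parser that reads a classic pcap file and reports, for UDP 500/4500 traffic with the gateway, how many datagrams were sent and received, the largest one sent, any IP fragments, and how many carried DF while exceeding the MTU being tested (1380 here, as in the thread). The function names, the gateway address 203.0.113.10 and the sample frames are constructed for illustration; 192.168.1.101 is the Mac address quoted from the logs.

```python
import socket
import struct

IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T, both UDP

def ike_summary(pcap, gateway, mtu=1380):
    """Summarise IKE datagrams exchanged with `gateway` in a classic pcap."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if e is None or struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    gw = socket.inet_aton(gateway)
    out = dict(sent=0, received=0, largest_sent=0, fragments=0, oversize_df=0)
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(e + "I", pcap[pos + 8:pos + 12])[0]
        frame, pos = pcap[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len
        ip = frame[14:]
        if (len(ip) < 20 or frame[12:14] != b"\x08\x00" or ip[9] != 17
                or gw not in (ip[12:16], ip[16:20])):
            continue                        # not IPv4 UDP to or from the gateway
        total_len, _, flags_frag = struct.unpack("!HHH", ip[2:8])
        offset, ihl = flags_frag & 0x1FFF, (ip[0] & 0x0F) * 4
        ports = ip[ihl:ihl + 4]             # only the first fragment has them
        if offset == 0 and (len(ports) < 4
                            or not IKE_PORTS & set(struct.unpack("!HH", ports))):
            continue
        if offset or flags_frag & 0x2000:   # later fragment, or More Fragments
            out["fragments"] += 1
        if ip[16:20] == gw:
            out["sent"] += 1
            out["largest_sent"] = max(out["largest_sent"], total_len)
            # DF set and above the MTU under test: routers must drop, not split
            out["oversize_df"] += bool(flags_frag & 0x4000) and total_len > mtu
        else:
            out["received"] += 1
    return out

def frame(src, dst, port, size, flags=0x4000):
    """Constructed sample: Ethernet + IPv4 + UDP with IP total length `size`."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, size, 0, flags, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", port, port, size - 20, 0)
    return b"\0" * 12 + b"\x08\x00" + ip + udp + b"\0" * (size - 28)

def capture(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

GW, MAC = "203.0.113.10", "192.168.1.101"   # gateway is a placeholder address
FAILING = capture([frame(MAC, GW, 500, 1420)] * 3)   # constructed, no replies
```

Running `ike_summary` over one capture from each client and comparing the two dictionaries shows whether one side sends larger or DF-marked datagrams, or simply never receives a reply.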


