[vpn-help] Shrew 2.1.7 & Windows 7 (64 bit)

Kevin VPN kvpn at live.com
Thu Mar 1 20:05:53 CST 2012


On 02/20/2012 10:58 AM, James Cope wrote:
> Hi,
>
> We can see the packets leaving the client and hitting the firewall,
> what we can't see is the client accepting the returned packets from
> the firewall.  I have other users using the same routers, DSL from
> same provider and same machine setup.  We have an old XP laptop on
> site and that can connect so it looks to be something specific about
> this machine's config (not the VPN config as that is standard).
>
> 2012-02-20 11:57:43 info IKE 217.41.45.141 Phase 1: Retransmission limit has been reached.
> 2012-02-20 11:57:35 info IKE 217.41.45.141 phase 1:The symmetric crypto key has been generated successfully.
> 2012-02-20 11:57:35 info IKE 217.41.45.141 Phase 1: Responder starts AGGRESSIVE mode negotiations.
> 2012-02-20 11:56:54 info IKE 217.41.45.141 phase 1:The symmetric crypto key has been generated successfully.
> 2012-02-20 11:56:54 info IKE 217.41.45.141 Phase 1: Responder starts AGGRESSIVE mode negotiations.
>
> Thanks James
>
> ________________________________
> From: Roper, Andrew [mailto:aroper at bcsvoicedata.com]
> Sent: 20 February 2012 15:45
> To: James Cope; vpn-help at lists.shrew.net
> Subject: RE: Shrew 2.1.7 & Windows 7 (64 bit)
>
> James,
>
> I would suggest getting packet captures to see what is going on. I
> would gather them on the client and at the gateway. If you see the
> packets leaving the client and arriving at the gateway then the
> client is not at issue. Then, you will need to enable logging on both
> the gateway and the corporate VPN endpoint to see if the packets are
> arriving there and what the disposition is of those packets. Without
> further data, it is difficult to speculate what is occurring.
>
> -Andrew
>
> From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of James Cope
> Sent: Monday, February 20, 2012 8:35 AM
> To: vpn-help at lists.shrew.net
> Subject: [vpn-help] Shrew 2.1.7 & Windows 7 (64 bit)
>
> Hi,
>
> I have a user who has successfully been connecting up to our office
> for several months without issue.  He's now not been able to connect
> for just under 2 weeks.  He has had sporadic problems connecting
> occasionally but this is a long term period of inactivity now.
>
> Each time it comes back with Negotiation timeout occurred.  We have
> tried on another machine at his location and that can connect so
> router/dsl/firewall are all functioning ok. We have tried both
> reinstalling Shrew from scratch and performing a system restore on
> the PC, neither of which have resolved.  All 3rd party software has
> also been disabled in MSCONFIG as well as the AV and firewall
> software.
>
> This machine does not have a wireless adaptor in so there is no
> virtual wifi miniport to remove.
>
> Is anyone aware of any further issues at play here?
>

Hi James,

If you can see packets sent by the client but do not see packets coming 
back from the gateway, then there's something on the return path causing 
issues.

One possibility may be that the gateway is dropping the packets for some 
reason.  Your VPN gateway/firewall may have additional ipsec debugging 
that you can enable that might tell you why.

Another possibility is NAT confusions.  If you have more than one client 
behind a NAT router, perhaps either the gateway is rejecting due to SPI 
confusions or your NAT router is sending the packets to the wrong host 
(or dropping them). Have you tried testing this client with all other 
clients that are behind the same router disconnected?
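
The gateway log quoted in this thread can be triaged mechanically. The following is an added example, not part of the original post and not code from Shrew Soft or the gateway vendor: it groups the five quoted entries into Phase 1 attempts per peer and shows that each one was keyed by the gateway and then ended in a client retry or a retransmission timeout, which fits the return-path diagnosis above. The log layout is inferred from those five lines only, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Gateway log entries quoted in the thread, one per line (newest first, as posted).
SAMPLE_LOG = """\
2012-02-20 11:57:43 info IKE 217.41.45.141 Phase 1: Retransmission limit has been reached.
2012-02-20 11:57:35 info IKE 217.41.45.141 phase 1:The symmetric crypto key has been generated successfully.
2012-02-20 11:57:35 info IKE 217.41.45.141 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2012-02-20 11:56:54 info IKE 217.41.45.141 phase 1:The symmetric crypto key has been generated successfully.
2012-02-20 11:56:54 info IKE 217.41.45.141 Phase 1: Responder starts AGGRESSIVE mode negotiations.
"""

# Layout assumed from those five lines: date time level IKE peer "Phase 1:" message
ENTRY = re.compile(r"^(\S+ \S+) \w+ IKE (\S+) phase 1:\s*(.*)$", re.IGNORECASE)


def phase1_attempts(log_text):
    """Group Phase 1 entries into per-peer attempts, oldest first."""
    rows = [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]
    if rows and rows[0][0] > rows[-1][0]:
        rows.reverse()             # newest-first input: flip so same-second entries keep order
    rows.sort(key=lambda r: r[0])  # stable sort on the timestamp string
    attempts = defaultdict(list)
    for ts, peer, msg in rows:
        current = attempts[peer][-1] if attempts[peer] else None
        if "Responder starts" in msg:
            if current and current["outcome"] == "open":
                current["outcome"] = "superseded"  # client retried before a result was logged
            attempts[peer].append({"start": ts, "keyed": False, "outcome": "open"})
        elif current and "symmetric crypto key" in msg:
            current["keyed"] = True                # gateway processed the client's first packet
        elif current and "Retransmission limit" in msg:
            current["outcome"] = "timed_out"       # gateway's replies went unanswered
    return dict(attempts)


def unanswered_peers(attempts):
    """Peers whose every attempt was keyed by the gateway, then ended in a retry or timeout."""
    return sorted(
        peer for peer, tries in attempts.items()
        if tries and all(t["keyed"] and t["outcome"] != "open" for t in tries)
    )


if __name__ == "__main__":
    for peer, tries in phase1_attempts(SAMPLE_LOG).items():
        for t in tries:
            print(peer, t["start"], "keyed" if t["keyed"] else "not keyed", t["outcome"])
```

An attempt left as "open" only means no result line in the assumed layout followed it; the thread shows no log line for a completed negotiation, so none is matched here.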


