[vpn-help] Windows 8 - Shrew to Juniper connection - SA (Kevin VPN)

Kevin VPN kvpn at live.com
Wed May 15 21:17:11 CDT 2013


On 05/14/2013 01:48 PM, James Minard wrote:
> Kevin, Mystery solved! I looked at the logs on the Juniper while
> establishing the connection, and the system event log didn't give me
> much information to go on, however, I noticed in the alarm logs that
> when I tried to establish the connection, it started logging
> fragmented traffic alerts. I turned off the block fragment traffic
> protection and 2.2.0 client established the SA.
>
> I guess the only question is why the 2.2.0 client traffic is being
> fragmented and the 2.1.7 isn't?
>

Hi James,

Shrew v2.2.0 supports many more options for negotiating hashes and 
transforms for Phase1 and Phase2 connections.  Including all the options 
in one message makes it larger than the Maximum Transmission Unit 
supported by most networks (typically 1500 bytes), so the packet gets 
fragmented.

Interestingly, we thought we fixed a problem with fragments just before 
the 2.2.0-release version.  Is there a chance that you're still using a 
beta/rc version of Shrew 2.2.0?

To avoid the fragmentation problem (i.e. so you can turn block fragments 
back on), you can try two things:

1) Manually select the Phase1 and Phase2 options in the Shrew site 
configuration (instead of leaving them on auto).  That should result in 
smaller packets.

2) If you're using the Shrew 2.2.0-release version, you can try to 
manually adjust (i.e. reduce) the MTU value for your network adapter 
until the fragments disappear.
http://support.microsoft.com/kb/314053


FYI, I'll be traveling for a while, so I won't be active on the list.
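
The size effect described in the reply above, as an added example that is not part of the original post and is not Shrew code: it builds the first IKEv1 main-mode message (ISAKMP header plus SA payload, laid out per RFC 2408 and RFC 2409 Appendix A) and checks whether it still fits in one packet at a 1500-byte MTU. The `AUTO` and `MANUAL` proposal sets, the cookie and the lifetime are constructed values, not Shrew's actual auto list, and vendor ID payloads are left out, so a real client's packet would be somewhat larger.

```python
import struct
from itertools import product

IPV4_UDP_OVERHEAD = 20 + 8  # IPv4 header (no options) + UDP header

def tv(attr, value):
    """Basic attribute: AF bit set, 16-bit value (RFC 2408 section 3.3)."""
    return struct.pack("!HH", 0x8000 | attr, value)

def transform(number, last, enc, keylen, hash_alg, group):
    """One Phase 1 transform payload with RFC 2409 Appendix A attributes."""
    attrs = tv(1, enc)                      # encryption algorithm
    if keylen:
        attrs += tv(14, keylen)             # key length (variable-key ciphers)
    attrs += tv(2, hash_alg) + tv(3, 1)     # hash; auth method 1 = pre-shared key
    attrs += tv(4, group) + tv(11, 1)       # DH group; life type 1 = seconds
    attrs += struct.pack("!HHI", 12, 4, 86400)  # life duration as a 4-byte TLV
    nxt = 0 if last else 3                  # 3 = another transform follows
    return struct.pack("!BBHBBH", nxt, 0, 8 + len(attrs), number, 1, 0) + attrs

def first_message(ciphers, hashes, groups):
    """ISAKMP header + SA payload offering every cipher/hash/group combination."""
    combos = list(product(ciphers, hashes, groups))
    if len(combos) > 255:
        raise ValueError("transform count is a one-byte field")
    body = b"".join(
        transform(i + 1, i == len(combos) - 1, enc, klen, h, g)
        for i, ((enc, klen), h, g) in enumerate(combos))
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(body), 1, 1, 0, len(combos)) + body
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    # Constructed initiator cookie, zero responder cookie, exchange type 2 = main mode
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"", 1, 0x10, 2, 0, 0, 28 + len(sa))
    return header + sa

def needs_fragmentation(message, mtu=1500):
    """True when the UDP datagram carrying the message exceeds the link MTU."""
    return len(message) + IPV4_UDP_OVERHEAD > mtu

# Constructed proposal sets: (encryption id, key length), hash ids, DH group ids
AUTO = ([(7, 256), (7, 192), (7, 128), (5, 0), (1, 0)], [2, 1, 4], [14, 5, 2, 1])
MANUAL = ([(7, 256)], [2], [14])

if __name__ == "__main__":
    for name, sets in (("auto", AUTO), ("manual", MANUAL)):
        msg = first_message(*sets)
        print(name, len(msg), "bytes, fragmented:", needs_fragmentation(msg))
```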

