[vpn-help] Windows 8/Shrew 2.2.2/Netscreen 5GT 5.40r12

[Kevin VPN]

On 11/12/2013 01:25 PM, James Minard wrote:
> Has anyone had success with the combination of Windows 8, Shrew
> 2.2.2, and a Netscreen 5GT running 5.4.0r12 firmware? I tried it with
> the same policy settings that are working with Windows 7/Shrew 2.1.7
> and couldn't establish an SA. Then I tweaked the policy settings in
> Shrew so that Phase 1 and Phase 2 weren't set to "auto" on the
> client-side, I matched them up with the values that were configured
> on the Netscreen itself, and then the SA established, but now no
> traffic will pass through the tunnel.

Hi James,

It looks like you ran into a packet size/fragmentation problem with the 
SA negotiation.  The Shrew 2.2.x negotiation supports more protocol 
combinations than 2.1.x does, so it generates larger packets when set to 
auto.  These packets are often larger than the maximum packet size, 
resulting in them being fragmented.  However, many firewalls don't like 
fragmented packets and drop them automatically.

Specifying the particular values to use for phase 1 and 2 result in the 
negotiation packets being smaller, so they don't get fragmented.

Since smaller packets worked for the SA negotiation, why don't you try 
manually setting the MTU (maximum packet size) in the VPN configuration 
to a smaller value to see if that helps?

If it doesn't I'd suggest providing us with a debug log and also a copy 
of the Win8 routing table when the VPN is connected.

Debug log: https://www.shrew.net/support/VPN_Bug_Report_Windows

Route table: open a command prompt, then type 'route print'