[vpn-help] Windows 8/Shrew 2.2.2/Netscreen 5GT 5.40r12

James Minard JMinard at precisioncs.net
Wed Nov 13 08:09:48 CST 2013


Kevin,
Well, that was too easy. Dropped the MTU down to 1372 in the ShrewVPN client and I was able to RDP through the VPN. I sent the updated policy file to the client for testing, but it should be fine for them too. Thanks for your help!

James J. Minard, MCP
Network Technician
Precision Computer Solutions, Inc.
JMinard at PrecisionCS.net
Phone (810) 987-8748 Ext 122

-----Original Message-----
From: vpn-help [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of vpn-help-request at lists.shrew.net
Sent: Wednesday, November 13, 2013 6:57 AM
To: vpn-help at lists.shrew.net
Subject: vpn-help Digest, Vol 86, Issue 9


Today's Topics:

   1. Windows 8/Shrew 2.2.2/Netscreen 5GT 5.40r12 (James Minard)
   2. Re: Windows 8/Shrew 2.2.2/Netscreen 5GT 5.40r12 (Kevin VPN)
   3. Re: probleme with cisco vpn (Kevin VPN)
   4. Re: Split DNS not working (Kevin VPN)
   5. Re: Shrew + Win 7 (64) - no incoming packets (Service Lists)
   6. Re: Shrew + Win 7 (64) - no incoming packets (lst_hoe02 at kwsoft.de)


----------------------------------------------------------------------

Message: 1
Date: Tue, 12 Nov 2013 18:25:48 +0000
From: James Minard <JMinard at precisioncs.net>
To: "vpn-help at lists.shrew.net" <vpn-help at lists.shrew.net>
Subject: [vpn-help] Windows 8/Shrew 2.2.2/Netscreen 5GT 5.40r12
Message-ID:
	<EBC4F299528134478BCB14B72DB797A00103E3B6 at PCSIVMail.pcsi.local>
Content-Type: text/plain; charset="us-ascii"

Has anyone had success with the combination of Windows 8, Shrew 2.2.2, and a Netscreen 5GT running 5.4.0r12 firmware? I tried it with the same policy settings that are working with Windows 7/Shrew 2.1.7 and couldn't establish an SA. Then I tweaked the policy settings in Shrew so that Phase 1 and Phase 2 weren't set to "auto" on the client-side, I matched them up with the values that were configured on the Netscreen itself, and then the SA established, but now no traffic will pass through the tunnel.
James J. Minard, MCP
Network Technician
Precision Computer Solutions, Inc.
JMinard at PrecisionCS.net
Phone (810) 987-8748 Ext 122


------------------------------

Message: 2
Date: Tue, 12 Nov 2013 22:09:49 -0500
From: Kevin VPN <kvpn at live.com>
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Windows 8/Shrew 2.2.2/Netscreen 5GT 5.40r12
Message-ID: <BLU0-SMTP3061C394FE9D853960BB920A0F90 at phx.gbl>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed

On 11/12/2013 01:25 PM, James Minard wrote:
> Has anyone had success with the combination of Windows 8, Shrew
> 2.2.2, and a Netscreen 5GT running 5.4.0r12 firmware? I tried it with
> the same policy settings that are working with Windows 7/Shrew 2.1.7
> and couldn't establish an SA. Then I tweaked the policy settings in
> Shrew so that Phase 1 and Phase 2 weren't set to "auto" on the
> client-side, I matched them up with the values that were configured
> on the Netscreen itself, and then the SA established, but now no
> traffic will pass through the tunnel.

Hi James,

It looks like you ran into a packet size/fragmentation problem with the 
SA negotiation.  The Shrew 2.2.x negotiation supports more protocol 
combinations than 2.1.x does, so it generates larger packets when set to 
auto.  These packets are often larger than the maximum packet size, 
resulting in them being fragmented.  However, many firewalls don't like 
fragmented packets and drop them automatically.

Specifying the particular values to use for phase 1 and 2 results in the 
negotiation packets being smaller, so they don't get fragmented.

Since smaller packets worked for the SA negotiation, why don't you try 
manually setting the MTU (maximum packet size) in the VPN configuration 
to a smaller value to see if that helps?

If it doesn't, I'd suggest providing us with a debug log and also a copy 
of the Win8 routing table when the VPN is connected.

Debug log: https://www.shrew.net/support/VPN_Bug_Report_Windows

Route table: open a command prompt, then type 'route print'
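
An added illustration of the MTU suggestion above (not part of the original thread and not Shrew Soft code): a binary search, using echo requests with the Don't Fragment bit set, for the largest packet that crosses a path unfragmented. The function names are hypothetical, and the probe assumes the stock Windows `ping` or Linux iputils `ping`.

```python
import platform
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def df_ping(host, payload):
    """Send one echo request with Don't Fragment set; True only on a real echo reply."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", "1000", "-f", "-l", str(payload), host]
    else:  # assumption: Linux iputils ping
        cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True).stdout
    # "TTL=" / "ttl=" appears only in an echo reply, not in error or timeout lines.
    return b"ttl=" in out.lower()


def largest_unfragmented_packet(probe, lo=548, hi=1472):
    """Binary-search the largest ICMP payload accepted by probe(payload).

    Returns the full IPv4 packet size (payload + 28), or None when even the
    smallest probe fails (host down, ICMP filtered, tunnel not passing traffic).
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2  # round up so the loop always makes progress
        if probe(mid):
            lo = mid       # mid fits; look higher
        else:
            hi = mid - 1   # dropped or "needs to be fragmented"; look lower
    return lo + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    host = sys.argv[1]  # e.g. a server behind the gateway, with the tunnel up
    size = largest_unfragmented_packet(lambda n: df_ping(host, n))
    print("no reply even at the smallest size" if size is None
          else f"largest packet that passes unfragmented: {size} bytes")
```

A firewall that silently drops oversized or fragmented packets shows up here as a timeout, which the search treats the same as an explicit "needs to be fragmented" error.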




------------------------------

Message: 3
Date: Tue, 12 Nov 2013 22:20:10 -0500
From: Kevin VPN <kvpn at live.com>
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] probleme with cisco vpn
Message-ID: <BLU0-SMTP35656783D4DE10ED33F28EBA0F90 at phx.gbl>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed

On 07/24/2013 01:00 PM, vpn-devel-request at lists.shrew.net wrote:
>
> Today's Topics:
>
>     1. probleme with cisco vpn (Brasseur Valéry)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 24 Jul 2013 09:44:36 +0200
> From: Brasseur Valéry <Valery.Brasseur at atos.net>
> To: "vpn-devel at lists.shrew.net" <vpn-devel at lists.shrew.net>
> Subject: [vpn-devel] probleme with cisco vpn
> Message-ID:
> 	<BBDB6F8E46B86245820205AB03DE3D4A7AA72FBDB3 at FRSPX100.fr01.awl.atosorigin.net>
> 	
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I try using shrew vpn with a cisco vpn under a windows 7 64bits.
> the vpn is connected but I can't connect/ping to servers through the vpn.
> I also have the cisco client installed and working.
> the same configuration works under an XP without the cisco client.
> can you help ?
> thanks
>

Hi Valery,

I know this is an old post, but are you still having a problem getting 
Shrew to work?

If so, can you answer the following questions?

1. Are you using the same version of Shrew on Windows 7 as you are on 
the Windows XP machine?

2. On the Win7 machine, did you install Shrew or the Cisco client first?

3. Does Shrew work on Win7 if you uninstall the Cisco client?

4. Can you provide a debug log for us?
https://www.shrew.net/support/VPN_Bug_Report_Windows




------------------------------

Message: 4
Date: Tue, 12 Nov 2013 22:22:56 -0500
From: Kevin VPN <kvpn at live.com>
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Split DNS not working
Message-ID: <BLU0-SMTP462986AF9A13679317282B4A0F90 at phx.gbl>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed

On 08/13/2013 08:39 PM, Richard Ihmels wrote:
> I have installed a trial of the Shrewsoft VPN client for Windows V
> 2.2.2 and I am having difficulty getting the Split DNS functionality
> working.  This is with the client installed on Windows 7 x64 or
> Windows 8 x64.
>
>
> When the connection is traced the log states ii : split DNS is
> disabled.
>
> The gateway is an ASA5505 with Split-dns enabled
>
> group-policy Domain_Prod internal
> group-policy Domain_Prod attributes
>  dns-server value 192.168.1.19 192.168.1.24
>  vpn-tunnel-protocol IPSec
>  split-tunnel-policy tunnelspecified
>  split-tunnel-network-list value Internal
>  default-domain value corporate.domain
>  split-dns value corporate.domain
>
> Split DNS is set to enabled and set to automatic in the client, and
> the proxy seems to be running.
>
> Any ideas how to proceed from here?
>

Hi Richard,

Maybe the ASA is not providing the split DNS settings as expected?  Does 
the split DNS work if you hardcode the values into the site configuration?


------------------------------

Message: 5
Date: Wed, 13 Nov 2013 12:48:02 +0100
From: Service Lists <lists at michael-bruenisholz.ch>
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Shrew + Win 7 (64) - no incoming packets
Message-ID:
	<CAJZzQt4B4-JU71wS0Uqy2z+mErvXeb2RKPp2kZtPT7twn3529g at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hello J?rn, Hello Kevin

Although this is a rather old thread, I'm really wondering if you found
a solution for your problem. I ran into the same problem with some of
our vpn-clients, on different windows-versions. It seems like the
returning packets reach the client-machine, at least I can see some
returning packets in wireshark.
Strange is the fact, that some other vpn-clients, with the same
configuration and client-version, run smoothly.

I'd be very happy if you've found a solution to your problem, because
I'm really stuck at this.

Best regards
Mike



------------------------------

Message: 6
Date: Wed, 13 Nov 2013 12:57:11 +0100
From: lst_hoe02 at kwsoft.de
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Shrew + Win 7 (64) - no incoming packets
Message-ID:
	<20131113125711.Horde.s9HslpnO_paOBLq6gJHk2w7 at webmail.kwsoft.de>
Content-Type: text/plain; charset="utf-8"; Format="flowed";
	DelSp="Yes"


Quoting Service Lists <lists at michael-bruenisholz.ch>:

> Hello J?rn, Hello Kevin
>
> Although this is a rather old thread, I'm really wondering if you found
> a solution for your problem. I ran into the same problem with some of
> our vpn-clients, on different windows-versions. It seems like the
> returning packets reach the client-machine, at least I can see some
> returning packets in wireshark.
> Strange is the fact, that some other vpn-clients, with the same
> configuration and client-version, run smoothly.
>
> I'd be very happy if you've found a solution to your problem, because
> I'm really stuck at this.
>
> Best regards
> Mike

We sometimes get this repaired by starting the VPN Manager once as  
Administrator. Not sure why it works afterwards and it wasn't a  
solution in any case :-(

Regards

Andreas


------------------------------


End of vpn-help Digest, Vol 86, Issue 9
***************************************