[vpn-help] shrew soft client and zywall 5 -no LAN to LAN traffic, phase2 not operating?

Kevin VPN kvpn at live.com
Wed Nov 13 21:42:59 CST 2013


On 08/07/2013 05:44 PM, Dr. Adrian Bratt wrote:
> Hi,
>
> thanks for picking this up.
>
> The log files are attached, the shrew client side and the zywall 5
> gateway side.
>
> I did have this working once at the weekend, but have since managed to
> mess up
> a setting somewhere, so I am sure it's OK hardware-wise.
>
> Cheers
>
> Adrian
>
> On 07/08/2013 04:03, Kevin VPN wrote:
>> On 08/04/2013 11:28 AM, Dr. Adrian Bratt wrote:
>>> Hi,
>>>
>> <snip>
>>>
>>> I think my phase 2 may be the problem (but I copied it to the letter
>>> from the
>>> help file.)
>>>
>>>  From a cmd window in the laptop a ping request gets the reply,
>>>
>>> C:\Users\adrian>ping 192.168.0.100
>>>
>>> Pinging 192.168.0.100 with 32 bytes of data:
>>> Reply from 192.168.0.77: Destination host unreachable.
>>> Request timed out.
>>>
>>> Shrew debug Log is below.
>>>
>> <snip>
>>> ============
>>> 13/08/04 16:25:47 ## : IKE Daemon, ver 2.2.2
>>> 13/08/04 16:25:47 ## : Copyright 2013 Shrew Soft Inc.
>>> 13/08/04 16:25:47 ## : This product linked OpenSSL 1.0.1c 10 May 2012
>> <snip>
>>> 13/08/04 16:26:20 ii : created IPSEC policy route for 192.168.1.0/24
>>> 13/08/04 16:26:20 DB : policy added ( obj count = 6 )
>>> 13/08/04 16:26:20 K> : send pfkey X_SPDADD UNSPEC message
>>> 13/08/04 16:26:20 K< : recv pfkey X_SPDADD UNSPEC message
>>> 13/08/04 16:26:20 DB : policy found
>>> 13/08/04 16:26:20 ii : split DNS is disabled
>>>
>>
>> Hi Adrian,
>>
>> Can you include the rest of the debug log and make sure the logging
>> level is set to at least debug?  What you sent is missing the details
>> on the phase2 negotiation.
>>

Hi Adrian,

I know this is a very old thread (I've been away), but I think I see a 
problem.  Looking at your log files, it appears that you have a subnet 
overlap between your local NATted subnet (behind your personal router) 
and the subnet that is delivered by the Zywall for your virtual VPN adapter.

Based on your log files, it appears that your PC's local network address 
is 192.168.1.2 with a default gateway/router address of 192.168.1.1.

It appears that the Zywall assigns the Shrew virtual VPN adapter an IP 
address of 192.168.1.17, which is in the same subnet as your device's 
physical adapter.

I think this address overlap may be causing some problems.  My 
recommendation would be to change the addresses given out by the Zywall 
to VPN clients, since subnet 192.168.1.x is commonly used by many home 
routers as the protected subnet.
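
Added example, not part of the original message: a small Python check for the overlap described above, comparing the physical adapter's subnet with the VPN-assigned adapter address and the IPsec policy routes. The /24 mask on the physical adapter and the 10.77.0.x replacement pool are assumptions; the other addresses are the ones quoted in this thread.

```python
import ipaddress


def find_conflicts(physical_if, vpn_adapter_ip, policy_routes):
    """Return (kind, detail) tuples for every clash with the physical LAN.

    physical_if    -- physical adapter address with prefix, e.g. "192.168.1.2/24"
    vpn_adapter_ip -- address the gateway hands to the virtual VPN adapter
    policy_routes  -- networks the client routes into the tunnel
    """
    lan = ipaddress.ip_interface(physical_if).network
    conflicts = []

    # The virtual adapter should not receive an address inside the
    # subnet the physical adapter already sits on.
    if ipaddress.ip_address(vpn_adapter_ip) in lan:
        conflicts.append(
            ("adapter", f"{vpn_adapter_ip} is inside local subnet {lan}"))

    # Every policy route sends a network into the tunnel. If one overlaps
    # the LAN, traffic for local hosts (including the default gateway)
    # matches the tunnel policy as well.
    for route in policy_routes:
        net = ipaddress.ip_network(route, strict=False)  # tolerate host bits
        if net.overlaps(lan):
            conflicts.append(
                ("route", f"policy route {net} overlaps local subnet {lan}"))

    return conflicts


if __name__ == "__main__":
    # Values from the thread; the /24 mask is an assumption.
    for kind, detail in find_conflicts(
            "192.168.1.2/24", "192.168.1.17", ["192.168.1.0/24"]):
        print(f"[{kind}] {detail}")

    # Constructed replacement pool that avoids 192.168.1.x.
    print(find_conflicts("192.168.1.2/24", "10.77.0.17", ["10.77.0.0/24"]))
```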



