[vpn-help] One tunnel works, other does not on Win7

Kevin VPN kvpn at live.com
Thu Nov 21 21:27:29 CST 2013


On 09/30/2013 08:31 AM, Lukasz Sokol wrote:
> Hi,
> I have a working tunnel configuration (from Shrew on WinXP to ZyXEL ZyWALL (USG 20) as per
> user guide)
> that I have transferred between different PCs and across Shrew versions with
> results like: (of course every remote PC uses different ID and virtual adapter IP, to start with)
>
> - PC1: WinXP, Shrew 2.0.0 (approx, don't have this pc on hand exactly now but d/l and done about May),
> Windows Firewall + Avast! AV
> Result : it works. Tunnel is established and passes traffic. No problem. Have NOT tried latest Shrew.
>
> - PC2: Win7, Shrew 2.2.0 (downloaded about a week ago), Windows Firewall
> Result: it works, tunnel is established and passes traffic. No problem.
>
> - PC3 : Win7, tried Shrew 2.2.0 and 2.0.0, ZoneAlarm AV+FW;
> Result : NO. Tunnel is reported established, SAs show up, firewall rules too, but no traffic can pass,
> The tunnel also does show up in the gw's VPN IPSEC monitor OK, but no incoming traffic (Rx Bytes always zero).
> I tried snoozing the AV and FW temporarily before establishing the tunnel, no difference.
>
> - PC1 and PC3 were tried from the same remote location behind NAT (i.e. NAT traversal is actually
> on on gw and shrew, and obviously works), PC2 is somewhere completely different;
>
> - shrew configs are obviously modified between PC1 2 and 3 so they can access the gw simultaneously
> and that works where the tunnel works (on PC1 and 2), to the point that
>
> - trying to establish tunnels from PC2 and PC3 simultaneously also works (is established on both)
> but only tunnel to PC1 passes traffic anyway.
>
> What can I try (preferably on the PC1 with XP and pc3 where it doesn't work) to narrow it down?
>

Hi Lukasz,

I'd look to see if the ZoneAlarm FW on PC3 is blocking the VPN traffic.
IPsec VPNs need both UDP port 500 open and IP protocol 50 (ESP)
traffic allowed (for reference, TCP is IP protocol 6 and UDP
is protocol 17).

Look in the ZoneAlarm FW to see if it has any settings for IPsec or VPN 
or a place where you can define rules including the IP protocol number.
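
One way to check which of these traffic classes a client is actually sending, as an added example that is not part of the original post: the sketch below labels raw IPv4 packets (for instance, bytes exported from a capture on the client) as IKE, native ESP, or ESP carried in UDP, then summarizes a capture. The function names, the direction labels and the sample packets are hypothetical, and the UDP 4500 NAT-T port and non-ESP marker handling are assumptions from the IPsec NAT traversal standards, not from the post.

```python
import struct

PROTO_UDP, PROTO_ESP = 17, 50      # IP protocol numbers from the reply above
IKE_PORT, NATT_PORT = 500, 4500    # assumption: 4500 is the standard NAT-T port

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet by the IPsec traffic class it carries."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto = pkt[9]
    if proto != PROTO_UDP:
        return "esp" if proto == PROTO_ESP else "other"
    if len(pkt) < ihl + 8:
        return "malformed"
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    body = pkt[ihl + 8:]
    if IKE_PORT in (sport, dport):
        return "ike"
    if NATT_PORT not in (sport, dport):
        return "other"
    if body == b"\xff":
        return "natt-keepalive"
    if len(body) < 4:
        return "malformed"
    # On UDP/4500, four leading zero bytes (non-ESP marker) mean IKE; else ESP.
    return "ike-natt" if body[:4] == b"\x00" * 4 else "esp-in-udp"

def diagnose(capture) -> str:
    """capture: iterable of (direction, raw_packet); direction is 'out' or 'in'."""
    seen = {(d, classify(p)) for d, p in capture}
    def has(direction, *kinds):
        return any((direction, k) in seen for k in kinds)
    if not has("out", "ike", "ike-natt"):
        return "no-ike-sent"
    if not has("out", "esp", "esp-in-udp"):
        return "ike-only-no-data-out"   # SAs negotiated, but no data packets left
    if not has("in", "esp", "esp-in-udp"):
        return "data-out-no-reply"
    return "data-both-ways"

# Builders for constructed sample packets (documentation addresses, zero checksums).
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])) + payload

def udp(sport: int, dport: int, body: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body
```

A result of `ike-only-no-data-out` matches the symptom in the question (tunnel established, gateway Rx Bytes at zero) and points at something on the client dropping the data packets rather than the key exchange.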


