[vpn-help] [Cisco] Cannot connect more than 4/5 Shrew VPN clients

Alexis La Goutte alexis.lagoutte at gmail.com
Fri Apr 14 11:50:47 CDT 2017


Hi,

I think it is coming from an issue with NAT, but it will be complicated to
troubleshoot...

On Wed, Apr 12, 2017 at 8:58 AM, Renaud Motuelle <
renaud.motuelle at nttdata.com> wrote:

> Dear helpers,
>
> I have set up Shrew VPN to get around an issue with the Cisco VPN client that
> was removing access to our local LAN as soon as we were connected to the
> remote gateway (Cisco ASE). I do not have access to the Cisco gateway setup.
>
> With Shrew VPN, I can get around this thanks to the policy settings, and it
> works very well for up to 4 (or 5 sometimes) connections… I need 7 active
> connections (7 developers accessing this VPN simultaneously)…
>
> There seems to be a limit on the number of connections set up in the gateway
> for VPN clients when using Shrew VPN (no limitation when using the Cisco VPN
> Client: the 7 developers can connect through the Cisco VPN client
> simultaneously). Would you have any advice to help us solve this
> limitation, or indicate to the customer the potential configuration changes
> required on their gateway settings or even on the Shrew VPN Client settings?
>
> When facing this limitation, the symptoms are the following:
>
> On Shrew VPN, the connect tab hangs at “bringing up tunnel ...”
>
> config loaded for site 'config.vpn'
> attached to key daemon ...
> peer configured
> iskamp proposal configured
> esp proposal configured
> client configured
> local id configured
> remote id configured
> pre-shared key configured
> bringing up tunnel ...
>
> and stops after a few seconds:
>
> gateway is not responding
> tunnel disabled
> detached from key daemon
>
> IKE log at info level (VPN IP address replaced by x.x.x.x)
>
> 17/04/12 14:36:10 ## : IKE Daemon, ver 2.2.2
>
> 17/04/12 14:36:10 ## : Copyright 2013 Shrew Soft Inc.
>
> 17/04/12 14:36:10 ## : This product linked OpenSSL 1.0.1c 10 May 2012
>
> 17/04/12 14:36:10 ii : opened 'C:\Program Files\ShrewSoft\VPN
> Client\debug\iked.log'
>
> 17/04/12 14:36:10 ii : rebuilding vnet device list ...
>
> 17/04/12 14:36:10 ii : device ROOT\VNET\0000 disabled
>
> 17/04/12 14:36:10 ii : network process thread begin ...
>
> 17/04/12 14:36:10 ii : pfkey process thread begin ...
>
> 17/04/12 14:36:10 ii : ipc server process thread begin ...
>
> 17/04/12 14:37:09 ii : ipc client process thread begin ...
>
> 17/04/12 14:37:09 <A : peer config add message
>
> 17/04/12 14:37:09 <A : proposal config message
>
> 17/04/12 14:37:09 <A : proposal config message
>
> 17/04/12 14:37:09 <A : client config message
>
> 17/04/12 14:37:09 <A : xauth username message
>
> 17/04/12 14:37:09 <A : xauth password message
>
> 17/04/12 14:37:09 <A : local id 'VPN-USERS' message
>
> 17/04/12 14:37:09 <A : preshared key message
>
> 17/04/12 14:37:09 <A : remote resource message
>
> 17/04/12 14:37:09 <A : remote resource message
>
> 17/04/12 14:37:09 <A : remote resource message
>
> 17/04/12 14:37:09 <A : remote resource message
>
> 17/04/12 14:37:09 <A : peer tunnel enable message
>
> 17/04/12 14:37:09 ii : local supports XAUTH
>
> 17/04/12 14:37:09 ii : local supports nat-t ( draft v00 )
>
> 17/04/12 14:37:09 ii : local supports nat-t ( draft v01 )
>
> 17/04/12 14:37:09 ii : local supports nat-t ( draft v02 )
>
> 17/04/12 14:37:09 ii : local supports nat-t ( draft v03 )
>
> 17/04/12 14:37:09 ii : local supports nat-t ( rfc )
>
> 17/04/12 14:37:09 ii : local supports FRAGMENTATION
>
> 17/04/12 14:37:09 ii : local supports DPDv1
>
> 17/04/12 14:37:09 ii : local is SHREW SOFT compatible
>
> 17/04/12 14:37:09 ii : local is NETSCREEN compatible
>
> 17/04/12 14:37:09 ii : local is SIDEWINDER compatible
>
> 17/04/12 14:37:09 ii : local is CISCO UNITY compatible
>
> 17/04/12 14:37:09 >= : cookies 5bbbf81f4742ea5c:0000000000000000
>
> 17/04/12 14:37:09 >= : message 00000000
>
> 17/04/12 14:37:09 ii : processing phase1 packet ( 460 bytes )
>
> 17/04/12 14:37:09 =< : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:09 =< : message 00000000
>
> 17/04/12 14:37:09 ii : matched isakmp proposal #1 transform #14
>
> 17/04/12 14:37:09 ii : - transform    = ike
>
> 17/04/12 14:37:09 ii : - cipher type  = 3des
>
> 17/04/12 14:37:09 ii : - key length   = default
>
> 17/04/12 14:37:09 ii : - hash type    = sha1
>
> 17/04/12 14:37:09 ii : - dh group     = group2 ( modp-1024 )
>
> 17/04/12 14:37:09 ii : - auth type    = xauth-initiator-psk
>
> 17/04/12 14:37:09 ii : - life seconds = 86400
>
> 17/04/12 14:37:09 ii : - life kbytes  = 0
>
> 17/04/12 14:37:09 ii : phase1 id match ( natt prevents ip match )
>
> 17/04/12 14:37:09 ii : received = ipv4-host x.x.x.x
>
> 17/04/12 14:37:09 ii : peer is CISCO UNITY compatible
>
> 17/04/12 14:37:09 ii : peer supports XAUTH
>
> 17/04/12 14:37:09 ii : peer supports DPDv1
>
> 17/04/12 14:37:09 ii : peer supports nat-t ( draft v02 )
>
> 17/04/12 14:37:09 ii : nat discovery - local address is translated
>
> 17/04/12 14:37:09 ii : switching to src nat-t udp port 4500
>
> 17/04/12 14:37:09 ii : switching to dst nat-t udp port 4500
>
> 17/04/12 14:37:09 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:09 >= : message 00000000
>
> 17/04/12 14:37:09 ii : phase1 sa established
>
> 17/04/12 14:37:09 ii : x.x.x.x:4500 <-> 10.10.110.93:4500
>
> 17/04/12 14:37:09 ii : 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:09 ii : sending peer INITIAL-CONTACT notification
>
> 17/04/12 14:37:09 ii : - 10.10.110.93:4500 -> x.x.x.x:4500
>
> 17/04/12 14:37:09 ii : - isakmp spi = 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:09 ii : - data size 0
>
> 17/04/12 14:37:09 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:09 >= : message d023e6f8
>
> 17/04/12 14:37:24 ii : sending peer DPDV1-R-U-THERE notification
>
> 17/04/12 14:37:24 ii : - 10.10.110.93:4500 -> x.x.x.x:4500
>
> 17/04/12 14:37:24 ii : - isakmp spi = 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:24 ii : - data size 4
>
> 17/04/12 14:37:24 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:24 >= : message c034539d
>
> 17/04/12 14:37:39 ii : sending peer DPDV1-R-U-THERE notification
>
> 17/04/12 14:37:39 ii : - 10.10.110.93:4500 -> x.x.x.x:4500
>
> 17/04/12 14:37:39 ii : - isakmp spi = 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:39 ii : - data size 4
>
> 17/04/12 14:37:39 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:39 >= : message 6b4feee0
>
> 17/04/12 14:37:43 ii : sending peer DPDV1-R-U-THERE notification
>
> 17/04/12 14:37:43 ii : - 10.10.110.93:4500 -> x.x.x.x:4500
>
> 17/04/12 14:37:43 ii : - isakmp spi = 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:43 ii : - data size 4
>
> 17/04/12 14:37:43 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:43 >= : message d9c3ccc0
>
> 17/04/12 14:37:46 ii : sending peer DPDV1-R-U-THERE notification
>
> 17/04/12 14:37:46 ii : - 10.10.110.93:4500 -> x.x.x.x:4500
>
> 17/04/12 14:37:46 ii : - isakmp spi = 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:46 ii : - data size 4
>
> 17/04/12 14:37:46 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:46 >= : message d77f036f
>
> 17/04/12 14:37:48 ii : sending peer DPDV1-R-U-THERE notification
>
> 17/04/12 14:37:48 ii : - 10.10.110.93:4500 -> x.x.x.x:4500
>
> 17/04/12 14:37:48 ii : - isakmp spi = 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:48 ii : - data size 4
>
> 17/04/12 14:37:48 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:48 >= : message 12e879e9
>
> 17/04/12 14:37:49 !! : tunnel DPD timeout for peer x.x.x.x:4500
>
> 17/04/12 14:37:49 DB : removing tunnel config references
>
> 17/04/12 14:37:49 DB : removing tunnel phase2 references
>
> 17/04/12 14:37:49 DB : removing tunnel phase1 references
>
> 17/04/12 14:37:49 ii : sending peer DELETE message
>
> 17/04/12 14:37:49 ii : - 10.10.110.93:4500 -> x.x.x.x:4500
>
> 17/04/12 14:37:49 ii : - isakmp spi = 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:49 ii : - data size 0
>
> 17/04/12 14:37:49 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
>
> 17/04/12 14:37:49 >= : message 20bf4ec9
>
> 17/04/12 14:37:49 ii : phase1 removal before expire time
>
> 17/04/12 14:37:49 DB : removing all peer tunnel references
>
> 17/04/12 14:37:50 ii : ipc client process thread exit ...
>
>
>
> Thanks in advance for your support.
>
>
>
> *Renaud Motuelle*
>
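As an added triage aid (not code from the thread or from Shrew Soft), a small Python parser for the iked.log line format quoted above that reports which stage the exchange reached: in the quoted log phase 1 completes and INITIAL-CONTACT is sent, then every DPD R-U-THERE goes unanswered until the timeout while NAT-T on udp/4500 is in use, which is the pattern behind the NAT suspicion in the reply. The sample log is a constructed excerpt, and the 'R-U-THERE-ACK' and 'phase2 sa established' strings are assumed success-path messages that do not appear in the thread.

```python
import re

# Constructed excerpt in the iked.log line format shown in the thread
# (date time, two-character tag, ' : ', message); not a capture from the list.
SAMPLE_LOG = """\
17/04/12 14:37:09 ii : nat discovery - local address is translated
17/04/12 14:37:09 ii : phase1 sa established
17/04/12 14:37:09 ii : sending peer INITIAL-CONTACT notification
17/04/12 14:37:24 ii : sending peer DPDV1-R-U-THERE notification
17/04/12 14:37:39 ii : sending peer DPDV1-R-U-THERE notification
17/04/12 14:37:49 !! : tunnel DPD timeout for peer x.x.x.x:4500
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S\S) : (.*)$")

def parse_iked(text):
    """Yield (timestamp, tag, message) for each well-formed iked.log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groups()

def triage_iked(text):
    """Return (verdict, facts) saying where the IKE exchange stalled."""
    facts = {"nat_t": False, "phase1": False, "dpd_sent": 0,
             "dpd_acked": 0, "phase2": False, "dpd_timeout": False}
    for _ts, tag, msg in parse_iked(text):
        if "local address is translated" in msg or "nat-t udp port" in msg:
            facts["nat_t"] = True
        elif msg == "phase1 sa established":
            facts["phase1"] = True
        elif "R-U-THERE-ACK" in msg:          # assumed reply text; absent in thread
            facts["dpd_acked"] += 1
        elif "DPDV1-R-U-THERE" in msg:        # checked after the ACK substring
            facts["dpd_sent"] += 1
        elif "phase2 sa established" in msg:  # assumed success text
            facts["phase2"] = True
        elif tag == "!!" and "DPD timeout" in msg:
            facts["dpd_timeout"] = True
    verdict = "exchange incomplete"
    if not facts["phase1"]:
        verdict = "phase1 never established"
    elif facts["phase2"]:
        verdict = "tunnel negotiated"
    elif facts["dpd_timeout"] and facts["dpd_acked"] == 0:
        verdict = "phase1 up, then gateway went silent: DPD timeout"
        if facts["nat_t"]:
            verdict += " over NAT-T udp/4500, consistent with a NAT problem"
    return verdict, facts
```

Run it over a real iked.log to separate a phase 1 failure (proposal, PSK or ID) from the post-phase-1 silence seen in this thread.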