Cory, thanks very much for posting the solution to the list, I'm sure there are people who will be able to use it.

On 04/15/2013 10:47 AM, Cory Bell wrote:
Well, it appears I've answered my own question, so I'll post the
answer here for posterity.

It appears the problem is that 8.3(2) is very buggy WRT IPSec and NAT.
There were a few suspiciously familiar-sounding bugs in the "fixed"
list for the latest interim release - none mentioned ShrewSoft, of
course, but the Mac OS IPSec/L2TP client was mentioned. So, I upgraded
to 8.3(2)37 and my problems vanished. Based on the number of bug fixes
that are in 8.2(5) but are *not* in 8.3(2), I'd advise anyone who is
upgrading to 8.3 to go directly to the latest interim release.

It's still a mystery why the Mac OS X and vpnc clients were able to
connect (but suffered occasional connection drops), whereas the
ShrewSoft client was completely stymied - perhaps they have some
mechanism to detect and/or attempt to avoid NAT collisions?

Hope this saves someone else a headache.

On Thu, Mar 28, 2013 at 8:58 PM, Cory Bell <[email protected]> wrote:
Further investigation leads me to believe this may be NAT or NAT-T
related - it appears that the first ShrewSoft client to connect from
behind a NAT router is able to establish a VPN session. Any subsequent
sessions will fail. I've tried the various NAT-T settings in the
client, to no avail - "enabled" is what we had been using previously
and seemed to work fine.

I've also noticed that, while multiple vpnc and Mac OS X clients are
able to connect from behind a single NAT router, we have been
experiencing connection drops much more frequently since the upgrade
to 8.3(2). There does not seem to be any clear pattern to when the
disconnects occur, but multiple clients are affected when they do.

On Tue, Mar 26, 2013 at 7:31 AM, Cory Bell <[email protected]> wrote:
VPN Client Version: 2.1.7-release and 2.2.0-rc-2
Windows OS Version: 7
Gateway Make/Model: Cisco ASA
Gateway OS Version: 8.3(2)

I've got a couple of ASAs that were both on 8.2(5) and working fine
with ShrewSoft 2.1.7. Recently, I upgraded one of them to 8.3(2) and
now the ShrewSoft client can no longer connect. I'm aware of the
"unidirectional" NAT exclusion issue in 8.3(2) and have already
corrected it. The official Cisco client is able to connect, as is vpnc
on Linux and the integrated Cisco-compatible client in Mac OS X. The
same ShrewSoft clients that can't connect to the 8.3(2) ASA can still
connect to the 8.2(5) ASA (the tunnel-groups are identical).

There's nothing exotic about my configuration, just your standard
IKEv1 with XAuth-PSK auth and NAT-T encapsulation. It's virtually
identical to the Cisco ASA example on the Support page, except that
the example is from a pretty old ASA version.

I see two different failure modes - sometimes the ASA shows a "Failure
during phase 1 rekeying attempt due to collision" error and
immediately sends a DELETE to the client, at which point the
connection is terminated. Other times, the client will seemingly hang
after sending multiple config requests. I also gave the ShrewSoft
2.2.0-rc-2 client a try, and it behaves exactly the same.

Cisco TAC was about as helpful as you might expect, so I'm hoping
someone else has been through this and had better luck. I'm happy to
provide sanitized logs if it will help identify the issue. Thanks!
_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help