On 05/14/2013 01:48 PM, James Minard wrote:
Kevin, mystery solved! I looked at the logs on the Juniper while
establishing the connection, and the system event log didn't give me
much information to go on; however, I noticed in the alarm logs that
when I tried to establish the connection, it started logging
fragmented traffic alerts. I turned off the block fragment traffic
protection and the 2.2.0 client established the SA.

I guess the only question is why the 2.2.0 client traffic is being
fragmented and the 2.1.7 isn't?


Hi James,

Shrew v2.2.0 supports many more options for negotiating hashes and transforms for Phase1 and Phase2 connections. Including all the options in one message makes it larger than the Maximum Transmission Unit supported by most networks (typically 1500 bytes), so the packet gets fragmented.

Interestingly, we thought we fixed a problem with fragments just before the 2.2.0-release version. Is there a chance that you're still using a beta/rc version of Shrew 2.2.0?

To avoid the fragmentation problem (i.e. so you can turn block fragments back on), you can try two things:

1) Manually select the Phase1 and Phase2 options in the Shrew site configuration (instead of leaving them on auto). That should result in smaller packets.

2) If you're using the Shrew 2.2.0-release version, you can try to manually adjust (i.e. reduce) the MTU value for your network adapter until the fragments disappear.
http://support.microsoft.com/kb/314053


FYI, I'll be traveling for a while, so I won't be active on the list.
_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help
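
The size effect described in the reply above, as an added example that is not part of the original message or of Shrew's code: it builds the first IKEv1 Main Mode message (ISAKMP header, SA, one proposal, N transforms per RFC 2408/2409) and checks it against a 1500-byte MTU. The algorithm lists, pre-shared-key authentication, DH group 2 and the 86400 second lifetime are constructed assumptions, not the client's actual "auto" proposal set.

```python
import struct
from itertools import product

MTU = 1500                 # typical MTU quoted in the thread
IP_UDP_OVERHEAD = 20 + 8   # IPv4 header (no options) + UDP header

def attr_tv(atype, value):
    """Fixed-length attribute: AF bit set, 16-bit value (RFC 2408 sec. 3.3)."""
    return struct.pack("!HH", 0x8000 | atype, value)

def attr_tlv(atype, data):
    """Variable-length attribute: type, length, value."""
    return struct.pack("!HH", atype, len(data)) + data

def transform(num, last, cipher, keylen, hash_id, group=2, auth=1, life=86400):
    """One Phase 1 transform payload with RFC 2409 Appendix A attributes."""
    attrs = attr_tv(1, cipher)                       # encryption algorithm
    if keylen:
        attrs += attr_tv(14, keylen)                 # key length, variable-key ciphers only
    attrs += attr_tv(2, hash_id) + attr_tv(4, group) + attr_tv(3, auth)
    attrs += attr_tv(11, 1)                          # life type: seconds
    attrs += attr_tlv(12, struct.pack("!I", life))   # life duration
    hdr = struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), num, 1, 0)
    return hdr + attrs

def phase1_sa_message(ciphers, hashes):
    """ISAKMP header + SA payload + one proposal + one transform per combination."""
    combos = list(product(ciphers, hashes))
    if len(combos) > 255:
        raise ValueError("the transform count field is a single byte")
    body = b"".join(transform(i + 1, i == len(combos) - 1, c, k, h)
                    for i, ((c, k), h) in enumerate(combos))
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(body), 1, 1, 0, len(combos)) + body
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"", 1, 0x10, 2, 0, 0, 28 + len(sa))
    return header + sa

def is_fragmented(message, mtu=MTU):
    """True when the UDP datagram carrying this message exceeds the MTU."""
    return len(message) + IP_UDP_OVERHEAD > mtu

# Constructed proposal sets (assumptions, not Shrew's actual lists).
AUTO_CIPHERS = [(7, 256), (7, 192), (7, 128), (3, 256), (3, 192), (3, 128),
                (5, 0), (6, 0), (1, 0)]   # AES, Blowfish, 3DES, CAST, DES
AUTO_HASHES = [1, 2, 4, 5, 6]             # MD5, SHA1, SHA2-256/384/512
MANUAL = ([(7, 256)], [2])                # AES-256 with SHA1 only

if __name__ == "__main__":
    for name, (c, h) in {"auto": (AUTO_CIPHERS, AUTO_HASHES), "manual": MANUAL}.items():
        msg = phase1_sa_message(c, h)
        print(name, len(msg) + IP_UDP_OVERHEAD, "byte IP packet, fragmented:", is_fragmented(msg))
```

A packet capture of the real exchange shows the actual proposal size; this model only illustrates why one manually selected transform stays far below the limit while a 45-transform proposal does not.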
