The MTU in the Shrew client is set at 1380 right now. You think I need to try
and set it lower still?
Here's my route table: 192.168.98.5 is my Shrew Soft Virtual Adapter IP that
the Netscreen is assigning. The VPN Policy tab is configured to maintain
persistent security associations and the remote network resource is 10.0.0.0 /
255.255.0.0.
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination  Netmask          Gateway       Interface     Metric
0.0.0.0              0.0.0.0          172.16.10.11  172.16.10.68  10
10.0.0.0             255.255.0.0      On-link       192.168.98.5  31
10.0.255.255         255.255.255.255  On-link       192.168.98.5  286
74.204.92.85         255.255.255.255  172.16.10.11  172.16.10.68  11
127.0.0.0            255.0.0.0        On-link       127.0.0.1     306
127.0.0.1            255.255.255.255  On-link       127.0.0.1     306
127.255.255.255      255.255.255.255  On-link       127.0.0.1     306
172.16.10.0          255.255.255.0    On-link       172.16.10.68  266
172.16.10.68         255.255.255.255  On-link       172.16.10.68  266
172.16.10.255        255.255.255.255  On-link       172.16.10.68  266
192.168.98.5         255.255.255.255  On-link       192.168.98.5  286
224.0.0.0            240.0.0.0        On-link       127.0.0.1     306
224.0.0.0            240.0.0.0        On-link       172.16.10.68  266
224.0.0.0            240.0.0.0        On-link       192.168.98.5  286
255.255.255.255      255.255.255.255  On-link       127.0.0.1     306
255.255.255.255      255.255.255.255  On-link       172.16.10.68  266
255.255.255.255      255.255.255.255  On-link       192.168.98.5  286
James J. Minard, MCP
Network Technician
Precision Computer Solutions, Inc.
[email protected]
Phone (810) 987-8748 Ext 122
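One way to read a `route print` capture like the one above is to resolve test addresses against it with longest-prefix matching and confirm which adapter each would leave on. This is an added example, not part of the original message; the two 10.x test hosts are hypothetical, and 74.204.92.85 is only assumed to be the VPN peer's public address.

```python
import ipaddress

# Constructed sample: unicast rows copied from the route table in the message above.
ROUTE_PRINT = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.10.11 172.16.10.68 10
10.0.0.0 255.255.0.0 On-link 192.168.98.5 31
10.0.255.255 255.255.255.255 On-link 192.168.98.5 286
74.204.92.85 255.255.255.255 172.16.10.11 172.16.10.68 11
172.16.10.0 255.255.255.0 On-link 172.16.10.68 266
192.168.98.5 255.255.255.255 On-link 192.168.98.5 286
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each well-formed row."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or wrapped line
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            routes.append((net, gateway, iface, int(metric)))
        except ValueError:
            continue  # not an address/netmask pair
    return routes

def lookup(routes, addr):
    """Pick the route to use: longest prefix first, then lowest metric."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3])) if hits else None

def egress_interface(routes, addr):
    """Interface address the packet would leave on, or None if unroutable."""
    hit = lookup(routes, addr)
    return hit[2] if hit else None

if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    # 10.0.1.20 and 10.1.0.20 are hypothetical hosts inside/outside 10.0.0.0/16.
    for target in ("10.0.1.20", "10.1.0.20", "74.204.92.85"):
        print(target, "->", egress_interface(routes, target))
```

A host inside 10.0.0.0/16 resolves to the virtual adapter (192.168.98.5), while the 74.204.92.85 host route and everything else stay on the physical interface (172.16.10.68).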
-----Original Message-----
From: vpn-help [mailto:[email protected]] On Behalf Of
[email protected]
Sent: Wednesday, November 13, 2013 6:57 AM
To: [email protected]
Subject: vpn-help Digest, Vol 86, Issue 9
Today's Topics:
1. Windows 8/Shrew 2.2.2/Netscreen 5GT 5.40r12 (James Minard)
2. Re: Windows 8/Shrew 2.2.2/Netscreen 5GT 5.40r12 (Kevin VPN)
3. Re: probleme with cisco vpn (Kevin VPN)
4. Re: Split DNS not working (Kevin VPN)
5. Re: Shrew + Win 7 (64) - no incoming packets (Service Lists)
6. Re: Shrew + Win 7 (64) - no incoming packets ([email protected])
----------------------------------------------------------------------
Message: 1
Date: Tue, 12 Nov 2013 18:25:48 +0000
From: James Minard <[email protected]>
To: "[email protected]" <[email protected]>
Subject: [vpn-help] Windows 8/Shrew 2.2.2/Netscreen 5GT 5.40r12
Message-ID:
<[email protected]>
Content-Type: text/plain; charset="us-ascii"
Has anyone had success with the combination of Windows 8, Shrew 2.2.2, and a
Netscreen 5GT running 5.4.0r12 firmware? I tried it with the same policy
settings that are working with Windows 7/Shrew 2.1.7 and couldn't establish an
SA. Then I tweaked the policy settings in Shrew so that Phase 1 and Phase 2
weren't set to "auto" on the client-side, I matched them up with the values
that were configured on the Netscreen itself, and then the SA established, but
now no traffic will pass through the tunnel.
James J. Minard, MCP
Network Technician
Precision Computer Solutions, Inc.
[email protected]
Phone (810) 987-8748 Ext 122
------------------------------
Message: 2
Date: Tue, 12 Nov 2013 22:09:49 -0500
From: Kevin VPN <[email protected]>
To: [email protected]
Subject: Re: [vpn-help] Windows 8/Shrew 2.2.2/Netscreen 5GT 5.40r12
Message-ID: <[email protected]>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
On 11/12/2013 01:25 PM, James Minard wrote:
> Has anyone had success with the combination of Windows 8, Shrew 2.2.2,
> and a Netscreen 5GT running 5.4.0r12 firmware? I tried it with the
> same policy settings that are working with Windows 7/Shrew 2.1.7 and
> couldn't establish an SA. Then I tweaked the policy settings in Shrew
> so that Phase 1 and Phase 2 weren't set to "auto" on the client-side,
> I matched them up with the values that were configured on the
> Netscreen itself, and then the SA established, but now no traffic will
> pass through the tunnel.
Hi James,
It looks like you ran into a packet size/fragmentation problem with the SA
negotiation. The Shrew 2.2.x negotiation supports more protocol combinations
than 2.1.x does, so it generates larger packets when set to auto. These
packets are often larger than the maximum packet size, resulting in them being
fragmented. However, many firewalls don't like fragmented packets and drop
them automatically.
Specifying the particular values to use for phase 1 and 2 results in the
negotiation packets being smaller, so they don't get fragmented.
Since smaller packets worked for the SA negotiation, why don't you try manually
setting the MTU (maximum packet size) in the VPN configuration to a smaller
value to see if that helps?
If it doesn't, I'd suggest providing us with a debug log and also a copy of the
Win8 routing table when the VPN is connected.
Debug log: https://www.shrew.net/support/VPN_Bug_Report_Windows
Route table: open a command prompt, then type 'route print'
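The size effect described in the reply above can be made concrete by encoding a phase 1 SA payload (RFC 2408/2409 layout) and measuring it for different numbers of offered transforms. This is an added example, not from the thread or from Shrew; the cipher and hash lists, DH group 2, pre-shared-key authentication and the 86400-second lifetime are assumptions, and vendor ID or key exchange payloads would add to the totals.

```python
import struct

IP_UDP_HDR = 20 + 8   # IPv4 header without options + UDP header
ISAKMP_HDR = 28       # fixed ISAKMP header (RFC 2408)

def attr(a_type, value):
    """IKE SA attribute: 4-byte TV form if the value fits in 16 bits, else TLV."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | a_type, value)
    return struct.pack("!HHI", a_type, 4, value)

def transform(num, last, enc, keylen, hash_alg, life=86400):
    """One phase 1 transform: cipher, optional key length, hash, DH group 2, PSK, lifetime."""
    attrs = attr(1, enc) + (attr(14, keylen) if keylen else b"")
    attrs += attr(2, hash_alg) + attr(4, 2) + attr(3, 1) + attr(11, 1) + attr(12, life)
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), num, 1, 0) + attrs

def sa_payload(offers):
    """SA payload with one proposal and one transform per (enc, keylen, hash) offer."""
    body = b"".join(transform(i + 1, i == len(offers) - 1, *o) for i, o in enumerate(offers))
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(body), 1, 1, 0, len(offers)) + body
    return struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal

def ip_size(offers):
    """IPv4 datagram size of a message holding only the ISAKMP header and SA payload."""
    return IP_UDP_HDR + ISAKMP_HDR + len(sa_payload(offers))

def fragments(size, mtu=1500):
    """Number of IPv4 fragments needed to carry a datagram of `size` bytes."""
    per_fragment = (mtu - 20) // 8 * 8
    return -(-(size - 20) // per_fragment)

# Constructed offer sets (not Shrew's actual "auto" lists): enc ids 7=AES, 3=Blowfish,
# 5=3DES, 6=CAST, 1=DES; hash ids 1=MD5, 2=SHA1, 4/5/6=SHA2-256/384/512.
CIPHERS = [(7, 256), (7, 192), (7, 128), (3, 256), (3, 192), (3, 128), (5, 0), (6, 0), (1, 0)]
PINNED = [(5, 0, 2)]                                        # one explicit 3DES/SHA1 offer
NARROW = [(e, k, h) for e, k in CIPHERS for h in (1, 2)]    # 18 combinations
WIDE = [(e, k, h) for e, k in CIPHERS for h in (1, 2, 4, 5, 6)]  # 45 combinations

if __name__ == "__main__":
    for name, offers in (("pinned", PINNED), ("narrow", NARROW), ("wide", WIDE)):
        size = ip_size(offers)
        print(f"{name}: {len(offers)} transforms, {size} bytes, {fragments(size)} fragment(s)")
```

With these constructed sets only the widest offer exceeds a 1500-byte MTU and has to be split into two IP fragments; the pinned and narrower offers fit in a single datagram.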
------------------------------
Message: 3
Date: Tue, 12 Nov 2013 22:20:10 -0500
From: Kevin VPN <[email protected]>
To: [email protected]
Subject: Re: [vpn-help] probleme with cisco vpn
Message-ID: <[email protected]>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
On 07/24/2013 01:00 PM, [email protected] wrote:
>
> Today's Topics:
>
> 1. probleme with cisco vpn (Brasseur Valéry)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 24 Jul 2013 09:44:36 +0200
> From: Brasseur Valéry <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: [vpn-devel] probleme with cisco vpn
> Message-ID:
>
> <bbdb6f8e46b86245820205ab03de3d4a7aa72fb...@frspx100.fr01.awl.atosorigin.net>
>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I try using shrew vpn with a cisco vpn under a windows 7 64bits.
> the vpn is connected but I can't connect/ping to servers through the vpn.
> I also have the cisco client installed and working.
> the same configuration works under an XP without the cisco client.
> can you help ?
> thanks
>
Hi Valery,
I know this is an old post, but are you still having a problem getting Shrew to
work?
If so, can you answer the following questions?
1. Are you using the same version of Shrew on Windows 7 as you are on the
Windows XP machine?
2. On the Win7 machine, did you install Shrew or the Cisco client first?
3. Does Shrew work on Win7 if you uninstall the Cisco client?
4. Can you provide a debug log for us?
https://www.shrew.net/support/VPN_Bug_Report_Windows
------------------------------
Message: 4
Date: Tue, 12 Nov 2013 22:22:56 -0500
From: Kevin VPN <[email protected]>
To: [email protected]
Subject: Re: [vpn-help] Split DNS not working
Message-ID: <[email protected]>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
On 08/13/2013 08:39 PM, Richard Ihmels wrote:
> I have installed a trial of the Shrewsoft VPN client for Windows V
> 2.2.2 and I am having difficulty getting the Split DNS functionality
> working. This is with the client installed on Windows 7 x64 or
> Windows 8 x64.
>
>
> When the connection is traced the log states ii : split DNS is
> disabled.
>
> The gateway is an ASA5505 with Split-dns enabled
>
> group-policy Domain_Prod internal
> group-policy Domain_Prod attributes
>  dns-server value 192.168.1.19 192.168.1.24
>  vpn-tunnel-protocol IPSec
>  split-tunnel-policy tunnelspecified
>  split-tunnel-network-list value Internal
>  default-domain value corporate.domain
>  split-dns value corporate.domain
>
> Split DNS is set to enabled and set to automatic in the client, and
> the proxy seems to be running.
>
> Any ideas how to proceed from here?
>
Hi Richard,
Maybe the ASA is not providing the split DNS settings as expected? Does the
split DNS work if you hardcode the values into the site configuration?
------------------------------
Message: 5
Date: Wed, 13 Nov 2013 12:48:02 +0100
From: Service Lists <[email protected]>
To: [email protected]
Subject: Re: [vpn-help] Shrew + Win 7 (64) - no incoming packets
Message-ID:
<cajzzqt4b4-ju71ws0uqy2z+mervxeb2rkpp2kztpt7twn35...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hello J?rn, Hello Kevin
Although this is a rather old thread, I'm really wondering if you found
a solution for your problem. I ran into the same problem with some of
our vpn-clients, on different windows-versions. It seems like the
returning packets reach the client-machine, at least I can see some
returning packets in wireshark.
Strange is the fact, that some other vpn-clients, with the same
configuration and client-version, run smoothly.
I'd be very happy if you've found a solution to your problem, because
I'm really stuck at this.
Best regards
Mike
------------------------------
Message: 6
Date: Wed, 13 Nov 2013 12:57:11 +0100
From: [email protected]
To: [email protected]
Subject: Re: [vpn-help] Shrew + Win 7 (64) - no incoming packets
Message-ID:
<[email protected]>
Content-Type: text/plain; charset="utf-8"; Format="flowed";
DelSp="Yes"
Quoting Service Lists <[email protected]>:
> Hello J?rn, Hello Kevin
>
> Although this is a rather old thread, I'm really wondering if you found
> a solution for your problem. I ran into the same problem with some of
> our vpn-clients, on different windows-versions. It seems like the
> returning packets reach the client-machine, at least I can see some
> returning packets in wireshark.
> Strange is the fact, that some other vpn-clients, with the same
> configuration and client-version, run smoothly.
>
> I'd be very happy if you've found a solution to your problem, because
> I'm really stuck at this.
>
> Best regards
> Mike
We sometimes get this repaired by starting the VPN Manager once as
Administrator. Not sure why it works afterwards and it wasn't a
solution in any case :-(
Regards
Andreas
------------------------------
Subject: Digest Footer
_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help
------------------------------
End of vpn-help Digest, Vol 86, Issue 9
***************************************