On 09/30/2013 08:31 AM, Lukasz Sokol wrote:
Hi,
I have a working tunnel configuration (from Shrew on WinXP to ZyXEL ZyWALL (USG 20) as per user guide) that I have transferred between different PCs and across Shrew versions with results like: (of course every remote PC uses different ID and virtual adapter IP, to start with)

- PC1: WinXP, Shrew 2.0.0 (approx, don't have this pc on hand exactly now but d/l and done about May), Windows Firewall + Avast! AV
Result : it works. Tunnel is established and passes traffic. No problem. Have NOT tried latest Shrew.

- PC2: Win7, Shrew 2.2.0 (downloaded about a week ago), Windows Firewall
Result: it works, tunnel is established and passes traffic. No problem.

- PC3 : Win7, tried Shrew 2.2.0 and 2.0.0, ZoneAlarm AV+FW;
Result : NO. Tunnel is reported established, SAs show up, firewall rules too, but no traffic can pass. The tunnel also does show up in the gw's VPN IPSEC monitor OK, but no incoming traffic (Rx Bytes always zero). I tried snoozing the AV and FW temporarily before establishing the tunnel, no difference.

- PC1 and PC3 were tried from the same remote location behind NAT (i.e. NAT traversal is actually on on gw and shrew, and obviously works), PC2 is somewhere completely different;

- shrew configs are obviously modified between PC1, 2 and 3 so they can access the gw simultaneously and that works where the tunnel works (on PC1 and 2), to the point that

- trying to establish tunnels from PC2 and PC3 simultaneously also works (is established on both) but only tunnel to PC1 passes traffic anyway.

What can I try (preferably on the PC1 with XP and pc3 where it doesn't work) to narrow it down?


Hi Lukasz,

I'd look to see if the ZoneAlarm FW on PC3 is blocking the VPN traffic. IPsec VPNs need both the UDP port 500 open as well as allowing IP protocol 50 (ESP) traffic (for reference, TCP is IP protocol 6 and UDP is protocol 17).

Look in the ZoneAlarm FW to see if it has any settings for IPsec or VPN or a place where you can define rules including the IP protocol number.

_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help
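
To see which of the traffic classes named in the reply actually leave or reach a client, packets from a capture can be labelled by IP protocol number and UDP port. The following is an added example, not part of the original thread: UDP port 4500 and the four-zero-byte non-ESP marker come from the NAT traversal RFCs (3947/3948) rather than from the messages above, and the sample packets and the `classify`/`summarize` names are constructed for illustration.

```python
import struct
from collections import Counter

PROTO_UDP, PROTO_ESP = 17, 50        # IP protocol numbers from the reply above
IKE_PORT, NATT_PORT = 500, 4500      # 4500 = NAT traversal port (RFC 3948)

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet by the role it plays in an IPsec tunnel."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "not-ipv4"
    if packet[9] == PROTO_ESP:
        return "esp"                 # native ESP, no NAT in the path
    if packet[9] != PROTO_UDP:
        return "other"
    if struct.unpack_from("!H", packet, 6)[0] & 0x1FFF or len(packet) < ihl + 8:
        return "other"               # later fragment or truncated: no UDP header
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    payload = packet[ihl + 8:]
    if IKE_PORT in (sport, dport):
        return "ike"
    if NATT_PORT not in (sport, dport):
        return "other"
    if payload == b"\xff":
        return "natt-keepalive"
    # Four zero bytes (non-ESP marker) mean IKE; anything else is an ESP SPI.
    return "ike-natt" if payload[:4] == b"\x00" * 4 else "esp-in-udp"

def summarize(capture):
    """Count packets per (direction, label) for a list of (direction, bytes)."""
    return Counter((direction, classify(pkt)) for direction, pkt in capture)

# Constructed sample packets: checksums left at zero, RFC 5737 test addresses.
def ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + bytes([192, 0, 2, 10, 198, 51, 100, 1]) + payload

def udp(sport, dport, data):
    return ipv4(PROTO_UDP, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)

SAMPLE = [
    ("out", udp(500, 500, b"\x11" * 28)),                          # IKE
    ("in", udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),           # IKE over NAT-T
    ("out", udp(4500, 4500, b"\xc0\xff\xee\x01" + b"\x22" * 20)),  # ESP in UDP
    ("out", udp(4500, 4500, b"\xff")),                             # NAT keepalive
    ("out", ipv4(PROTO_ESP, b"\xc0\xff\xee\x01" + b"\x22" * 20)),  # native ESP
]
```

Calling `summarize(SAMPLE)` gives a per-direction count; a capture where a class is counted on the client side but never at the gateway points at something between the two dropping it.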
