I have an answer to my own question. According to RFC1812 - Requirements for IP Version 4 Routers (snippet below), arguably it appears that Ubuntu 10.04 (and 9.04) desktop do not adhere to this RFC since they implement the Source Address Validation and enable it by default. One can argue that Ubuntu desktop is not an IPv4 router per se.; regardless, disabling this feature on the client/remote host side of the VPN (the host that runs the ShrewSoft VPN client) resolves the problem with virtual adapter (ModeConfig) configurations not being able to see or ping the remote LAN.
> 5.3.8 Source Address Validation > > A router SHOULD IMPLEMENT the ability to filter traffic based on a > comparison of the source address of a packet and the forwarding table > for a logical interface on which the packet was received. If this > filtering is enabled, the router MUST silently discard a packet if > the interface on which the packet was received is not the interface > on which a packet would be forwarded to reach the address contained > in the source address. In simpler terms, if a router wouldn't route > a packet containing this address through a particular interface, it > shouldn't believe the address if it appears as a source address in a > packet read from this interface. > > If this feature is implemented, it MUST be disabled by default. > > DISCUSSION > This feature can provide useful security improvements in some > situations, but can erroneously discard valid packets in > situations where paths are asymmetric. Disabling Source Address Validation is a double-edge sword, particularly if the client machine is directly connected to the Internet since packet spoofing malware has a much easier time with this disabled. _______________________________________________ vpn-help mailing list [email protected] http://lists.shrew.net/mailman/listinfo/vpn-help
