On 8/2/2010 5:39 AM, Weber, Uwe wrote:
Hi there
Another no response from DHCP server issue: I have set up an ipsec dialup
vpn against a FGT 80C, did all the testing with their native Forticlient
and everything was fine. As we had some PCs with the actual Shrew vpn
client software already installed, I gave it a try and it worked fine as
well.
Over the weekend some users connected to the vpn and it suddenly
stopped working with the message: no response from DHCP server.
(It is DHCP over IPSEC on the FGT)
When I looked into it today the first thing that I found was that I
could still connect with the fortigate client and I could not with the
Shrew client. The second thing, that I found, was that all the leases
from the DHCP-over-IPSEC range had already been leased out, but were not
active (since no client was connected). Then I cleared all the leases via
command line on the FGT and yeeeehaaaaaa! could connect with the
Shrew-client again.
It would be nice, if that could be fixed, because I really like the
client and would only reluctantly uninstall it from my clients and use
the Forticlient instead :)
Hi Uwe,
This sounds like a different problem from the DHCP over IPsec related
issue that was reported previously. It pertains to the client not using
a consistent MAC address for the DHCP discover. Since each connection is
processed as a different machine, the gateway hands out a new DHCP
address for each Shrew connection attempt which eventually exhausts the
DHCP pool. My guess is that the Fortigate client wasn't affected by this
because it retained the MAC value previously sent and gets handed an
address which is still reserved. The easiest solution will be for the
client to offer the same MAC address each time so it doesn't cause this
problem. I haven't gotten around to this yet, but it shouldn't be too
difficult to add. I'll keep you posted.
-Matthew
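
The pool exhaustion described in the reply above, modelled as an added example that is not part of the original thread and is not Shrew or Fortinet code. The `LeasePool` model, the 5-address range, the lease time and the hash-based `stable_mac` derivation are all assumptions chosen for illustration.

```python
import hashlib
import os

class LeasePool:
    """Minimal DHCP server model: one lease per client hardware address."""
    def __init__(self, addresses, lease_time):
        self.free = list(addresses)
        self.lease_time = lease_time
        self.leases = {}  # chaddr -> (ip, expiry)

    def discover(self, chaddr, now):
        # Reclaim leases whose time has run out.
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.free.append(ip)
        if chaddr in self.leases:      # known client: same address again
            ip = self.leases[chaddr][0]
        elif self.free:                # unknown client: consume a free address
            ip = self.free.pop(0)
        else:
            return None                # pool exhausted: no offer is sent
        self.leases[chaddr] = (ip, now + self.lease_time)
        return ip

def _local_unicast(raw):
    b = bytearray(raw[:6])
    b[0] = (b[0] | 0x02) & 0xFE        # locally administered, unicast
    return bytes(b)

def random_mac():
    """A fresh hardware address for every connection attempt."""
    return _local_unicast(os.urandom(6))

def stable_mac(seed):
    """The same hardware address every time, derived from a persistent seed."""
    return _local_unicast(hashlib.sha256(seed).digest())

def reconnect(pool, mac_source, attempts):
    """Connect `attempts` times, one time unit apart; return offered addresses."""
    return [pool.discover(mac_source(), now) for now in range(attempts)]

def demo():
    addrs = ["10.0.0.%d" % i for i in range(1, 6)]  # constructed address range
    seed = b"constructed-install-id"                # constructed per-install value
    rand = reconnect(LeasePool(addrs, 1000), random_mac, 8)
    stable = reconnect(LeasePool(addrs, 1000), lambda: stable_mac(seed), 8)
    return rand, stable

if __name__ == "__main__":
    print(demo())
```

With a changing hardware address the sixth attempt gets no offer until old leases expire or are cleared, while the stable address is handed the same lease on every attempt.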