On 8/5/2010 4:32 AM, Weber, Uwe wrote:
Hi Uwe,

This sounds like a different problem from the DHCP over IPsec related
issue that was reported previously. It pertains to the client not using
a consistent MAC address for the DHCP discover. Since each connection is
processed as a different machine, the gateway hands out a new DHCP
address for each Shrew connection attempt which eventually exhausts the
DHCP pool. My guess is that the Fortigate client wasn't affected by this
because it retained the MAC value previously sent and gets handed an
address which is still reserved. The easiest solution will be for the
client to offer the same MAC address each time so it doesn't cause this
problem. I haven't gotten around to this yet, but it shouldn't be too
difficult to add. I'll keep you posted.

-Matthew

-- Matthew, you exactly hit the nail: In the meantime, I found out that
really the FGT went out of DHCP-Leases and wasn't able to hand out more
leases to the Shrew-Clients (which are always the same) but seem to come
with a different MAC and so requesting a new IP from IPSEC-DHCP instead
of reclaiming the previous lease. Forticlient always comes with the same
MAC as you said, and subsequently gets the old lease. My workaround so
far is that I have set the lease time to one hour, which prevents the
DHCP pool from getting exhausted. So far this worked for me :) But if
there is not a specific reason for the Shrew client software to use a
different MAC for each connection attempt, and if you can change this
behavior, you should do it, because logically seen it would be clear to
me that a connection (or a virtual IPSEC interface) always uses the
same MAC. As far as I have seen it, every IPSEC client does use one and
the same MAC address (which is even configurable in some cases iirc) for
every connection because the MAC logically belongs to the interface and
not to the connection imho.

Regards
Uwe

Hi Uwe,

Please test this build. It should hand out the same IP address to the client each time ...

http://www.shrew.net/download/vpn/vpn-client-2.1.6-dhcpfix-1.exe

... if you can provide feedback quickly enough, I will roll the change into 2.1.6 for the release.

-Matthew
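
The pool behaviour discussed in this thread, as an added simulation that is not part of the original messages and not Shrew or Fortigate code: it compares a client that presents a new MAC per connection with one that presents a fixed MAC, and shows the one-hour lease workaround. The pool size, reconnect interval, week-long lease and the hash-based `stable_mac` derivation are assumptions made for the example.

```python
import hashlib

class LeasePool:
    """Toy DHCP-style pool: one lease per client MAC, expiring after lease_time."""

    def __init__(self, size, lease_time):
        self.size, self.lease_time = size, lease_time
        self.leases = {}  # mac -> (address index, expiry time)

    def request(self, mac, now):
        # Expired leases go back to the pool before allocation.
        self.leases = {m: l for m, l in self.leases.items() if l[1] > now}
        if mac in self.leases:
            addr = self.leases[mac][0]  # known MAC reclaims its previous address
        else:
            used = {l[0] for l in self.leases.values()}
            free = [i for i in range(self.size) if i not in used]
            if not free:
                return None  # pool exhausted: no lease for this client
            addr = free[0]
        self.leases[mac] = (addr, now + self.lease_time)
        return addr

def stable_mac(identity):
    """Assumed derivation: fixed locally administered unicast MAC per identity."""
    d = bytearray(hashlib.sha256(identity.encode()).digest()[:6])
    d[0] = (d[0] | 0x02) & 0xFE  # set the local bit, clear the multicast bit
    return ":".join(f"{b:02x}" for b in d)

def changing_mac(attempt):
    """Constructed stand-in for a client that presents a new MAC per connection."""
    return f"02:00:00:00:{attempt >> 8 & 0xFF:02x}:{attempt & 0xFF:02x}"

def failed_attempts(pool, mac_for_attempt, attempts=20, interval=600):
    """One client reconnects every `interval` seconds; count refused requests."""
    return sum(pool.request(mac_for_attempt(n), now=n * interval) is None
               for n in range(attempts))

WEEK, HOUR = 7 * 24 * 3600, 3600  # the week-long lease is an assumed default

if __name__ == "__main__":
    fixed = stable_mac("client-1")  # constructed identity
    print(failed_attempts(LeasePool(10, WEEK), changing_mac))     # 10
    print(failed_attempts(LeasePool(10, WEEK), lambda n: fixed))  # 0
    print(failed_attempts(LeasePool(10, HOUR), changing_mac))     # 0
```

With the short lease the changing-MAC client never holds more than six addresses at once at this reconnect rate, so the workaround only holds while reconnects stay slow relative to pool size and lease time.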