On 9/22/2010 7:10 PM, Leblanc, Guy (IT) wrote:
I am not a VPN expert so I read forums and apply instructions. I found
that the only way for me to get rid of the "session terminated by
gateway" issue was to disable my Windows 7 (64 bits) firewall in
addition to setting Phase-2 PFS=2 as recommended. (Windows firewall
issued no warning that it had blocked anything Shrew, though, even if
the notification option was checked). Once the Windows firewall has been
disabled on my domain connection with my head office, the tunnel remains
stable over my Linksys WRT-610N WIFI broadband home router/gateway (with
its own firewall active, btw).

I have now installed Shrew version 2.1.7 beta but I still have to
disable the Windows firewall to eliminate the error. Is there a
workaround to this? Much has been written regarding interference from
some specific router firewalls but after reading many forums, I seem to
be the only one having to disable their Windows firewall. Does anybody have an idea?


This is an interesting issue. I believe the Windows firewall has been implemented as a Windows Filtering Platform driver which is higher in the NDIS stack than the Shrew Soft LWF driver. In other words, this shouldn't cause any packets sent during IKE negotiations to be blocked by the filter. My guess is that the client didn't negotiate an initial IPsec SA after the connection had been established. A Cisco gateway will terminate the connection unless this occurs. Disabling the Windows FW may have allowed packets to traverse the tunnel (DNS or something similar) which allowed the IPsec SA to be established and the tunnel to remain active.

I would suggest you try to install the latest 2.1.7 RC and see if that makes any difference. Michael Kenny submitted a patch (which has been committed) that fixes a bug related to the initial SA negotiation which may resolve your issue. If that doesn't help, try starting a ping to an IP address on the distant side of the tunnel, and then try the connection. If the ping starts to respond after you connect and the connection remains stable, please let me know. There may be something else we can do to improve the situation.

-Matthew
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
