<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.4630.0">
<TITLE>FW: VPN works, but you can't eBay ;-)</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P><FONT SIZE=2 FACE="Arial">Hi all,</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">I've a very strange problem here.</FONT>
<BR><FONT SIZE=2 FACE="Arial">We're using the latest 2.3.0-2 Debian package for Openswan, together with the Debian 2.6.11 kernel.</FONT>
<BR><FONT SIZE=2 FACE="Arial">Only roadwarriors, all using X.509 certificates.</FONT>
<BR><FONT SIZE=2 FACE="Arial">The clients are WinXP (most of them SP2) boxes with SafeNet 8.0.2.</FONT>
<BR><FONT SIZE=2 FACE="Arial">Everyone can connect, the authentication is properly done by the Openswan box using the certificates, the IDs are set up using the DN, and life should have been a wonderful thing to live… BUT…</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Some users can't browse some sites. Example: several of them can't browse to eBay (a few more sites affected ;-)</FONT>
<BR><FONT SIZE=2 FACE="Arial">I can't spot any obvious differences in the client setup at the machine level (but of course the machines are not 100% clones of each other), and for sure their configuration files for SafeNet are the same, except for the certificate.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">MTU set to 1300-1400 on all machines (also verified with Ethereal that the overhead is less than 30 bytes), DNS working properly.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">The output of ipsec auto --status showed some lines like these at the end:</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">{web address}/32:0 -> {roadwarrior address}/32:0 => %hold:1 0 %acquire-netlink</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">After some investigation I came on the following post in the Openswan dev mailing list:</FONT>
</P>
<P><A HREF="http://lists.openswan.org/pipermail/dev/2004-July/000495.html"><U><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">http://lists.openswan.org/pipermail/dev/2004-July/000495.html</FONT></U></A>
</P>
<P><FONT SIZE=2 FACE="Arial">So I ensured:</FONT>
<BR><FONT SIZE=2 FACE="Arial">A) I'm using auto=add instead of auto=start</FONT>
<BR><FONT SIZE=2 FACE="Arial">B) My kernel already incorporates the patch mentioned there (it is already present in Debian's 2.6.11)</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">It SEEMS that I don't have lines like the above anymore, but OTOH ipsec was restarted a short while ago…</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">AND I still have the problem for some users…</FONT>
<BR><FONT SIZE=2 FACE="Arial">Setting plutodebug=all showed information about the roadwarrior starting a second, Quick Mode tunnel, even after the Main Mode one was in place. This is exactly what's causing the failure to browse some sites.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">The strange thing is that some other roadwarriors can browse these same sites with no problem at all…</FONT>
<BR><FONT SIZE=2 FACE="Arial">I know that all the evidence points to the WinXP boxes, but at the moment I can only ensure that they use the same version of SafeNet and the configuration file used is the same (except for the certificate) for all clients.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Any ideas, hints, friendship from people who experienced the same problem, etc., are welcome!</FONT>
<BR><FONT SIZE=2 FACE="Arial">Thank you in advance.</FONT>
<BR><FONT SIZE=2 FACE="Arial">Regards,</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Miguel</FONT>
</P>
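<P><FONT SIZE=2 FACE="Arial">The %hold line quoted in the mail is the one concrete artefact in the post, and it is easier to reason about once parsed than eyeballed in a long status dump. What follows is an added example, not code from the mail or from Openswan: a Python script that picks the bare-shunt lines out of <TT>ipsec auto --status</TT> output, groups the held remote hosts by the /32 on the right-hand side (the roadwarrior, following the orientation of the quoted line), and compares two snapshots taken some time apart so that holds which survive a restart or a few minutes stand out from transient ones that clear on their own. The field layout (<TT>src/len:port -> dst/len:port => %shunt:serial count reason</TT>), the optional <TT>000 </TT> whack prefix, the meaning of the trailing number as a packet count, and the sample status text using RFC 5737 documentation addresses are all assumptions constructed for this example.</FONT></P>

```python
"""Find bare-shunt (%hold) eroutes in `ipsec auto --status` output.

Added example for the mail above; not code from the post or from Openswan.
Assumed line layout, taken from the one line quoted in the mail:

    [000 ]src/len:port -> dst/len:port => %shunt[:serial] [count] [reason]
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SHUNT_RE = re.compile(
    r"^(?:\d{3}\s+)?"                                   # optional whack "000 " prefix
    r"(?P<src>\d+(?:\.\d+){3})/(?P<srclen>\d+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+(?:\.\d+){3})/(?P<dstlen>\d+):(?P<dport>\d+)\s*=>\s*"
    r"(?P<shunt>%[a-z]+)(?::(?P<serial>\d+))?"        # %hold, %pass, %drop, ...
    r"(?:\s+(?P<count>\d+))?"                           # packet count (assumed meaning)
    r"(?:\s+(?P<reason>%\S+))?\s*$"                     # e.g. %acquire-netlink
)


@dataclass(frozen=True)
class Shunt:
    src: str
    srclen: int
    sport: int
    dst: str
    dstlen: int
    dport: int
    shunt: str
    serial: Optional[int]
    count: Optional[int]
    reason: Optional[str]


def parse_shunts(status_text: str) -> List[Shunt]:
    """Return every shunt line found in the status output, in order; other lines are skipped."""
    found: List[Shunt] = []
    for line in status_text.splitlines():
        m = SHUNT_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        found.append(Shunt(
            src=g["src"], srclen=int(g["srclen"]), sport=int(g["sport"]),
            dst=g["dst"], dstlen=int(g["dstlen"]), dport=int(g["dport"]),
            shunt=g["shunt"],
            serial=int(g["serial"]) if g["serial"] is not None else None,
            count=int(g["count"]) if g["count"] is not None else None,
            reason=g["reason"],
        ))
    return found


def held_by_roadwarrior(status_text: str) -> Dict[str, List[str]]:
    """Group %hold entries by the right-hand /32 (the roadwarrior in the quoted line).

    The value is the sorted list of remote hosts whose traffic towards that
    roadwarrior is sitting in %hold, i.e. the sites that client cannot reach now.
    """
    groups: Dict[str, List[str]] = {}
    for s in parse_shunts(status_text):
        if s.shunt == "%hold":
            groups.setdefault(s.dst, []).append(s.src)
    return {rw: sorted(set(hosts)) for rw, hosts in groups.items()}


def persistent_holds(status_before: str, status_after: str) -> Set[Tuple[str, str]]:
    """(src, dst) pairs in %hold in both snapshots: holds that did not clear in between."""
    def keys(text: str) -> Set[Tuple[str, str]]:
        return {(s.src, s.dst) for s in parse_shunts(text) if s.shunt == "%hold"}
    return keys(status_before) & keys(status_after)


# Constructed sample output (RFC 5737 documentation addresses), not a real capture.
STATUS_T0 = """\
000 interface eth0/eth0 192.0.2.1
000 "roadwarrior"[1] 203.0.113.5: erouted
000 198.51.100.7/32:0 -> 203.0.113.5/32:0 => %hold:1 0 %acquire-netlink
000 198.51.100.8/32:0 -> 203.0.113.5/32:0 => %hold:1 0 %acquire-netlink
000 198.51.100.7/32:0 -> 203.0.113.9/32:0 => %hold:1 0 %acquire-netlink
"""

# Same gateway a few minutes later: one hold cleared, one new one appeared.
STATUS_T1 = """\
000 interface eth0/eth0 192.0.2.1
000 198.51.100.7/32:0 -> 203.0.113.5/32:0 => %hold:1 0 %acquire-netlink
000 198.51.100.7/32:0 -> 203.0.113.9/32:0 => %hold:1 0 %acquire-netlink
000 198.51.100.20/32:0 -> 203.0.113.5/32:0 => %hold:1 0 %acquire-netlink
"""

if __name__ == "__main__":
    for rw, hosts in sorted(held_by_roadwarrior(STATUS_T0).items()):
        print(f"{rw}: traffic from {', '.join(hosts)} is in %hold")
    print("persistent across snapshots:", sorted(persistent_holds(STATUS_T0, STATUS_T1)))
```

<P><FONT SIZE=2 FACE="Arial">In practice you would save <TT>ipsec auto --status</TT> to a file, wait a few minutes (or until a user reports a site as unreachable again), save it a second time, and feed both files to <TT>persistent_holds</TT>; a pair that shows up in both snapshots for the same roadwarrior is a hold that is not being replaced by a real eroute, which is a much stronger signal than a single status dump taken shortly after a restart.</FONT></P>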
</body>
</HTML>