[Openswan Users] FW: VPN works, but you can't eBay ;-)

Miguel Dilaj mdilaj at nccglobal.com
Mon May 16 17:07:49 CEST 2005


> Hi all,
> 
> I've a very strange problem here.
> We're using latest 2.3.0-2 Debian package for Openswan, together with
> Debian kernel 2.6.11.
> Only roadwarriors, all using X.509 certificates.
> The clients are WinXP (most of them SP2) boxes with SafeNet 8.0.2.
> Everyone can connect, the authentication is properly done using the
> certificates by the Openswan box, the IDs are set up using the DN, and life
> should have been a wonderful thing to live. BUT.
> Some users can't browse some sites. Example: several of them can't browse
> to eBay (a few more sites affected ;-)
> I can't spot any obvious differences in the client setup at the machine
> level (but of course the machines are not 100% clones of each other), and
> for sure their configuration files for SafeNet are the same, except for
> the certificate.
> MTU set to 1300-1400 in all machines (also verified with Ethereal that the
> overhead is less than 30 bytes), DNS working properly.
> The output of ipsec auto --status showed some lines like these at the end:
> 
> {web address}/32:0 -> {roadwarrior address}/32:0 => %hold:1 0 %acquire-netlink
> 
> After some investigation I came across the following post in the Openswan dev
> mailing list:
> 
> http://lists.openswan.org/pipermail/dev/2004-July/000495.html
> 
> So I ensured:
> A) I'm using auto=add instead of auto=start
> B) My kernel has the patch mentioned already incorporated (it is already
> present in Debian's 2.6.11)
> 
> It SEEMS that I don't have lines like the above anymore, but OTOH ipsec
> was restarted a short while ago.
> 
> AND I still have the problem for some users.
> Setting plutodebug=all showed information about the roadwarrior starting a
> second, Quick Mode tunnel, even after the Main Mode one is in place.
> This is exactly what's causing the failure to browse some sites.
> The strange thing is that some other roadwarriors can browse these same
> sites with no problem at all.
> I know that all the evidence points to the WinXP boxes, but at the moment
> I can only ensure that they use the same version of SafeNet and the
> configuration file used is the same (except for the certificate) for all
> clients.
> 
> Any ideas, hints, friendship from people who experienced the same problem,
> etc., are welcome!
> Thank you in advance.
> Regards,
> 
> Miguel
> 
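The `%hold ... %acquire-netlink` entries at the end of `ipsec auto --status` are the concrete symptom the post describes: the kernel has asked Pluto to negotiate an SA for that selector and traffic matching it is held until one comes up, so a `%hold` that persists towards a roadwarrior address means a negotiation that never completed. The following is an added example, not code from the post or from the Openswan project, that parses the trailing eroute lines of the status output and groups the stuck `%hold` selectors by peer address so you can see which roadwarriors are affected and for which destinations. The line shape (`<src>/<bits>:<port> -> <dst>/<bits>:<port> => <target> [flags]`, optionally prefixed by Openswan's `000 ` status marker) is assumed from the excerpt quoted above; the addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of trailing eroute lines from `ipsec auto --status`.
# The third entry is deliberately wrapped onto two lines, the way the
# quoted excerpt in the post appears in the mail archive.
SAMPLE_STATUS = """\
000 10.20.0.0/16:0 -> 192.0.2.10/32:0 => tun0x1003@203.0.113.5:0
000 198.51.100.7/32:0 -> 192.0.2.10/32:0 => %hold:1 0 %acquire-netlink
000 198.51.100.8/32:0 -> 192.0.2.10/32:0 => %hold:1 0
%acquire-netlink
000 198.51.100.9/32:0 -> 192.0.2.11/32:0 => %trap:1 0
"""

# Assumed eroute line format (from the excerpt in the post):
#   [000 ]<src>/<bits>:<port> -> <dst>/<bits>:<port> => <target> [<flags>...]
EROUTE_RE = re.compile(
    r"^(?:\d{3}\s+)?"
    r"(?P<src>[0-9a-fA-F.:]+)/(?P<src_bits>\d+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst>[0-9a-fA-F.:]+)/(?P<dst_bits>\d+):(?P<dst_port>\d+)\s+=>\s+"
    r"(?P<target>\S+)(?P<rest>.*)$"
)


def parse_eroutes(text):
    """Return one dict per eroute line; fold wrapped '%...' flag lines into the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = EROUTE_RE.match(line)
        if m:
            d = m.groupdict()
            d["flags"] = d.pop("rest").split()
            # Targets beginning with '%' are shunts (%hold, %trap, %pass, ...), not real SAs.
            d["is_shunt"] = d["target"].startswith("%")
            entries.append(d)
        elif line.startswith("%") and entries:
            # A bare flag on its own line is a wrapped continuation of the last entry.
            entries[-1]["flags"].append(line)
        # Anything else (summary lines, blank lines) is not an eroute and is skipped.
    return entries


def held_by_peer(text):
    """Map each destination (roadwarrior) address to the source selectors stuck in %hold."""
    held = defaultdict(list)
    for e in parse_eroutes(text):
        if e["target"].startswith("%hold"):
            held[e["dst"]].append(f'{e["src"]}/{e["src_bits"]}')
    return dict(held)


def report(text):
    """Human-readable summary lines, one per affected peer, sorted by peer address."""
    return [
        f"{peer}: {len(srcs)} held selector(s): {', '.join(srcs)}"
        for peer, srcs in sorted(held_by_peer(text).items())
    ]


if __name__ == "__main__":
    # Usage: ipsec auto --status | python this_script.py   (reads stdin if given)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for line in report(data):
        print(line)
```

Run it against the live output (`ipsec auto --status | python this_script.py`) shortly after a user reports the problem and again a minute later; a `%hold` that survives across both runs for the same peer is the stuck negotiation the post is chasing, while entries that disappear between runs were just SAs still being set up. The `%trap` entries are the normal "negotiate on first packet" shunts and are not reported.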

