NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Remote Client Full Tunnel VPN with SRX5308 and Shrew Soft - Some Websites Don't Load
Hi everyone,
I've really been scratching my head on this one. Any help would be greatly appreciated.
Remote users need to access remote servers through the office, which is whitelisted for access. Since the remote servers are dynamic IPs (AWS), I'm trying to send all remote traffic through the office while we investiage better solutions. SSL VPN is not an option due to compatibility issues with modern browsers and OSes.
I have configured an IPSEC VPN for remote users. It connects, but only some websites load. Others will time out. DNS does not seem to be the issue, as a ping will resolve the IP (and some sites load). I thought it might be related to fragmentation, but my tests (ping with different packet sizes) indicate the MTU should be 1500.
Shrew Soft Client --VPN--> Office --Whitelist--> Remote Servers
Info
- VPN policy Local IP: Any
- Shrew Soft Client: Policy - Obtain Topology Automatically or Tunnel All
Testing/Troubleshooting
- Mode Config
- Connects, but local traffic only.
- IP Ranges of Servers
- I backtracked the ranges the servers could use, but it was the same results as tunneling all (page times out)
- Netgear VPN client
- Internet traffic didn't flow when I tried to set the range for the entire Internet (if I remember correctly).
- L2TP (MSCHAPv2) with built-in Windows 10 client
- PSK, but blank
- Computers that have previously been on the internal network behind the SRX5308 will connect.
- Computers that have not been on the internal network behind the SRX5308 get an error
- "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."
- Error 789 in event logs
- "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."
- Certifcate
- Did some research, but it seemed complicated. Will likely research further.
- PSK, but blank
I know I'm close, since some websites do load when connected. I'm leaning towards it still being a fragmentation/MTU issue, but I can only change that in Shrew Soft with using Mode Config. I have not tested changing the MTU on the SRX5308 yet.
This is the first time I've attempted a full tunnel this way. I'm open to any suggestions for getting this working, except for PPTP due to security concerns and SSL due to compatibility.
Thanks in advance!
Dropping the computer's MTU down to 1380 resolved this. I ended up going back up to about 1400. Might be able to go a little higher, but the sites I needed to load were fine at 1400.
https://support.zen.co.uk/kb/Knowledgebase/Changing-the-MTU-size-in-Windows-Vista-7-or-8
2 Replies
Dropping the computer's MTU down to 1380 resolved this. I ended up going back up to about 1400. Might be able to go a little higher, but the sites I needed to load were fine at 1400.
https://support.zen.co.uk/kb/Knowledgebase/Changing-the-MTU-size-in-Windows-Vista-7-or-8
Hi MattMS,
Thanks for sharing the solution you did to resolve the problem. :)
I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!
Regards,DaneA
NETGEAR Community Team
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
