[vpn-help] SonicWALL softlimit phase2 renewal problems

Alexis La Goutte alexis.lagoutte at gmail.com
Tue Jul 28 12:55:18 CDT 2015


On Thu, Jul 2, 2015 at 12:46 AM, Michael Schler <mailabo at blatten.com> wrote:

> Hello,
>
> I've set up a connection between a Windows 2012 R2 Server (40.40.40.40)
> using Shrew VPN Client (version 2.2.2) and a SonicWALL (and for tests
> also with a FortiGate) (50.50.50.50).
>
> The initial VPN tunnel comes up with either firewall.
> When the softlimit timeout for the phase2 is reached the VPN Client
> starts the renewal of phase2. With the SonicWALL this renewal shows two
> errors (!!:) towards its end. While the tunnel as such seems to fire up
> again it is not possible to reach the final destination server
> (10.10.10.10) behind the SonicWALL for some time (using Test-Connection
> i.e. pings). Only after the hardlimit timeout for phase2 is reached do the
> pings go through again.
>
> The identical setup (VPN Client wise) with a FortiGate does not have
> this problem. Here the phase2 renewal produces no errors and the
> destination server can be reached by pings at all times.
>
> Shrew VPN Client setup
>
> n:version:4
> n:network-ike-port:500
> n:network-mtu-size:1380
> n:client-addr-auto:0
> n:network-natt-port:4500
> n:network-natt-rate:15
> n:network-frag-size:540
> n:network-dpd-enable:1
> n:client-banner-enable:0
> n:network-notify-enable:1
> n:client-dns-used:0
> n:client-dns-auto:0
> n:client-dns-suffix-auto:0
> n:client-splitdns-used:0
> n:client-splitdns-auto:0
> n:client-wins-used:0
> n:client-wins-auto:1
> n:phase1-dhgroup:5
> n:phase1-life-secs:28800
> n:phase1-life-kbytes:0
> n:vendor-chkpt-enable:0
> n:phase2-life-secs:1800
> n:phase2-life-kbytes:0
> n:policy-nailed:1
> n:policy-list-auto:0
> s:network-host:40.40.40.40
> s:client-auto-mode:disabled
> s:client-iface:virtual
> s:client-ip-addr:192.168.1.1
> s:client-ip-mask:255.255.255.255
> s:network-natt-mode:enable
> s:network-frag-mode:enable
> s:auth-method:mutual-psk
> s:ident-client-type:address
> s:ident-server-type:address
> b:auth-mutual-psk:(secret)
> s:phase1-exchange:aggressive
> s:phase1-cipher:3des
> s:phase1-hash:sha1
> s:phase2-transform:esp-3des
> s:phase2-hmac:sha1
> s:ipcomp-transform:disabled
> n:phase2-pfsgroup:5
> s:policy-level:require
> s:policy-list-include:50.50.50.50 / 255.255.255.255,10.10.10.10 /
> 255.255.255.255
>
> Connection with the SonicWALL phase 2 renewal last part (VPN Client log)
> <- :    recv IKE packet 50.50.50.50:500 -> 40.40.40.40:500 ( 76 bytes )
> DB :    phase1 found
> ii :    processing informational packet ( 76 bytes )
> == :    new informational iv ( 8 bytes )
> =< :    cookies 915d9ca44709a15b:e77b80b9c572d32d
> =< :    message 552fc103
> =< :    decrypt iv ( 8 bytes )
> == :    decrypt packet ( 76 bytes )
> <= :    trimmed packet padding ( 4 bytes )
> <= :    stored iv ( 8 bytes )
> << :    hash payload
> << :    delete payload
> !! :    unprocessed payload data !!!
> == :    informational hash_i ( computed ) ( 20 bytes )
> == :    informational hash_c ( received ) ( 20 bytes )
> !! :    informational hash verification failed
> ii :    received peer DELETE message
> ii :    - 50.50.50.50:500 -> 40.40.40.40:500
> ii :    - ipsec-esp spi = 0x5347bf9c
> no further entries until a few minutes later
> ii :    phase2 sa is dead
> ii :    phase2 removal after expire time
> DB :    phase2 deleted ( obj count = 1 )
>
> Connection with the SonicWALL phase 2 renewal last part (VPN Client log)
> <- :    recv IKE packet 50.50.50.50:500 -> 40.40.40.40:500 ( 76 bytes )
> DB :    phase1 found
> ii :    processing informational packet ( 76 bytes )
> == :    new informational iv ( 8 bytes )
> =< :    cookies 30319e5309693dd8:33dfc550c179a81b
> =< :    message 2db6a00f
> =< :    decrypt iv ( 8 bytes )
> == :    decrypt packet ( 76 bytes )
> <= :    trimmed packet padding ( 8 bytes )
> <= :    stored iv ( 8 bytes )
> << :    hash payload
> << :    delete payload
> == :    informational hash_i ( computed ) ( 20 bytes )
> == :    informational hash_c ( received ) ( 20 bytes )
> ii :    informational hash verified
> ii :    received peer DELETE message
> ii :    - 50.50.50.50:500 -> 40.40.40.40:500
> ii :    - ipsec-esp spi = 0xb9b142e9
> DB :    phase2 found
> DB :    cleanup, marked phase2 0xb9b142e9 for removal
> DB :    phase2 hard event canceled ( ref count = 1 )
> K> :    send pfkey DELETE ESP message
> K< :    recv pfkey DELETE ESP message
> K> :    send pfkey DELETE ESP message
> K< :    recv pfkey DELETE ESP message
> ii :    phase2 removal before expire time
> DB :    phase2 deleted ( obj count = 1 )
>
> Does anyone have an idea why the phase2 renewal with the SonicWALL produces the
> !! : unprocessed payload data !!!
> !! : informational hash verification failed
> errors?
> Even with the log level set to "loud" I could see nothing in the logs about why
> the pings don't go through for some minutes and afterwards go through
> again.
>
> Thank you!
>
Hi Michael,

Can you enable debug and attach the report to this mail?
https://www.shrew.net/support/VPN_Bug_Report_Windows

Regards,
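
The two client logs above both show a 76-byte decrypted informational packet carrying a HASH payload (20-byte SHA-1 output) and a DELETE for one ESP SPI; the difference is that the working exchange trims 8 bytes of cipher padding and the failing one trims only 4. With the standard sizes (28-byte ISAKMP header, 24-byte HASH payload, 16-byte DELETE payload for a single 4-byte SPI) that leaves 8 bytes of padding, so trimming 4 leaves 4 bytes after the last payload. The following Python script is an added illustration of that arithmetic, not code from the thread or from the Shrew VPN Client: it constructs such a packet (cookies, hash bytes, message id and SPI are made-up placeholders), walks the payload chain the way an IKEv1 receiver does, and reports how many bytes are left over for a given amount of trimmed padding. Whether the SonicWALL actually pads this way is an inference from the byte counts in the log, not something the thread confirms.

```python
import struct

ISAKMP_HDR_LEN = 28        # fixed ISAKMP header, RFC 2408 section 3.1
PAYLOAD_HASH = 8
PAYLOAD_DELETE = 12
PAYLOAD_NAMES = {PAYLOAD_HASH: "HASH", PAYLOAD_DELETE: "DELETE"}


def build_informational_delete(spi, padding_len, message_id=0x01020304):
    """Construct a decrypted IKEv1 informational packet carrying HASH(1) and
    a DELETE for one ESP SPI, followed by `padding_len` bytes of cipher
    padding.  All field values are constructed, not taken from the thread."""
    # HASH payload: generic header (next=DELETE, reserved, length) + 20-byte SHA-1 output
    hash_payload = struct.pack("!BBH", PAYLOAD_DELETE, 0, 4 + 20) + b"\x11" * 20
    # DELETE payload: next=NONE, reserved, length 16, DOI 1 (IPsec),
    # protocol 3 (ESP), SPI size 4, one SPI, then the SPI itself
    delete_payload = struct.pack("!BBHIBBH", 0, 0, 16, 1, 3, 4, 1) + struct.pack("!I", spi)
    body = hash_payload + delete_payload + b"\x00" * padding_len
    # header: constructed cookies, first payload HASH, version 1.0,
    # exchange type 5 (Informational), flags 0x01 (Encrypted), message id, length
    header = (bytes.fromhex("0001020304050607") + bytes.fromhex("08090a0b0c0d0e0f")
              + struct.pack("!BBBBII", PAYLOAD_HASH, 0x10, 5, 0x01, message_id,
                            ISAKMP_HDR_LEN + len(body)))
    return header + body


def parse_payload_chain(body, first_payload):
    """Walk generic payload headers until next-payload 0; return the parsed
    payloads and whatever bytes remain after the last one."""
    payloads, off, ptype = [], 0, first_payload
    while ptype != 0:
        if off + 4 > len(body):
            raise ValueError("truncated generic payload header")
        next_p, _reserved, length = struct.unpack("!BBH", body[off:off + 4])
        if length < 4 or off + length > len(body):
            raise ValueError("payload length %d runs past the data" % length)
        payloads.append((PAYLOAD_NAMES.get(ptype, str(ptype)), body[off + 4:off + length]))
        off, ptype = off + length, next_p
    return payloads, body[off:]


def check_informational(packet, trimmed_padding):
    """Model the client's processing: drop `trimmed_padding` bytes from the
    end of the decrypted packet, then walk the payloads after the header.
    Returns (payload names, number of leftover bytes); a non-zero leftover is
    the condition the log reports as 'unprocessed payload data'."""
    first_payload = packet[16]          # next-payload field follows the two cookies
    body = packet[ISAKMP_HDR_LEN:len(packet) - trimmed_padding]
    payloads, leftover = parse_payload_chain(body, first_payload)
    return [name for name, _ in payloads], len(leftover)


if __name__ == "__main__":
    pkt = build_informational_delete(spi=0xDEADBEEF, padding_len=8)
    print("packet length:", len(pkt))                    # 76, as in both logs
    print("trim 8 bytes:", check_informational(pkt, 8))  # (['HASH', 'DELETE'], 0)
    print("trim 4 bytes:", check_informational(pkt, 4))  # (['HASH', 'DELETE'], 4)
```

The hash check that fails right after the "unprocessed payload data" line is HASH(1) = prf(SKEYID_a, M-ID | D) per RFC 2409 section 5.7, computed by the receiver over the bytes it treats as payload data after the HASH payload; stray bytes in that region are one way the computed and received values can diverge even when the key and message id are correct, which is why the leftover count is the first thing worth looking at in a "loud" trace.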

