[vpn-devel] Bug: IKE faults (SA established but no packet flow) after connecting, stopping, and reconnecting following PC sleep

Idon fehe at hotmail.com
Sun Dec 23 14:23:09 CST 2012


Problem:

The IKE faults (service remains started and VPN connectivity succeeds 
but packet flow through tunnel fails) and requires a restart after the 
following conditions: (1) you establish an SA (packet flow through 
tunnel is successful); (2) put the computer to sleep; (3) wake the PC 
some minutes later; (4) reestablish SA (packet flow through tunnel still 
successful); (5) Disconnect VPN; (6) reestablish SA (at this point 
packet flow fails).  At this point stopping the IKE service also takes a 
long time and VPN Trace Utility becomes unresponsive.

I have included my VPN client configuration in the attached debug.zip 
archive -- with certain information changed for obvious security reasons.

To Reproduce:

NOTE 1: You need physical hardware, as you need to be able to put the 
computer to sleep.
NOTE 2: In my configuration, both VPN endpoints sit behind routers 
performing NAT.

1. Establish a VPN connection and make sure you're able to ping a host 
on the remote network
2. Put the PC to sleep
3. Wait a few minutes
4. Wake the PC
5. Reestablish the VPN connection and make sure you can still ping the 
remote host
6. Click "Disconnect" to terminate the VPN connection
7. Reestablish the VPN connection
8. Try to ping the remote host again.  This should fail
9. Open the VPN Trace Utility; click the IKE Service tab; click the 
"Stop" button
10. Notice that it takes a long time to stop and during that time, the 
VPN Trace Utility becomes unresponsive
11. Once the service has finally stopped, click "Start"
12. Now reestablish the VPN connection
13. You should now be able to successfully ping the remote host

VPN Client Version = 2.1.0 RC2
Windows OS Version = Windows 8 Pro 64-bit (but has been experienced with 
Windows 7 Pro 64-bit and XP 32-bit)
Gateway Make/Model = PC Engines alix2d3
Gateway OS Version = pfSense 2.0.1 (i386) - nanobsd (512mb)

NOTE 3: I believe this bug exists in the VPN client builds as old as 2.1.7

The IKE debug log does not show anything obvious, which is not 
surprising, as this appears to be an internal application bug; 
nevertheless, I am attaching the log files for completeness.

P.S. If you would like access to a VPN account to assist with 
troubleshooting, I can provide one (but probably not before December 27 
or 28, as I would need to set up a standalone environment and I may not 
have physical access to the hardware before then).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug.zip
Type: application/x-zip-compressed
Size: 32389 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-devel/attachments/20121223/13517c35/attachment-0002.bin>

