[vpn-devel] Bug: IKE faults (SA established but no packet flow) after connecting, stopping, and reconnecting following PC sleep
Idon
fehe at hotmail.com
Sun Dec 23 14:23:09 CST 2012
Problem:
The IKE faults (service remains started and VPN connectivity succeeds
but packet flow through tunnel fails) and requires a restart after the
following conditions: (1) you establish an SA (packet flow through
tunnel is successful); (2) put the computer to sleep; (3) wake the PC
some minutes later; (4) reestablish SA (packet flow through tunnel still
successful); (5) disconnect VPN; (6) reestablish SA (at this point
packet flow fails). At this point stopping the IKE service also takes a
long time and VPN Trace Utility becomes unresponsive.
I have included my VPN client configuration in the attached debug.zip
archive -- with certain information changed for obvious security reasons:
To Reproduce:
NOTE 1: You need physical hardware, as you need to be able to put the
computer to sleep.
NOTE 2: In my configuration, both VPN endpoints sit behind routers
performing NAT.
1. Establish a VPN connection and make sure you're able to ping a host
on the remote network
2. Put the PC to sleep
3. Wait a few minutes
4. Wake the PC
5. Reestablish the VPN connection and make sure you can still ping the
remote host
6. Click "Disconnect" to terminate the VPN connection
7. Reestablish the VPN connection
8. Try to ping the remote host again. This should fail
9. Open the VPN Trace Utility; click the IKE Service tab; click the
"Stop" button
10. Notice that it takes a long time to stop and during that time, the
VPN Trace Utility becomes unresponsive
11. Once the service has finally stopped, click "Start"
12. Now reestablish the VPN connection
13. You should now be able to successfully ping the remote host
VPN Client Version = 2.1.0 RC2
Windows OS Version = Windows 8 Pro 64-bit (but has been experienced with
Windows 7 Pro 64-bit and XP 32-bit)
Gateway Make/Model = PC Engines alix2d3
Gateway OS Version = pfSense 2.0.1 (i386) - nanobsd (512mb)
NOTE 3: I believe this bug exists in the VPN client builds as old as 2.1.7
The IKE debug log does not show anything obvious, which is not
surprising, as this appears to be an internal application bug;
nevertheless, I am attaching the log files for completeness.
P.S. If you would like access to a VPN account to assist with
troubleshooting, I can provide one (but probably not before December 27
or 28, as I would need to set up a standalone environment and I may not
have physical access to the hardware before then).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug.zip
Type: application/x-zip-compressed
Size: 32389 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-devel/attachments/20121223/13517c35/attachment-0002.bin>