[Vpn-help] next bug- SA failed -release 2.1.0

Matthew Grooms mgrooms at shrew.net
Tue Jul 1 14:56:18 CDT 2008


Dietmar Papperitz wrote:
> Matthew,
> 
> sorry, i mean exactly:
> 
> setting Lifetime 60 sec = tunnel fails for 50 sec.
> setting lifetime for 3600 sec = tunnel fails for 50 min.
> 

Dietmar,

This makes perfect sense. The client is designed to stay connected 
indefinitely. For the connection to live past the lifetime of a single 
ISAKMP SA, it needs to renegotiate a replacement SA. It's obvious from 
the Lancom log, Shrew Soft log and the IKE packet dump output that the 
renegotiation is being initiated by the client but the Lancom device isn't 
responding. When a gateway encounters a problem with a peer's proposal 
that is serious enough to warrant discarding a packet with no response, 
it's customary for the log output to give some sort of explanation so the 
problem can be corrected. I'm not suggesting that the Lancom device is 
flawed, I'm just saying that we don't have very much information that 
can be used to fix the problem.

I had to make several modifications to the client to get renegotiation 
working during the 2.1.0 development cycle. Before that, a tunnel would 
always die after the phase1 SA expired. IKE implementations tend to be 
fickle. I am fortunate enough to have a lab with a half dozen commercial 
gateways to perform testing with. The Lancom is not the only device that 
is particular about the way it expects a re-negotiation to be formatted. 
In the Zywall case, it refuses to respond to negotiations that occur on 
port 4500 which is in direct opposition to what the RFC defines. Since I 
own a Zywall device, I was able to open a ticket with their support 
department. Hopefully this problem will be resolved on their end. But 
determining the exact cause of the problem required a LOT of trial and 
error because their log output is almost non-existent. Not having access 
to a Lancom device or helpful log output that describes the error you 
are seeing makes improving support very, very difficult.

To improve this situation, I would like to purchase a Lancom device to 
add to my lab. A large portion of our VPN client downloads actually come 
from Germany. I expect that the popularity of Lancom gateways is 
partially responsible for this. Unfortunately, the devices are not FCC 
compliant which makes it very difficult to obtain one from within the 
United States. I contacted their direct sales department but they claim 
that I need an EU VAT reseller ID to purchase one from within the US. 
Since Shrew Soft has no business presence inside the EU, I don't 
think I could obtain one even if I wanted to. Hopefully they will find a 
way around this so I can gain access to one sooner rather than later.

Until then, maybe you have some suggestions on how we can troubleshoot 
this. Obtaining more detailed output from the Lancom would hopefully help. 
Alternately, if you have support through that company you can try to 
open up a ticket with their support department. They may be able to 
provide insight as to why the re-negotiation problem occurs.

Thanks,

-Matthew
