[Vpn-help] next bug- SA failed -release 2.1.0
Matthew Grooms
mgrooms at shrew.net
Tue Jul 1 14:56:18 CDT 2008
Dietmar Papperitz wrote:
> Matthew,
>
> sorry, I mean exactly:
>
> setting Lifetime 60 sec = tunnel fails for 50 sec.
> setting lifetime for 3600 sec = tunnel fails for 50 min.
>
Dietmar,
This makes perfect sense. The client is designed to stay connected
indefinitely. For the connection to live past the lifetime of a single
ISAKMP SA, it needs to renegotiate a replacement SA. It's obvious from
the Lancom log, Shrew Soft log and the IKE packet dump output that the
renegotiation is being initiated by the client but the Lancom device isn't
responding. When a gateway encounters a problem with a peer's proposal
that is serious enough to warrant discarding a packet with no response,
it's customary for the log output to give some sort of explanation so the
problem can be corrected. I'm not suggesting that the Lancom device is
flawed, I'm just saying that we don't have very much information that
can be used to fix the problem.
I had to make several modifications to the client to get renegotiation
working during the 2.1.0 development cycle. Before that, a tunnel would
always die after the phase1 SA expired. IKE implementations tend to be
fickle. I am fortunate enough to have a lab with a half dozen commercial
gateways to perform testing with. The Lancom is not the only device that
is particular about the way it expects a re-negotiation to be formatted.
In the Zywall case, it refuses to respond to negotiations that occur on
port 4500 which is in direct opposition to what the RFC defines. Since I
own a Zywall device, I was able to open a ticket with their support
department. Hopefully this problem will be resolved on their end. But
determining the exact cause of the problem required a LOT of trial and
error because their log output is almost non-existent. Not having access
to a Lancom device or helpful log output that describes the error you
are seeing makes improving support very, very difficult.
To improve this situation, I would like to purchase a Lancom device to
add to my lab. A large portion of our VPN client downloads actually come
from Germany. I expect that the popularity of Lancom gateways is
partially responsible for this. Unfortunately, the devices are not FCC
compliant which makes it very difficult to obtain one from within the
United States. I contacted their direct sales department but they claim
that I need an EU VAT reseller ID to purchase one from within the US.
Since Shrew Soft has no business presence inside the EU, I don't
think I could obtain one even if I wanted to. Hopefully they will find a
way around this so I can gain access to one sooner rather than later.
Until then, maybe you have some suggestions on how we can troubleshoot
this. Obtaining more detailed output from the Lancom would hopefully help.
Alternately, if you have support through that company, you can try to
open a ticket with their support department. They may be able to offer
insight as to why the re-negotiation problem occurs.
Thanks,
-Matthew