[Vpn-help] Zywall Rekey issues with NAT-T

Matthew Grooms mgrooms at shrew.net
Sat Jun 7 15:33:24 CDT 2008


All,

I just noticed a problem with Zywall devices so I thought I would post 
this information to the list. When the client communicates with a Zywall 
device, ISAKMP rekey will fail if NAT-T is enabled. The client follows 
RFC3947 by initiating a rekey on port 4500. The Zywall responds to the 
rekey attempt using port 500. Here is a snippet from the RFC ...

    Similarly, if the responder has to rekey the Phase 1 SA, then the
    rekey negotiation MUST be started by using UDP(4500,Y).  Any
    implementation that supports NAT traversal MUST support negotiations
    that begin on port 4500.  If a negotiation starts on port 4500, then
    it doesn't need to change anywhere else in the exchange.

By responding on a different port than the initiator, the firewall state 
will have timed out between rekey attempts. This means the ISAKMP 
response sent from the Zywall will never reach the initiator (client).

I just opened a ticket with Zywall. Hopefully they assign an engineer to 
this ticket and get it resolved. In the near term, you will need to 
disable NAT-T if you want the tunnel to live longer than the Phase 1 
lifetime.

Thanks,

-Matthew
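To make the failure mode described above concrete, here is an added example (my own, not code from the list, from Shrew Soft or from the Zywall vendor) that replays a constructed trace through a simulated stateful firewall and flags a Phase 1 rekey that was begun on UDP 4500 but answered from port 500. The addresses, cookies and the 120 s UDP idle timeout are assumptions.

```python
from dataclasses import dataclass

NAT_T_PORT = 4500
IDLE_TIMEOUT = 120  # assumed UDP idle timeout of the stateful firewall, in seconds

@dataclass
class Pkt:
    t: float        # seconds since the start of the constructed trace
    src: str
    sport: int
    dst: str
    dport: int
    icookie: str    # ISAKMP initiator cookie; a new cookie marks a new Phase 1 SA

def replay(packets, client):
    """Replay datagrams through a simulated stateful firewall in front of `client`.

    Outbound packets create or refresh state keyed on the 4-tuple; inbound packets
    are delivered only if the mirrored 4-tuple has state that has not idled out.
    Address rewriting is omitted; only the state-table behaviour is modelled.
    Returns (delivered, findings), where findings describe RFC 3947 violations.
    """
    state = {}        # (client_ip, client_port, peer_ip, peer_port) -> last-seen time
    started_on = {}   # initiator cookie -> peer port the negotiation began on
    delivered, findings = [], []
    for p in packets:
        if p.src == client:
            state[(p.src, p.sport, p.dst, p.dport)] = p.t
            started_on.setdefault(p.icookie, p.dport)
            delivered.append(p)
            continue
        key = (p.dst, p.dport, p.src, p.sport)
        last = state.get(key)
        alive = last is not None and p.t - last <= IDLE_TIMEOUT
        if started_on.get(p.icookie) == NAT_T_PORT and p.sport != NAT_T_PORT:
            findings.append(
                f"t={p.t}: cookie {p.icookie} began on UDP {NAT_T_PORT} but the peer "
                f"answered from port {p.sport}"
                + ("" if alive else " (no live firewall state, reply dropped)"))
        if alive:
            state[key] = p.t
            delivered.append(p)
    return delivered, findings

CLIENT, GW = "10.0.0.5", "198.51.100.1"   # constructed addresses
TRACE = [
    Pkt(0.0, CLIENT, 500, GW, 500, "c1"),      # initial Phase 1 on port 500
    Pkt(0.1, GW, 500, CLIENT, 500, "c1"),
    Pkt(1.0, CLIENT, 4500, GW, 4500, "c1"),    # NAT detected: float to 4500 (RFC 3947)
    Pkt(1.1, GW, 4500, CLIENT, 4500, "c1"),
    Pkt(3600.0, CLIENT, 4500, GW, 4500, "c2"), # Phase 1 rekey started on 4500, as required
    Pkt(3600.1, GW, 500, CLIENT, 500, "c2"),   # gateway answers from port 500; that state is stale
]
```

Running `replay(TRACE, CLIENT)` delivers the first five datagrams and reports the sixth as dropped, which is exactly the behaviour the list post describes.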
