[Vpn-help] Zywall Rekey issues with NAT-T
Matthew Grooms
mgrooms at shrew.net
Sat Jun 7 15:33:24 CDT 2008
All,
I just noticed a problem with Zywall devices so I thought I would post
this information to the list. When the client communicates with a Zywall
device, ISAKMP rekey will fail if NAT-T is enabled. The client follows
RFC3947 by initiating a rekey on port 4500. The Zywall responds to the
rekey attempt using port 500. Here is a snippet from the RFC ...
    Similarly, if the responder has to rekey the Phase 1 SA, then the
    rekey negotiation MUST be started by using UDP(4500,Y). Any
    implementation that supports NAT traversal MUST support negotiations
    that begin on port 4500. If a negotiation starts on port 4500, then
    it doesn't need to change anywhere else in the exchange.
By responding on a different port than the initiator, the firewall state
will have timed out between rekey attempts. This means the ISAKMP
response sent from the Zywall will never reach the initiator ( client ).
I just opened a ticket with Zywall. Hopefully they assign an engineer to
this ticket and get it resolved. In the near term, you will need to
disable NAT-T if you want the tunnel to live longer than the phase 1
lifetime.
Thanks,
-Matthew
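The mismatch described in the post (a rekey initiated on UDP 4500 that the peer answers from UDP 500) can be spotted from the UDP headers alone. The following is an added example, not code from the post or from the Shrew Soft client: it models ISAKMP messages as small records (constructed sample data, not a parsed capture; a real capture would also carry the 4-byte non-ESP marker on port 4500, which this model ignores) and flags any negotiation that began on 4500 whose reply comes from a different source port. The hostnames, addresses and cookie values are made up.

```python
"""Flag NAT-T rekey replies that come back from the wrong UDP port.

Added example. Models the RFC 3947 rule quoted in the post: a negotiation
that starts on UDP 4500 must stay on 4500, so a reply from UDP 500 will
hit an expired firewall/NAT state and never reach the initiator.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

IKE_PORT = 500
NATT_PORT = 4500


@dataclass(frozen=True)
class IsakmpMsg:
    """One ISAKMP message as seen on the wire (constructed, not from a capture)."""
    src: str
    sport: int
    dst: str
    dport: int
    icookie: str  # initiator cookie, shared by every message of one negotiation


Finding = Tuple[str, int, int, str]  # (responder ip, expected port, actual port, cookie)


def find_port_mismatches(msgs: List[IsakmpMsg]) -> List[Finding]:
    """Return one finding per reply that violates the "stay on 4500" rule.

    The first message seen for an initiator cookie fixes which side is the
    initiator and which destination port the negotiation started on.
    """
    first: Dict[str, Tuple[str, str, int]] = {}
    findings: List[Finding] = []
    for m in msgs:
        if m.icookie not in first:
            first[m.icookie] = (m.src, m.dst, m.dport)
            continue
        init_ip, resp_ip, start_port = first[m.icookie]
        # A negotiation that began on 500 may legitimately float to 4500
        # once NAT is detected, so only 4500-initiated ones are checked.
        if start_port != NATT_PORT:
            continue
        is_reply = m.src == resp_ip and m.dst == init_ip
        if is_reply and m.sport != start_port:
            findings.append((m.src, start_port, m.sport, m.icookie))
    return findings


def describe(f: Finding) -> str:
    resp, expected, actual, cookie = f
    return (f"{resp}: negotiation {cookie} started on UDP {expected} "
            f"but reply came from UDP {actual}; reply will be dropped "
            f"by the initiator's NAT/firewall state")


# Constructed sample traffic: 10.0.0.5 is the client, 203.0.113.1 the gateway.
SAMPLE: List[IsakmpMsg] = [
    # Initial phase 1 on 500, then a legitimate float to 4500: not flagged.
    IsakmpMsg("10.0.0.5", IKE_PORT, "203.0.113.1", IKE_PORT, "aa11aa11"),
    IsakmpMsg("203.0.113.1", IKE_PORT, "10.0.0.5", IKE_PORT, "aa11aa11"),
    IsakmpMsg("10.0.0.5", NATT_PORT, "203.0.113.1", NATT_PORT, "aa11aa11"),
    IsakmpMsg("203.0.113.1", NATT_PORT, "10.0.0.5", NATT_PORT, "aa11aa11"),
    # Rekey initiated on 4500, answered from 500: the behaviour in the post.
    IsakmpMsg("10.0.0.5", NATT_PORT, "203.0.113.1", NATT_PORT, "c0ffee01"),
    IsakmpMsg("203.0.113.1", IKE_PORT, "10.0.0.5", NATT_PORT, "c0ffee01"),
]


if __name__ == "__main__":
    for finding in find_port_mismatches(SAMPLE):
        print(describe(finding))
```

Run against a real trace, the same check would be fed from the UDP 5-tuple plus the initiator cookie (the first 8 bytes of the ISAKMP header, after skipping the non-ESP marker on port 4500); a single hit per rekey interval matches the symptom in the post, where the tunnel dies at the phase 1 lifetime only when NAT-T is on.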