[Vpn-help] Fwd: New 2.2.0 alpha available ...
Matthew Grooms
mgrooms at shrew.net
Tue Oct 28 18:52:25 CDT 2008
Matthew Grooms wrote:
> Rodrigo Ferroni wrote:
>> 2.2.0-alpha-2-x86 just works fine on another pc. Thanks.
>> Rodrigo.
>>
>
> Rodrigo,
>
> From the log output you sent me in a private email, it would appear the
> connection problem you were seeing on the first workstation while using
> alpha-2 was related to an old ISAKMP SA still being used by the gateway
> from a previous connection attempt. It's a good idea to use DPD to
> prevent problems like this from occurring.
>
Rodrigo,
Strange. I just looked at the log again and noticed that you do have DPD
enabled on both ends. But the peer was still trying to use an old ISAKMP
SA to communicate with the Shrew Soft Client. For example, you see a lot
of messages that look like this in your log output ...
08/10/28 19:17:42 ww : ike packet from xx.xx.xx.xx ignored, unknown phase1 sa for peer
08/10/28 19:17:42 ww : 11c8e933c98ffbfb:7b2155d1ae13bb9a
... but the ISAKMP cookie pair "11c8e933c98ffbfb:7b2155d1ae13bb9a" was
not negotiated by the client during that session which means it was from
a previous connection. Maybe the DPD timeout hadn't triggered yet. What
do you have it set to in your racoon.conf file?
One good thing to note is that Timmo, another ipsec-tools developer, has
added proper handling of the INITIAL-CONTACT notification message to the
forthcoming 0.8 release. This means that anytime there are stale ISAKMP
or IPsec SAs, they should get cleaned up automatically as the Shrew Soft
client sends this notification explicitly after connecting.
Thanks,
-Matthew
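The check Matthew describes above (an "ignored, unknown phase1 sa" message whose cookie pair was never negotiated by the client during the current session, repeated for longer than DPD should have allowed) can be automated against a saved client log. The script below is an added example and is not code from the Shrew Soft client, ipsec-tools or this thread. It relies only on the two log lines quoted above; the set of cookie pairs the client negotiated, the DPD timeout value and the extra repeated log lines in the sample are assumptions made for illustration.

```python
"""Flag stale ISAKMP (phase 1) SAs in a Shrew Soft client log.

Added example, not code from the Shrew Soft client or ipsec-tools. It only
relies on the two log lines quoted in the thread; everything else (the set
of cookies the client negotiated, the DPD timeout, the extra sample lines)
is an assumption made for illustration.
"""
import re
from collections import OrderedDict
from datetime import datetime

# Line shape as quoted in the thread: "YY/MM/DD HH:MM:SS <lvl> : <message>".
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S\S) : (.*)$")
IGNORED_MARK = "ignored, unknown phase1 sa for peer"
# ISAKMP cookie pair: initiator cookie ':' responder cookie, 8 bytes each.
COOKIE_RE = re.compile(r"^([0-9a-f]{16}):([0-9a-f]{16})$")

# Constructed sample. The first three lines are the ones quoted in the thread
# (including the e-mail line wrap); the remaining lines are invented repeats.
SAMPLE_LOG = """\
08/10/28 19:17:42 ww : ike packet from xx.xx.xx.xx ignored, unknown
phase1 sa for peer
08/10/28 19:17:42 ww : 11c8e933c98ffbfb:7b2155d1ae13bb9a
08/10/28 19:18:12 ww : ike packet from xx.xx.xx.xx ignored, unknown phase1 sa for peer
08/10/28 19:18:12 ww : 11c8e933c98ffbfb:7b2155d1ae13bb9a
08/10/28 19:18:42 ww : ike packet from xx.xx.xx.xx ignored, unknown phase1 sa for peer
08/10/28 19:18:42 ww : 11c8e933c98ffbfb:7b2155d1ae13bb9a
08/10/28 19:18:50 ww : ike packet from xx.xx.xx.xx ignored, unknown phase1 sa for peer
08/10/28 19:18:50 ww : 0f0f0f0f0f0f0f0f:1e1e1e1e1e1e1e1e
"""


def parse_entries(log_text):
    """Return (timestamp, level, message) tuples, re-joining wrapped lines."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S")
            entries.append([ts, m.group(2), m.group(3)])
        elif entries and raw.strip():
            # No timestamp prefix: continuation of the previous message.
            entries[-1][2] += " " + raw.strip()
    return [tuple(e) for e in entries]


def ignored_packets(log_text):
    """Return (timestamp, peer, cookie_pair) for each ignored IKE packet.

    The client logs the reason on one line and the cookie pair on the next,
    so each "ignored" line is paired with the cookie line that follows it.
    """
    events = []
    pending = None
    for ts, _lvl, msg in parse_entries(log_text):
        if msg.startswith("ike packet from ") and IGNORED_MARK in msg:
            pending = (ts, msg.split()[3])  # "ike packet from <peer> ..."
            continue
        cm = COOKIE_RE.match(msg)
        if pending and cm:
            events.append((pending[0], pending[1], cm.group(0)))
        pending = None
    return events


def stale_sa_report(log_text, known_cookies, dpd_timeout):
    """Group ignored packets by cookie pair the client never negotiated.

    known_cookies: cookie pairs the client negotiated in this session
    (assumed input, taken from the client's own phase 1 log lines).
    dpd_timeout: seconds within which the gateway's DPD should have torn
    down a dead SA (assumed value derived from the gateway's DPD settings).
    """
    report = OrderedDict()
    for ts, peer, cookie in ignored_packets(log_text):
        if cookie in known_cookies:
            continue  # our own SA, not a leftover from an earlier attempt
        rec = report.setdefault(cookie, {"peer": peer, "count": 0,
                                         "first": ts, "last": ts})
        rec["count"] += 1
        rec["last"] = ts
    for rec in report.values():
        span = (rec["last"] - rec["first"]).total_seconds()
        rec["span_seconds"] = span
        # The gateway kept using the stale SA for longer than the DPD
        # window, so DPD did not clean it up: the situation in the thread.
        rec["exceeds_dpd"] = span > dpd_timeout
    return report


if __name__ == "__main__":
    for cookie, rec in stale_sa_report(SAMPLE_LOG, set(), 30).items():
        flag = "DPD should have cleared this" if rec["exceeds_dpd"] else "within DPD window"
        print(f"{cookie} from {rec['peer']}: {rec['count']} packets over "
              f"{rec['span_seconds']:.0f}s ({flag})")
```

Run it against the client's saved log with the cookie pairs from the current session's phase 1 negotiation in `known_cookies` and the gateway's DPD timeout in `dpd_timeout`; any cookie pair reported with `exceeds_dpd` set is an SA the gateway is retransmitting on well past the point DPD should have declared it dead, which is what Matthew is asking Rodrigo to compare against his racoon.conf settings.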