[Vpn-help] trying to connect VPN to Zyxel 2602hwl adsl router

Paul Webster pwebster at softhome.net
Sun Apr 26 06:55:46 CDT 2009


Matthew,

After reading your email I changed the phase 1 & 2 lifetimes at XP 
client and Zyxel 2602hwl from 3600secs to max (28800secs = 8 hours). Now 
the connection dies after 6 hours 24 mins (8 times 48 mins) with the 
IKE log recording "phase 1 sa is expiring".
I ran constant ping as you suggested and it does not start working again 
after 5-10 mins. In fact the Shrew client tells me "session terminated 
by gateway". Logs from Shrew & Zyxel are attached. Many thanks for your 
advice.

Regards,
Paul


Matthew Grooms wrote:
> Paul Webster wrote:
>> Here's some more information on the connection dropouts. Below is the 
>> log file off the Zyxel. The log shows:
>>
>> 1) The initial connection is established at 15:21:25
>> 2) Looks like some sort of renegotiation 48 mins later at 16:09:53
>> 3) Two minutes later there is a time out disconnect.
>> 4) "No corresponding tunnel" message at 16:12:40 appears at the same 
>> time my VNC client told me the connection was down.
>>
>> But no new messages appear in the Shrew VPN client connect window. 
>> Why does the Zyxel say it's built a new tunnel but the VPN client 
>> tells me nothing?
>>
>
> "IPsec tunnel" is a very loose term. It's not like a TCP connection. 
> It's basically a set of security associations built between two peers. 
> You have ISAKMP SAs used for negotiation and IPsec SAs which are used 
> to protect host traffic. There is no 1:1 mapping between the two. The 
> Shrew Soft VPN client reports "connected" after establishing the 
> ISAKMP SA.
>
> You can negotiate any number of IPsec SAs under the protection of a 
> single ISAKMP SA. When you say the Zywall says it has built a new 
> tunnel, it probably means it believes that a new IPsec SA has been 
> established.
>
>> ============== VPN client connect windows ======
>> configuring client settings ...
>> attached to key daemon ...
>> peer configured
>> iskamp proposal configured
>> esp proposal configured
>> client configured
>> local id configured
>> remote id configured
>> pre-shared key configured
>> bringing up tunnel ...
>> network device configured
>> tunnel enabled
>>
>
> The VPN client has extensive debug facilities that provide detailed 
> log output. This is just the user interface feedback window. Please 
> see ...
>
> http://www.shrew.net/support/wiki/BugReportVpnWindows
>
> As for your issue, it sounds like a phase 2 rekey problem. Seeing the 
> debug level log output would be useful. Is your phase2 lifetime set to 
> 3600 seconds? This sounds about right for the time when a rekey occurs.
>
> Some platforms prefer newer or older IPsec SAs after a rekey. The 
> Zywall may be silently deleting the older SA and rejecting traffic 
> sent by the client which still uses the old SA for some time before 
> switching to the new SA.
>
> If you try running a constant ping and see the traffic drop out at 48 
> minutes, does it start to work again 5-10 minutes later?
>
> -Matthew
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: shrew ike trace.log
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20090426/b60559c3/attachment-0002.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: zyxel2602hwl .log
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20090426/b60559c3/attachment-0003.ksh>
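The thread's two observations line up: with a 3600 s lifetime the dropout comes at 48 min, and with a 28800 s lifetime it comes at 6 h 24 min, which is 0.8 of the configured lifetime in both cases. The following script is an added example, not part of the thread or of the Shrew Soft or Zyxel software: it parses a constructed log excerpt (the line format is an assumption; only the timestamps and message wordings come from the thread), computes how long after establishment each rekey-related event occurred, and compares that with the configured lifetime so a diagnostician can tell whether the drop coincides with a soft rekey rather than the hard expiry. The 0.8 margin used by `expected_rekey_seconds` is an assumption derived from the thread's numbers, not a documented Zyxel or Shrew setting.

```python
"""Correlate IKE lifetime settings with rekey events seen in VPN logs.

Added example for the vpn-help thread; not code from the Shrew Soft
client or the Zyxel router. Log format below is constructed.
"""
import re
from datetime import datetime

# Constructed sample log (not the attached logs). Timestamps and message
# wordings are the ones the thread mentions; the "<date> <time> <message>"
# layout is an assumption made for this example.
SAMPLE_LOG = """\
2009-04-25 15:21:25 ike tunnel established
2009-04-25 16:09:53 phase 1 sa is expiring
2009-04-25 16:12:40 no corresponding tunnel
"""

# Event wordings from the thread, matched case-insensitively.
EVENT_PATTERNS = {
    "established": re.compile(r"tunnel established"),
    "rekey":       re.compile(r"sa is expiring"),
    "terminated":  re.compile(r"session terminated by gateway"),
    "no_tunnel":   re.compile(r"no corresponding tunnel"),
}
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse_log(text):
    """Return a list of (timestamp, event_name, message) for recognised lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not carry a timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        for name, pat in EVENT_PATTERNS.items():
            if pat.search(msg.lower()):
                events.append((ts, name, msg))
                break
    return events


def rekey_fraction(lifetime_seconds, observed_seconds):
    """Fraction of the configured lifetime at which a rekey was observed."""
    return observed_seconds / lifetime_seconds


def expected_rekey_seconds(lifetime_seconds, fraction=0.8):
    """Seconds after SA establishment at which a peer that renegotiates at
    `fraction` of the lifetime would start rekeying (assumed soft margin)."""
    return round(lifetime_seconds * fraction)


def analyze(text, lifetime_seconds):
    """Compute seconds since establishment for each event, plus the fraction of
    the configured lifetime at which the first rekey message appeared."""
    events = parse_log(text)
    start = next((ts for ts, name, _ in events if name == "established"), None)
    if start is None:
        return {"elapsed": [], "rekey_fraction": None}
    elapsed = [(int((ts - start).total_seconds()), name) for ts, name, _ in events]
    first_rekey = next((s for s, name in elapsed if name == "rekey"), None)
    frac = None if first_rekey is None else round(first_rekey / lifetime_seconds, 2)
    return {"elapsed": elapsed, "rekey_fraction": frac}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, 3600)
    for seconds, name in result["elapsed"]:
        print(f"{seconds:6d}s  {name}")
    print("first rekey at", result["rekey_fraction"], "of the configured lifetime")
    print("with 28800 s lifetime, expect rekey at",
          expected_rekey_seconds(28800) // 60, "min")
```

Run against the real attached logs, the elapsed offsets show whether the "phase 1 sa is expiring" message and the client's "session terminated by gateway" always arrive at the same fraction of the configured lifetime; a constant fraction points at the rekey handshake itself (which peer keeps which SA after renegotiation) rather than at the lifetime value, which is why raising the lifetime only moved the dropout from 48 min to 6 h 24 min.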