[Vpn-help] trying to connect VPN to Zyxel 2602hwl adsl router

Matthew Grooms mgrooms at shrew.net
Tue Feb 3 18:54:55 CST 2009


Paul Webster wrote:
> Here's some more information on the connection dropouts. Below is the 
> log file off the Zyxel. The log shows:
> 
> 1) The initial connection is established at 15:21:25
> 2) Looks like some sort of renegotiation 48 mins later at 16:09:53
> 3) Two minutes later there is a time out disconnect.
> 4) "No corresponding tunnel" message at 16:12:40 appears at the same 
> time my VNC client told me the connection was down.
> 
> But no new messages appear in the Shrew VPN client  connect window. Why 
> does the Zyxel say it's built a new tunnel but the VPN client tells me 
> nothing?
> 

"IPsec tunnel" is a very loose term. It's not like a TCP connection. It's 
basically a set of security associations built between two peers. You 
have ISAKMP SAs used for negotiation and IPsec SAs which are used to 
protect host traffic. There is no 1:1 mapping between the two. The Shrew 
Soft VPN client reports "connected" after establishing the ISAKMP SA.

You can negotiate any number of IPsec SAs under the protection of a 
single ISAKMP SA. When you say the Zywall says it has built a new tunnel, 
it probably means it believes that a new IPsec SA has been established.

> ============== VPN client connect windows ======
> configuring client settings ...
> attached to key daemon ...
> peer configured
> iskamp proposal configured
> esp proposal configured
> client configured
> local id configured
> remote id configured
> pre-shared key configured
> bringing up tunnel ...
> network device configured
> tunnel enabled
> 

The VPN client has extensive debug facilities that provide detailed log 
output. This is just the user interface feedback window. Please see ...

http://www.shrew.net/support/wiki/BugReportVpnWindows

As for your issue, it sounds like a phase 2 rekey problem. Seeing the 
debug level log output would be useful. Is your phase 2 lifetime set to 
3600 seconds? This sounds about right for the time when a rekey occurs.

Some platforms prefer newer or older IPsec SAs after a rekey. The Zywall 
may be silently deleting the older SA and rejecting traffic sent by the 
client which still uses the old SA for some time before switching to the 
new SA.

If you try running a constant ping and see the traffic drop out at 48 
minutes, does it start to work again 5-10 minutes later?

-Matthew
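The rekey race Matthew suspects, modelled as an added example (this is not code from the thread, from the Shrew Soft client or from Zyxel). It assumes a phase 2 hard lifetime of 3600 s and a rekey at 80% of that (the log's rekey roughly 48 minutes after the tunnel came up is about 80% of 3600 s); the names Gateway, Client, IpsecSa and simulate are illustrative. A gateway that discards the old IPsec SA the moment the replacement is negotiated, talking to a client that keeps sending on the old SA until its hard lifetime, produces an outage that starts at the rekey and ends on its own when the client finally expires the old SA. Flipping either peer's behaviour removes the outage.

```python
"""Toy model of an IPsec phase 2 rekey race (added example, not from the thread)."""
from dataclasses import dataclass
from itertools import count


@dataclass
class IpsecSa:
    spi: int
    created: int      # seconds since the tunnel came up
    lifetime: int     # phase 2 hard lifetime in seconds

    def expired(self, now):
        return now - self.created >= self.lifetime


class Gateway:
    """Responder. With delete_old=True it drops the previous inbound SA as
    soon as a replacement is installed (the suspected Zywall behaviour)."""

    def __init__(self, delete_old):
        self.delete_old = delete_old
        self.inbound = {}                      # spi -> IpsecSa

    def install(self, sa, replaces):
        self.inbound[sa.spi] = sa
        if self.delete_old and replaces is not None:
            self.inbound.pop(replaces.spi, None)

    def accepts(self, spi, now):
        sa = self.inbound.get(spi)
        if sa is None or sa.expired(now):
            self.inbound.pop(spi, None)
            return False                       # "No corresponding tunnel"
        return True


class Client:
    """Initiator. Rekeys when its newest SA reaches the soft lifetime and, unless
    prefer_new is set, keeps sending on the oldest SA until it hard-expires."""

    def __init__(self, gateway, lifetime, soft_ratio, prefer_new):
        self.gateway = gateway
        self.lifetime = lifetime
        self.soft_age = int(lifetime * soft_ratio)   # assumed rekey point
        self.prefer_new = prefer_new
        self.spis = count(0x1000)                    # made-up SPI values
        self.sas = [self._negotiate(0, None)]

    def _negotiate(self, now, old):
        sa = IpsecSa(next(self.spis), now, self.lifetime)
        self.gateway.install(sa, old)
        return sa

    def tick(self, now):
        """Send one packet at time `now`; return True if the gateway accepted it."""
        self.sas = [sa for sa in self.sas if not sa.expired(now)]
        if not self.sas:                       # only reachable if soft_ratio >= 1
            self.sas.append(self._negotiate(now, None))
        newest = self.sas[-1]
        if now - newest.created >= self.soft_age:
            self.sas.append(self._negotiate(now, newest))
        sa = self.sas[-1] if self.prefer_new else self.sas[0]
        return self.gateway.accepts(sa.spi, now)


def simulate(lifetime=3600, soft_ratio=0.8, client_prefers_new=False,
             gateway_deletes_old=True, duration=7200):
    """Run a one-packet-per-second ping and return outage intervals as
    half-open (start, end) tuples in seconds since tunnel up."""
    gw = Gateway(gateway_deletes_old)
    client = Client(gw, lifetime, soft_ratio, client_prefers_new)
    outages, start = [], None
    for now in range(duration):
        ok = client.tick(now)
        if not ok and start is None:
            start = now
        elif ok and start is not None:
            outages.append((start, now))
            start = None
    if start is not None:
        outages.append((start, duration))
    return outages


if __name__ == "__main__":
    for s, e in simulate():
        print(f"traffic lost from {s // 60} min to {e // 60} min after tunnel up")
    print("client switches to new SA at once:", simulate(client_prefers_new=True))
    print("gateway keeps old SA until expiry:", simulate(gateway_deletes_old=False))
```

With the default settings the first outage runs from minute 48 to minute 60 and then clears without any action by the user, which is the pattern the constant-ping test in the message is meant to expose; the length of the gap is simply hard lifetime minus the rekey point, so comparing it against the configured phase 2 lifetime tells you whether this is what the Zywall is doing.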


