[Vpn-help] Strange behavior

Matthew Grooms mgrooms at shrew.net
Fri Feb 20 02:23:54 CST 2009


Knut Kroeger wrote:
> Hello,
> my wish is to connect to a Funkwerk (Bintec) router which is not administrated by myself via VPN. I've been using the NCP client which worked perfectly. Now I replaced the NCP with your nice client version 2.1.4. First (2 days ago) it worked like a charm but now we have this strange thing:
> Tunnel comes up.
> But no connection can be established, this means I can't ping any host via IP on the remote network or connect by any other protocol. The tunnel is still up. I took a look at the routing table and it's ok.
> After a bit of frustration and a few hours of doing other things I tried again with success! This was yesterday.
> But today I had again no luck.
> Just remember: There's no problem bringing up the tunnel as the connect window tells me.
> My OS: XP Pro SP3
> Any ideas?
> 

Hi Knut,

Are you using DPD? I would venture a guess that the client may be sending 
a delete message for current IPsec SAs before disconnecting but maybe 
they are not being deleted by the gateway. If this is true, on later 
connection attempts the gateway may send traffic using an SA that the 
client has already deleted and won't be able to process the traffic. What 
does the ipsec debug log output look like when the connection can't pass 
traffic? Does it show any errors like "unable to process packet, unknown 
SA" or something similar?

Thanks,

-Matthew


