[Vpn-help] trying to connect VPN to Zyxel 2602hwl adsl router

[Paul Webster]

Matthew,

You have an answer for everything - very impressive! Since the client is 
behind a NAT router, disabling NAT-T isn't an option so I'll live with 
the 6.5 hour time limit. Thanks for setting my mind at rest, I was 
worried the configuration was wrong.

- Paul


Matthew Grooms wrote:
> Paul Webster wrote:
>> Matthew,
>>
>> After reading your email I changed the phase 1 & 2 lifetimes at XP 
>> client and Zyxel 2602hwl from 3600secs to max (28800secs = 8 hours). 
>> Now the connection dies after  6 hours 24 mins (8 times 48 mins) with 
>> the IKE log recording "phase 1 sa is expiring".
>> I ran constant ping as you suggested and it does not start working 
>> again after 5-10 mins. In fact the Shrew client tells me "session 
>> terminated by gateway". Logs from Shrew & Zyxel are attached. Many 
>> thanks for your advice.
>>
>
> Hi Paul,
>
> Zyxel gateways have a bug that prevents them from properly negotiating 
> a replacement ISAKMP SA when NAT-T is in use. The specification states 
> that an IKE implementation should only change ports once ( ie, from 
> 500 -> 4500 ). When the Shrew Soft VPN client legitimately attempts to 
> negotiate a replacement SA by initiating an exchange on port 4500, the 
> Zyxel device responds on port 500. Obviously, the packet will 
> completely fail to pass back to the client through the NAT device 
> because it has long since expired the port 500 mapping.
>
> I reported this bug to Zyxel and they have yet to fix it. I assume you 
> are running into the same issue. Try disabling NAT-T support and see 
> if the re-negotiation issue clears up for you.
>
> Hope this helps,
>
> -Matthew
>