[Vpn-help] trying to connect VPN to Zyxel 2602hwl adsl router

Matthew Grooms mgrooms at shrew.net
Sat May 2 14:38:13 CDT 2009


Paul Webster wrote:
> Matthew,
> 
> After reading your email I changed the phase 1 & 2 lifetimes at XP 
> client and Zyxel 2602hwl from 3600secs to max (28800secs = 8 hours). Now 
> the connection dies after 6 hours 24 mins (8 times 48 mins) with the 
> IKE log recording "phase 1 sa is expiring".
> I ran constant ping as you suggested and it does not start working again 
> after 5-10 mins. In fact the Shrew client tells me "session terminated 
> by gateway". Logs from Shrew & Zyxel are attached. Many thanks for your 
> advice.
> 

Hi Paul,

Zyxel gateways have a bug that prevents them from properly negotiating a 
replacement ISAKMP SA when NAT-T is in use. The specification states 
that an IKE implementation should only change ports once (i.e., from 500 
-> 4500). When the Shrew Soft VPN client legitimately attempts to 
negotiate a replacement SA by initiating an exchange on port 4500, the 
Zyxel device responds on port 500. Obviously, the packet will completely 
fail to pass back to the client through the NAT device because it has 
long since expired the port 500 mapping.

I reported this bug to Zyxel and they have yet to fix it. I assume you 
are running into the same issue. Try disabling NAT-T support and see if 
the re-negotiation issue clears up for you.

Hope this helps,

-Matthew
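The failure Matthew describes is a NAT state problem, not a cryptographic one, and it is easy to reproduce with a small model. The following script is an added illustration written for this page; it is not code from the Shrew Soft client or from Zyxel, and the addresses, idle timeout and rekey interval it uses are constructed assumptions. It models a port-restricted NAT with an idle timer, lets the client float from 500 to 4500 after NAT detection, keeps the 4500 mapping alive with keepalives, and then checks whether the gateway's reply to the phase 1 rekey can be translated back to the client. Three cases are run: a compliant gateway answering on 4500, the buggy behaviour of answering from 500 to the stale phase 1 mapping, and the workaround of leaving NAT-T disabled so the whole exchange stays on 500.

```python
"""Model of the IKE NAT-T rekey failure: a reply on UDP/500 after the NAT has
expired the port 500 mapping is dropped, while a reply on 4500 gets through.
Constructed example; addresses and timers are assumptions, not from any log."""

IKE_PORT = 500        # initial IKE port
NATT_PORT = 4500      # port after NAT-T float (RFC 3947 / 3948)

CLIENT_IP = "10.0.0.5"          # constructed inside address
GATEWAY_IP = "203.0.113.1"      # constructed gateway address


class PortRestrictedNat:
    """Per-flow UDP translation table with an idle timeout, as a home NAT has."""

    def __init__(self, idle_timeout, first_ext_port=40000):
        self.idle_timeout = idle_timeout
        self.next_port = first_ext_port
        # (inside_ip, inside_port, remote_ip, remote_port) -> [ext_port, last_seen]
        self.table = {}

    def _expire(self, now):
        for key in list(self.table):
            if now - self.table[key][1] > self.idle_timeout:
                del self.table[key]

    def outbound(self, now, inside_port, remote_port):
        """Translate an inside->gateway packet; create or refresh the mapping."""
        self._expire(now)
        key = (CLIENT_IP, inside_port, GATEWAY_IP, remote_port)
        entry = self.table.get(key)
        if entry is None:
            entry = [self.next_port, now]
            self.next_port += 1
            self.table[key] = entry
        entry[1] = now
        return entry[0]          # external port the gateway sees

    def inbound(self, now, remote_port, ext_port):
        """Translate a gateway->client packet; None means no mapping, dropped."""
        self._expire(now)
        for (in_ip, in_port, r_ip, r_port), (e_port, _) in self.table.items():
            if (r_ip, r_port, e_port) == (GATEWAY_IP, remote_port, ext_port):
                return (in_ip, in_port)
        return None


def rekey_reply_delivered(nat_t_enabled, gateway_answers_on_500,
                          idle_timeout=300, rekey_at=3600, keepalive=20):
    """Return True if the gateway's phase 1 rekey reply reaches the client."""
    nat = PortRestrictedNat(idle_timeout)
    # Phase 1 starts on 500/500 in every case.
    ext500 = nat.outbound(0, IKE_PORT, IKE_PORT)

    if not nat_t_enabled:
        # Workaround from the message: no float, the rekey itself goes out on
        # 500 and refreshes (or recreates) the mapping the reply will use.
        ext = nat.outbound(rekey_at, IKE_PORT, IKE_PORT)
        return nat.inbound(rekey_at + 1, IKE_PORT, ext) is not None

    # NAT detected: both sides float to 4500 once and stay there.
    ext4500 = nat.outbound(1, NATT_PORT, NATT_PORT)
    for t in range(keepalive, rekey_at, keepalive):
        nat.outbound(t, NATT_PORT, NATT_PORT)    # NAT-T keepalives on 4500
    # Client initiates the replacement ISAKMP SA on 4500.
    nat.outbound(rekey_at, NATT_PORT, NATT_PORT)

    if gateway_answers_on_500:
        # Buggy gateway: replies from 500 to the address/port it learned in
        # phase 1, whose mapping has been idle since t=0 and is long gone.
        return nat.inbound(rekey_at + 1, IKE_PORT, ext500) is not None
    # Compliant gateway: replies on 4500, where the mapping is still alive.
    return nat.inbound(rekey_at + 1, NATT_PORT, ext4500) is not None


if __name__ == "__main__":
    for natt, buggy in ((True, False), (True, True), (False, True)):
        print(f"NAT-T={natt!s:5} reply_on_500={buggy!s:5} -> "
              f"{'delivered' if rekey_reply_delivered(natt, buggy) else 'dropped'}")
```

With the defaults the compliant NAT-T case and the NAT-T-disabled case both deliver the reply, and only the "reply on 500" case is dropped, which is the "session terminated by gateway" symptom once the client gives up retransmitting. The model also shows why the workaround is safe to try: without a float there is no second mapping to go stale, so the rekey works regardless of which port the gateway prefers.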


