[vpn-help] Timeouts?

Matthew Grooms mgrooms at shrew.net
Wed Jul 28 20:41:44 CDT 2010


On 7/28/2010 9:06 AM, kevin shrew-vpn wrote:
> On Sun, 11 Jul 2010 02:34:26 -0500
> Matthew Grooms <mgrooms at shrew.net> wrote:
>
>>
>> Your best bet is to always use matching lifetime values.
>>
>
> Hi Matthew, thanks for the detailed response.  Matching the lifetimes
> has really helped stabilize one of my VPNs.
>
> However, for the other VPN, when Phase 1 expires, the VPN breaks.
> Based on info from Shrew and the gateway it looks like some form of
> re-authentication is occurring (Shrew seems to re-send PAP).  This
> appears to cause the gateway to assign a new virtual adapter IP, but
> Shrew does not appear to realize this - at least, the virtual adapter
> IP on the client does not change and no reference to a new
> configuration appears in the Shrew iked trace.
>
> Is assigning a new IP normal/permitted? Or is this a sign that I haven't
> quite got the configs right between the client and gateway?
>
> For what it's worth, the client is only able to connect if it is set to
> 'ike config pull'.

Hmmm. Odd that it would assign a different address after an ISAKMP SA 
renegotiation. A replacement SA is required when the original expires. 
Depending on the gateway, this involves another Xauth and an additional 
modecfg negotiation as well. What kind of gateway do you use?

-Matthew


