[vpn-help] [vpn help] Problem with Phase 2 SA lifetime rekeying between ShrewSoft 2.1.7 and Cisco IOS

kevin vpn klmlk at hotmail.com
Mon Mar 21 21:17:37 CDT 2011


On Mon, 21 Mar 2011 02:25:51 +0200
"Nikolaj Griscenko" <n.griscenko at gmail.com> wrote:

> 
> I have encountered a problem I can't solve. The connection between
> shrewsoft 2.1.7 client (Win 7 x64) and Cisco 2811 router (12.4.(3g)
> IOS) is established normally and traffic passes ok, but when phase 2
> security association life-time expires - shrewsoft can't renegotiate
> a new SA with Cisco and former SA is deleted. I checked the SA
> parameter both on Cisco and Shrewsoft and tried different SA values,
> but no luck. I also attach my trace files. What could be the problem?
> Could it be a software bug? Thanks.
> 

Hi Nikolaj,

I looked at your ike trace and it does look like the Phase 2
re-negotiation is failing.  I can see a bunch of phase2 resends:

11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:26 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:26 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500

Unfortunately, the log doesn't suggest (to me at least) any reason why
the phase2 packets aren't going through.  If you checked that the Phase
2 SA lifetime parameter was the same in the Shrew client and the Cisco,
Phase 2 re-negotiation should occur many times because your Phase 1
lifetime is 86400 seconds (vs 300 seconds for Phase 2).

Perhaps someone with more experience with Cisco can help?  I know
there are some settings regarding Cisco compatible vendor IDs, but I
don't know what they do.

Just a question, during the time that Phase 2 was up, were you sending
traffic through the tunnel?  Like a persistent ping or something?  If
there was no traffic, maybe the gateway closed the connection because
it was idle?
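As an added example (not code from the thread or from ShrewSoft), a small Python script that parses ike trace lines in the format quoted above, flags a burst of phase2 resends to one peer as a likely failed rekey, and works out how many Phase 2 rekeys the 86400 s Phase 1 lifetime implies at 300 s. The YY/MM/DD reading of the timestamp, the 60-second clustering window and the threshold of three resends are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the ShrewSoft ike trace format quoted in the thread
SAMPLE_TRACE = """\
11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:26 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:26 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
"""

RESEND_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) -> : resend (?P<n>\d+) "
    r"(?P<phase>phase[12]) packet\(s\) (?P<src>\S+) -> (?P<dst>\S+)$"
)

def parse_resends(text):
    """Return (timestamp, phase, count, src, dst) for every resend line."""
    events = []
    for line in text.splitlines():
        m = RESEND_RE.match(line.strip())
        if m:
            # Assumption: the trace timestamp is YY/MM/DD (matches Mar 2011 here)
            ts = datetime.strptime(m["ts"], "%y/%m/%d %H:%M:%S")
            events.append((ts, m["phase"], int(m["n"]), m["src"], m["dst"]))
    return events

def find_rekey_failures(events, min_resends=3, window_seconds=60):
    """Flag peers with >= min_resends phase2 resends inside window_seconds.

    A Phase 2 exchange that is retransmitted repeatedly and never answered
    is what a failed quick-mode rekey looks like from the client side."""
    by_peer = {}
    for ts, phase, _n, src, dst in events:
        if phase == "phase2":
            by_peer.setdefault((src, dst), []).append(ts)
    failures = []
    for peer, stamps in by_peer.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= min_resends:
                failures.append({"peer": peer, "first": stamps[i], "last": stamps[j - 1], "count": j - i})
                break
    return failures

def expected_phase2_rekeys(phase1_lifetime, phase2_lifetime):
    """Number of Phase 2 rekeys one Phase 1 SA must survive (86400 // 300 == 288)."""
    return phase1_lifetime // phase2_lifetime
```

Run it against a real ike trace to see whether the resends cluster right after each Phase 2 lifetime expiry; a clean rekey leaves no such burst.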


