[vpn-help] Problem with Phase 2 SA lifetime rekeying between ShrewSoft 2.1.7 and Cisco IOS

Mark A. Sibert marksibert at gmail.com
Wed Apr 11 11:28:06 CDT 2012

Has anyone figured out the cause of this problem and/or a solution to it?

My connection drops briefly every 48 minutes.  It appears it's the
same issue as described here - the SA expires and Shrew does
re-establish the connection automatically, but traffic stops for maybe
30 seconds during the process.  Long enough to terminate the
connections for some of the programs I'm running.

Cisco AnyConnect works fine, but doesn't allow me to do split
tunneling like Shrew does.  I'm running 2.2.0-beta-2.


- Mark

On Mon, 21 Mar 2011 02:25:51 +0200
"Nikolaj Griscenko" <n.griscenko at gmail.com> wrote:

> I have encountered a problem I can't solve. The connection between
> shrewsoft 2.1.7 client (Win 7 x64) and Cisco 2811 router (12.4.(3g)
> IOS) is established normally and traffic passes ok, but when phase 2
> security association life-time expires - shrewsoft can't renegotiate
> a new SA with Cisco and former SA is deleted. I checked the SA
> parameter both on Cisco and Shrewsoft and tried different SA values,
> but no luck. I also attach my trace files. What could be the problem?
> Could it be a software bug? Thanks.

Hi Nikolaj,

I looked at your ike trace and it does look like the Phase 2
re-negotiation is failing.  I can see a bunch of phase2 resends:

11/03/21 01:50:21 -> : resend 1 phase2 packet(s) ->
11/03/21 01:50:21 -> : resend 1 phase2 packet(s) ->
11/03/21 01:50:26 -> : resend 1 phase2 packet(s) ->
11/03/21 01:50:26 -> : resend 1 phase2 packet(s) ->

Unfortunately, the log doesn't suggest (to me at least) any reason why
the phase2 packets aren't going through.  If you checked that the Phase
2 SA lifetime parameter was the same in the Shrew client and the Cisco,
Phase 2 re-negotiation should occur many times because your Phase 1
lifetime is 86400 seconds (vs 300 seconds for Phase 2).

Perhaps someone with more experience with Cisco can help?  I know
there are some settings regarding Cisco compatible vendor IDs, but I
don't know what they do.

Just a question, during the time that Phase 2 was up, were you sending
traffic through the tunnel?  Like a persistent ping or something?  If
there was no traffic, maybe the gateway closed the connection because
it was idle?

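Added example, not code from the thread or from ShrewSoft: a small scanner that reads an ike trace in the "YY/MM/DD HH:MM:SS -> : message" shape quoted above and flags bursts of phase2 resends, which is what a failed Phase 2 rekey looks like in the log. The four resend lines are the ones quoted in the reply; the other sample lines, and the assumption that every trace line follows that shape, are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample trace. The "resend" lines are the ones quoted in the
# thread; the remaining lines are made up to give the burst some context.
SAMPLE_TRACE = """\
11/03/21 01:45:20 -> : phase2 sa established (constructed line)
11/03/21 01:50:20 -> : phase2 sa lifetime expired, rekeying (constructed line)
11/03/21 01:50:21 -> : resend 1 phase2 packet(s) ->
11/03/21 01:50:21 -> : resend 1 phase2 packet(s) ->
11/03/21 01:50:26 -> : resend 1 phase2 packet(s) ->
11/03/21 01:50:26 -> : resend 1 phase2 packet(s) ->
11/03/21 01:50:31 -> : phase2 sa deleted (constructed line)
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) -> : (.*)$")
RESEND_RE = re.compile(r"resend (\d+) phase2 packet\(s\)")


def parse_trace(text):
    """Yield (timestamp, message) for each well-formed trace line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S"), m.group(2)


def find_rekey_failures(text, window=timedelta(seconds=30), min_resends=3):
    """Return phase2 resend bursts as (first_ts, last_ts, packets_resent).

    A burst is a run of consecutive resend lines, each within `window` of the
    previous one. Any other line (e.g. an SA established message) ends it, and
    only bursts of at least `min_resends` packets are reported."""
    bursts, start, end, count = [], None, None, 0
    for ts, msg in parse_trace(text):
        m = RESEND_RE.search(msg)
        if m and (end is None or ts - end <= window):
            start = start or ts          # extend (or open) the current burst
            end, count = ts, count + int(m.group(1))
        else:
            if count >= min_resends:     # close the burst we were tracking
                bursts.append((start, end, count))
            start, end, count = None, None, 0
            if m:                        # a resend after a gap opens a new burst
                start, end, count = ts, ts, int(m.group(1))
    if count >= min_resends:
        bursts.append((start, end, count))
    return bursts
```

Run against a real trace, a burst reported right after the Phase 2 lifetime elapses, with no later "established" message, is the rekey failure to correlate with the gateway's own logs.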