[vpn-help] Problem with Phase 2 SA lifetime rekeying between ShrewSoft 2.1.7 and Cisco IOS

Wed Apr 11 21:42:18 CDT 2012

On 04/11/2012 12:28 PM, Mark A. Sibert wrote:
> Has anyone figured out the cause of this problem and/or a solution to it?
>
> My connection drops briefly every 48 minutes.  It appears it's the
> same issue as described here - the SA expires and Shrew does
> re-establish the connection automatically, but traffic stops for maybe
> 30 seconds during the process.  Long enough to terminate the
> connections for some of the programs I'm running.
>
> Cisco AnyConnect works fine, but doesn't allow me to do split
> tunneling like Shrew does.  I'm running 2.2.0-beta-2.
>
> Thanks!
>
> - Mark
>
>
> On Mon, 21 Mar 2011 02:25:51 +0200
> "Nikolaj Griscenko"<n.griscenko at gmail.com>  wrote:
>
>>
>> I have encountered a problem I can't solve. The connection between
>> shrewsoft 2.1.7 client (Win 7 x64) and Cisco 2811 router (12.4.(3g)
>> IOS) is established normally and traffic passes ok, but when phase 2
>> security association life-time expires - shrewsoft can't renegotiate
>> a new SA with Cisco and former SA is deleted. I checked the SA
>> parameter both on Cisco and Shrewsoft and tried different SA values,
>> but no luck. I also attach my trace files. What could be the problem?
>> Could it be a software bug? Thanks.
>>
>
> Hi Nikolaj,
>
> I looked at your ike trace and it does look like the Phase 2
> re-negotiation is failing.  I can see a bunch of phase2 resends:
>
> 11/03/21 01:50:21 ->  : resend 1 phase2 packet(s) 192.168.0.125:4500 ->
> X.X.X.X:4500
> 11/03/21 01:50:21 ->  : resend 1 phase2 packet(s) 192.168.0.125:4500 ->
> X.X.X.X:4500
> 11/03/21 01:50:26 ->  : resend 1 phase2 packet(s) 192.168.0.125:4500 ->
> X.X.X.X:4500
> 11/03/21 01:50:26 ->  : resend 1 phase2 packet(s) 192.168.0.125:4500 ->
> X.X.X.X:4500
>
> Unfortunately, the log doesn't suggest (to me at least) any reason why
> the phase2 packets aren't going through.  If you checked that the Phase
> 2 SA lifetime parameter was the same in the Shrew client and the Cisco,
> Phase 2 re-negotiation should occur many times because your Phase 1
> lifetime is 86400 seconds (vs 300 seconds for Phase 2).
>
> Perhaps someone with more experience with Cisco can help?  I know
> there's some settings regarding Cisco compatible vendor IDs, but I
> don't know what they do.
>

Hi Mark,

My observation of Shrew's behaviour is that it actually tries to setup a 
new SA *before* the old one expires.  If you look in the Trace Utility 
at the SA tab close the the expiry time, you may find that there's two 
SAs, the old one with status DYING and a new one.

I've sometimes seen that one end of the tunnel switches to the new SA 
before the other end, so you end up with a strange situation of bytes in 
one direction using one SA and bytes in the other direction using the 
other SA.

Perhaps there is a problem with this process.  Either the Cisco does not 
allow two concurrent SAs, so Shrew has to wait until the first SA has 
completely died before starting the re-negotiation, or the Cisco balks 
at the "split-SA" condition and drops packets that Shrew sends over the 
new SA before the Cisco has switched to it?