[vpn-help] Problem with Phase 2 SA lifetime rekeying
kvpn at live.com
Mon Apr 16 19:53:38 CDT 2012
On 04/13/2012 05:47 PM, Mark A. Sibert wrote:
> Today, I tried setting the Phase 1 and Phase 2 Key Life Time Limits to
> 28,800 seconds. (Since that was the maximum allowable value for Phase 2.)
> Approximately 6 hours and 24 minutes later, I got the same behavior where
> traffic stops temporarily, then resumes. This happens at 80% of the
> lifetime limit, just as 48 minutes was 80% of the 1-hour limit I had
> specified previously. I looked through the IKE Service tab of the Trace
> Utility and confirmed that the 'traffic hiccup' occurred while Shrew was
> setting up new SAs.
> This has now gone from being a major hassle to a minor nuisance. I can
> live with a 'hiccup' every six hours if it means I can use split tunneling.
> :-) Still, it would be nice if someone knowledgeable in such things could
> determine what is happening and why.
I agree, it would be nice to get to the bottom of it. It could just be
an incompatibility though.
I saw a similar situation with another vendor's VPN gateway a few years
ago. I could connect fine with Shrew, but at the end of the lifetime,
the gateway refused to re-negotiate the SAs and would drop the tunnel.
In this case it ended up being the vendor's IPSec stack, as TheGreenBow
VPN client could not connect at all, despite mirroring all the settings
from Shrew. I even setup another gateway from another vendor that used
the same settings to ensure that both Shrew and TheGreenBow would
re-negotiate SAs at timeout in that configuration, which they dutifully
did for days at a time.
BTW, have you tried configuring Shrew to accept the policy from the
gateway (or chose Tunnel All)? I know, no split tunnelling, but it
might be worth it to see if that makes a difference?
More information about the vpn-help