[vpn-help] Problem with Phase 2 SA lifetime rekeying

[Kevin VPN]

On 04/13/2012 05:47 PM, Mark A. Sibert wrote:
> Today, I tried setting the Phase 1 and Phase 2 Key Life Time Limits to
> 28,800 seconds.  (Since that was the maximum allowable value for Phase 2.)
>   Approximately 6 hours and 24 minutes later, I got the same behavior where
> traffic stops temporarily, then resumes.  This happens at 80% of the
> lifetime limit, just as 48 minutes was 80% of the 1-hour limit I had
> specified previously.  I looked through the IKE Service tab of the Trace
> Utility and confirmed that the 'traffic hiccup' occurred while Shrew was
> setting up new SAs.
>
> This has now gone from being a major hassle to a minor nuisance.  I can
> live with a 'hiccup' every six hours if it means I can use split tunneling.
>   :-)  Still, it would be nice if someone knowledgeable in such things could
> determine what is happening and why.
>

Hi Mark,

I agree, it would be nice to get to the bottom of it.  It could just be 
an incompatibility though.

I saw a similar situation with another vendor's VPN gateway a few years 
ago.  I could connect fine with Shrew, but at the end of the lifetime, 
the gateway refused to re-negotiate the SAs and would drop the tunnel. 
In this case it ended up being the vendor's IPSec stack, as TheGreenBow 
VPN client could not connect at all, despite mirroring all the settings 
from Shrew.  I even setup another gateway from another vendor that used 
the same settings to ensure that both Shrew and TheGreenBow would 
re-negotiate SAs at timeout in that configuration, which they dutifully 
did for days at a time.

BTW, have you tried configuring Shrew to accept the policy from the 
gateway (or chose Tunnel All)?  I know, no split tunnelling, but it 
might be worth it to see if that makes a difference?