[vpn-help] Problem with Phase 2 SA lifetime rekeying

Mark A. Sibert marksibert at gmail.com
Tue Apr 17 08:58:54 CDT 2012


On Mon, Apr 16, 2012 at 8:53 PM, Kevin VPN <kvpn at live.com> wrote:

> On 04/13/2012 05:47 PM, Mark A. Sibert wrote:
>
>> Today, I tried setting the Phase 1 and Phase 2 Key Life Time Limits to
>> 28,800 seconds (since that was the maximum allowable value for Phase 2).
>> Approximately 6 hours and 24 minutes later, I got the same behavior where
>> traffic stops temporarily, then resumes.  This happens at 80% of the
>> lifetime limit, just as 48 minutes was 80% of the 1-hour limit I had
>> specified previously.  I looked through the IKE Service tab of the Trace
>> Utility and confirmed that the 'traffic hiccup' occurred while Shrew was
>> setting up new SAs.
>>
>> This has now gone from being a major hassle to a minor nuisance.  I can
>> live with a 'hiccup' every six hours if it means I can use split
>> tunneling.  :-)  Still, it would be nice if someone knowledgeable in such
>> things could determine what is happening and why.
>>
>>
> Hi Mark,
>
> I agree, it would be nice to get to the bottom of it.  It could just be an
> incompatibility though.
>
> I saw a similar situation with another vendor's VPN gateway a few years
> ago.  I could connect fine with Shrew, but at the end of the lifetime, the
> gateway refused to re-negotiate the SAs and would drop the tunnel. In this
> case it ended up being the vendor's IPSec stack, as TheGreenBow VPN client
> could not connect at all, despite mirroring all the settings from Shrew.  I
> even set up another gateway from another vendor that used the same settings
> to ensure that both Shrew and TheGreenBow would re-negotiate SAs at timeout
> in that configuration, which they dutifully did for days at a time.
>
> BTW, have you tried configuring Shrew to accept the policy from the
> gateway (or choose Tunnel All)?  I know, no split tunnelling, but it might
> be worth it to see if that makes a difference?


I did try accepting the policy as-is, and the behavior was the same.  Oh
well.  It's not a huge deal, as long as my IT department doesn't change the
phase-2 timeout on the gateway to something short. Thanks...

- Mark