[vpn-help] Problem with Phase 2 SA lifetime rekeying

Mark A. Sibert marksibert at gmail.com
Tue Apr 17 08:58:54 CDT 2012

On Mon, Apr 16, 2012 at 8:53 PM, Kevin VPN <kvpn at live.com> wrote:

> On 04/13/2012 05:47 PM, Mark A. Sibert wrote:
>> Today, I tried setting the Phase 1 and Phase 2 Key Life Time Limits to
>> 28,800 seconds.  (Since that was the maximum allowable value for Phase 2.)
>>  Approximately 6 hours and 24 minutes later, I got the same behavior where
>> traffic stops temporarily, then resumes.  This happens at 80% of the
>> lifetime limit, just as 48 minutes was 80% of the 1-hour limit I had
>> specified previously.  I looked through the IKE Service tab of the Trace
>> Utility and confirmed that the 'traffic hiccup' occurred while Shrew was
>> setting up new SAs.
>> This has now gone from being a major hassle to a minor nuisance.  I can
>> live with a 'hiccup' every six hours if it means I can use split
>> tunneling.
>>  :-)  Still, it would be nice if someone knowledgeable in such things
>> could
>> determine what is happening and why.
> Hi Mark,
> I agree, it would be nice to get to the bottom of it.  It could just be an
> incompatibility though.
> I saw a similar situation with another vendor's VPN gateway a few years
> ago.  I could connect fine with Shrew, but at the end of the lifetime, the
> gateway refused to re-negotiate the SAs and would drop the tunnel. In this
> case it ended up being the vendor's IPSec stack, as TheGreenBow VPN client
> could not connect at all, despite mirroring all the settings from Shrew.  I
> even setup another gateway from another vendor that used the same settings
> to ensure that both Shrew and TheGreenBow would re-negotiate SAs at timeout
> in that configuration, which they dutifully did for days at a time.
> BTW, have you tried configuring Shrew to accept the policy from the
> gateway (or chose Tunnel All)?  I know, no split tunnelling, but it might
> be worth it to see if that makes a difference?
> ______________________________**_________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/**mailman/listinfo/vpn-help<http://lists.shrew.net/mailman/listinfo/vpn-help>

I did try accepting the policy as-is, and the behavior was the same.  Oh
well.  It's not a huge deal, as long as my IT department doesn't change the
phase-2 timeout on the gateway to something short. Thanks...

- Mark
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20120417/7c0da864/attachment-0002.html>

More information about the vpn-help mailing list