[vpn-help] Phase 2 Rekeying

Matthew Grooms mgrooms at shrew.net
Wed Apr 3 02:33:33 CDT 2013


On 3/29/2013 10:50 AM, John Sayce wrote:
>
> I had this configured on two sites.  Both have Juniper SSG-320
> firewalls.  However, one site is managed by the ISP so I don't have
> access to the firewall.  Both sites have the same problem but have
> significantly different versions of firmware running on the
> firewalls.  On the site that I manage I've removed this vpn and
> replaced it with an L2TP vpn.
>
> I am by no means an expert on any of this but usually if the problem
> is related to the config I can figure it out.  I'm being told by the
> ISP that the problem is most likely a bug with the shrewsoft client.
> Although I can't say I understand the reasoning and it seems
> reasonable that it's in their interest to blame the client.
>
> In terms of the VPN monitor setting, you are indeed right, it should
> be off.  I only had it on to see if it would make a difference.  I've
> obviously forgotten I had this on when I was capturing logs, however
> the problem remains the same.  I can't remember what I had with the
> rekey setting.  I think if VPN monitor is disabled, rekey is also
> disabled.
>
> If it'll help I can get more logs and do more testing but I'll have
> to go to the ISP to get the logs.  I can also ask for a written
> explanation of why they think the client is at fault.  However they
> won't give me the config on the firewall.....
>

John,

The Shrew Soft client attempts to re-negotiate a new SA before the old 
SA expires. This is in an attempt to make sure there are no gaps in 
communication. It's possible that the Juniper device is discarding the 
old SA after the new one is established, even though the old SA hasn't 
expired yet. That wouldn't explain why there is a 30 minute gap in 
communications, but it would explain a 12 ( or maybe 15 ) minute gap.

If you leave the connection up until the first SA expires ( you should 
see them expire in the VPN Trace App ), does the communication resume? 
The idea being that the client would start sending traffic using the new 
SA which the gateway would then accept.

I probably need to add an option to prevent the client from negotiating 
overlapping SAs. The problem is that it would either need to be a global 
option or I would need to add a proprietary extension to the SP 
database. A peer shouldn't discard an SA until it's expiration time. If 
it does, it should at least send a delete notification. I'm guessing 
that it's discarding the SA without a notification.

-Matthew
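
The rekey race Matthew describes above, as an added illustration that is not part of this thread or of the Shrew Soft client code: a minute-resolution Python model of overlapping Phase 2 SAs. The 60-minute lifetime, 15-minute rekey margin and the `Gateway` policy flags are constructed assumptions; the model shows that a peer which silently drops the old SA when the new one is installed causes an outage exactly as long as the rekey margin (the 12 to 15 minute gap), while a peer that honours the expiry time, or at least sends a delete notification, causes none.

```python
from dataclasses import dataclass, field


@dataclass
class Gateway:
    """Gateway-side inbound SA table (SPIs it will accept traffic on)."""
    discard_old_on_new: bool      # suspected misbehaviour: drop old SA early
    sends_delete: bool = False    # whether it at least notifies the peer
    accepted: set = field(default_factory=set)

    def add_sa(self, new_spi, old_spi):
        """Install the new SA; return old_spi if a delete notice is sent."""
        self.accepted.add(new_spi)
        if self.discard_old_on_new and old_spi in self.accepted:
            self.accepted.discard(old_spi)
            return old_spi if self.sends_delete else None
        return None


def simulate(gw, lifetime, margin, minutes):
    """Return the minutes (0..minutes-1) in which the client's packet is dropped.

    The client negotiates SA n+1 `margin` minutes before SA n expires but keeps
    sending on SA n until n's own expiry, unless a delete notice arrives.
    Assumes 0 < margin < lifetime (constructed values, see lead-in)."""
    dropped = []
    current, expires_at, pending, next_spi = 0, lifetime, None, 1
    gw.accepted.add(current)
    for t in range(minutes):
        if t == expires_at:                     # old SA expires on both sides
            gw.accepted.discard(current)
            current, expires_at = pending       # client moves to the new SA
            pending = None
        if pending is None and t == expires_at - margin:
            pending = (next_spi, t + lifetime)  # overlapping SA negotiated
            next_spi += 1
            if gw.add_sa(pending[0], current) == current:
                current, expires_at = pending   # delete notice: switch now
                pending = None
        if current not in gw.accepted:          # packet sent on a dead SA
            dropped.append(t)
    return dropped


def longest_gap(dropped):
    """Length of the longest run of consecutive dropped minutes."""
    best = run = 0
    for i, t in enumerate(dropped):
        run = run + 1 if i and dropped[i - 1] == t - 1 else 1
        best = max(best, run)
    return best
```

With these numbers the longest outage equals the 15-minute margin, so a 30-minute gap would need a second cause.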
