[vpn-help] Shrew VPN Client + Juniper SRX : Autodisconnect

Eric eric.havemann at gmail.com
Fri Mar 1 14:11:29 CST 2013


I have some information on this topic that might be of interest to the community.

I had the same problem as everyone else which ultimately led me to this page. 
The VPN connection would drop about 45 seconds after successfully completing
Phase1 and Phase2.  What was strange was that I had a working Shrewsoft
configuration before I upgraded my SRX210 cluster from OS version 11.2R4.3 to
the current release, 12.1X44-D10.4.

Between the time I successfully got Shrewsoft to work and I upgraded the SRX OS,
I had made significant changes to the SRX configuration without going back to
test if Shrewsoft still worked.  So once I was able to get back to the VPN
configuration, I experienced the timeout issue and assumed I broke something.

I rolled back the SRX210 cluster to 11.2RR.3 (CLI command "request system
software rollback") and rebooted.  I got the same disconnect issue, but this
time it occurred every time at exactly 355 seconds, not 45.  Both P1 and P2 were
configured on both sides - SRX and Shrewsoft - at 28,800 seconds.

I set the SRX P1 timeout to 181 seconds - same problem - disconnect at 355
seconds.  I set the Shrewsoft timeout to 120 seconds and it worked!  No
disconnect at 355 seconds.  I gave up waiting after 1200 seconds or so.

Through trial and error I can tell you that when Shrewsoft Phase1 rekey time is
set to 403 seconds, it disconnects at 355 seconds.  When I reconfigure Shrewsoft
P1 to 402 seconds, I no longer get the disconnect.  I have no idea why this
appears to be a "magic number".  But the behavior so far is consistent.

My test consisted of a Windows 7 Ultimate machine, running a continuous ping
test to an IP behind the firewall to provide constant traffic.

I've also got Junos Pulse and Netscreen Remote clients configured and working on
the same SRX210 setup.

I will be doing some additional testing and will keep you posted.  For example I
want to compare the Shrewsoft IKE and IPSEC logs under both scenarios - working
and failed - to see if I can spot differences.  Also I am going to mess around
with the SRX Phase1 lifetime setting and see if that affects anything.

If anyone wants the Shrewsoft and SRX configs I will post.
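The log comparison the poster plans (working vs. failed run, time from SA establishment to the drop, position of the drop relative to the configured Phase 1 lifetime) can be scripted. The following is an added example, not part of the original post and not Shrew Soft's code; the log line format, the message wording ("phase1 sa established", "tunnel disabled", "rekey") and the sample lines are all constructed assumptions for illustration, so the regular expression and the EVENTS table would need adjusting to the real ike.log layout.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample log excerpts. The line layout (date, time, a two-letter
# level tag, then the message) is an ASSUMPTION made for this example; it is
# not a claim about the real Shrew Soft ike.log format.
FAILED_LOG = """\
13/03/01 14:00:00 ii : phase1 sa established
13/03/01 14:00:01 ii : phase2 sa established
13/03/01 14:05:55 ii : tunnel disabled
"""

WORKING_LOG = """\
13/03/01 15:00:00 ii : phase1 sa established
13/03/01 15:00:01 ii : phase2 sa established
13/03/01 15:02:00 ii : phase1 sa rekey initiated
13/03/01 15:02:01 ii : phase1 sa established
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \w\w : (.*)$")

# Message fragments mapped to short event tags (assumed wording).
EVENTS = {
    "phase1 sa established": "p1_up",
    "phase2 sa established": "p2_up",
    "rekey": "rekey",
    "tunnel disabled": "down",
}


def parse_events(text: str) -> List[Tuple[datetime, str]]:
    """Return (timestamp, event_tag) for every recognised line, in file order."""
    out: List[Tuple[datetime, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S")
        msg = m.group(2).lower()
        for needle, tag in EVENTS.items():
            if needle in msg:
                out.append((ts, tag))
                break
    return out


def seconds_to_drop(events: List[Tuple[datetime, str]]) -> Optional[float]:
    """Seconds from the first Phase 1 SA to the first tunnel-down event, or None."""
    start = next((ts for ts, tag in events if tag == "p1_up"), None)
    down = next((ts for ts, tag in events if tag == "down"), None)
    if start is None or down is None:
        return None
    return (down - start).total_seconds()


def drop_vs_lifetime(seconds: Optional[float], p1_lifetime: int) -> str:
    """Describe where the drop fell relative to the configured Phase 1 lifetime."""
    if seconds is None:
        return "no drop observed"
    if seconds < p1_lifetime:
        return f"dropped {p1_lifetime - seconds:.0f}s before the {p1_lifetime}s lifetime expired"
    return f"dropped {seconds - p1_lifetime:.0f}s after the {p1_lifetime}s lifetime expired"


def first_divergence(a: List[Tuple[datetime, str]],
                     b: List[Tuple[datetime, str]]) -> Optional[int]:
    """Index of the first event tag at which two event sequences differ, or None."""
    ta = [tag for _, tag in a]
    tb = [tag for _, tag in b]
    for i, (x, y) in enumerate(zip(ta, tb)):
        if x != y:
            return i
    return None if len(ta) == len(tb) else min(len(ta), len(tb))


if __name__ == "__main__":
    failed = parse_events(FAILED_LOG)
    working = parse_events(WORKING_LOG)
    # With the constructed sample, the failed run drops 355 s after Phase 1
    # came up, 48 s short of a 403 s lifetime; the sequences diverge at event 2.
    print(drop_vs_lifetime(seconds_to_drop(failed), 403))
    print("first divergence at event index", first_divergence(failed, working))
```

Run it against two real log captures by replacing the two string constants with the file contents; `first_divergence` points at the first event where the working and failed runs stop matching, which is where to start reading the surrounding raw lines.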