[vpn-help] Phase 2 Rekeying
Kevin VPN
kvpn at live.com
Thu Mar 28 22:12:12 CDT 2013
On 02/28/2013 02:53 AM, John Sayce wrote:
> My problem seems roughly similar to this one
> https://lists.shrew.net/pipermail/vpn-help/2012-April/013833.html
>
> I have a dial up vpn that is connecting to a Juniper SSG-140. The
> initial connection is fine and all works as expected until the phase
> two key time limit expires. The time limit is currently set to 3600
> seconds. At 2880 seconds (48 minutes) a new SA is established and my
> connection fails. At the point where the connection fails, I cannot
> simply disconnect and reconnect. I have to wait for about half an
> hour before reconnecting. I guess it would make sense if I had to
> wait an additional 48 minutes. I don't have the exact figures for
> this.
>
> I've attached the config for the firewall and client. And I've
> attached the debug log from the client and the "debug ike detail"
> output from the firewall.
>
> I've tried to trim part of the firewall log as I have multiple vpn
> connections.
>
Hi John,
I see in the Shrew Client Log.txt where the Phase 2 is re-negotiated,
but the Firewall Log.log does not show that. Can you take another dbuf
stream around the time the phase 2 should renegotiate?
The regular firewall log would be helpful too.
I've seen the 30 minute delay before reconnecting before, I think it's
somehow related to the VPN Monitor. Turn that off (AutoKey IKE config)
and see if it makes a difference. VPN monitor doesn't make sense for a
dialup VPN with a dynamic address anyway.
I also do not have rekey selected for my dialup VPNs and they renew fine
(which is counter-intuitive). Maybe that's messing up the Phase 2 renewal?
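Kevin's first question is whether the gateway ever saw the phase 2 rekey the client logged. The script below is an added illustration of that check, not code from the thread, the Shrew Soft client or Juniper: it parses two constructed, simplified SA event logs (the `t=... phase2 sa ...` format is invented for the example; real Shrew client and ScreenOS `debug ike detail` output look different) and reports client rekeys that have no matching gateway rekey, plus the rekey point as a fraction of the configured lifetime.

```python
"""Correlate IPsec phase 2 (child SA) events from a VPN client log and a
gateway log, flagging rekeys one side performed and the other never logged.

Added example for this thread; log format and sample lines are constructed,
not Shrew Soft or ScreenOS output.
"""

from dataclasses import dataclass
import re


@dataclass
class SaEvent:
    t: int      # seconds since tunnel establishment
    side: str   # "client" or "gateway"
    kind: str   # "established" or "rekey"


# Constructed sample: the client rekeys at 80% of a 3600 s lifetime
# (2880 s, as in the thread), while the gateway only logged the initial SA.
CLIENT_LOG = """\
t=0 phase2 sa established spi=0x1
t=2880 phase2 sa rekey spi=0x2
"""
GATEWAY_LOG = """\
t=0 phase2 sa established spi=0x1
"""

LINE_RE = re.compile(r"t=(\d+) phase2 sa (established|rekey)")


def parse(log: str, side: str) -> list:
    """Extract SA events from one side's log (constructed format)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(SaEvent(int(m.group(1)), side, m.group(2)))
    return events


def unmatched_rekeys(client, gateway, tolerance: int = 30) -> list:
    """Client rekey times with no gateway rekey within `tolerance` seconds.

    A non-empty result means the client thinks it renewed the SA but the
    gateway has no record of it, which is the situation Kevin is asking
    John to capture with a second debug stream.
    """
    gw_times = [e.t for e in gateway if e.kind == "rekey"]
    return [
        e.t for e in client
        if e.kind == "rekey"
        and not any(abs(e.t - g) <= tolerance for g in gw_times)
    ]


def rekey_fraction(lifetime_s: int, rekey_at_s: int) -> float:
    """Where in the configured lifetime the rekey happened (0.8 = 80%)."""
    return rekey_at_s / lifetime_s


if __name__ == "__main__":
    client = parse(CLIENT_LOG, "client")
    gateway = parse(GATEWAY_LOG, "gateway")
    for t in unmatched_rekeys(client, gateway):
        print(f"client rekeyed at t={t}s, gateway shows no rekey "
              f"({rekey_fraction(3600, t):.0%} of 3600 s lifetime)")
```

Run against real captures, the parser is the only part that needs replacing; the correlation logic stays the same and the tolerance window absorbs clock skew between the two logs.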