[vpn-help] Phase 2 Rekeying

John Sayce jsayce at asdlighting.com
Fri Mar 29 10:50:27 CDT 2013


>On 02/28/2013 02:53 AM, John Sayce wrote:
>> My problem seems roughly similar to this one
>> https://lists.shrew.net/pipermail/vpn-help/2012-April/013833.html
>>
>> I have a dial up vpn that is connecting to a Juniper SSG-140.  The
>> initial connection is fine and all works as expected until the phase
>> two key time limit expires.  The time limit is currently set to 3600
>> seconds.  At 2880 seconds (48 minutes) a new SA is established and my
>> connection fails.  At the point where the connection fails, I cannot
>> simply disconnect and reconnect.  I have to wait for about half an
>> hour before reconnecting.  I guess it would make sense if I had to
>> wait an additional 48 minutes.  I don't have the exact figures for
>> this.
>>
>> I've attached the config for the firewall and client.  And I've
>> attached the debug log from the client and the "debug ike detail"
>> output from the firewall.
>>
>> I've tried to trim part of the firewall log as I have multiple vpn
>> connections.
>>
>
>
>
>Hi John,
>
>I see in the Shrew Client Log.txt where the Phase 2 is re-negotiated,
>but the Firewall Log.log does not show that.  Can you take another dbuf
>stream around the time the phase 2 should renegotiate?
>
>The regular firewall log would be helpful too.
>
>I've seen the 30 minute delay before reconnecting before, I think it's
>somehow related to the VPN Monitor.  Turn that off (AutoKey IKE config)
>and see if it makes a difference.  VPN monitor doesn't make sense for a
>dialup VPN with a dynamic address anyway.
>
>
>I also do not have rekey selected for my dialup VPNs and they renew fine
>(which is counter-intuitive).  Maybe that's messing up the Phase 2 renewal?

I had this configured on two sites.  Both have Juniper SSG-320 firewalls.  However, one site is managed by the ISP so I don't have access to the firewall.  Both sites have the same problem but have significantly different versions of firmware running on the firewalls.  On the site that I manage I've removed this vpn and replaced it with an L2TP vpn.  

I am by no means an expert on any of this but usually if the problem is related to the config I can figure it out.  I'm being told by the ISP that the problem is most likely a bug with the shrewsoft client, although I can't say I understand the reasoning, and it seems reasonable that it's in their interest to blame the client.

In terms of the VPN monitor setting, you are indeed right, it should be off.  I only had it on to see if it would make a difference.  I've obviously forgotten I had this on when I was capturing logs, however the problem remains the same.  I can't remember what I had with the rekey setting.  I think if VPN monitor is disabled, rekey is also disabled.

If it'll help I can get more logs and do more testing but I'll have to go to the ISP to get the logs.  I can also ask for a written explanation of why they think the client is at fault.  However, they won't give me the config on the firewall...

Thanks
John
