[vpn-help] SonicWALL softlimit phase2 renewal problems

Michael Schler mailabo at blatten.com
Wed Jul 1 17:46:37 CDT 2015


Hello,

I've set up a connection between a Windows 2012 R2 Server (40.40.40.40)
using Shrew VPN Client (version 2.2.2) and a SonicWALL (and for tests
also with a FortiGate) (50.50.50.50).

The initial VPN tunnel comes up with either firewall.
When the softlimit timeout for the phase2 is reached the VPN Client
starts the renewal of phase2. With the SonicWALL this renewal shows two
errors (!!:) towards its end. While the tunnel as such seems to fire up
again it is not possible to reach the final destination server
(10.10.10.10) behind the SonicWALL for some time (using Test-Connection
i.e. pings). Only after the hardlimit timeout for phase2 is reached do the
pings go through again.

The identical setup (VPN Client wise) with a FortiGate does not have
this problem. Here the phase2 renewal produces no errors and the
destination server can be reached by pings at all times.

Shrew VPN Client setup

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-dns-used:0
n:client-dns-auto:0
n:client-dns-suffix-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:1
n:phase1-dhgroup:5
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:1800
n:phase2-life-kbytes:0
n:policy-nailed:1
n:policy-list-auto:0
s:network-host:40.40.40.40
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:192.168.1.1
s:client-ip-mask:255.255.255.255
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:(secret)
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:5
s:policy-level:require
s:policy-list-include:50.50.50.50 / 255.255.255.255,10.10.10.10 /
255.255.255.255

Connection with the SonicWALL phase 2 renewal last part (VPN Client log)
<- :	recv IKE packet 50.50.50.50:500 -> 40.40.40.40:500 ( 76 bytes )
DB :	phase1 found
ii :	processing informational packet ( 76 bytes )
== :	new informational iv ( 8 bytes )
=< :	cookies 915d9ca44709a15b:e77b80b9c572d32d
=< :	message 552fc103
=< :	decrypt iv ( 8 bytes )
== :	decrypt packet ( 76 bytes )
<= :	trimmed packet padding ( 4 bytes )
<= :	stored iv ( 8 bytes )
<< :	hash payload
<< :	delete payload
!! :	unprocessed payload data !!!
== :	informational hash_i ( computed ) ( 20 bytes )
== :	informational hash_c ( received ) ( 20 bytes )
!! :	informational hash verification failed
ii :	received peer DELETE message
ii :	- 50.50.50.50:500 -> 40.40.40.40:500
ii :	- ipsec-esp spi = 0x5347bf9c
no further entries until a few minutes later
ii :	phase2 sa is dead
ii :	phase2 removal after expire time
DB :	phase2 deleted ( obj count = 1 )

Connection with the SonicWALL phase 2 renewal last part (VPN Client log)
<- :	recv IKE packet 50.50.50.50:500 -> 40.40.40.40:500 ( 76 bytes )
DB :	phase1 found
ii :	processing informational packet ( 76 bytes )
== :	new informational iv ( 8 bytes )
=< :	cookies 30319e5309693dd8:33dfc550c179a81b
=< :	message 2db6a00f
=< :	decrypt iv ( 8 bytes )
== :	decrypt packet ( 76 bytes )
<= :	trimmed packet padding ( 8 bytes )
<= :	stored iv ( 8 bytes )
<< :	hash payload
<< :	delete payload
== :	informational hash_i ( computed ) ( 20 bytes )
== :	informational hash_c ( received ) ( 20 bytes )
ii :	informational hash verified
ii :	received peer DELETE message
ii :	- 50.50.50.50:500 -> 40.40.40.40:500
ii :	- ipsec-esp spi = 0xb9b142e9
DB :	phase2 found
DB :	cleanup, marked phase2 0xb9b142e9 for removal
DB :	phase2 hard event canceled ( ref count = 1 )
K> :	send pfkey DELETE ESP message
K< :	recv pfkey DELETE ESP message
K> :	send pfkey DELETE ESP message
K< :	recv pfkey DELETE ESP message
ii :	phase2 removal before expire time
DB :	phase2 deleted ( obj count = 1 )

Does anyone have an idea why the phase2 renewal with the SonicWALL produces the
!! : unprocessed payload data !!!
!! : informational hash verification failed
errors?
Even after setting the log level to "loud" I could see nothing in the logs about why
the pings don't go through for some minutes and afterwards go through again.

Thank You!
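Added example, not part of the post: a small parser for Shrew VPN Client log lines that tracks each IKEv1 informational exchange (message id, payloads, hash verification result, DELETE SPI, and whether the phase2 SA was torn down before or after its expire time). Run over the two excerpts above it separates the problem case (peer DELETE received, HASH verification failed, SA only removed after the hard expiry) from the clean case (HASH verified, SA removed immediately), which is the condition a defender would want to alert on when a tunnel appears up but traffic stalls until the hard lifetime. The log text is copied from the post; the "no further entries" line and everything else the parser does are assumptions made for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Shrew log lines look like "<tag> :\t<message>"; the tag is two
# non-space characters ("ii", "!!", "DB", "<<", "K>", ...).
LINE_RE = re.compile(r"^(?P<tag>\S{2})\s*:\s*(?P<msg>.*)$")
SPI_RE = re.compile(r"spi = (0x[0-9a-fA-F]+)")


@dataclass
class InformationalExchange:
    """State collected for one 'processing informational packet' block."""
    message_id: str = ""
    payloads: list[str] = field(default_factory=list)
    padding_trimmed: Optional[int] = None
    unprocessed_data: bool = False
    hash_verified: Optional[bool] = None
    delete_spi: str = ""
    removed_before_expire: Optional[bool] = None


def parse_shrew_log(text: str) -> list[InformationalExchange]:
    """Group log lines into informational exchanges and extract the facts
    needed to judge whether a peer DELETE was authenticated and honoured."""
    exchanges: list[InformationalExchange] = []
    current: Optional[InformationalExchange] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # free-text annotations are not log lines
        tag, msg = m.group("tag"), m.group("msg").strip()
        if msg.startswith("processing informational packet"):
            current = InformationalExchange()
            exchanges.append(current)
            continue
        if current is None:
            continue
        if tag == "=<" and msg.startswith("message "):
            current.message_id = msg.split()[1]
        elif tag == "<=" and msg.startswith("trimmed packet padding"):
            current.padding_trimmed = int(re.search(r"\( (\d+) bytes \)", msg).group(1))
        elif tag == "<<" and msg.endswith(" payload"):
            current.payloads.append(msg[: -len(" payload")])
        elif "unprocessed payload data" in msg:
            current.unprocessed_data = True
        elif msg == "informational hash verified":
            current.hash_verified = True
        elif msg == "informational hash verification failed":
            current.hash_verified = False
        elif (spi := SPI_RE.search(msg)) is not None:
            current.delete_spi = spi.group(1)
        elif msg == "phase2 removal before expire time":
            current.removed_before_expire = True
        elif msg == "phase2 removal after expire time":
            current.removed_before_expire = False
    return exchanges


def classify(x: InformationalExchange) -> str:
    """'delete-ignored': a DELETE arrived but its HASH did not verify, so the
    client kept the old SA until hard expiry. 'delete-honoured': the DELETE
    was authenticated and the SA was removed at once."""
    if "delete" in x.payloads and x.hash_verified is False:
        return "delete-ignored"
    if "delete" in x.payloads and x.hash_verified and x.removed_before_expire:
        return "delete-honoured"
    return "unknown"


# Excerpts copied from the post; the trailing lines of the first excerpt are
# separated by an annotation that the parser skips.
FAILED_RENEWAL_LOG = """\
ii :	processing informational packet ( 76 bytes )
=< :	message 552fc103
== :	decrypt packet ( 76 bytes )
<= :	trimmed packet padding ( 4 bytes )
<< :	hash payload
<< :	delete payload
!! :	unprocessed payload data !!!
!! :	informational hash verification failed
ii :	received peer DELETE message
ii :	- ipsec-esp spi = 0x5347bf9c
no further entries until a few minutes later
ii :	phase2 sa is dead
ii :	phase2 removal after expire time
"""

CLEAN_RENEWAL_LOG = """\
ii :	processing informational packet ( 76 bytes )
=< :	message 2db6a00f
<= :	trimmed packet padding ( 8 bytes )
<< :	hash payload
<< :	delete payload
ii :	informational hash verified
ii :	received peer DELETE message
ii :	- ipsec-esp spi = 0xb9b142e9
K> :	send pfkey DELETE ESP message
ii :	phase2 removal before expire time
"""


def report(text: str) -> list[str]:
    """One classification string per informational exchange in the log."""
    return [classify(x) for x in parse_shrew_log(text)]


if __name__ == "__main__":
    for name, log in (("failed", FAILED_RENEWAL_LOG), ("clean", CLEAN_RENEWAL_LOG)):
        for x in parse_shrew_log(log):
            print(name, x.message_id, x.delete_spi, x.padding_trimmed, classify(x))
```

The useful observation the parser surfaces is that in the failing exchange the client logged four bytes of trimmed padding plus "unprocessed payload data", whereas the clean exchange trimmed eight bytes and had nothing left over; since the IKEv1 informational HASH covers the payloads after the HASH payload, a length disagreement of that kind is the first thing to compare between the two peers' packets.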

