<div class="gmail_quote">On Mon, Apr 16, 2012 at 8:53 PM, Kevin VPN <span dir="ltr"><<a href="mailto:kvpn@live.com">kvpn@live.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 04/13/2012 05:47 PM, Mark A. Sibert wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Today, I tried setting the Phase 1 and Phase 2 Key Life Time Limits to<br>
28,800 seconds. (Since that was the maximum allowable value for Phase 2.)<br>
Approximately 6 hours and 24 minutes later, I got the same behavior where<br>
traffic stops temporarily, then resumes. This happens at 80% of the<br>
lifetime limit, just as 48 minutes was 80% of the 1-hour limit I had<br>
specified previously. I looked through the IKE Service tab of the Trace<br>
Utility and confirmed that the 'traffic hiccup' occurred while Shrew was<br>
setting up new SAs.<br>
<br>
This has now gone from being a major hassle to a minor nuisance. I can<br>
live with a 'hiccup' every six hours if it means I can use split tunneling.<br>
:-) Still, it would be nice if someone knowledgeable in such things could<br>
determine what is happening and why.<br>
<br>
</blockquote>
<br></div>
Hi Mark,<br>
<br>
I agree, it would be nice to get to the bottom of it. It could just be an incompatibility though.<br>
<br>
I saw a similar situation with another vendor's VPN gateway a few years ago. I could connect fine with Shrew, but at the end of the lifetime, the gateway refused to re-negotiate the SAs and would drop the tunnel. In this case it ended up being the vendor's IPSec stack, as TheGreenBow VPN client could not connect at all, despite mirroring all the settings from Shrew. I even setup another gateway from another vendor that used the same settings to ensure that both Shrew and TheGreenBow would re-negotiate SAs at timeout in that configuration, which they dutifully did for days at a time.<br>
<br>
BTW, have you tried configuring Shrew to accept the policy from the gateway (or chose Tunnel All)? I know, no split tunnelling, but it might be worth it to see if that makes a difference?<br>
______________________________<u></u>_________________<br>
vpn-help mailing list<br>
<a href="mailto:vpn-help@lists.shrew.net" target="_blank">vpn-help@lists.shrew.net</a><br>
<a href="http://lists.shrew.net/mailman/listinfo/vpn-help" target="_blank">http://lists.shrew.net/<u></u>mailman/listinfo/vpn-help</a><br>
</blockquote></div><div><br></div><br><div>I did try accepting the policy as-is, and the behavior was the same. Oh well. It's not a huge deal, as long as my IT department doesn't change the phase-2 timeout on the gateway to something short. Thanks...</div>
<div><br></div><div>- Mark</div>