On 11/29/2010 9:44 AM, Jochen De Smet wrote:
I'm not 100% sure what kind of Cisco is on the other side; I configured shrew by importing the .pfc file. Here's a summary of the config options:

- general: hostname and port set, auto config set to "ike config pull"
- client: NAT traversal enabled, keep-alive packet rate 15 secs, ike fragmentation disabled, all "other options" checked
- phase1: aggressive, group2, auto, key life time limit 86400 secs, 0 data limit
- phase2: auto, auto, auto, compress disabled, key life time limit 3600 secs, 0 data limit

Symptom: Sometimes all VPN traffic stops for a minute or so, then after that things usually work again. When looking at the "Network" tab of the established connection, it seems to always show the number of established associations as (expired + 2). Then after a while expired increases by 1, and that's when things work again. I'm not sure if it's related, but the shrew client also appears to take a lot longer to enable the initial tunnel than the cisco client (+-30 seconds vs +-3 seconds).
I'm not sure about this. Do you have any debug log output that shows this problem happening?
Any idea what the problem is or what to do about it? It's a bit annoying since the pause is usually long enough to make my ssh sessions disconnect.
Have you noticed that the traffic stops passing correctly at a specific time after the tunnel has been established? It could be that you have a phase2 timeout mismatch between the client and the gateway. To test the client in my lab, I set it to use 60 sec IPsec SAs to ensure that it works well during phase2 rekeys. However, your cisco gateway may be configured to behave differently, allowing a phase2 lifetime mismatch to occur.
My other guess is that there is a firewall state expiring for the UDP port mapping. Have you tried forcing NAT-T to enable to see if it has an effect? The reason I suggest this is that keepalive messages aren't sent unless NAT is detected and NAT-T is enabled.
-Matthew

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
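One way to answer the question above about whether the stalls line up with a phase2 rekey, as an added example that is not from the thread or the Shrew Soft project: run a timestamped ping through the tunnel (Linux iputils `ping -D` output format is assumed), note the epoch time the tunnel came up, then find the outage windows and test whether they start near multiples of a candidate SA lifetime. The log below is constructed inline with two stalls 1800 s apart, so it reports a mismatch against the 3600 s client lifetime from the config.

```python
"""Correlate tunnel stalls with IPsec SA lifetimes from a timestamped ping log."""
import re
from typing import List, Tuple

# Matches iputils "ping -D" lines: "[epoch.micro] 64 bytes from ..."
PING_RE = re.compile(r"^\[(\d+\.\d+)\]\s+\d+ bytes from")


def reply_times(log: str) -> List[float]:
    """Epoch timestamps of every successful ping reply in the log."""
    return [float(m.group(1)) for line in log.splitlines()
            if (m := PING_RE.match(line))]


def find_stalls(times: List[float], min_gap: float = 10.0) -> List[Tuple[float, float]]:
    """Return (last_reply_before_gap, gap_seconds) for each gap longer than min_gap."""
    return [(prev, cur - prev) for prev, cur in zip(times, times[1:]) if cur - prev > min_gap]


def stall_offsets(stalls, tunnel_up: float) -> List[Tuple[float, float]]:
    """Express each stall as seconds since the tunnel came up, keeping its duration."""
    return [(start - tunnel_up, dur) for start, dur in stalls]


def matches_period(offsets, period: float, tolerance: float = 60.0) -> bool:
    """True when every stall begins within `tolerance` seconds of a multiple of
    `period` after tunnel-up, which is the signature of an SA lifetime mismatch."""
    def distance(off: float) -> float:
        r = off % period
        return min(r, period - r)
    return bool(offsets) and all(distance(off) <= tolerance for off, _ in offsets)


def constructed_log(tunnel_up: float, seconds: int, outages) -> str:
    """Build a constructed ping -D log: one reply per second, none during outages.
    `outages` is a list of (offset_from_tunnel_up, duration) in seconds."""
    lines = []
    for i in range(seconds):
        if any(s <= i < s + d for s, d in outages):
            continue  # no reply arrives while the tunnel is stalled
        lines.append(f"[{tunnel_up + i:.6f}] 64 bytes from 10.0.0.1: "
                     f"icmp_seq={i} ttl=64 time=12.3 ms")
    return "\n".join(lines)


if __name__ == "__main__":
    up = 1291000000.0  # assumed tunnel-up epoch time (constructed)
    offs = stall_offsets(find_stalls(reply_times(constructed_log(up, 4000, [(1800, 65), (3600, 58)]))), up)
    for period in (1800, 3600):
        print(f"stalls {offs} periodic at {period}s: {matches_period(offs, period)}")
```

If the stalls are periodic at a value other than the client's configured phase2 lifetime, the gateway is likely expiring the SA on its own schedule.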
