On Mon, 21 Mar 2011 02:25:51 +0200 "Nikolaj Griscenko" <[email protected]> wrote:
> I have encountered a problem I can't solve. The connection between
> shrewsoft 2.1.7 client (Win 7 x64) and Cisco 2811 router (12.4.(3g)
> IOS) is established normally and traffic passes ok, but when phase 2
> security association lifetime expires, shrewsoft can't renegotiate
> a new SA with Cisco and the former SA is deleted. I checked the SA
> parameter both on Cisco and Shrewsoft and tried different SA values,
> but no luck. I also attach my trace files. What could be the problem?
> Could it be a software bug? Thanks.

Hi Nikolaj,

I looked at your ike trace and it does look like the Phase 2 re-negotiation is failing. I can see a bunch of phase2 resends:

11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:26 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:26 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500

Unfortunately, the log doesn't suggest (to me at least) any reason why the phase2 packets aren't going through. If you checked that the Phase 2 SA lifetime parameter was the same in the Shrew client and the Cisco, Phase 2 re-negotiation should occur many times because your Phase 1 lifetime is 86400 seconds (vs 300 seconds for Phase 2).

Perhaps someone with more experience with Cisco can help? I know there's some settings regarding Cisco compatible vendor IDs, but I don't know what they do.

Just a question: during the time that Phase 2 was up, were you sending traffic through the tunnel? Like a persistent ping or something? If there was no traffic, maybe the gateway closed the connection because it was idle?

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
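The reply above spots the failed Phase 2 rekey by eye from a burst of "resend ... phase2 packet(s)" lines. As an added example (not code from the thread or from Shrew Soft), the script below parses ike trace lines of that shape and flags a peer whose phase2 resends cluster within a short window, which is the pattern of a rekey that never completes. The sample log is constructed from the four lines quoted in the thread plus two extra lines; the window and threshold values are assumptions.

```python
import re
from datetime import datetime

# Matches resend lines of the form quoted in the thread:
# "11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500"
RESEND_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) -> : resend (?P<n>\d+) "
    r"(?P<phase>phase[12]) packet\(s\) (?P<src>\S+) -> (?P<dst>\S+)$"
)

# Constructed sample: the thread's four phase2 resends, one phase1 resend
# and one unrelated informational line (format of the last line is made up).
SAMPLE_LOG = """\
11/03/21 01:45:10 -> : resend 1 phase1 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:26 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:26 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:31 ii : some other informational line
""".splitlines()


def parse_resends(lines):
    """Return (timestamp, phase, count, src, dst) for every resend line; skip the rest."""
    out = []
    for line in lines:
        m = RESEND_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%y/%m/%d %H:%M:%S")
            out.append((ts, m.group("phase"), int(m.group("n")), m.group("src"), m.group("dst")))
    return out


def flag_failed_rekeys(lines, window_s=60, threshold=3):
    """Map (src, dst) -> time at which 'threshold' phase2 resends fell inside
    'window_s' seconds. Repeated phase2 resends to one peer with no reply in
    between is what a stalled Phase 2 renegotiation looks like in the trace.
    window_s and threshold are assumed values, not Shrew Soft settings."""
    by_peer = {}
    for ts, phase, _, src, dst in parse_resends(lines):
        if phase == "phase2":
            by_peer.setdefault((src, dst), []).append(ts)
    flagged = {}
    for peer, stamps in by_peer.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):          # sliding window over sorted stamps
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[peer] = ts                 # first moment the burst is confirmed
                break
    return flagged


if __name__ == "__main__":
    for peer, when in flag_failed_rekeys(SAMPLE_LOG).items():
        print(f"{when}: repeated phase2 resends {peer[0]} -> {peer[1]}, rekey likely failing")
```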
