Has anyone figured out the cause of this problem and/or a solution to it? My connection drops briefly every 48 minutes. It appears it's the same issue as described here - the SA expires and Shrew does re-establish the connection automatically, but traffic stops for maybe 30 seconds during the process. Long enough to terminate the connections for some of the programs I'm running.
Cisco AnyConnect works fine, but doesn't allow me to do split tunneling like Shrew does. I'm running 2.2.0-beta-2.

Thanks!

- Mark

On Mon, 21 Mar 2011 02:25:51 +0200 "Nikolaj Griscenko" <n.griscenko at gmail.com> wrote:
>
> I have encountered a problem I can't solve. The connection between
> shrewsoft 2.1.7 client (Win 7 x64) and Cisco 2811 router (12.4.(3g)
> IOS) is established normally and traffic passes ok, but when phase 2
> security association life-time expires - shrewsoft can't renegotiate
> a new SA with Cisco and former SA is deleted. I checked the SA
> parameter both on Cisco and Shrewsoft and tried different SA values,
> but no luck. I also attach my trace files. What could be the problem?
> Could it be a software bug? Thanks.
>

Hi Nikolaj,

I looked at your ike trace and it does look like the Phase 2 re-negotiation is failing. I can see a bunch of phase2 resends:

    11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
    11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
    11/03/21 01:50:26 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
    11/03/21 01:50:26 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500

Unfortunately, the log doesn't suggest (to me at least) any reason why the phase2 packets aren't going through. If you checked that the Phase 2 SA lifetime parameter was the same in the Shrew client and the Cisco, Phase 2 re-negotiation should occur many times because your Phase 1 lifetime is 86400 seconds (vs 300 seconds for Phase 2).

Perhaps someone with more experience with Cisco can help? I know there are some settings regarding Cisco compatible vendor IDs, but I don't know what they do.

Just a question, during the time that Phase 2 was up, were you sending traffic through the tunnel? Like a persistent ping or something? If there was no traffic, maybe the gateway closed the connection because it was idle?
_______________________________________________
vpn-help mailing list
http://lists.shrew.net/mailman/listinfo/vpn-help
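Added example, not part of the original thread and not Shrew Soft's code: a small Python check that scans an ike trace for the resend line format quoted in the reply above and reports bursts of phase2 resends toward one peer, the pattern read there as a failing re-negotiation. The yy/mm/dd timestamp order, the 30-second gap and the threshold of 3 resends are assumptions; the sample reuses the four quoted lines plus two constructed ones.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Four resend lines as quoted in the thread, plus two constructed lines:
# one isolated earlier resend and one unrelated line that must be ignored.
SAMPLE_TRACE = """\
11/03/21 01:45:20 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:21 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
unrelated trace line (constructed)
11/03/21 01:50:26 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
11/03/21 01:50:26 -> : resend 1 phase2 packet(s) 192.168.0.125:4500 -> X.X.X.X:4500
"""

# Timestamp, packet count, phase, local endpoint, peer endpoint.
RESEND = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) -> : resend (\d+) (phase[12]) "
    r"packet\(s\) (\S+) -> (\S+)$")

def parse_resends(trace):
    """Return (timestamp, phase, peer) for every resend line in the trace."""
    events = []
    for line in trace.splitlines():
        m = RESEND.match(line.strip())
        if m:
            # Assumption: the trace writes dates as yy/mm/dd.
            ts = datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S")
            events.append((ts, m.group(3), m.group(5)))
    return events

def stalled_negotiations(events, min_resends=3, max_gap=timedelta(seconds=30)):
    """Report bursts of resends to one peer; a burst ends after max_gap of silence."""
    by_key = defaultdict(list)
    for ts, phase, peer in events:
        by_key[(phase, peer)].append(ts)
    findings = []
    for (phase, peer), stamps in by_key.items():
        stamps.sort()
        burst = [stamps[0]]
        for ts in stamps[1:] + [None]:  # None flushes the final burst
            if ts is not None and ts - burst[-1] <= max_gap:
                burst.append(ts)
                continue
            if len(burst) >= min_resends:
                findings.append({"phase": phase, "peer": peer, "first": burst[0],
                                 "last": burst[-1], "resends": len(burst)})
            burst = [ts]
    return findings

if __name__ == "__main__":
    for f in stalled_negotiations(parse_resends(SAMPLE_TRACE)):
        print(f"{f['phase']} stalled toward {f['peer']}: {f['resends']} resends "
              f"between {f['first']} and {f['last']}")
```

Comparing the spacing between reported bursts with the configured Phase 2 lifetime shows whether the stalls line up with SA expiry.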
