On 04/13/2012 05:47 PM, Mark A. Sibert wrote:
Today, I tried setting the Phase 1 and Phase 2 Key Life Time Limits to
28,800 seconds.  (Since that was the maximum allowable value for Phase 2.)
Approximately 6 hours and 24 minutes later, I got the same behavior where
traffic stops temporarily, then resumes.  This happens at 80% of the
lifetime limit, just as 48 minutes was 80% of the 1-hour limit I had
specified previously.  I looked through the IKE Service tab of the Trace
Utility and confirmed that the 'traffic hiccup' occurred while Shrew was
setting up new SAs.

This has now gone from being a major hassle to a minor nuisance.  I can
live with a 'hiccup' every six hours if it means I can use split tunneling.
:-)  Still, it would be nice if someone knowledgeable in such things could
determine what is happening and why.


Hi Mark,

I agree, it would be nice to get to the bottom of it. It could just be an incompatibility though.

I saw a similar situation with another vendor's VPN gateway a few years ago. I could connect fine with Shrew, but at the end of the lifetime, the gateway refused to re-negotiate the SAs and would drop the tunnel. In this case it ended up being the vendor's IPSec stack, as TheGreenBow VPN client could not connect at all, despite mirroring all the settings from Shrew. I even set up another gateway from another vendor that used the same settings to ensure that both Shrew and TheGreenBow would re-negotiate SAs at timeout in that configuration, which they dutifully did for days at a time.

BTW, have you tried configuring Shrew to accept the policy from the gateway (or choose Tunnel All)? I know, no split tunnelling, but it might be worth it to see if that makes a difference?
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help