On Mon, Apr 16, 2012 at 8:53 PM, Kevin VPN <[email protected]> wrote:
> On 04/13/2012 05:47 PM, Mark A. Sibert wrote:
>
>> Today, I tried setting the Phase 1 and Phase 2 Key Life Time Limits to
>> 28,800 seconds. (Since that was the maximum allowable value for Phase 2.)
>> Approximately 6 hours and 24 minutes later, I got the same behavior where
>> traffic stops temporarily, then resumes. This happens at 80% of the
>> lifetime limit, just as 48 minutes was 80% of the 1-hour limit I had
>> specified previously. I looked through the IKE Service tab of the Trace
>> Utility and confirmed that the 'traffic hiccup' occurred while Shrew was
>> setting up new SAs.
>>
>> This has now gone from being a major hassle to a minor nuisance. I can
>> live with a 'hiccup' every six hours if it means I can use split
>> tunneling. :-) Still, it would be nice if someone knowledgeable in such
>> things could determine what is happening and why.
>>
>
> Hi Mark,
>
> I agree, it would be nice to get to the bottom of it. It could just be an
> incompatibility though.
>
> I saw a similar situation with another vendor's VPN gateway a few years
> ago. I could connect fine with Shrew, but at the end of the lifetime, the
> gateway refused to re-negotiate the SAs and would drop the tunnel. In this
> case it ended up being the vendor's IPSec stack, as TheGreenBow VPN client
> could not connect at all, despite mirroring all the settings from Shrew. I
> even set up another gateway from another vendor that used the same settings
> to ensure that both Shrew and TheGreenBow would re-negotiate SAs at timeout
> in that configuration, which they dutifully did for days at a time.
>
> BTW, have you tried configuring Shrew to accept the policy from the
> gateway (or choose Tunnel All)? I know, no split tunnelling, but it might
> be worth it to see if that makes a difference?
> _______________________________________________
> vpn-help mailing list
> [email protected]
> http://lists.shrew.net/mailman/listinfo/vpn-help
>
I did try accepting the policy as-is, and the behavior was the same. Oh well. It's not a huge deal, as long as my IT department doesn't change the phase-2 timeout on the gateway to something short.

Thanks...
- Mark
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
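The thread's diagnosis rests on two measurements: the hiccup lands at a fixed fraction (80%) of the configured phase-2 lifetime, and it lasts for the window in which the old SA is already gone and the replacement is not yet installed. The following is an added example, not code from the thread or from the Shrew Soft client, that makes both measurements from trace-style lines. The `sa_up` / `rekey_start` / `sa_down` line format is a constructed stand-in for whatever the Trace Utility's IKE Service tab actually prints; the real format differs and would need its own regex. It also distinguishes make-before-break rekeying (no gap) from break-before-make (a gap per rekey), which is the behaviour that would explain the pause.

```python
# Added example, not code from the vpn-help thread or the Shrew Soft client.
# Models what the thread describes: a phase-2 SA is rekeyed at a fixed
# fraction of its lifetime, and traffic pauses if the old SA is torn down
# before the replacement SA is installed. The trace line format is a
# constructed stand-in for the Trace Utility's IKE Service output.
from datetime import datetime, timedelta
import re

LIFETIME_S = 3600  # the 1-hour phase-2 lifetime from the thread, in seconds

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<event>sa_up|rekey_start|sa_down) "
    r"spi=(?P<spi>0x[0-9a-fA-F]+)$"
)

# Constructed trace (not real client output): rekey starts at 48 min
# (80% of 3600 s), the old SA is dropped 2 s later, the new SA is installed
# 3 s after that, and the cycle repeats from the new SA's install time.
SAMPLE_TRACE = """\
00:00:00 sa_up spi=0x1001
00:48:00 rekey_start spi=0x1001
00:48:02 sa_down spi=0x1001
00:48:05 sa_up spi=0x1002
01:36:05 rekey_start spi=0x1002
01:36:07 sa_down spi=0x1002
01:36:10 sa_up spi=0x1003
"""


def parse_trace(text, day=datetime(2012, 4, 13)):
    """Return [(timestamp, event, spi)] in file order; unmatched lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%H:%M:%S")
        ts = day + timedelta(hours=t.hour, minutes=t.minute, seconds=t.second)
        events.append((ts, m["event"], m["spi"].lower()))
    return events


def rekey_fractions(events, lifetime_s=LIFETIME_S):
    """For each rekey_start, the elapsed fraction of that SA's lifetime.

    A steady value (0.8 in the thread's two observations) means the hiccups
    follow the rekey schedule rather than anything traffic-related.
    """
    up_at = {}
    fractions = []
    for ts, event, spi in events:
        if event == "sa_up":
            up_at[spi] = ts
        elif event == "rekey_start" and spi in up_at:
            fractions.append((ts - up_at[spi]).total_seconds() / lifetime_s)
    return fractions


def coverage_gaps(events):
    """Seconds during which no phase-2 SA was installed: the traffic hiccup.

    Make-before-break rekeying (new SA up before old SA down) yields [];
    break-before-make yields one gap per rekey.
    """
    live = set()
    gaps = []
    gap_started = None
    for ts, event, spi in events:
        if event == "sa_up":
            live.add(spi)
            if gap_started is not None:
                gaps.append((ts - gap_started).total_seconds())
                gap_started = None
        elif event == "sa_down":
            live.discard(spi)
            if not live and gap_started is None:
                gap_started = ts
    return gaps


if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    print("rekey at fraction of lifetime:", rekey_fractions(ev))
    print("seconds with no SA installed:", coverage_gaps(ev))
```

Run against a real trace, a constant `rekey_fractions` value confirms the hiccup is schedule-driven, and a non-empty `coverage_gaps` pins the pause on the order in which the two peers replace the SA rather than on the negotiation itself; an empty list with the pause still present would point at something else, such as the gateway only accepting traffic on the new SA after a delay.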
