On 02/28/2013 02:53 AM, John Sayce wrote:
> My problem seems roughly similar to this one
> https://lists.shrew.net/pipermail/vpn-help/2012-April/013833.html
>
> I have a dial up vpn that is connecting to a Juniper SSG-140. The
> initial connection is fine and all works as expected until the phase
> two key time limit expires. The time limit is currently set to 3600
> seconds. At 2880 seconds (48 minutes) a new SA is established and my
> connection fails. At the point where the connection fails, I cannot
> simply disconnect and reconnect. I have to wait for about half an
> hour before reconnecting. I guess it would make sense if I had to
> wait an additional 48 minutes. I don't have the exact figures for
> this.
>
> I've attached the config for the firewall and client. And I've
> attached the debug log from the client and the "debug ike detail"
> output from the firewall.
>
> I've tried to trim part of the firewall log as I have multiple vpn
> connections.

Hi John,

I see in the Shrew Client Log.txt where the Phase 2 is re-negotiated,
but the Firewall Log.log does not show that. Can you take another dbuf
stream around the time the phase 2 should renegotiate?

The regular firewall log would be helpful too.

I've seen the 30 minute delay before reconnecting before; I think it's
somehow related to the VPN Monitor. Turn that off (AutoKey IKE config)
and see if it makes a difference. VPN monitor doesn't make sense for a
dialup VPN with a dynamic address anyway.

I also do not have rekey selected for my dialup VPNs and they renew fine
(which is counter-intuitive). Maybe that's messing up the Phase 2 renewal?