On 3/29/2013 10:50 AM, John Sayce wrote:
I had this configured on two sites. Both have Juniper SSG-320
firewalls. However, one site is managed by the ISP so I don't have
access to the firewall. Both sites have the same problem but have
significantly different versions of firmware running on the
firewalls. On the site that I manage I've removed this vpn and
replaced it with an L2TP vpn.
I am by no means an expert on any of this, but usually, if the problem
is related to the config, I can figure it out. I'm being told by the
ISP that the problem is most likely a bug with the Shrew Soft client,
although I can't say I understand the reasoning, and it seems
reasonable that it's in their interest to blame the client.
In terms of the VPN monitor setting, you are indeed right, it should
be off. I only had it on to see if it would make a difference. I've
obviously forgotten I had this on when I was capturing logs, however
the problem remains the same. I can't remember what I had with the
rekey setting. I think if VPN monitor is disabled, rekey is also
disabled.
If it'll help I can get more logs and do more testing, but I'll have
to go to the ISP to get the logs. I can also ask for a written
explanation of why they think the client is at fault. However, they
won't give me the config on the firewall...
John,
The Shrew Soft client attempts to renegotiate a new SA before the old
SA expires. This is in an attempt to make sure there are no gaps in
communication. It's possible that the Juniper device is discarding the
old SA after the new one is established, even though the old SA hasn't
expired yet. That wouldn't explain why there is a 30 minute gap in
communications, but it would explain a 12 (or maybe 15) minute gap.
If you leave the connection up until the first SA expires (you should
see them expire in the VPN Trace App), does the communication resume?
The idea being that the client would start sending traffic using the new
SA which the gateway would then accept.
I probably need to add an option to prevent the client from negotiating
overlapping SAs. The problem is that it would either need to be a global
option or I would need to add a proprietary extension to the SP
database. A peer shouldn't discard an SA until it's expiration time. If
it does, it should at least send a delete notification. I'm guessing
that it's discarding the SA without a notification.
-Matthew
_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help
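The rekey behaviour Matthew describes above, as an added simulation that is not part of this thread, of the Shrew Soft client, or of ScreenOS. It models a client that negotiates a replacement SA before the old one expires and keeps sending on the old SA, against a gateway with three hypothetical policies for the old SA once the new one is installed: keep it until it expires, discard it silently, or discard it and send a delete notification. The 3600 s lifetime, the 80% (or 75%) rekey point, the sequential SPI numbers and the three policies are all assumptions for the example; none of them is stated in the thread.

```python
"""Simulation of overlapping IPsec SA rekeying between a VPN client and a gateway.

Added example, not code from the vpn-help thread or the Shrew Soft client.
Assumed parameters (not given in the thread): 3600 s SA lifetime, client rekeys
at 80% or 75% of that lifetime, SPIs numbered from 1, and three hypothetical
gateway policies for the old SA once the replacement is established.
"""
from dataclasses import dataclass


@dataclass
class SA:
    spi: int
    created: int
    lifetime: int

    def expired(self, now: int) -> bool:
        return now >= self.created + self.lifetime


class Gateway:
    """Gateway side. `policy` decides what happens to the old SA on install of a new one:
    keep_until_expiry   - both SAs valid until their own expiry (what Matthew expects)
    discard_silently    - old SA dropped with no notification (Matthew's hypothesis)
    discard_with_delete - old SA dropped, delete notification sent to the peer
    """

    def __init__(self, policy: str):
        assert policy in ("keep_until_expiry", "discard_silently", "discard_with_delete")
        self.policy = policy
        self.sas: dict[int, SA] = {}
        self.pending_deletes: list[int] = []  # SPIs named in delete notifications

    def install(self, sa: SA, now: int) -> None:
        old = [s for s in self.sas.values() if not s.expired(now)]
        self.sas = {s.spi: s for s in old}
        self.sas[sa.spi] = sa
        if self.policy != "keep_until_expiry":
            for o in old:
                del self.sas[o.spi]
                if self.policy == "discard_with_delete":
                    self.pending_deletes.append(o.spi)

    def accept(self, spi: int, now: int) -> bool:
        """True if a packet on this SPI would be decrypted, False if dropped."""
        sa = self.sas.get(spi)
        if sa is None or sa.expired(now):
            self.sas.pop(spi, None)
            return False
        return True


class Client:
    """Client side. overlap=True negotiates the replacement SA early and keeps using
    the old SA until it expires (the behaviour described in the thread); overlap=False
    only negotiates once the old SA has expired (the option Matthew considers adding)."""

    def __init__(self, lifetime: int, rekey_at: float, overlap: bool = True):
        self.lifetime, self.rekey_at, self.overlap = lifetime, rekey_at, overlap
        self.sas: list[SA] = []  # oldest first; traffic goes out on sas[0]
        self.next_spi = 1

    def negotiate(self, gw: Gateway, now: int) -> None:
        sa = SA(self.next_spi, now, self.lifetime)
        self.next_spi += 1
        self.sas.append(sa)
        gw.install(sa, now)
        # Honour any delete notification the gateway sent during the exchange.
        self.sas = [s for s in self.sas if s.spi not in gw.pending_deletes]
        gw.pending_deletes.clear()

    def send(self, gw: Gateway, now: int) -> bool:
        self.sas = [s for s in self.sas if not s.expired(now)]
        if not self.sas:
            self.negotiate(gw, now)
        elif (self.overlap and len(self.sas) == 1
              and now >= self.sas[0].created + self.rekey_at * self.lifetime):
            self.negotiate(gw, now)
        return gw.accept(self.sas[0].spi, now)


def simulate(policy: str, lifetime: int = 3600, rekey_at: float = 0.80,
             overlap: bool = True, duration: int = 3 * 3600) -> list[tuple[int, int]]:
    """Send one packet per second; return [(gap_start, gap_length_seconds), ...]."""
    gw, client = Gateway(policy), Client(lifetime, rekey_at, overlap)
    gaps, gap_start = [], None
    for now in range(duration):
        ok = client.send(gw, now)
        if not ok and gap_start is None:
            gap_start = now
        elif ok and gap_start is not None:
            gaps.append((gap_start, now - gap_start))
            gap_start = None
    return gaps


if __name__ == "__main__":
    for policy in ("keep_until_expiry", "discard_silently", "discard_with_delete"):
        print(f"{policy:20s} overlap:    {simulate(policy)}")
    print("discard_silently     no overlap:", simulate("discard_silently", overlap=False))
    print("discard_silently     rekey 75%: ", simulate("discard_silently", rekey_at=0.75))
```

With the assumed 1-hour lifetime, a gateway that silently discards the old SA produces a 720 s (12 minute) outage per rekey when the client rekeys at 80%, and a 900 s (15 minute) one at 75%; the outage ends exactly when the client's old SA expires and it moves to the new one, which is the recovery Matthew asks John to look for in the VPN Trace App. Keeping both SAs, or discarding with a delete notification, gives no gap. The no-overlap run also shows no gap, but only because this model ignores negotiation latency, which is the reason overlapping rekeys exist in the first place; the 30 minute gap John reports is not reproduced by any of these policies, as Matthew notes.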