<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE>Windows XP - ISAKMP SA</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2 FACE="Arial">Hi,</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">I have a setup with a laptop running Windows XP connecting to an Openswan server using L2TP/IPsec. The server is using Openswan 2.4.6 with NETKEY on kernel 2.6.19. If I don't configure the ikelifetime value, so it uses the default of 3600s, after an hour when the ISAKMP SA expires I continuously (every 10s) get the following log messages on the server. </FONT></P>
<P><FONT SIZE=2 FACE="Arial">Feb 2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #510: max number of retransmissions (2) reached STATE_QUICK_I1</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Feb 2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #510: starting keying attempt 30 of an unlimited number</FONT>
<BR><FONT SIZE=2 FACE="Arial">Feb 2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #512: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #510 {using isakmp#443}</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Feb 2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #443: ignoring informational payload, type INVALID_ID_INFORMATION</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Feb 2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #443: received and ignored informational message</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">What I'm guessing is that the ISAKMP SA times out on the server, which is the responder, and then the server tries to renegotiate a new ISAKMP SA, but the Windows XP laptop is refusing the renegotiation attempts, possibly because it has an unexpired ISAKMP SA for this peer.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">The laptop is still able to pass traffic (the ESP SA is still active) until the ESP SA times out at 28800 seconds. At that point the tunnel fails and I need to restart the Openswan tunnel connection and reconnect from the laptop.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Is there some configuration setting I can use, other than extending the ikelifetime, that would enable the two systems to successfully renegotiate the ISAKMP SA when the renegotiation is initiated by the responder? Does anyone else see this behavior?</FONT></P>
<BR>
<PRE>
conn l2tp-psk
        left=192.168.2.75
        leftprotoport=17/1701
        rightprotoport=17/1701
        rightsubnet=vhost:%priv,%no
        right=%any
        auto=add
        authby=secret
        pfs=no
        type=transport
</PRE>
<BR>
<P><FONT SIZE=2 FACE="Arial">-mike</FONT>
</P>
<BR>
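<P><FONT SIZE=2 FACE="Arial">A small log checker, added here as an example and not part of the original post or of Openswan: it parses pluto lines in the format quoted above (the sample lines inside it are constructed to mirror that format, not a real capture) and flags a peer that keeps answering the responder's Quick Mode replacement attempts with INVALID_ID_INFORMATION, so the loop is visible long before the ESP SA expires and the tunnel drops.</FONT></P>

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in the post (two passes
# through the 10-second loop); not a real capture.
SAMPLE_LOG = """\
Feb 2 16:36:21 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #509: starting keying attempt 29 of an unlimited number
Feb 2 16:36:21 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #510: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #509 {using isakmp#443}
Feb 2 16:36:21 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #443: ignoring informational payload, type INVALID_ID_INFORMATION
Feb 2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #510: max number of retransmissions (2) reached STATE_QUICK_I1
Feb 2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #510: starting keying attempt 30 of an unlimited number
Feb 2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #512: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #510 {using isakmp#443}
Feb 2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #443: ignoring informational payload, type INVALID_ID_INFORMATION
Feb 2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #443: received and ignored informational message
"""

# pluto prefix: "conn"[instance] peer #state-number: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
ATTEMPT_RE = re.compile(r"starting keying attempt (?P<n>\d+) of an unlimited number")
REPLACE_RE = re.compile(r"initiating Quick Mode .* to replace #\d+ \{using isakmp#(?P<isakmp>\d+)\}")
REJECT = "ignoring informational payload, type INVALID_ID_INFORMATION"


def parse_line(line):
    """Split one pluto syslog line into conn / peer / state number / message."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_rekey_loops(log_text, min_attempts=2):
    """Per (conn, peer): repeated keying attempts whose Quick Mode exchanges the
    peer answers with INVALID_ID_INFORMATION, i.e. a rekey the peer keeps refusing."""
    ev = defaultdict(lambda: {"attempts": [], "rejects": 0, "isakmp_sa": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        e = ev[(rec["conn"], rec["peer"])]
        if (m := ATTEMPT_RE.search(rec["msg"])):
            e["attempts"].append(int(m.group("n")))
        elif (m := REPLACE_RE.search(rec["msg"])):
            e["isakmp_sa"].add(m.group("isakmp"))   # Phase 1 SA the retries ride on
        elif rec["msg"].startswith(REJECT):
            e["rejects"] += 1
    return {k: {"first_attempt": min(e["attempts"]), "last_attempt": max(e["attempts"]),
                "rejects": e["rejects"], "isakmp_sa": sorted(e["isakmp_sa"])}
            for k, e in ev.items() if len(e["attempts"]) >= min_attempts and e["rejects"]}
```

<P><FONT SIZE=2 FACE="Arial">Run it over the live pluto log with a cron job or a log shipper; a non-empty result for a peer is the signal to act before the 28800-second ESP SA runs out.</FONT></P>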
</BODY>
</HTML>