<div>Hello,</div>
<div> </div>
<div>I&#39;m experiencing some problems connecting Openswan to Microsoft TMG.</div>
<div>The connection is being established successfully, traffic flows to the other side, but after ~10 minutes, the connection drops.</div>
<div>The only solution left is to restart Openswan, and then the tunnel is up again.</div>
<div>It&#39;s a very basic PSK net-to-net configuration, no NAT-T.</div>
<div> </div>
<div>--</div>
<div>conn vpn</div>
<div>        type=tunnel<br>        authby=secret<br>        modecfgpull=no<br>        left=213.108.105.22<br>        leftid=213.108.105.22<br>        leftsubnet=172.16.100.1/32<br>
        leftsourceip=172.16.100.1<br>        right=62.21.130.3<br>        rightsubnet=10.22.130.2/32<br>        ike=aes256-md5-modp1024<br>        ikelifetime=86400s<br>
        keylife=28800s<br>        phase2=esp<br>        phase2alg=aes256-md5<br>        pfs=no<br>        auto=start<br>--</div>
<div> </div>
<div>ipsec auto --status</div>
<div>000 #2: &quot;vpn&quot;:500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26553s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate<br>000 #2: &quot;vpn&quot; esp.573fec00@62.21.130.3 esp.79f79b0b@213.108.105.22 tun.0@62.21.130.3 tun.0@213.108.105.22 ref=0 refhim=4294901761<br>
000 #1: &quot;vpn&quot;:500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 83912s; newest ISAKMP; nodpd; idle; import:admin initiate<br></div>
<div>ipsec --version<br>Linux Openswan U2.6.32/K2.6.32-71.29.1.el6.x86_64 (netkey)<br></div>
<div>In the logfile I find the following message, right after bringing up the VPN:</div>
<div> </div>
<div>&quot;vpn&quot; #2: IKE message has the Commit Flag set but Pluto doesn&#39;t implement this feature; ignoring flag<br>&quot;vpn&quot; #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)<br>
&quot;vpn&quot; #2: sending encrypted notification INVALID_PAYLOAD_TYPE to 62.21.130.3:500<br>| sending 60 bytes for notification packet through eth0:0:500 to 62.21.130.3:500 (using #2)<br>
</div>
<div>After the 10 minutes, no additional messages can be found in the logfiles.</div>
<div>On the TMG side, the logfiles also give no insights.</div>
<div><br>Any suggestions to fix this problem?</div>
<div> </div>
<div>Thanks!</div>
<div><br>Bart</div>
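<div>Added triage example (not part of Bart's post, and not Openswan code): a small Python script that parses the conn block, the <code>ipsec auto --status</code> lines and the Pluto log lines quoted above, then reports what a reviewer would check first: whether either SA's EVENT_SA_REPLACE timer could fire within the ~10 minute window, whether DPD was negotiated for the ISAKMP SA (the status line says <code>nodpd</code>), and whether Pluto rejected any peer message (the Commit Flag and INVALID_PAYLOAD_TYPE lines). The sample input is copied from the post; the regular expressions and the 600 second window are assumptions made for this example.</div>

```python
import re

# Sample input copied from the post above: conn block, status output, log lines.
CONN = """\
conn vpn
        type=tunnel
        authby=secret
        modecfgpull=no
        left=213.108.105.22
        leftid=213.108.105.22
        leftsubnet=172.16.100.1/32
        leftsourceip=172.16.100.1
        right=62.21.130.3
        rightsubnet=10.22.130.2/32
        ike=aes256-md5-modp1024
        ikelifetime=86400s
        keylife=28800s
        phase2=esp
        phase2alg=aes256-md5
        pfs=no
        auto=start
"""

STATUS = """\
000 #2: "vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26553s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "vpn" esp.573fec00@62.21.130.3 esp.79f79b0b@213.108.105.22 tun.0@62.21.130.3 tun.0@213.108.105.22 ref=0 refhim=4294901761
000 #1: "vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 83912s; newest ISAKMP; nodpd; idle; import:admin initiate
"""

LOG = """\
"vpn" #2: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
"vpn" #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
"vpn" #2: sending encrypted notification INVALID_PAYLOAD_TYPE to 62.21.130.3:500
"""

# Assumed format of a Pluto state line (matches the lines quoted in the post).
STATE_RE = re.compile(
    r'^000 #(\d+): "(\w+)":\d+ (STATE_\w+) .*?EVENT_SA_REPLACE in (\d+)s; (.*)$'
)


def parse_conn(text):
    """Return {option: value} for the key=value lines of a conn section."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def seconds(value):
    """Convert an ipsec.conf time value such as '86400s' or '8h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"bad time value: {value}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def parse_status(text):
    """Return one dict per SA state line found in 'ipsec auto --status' output."""
    sas = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            sas.append({
                "num": int(m.group(1)),
                "conn": m.group(2),
                "state": m.group(3),
                "replace_in": int(m.group(4)),
                "flags": [f.strip() for f in m.group(5).split(";")],
            })
    return sas


def rekey_due_within(sas, window_s):
    """True if any SA's replace timer would fire inside the given window."""
    return any(sa["replace_in"] <= window_s for sa in sas)


def check(conn_text, status_text, log_text, drop_after_s=600):
    """Return a list of review findings for the given config, status and log."""
    findings = []
    opts = parse_conn(conn_text)
    sas = parse_status(status_text)
    # Rekey timers: the drop happens long before either configured lifetime.
    if not rekey_due_within(sas, drop_after_s):
        findings.append(
            f"no SA replace timer fires within {drop_after_s}s "
            f"(ikelifetime={seconds(opts['ikelifetime'])}s, keylife={seconds(opts['keylife'])}s)"
        )
    for sa in sas:
        if "nodpd" in sa["flags"]:
            findings.append(f"#{sa['num']} {sa['state']}: DPD not negotiated (nodpd)")
    for line in log_text.splitlines():
        if "Commit Flag" in line:
            findings.append("peer sets the IKE Commit Flag, which Pluto ignores")
        if "INVALID_PAYLOAD_TYPE" in line:
            findings.append("Pluto rejected a peer message and sent INVALID_PAYLOAD_TYPE")
    return findings


if __name__ == "__main__":
    for finding in check(CONN, STATUS, LOG):
        print("-", finding)
```

<div>Run as-is, the script shows that neither SA is anywhere near its replace timer at the 10 minute mark, that the ISAKMP SA has no DPD, and that Pluto already rejected one message from the TMG side, which narrows the investigation to the peer's own liveness or rekey behaviour rather than to Openswan's lifetimes.</div>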