[Openswan dev] Vista rekey breakage - right=%any and rekey workaround?

Paul Wouters paul at xelerance.com
Wed Oct 3 12:39:05 EDT 2007


On Wed, 3 Oct 2007, Christian Hocken wrote:

> Thanks for your fast reply.
> Sounds good that it's not a consequence of misconfiguration. Does a
> workaround solution exist?

Unfortunately not for roadwarriors. One work around would be to initiate
our own rekeying before Vista starts to rekey, but with right=%any we
can't rekey, since we "don't know where they are".

Though if someone would write a patch that allows rekeys to happen to
"the same ip/port as currently used", then this, if no other bugs exist
in Vista, would work around the current Vista bug.

Paul


> Christian
>
> Am 03.10.2007 um 16:56 schrieb Paul Wouters:
>
> > On Wed, 3 Oct 2007, Christian Hocken wrote:
> >
> >> running on Fedora Core 6 with kernel 2.6.22.7-57.fc6.
> >> Several road warriors with different operating systems are connected
> >> to the gateway, including Windows XP SP2,
> >> Windows Vista and Mac OS X. All of them are using a combination of
> >> ipsec and l2tp.
> >> Initialising the connection works fine but the Vista client gets
> >> disconnected after one hour. It seems as if something during
> >> the rekey attempt goes wrong.
> >
> > Correct. I've notified Microsoft of this issue. You are not the first
> > to encounter this. It seems their rekeying code contains a bug where
> > it tries to negotiate a "new" connection for the current one.
> >
> >> #4: STATE_QUICK_R2: IPsec SA established {ESP=>0x67d65cc2 <0x4d8fe6fb
> >> xfrm=AES_128-HMAC_SHA1 NATD=80.130.250.50:4500 DPD=none}
> >
> >> Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50
> >> #5: responding to Quick Mode {msgid:02000000}
> >> Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50
> >> #5: cannot install eroute -- it is in use for "l2tp-cert-nat"[4]
> >> 80.130.250.50 #4
> >
> > Paul
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
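As an added example (not code from this thread or from Openswan itself), a small Python log check that flags the rekey collision Paul describes: a "responding to Quick Mode" for a new state that is followed by "cannot install eroute -- it is in use for" an older state of the same peer. The sample lines are constructed after the pluto output quoted above (the wrapped eroute line is rejoined onto one line as syslog writes it; the 192.0.2.10 entry is made up to show a clean rekey that must not be reported).

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the pluto lines quoted in the thread.
SAMPLE_LOG = """\
Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50 #5: responding to Quick Mode {msgid:02000000}
Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50 #5: cannot install eroute -- it is in use for "l2tp-cert-nat"[4] 80.130.250.50 #4
Oct  2 23:58:01 gateway pluto[7841]: "l2tp-cert-nat"[6] 192.0.2.10 #7: responding to Quick Mode {msgid:0a000000}
Oct  2 23:58:01 gateway pluto[7841]: "l2tp-cert-nat"[6] 192.0.2.10 #7: IPsec SA established {ESP=>0x11111111 <0x22222222 xfrm=AES_128-HMAC_SHA1 NATD=192.0.2.10:4500 DPD=none}
"""

# Generic shape of a per-state pluto line: timestamp, host, pluto[pid], "conn"[instance] peer #state: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)
# The state that still owns the eroute the new child SA wanted.
EROUTE_RE = re.compile(
    r'cannot install eroute -- it is in use for "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+)'
)

Collision = namedtuple('Collision', 'ts peer conn new_state old_state')

def find_rekey_collisions(log_text):
    """Return one Collision per Quick Mode exchange that failed because the
    new state's eroute was still held by an older state of the same peer."""
    pending = {}   # (peer, state) -> timestamp of 'responding to Quick Mode'
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m['peer'], m['state'])
        msg = m['msg']
        if msg.startswith('responding to Quick Mode'):
            pending[key] = m['ts']
        elif 'cannot install eroute' in msg:
            e = EROUTE_RE.search(msg)
            # Only the same-peer case is the symptom discussed in the thread.
            if e and e['peer'] == m['peer'] and key in pending:
                found.append(Collision(pending.pop(key), m['peer'], m['conn'],
                                       int(m['state']), int(e['state'])))
        elif msg.startswith('IPsec SA established'):
            pending.pop(key, None)   # clean rekey, nothing to report
    return found

if __name__ == '__main__':
    for c in find_rekey_collisions(SAMPLE_LOG):
        print(f"{c.ts} peer {c.peer}: new state #{c.new_state} collided with #{c.old_state} on {c.conn}")
```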