[Openswan dev] Vista rekey breakage - right=%any and rekey workaround?

Julien DELEAN julien.delean at gmail.com
Tue Jan 15 06:54:42 EST 2008


I haven't found anything in Openswan's mailing lists after this quoted email.
Has anybody found a solution (patch) to work around this Vista bug?

I've tried to regularly restart Vista connections with "ipsec auto
--replace <conn_name>" to prevent Vista rekeying.

It's a little better but not acceptable.

Thanks !

Regards

Julien

-------------------
On Wed, 3 Oct 2007, Christian Hocken wrote:

> Thanks for your fast reply.
>
> Sounds good that it's not a consequence of misconfiguration. Does a
> workaround solution exist?
Unfortunately not for roadwarriors. One workaround would be to initiate
our own rekeying before Vista starts to rekey, but with right=%any we
can't rekey, since we "don't know where they are".

Though if someone were to write a patch that allows rekeys to happen to
"the same ip/port as currently used", then this would work around the
current Vista bug, if no other bugs exist in Vista.

Paul


> Christian
>
> On 03.10.2007 at 16:56, Paul Wouters wrote:
>
> > On Wed, 3 Oct 2007, Christian Hocken wrote:
> >
> >> running on Fedora Core 6 with kernel 2.6.22.7-57.fc6.
> >> Several road warriors with different operating systems are connected
> >> to the gateway, including Windows XP SP2,
> >> Windows Vista and Mac OS X. All of them are using a combination of
> >> ipsec and l2tp.
> >> Initialising the connection works fine but the Vista client gets
> >> disconnected after one hour. It seems as if something during
> >> the rekey attempt goes wrong.
> >
> > Correct. I've notified Microsoft of this issue. You are not the first
> > to encounter this. It seems their rekeying code contains a bug where
> > it tries to negotiate a "new" connection for the current one.
> >
> >> #4: STATE_QUICK_R2: IPsec SA established {ESP=>0x67d65cc2 <0x4d8fe6fb
> >> xfrm=AES_128-HMAC_SHA1 NATD=80.130.250.50:4500 DPD=none}
> >
> >> Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50
> >> #5: responding to Quick Mode {msgid:02000000}
> >> Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50
> >> #5: cannot install eroute -- it is in use for "l2tp-cert-nat"[4]
> >> 80.130.250.50 #4
> >
>
> > Paul
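As an added example (not code from the thread or from Openswan), a small shell dry run that spots the rekey failure Paul describes in pluto's log ("cannot install eroute -- it is in use for") and prints the `ipsec auto --replace <conn>` workaround Julien uses for the affected conn, instead of replacing it blindly on a timer. It assumes pluto's syslog line format as quoted above; the sample log lines and conn names are constructed to match the thread, and the script only prints the command rather than running it.

```shell
#!/bin/sh
# Added example, not from the thread or Openswan: detect the Vista rekey
# failure signature in pluto's log and emit the workaround command (dry run).

# Constructed sample log lines mirroring the ones quoted in the thread.
SAMPLE_LOG='Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50 #5: responding to Quick Mode {msgid:02000000}
Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50 #5: cannot install eroute -- it is in use for "l2tp-cert-nat"[4] 80.130.250.50 #4
Oct  2 23:56:01 gateway pluto[7841]: "xp-client"[2] 192.0.2.10 #7: IPsec SA established'

# Print "conn peer" for every eroute conflict, the symptom of the Vista bug:
# the client negotiates a "new" SA while the old eroute is still installed.
find_rekey_failures() {
    printf '%s\n' "$1" | awk '
        /cannot install eroute -- it is in use for/ {
            c = ""; p = ""
            # the field after "pluto[pid]:" is the quoted conn name with its
            # instance number, followed by the peer address
            for (i = 1; i <= NF; i++) if ($i ~ /^pluto\[/) { c = $(i+1); p = $(i+2); break }
            gsub(/"/, "", c); sub(/\[[0-9]+\]$/, "", c)
            if (c != "") print c, p
        }' | sort -u
}

# Emit the workaround for each affected conn (dry run: nothing is executed).
workaround_commands() {
    find_rekey_failures "$1" | while read -r conn peer; do
        printf 'ipsec auto --replace %s   # peer %s\n' "$conn" "$peer"
    done
}

workaround_commands "$SAMPLE_LOG"
```

Pipe real pluto output (e.g. from syslog) into `find_rekey_failures` to see which conns are hitting the bug; the XP client in the sample is correctly left alone.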