[Openswan dev] Vista rekey breakage - right=%any and rekey workaround?

Julien DELEAN julien.delean at gmail.com
Tue Jan 15 11:21:43 EST 2008


I've found bugtracks concerning my problem:
http://bugs.xelerance.com/view.php?id=294 (closed)

http://bugs.xelerance.com/view.php?id=867
Could you confirm that it concerns what you have described in previous emails?

Is there a patch available? (a patch that allows rekeys to happen to "the
same ip/port as currently used")
Do you believe that Vista SP1 will fix that?

Thanks

Julien

2008/1/15, Julien DELEAN <julien.delean at gmail.com>:
>
> I haven't found anything in Openswan's mailing lists after this quoted email.
> Has anybody found a solution (patch) to work around this Vista bug?
>
> I've tried to regularly restart Vista connections with "ipsec auto --replace <conn_name>" to prevent Vista rekeying.
>
> It's a little better but not acceptable.
>
> Thanks!
>
> Regards
>
> Julien
>
> -------------------
> On Wed, 3 Oct 2007, Christian Hocken wrote:
>
> > Thanks for your fast reply.
> >
> > Sounds good that it's not a consequence of misconfiguration. Does a
> > workaround solution exist?
>
> Unfortunately not for roadwarriors. One work around would be to initiate
> our own rekeying before Vista starts to rekey, but with right=%any we
> can't rekey, since we "don't know where they are".
>
> Though if someone would write a patch that allows rekeys to happen to
> "the same ip/port as currently used", then this, if no other bugs exist
> in Vista, would work around the current Vista bug.
>
> Paul
>
> > Christian
> >
> > On 03.10.2007 at 16:56, Paul Wouters wrote:
> >
> > > On Wed, 3 Oct 2007, Christian Hocken wrote:
> > >
> > >> running on Fedora Core 6 with kernel 2.6.22.7-57.fc6.
> > >> Several road warriors with different operating systems are connected
> > >> to the gateway, including Windows XP SP2,
> > >> Windows Vista and Mac OS X. All of them are using a combination of
> > >> ipsec and l2tp.
> > >> Initialising the connection works fine but the Vista client gets
> > >> disconnected after one hour. It seems as if something during
> > >> the rekey attempt goes wrong.
> > >
> > > Correct. I've notified Microsoft of this issue. You are not the first
> > > to encounter this. It seems their rekeying code contains a bug where
> > > it tries to negotiate a "new" connection for the current one.
> > >
> > >> #4: STATE_QUICK_R2: IPsec SA established {ESP=>0x67d65cc2 <0x4d8fe6fb
> > >> xfrm=AES_128-HMAC_SHA1 NATD=80.130.250.50:4500 DPD=none}
> > >
> > >> Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50
> > >> #5: responding to Quick Mode {msgid:02000000}
> > >> Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50
> > >> #5: cannot install eroute -- it is in use for "l2tp-cert-nat"[4]
> > >> 80.130.250.50 #4
> > >
> > > Paul
>
>
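An added example, not part of the original message and not Openswan code: a Python check that scans pluto log lines for the eroute conflict quoted above and reports only the cases where the colliding instance belongs to the same connection name and peer address, which is the symptom shown in the thread. The function name, the unwrapped single-line log format and the third sample line are assumptions.

```python
import re

# Matches the pluto eroute conflict message quoted in the thread,
# assuming each syslog entry is on one line (the e-mail wrapped them).
CONFLICT = re.compile(
    r'(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): '
    r'cannot install eroute -- it is in use for '
    r'"(?P<old_conn>[^"]+)"\[(?P<old_inst>\d+)\] (?P<old_peer>\S+) #(?P<old_sa>\d+)'
)


def find_rekey_collisions(lines):
    """Return conflicts where a peer's new instance collides with its own older one."""
    hits = []
    for line in lines:
        m = CONFLICT.search(line)
        if not m:
            continue
        same_client = m["conn"] == m["old_conn"] and m["peer"] == m["old_peer"]
        # Same connection and peer but a different instance number: the client
        # negotiated a "new" connection for the tunnel it already holds.
        if same_client and m["inst"] != m["old_inst"]:
            hits.append({
                "time": m["ts"],
                "conn": m["conn"],
                "peer": m["peer"],
                "new_instance": int(m["inst"]),
                "old_instance": int(m["old_inst"]),
            })
    return hits


# First two lines are the ones quoted in the thread, unwrapped.
# The third is constructed: a conflict between two different peers.
SAMPLE_LOG = [
    'Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50 '
    '#5: responding to Quick Mode {msgid:02000000}',
    'Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50 '
    '#5: cannot install eroute -- it is in use for "l2tp-cert-nat"[4] 80.130.250.50 #4',
    'Oct  2 23:58:01 gateway pluto[7841]: "l2tp-cert-nat"[7] 192.0.2.10 '
    '#9: cannot install eroute -- it is in use for "l2tp-cert-nat"[6] 192.0.2.77 #8',
]

if __name__ == "__main__":
    for hit in find_rekey_collisions(SAMPLE_LOG):
        print(hit)
```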