[Openswan Users] Windows clients expire idle connection
Walter Haidinger
walter.haidinger at gmx.at
Sat Jun 26 17:00:49 CEST 2004
Hi!
Short: My Windows clients expire the IPsec connection after some time and
I'm not able to reestablish or keepalive the connection from my Linux
gateway. :-(
I know this is actually a Windows issue, but then it is an Openswan-Windows
interop issue too. In any case, I'd be glad for any references if you
think I should look somewhere else!
Now for the details:
I've successfully connected Windows clients to my Linux gateway running
Openswan 1.0.4 and kernel 2.4.26. The setup is either
* XP, directly connected but with XP firewall enabled or
* Win2k, Roadwarrior, NAT-ed (KB-818043 patched) behind a DSL router.
All Windows machines make use of Marcus Müller's great VPN config tool and
are authenticated using X509 certificates.
When the Windows clients connect, the IPsec connections are created and
everything (well, almost, but please read on ;-) works _while_ the
connections last. :-)
I'm not bothered that I cannot _initially_ create the connection because
the clients are either firewalled or behind a NAT router. However, after
some(?) time, the clients just delete the connection if the link is idle
and _then_ I'm unable to reestablish the connection, of course.
Now, how do I prevent Windows from shutting down the (idle) IPsec link?
If the connection times out, I'd like to have the connection rekeyed even
if there is no traffic (because I cannot establish the connection myself).
I can think of the following solutions.
Any comments about them are appreciated! ;-)
a. As an ugly (and temporary, I hope) workaround, I've created a
cron-script (using Cygwin's crond) which pings my Linux gateway every
five minutes.
b. Prevent Windows from shutting down the idle link. Perhaps with a magic
Registry entry somewhere to set the idle timeout to a high value?
c. Have the connection rekeyed before Windows thinks the connection is
idle. There are some questions with this approach:
- Does rekeying make Windows believe the link is not idle?
- If so, which timeout do I use for the keylife= option?
- Does Windows honor this option if the same timeout is used in the
Windows ipsec.conf?
d. Anything else?
Personally, I'd favor option c unless there is a better one, of course!
Unfortunately I've no idea about the correct value for keylife.
Thanks in advance for any input!
Regards, Walter
PS: There is a small inconvenience while the connection is established:
I cannot ping the XP clients. Probably due to the brain-dead
built-in Windows firewall which eats the ICMP packets from the IPsec
link despite ICMP being allowed in the properties. Any other traffic
(TCP or UDP) is not affected.
Is there a workaround other than disabling the XP firewall or using a
third-party firewall?
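An added illustration of what option c looks like on the gateway side; this is not part of Walter's post and not a recipe from the Openswan project. It is a minimal FreeS/WAN-style ipsec.conf roadwarrior conn with X.509 authentication where the gateway's IPsec SA lifetime (keylife) is deliberately set shorter than the client's, so that pluto's own rekey timer fires before the Windows side considers the link idle. The certificate name, subnet, and all lifetime values are constructed assumptions; the Windows Quick Mode default quoted in the comments is from memory and should be checked against the actual policy on the client.

```ini
# Added example, not from the original post. Names, paths and lifetimes are assumptions.
config setup
        interfaces=%defaultroute
        uniqueids=yes

conn %default
        keyingtries=0            # 0 = retry forever if a negotiation fails
        rekey=yes                # pluto renegotiates SAs on its own timer, not only when traffic appears
        rekeyfuzz=100%           # randomise the rekey start within rekeymargin to avoid collisions

conn roadwarrior
        left=%defaultroute
        leftcert=gatewayCert.pem       # assumed: gateway cert under /etc/ipsec.d/certs
        leftrsasigkey=%cert
        leftsubnet=192.168.1.0/24      # constructed LAN behind the gateway
        right=%any                     # any client with a cert chained to our CA
        rightrsasigkey=%cert
        ikelifetime=8h                 # ISAKMP (Main Mode) SA lifetime on the gateway
        keylife=50m                    # IPsec SA lifetime; assumed shorter than the Windows
                                       # Quick Mode default (believed to be 3600 s)
        rekeymargin=9m                 # start rekeying this long before keylife expires,
                                       # i.e. at ~32-41 min with rekeyfuzz=100%
        auto=add                       # wait for the client to initiate the first time
```

The point of the shorter keylife plus rekeymargin is that the gateway, although it can only be the responder for the first exchange, becomes the initiator for every subsequent rekey, which is exactly what option c relies on. Whether the client's firewall or NAT mapping still lets that rekey through, and whether Windows treats a rekeyed SA as "not idle", is the open question of the post and is not answered by this fragment.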