[Openswan Users] Windows clients expire idle connection

Walter Haidinger walter.haidinger at gmx.at
Sat Jun 26 17:00:49 CEST 2004


Hi!

Short: My Windows clients expire the IPsec connection after some time and
I'm not able to reestablish or keepalive the connection from my Linux
gateway. :-(

I know this is actually a Windows issue, but then it is an Openswan-Windows 
interop issue too. In any case, I'd be glad for any references if you 
think I should look somewhere else!

Now for the details: 

I've successfully connected Windows clients to my Linux gateway running 
Openswan 1.0.4 and kernel 2.4.26. The setup is either
* XP, directly connected but with XP firewall enabled or
* Win2k, Roadwarrior, NAT-ed (KB-818043 patched) behind a DSL router.
All Windows machines make use of Marcus Müller's great VPN config tool and
are authenticated using X509 certificates. 

When the Windows clients connect, the IPsec connections are created and 
everything (well, almost, but please read on ;-) works _while_ the 
connections last. :-)

It does not bother me that I cannot _initially_ create the connection because
the clients are either firewalled or behind a NAT router. However, after 
some(?) time, the clients just delete the connection if the link is idle 
and _then_ I'm unable to reestablish the connection, of course.

Now, how do I prevent Windows from shutting down the (idle) IPsec link?

If the connection times out, I'd like to have the connection rekeyed even 
if there is no traffic (because I cannot establish the connection myself).

I can think of the following solutions. 
Any comments about them are appreciated! ;-)

a. As an ugly (and temporary, I hope) workaround, I've created a 
   cron-script (using Cygwin's crond) which pings my Linux gateway every 
   five minutes.

b. Prevent Windows from shutting down the idle link. Perhaps with a magic
   Registry entry somewhere to set the idle timeout to a high value?

c. Have the connection rekeyed before Windows thinks the connection is 
   idle. There are some questions with this approach:
   - Does rekeying make Windows believe the link is not idle?
   - If so, which timeout do I use for the keylife= option?
   - Does Windows honor this option if the same timeout is used in the 
     Windows ipsec.conf?

d. Anything else?

Personally, I'd favor option c unless there is a better one, of course!
Unfortunately, I've no idea about the correct value for keylife.

Thanks in advance for any input!

Regards, Walter

PS: There is a small inconvenience while the connection is established:
    I cannot ping the XP clients. Probably due to the brain-dead 
    built-in Windows firewall which eats the ICMP packets from the IPsec
    link despite ICMP being allowed in the properties. Any other traffic 
    (TCP or UDP) is not affected.

    Is there a workaround other than disabling the XP firewall or using a 
    third-party firewall?
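Added example (not from the original post or from the Openswan project): a gateway-side /etc/ipsec.conf conn fragment illustrating option c, i.e. how keylife=, rekeymargin= and rekeyfuzz= decide when Openswan starts renegotiating the IPsec SA, so that the rekey happens while the SA is still up. The conn name, certificate file name, subnet and the timing values are assumptions chosen for illustration; whether the Windows policy agent counts a gateway-initiated rekey as activity (the first question under option c) is not settled by this fragment.

```conf
# Added example, not from the original post. Assumed Openswan-side
# /etc/ipsec.conf fragment for a certificate-authenticated roadwarrior
# connection; the conn name, file name, subnet and timers are assumptions.
conn roadwarrior-win
    left=%defaultroute
    leftcert=gatewayCert.pem        # gateway's own X.509 certificate (assumed file name)
    leftrsasigkey=%cert
    leftsubnet=192.168.1.0/24       # assumed internal network behind the gateway
    right=%any                      # Windows clients arrive from arbitrary addresses
    rightrsasigkey=%cert            # authenticate the peer with its certificate
    # Phase 2 (IPsec SA) lifetime. Openswan begins rekeying rekeymargin
    # before expiry, randomly increased by up to rekeyfuzz percent, so with
    # the values below the rekey is attempted 5 to 10 minutes before the
    # 30-minute mark, while the SA (and any NAT mapping) is still alive.
    keylife=30m
    rekeymargin=5m
    rekeyfuzz=100%
    rekey=yes                       # renegotiate instead of letting the SA lapse
    auto=add                        # only wait for the client; the gateway cannot initiate through the NAT/firewall
```

After editing, `ipsec auto --replace roadwarrior-win` reloads the conn. Two points to keep in mind when picking keylife: the rekey is only useful if it starts before the Windows idle timer fires, so keylife minus the (fuzzed) rekeymargin must be shorter than that timer; and the phase 1 SA has its own lifetime (ikelifetime=), which is renegotiated separately when it expires.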


More information about the Users mailing list