[Openswan Users] XP peer deletes subnet connections after 60 seconds

Walter Haidinger walter.haidinger at gmx.at
Mon Jun 28 16:48:19 CEST 2004


Hi!

I've yet another connection expiry problem with XP peers but this time 
only regarding 
   roadwarrior(XP)-subnet <-> gateway (Linux 2.4.26/Openswan 1.0.6) 
connections.

The output from XP's oakley.log is interesting:
 ...
 14:59:14:269:480         SA life type in seconds
 14:59:14:269:480                 SA life duration 00008ca0
 ...
 14:59:14:279:480 QM Established SA: 000E1A08 Centry: 0013A9B8
 14:59:14:279:480 isadb_set_status sa:000E1A08 centry:0013A9B8 status 0
 14:59:14:279:480
 14:59:14:279:480 Sending: SA = 0x000E1A08 to gateway:Type 4
 14:59:14:279:480 ISAKMP Header: (V1.0), len = 52
 14:59:14:279:480   I-COOKIE 16e9f36975db502a
 14:59:14:279:480   R-COOKIE 67b59132f7d63c2d
 14:59:14:279:480   exchange: Oakley Quick Mode
 14:59:14:279:480   flags: 1 ( encrypted )
 14:59:14:279:480   next payload: HASH
 14:59:14:279:480   message ID: 2c6cf161
 15:00:14:280:480 CE Dead. sa:000E1A08 ce:0013A9B8 status:35ef
 15:00:28:729:480 SA Dead. sa:000E1A08 status:35f0
 15:00:28:729:480 isadb_set_status sa:000E1A08 centry:00000000 status 35f0

You can see that the tunnel gets established with a SA keylife of 
36000s (0x8ca0). However, exactly 60 seconds later XP logs "CE Dead."

Now, what does "CE Dead." mean and how do I prevent it?

On the Openswan side, the gateway receives a "Delete SA" packet and 
deletes the connection. DPD seems to be ignored.

Oddly enough, this only happens to roadwarrior_subnet-gateway connections,
i.e. the roadwarrior_host-gateway connections last and do not expire! 
I'm lost here...

Walter

PS: Another oddity: 
    The subnet connections are not started, i.e. I have to create some
    traffic (e.g. ping) to make XP initiate the connection.
    Again, this is not necessary for the roadwarrior-gateway connection.
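
The comparison made in the post (negotiated SA lifetime 0x8ca0 versus the gap before "CE Dead."), as an added example that is not part of the original message: Python that pairs each "QM Established" line in oakley.log with its "CE Dead." line and reports SAs torn down before their negotiated lifetime. The timestamp layout (HH:MM:SS:ms plus one further numeric field) is inferred from the excerpt, and the name `analyse` is hypothetical.

```python
import re
from datetime import timedelta

# Sample input: lines taken from the oakley.log excerpt in the post above.
SAMPLE = """\
 ...
 14:59:14:269:480         SA life type in seconds
 14:59:14:269:480                 SA life duration 00008ca0
 14:59:14:279:480 QM Established SA: 000E1A08 Centry: 0013A9B8
 15:00:14:280:480 CE Dead. sa:000E1A08 ce:0013A9B8 status:35ef
 15:00:28:729:480 SA Dead. sa:000E1A08 status:35f0
"""

# Assumption: each line starts HH:MM:SS:mmm, then one more numeric field (ignored here).
LINE = re.compile(r"^\s*(\d\d):(\d\d):(\d\d):(\d{3}):\d+\s+(.*)$")
LIFE = re.compile(r"SA life duration ([0-9a-fA-F]+)")
EST = re.compile(r"QM Established SA: (\w+) Centry: (\w+)")
DEAD = re.compile(r"CE Dead\. sa:(\w+) ce:(\w+) status:(\w+)")


def analyse(text):
    """Return one dict per SA that logged 'CE Dead.': negotiated vs. actual lifetime."""
    life, in_seconds, pending, results = None, False, {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # "..." markers and wrapped continuation lines
        h, mi, s, ms, msg = m.groups()
        ts = timedelta(hours=int(h), minutes=int(mi), seconds=int(s), milliseconds=int(ms))
        if "SA life type" in msg:
            in_seconds = msg.rstrip().endswith("in seconds")
        elif in_seconds and (x := LIFE.search(msg)):
            life = int(x.group(1), 16)  # hex field: 00008ca0 -> 36000
        elif (x := EST.search(msg)):
            pending[x.groups()] = (ts, life)
        elif (x := DEAD.search(msg)) and x.groups()[:2] in pending:
            start, negotiated = pending.pop(x.groups()[:2])
            lived = (ts - start).total_seconds()
            if lived < 0:
                lived += 86400  # no date in the log; assume a single midnight rollover
            results.append({"sa": x.group(1), "ce": x.group(2), "status": x.group(3),
                            "negotiated_s": negotiated, "lived_s": lived,
                            "early": negotiated is not None and lived < negotiated})
    return results


if __name__ == "__main__":
    for r in analyse(SAMPLE):
        print(r)
```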
    

