[Openswan Users] L2TP/IPsec with double NAT
Stefano Pazzaglia
stefano.pazzaglia at fastwebnet.it
Fri Aug 12 00:59:28 CEST 2005
Much longer, how much?
Which values would you suggest for ikelifetime and keylife as a
workaround?
----- Original Message -----
From: "Paul Wouters" <paul at xelerance.com>
To: "Stefano Pazzaglia" <stefano.pazzaglia at fastwebnet.it>
Cc: <users at openswan.org>
Sent: Thursday, August 11, 2005 11:53 PM
Subject: Re: [Openswan Users] L2TP/IPsec with double NAT
> On Thu, 11 Aug 2005, Stefano Pazzaglia wrote:
>
>> Ok, tried to put Openswan on the Internet. Tried to connect by a client
>> NATted (unfortunately I can only try in this way at the moment). As
>> usual, when the 2 parts are going to rekey something wrong happens!!! I
>> attach my logs and I hope someone can help me, because I'm seriously
>> thinking to look at
>
>> #2: IPsec SA established {ESP=>0xaebf69fb <0x7ef8f61c
>> NATOA=37.255.126.225}
>
>> Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1]
>> 213.140.19.123:46945 #3: initiating Quick Mode
>> PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}
>> Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1]
>> 213.140.19.123:46945 #1: ignoring informational payload, type
>> INVALID_ID_INFORMATION
>
> This is a known Windows bug, though I am not sure if this issue was
> resolved or not. I believe some rekey patch was floating around, but I am
> not sure if that got applied to the tree. Can you try openswan-2.4.0dr8?
> If the patch is not in there, then it might still be in the queue
> somewhere on bugs.openswan.org.
>
> A workaround might be to change the keylife to something much longer than
> the XP client, so that the Openswan side does not initiate a rekey, and
> only XP rekeys.
>
> Paul
>
>