[Openswan Users] L2TP/IPsec with double NAT

Stefano Pazzaglia stefano.pazzaglia at fastwebnet.it
Fri Aug 12 00:59:28 CEST 2005


How much longer?
Which values would you suggest for ikelifetime and keylife as a
workaround?


----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Stefano Pazzaglia" <stefano.pazzaglia at fastwebnet.it>
Cc: <users at openswan.org>
Sent: Thursday, August 11, 2005 11:53 PM
Subject: Re: [Openswan Users] L2TP/IPsec with double NAT


> On Thu, 11 Aug 2005, Stefano Pazzaglia wrote:
>
>> Ok, tried to put Openswan on the Internet. Tried to connect by a NATted
>> client (unfortunately I can only try in this way at the moment). As usual,
>> when the 2 parts are going to rekey something wrong happens!!! I attach my
>> logs and I hope someone can help me, because I'm seriously thinking to look
>> at
>
>> #2: IPsec SA established {ESP=>0xaebf69fb <0x7ef8f61c 
>> NATOA=37.255.126.225}
>
>> Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 
>> 213.140.19.123:46945 #3: initiating Quick Mode 
>> PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}
>> Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 
>> 213.140.19.123:46945 #1: ignoring informational payload, type 
>> INVALID_ID_INFORMATION
>
> This is a known Windows bug, though I am not sure if this issue was resolved
> or not. I believe some rekey patch was floating around, but I am not sure if
> that got applied to the tree. Can you try openswan-2.4.0dr8? If the patch is
> not in there, then it might still be in the queue somewhere on
> bugs.openswan.org.
>
> A workaround might be to change the keylife to something much longer than the
> XP client, so that the Openswan side does not initiate a rekey, and only XP
> rekeys.
>
> Paul
> 
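
One way to check from the pluto log whether the INVALID_ID_INFORMATION notifications follow rekeys that the Openswan side itself initiated, which is the case the workaround above is meant to avoid. This is an added example, not part of the original thread or of Openswan; the function name is hypothetical, and only the first two sample log lines come from the thread (re-joined), the rest are constructed.

```python
import re

# First two lines are the ones quoted in the thread (wrapped lines re-joined);
# the last two are constructed for this example (documentation IP ranges).
SAMPLE_LOG = '''\
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 11 22:10:02 localhost pluto[13393]: "I-hate-vpn"[2] 192.0.2.10:4500 #7: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #6 {using isakmp#5}
Aug 11 22:15:40 localhost pluto[13393]: "I-hate-vpn"[3] 198.51.100.7:4500 #9: ignoring informational payload, type INVALID_ID_INFORMATION
'''

# "conn"[instance] peer:port #state: message
LINE = re.compile(
    r'pluto\[\d+\]: (?P<conn>"[^"]+"(?:\[\d+\])?) (?P<peer>\S+) '
    r'#(?P<state>\d+): (?P<msg>.*)$')
# Quick Mode rekey started by the local (Openswan) side
REKEY = re.compile(r'initiating Quick Mode .* to replace #(?P<old>\d+) '
                   r'\{using isakmp#(?P<isakmp>\d+)\}')
INVALID_ID = 'ignoring informational payload, type INVALID_ID_INFORMATION'


def find_rekeys_followed_by_invalid_id(log_text):
    """Pair each locally initiated rekey with a later INVALID_ID_INFORMATION
    notification logged on the ISAKMP SA that carried it."""
    pending = {}    # (conn, peer, isakmp state) -> rekey details
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, peer, state, msg = m.group('conn', 'peer', 'state', 'msg')
        rk = REKEY.search(msg)
        if rk:
            pending[(conn, peer, rk.group('isakmp'))] = {
                'conn': conn, 'peer': peer,
                'new_state': int(state), 'replaces': int(rk.group('old'))}
        elif INVALID_ID in msg:
            hit = pending.pop((conn, peer, state), None)
            if hit:     # notification without a local rekey is not reported
                findings.append(hit)
    return findings


if __name__ == '__main__':
    for f in find_rekeys_followed_by_invalid_id(SAMPLE_LOG):
        print('{conn} {peer}: local rekey #{new_state} replacing #{replaces} '
              'followed by INVALID_ID_INFORMATION'.format(**f))
```

If every reported entry belongs to an XP peer and no peer-initiated rekeys appear in the output, the log is consistent with the situation the reply describes.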
