[Openswan Users] L2TP/IPsec with double NAT

Norman Rasmussen normanr at gmail.com
Fri Aug 12 01:43:45 CEST 2005 

as-far-as-i-can-see the windows default is 480 minutes, or 8 hours -
so you'd need to be a bit longer than that - by about 30 mins or so.

check out: Control Panel > Administrative Tools > Local Security
Settings > IP Security Policies on Local Computer > Client (Respond
Only) > Properties > General Tab > Advanced Button

On 11/08/05, Stefano Pazzaglia <stefano.pazzaglia at fastwebnet.it> wrote:
> Much longer how much?
> Which values would you suggest me for ikelifetime and keylife as a
> workaround?
> 
> 
> ----- Original Message -----
> From: "Paul Wouters" <paul at xelerance.com>
> To: "Stefano Pazzaglia" <stefano.pazzaglia at fastwebnet.it>
> Cc: <users at openswan.org>
> Sent: Thursday, August 11, 2005 11:53 PM
> Subject: Re: [Openswan Users] L2TP/IPsec with double NAT
> 
> 
> > On Thu, 11 Aug 2005, Stefano Pazzaglia wrote:
> >
> >> Ok, tried to put Openswan on the Internet. Tied to connect by a client
> >> NATted (unfortunately I can only try in this way at the moment). As
> >> usually, when the 2 parts are going to rekey something wrong happens!!! I
> >> attach my logs and I hope someone can help me, because I'm seriously
> >> thinking to look at
> >
> >> #2: IPsec SA established {ESP=>0xaebf69fb <0x7ef8f61c
> >> NATOA=37.255.126.225}
> >
> >> Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1]
> >> 213.140.19.123:46945 #3: initiating Quick Mode
> >> PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}
> >> Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1]
> >> 213.140.19.123:46945 #1: ignoring informational payload, type
> >> INVALID_ID_INFORMATION
> >
> > This is a known Windows bug, though I am not sure if this issue was
> > resolved or not. I believe some rekey patch was floating around, but I am
> > not sure
> > if that got applied to the tree. Can you try openswan-2.4.0dr8?
> > If the patch is not in there, then it might still be in the queue
> > somewhere on
> > bugs.openswan.org.
> >
> > A workaround might be to change the keylife to something much longer then
> > the
> > XP client, so that the Openswan side does not initiate a rekey, and only
> > XP
> > rekeys.
> >
> > Paul
> >
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG Anti-Virus.
> > Version: 7.0.338 / Virus Database: 267.10.5/68 - Release Date: 10/08/2005
> >
> >
> 
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> 


-- 
- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/

More information about the Users mailing list