[Openswan Users] Rekeying problem with Windows client

John A. Sullivan III jsullivan at opensourcedevel.com
Tue Sep 13 11:55:04 CEST 2005


Hello, all.  I'm using the Windows IPSec client without L2TP managed by
lsipsectool (http://sf/net/projects/lsipsectool).  All seems to be going
well except for rekeying.  The client is behind a NAT gateway and the
VPN gateway is old (Super-FreeS/WAN 1.99_kb1) but I do not think it is
the 500/4500 float problem.

The connection definition has auto=add on the gateway side and right=%any
as typical roadwarrior connections.  It also has rekey=no.  I would
suspect that the roadwarrior would thus always initiate rekeying (which
should also resolve any firewall problems).  The gateway allows all UDP
traffic on ports 500 and 4500 in the INPUT chain.

However, the gateway still seems to want to initiate main mode.  Since
these packets never make it through the firewall to the windows client,
the connection breaks.  The gateway thinks the ESP packets from the
client are for an incomplete ISAKMP SA (or at least so I think from the
error messages).  I set the ikelifetime=8h but I still have the problem.
Why is the gateway initiating ISAKMP rekeying when rekey=no? Am I doing
something wrong? Are there other options? Alas, upgrading the gateway or
letting IKE through the client firewall are not options.  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
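For readers following this thread, here is what a roadwarrior connection with the settings named in the post looks like in ipsec.conf form. This is an added illustration, not John's actual configuration or anything shipped with Super-FreeS/WAN or Openswan; the connection name, subnet, interface and secret-based authentication are assumptions, and the phase-2 keylife and keyingtries values are shown only to make the distinction between the phase-1 and phase-2 lifetimes visible, since ikelifetime governs the ISAKMP SA while keylife governs the IPsec SA.

```ini
# Added example: a NAT-traversal roadwarrior definition in the FreeS/WAN style.
# Names, addresses and the authentication method are assumptions.
config setup
        interfaces=%defaultroute
        # NAT-T support (from the FreeS/WAN NAT-T patch / Super-FreeS/WAN)
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn roadwarrior-nat
        left=%defaultroute
        leftsubnet=192.168.1.0/24        # assumed LAN behind the gateway
        leftid=@gateway.example.org      # assumed identity
        right=%any                       # any roadwarrior address
        rightsubnet=vhost:%no,%priv      # allow clients behind NAT (NAT-T syntax)
        authby=secret                    # assumed: PSK instead of RSA
        auto=add                         # gateway waits for the client to initiate
        rekey=no                         # gateway does not renegotiate on its own expiry
        ikelifetime=8h                   # phase 1 (ISAKMP SA) lifetime
        keylife=1h                       # phase 2 (IPsec SA) lifetime, assumed value
        keyingtries=1                    # assumed: do not retry negotiations indefinitely
```

Note that rekey=no only tells this gateway not to start a renegotiation when one of its own lifetimes runs out; whichever side has the shorter lifetime for a given SA will normally be the one to initiate, so matching the client's phase-1 and phase-2 lifetimes to ikelifetime and keylife is the first thing to compare when the "wrong" side starts talking.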


