[Openswan Users] Rekeying problem with Windows client

Paul Wouters paul at xelerance.com
Tue Sep 13 18:29:54 CEST 2005


On Tue, 13 Sep 2005, John A. Sullivan III wrote:

> Hello, all.  I'm using the Windows IPSec client without L2TP managed by
> lsipsectool (http://sf/net/projects/lsipsectool).  All seems to be going
> well except for rekeying.  The client is behind a NAT gateway and the
> VPN gateway is old (Super-FreeS/WAN 1.99_kb1) but I do not think it is
> the 500/4500 float problem.
>
> The connection definition has auto=add on the gateway side and right=%any
> as typical roadwarrior connections.  It also has rekey=no.  I would
> suspect that the roadwarrior would thus always initiate rekeying (which
> should also resolve any firewall problems).  The gateway allows all UDP
> traffic on ports 500 and 4500 in the INPUT chain.
>
> However, the gateway still seems to want to initiate main mode.  Since

> something wrong? Are there other options? Alas, upgrading the gateway or
> letting IKE through the client firewall are not options.  Thanks - John

Several rekey issues have been addressed in openswan-2. Some related to
Windows XP (I believe SP2 even) based rekey anomalies. superfreeswan/openswan
might not have all these fixes, since it was discontinued and currently only
security fixes will be applied to the openswan-1 codebase, security fixes
that are not in your old version. So you're at least vulnerable to two X.509
related bugs and one XAUTH related bug.

Apart from that, you will run into NAT-T issues with such an old superfreeswan.

Since upgrading is not an option, I do not have any recommended fix for you.

Paul
