[Openswan Users] Windows XP - ISAKMP SA

Paul Wouters paul at xelerance.com
Fri Feb 2 17:54:05 EST 2007


On Fri, 2 Feb 2007, Mike Horn wrote:

> I have a setup with a laptop running Windows XP connecting to an Openswan
> server using L2TP/IPsec.  The server is using Openswan 2.4.6 with NETKEY on
> kernel 2.6.19.  If I don't configure the ikelifetime value, so it uses the
> default of 3600s, after an hour when the ISAKMP SA expires I continuously
> (every 10s) get the following log messages on the server.
>
> Feb  2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #510: max
> number of retransmissions (2) reached STATE_QUICK_I1
> Feb  2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #510:
> starting keying attempt 30 of an unlimited number
> Feb  2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #512:
> initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #510 {using isakmp#443}
> Feb  2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #443:
> ignoring informational payload, type INVALID_ID_INFORMATION
> Feb  2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #443:
> received and ignored informational message
>
> What I'm guessing is that the ISAKMP SA times out on the server, which is
> the responder and then the server tries to renegotiate a new ISAKMP SA, but
> the Windows XP laptop is refusing the renegotiation attempts, possibly
> because it has an unexpired ISAKMP SA for this peer.

You should put rekey=no on the server and let only the laptop rekey the connection
if it wants to. Especially if the laptop is on a dynamic IP.

> The laptop is still able to pass traffic (the ESP SA is still active) until
> the ESP SA times out at 28800 seconds.  At that point the tunnel fails and I
> need to restart the Openswan tunnel connection and reconnect from the
> laptop.

Windows should rekey. Perhaps it is now not doing so because of the Openswan
rekey attempts?

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
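
Added example, not part of the original thread and not Openswan code: a small log check that flags the symptom discussed above, a responder that keeps starting new keying attempts while the peer answers with INVALID_ID_INFORMATION. The function name, the attempt threshold and the first two sample lines are assumptions; the remaining sample lines are the quoted pluto messages, unwrapped.

```python
import re
from collections import defaultdict

# Sample input: the first two lines are constructed, the rest are the pluto
# messages quoted in the thread with the e-mail line wrapping undone.
SAMPLE_LOG = """\
Feb  2 16:36:21 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #508: starting keying attempt 29 of an unlimited number
Feb  2 16:36:21 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #443: ignoring informational payload, type INVALID_ID_INFORMATION
Feb  2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #510: max number of retransmissions (2) reached STATE_QUICK_I1
Feb  2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #510: starting keying attempt 30 of an unlimited number
Feb  2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #512: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #510 {using isakmp#443}
Feb  2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #443: ignoring informational payload, type INVALID_ID_INFORMATION
Feb  2 16:36:31 uml-5 pluto[8301]: "l2tp-psk"[1] 192.168.2.139 #443: received and ignored informational message
"""

# pluto prefix: "connection"[instance] peer #state: message
LINE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) '
    r'#(?P<sa>\d+): (?P<msg>.*)$')
ATTEMPT = re.compile(r'starting keying attempt (\d+) of')


def find_rekey_loops(log_text, min_attempt=3):
    """Return {(conn, peer): counters} for peers stuck in a rekey loop.

    A peer is flagged when this side has reached at least `min_attempt`
    keying attempts AND the peer has rejected with INVALID_ID_INFORMATION.
    """
    stats = defaultdict(lambda: {"max_attempt": 0, "rejects": 0,
                                 "quick_i1_timeouts": 0})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-connection pluto line
        s = stats[(m["conn"], m["peer"])]
        msg = m["msg"]
        attempt = ATTEMPT.search(msg)
        if attempt:
            s["max_attempt"] = max(s["max_attempt"], int(attempt.group(1)))
        elif "INVALID_ID_INFORMATION" in msg:
            s["rejects"] += 1
        elif "retransmissions" in msg and "STATE_QUICK_I1" in msg:
            s["quick_i1_timeouts"] += 1  # our Quick Mode initiation got no answer
    return {key: dict(v) for key, v in stats.items()
            if v["max_attempt"] >= min_attempt and v["rejects"] > 0}
```

A connection flagged by this check is a candidate for the rekey=no setting suggested in the reply above.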

