[Openswan Users] Fedora + xl2tpd + openswan with psk retransmitting key?

Paul Wouters paul at xelerance.com
Thu Nov 8 12:41:24 EST 2007


On Thu, 8 Nov 2007, Panics Robert wrote:

> I got a working config with PSK setting, but when I use the VPN connection
> longer than an hour, I got a message like that at secure.log
>
> Nov  8 00:38:16 devel pluto[8487]: "L2TP-PSK"[4]  #9: responding to Quick
> Mode {msgid:df83756b}

> Every hour..

Yes.

> When this message shows, on the VPN client I got one or two packets lost, but
> the xl2tpd connection didn't disconnect. I think it's retransmitting the ipsec
> key or something like that..

It is rekeying. And since the remote client has to rekey (and openswan waits
for that with rekey=no), there is nothing you can do. The keylife has been
set by the Windows client. On ISA server you can fairly easily change the
keylifes, but I don't think you can easily change it on XP/Vista.

Of course, you should not be losing any packets, as with a proper rekey
you will briefly allow receiving packets on the old IPsec SA, but not use
it to send anymore, so it guarantees a smooth transition. Guess it's a bug
in Windows.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
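
To confirm from the server side that the hourly messages are the peer's periodic rekey described in the reply, the following added example (not part of the original thread or of Openswan) measures the time between successive "responding to Quick Mode" lines per connection. The function names, the 5-minute tolerance and every sample line after the first are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the pluto line format quoted in the thread (unwrapped to one line).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+pluto\[\d+\]:\s+'
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])?\s+#\d+:\s+'
    r'responding to Quick Mode \{msgid:[0-9a-f]+\}'
)

# First line is the one quoted in the post; the rest are constructed samples.
SAMPLE_LOG = """\
Nov  8 00:38:16 devel pluto[8487]: "L2TP-PSK"[4]  #9: responding to Quick Mode {msgid:df83756b}
Nov  8 01:38:14 devel pluto[8487]: "L2TP-PSK"[4]  #10: responding to Quick Mode {msgid:0a1b2c3d}
Nov  8 01:50:02 devel pluto[8487]: "L2TP-PSK"[4]  #10: unrelated constructed line
Nov  8 02:38:15 devel pluto[8487]: "L2TP-PSK"[4]  #11: responding to Quick Mode {msgid:4e5f6071}
"""

def rekey_intervals(log_text, year=2007):
    """Map (connection, instance) to the gaps between Quick Mode responses."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Quick Mode responder line
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen.setdefault((m["conn"], m["inst"]), []).append(ts)
    return {k: [b - a for a, b in zip(v, v[1:])] for k, v in seen.items()}

def looks_periodic(intervals, expected=timedelta(hours=1),
                   tolerance=timedelta(minutes=5)):
    """True when every gap is within tolerance of the expected keylife."""
    return bool(intervals) and all(abs(i - expected) <= tolerance
                                   for i in intervals)

if __name__ == "__main__":
    for key, gaps in rekey_intervals(SAMPLE_LOG).items():
        print(key, [str(g) for g in gaps], "periodic:", looks_periodic(gaps))
```

Gaps that cluster around one value point to the client's keylife; gaps that are much shorter or irregular are renegotiations worth investigating separately.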

